
Refresh ART/STIX at startup and degrade gracefully when offline#67

Merged
deacon-mp merged 1 commit into master from fix/art-stix-refresh-graceful on May 20, 2026

Conversation

@deacon-mp
Contributor

Summary

The plugin reads its ATT&CK technique→tactic mapping from enterprise-attack.json, which is not committed here (it's 45 MB) — it arrives only as a side effect of the shallow git clone of Red Canary's atomic-red-team on first boot. Two gaps followed from that:

  1. Never refreshed — the --depth 1 clone is frozen at first-boot state; upstream ATT&CK / atomic-test updates never arrive.
  2. Not offline-safe: git clone via check_call raised on any network failure, breaking plugin enable; and a missing enterprise-attack.json crashed import with FileNotFoundError.

Changes

clone_atomic_red_team_repo() now ensures the checkout is present and current on every startup:

  • missing/empty → shallow clone
  • already present → git fetch --depth 1 origin HEAD + fast-forward (git reset --hard FETCH_HEAD) only when behind

This refreshes the atomic tests and the bundled STIX together, and a reset --hard also restores enterprise-attack.json if it went missing.

Everything degrades gracefully:

  • offline / git missing / corrupt checkout → log a warning, keep using the on-disk copy; if nothing is on disk, skip import instead of crashing plugin enable.
  • _populate_dict_techniques_tactics() tolerates a missing enterprise-attack.json, falling back to the redcanary-unknown tactic.

Testing

  • python -m py_compile clean.
  • Shallow git fetch --depth 1 origin HEAD + rev-parse comparison verified against a live ART checkout (correctly reports up-to-date).
  • Graceful-skip branch confirmed to catch both CalledProcessError (clone/network failure) and OSError (git absent).
  • Full server boot with the change: clean start, 1754 atomic abilities imported with full tactic mapping intact — no regression.

🤖 Generated with Claude Code

clone_atomic_red_team_repo() now ensures the Atomic Red Team checkout is
both present AND current on every startup:
  * missing/empty  -> shallow clone
  * already present -> git fetch --depth 1 + fast-forward to latest HEAD

This refreshes the atomic tests and the bundled ATT&CK STIX
(enterprise-attack.json) together, so the 45MB STIX is pulled at startup
rather than committed into the plugin, and stays current instead of being
frozen at first-boot state.

All network operations degrade gracefully: if the host is offline (or git
is unavailable / the checkout is corrupt), a warning is logged and the
existing on-disk copy is used; if nothing is on disk the import is skipped
rather than crashing plugin enable. _populate_dict_techniques_tactics()
likewise tolerates a missing enterprise-attack.json, falling back to the
'redcanary-unknown' tactic instead of raising FileNotFoundError.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
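The refresh-and-fallback flow the PR describes (shallow clone when missing, fetch and fast-forward only when behind, warn and keep the on-disk copy on CalledProcessError/OSError, and a technique→tactic loader that tolerates a missing STIX bundle), written out as an added example in Python. This is illustrative code, not the plugin's own implementation: the remote URL, function names, the placement of enterprise-attack.json inside the checkout, the two-object STIX bundle and the FakeGit stand-in for subprocess.run are all constructed here so every branch can be exercised offline.

```python
"""Startup refresh of a shallow ART checkout with graceful degradation (added illustration)."""
import json
import logging
import subprocess
import tempfile
from pathlib import Path

log = logging.getLogger(__name__)
ART_URL = "https://github.com/redcanaryco/atomic-red-team.git"  # assumed remote
UNKNOWN_TACTIC = "redcanary-unknown"

def _git(args, cwd=None, runner=subprocess.run):
    """Run one git command; CalledProcessError on non-zero exit, OSError if git is absent."""
    proc = runner(["git", *args], cwd=cwd, check=True, capture_output=True, text=True)
    return proc.stdout.strip()

def ensure_checkout(dest, url=ART_URL, runner=subprocess.run):
    """Make `dest` present and current; return a status, never raise for git/network errors."""
    dest = Path(dest)
    has_checkout = (dest / ".git").is_dir()
    try:
        if not has_checkout:
            _git(["clone", "--depth", "1", url, str(dest)], runner=runner)
            return "cloned"
        _git(["fetch", "--depth", "1", "origin", "HEAD"], cwd=dest, runner=runner)
        local = _git(["rev-parse", "HEAD"], cwd=dest, runner=runner)
        remote = _git(["rev-parse", "FETCH_HEAD"], cwd=dest, runner=runner)
        if local == remote:
            return "up-to-date"
        # Fast-forward only when behind; --hard also restores a deleted enterprise-attack.json
        _git(["reset", "--hard", "FETCH_HEAD"], cwd=dest, runner=runner)
        return "updated"
    except (subprocess.CalledProcessError, OSError) as exc:
        log.warning("ART refresh failed (%s); using on-disk copy if any", exc)
        return "stale" if has_checkout else "missing"

def load_technique_tactics(stix_path):
    """technique ID -> [tactic names] from a STIX bundle; {} if the file is missing/unreadable."""
    try:
        bundle = json.loads(Path(stix_path).read_text())
    except (OSError, ValueError) as exc:
        log.warning("enterprise-attack.json unavailable (%s); tactics fall back", exc)
        return {}
    mapping = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern" or obj.get("revoked"):
            continue
        ids = [r["external_id"] for r in obj.get("external_references", [])
               if r.get("source_name") == "mitre-attack"]
        phases = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                  if p.get("kill_chain_name") == "mitre-attack"]
        for tid in ids:
            mapping[tid] = phases
    return mapping

def tactics_for(mapping, technique_id):
    """Lookup with the same fallback the plugin uses for unmapped techniques."""
    return mapping.get(technique_id) or [UNKNOWN_TACTIC]

class FakeGit:
    """Constructed stand-in for subprocess.run; mode is behind | current | offline | no-git."""
    def __init__(self, mode):
        self.mode = mode

    def __call__(self, cmd, **kwargs):
        if self.mode == "no-git":
            raise FileNotFoundError("git")
        if self.mode == "offline" and cmd[1] in ("clone", "fetch"):
            raise subprocess.CalledProcessError(128, cmd, stderr="Could not resolve host")
        out = ""
        if cmd[1] == "rev-parse":  # HEAD is always 'aaa'; FETCH_HEAD differs only when behind
            out = "aaa" if cmd[2] == "HEAD" or self.mode == "current" else "bbb"
        return subprocess.CompletedProcess(cmd, 0, stdout=out + "\n", stderr="")

def _attack_pattern(tid, phases, revoked=False):
    """Minimal constructed STIX attack-pattern object in the enterprise-attack.json shape."""
    return {"type": "attack-pattern", "revoked": revoked,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases]}

def run_demo():
    """Exercise every branch against a temp dir and a constructed two-object bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, existing = Path(tmp, "fresh"), Path(tmp, "art")
        fresh.mkdir()
        (existing / ".git").mkdir(parents=True)
        stix = existing / "enterprise-attack.json"  # location inside the checkout is assumed
        stix.write_text(json.dumps({"type": "bundle", "objects": [
            _attack_pattern("T1078", ["defense-evasion", "persistence"]),
            _attack_pattern("T1064", ["execution"], revoked=True)]}))
        mapping = load_technique_tactics(stix)
        return {
            "fresh-online": ensure_checkout(fresh, runner=FakeGit("behind")),
            "fresh-offline": ensure_checkout(fresh, runner=FakeGit("offline")),
            "behind": ensure_checkout(existing, runner=FakeGit("behind")),
            "current": ensure_checkout(existing, runner=FakeGit("current")),
            "offline": ensure_checkout(existing, runner=FakeGit("offline")),
            "no-git": ensure_checkout(existing, runner=FakeGit("no-git")),
            "T1078": tactics_for(mapping, "T1078"),
            "T1064": tactics_for(mapping, "T1064"),
            "no-stix": tactics_for(load_technique_tactics(Path(tmp, "absent.json")), "T1078"),
        }
```

The injected `runner` is the one seam that makes the flow testable without a network or a git binary; in production it is left at `subprocess.run`, and `FileNotFoundError` (git absent) is caught through its `OSError` base, matching the two exception types the PR's testing notes call out. Revoked attack-patterns are skipped so a technique that ATT&CK has retired maps to `redcanary-unknown` rather than to a stale tactic.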
@deacon-mp deacon-mp merged commit 689a3cb into master May 20, 2026
1 check passed
@deacon-mp deacon-mp deleted the fix/art-stix-refresh-graceful branch May 20, 2026 14:41