feat(m4): STIX parser + seed service + CLI

- backend/app/services/mitre_seed.py: stdlib-only STIX 2.1 parser (urllib + hashlib + json). Pinned to enterprise-attack-19.0.json with sha256 df520ea0775a57db7bff760145b02fed89290802913e056b7ed5970b02f3626a (~52 MB, ~1.1 s parse). Resolves sub-technique parents via relationship[subtechnique-of] with a T1003.001→T1003 dotted-id fallback; upserts on external_id, rebuilds the technique↔tactic M2M in a single transaction so external readers never see an empty join. Persists mitre_last_sync, mitre_version, mitre_source_url in the settings table.
- Custom URLs MUST be paired with expected_sha256 OR allow_unverified=true — refuses silent integrity bypass.
- CLI: flask metamorph seed-mitre [--source path|url] [--checksum-sha256 hex] [--skip-checksum]. Make target wraps it.
- Docker: /data/mitre/ chowned to the metamorph user at build; named volume metamorph_mitre mounted from compose for cross-restart cache.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
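
The integrity rule stated in the commit message (a custom source must come with an expected sha256 or an explicit opt-out), sketched as an added example that is not code from this commit. Every name here is hypothetical, and the source URL and pinned digest are constructed placeholders rather than the project's values.

```python
import hashlib
import hmac

# Constructed placeholders standing in for the project's pinned bundle.
PINNED_SOURCE = "https://example.invalid/enterprise-attack.json"
PINNED_SHA256 = hashlib.sha256(b"constructed pinned bundle").hexdigest()


class IntegrityError(Exception):
    """Raised when a bundle cannot be tied to an expected digest."""


def expected_digest(source, expected_sha256=None, allow_unverified=False):
    """Return the digest to enforce, or None only on an explicit opt-out."""
    if expected_sha256 is not None:
        digest = expected_sha256.strip().lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise IntegrityError("expected_sha256 must be 64 hex characters")
        return digest
    if source == PINNED_SOURCE:
        return PINNED_SHA256          # default source always uses the pin
    if allow_unverified:
        return None                   # caller asked for this in so many words
    raise IntegrityError(
        "custom source needs expected_sha256 or allow_unverified=True")


def verify_bundle(data, source, expected_sha256=None, allow_unverified=False):
    """Hash the raw bytes before any JSON parsing.

    Returns (observed_sha256, verified) so the caller can record whether
    the stored data was actually checked against a digest.
    """
    want = expected_digest(source, expected_sha256, allow_unverified)
    got = hashlib.sha256(data).hexdigest()
    if want is not None and not hmac.compare_digest(got, want):
        raise IntegrityError(f"sha256 mismatch for {source}: got {got}")
    return got, want is not None
```

The same function can be applied to a bundle read back from a local cache directory, so a cached file is held to the same digest as a fresh download.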
@@ -30,7 +30,7 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
|
||||
# Non-root user
|
||||
RUN groupadd --gid 10001 metamorph \
|
||||
&& useradd --uid 10001 --gid metamorph --shell /usr/sbin/nologin --create-home metamorph \
|
||||
&& mkdir -p /data/evidence \
|
||||
&& mkdir -p /data/evidence /data/mitre \
|
||||
&& chown -R metamorph:metamorph /data
|
||||
|
||||
COPY --from=deps /opt/venv /opt/venv
|
||||
|
||||
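Review bot: on the `mkdir -p /data/evidence /data/mitre` line, the new cache directory ends up owned and writable by the same `metamorph` account the application runs as (through the `chown -R metamorph:metamorph /data` that follows), so a bundle cached there should be re-hashed against the pinned sha256 every time it is loaded rather than trusted because it is local. This hunk cannot show that, so please confirm it in mitre_seed.py. Two smaller points: the `# Non-root user` comment now also covers data-directory setup and could say so, and the build-time ownership only carries into a volume that Docker initialises from the image, so a pre-populated volume or a bind mount over /data/mitre would need its ownership set separately; a short note next to the compose mount would help.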