[SOAR-18821] joe sandbox issue with passing a sample (#3077) (#3078)

* Updated parameters and bumped SDK

* Refreshing the plugin

* Linting the unit test

plugins/joe_sandbox/.CHECKSUM

@@ -1,7 +1,7 @@
 {
-	"spec": "7c44d7ec555d0bf72ad65e02bb277cbc",
-	"manifest": "c6ce22bd383963cc96f5c7e9fe92d071",
-	"setup": "f0407b136e81ef2ace16e53ffdbc7ff8",
+	"spec": "5cfed2d6030225802d6a71f1920dc882",
+	"manifest": "cd604b540e9eb0b4cfa625072c405fe0",
+	"setup": "8bcad3fda51df4fbbce75c43dfc14a61",
 	"schemas": [
 		{
 			"identifier": "check_server_status/schema.py",
@@ -57,7 +57,7 @@
 		},
 		{
 			"identifier": "submit_sample/schema.py",
-			"hash": "1d67d8122b794bf07aab8d4e8278a4ae"
+			"hash": "a7bfbeee4afc2b28a6fd209db9ef0fac"
 		},
 		{
 			"identifier": "submit_sample_url/schema.py",

plugins/joe_sandbox/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:5.4.4
+FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.2.4
 
 LABEL organization=rapid7
 LABEL sdk=python

plugins/joe_sandbox/bin/icon_joe_sandbox

@@ -6,7 +6,7 @@ from sys import argv
 
 Name = "Joe Sandbox"
 Vendor = "rapid7"
-Version = "2.0.0"
+Version = "3.0.0"
 Description = "Joe Sandbox Cloud executes files and URLs fully automated in a controlled environment and monitors the behavior of applications and the operating system for suspicious activities"
 
 

plugins/joe_sandbox/icon_joe_sandbox/actions/get_submitted_info/action.py

@@ -8,7 +8,7 @@
 class GetSubmittedInfo(insightconnect_plugin_runtime.Action):
     def __init__(self):
         super(self.__class__, self).__init__(
-            name="get_submission_info",
+            name="get_submitted_info",
             description=Component.DESCRIPTION,
             input=GetSubmittedInfoInput(),
             output=GetSubmittedInfoOutput(),

plugins/joe_sandbox/icon_joe_sandbox/actions/submit_cookbook/action.py

@@ -1,3 +1,5 @@
+from io import BytesIO
+
 import insightconnect_plugin_runtime
 from .schema import SubmitCookbookInput, SubmitCookbookOutput, Input, Output, Component
 
@@ -26,15 +28,15 @@ def run(self, params={}):
         additional_parameters.update({"accept-tac": 1})
 
         try:
-            cookbook_bytes = b64decode(cookbook) if cookbook else None
+            cookbook_bytes = BytesIO(b64decode(cookbook)) if cookbook else None
         except binascii.Error:
             raise PluginException(
                 cause='Unable to decode base64 input for "cookbook". ',
                 assistance="Contents of the file must be encoded with base64!",
             )
 
         try:
-            webids = self.connection.api.submit_cookbook(cookbook_bytes, parameters, additional_parameters)
+            submission_id = self.connection.api.submit_cookbook(cookbook_bytes, parameters, additional_parameters)
         except jbxapi.MissingParameterError as error:
             raise ConnectionTestException(
                 cause=f"An error occurred: {error}",
@@ -48,4 +50,4 @@ def run(self, params={}):
                 assistance="If the issue persists please contact support.",
             )
 
-        return {Output.SUBMISSION_ID: webids.get("submission_id")}
+        return {Output.SUBMISSION_ID: submission_id.get("submission_id")}

plugins/joe_sandbox/icon_joe_sandbox/actions/submit_sample/action.py

@@ -1,3 +1,5 @@
+from io import BytesIO
+
 import insightconnect_plugin_runtime
 from .schema import SubmitSampleInput, SubmitSampleOutput, Input, Output, Component
 
@@ -28,15 +30,15 @@ def run(self, params={}):
         if "hybrid-decompilation" not in additional_parameters:
             additional_parameters.update({"hybrid-decompilation": 0})
         try:
-            sample_bytes = b64decode(sample)
+            sample_bytes = BytesIO(b64decode(sample))
         except binascii.Error:
             raise PluginException(
                 cause='Unable to decode base64 input for "sample". ',
                 assistance="Contents of the file must be encoded with base64!",
             )
 
         try:
-            cookbook_bytes = b64decode(cookbook) if cookbook else None
+            cookbook_bytes = BytesIO(b64decode(cookbook)) if cookbook else None
         except binascii.Error:
             raise PluginException(
                 cause='Unable to decode base64 input for "cookbook". ',
@@ -45,8 +47,15 @@ def run(self, params={}):
 
         if filename:
             sample_tuple = (filename, sample_bytes)
-            webids = self.connection.api.submit_sample(sample_tuple, cookbook_bytes, parameters, additional_parameters)
+            submission_id = self.connection.api.submit_sample(
+                sample_tuple, cookbook_bytes, parameters, additional_parameters
+            )
         else:
-            webids = self.connection.api.submit_sample(sample_bytes, cookbook_bytes, parameters, additional_parameters)
+            submission_id = self.connection.api.submit_sample(
+                sample_bytes, cookbook_bytes, parameters, additional_parameters
+            )
+
+        submission_id_object = submission_id.get("submission_id")
+        self.logger.info(f"submission_id {submission_id_object}")
 
-        return {Output.WEBIDS: webids}
+        return {Output.SUBMISSION_ID: submission_id_object}

plugins/joe_sandbox/icon_joe_sandbox/actions/submit_sample/schema.py

@@ -16,7 +16,7 @@ class Input:
 
 
 class Output:
-    WEBIDS = "webids"
+    SUBMISSION_ID = "submission_id"
 
 
 class SubmitSampleInput(insightconnect_plugin_runtime.Input):
@@ -77,18 +77,15 @@ class SubmitSampleOutput(insightconnect_plugin_runtime.Output):
   "type": "object",
   "title": "Variables",
   "properties": {
-    "webids": {
-      "type": "array",
-      "title": "Web IDs",
-      "description": "Web IDs associated with the sample",
-      "items": {
-        "type": "string"
-      },
+    "submission_id": {
+      "type": "string",
+      "title": "Submission ID",
+      "description": "Submission ID associated with the sample",
       "order": 1
     }
   },
   "required": [
-    "webids"
+    "submission_id"
   ],
   "definitions": {}
 }

plugins/joe_sandbox/plugin.spec.yaml

@@ -6,13 +6,13 @@ title: Joe Sandbox
 description: Joe Sandbox Cloud executes files and URLs fully automated in a controlled
   environment and monitors the behavior of applications and the operating system for
   suspicious activities
-version: 2.0.0
+version: 3.0.0
 supported_versions: ['Joe Sandbox API v2']
 connection_version: 2
 requirements: ["API Key", "Sandbox server (if not using cloud)"]
 sdk:
   type: slim
-  version: 5.4.4
+  version: 6.2.4
   user: nobody
 vendor: rapid7
 support: community
@@ -34,6 +34,20 @@ hub_tags:
   use_cases: [application_management, cloud_security, reporting_and_analytics]
   keywords: [sandbox, malware, analysis]
   features: [sandbox, analysis]
+version_history:
+  - "3.0.0 - Buffering encoded strings and fixing issues related to the actions | Updated SDK to 6.2.4 version"
+  - "2.0.0 - Update `jbxapi` dependency | `List Keyboard Layouts` - Renamed to `List Languages and Locales` | Updated SDK | `Get Submitted Info` - New action"
+  - "1.0.4 - Add extra optional input for Submit Sample action"
+  - "1.0.3 - Add example inputs"
+  - "1.0.2 - Fix misspelling in error message | Remove generic 'automation' keyword"
+  - "1.0.1 - New spec and help.md format for the Extension Library"
+  - "1.0.0 - Initial plugin"
+links:
+  - "[Joe Sandbox](https://www.joesecurity.org)"
+references:
+  - "[Joe Sandbox API](https://jbxcloud.joesecurity.org/userguide?sphinxurl=usage%2Fwebapi.html)"
+  - "[Joe Sandbox API wrapper](https://github.com/joesecurity/jbxapi)"
+  - "[Report formats](https://jbxcloud.joesecurity.org/userguide?sphinxurl=usage/reportformats.html)"
 types:
   system:
     name:
@@ -338,11 +352,11 @@ actions:
         required: false
         example: '{ "accept-tac": 1, "url-reputation": 0, "export-to-jbxview": 1, "delete-after-days": 30 }'
     output:
-      webids:
-        title: Web IDs
-        description: Web IDs associated with the sample
-        type: "[]string"
-        example: ["1234567", "7654321"]
+      submission_id:
+        title: Submission ID
+        description: Submission ID associated with the sample
+        type: string
+        example: "1234567"
         required: true
   submit_sample_url:
     title: Submit Sample URL

plugins/joe_sandbox/setup.py

@@ -3,7 +3,7 @@
 
 
 setup(name="joe_sandbox-rapid7-plugin",
-      version="2.0.0",
+      version="3.0.0",
       description="Joe Sandbox Cloud executes files and URLs fully automated in a controlled environment and monitors the behavior of applications and the operating system for suspicious activities",
       author="rapid7",
       author_email="",

plugins/joe_sandbox/unit_test/mock.py

@@ -57,6 +57,12 @@ def mock_conditions(url: str, status_code: int) -> MockResponse:
         return MockResponse("get_server_info", status_code)
     if url == "https://example.com/v2/submission/info":
         return MockResponse("get_submitted_info", status_code)
+    if url == "https://example.com/v2/submission/new":
+        return MockResponse("submit_sample", status_code)
+    if url == "https://example.com/v2/submission/chunked-sample":
+        return MockResponse("chunked_sample", status_code)
+    if url == "https://example.com/v2/submission/info":
+        return MockResponse("get_submitted_info", status_code)
     if url == "https://example.com/v2/analysis/list":
         return MockResponse("list_analysis", status_code)
     if url == "https://example.com/v2/server/lia_countries":

plugins/joe_sandbox/unit_test/responses/chunked_sample.json.resp

@@ -0,0 +1,6 @@
+{
+  "data": {
+    "apikey": "abcdef",
+    "submission_id": "12345"
+  }
+}

plugins/joe_sandbox/unit_test/responses/get_submitted_info.json.resp

@@ -0,0 +1,57 @@
+{
+  "data": {
+    "submission_info": {
+      "analyses": [
+        {
+          "analysisid": "1111",
+          "classification": "",
+          "comments": "",
+          "detection": "clean",
+          "duration": 595,
+          "encrypted": false,
+          "filename": "test.csv",
+          "has_malwareconfig": false,
+          "md5": "df7761075b3e745e58ae6c9607721d04",
+          "runs": [
+            {
+              "detection": "clean",
+              "error": null,
+              "score": 0,
+              "sigma": false,
+              "suricata": false,
+              "system": "w10x64_21h1_office",
+              "yara": false
+            },
+            {
+              "detection": "clean",
+              "error": null,
+              "score": 0,
+              "sigma": false,
+              "suricata": false,
+              "system": "w7x64_office",
+              "yara": false
+            }
+          ],
+          "score": 0,
+          "scriptname": "default.jbs",
+          "sha1": "111",
+          "sha256": "1111",
+          "status": "finished",
+          "tags": [],
+          "threatname": "",
+          "time": "2025-02-04T15:44:08+01:00",
+          "webid": "1111"
+        }
+      ],
+      "most_relevant_analysis": {
+        "detection": "clean",
+        "score": 0,
+        "webid": "1111"
+      },
+      "name": "test.csv",
+      "status": "finished",
+      "submission_id": "12345",
+      "time": "2025-02-04T15:44:06+01:00"
+    }
+  }
+}

plugins/joe_sandbox/unit_test/responses/submit_sample.json.resp

@@ -0,0 +1,5 @@
+{
+  "data": {
+    "submission_id": "12345"
+  }
+}

plugins/joe_sandbox/unit_test/test_get_submitted_info.py

@@ -0,0 +1,88 @@
+import sys
+import os
+
+sys.path.append(os.path.abspath("../"))
+
+from unittest import TestCase
+from unittest.mock import patch
+from icon_joe_sandbox.actions.get_submitted_info.action import GetSubmittedInfo
+from icon_joe_sandbox.actions.get_submitted_info.schema import Input, Output
+from jsonschema import validate
+from mock import Util, mock_request_200, mocked_request, MagicMock
+
+
+class TestGetSubmittedInfo(TestCase):
+    @patch("requests.request", side_effect=mock_request_200)
+    def setUp(self, mock_client) -> None:
+        self.action = Util.default_connector(GetSubmittedInfo())
+        self.params = {Input.SUBMISSION_ID: "12345"}
+
+    @patch("requests.request", side_effect=mock_request_200)
+    def test_get_submitted_info(self, mock_get) -> None:
+        mocked_request(mock_get)
+        response = self.action.run(self.params)
+        expected = {
+            Output.SUBMISSION_INFO: {
+                "submission_info": {
+                    "analyses": [
+                        {
+                            "analysisid": "1111",
+                            "classification": "",
+                            "comments": "",
+                            "detection": "clean",
+                            "duration": 595,
+                            "encrypted": False,
+                            "filename": "test.csv",
+                            "has_malwareconfig": False,
+                            "md5": "df7761075b3e745e58ae6c9607721d04",
+                            "runs": [
+                                {
+                                    "detection": "clean",
+                                    "error": None,
+                                    "score": 0,
+                                    "sigma": False,
+                                    "suricata": False,
+                                    "system": "w10x64_21h1_office",
+                                    "yara": False,
+                                },
+                                {
+                                    "detection": "clean",
+                                    "error": None,
+                                    "score": 0,
+                                    "sigma": False,
+                                    "suricata": False,
+                                    "system": "w7x64_office",
+                                    "yara": False,
+                                },
+                            ],
+                            "score": 0,
+                            "scriptname": "default.jbs",
+                            "sha1": "111",
+                            "sha256": "1111",
+                            "status": "finished",
+                            "tags": [],
+                            "threatname": "",
+                            "time": "2025-02-04T15:44:08+01:00",
+                            "webid": "1111",
+                        }
+                    ],
+                    "most_relevant_analysis": {
+                        "detection": "clean",
+                        "score": 0,
+                        "webid": "1111",
+                    },
+                    "name": "test.csv",
+                    "status": "finished",
+                    "submission_id": "12345",
+                    "time": "2025-02-04T15:44:06+01:00",
+                },
+                "most_relevant_analysis": {
+                    "webid": "running",
+                    "detection": "running",
+                    "score": "running",
+                },
+            }
+        }
+
+        validate(response, self.action.output.schema)
+        self.assertEqual(response, expected)