-
Notifications
You must be signed in to change notification settings - Fork 18
Proposal: Deprecate MAEC Container
Status: CLOSED
Comment Period Closes: August 20th, 2015
Affects Backwards Compatibility: Yes
Relevant Issues: https://github.com/MAECProject/schemas/issues/103
The MAEC Container was created to support the notional use case of needing to embed multiple MAEC Packages in a single document. However, there are simpler options for supporting multiple MAEC Packages.
This proposal is related to the following proposed change to the schema: https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle-(as-output-format)
Because there is no strong use case for the MAEC Container output format, we propose simplifying MAEC by deprecating the MAEC Container (we've also proposed that the MAEC Bundle be deprecated). As a result, the MAEC Package would be the only MAEC output format available.
The deprecation would involve removing the MAEC Container schema and output format.
In addition, a new top level MAEC_Packages
field (of new type MAECPackageListType
) could possibly be added to the MAEC Package schema in order to capture multiple MAEC Packages in a single Package document.
Field | Type | Multiplicity | Description |
---|---|---|---|
MAEC_Packages | MAECPackageListType |
0-1 | The MAEC_Packages field captures the set of one or more MAEC Packages contained in the Package document. |
Accordingly, the MAECPackageListType
would have the following structure:
Field | Type | Multiplicity | Description |
---|---|---|---|
MAEC_Package | PackageType |
0-N | The MAEC_Package field specifies a single MAEC Package. |
<maecPackage:MAEC_Packages>
<maecPackage:MAEC_Package id="maec-test-pkg-1" schema_version="5.0">
<maecPackage:Objects>
...
</maecPackage:Objects>
<maecPackage:Malware_Subjects>
...
</maecPackage:Malware_Subjects>
</maecPackage:MAEC_Package>
<maecPackage:MAEC_Package id="maec-test-pkg-2" schema_version="5.0">
<maecPackage:Malware_Subjects>
<maecPackage:Malware_Subject>
...
</maecPackage:Malware_Subject>
</maecPackage:Malware_Subjects>
</maecPackage:MAEC_Package>
</maecPackage:MAEC_Packages>
This change will not be backward compatible and is one of several revisions planned in the new major version.
- Does the proposed deprecation of the MAEC Container make sense?
- Is it necessary to support the capture of multiple MAEC Packages?
- If so, is the proposed capture in a single Package document reasonable?
- Are there alternative solutions?