Proposal: Deprecate MAEC Container

Ivan Kirillov edited this page Aug 24, 2015 · 19 revisions

Status: CLOSED
Comment Period Closes: August 20th, 2015
Affects Backwards Compatibility: Yes
Relevant Issues: https://github.com/MAECProject/schemas/issues/103

Background Information

The MAEC Container was created to support the notional use case of needing to embed multiple MAEC Packages in a single document. However, there are simpler options for supporting multiple MAEC Packages.

Related Proposals

This proposal is related to the following proposed change to the schema: https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle-(as-output-format)

Proposal

Because there is no strong use case for the MAEC Container output format, we propose simplifying MAEC by deprecating the MAEC Container (we've also proposed that the MAEC Bundle be deprecated). As a result, the MAEC Package would be the only MAEC output format available.

The deprecation would involve removing the MAEC Container schema and output format.

In addition, a new top-level MAEC_Packages field (of new type MAECPackageListType) could be added to the MAEC Package schema to capture multiple MAEC Packages in a single Package document.

| Field | Type | Multiplicity | Description |
| --- | --- | --- | --- |
| MAEC_Packages | MAECPackageListType | 0-1 | The MAEC_Packages field captures the set of one or more MAEC Packages contained in the Package document. |

Accordingly, the MAECPackageListType would have the following structure:

| Field | Type | Multiplicity | Description |
| --- | --- | --- | --- |
| MAEC_Package | PackageType | 0-N | The MAEC_Package field specifies a single MAEC Package. |

Example

<maecPackage:MAEC_Packages>
  <maecPackage:MAEC_Package id="maec-test-pkg-1" schema_version="5.0">
    <maecPackage:Objects>
      ...
    </maecPackage:Objects>
    <maecPackage:Malware_Subjects>
      ...
    </maecPackage:Malware_Subjects>
  </maecPackage:MAEC_Package>
  <maecPackage:MAEC_Package id="maec-test-pkg-2" schema_version="5.0">
    <maecPackage:Malware_Subjects>
      <maecPackage:Malware_Subject>
        ...
      </maecPackage:Malware_Subject>
    </maecPackage:Malware_Subjects>
  </maecPackage:MAEC_Package>
</maecPackage:MAEC_Packages>
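
A consumer of the proposed layout has to accept both a single MAEC_Package root and the new MAEC_Packages list, and should check that package ids do not collide within one document. The following is an added example, not code from the MAEC project; the namespace URI is a placeholder and the function name `list_packages` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Assumption: placeholder namespace URI; the page does not state the real one.
NS = "urn:example:maec-package"
LIST_TAG, PKG_TAG = f"{{{NS}}}MAEC_Packages", f"{{{NS}}}MAEC_Package"

def list_packages(xml_bytes):
    """Return (id, schema_version, section names) for every MAEC Package.

    Accepts a single MAEC_Package root or the proposed MAEC_Packages list.
    """
    if b"<!DOCTYPE" in xml_bytes:
        # Package documents need no DTD; refuse it rather than parse entities.
        raise ValueError("DTD declarations are not accepted")
    root = ET.fromstring(xml_bytes)
    if root.tag == PKG_TAG:
        packages = [root]
    elif root.tag == LIST_TAG:
        packages = list(root)
        stray = [e.tag for e in packages if e.tag != PKG_TAG]
        if stray:
            raise ValueError(f"unexpected children in MAEC_Packages: {stray}")
    else:
        raise ValueError(f"unexpected root element: {root.tag}")
    seen, result = set(), []
    for pkg in packages:
        pkg_id = pkg.get("id")
        # Assumption: every package carries an id, as in the page's example.
        if not pkg_id or pkg_id in seen:
            raise ValueError(f"missing or duplicate package id: {pkg_id!r}")
        seen.add(pkg_id)
        sections = [child.tag.split("}", 1)[-1] for child in pkg]
        result.append((pkg_id, pkg.get("schema_version"), sections))
    return result

# Constructed sample mirroring the page's example, with elided bodies left empty.
SAMPLE = f"""<p:MAEC_Packages xmlns:p="{NS}">
  <p:MAEC_Package id="maec-test-pkg-1" schema_version="5.0">
    <p:Objects/>
    <p:Malware_Subjects/>
  </p:MAEC_Package>
  <p:MAEC_Package id="maec-test-pkg-2" schema_version="5.0">
    <p:Malware_Subjects/>
  </p:MAEC_Package>
</p:MAEC_Packages>""".encode()

if __name__ == "__main__":
    for entry in list_packages(SAMPLE):
        print(entry)
```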

Impact

This change will not be backward compatible and is one of several revisions planned in the new major version.

Requested Feedback

  1. Does the proposed deprecation of the MAEC Container make sense?
  2. Is it necessary to support the capture of multiple MAEC Packages?
  3. If so, is the proposed capture in a single Package document reasonable?
  4. Are there alternative solutions?