comparison¶
Transformation utilities for STIX pattern comparison expressions.
-
class
AbsorptionTransformer¶ Applies boolean “absorption” rules for AST simplification. E.g.:
A and (A or B) = A A or (A and B) = A-
transform_and(ast)¶
-
transform_or(ast)¶
-
-
class
ComparisonExpressionTransformer¶ Transformer base class with special support for transforming comparison expressions. The transform method implemented here performs a bottom-up in-place transformation, with support for some comparison expression-specific callbacks.
- Specifically, subclasses can implement methods:
- “transform_or” for OR nodes “transform_and” for AND nodes “transform_comparison” for plain comparison nodes (<prop> <op> <value>) “transform_default” for both types of nodes
“transform_default” is a fallback, if a type-specific callback is not found. The default implementation does nothing to the AST. The type-specific callbacks are preferred over the default, if both exist.
In all cases, the callbacks are called with an AST for a subtree rooted at the appropriate node type, where the subtree’s children have already been transformed. They must return the same thing as the base transform() method: a 2-tuple with the transformed AST and a boolean for change detection. See doc for the superclass’ method.
This process currently silently drops parenthetical nodes.
-
transform(ast)¶ Transform the given AST and return the resulting AST.
Parameters: ast – The AST to transform Returns: A 2-tuple: the transformed AST and a boolean indicating whether the transformation actually changed anything. The change detection is useful in situations where a transformation needs to be repeated until the AST stops changing.
-
transform_default(ast)¶ Override to handle transforming AST nodes which don’t have a more specific method implemented.
-
class
DNFTransformer¶ Convert a comparison expression AST to DNF. E.g.:
A and (B or C) => (A and B) or (A and C)-
transform_and(ast)¶
-
-
class
FlattenTransformer¶ Flatten all nodes of the AST. E.g.:
A and (B and C) => A and B and C A or (B or C) => A or B or C (A) => A-
transform_and(ast)¶
-
transform_or(ast)¶
-
-
class
OrderDedupeTransformer¶ Order the children of all nodes in the AST. Because the deduping algorithm is based on sorted data, this transformation also does deduping.
- E.g.:
- A and A => A A or A => A
-
transform_and(ast)¶
-
transform_or(ast)¶
-
class
SpecialValueCanonicalization¶ Try to find particular leaf-node comparison expressions whose rhs (i.e. the constant) can be canonicalized. This is an idiosyncratic transformation based on some ideas people had for context-sensitive semantic equivalence in constant values.
-
transform_comparison(ast)¶
-