[Bug] Analyzer reports migration to 4.1.10 problem

[mieczkowski]

Request Type

Bug

Work Environment

Question	Answer
TheHive version / git hash	4.1.10
Package Type	Docker
Database	Cassandra
Index type	Elasticsearch
Attachments storage	Local

Problem Description

After migration from TheHive 3.5.1 to 4.1.10 everything was migrated but reports from cortex are not visible in observables list:

instead of (hive3):

and in observable details we have all analyzers available to run, but existing reports are under some hash name:

Steps to Reproduce

1. Configure clean installation od hive4, configure cortex key and import cortex templates
2. Do migration...

[KRUXLEX]

@nadouani @ferozsalam @vdebergue @2xyo
Hi, we have same issue, please for fast response/fix for this.
We can't migrate without it

[mieczkowski]

Maybe here is the problem:

https://github.com/TheHive-Project/TheHive/blob/main/migration/src/main/scala/org/thp/thehive/migration/th3/Conversion.scala#L431

      workerId         <- (json \ "analyzerId").validate[String]
      workerName       <- (json \ "analyzerId").validate[String]
      workerDefinition <- (json \ "analyzerId").validate[String]

should be:

      workerId         <- (json \ "analyzerId").validate[String]
      workerName       <- (json \ "analyzerName").validate[String]
      workerDefinition <- (json \ "analyzerDefinition").validate[String]

I will try to test it

[mieczkowski]

Changing this json keys helped, reports are matched correctly, but report tags (taxonomies) are still unavailable. \

I think that they are not migrated because of:

(Json.parse(j) \ "full").asOpt[JsObject]

but I don't know how to fix this. Removing "full" have the same effect as with it.

[mieczkowski]

I've created pull request with analyzer report fix and with taxonomies migration.

[nadouani]

Hello, thanks for raising this issue, we will take a look and fix for 4.2