github MISP/misp-modules v3.0.3
MISP Modules v3.0.3 Release Notes (2025-11-19)

This release introduces several new modules and integrations and significant updates to vulnerability parsing, along with various fixes and improvements across the modules.

✨ New Features

  • Nextcloud Talk Action Module: A new action module has been added to integrate with Nextcloud Talk, developed during the 2025 hackathon.lu.
  • Any.Run Sandbox Integration: Implemented sandbox import and expansion modules, including an API wrapper, for enhanced integration with Any.Run.
  • AssemblyLine Module Updates & Refactor: Enhanced the AssemblyLine module with a new API wrapper for improved authentication, submission handling, query management, and error handling.
  • OpenAPI Interface and Swagger UI: Added functionality to expose the OpenAPI specification and Swagger UI for the misp-modules service, improving API discoverability.
  • Rapid7 AttackerKB CVE Lookup Module: Integrated a new expansion module for looking up CVE information using Rapid7 AttackerKB.
  • SophosLabs Intelix Update: Fixed template issues, improved readability, and added region support to the SophosLabs Intelix Expansion module.
  • CrowdStrike Falcon Metadata Capture: Added basic metadata capture for the Falcon expansion module.

🚀 Enhancements & Changes

Vulnerability Parsing Updates

  • Expanded Vulnerability ID Support: The vulnerability_parser now supports GCVE, CERTFR, and CNVD vulnerability IDs.
  • Vulnerability-Lookup Integration: Improved integration with vulnerability-lookup by reusing the vulnerability object creation method to add a reference with the vulnerability ID to every created vulnerability object.
  • Better Description Parsing: Enhanced vulnerability description parsing from the fkie source.

General Improvements

  • Next-Gen Installation: Added the uv installation method to allow installing MISP Modules on systems that might not meet the required Python version dependencies.
  • Hostname Fix: Removed trailing dots from DNS records to ensure they are valid hostname MISP attributes.
  • Documentation & Workflow: Updates to documentation (mkdocs and general docs) and internal GitHub workflows, including Python 3.9 End-of-Life removal and handling for libpoppler dependencies.
  • Dependency Management: Bumped the poetry lock file with the latest versions.
  • Export Module Fixes: Fixed yara export in osqueryexport.py and added functions around various attributes (ip-dst, ip-src, filename, etc.).
  • Refactorings: Various code cleanup and refactorings, including for btc_steroids and virustotal.

🛠️ Key Fixes

  • API Configuration:
    • Fixed the urlhaus module by adding the missing auth_key argument to all parsers.
    • The expansion module now requires the auth_key configuration to connect to abuse.ch API services.
  • Module Logic & Validation:
    • Fixed a bug in crowdstrike_falcon (clean-up).
    • Fixed an issue in the anyrun module (empty f-string fix).
    • Fixed an issue in the cve module (typo for the logo).
    • Excluded private modules from validation in the is_valid_module function.
    • Resolved potential duplicates with references mentioned in the fkie description in the vulnerability parser.
    • Fixed missing config in url-import.
  • CSV Import: Added a missing field in the additional header and fixed a MISP Event variable name in csvimport.
  • Code Clean-up: Removed unused imports in assemblyline and fixed linter concerns for the new Nextcloud module.
  • Testing: Ensured Python files starting with _ are correctly excluded from tests.
