Skip to content

MISP Analyzer (misp:2 image) fails with 'input: null' and 'worker didn't generate output file' on Python 3.13.3 #1355

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
phub1123 opened this issue May 20, 2025 · 2 comments
Open

MISP Analyzer (misp:2 image) fails with 'input: null' and 'worker didn't generate output file' on Python 3.13.3 #1355

phub1123 opened this issue May 20, 2025 · 2 comments
Assignees
@nusantara-self
Milestone
3.5.13

Comments

@phub1123
Copy link

Describe the bug
The MISP_2_1 analyzer (using the ghcr.io/thehive-project/misp:2 Docker image, which internally uses Python 3.13.3 and PyMISP 2.5.10) consistently fails when run.
The job report in the Cortex UI shows "input": null and a FutureWarning related to pymisp usage:
/usr/local/lib/python3.13/site-packages/pymisp/__init__.py:67: FutureWarning: This class is deprecated, use PyMISP instead...
The backend Cortex logs (docker logs final_cortex.local_1) indicate that "[warn] o.t.c.s.DockerJobRunnerSrv - The worker didn't generate output file."
This occurs even when correctly selecting the Data Type (e.g., "ip") and providing valid input (e.g., "8.8.8.8") in the UI.
The Docker host machine running the Cortex container is also using Python 3.13.x.

To Reproduce
Steps to reproduce the behavior:

  1. Ensure Cortex and its dependencies (including the ghcr.io/thehive-project/misp:2 analyzer image) are running in a Docker environment.
  2. Navigate to the "Analyzers" page in the Cortex UI.
  3. Select the MISP_2_1 analyzer.
  4. Click the "Run analysis" button (play icon).
  5. In the "Run analysis" dialog:
    a. Set TLP (e.g., AMBER).
    b. Set PAP (e.g., AMBER).
    c. Select Data Type: ip.
    d. Enter Data: 8.8.8.8.
  6. Click "Start".
  7. Observe the job in "Jobs History" shows "Failure".
  8. View the job report, which shows "input": null and the FutureWarning.

Expected behavior
The MISP_2_1 analyzer should:

  1. Successfully receive the input observable (e.g., 8.8.8.8).
  2. Query the configured MISP instance.
  3. Generate an output report file.
  4. Show a "Success" status in the Cortex "Jobs History" with a meaningful report (e.g., "No results found" or details of MISP events if the IP is present).

Complementary information

  • UI Job Report Screenshot (showing input: null and FutureWarning): [Link to your screenshot if you can upload it somewhere, or describe it as previously provided] You can describe: "As seen in previous screenshots, the job report JSON contains \"input\": null and the FutureWarning..."
  • Relevant Docker logs from final_cortex.local_1: 
    [info] o.t.c.s.JobSrv - Looking for similar job in the last 10 minutes (worker=a9f0dc192a18876bb0abe99677334132, dataType=ip, data=Left(8.8.8.8), tlp=2, parameters={})
...
[info] o.t.c.s.DockerJobRunnerSrv - Execute container f8e0f858533fcf96dd64d375b4ae28e80ace0bd3882cf2f542b0eaae43ac7c73
  timeout: 30 minutes
  image  : ghcr.io/thehive-project/misp:2
  volume : /tmp/cortex-jobs/cortex-job-s9c37JYBBAXVpzhgnmTo-11309280436449689568:/job
...
[warn] o.t.c.s.DockerJobRunnerSrv - The worker didn't generate output file.
[info] o.t.c.s.JobSrv - Job s9c37JYBBAXVpzhgnmTo has finished with status Failure
  • Python and PyMISP versions inside ghcr.io/thehive-project/misp:2 Docker image: (If you managed to get these, add them here. E.g., "Python version inside image: 3.x.x", "PyMISP version inside image: y.y.y") This is very valuable if you can get it.

Work environment

  • Client OS: [Your OS, e.g., Ubuntu 22.04, Windows 10, macOS Sonoma]
  • Server OS: [OS running Docker, e.g., Ubuntu 22.04 - likely same as your client for soc-Veriton-S2690G-D22E2]
  • Browser type and version: [Your Browser, e.g., Chrome 120.0.x.x, Firefox 119.x]
  • Cortex version: 3.1.8-1 (from UI screenshot)
  • Cortex Analyzer/Responder name: MISP
  • Cortex Analyzer/Responder version: 2.1 (from UI list of analyzers)
  • Additional Environment Details:
    • Cortex Docker Image: thehiveproject/cortex:latest (Container name final_cortex.local_1)
    • MISP Analyzer Docker Image: ghcr.io/thehive-project/misp:2
    • Python version on the Docker host machine: [Be specific, e.g., Python 3.13.0, 3.13.1]
  • Python and PyMISP versions inside ghcr.io/thehive-project/misp:2 Docker image:
    • Python version inside image: 3.13.3
    • PyMISP version inside image: 2.5.10
@nusantara-self
Copy link
Contributor

Hello @phub1123,

Thanks a lot for bringing this issue to our attention with such detail, I am going to review it and propose a solution in the next release very soon.

Fabien

@nusantara-self nusantara-self added this to the 3.5.13 milestone May 21, 2025
@nusantara-self nusantara-self self-assigned this May 21, 2025
@nusantara-self
Copy link
Contributor

Hello @phub1123, there's a possibility this was incompatibility between python version 3.13 and PyMISP <=2.5.12. I've rebuilt the image with latest 2.5.12 which may fix those issues.

Feel free to let me know if that fixed it, I'll try testing it later on.

Fabien

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nusantara-self nusantara-self

Labels
None yet
Projects
None yet
Milestone
3.5.13
Development

No branches or pull requests
2 participants
@nusantara-self @phub1123