All, An issue was opened that rightfully pointed out that we are not consistent in our use of referencing operating systems between the Malware and Malware-Analysis objects. We would like to fix this since both of these were added for this release. What we are thinking is making both of them point to a SCO software object and adding the SWID/COSWID property to the software object. Further, we would make the property names consistent. This will make the consistent across these two objects. Please let us know if you have any concerns with making this change. Need to make representation of operating system consistent across objects #220
https://github.com/oasis-tcs/cti-stix2/issues/220 From Malware: os_execution_envs (optional) list of type string The operating systems that the malware family or malware instance is executable on. Each string value for this property SHOULD be a CPE v2.3 entry from the official NVD CPE Dictionary [ NVD ] . This property MAY include custom values including values taken from other standards such as SWID [ SWID ]. From Malware Analysis: operating_system_ref (optional) identifier The operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. Thanks, Bret PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."