{"id":5071,"library":"stix2","title":"STIX 2 Python Library","description":"The stix2 Python library provides APIs for serializing and de-serializing STIX 2 JSON content, enabling users to produce, consume, and process cyber threat intelligence. It supports multiple versions of the STIX 2 Technical Specification, currently STIX 2.1. The library, currently at version 3.0.2, is actively maintained by the OASIS Cyber Threat Intelligence (CTI) Technical Committee, with releases typically driven by STIX specification updates and bug fixes.","status":"active","version":"3.0.2","language":"en","source_language":"en","source_url":"https://github.com/oasis-open/cti-python-stix2","tags":["stix","cybersecurity","threat intelligence","cti","oasis"],"install":[{"cmd":"pip install stix2","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Required Python version.","package":"python","version":">=3.10","optional":false}],"imports":[{"note":"Implicit imports can break across major releases as the default STIX version supported by the library may change. 
It's recommended to import specific classes or explicitly reference versioned modules (e.g., `stix2.v21.Indicator`).","wrong":"import stix2\nobj = stix2.Indicator()","symbol":"Indicator","correct":"from stix2 import Indicator"},{"symbol":"parse","correct":"from stix2 import parse"},{"symbol":"serialize","correct":"from stix2.serialization import serialize"},{"symbol":"v21 (for explicit versioning)","correct":"from stix2 import v21\nobj = v21.Indicator()"}],"quickstart":{"code":"from stix2 import Indicator, parse\nfrom stix2.serialization import serialize\nfrom datetime import datetime, timezone\n\n# Create a STIX Indicator object\nindicator = Indicator(\n    name=\"File hash for malware variant\",\n    indicator_types=[\"malicious-activity\"],\n    pattern_type=\"stix\",\n    pattern=\"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n    valid_from=datetime.now(timezone.utc)\n)\n\n# Serialize the STIX object to JSON\nserialized_indicator = serialize(indicator, pretty=True)\nprint(\"\\nSerialized Indicator:\")\nprint(serialized_indicator)\n\n# Parse a STIX JSON string back into a Python object\njson_string = '''{\n    \"type\": \"indicator\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"indicator--dbcbd659-c927-4f9a-994f-0a2632274394\",\n    \"created\": \"2017-09-26T23:33:39.829Z\",\n    \"modified\": \"2017-09-26T23:33:39.829Z\",\n    \"name\": \"Another malware hash\",\n    \"indicator_types\": [\"malicious-activity\"],\n    \"pattern_type\": \"stix\",\n    \"pattern_version\": \"2.1\",\n    \"pattern\": \"[file:hashes.md5 = 'abcdef1234567890abcdef1234567890']\",\n    \"valid_from\": \"2017-09-26T23:33:39.829952Z\"\n}'''\nparsed_indicator = parse(json_string)\nprint(\"\\nParsed Indicator Name:\", parsed_indicator.name)\n","lang":"python","description":"This quickstart demonstrates how to create a STIX Indicator object, serialize it to pretty-printed JSON, and parse a STIX JSON string back into a Python object. 
It uses the `Indicator` class for object creation and `serialize` and `parse` functions for data interchange."},"warnings":[{"fix":"Upgrade your Python environment to 3.10 or newer. Ensure your `pyproject.toml` or `setup.py` reflects this requirement.","message":"The `stix2` library now requires Python 3.10 or higher. Older Python versions are no longer supported.","severity":"breaking","affected_versions":"3.0.0 and later"},{"fix":"Explicitly import specific STIX object types (e.g., `from stix2 import Indicator`) or specify the STIX version using versioned modules (e.g., `from stix2 import v21; obj = v21.Indicator()`).","message":"Implicit imports (e.g., `import stix2; stix2.Indicator()`) can lead to breaking changes across major releases of `stix2` as the default STIX specification version supported by the library may be updated.","severity":"breaking","affected_versions":"All major versions (e.g., between v2.x and v3.x)"},{"fix":"For new custom content, define and use STIX Extensions instead of directly adding custom properties. Refer to the `stix2` documentation on custom content and extensions.","message":"Custom properties in STIX 2.0 were deprecated in STIX 2.1 in favor of the `property-extension` mechanism. While the library supports parsing old custom properties for backward compatibility, new content should use extensions.","severity":"deprecated","affected_versions":"STIX 2.1 specification and `stix2` library versions supporting it (v3.0.0+)"},{"fix":"To 'modify' an object, create a new object instance with the desired changes, often leveraging the `new_version()` method for versioning STIX objects appropriately.","message":"STIX objects created with the `stix2` library are immutable by design. All properties must be provided during object instantiation and cannot be changed afterward.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Be aware of the ID generation behavior when creating and versioning objects, especially SCOs. 
If an SCO's ID-contributing properties change, it's considered a new object, not a minor version update.","message":"ID generation differs between STIX Domain Objects (SDOs) and STIX Relationship Objects (SROs) which use random v4 UUIDs, and STIX Cyber Observable Objects (SCOs) which use deterministic v5 UUIDs. Changing ID-contributing properties for an SCO will result in a new ID.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure your codebase is fully Python 3 compatible and no longer relies on `six` for `stix2`-related operations. This change supports the library's Python 3.10+ requirement.","message":"The `six` compatibility library dependency was dropped in `stix2` v3.0.0. This might affect applications relying on `six` for Python 2/3 compatibility within their `stix2` integration.","severity":"breaking","affected_versions":"3.0.0 and later"}],"env_vars":null,"last_verified":"2026-04-12T00:00:00.000Z","next_check":"2026-07-11T00:00:00.000Z"}