When exporting a STIX bundle, the system should not include objects that are missing an ATT&CK ID

[ElJocko]

Downstream tools (e.g., Navigator and the ATT&CK website) require that all objects of the main ATT&CK object types have an ATT&CK ID. The REST API should enforce this by default when exporting a STIX bundle.

This requirement applies to the following object types:

• data sources
• groups
• matrices
• mitigations
• software (tools and malware)
• tactics
• techniques

Note that this has the potential to leave dangling references in the exported bundle if a relationship references an object that does not have an ATT&CK ID (relationships reference objects using the object's stix.id property).

This behavior will be the default for the GET /api/stix-bundles endpoint.

The system must also support a new query string parameter (includeMissingAttackId) for this endpoint that will allow a client to request that all objects be included in the exported bundle, even if they do not have an ATT&CK ID. This will support future uses of the export capability.

GET /api/stix-bundles?includeMissingAttackId=true