linter: validate ATT&CK categories and IDs

[williballenthin]

embed a snapshot of the mitre json to enable this check.

[mr-tz]

also do this for MBC, see related capa-rules PR mandiant/capa-rules#317

[kn0wl3dge]

I should be able to give a hand.

I can see multiples ways of achieving it and would like to know your perspectives and ideas on this.

• We could extract a JSON containing only the needed information and use it to lint the rules. However, it may be complicated to maintain over time…

• To avoid the maintaining cost, we can use TAXII and STIX format to query the last version of ATT&CK and MBC frameworks. But in order to work, capa will now need an internet connection.
  => Or we can make this check optional? What really matters is avoiding a typo before the merge. Since the CI of capa-rules repository is using the lint.py script, it will be able to do those checks.

[williballenthin]

I had in mind extracting the info into JSON (or similar) from the upstream ATT&CK project and storing this in/alongside lint.py. basically just a tree of valid namespaces/terms.

i agree it may periodically fall out of sync. however:

1. it should be obvious when this happens (maybe even call this out in the linter output), and the fix should be trivial (just regenerate/update the data structure), and
2. in theory we could regenerate the mapping in CI periodically, though I'm not sure if its worth the effort to implement.

that being said, i'm more interested in closing this issue than over-engineering the solution. so, please be encouraged to try whatever you think is best. (i don't mean to say that i don't care about code quality or architecture! i'd just rather have a fix that works pretty well than none at all :-) ).

[kn0wl3dge]

Thanks for your feedback!

I started working on it and will open a PR when it's done. Do not hesitate to assign me this issue as I am not able to do it myself.