Fix: HybridAnalysis hash search: switch POST to GET + add overview fallback (#2934)

[PranavShukla7]

Description

Fixes #2934

This PR updates the HybridAnalysis analyzer to support API changes introduced in
API v2.35.0, where the POST /search/hash endpoint was deprecated and replaced by a GET version.

The new GET endpoint returns a minimal response instead of a full SampleSummary.
To maintain backward compatibility, this PR adds a fallback request to
/overview/ to restore the previous output structure.

Type of change

• [✓] Bug fix (non-breaking change which fixes an issue).
• New feature (non-breaking change which adds functionality).
• Breaking change (fix or feature that would cause existing functionality to not work as expected).

Checklist

• [✓] I have read and understood the rules about how to Contribute to this project
• [✓] The pull request is for the branch develop
• A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
  • [✓] I strictly followed the documentation "How to create a Plugin"
  • Usage file was updated. A link to the PR to the docs repo has been added as a comment here.
  • Advanced-Usage was updated (in case the plugin provides additional optional configuration). A link to the PR to the docs repo has been added as a comment here.
  • I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
  • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
  • If you created a new analyzer and it is free (does not require any API key), please add it in the FREE_TO_USE_ANALYZERS playbook by following this guide.
  • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
  • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
  • If the plugin interacts with an external service, I have created an attribute called precisely url that contains this information. This is required for Health Checks (HEAD HTTP requests).
  • If the plugin requires mocked testing, _monkeypatch() was used in its class to apply the necessary decorators.
  • I have added that raw JSON sample to the MockUpResponse of the _monkeypatch() method. This serves us to provide a valid sample for testing.
  • I have created the corresponding DataModel for the new analyzer following the documentation
• [✓] I have inserted the copyright banner at the start of the file: # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl # See the file 'LICENSE' for copying permission.
• [✓] Please avoid adding new libraries as requirements whenever it is possible. Use new libraries only if strictly needed to solve the issue you are working for. In case of doubt, ask a maintainer permission to use a specific library.
• If external libraries/packages with restrictive licenses were added, they were added in the Legal Notice section.
• [✓] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
• I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
• If the GUI has been modified:
  • I have a provided a screenshot of the result in the PR.
  • I have created new frontend tests for the new component or updated existing ones.
• [✓] After you had submitted the PR, if DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.

[PranavShukla7]

Hey @mlodic ,
I’ve updated the analyzer to use the GET version of /search/hash as required by the recent Hybrid Analysis changes, and added a fallback to the overview/{sha256} endpoint to preserve full results when only minimal hashes are returned.

I’ve also refactored the logic into smaller helper functions to make the flow cleaner and easier to maintain.
Could you please review the changes and let me know if anything needs adjustment?

[mlodic]

can you please show us the output from this analyzer from the GUI?

[mlodic]

it seems fine, can you please provide 3 examples of execution with real data:

• 1 with hash and minimal result
• 1 with hash and full result
• 1 for a domain
  This fasten our review because we need to have proof that this works in this platform too and not only in the unitests

[mlodic]

we are not using monkeypatch anymore, you can change the related test here: https://github.com/intelowlproject/IntelOwl/blob/develop/tests/api_app/analyzers_manager/unit_tests/observable_analyzers/test_ha_get.py

[PranavShukla7]

Thanks for the clarification
Since we’re no longer using monkeypatch for this analyzer, I can update the related unit test to use standard request mocking instead.

Before I proceed, just wanted to confirm with you: should I completely remove the monkeypatch logic and adapt the test to validate the analyzer behavior using regular mocked HTTP responses?

[fgibertoni]

Yes that's correct. You can take a look at other existing tests for other analyzers as example.

[fgibertoni]

I do like the general approach of using functions.
If you're performing more than one call to APIs per analyzer run I think it would be better to use a Session object, just to make things more clear. Let me know what you think :)

[fgibertoni]

I think this can be left as pass. Have you changed it for any particular reason?

[PranavShukla7]

I’ve updated the update() method to return True instead of pass.
This matches the expected analyzer interface, where update() should explicitly signal a successful metadata update (even though it’s a no-op for this analyzer).
Let me know if you’d prefer a different behavior here.

[fgibertoni]

I'd prefer to leave it as pass as every other analyzer if that's not a problem 😃

[github-actions]

This pull request has been marked as stale because it has had no activity for 10 days. If you are still working on this, please provide some updates or it will be closed in 5 days.

[fgibertoni]

Hey @PranavShukla7 any updates?

[PranavShukla7]

@fgibertoni yes i need some time please...will do it by the end of the week

[fgibertoni]

Sure, no hurries. Just to be sure you're still working on it 😄

[PranavShukla7]

@fgibertoni that makes sense
I thought about using a Session, but since the analyzer only runs a small, short-lived set of requests per execution, I kept it simple with plain requests for now.

That said, I’m totally open to switching to a Session if you feel it improves clarity or consistency with the rest of the codebase

[fgibertoni]

Ok I understand your point, no problem in leaving it as single requests.