From 201660af36fb8b07b3551003cc551d473f9ee669 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 24 Feb 2026 13:54:46 -0500
Subject: [PATCH] [Bug] Adding Deprecated Rules to Rules Package Breaks Current Package Build (#5773)

* applying patch fix for historical rules and deprecated JSON object
---------
Co-authored-by: eric-forte-elastic
---
 detection_rules/integrations.py | 19 +++++++++++--------
 pyproject.toml | 2 +-
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py
index 5cbeff140..eb66d3b0b 100644
--- a/detection_rules/integrations.py
+++ b/detection_rules/integrations.py
@@ -474,7 +474,7 @@ class SecurityDetectionEngine:

 def keep_latest_versions(
 self,
- assets: dict[str, Any],
+ assets: dict[str, dict[str, Any]],
 num_versions: int = DEFAULT_MAX_RULE_VERSIONS,
 ) -> dict[str, Any]:
 """Keeps only the latest N versions of each rule to limit historical rule versions in our release package."""
@@ -482,15 +482,18 @@ class SecurityDetectionEngine:
 # Dictionary to hold the sorted list of versions for each base rule ID
 rule_versions: dict[str, list[tuple[int, str]]] = defaultdict(list)

- # Separate rule ID and version, and group by base rule ID
- for key in assets:
- base_id, version = assets[key]["attributes"]["rule_id"], assets[key]["attributes"]["version"]
- version = int(version) # Convert version to an integer for sorting
- rule_versions[base_id].append((version, key))
-
- # Dictionary to hold the final assets with only the specified number of latest versions
+ # Only version-limit assets that look like rules (have attributes.rule_id and attributes.version).
+ # Other JSON assets in the package (e.g. manifest) are skipped; add_historical_rules expects only rules.
 filtered_assets: dict[str, Any] = {}

+ for key, asset in assets.items():
+ attrs = asset.get("attributes")
+ if not attrs or "rule_id" not in attrs or "version" not in attrs:
+ continue
+ base_id = attrs["rule_id"]
+ version = int(attrs["version"])
+ rule_versions[base_id].append((version, key))
+
 # Keep only the last/latest num_versions versions for each rule
 # Sort versions and take the last num_versions
 # Add the latest versions of the rule to the filtered assets
diff --git a/pyproject.toml b/pyproject.toml
index fbe6a1175..b2ada5c48 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.48"
+version = "1.5.49"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
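Review bot: In `keep_latest_versions` (detection_rules/integrations.py, the hunk at -482), the new `continue` discards every asset lacking `attributes.rule_id` or `attributes.version` without any log line or count, so a rule asset that is merely malformed is indistinguishable from the manifest or deprecated-rules object and presumably never reaches `filtered_assets`, which the code after this hunk appears to build from `rule_versions`. For a detection-content package that is a quiet coverage gap; I would record each skipped `key` before the `continue`, through whatever mechanism the module already uses to report build warnings, so a release build shows what was left out. The guard also leans on the tightened annotation rather than a runtime check: a top-level asset that is not a dict fails on `asset.get`, and a non-numeric version raises in `int(attrs["version"])` without naming the offending key, so a test such as `if not isinstance(asset, dict) or not isinstance(asset.get("attributes"), dict): continue` ahead of the key checks would make the skip match what the added comment promises. The function starts in the previous hunk and its filtering loop lies outside this one.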