security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add test_min_stack_version_supported testcase (#5077)

Browse Source
This commit is contained in:
shashank-elastic
2025-09-10 20:12:36 +05:30
committed by GitHub
parent c6406e97c2
commit a6dfd2c0e1
2 changed files with 25 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pyproject.toml
+1 -1
View File
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.3.31"
version = "1.3.32"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
tests/test_all_rules.py
+24 -1
View File
@@ -36,7 +36,7 @@ from detection_rules.rule import (
from detection_rules.rule_loader import FILE_PATTERN, RULES_CONFIG
from detection_rules.rule_validators import EQLValidator, KQLValidator
from detection_rules.schemas import definitions, get_min_supported_stack_version, get_stack_schemas
from detection_rules.utils import INTEGRATION_RULE_DIR, PatchedTemplate, get_path, make_git
from detection_rules.utils import INTEGRATION_RULE_DIR, PatchedTemplate, get_path, load_etc_dump, make_git
from detection_rules.version_lock import loaded_version_lock
from .base import BaseRuleTest
@@ -1040,6 +1040,29 @@ class TestRuleMetadata(BaseRuleTest):
if validation_integrations_check and "event.dataset" in rule.contents.data.query:
raise validation_integrations_check
def test_min_stack_version_supported(self):
"""Test that rules have a min_stack_version that is supported in stack-schema-map.yaml."""
failures = []
# Load supported stack versions from stack-schema-map.yaml
stack_map = load_etc_dump(["stack-schema-map.yaml"])
# Get the minimum supported stack version as version object
min_supported = min(stack_map.keys(), key=lambda v: Version.parse(v))
# Load all production rules
for rule in self.all_rules:
min_stack_version = rule.contents.metadata.get("min_stack_version")
if not min_stack_version:
continue # skip rules without min_stack_version
# Compare versions using semantic versioning
if Version.parse(min_stack_version) < min_supported:
failures.append(
f"{self.rule_str(rule)} min_stack_version={min_stack_version} < supported={min_supported}"
)
if failures:
fail_msg = "The following rules have min_stack_version lower than the minimum supported in stack-schema-map.yaml:\n"
self.fail(fail_msg + "\n".join(failures))
class TestIntegrationRules(BaseRuleTest):
"""Test integration rules."""