Skip to content

Add test_min_stack_version_supported testcase #5077

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Sep 10, 2025
Merged

Add test_min_stack_version_supported testcase #5077

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
2cfe620
Add test_min_stack_version_supported testcase
shashank-elastic Sep 10, 2025
b5fcfd9
Optimise Code
shashank-elastic Sep 10, 2025
6e58b55
Fix ruff formatting and update patch version
shashank-elastic Sep 10, 2025
2f2258d
Fix failing rules for min_stack_version
shashank-elastic Sep 10, 2025
10a735b
Revert Rule Tunings and optimise test case
shashank-elastic Sep 10, 2025
4df4eac
PR review comments
shashank-elastic Sep 10, 2025
ac6a1f8
Fix Ruff checks
shashank-elastic Sep 10, 2025
c11625a
Fix Ruff checks again
shashank-elastic Sep 10, 2025
fe578a6
Merge branch 'main' into test_min_stack_version_supported
shashank-elastic Sep 10, 2025
c271eb2
Generate Doc String
shashank-elastic Sep 10, 2025
File filter

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.3.31"
version = "1.3.32"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
Expand Down
25 changes: 24 additions & 1 deletion tests/test_all_rules.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@
from detection_rules.rule_loader import FILE_PATTERN, RULES_CONFIG
from detection_rules.rule_validators import EQLValidator, KQLValidator
from detection_rules.schemas import definitions, get_min_supported_stack_version, get_stack_schemas
from detection_rules.utils import INTEGRATION_RULE_DIR, PatchedTemplate, get_path, make_git
from detection_rules.utils import INTEGRATION_RULE_DIR, PatchedTemplate, get_path, load_etc_dump, make_git
from detection_rules.version_lock import loaded_version_lock

from .base import BaseRuleTest
Expand Down Expand Up @@ -1040,6 +1040,29 @@ def test_event_dataset(self):
if validation_integrations_check and "event.dataset" in rule.contents.data.query:
raise validation_integrations_check

def test_min_stack_version_supported(self):
"""Test that rules have a min_stack_version that is supported in stack-schema-map.yaml."""
failures = []
# Load supported stack versions from stack-schema-map.yaml
stack_map = load_etc_dump(["stack-schema-map.yaml"])

# Get the minimum supported stack version as version object
min_supported = min(stack_map.keys(), key=lambda v: Version.parse(v))
# Load all production rules
for rule in self.all_rules:
min_stack_version = rule.contents.metadata.get("min_stack_version")
if not min_stack_version:
continue # skip rules without min_stack_version
# Compare versions using semantic versioning
if Version.parse(min_stack_version) < min_supported:
failures.append(
f"{self.rule_str(rule)} min_stack_version={min_stack_version} < supported={min_supported}"
)

if failures:
fail_msg = "The following rules have min_stack_version lower than the minimum supported in stack-schema-map.yaml:\n"
self.fail(fail_msg + "\n".join(failures))


class TestIntegrationRules(BaseRuleTest):
"""Test integration rules."""
Expand Down
Loading