Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Adds normalization for query fields before diff algorithm comparison #203482

Merged
merged 5 commits into from
Dec 13, 2024

Conversation

dplumlee
Copy link
Contributor

@dplumlee dplumlee commented Dec 9, 2024

Summary

Fixes #203151

Adds a normalization for the kql_query, eql_query, and esql_query fields that trims the whitespace from the beginning and end of query strings for a more robust comparison in the diff algorithms. Since whitespace before or after the query string is purely a formatting choice and doesn't impact the query itself, we discard the excess whitespace characters before the direct string comparison.

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

@dplumlee dplumlee added bug Fixes for quality problems that affect the customer experience release_note:skip Skip the PR/issue when compiling release notes v9.0.0 Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area backport:version Backport to applied version labels v8.18.0 v8.17.1 labels Dec 9, 2024
@dplumlee dplumlee self-assigned this Dec 9, 2024
@dplumlee dplumlee requested review from a team as code owners December 9, 2024 18:46
@dplumlee dplumlee requested a review from maximpn December 9, 2024 18:46
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@dplumlee dplumlee requested review from xcrzx and removed request for maximpn December 9, 2024 18:47
@kibanamachine
Copy link
Contributor

Flaky Test Runner Stats

🟠 Some tests failed. - kibana-flaky-test-suite-runner#7570

[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/configs/ess.config.ts: 100/100 tests passed.
[❌] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/configs/serverless.config.ts: 97/100 tests passed.

see run history

@jpdjere jpdjere requested review from jpdjere and removed request for xcrzx December 11, 2024 20:19
Copy link
Contributor

@jpdjere jpdjere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good, tested and behaving properly. LGTM!

My only question is: do you think we should do the same for other string fields like name and description? Not sure if the newline at the end of the queries comes directly from the rule assets, or where it is introduced, but I guess exactly the same could theoretically happen for other string fields in the future.

@dplumlee
Copy link
Contributor Author

@elasticmachine merge upstream

@dplumlee
Copy link
Contributor Author

@jpdjere that's not a bad question, after thinking it over I think I'll add it to all the fields that we don't allow new line formatting to be added or removed via the current rule edit UI. Namely not fields like description, setup and note as we want to preserve all the multi-line format customizations

The fields that will be trimmed now, including the ones in this PR are:

  • kql_query
  • eql_query
  • esql_query
  • threat_query
  • name

@dplumlee dplumlee force-pushed the query-trimming-is-customized branch from c9cf4f6 to 7a6a7f7 Compare December 12, 2024 20:53
@elasticmachine
Copy link
Contributor

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #97 / APM API tests fleet/input_only_package.spec.ts basic no archive APM package policy input only package when ingesting events using the scoped api key the events can be seen on the Service Inventory Page

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 14.7MB 14.7MB +72.0B

History

cc @dplumlee

@dplumlee dplumlee merged commit 0294838 into elastic:main Dec 13, 2024
8 checks passed
@kibanamachine
Copy link
Contributor

Starting backport for target branches: 8.17, 8.x

https://github.com/elastic/kibana/actions/runs/12309325228

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Dec 13, 2024
… algorithm comparison (elastic#203482)

## Summary

Fixes elastic#203151

Adds a normalization for the `kql_query`, `eql_query`, and `esql_query`
fields that trims the whitespace from the beginning and end of query
strings for a more robust comparison in the diff algorithms. Since
whitespace before or after the query string is purely a formatting
choice and doesn't impact the query itself, we discard the excess
whitespace characters before the direct string comparison.

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed

(cherry picked from commit 0294838)
@kibanamachine
Copy link
Contributor

💔 Some backports could not be created

Status Branch Result
8.17 Backport failed because of merge conflicts
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Manual backport

To create the backport manually run:

node scripts/backport --pr 203482

Questions ?

Please refer to the Backport tool documentation

@dplumlee
Copy link
Contributor Author

💚 All backports created successfully

Status Branch Result
8.17

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

@dplumlee dplumlee deleted the query-trimming-is-customized branch December 13, 2024 04:37
kibanamachine added a commit that referenced this pull request Dec 13, 2024
…elds before diff algorithm comparison (#203482) (#204159)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Adds normalization for `query` fields
before diff algorithm comparison
(#203482)](#203482)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Davis
Plumlee","email":"56367316+dplumlee@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-13T03:58:50Z","message":"[Security
Solution] Adds normalization for `query` fields before diff algorithm
comparison (#203482)\n\n## Summary\r\n\r\nFixes
https://github.com/elastic/kibana/issues/203151\r\n\r\nAdds a
normalization for the `kql_query`, `eql_query`, and
`esql_query`\r\nfields that trims the whitespace from the beginning and
end of query\r\nstrings for a more robust comparison in the diff
algorithms. Since\r\nwhitespace before or after the query string is
purely a formatting\r\nchoice and doesn't impact the query itself, we
discard the excess\r\nwhitespace characters before the direct string
comparison.\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following
conditions. \r\n\r\nReviewers should verify this PR satisfies this list
as well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests
changed","sha":"0294838a95975ac6b5ee37a94ecacfe2e9a19955","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","backport:version","v8.18.0","v8.17.1"],"title":"[Security
Solution] Adds normalization for `query` fields before diff algorithm
comparison","number":203482,"url":"https://github.com/elastic/kibana/pull/203482","mergeCommit":{"message":"[Security
Solution] Adds normalization for `query` fields before diff algorithm
comparison (#203482)\n\n## Summary\r\n\r\nFixes
https://github.com/elastic/kibana/issues/203151\r\n\r\nAdds a
normalization for the `kql_query`, `eql_query`, and
`esql_query`\r\nfields that trims the whitespace from the beginning and
end of query\r\nstrings for a more robust comparison in the diff
algorithms. Since\r\nwhitespace before or after the query string is
purely a formatting\r\nchoice and doesn't impact the query itself, we
discard the excess\r\nwhitespace characters before the direct string
comparison.\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following
conditions. \r\n\r\nReviewers should verify this PR satisfies this list
as well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests
changed","sha":"0294838a95975ac6b5ee37a94ecacfe2e9a19955"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.17"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/203482","number":203482,"mergeCommit":{"message":"[Security
Solution] Adds normalization for `query` fields before diff algorithm
comparison (#203482)\n\n## Summary\r\n\r\nFixes
https://github.com/elastic/kibana/issues/203151\r\n\r\nAdds a
normalization for the `kql_query`, `eql_query`, and
`esql_query`\r\nfields that trims the whitespace from the beginning and
end of query\r\nstrings for a more robust comparison in the diff
algorithms. Since\r\nwhitespace before or after the query string is
purely a formatting\r\nchoice and doesn't impact the query itself, we
discard the excess\r\nwhitespace characters before the direct string
comparison.\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following
conditions. \r\n\r\nReviewers should verify this PR satisfies this list
as well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests
changed","sha":"0294838a95975ac6b5ee37a94ecacfe2e9a19955"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.17","label":"v8.17.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Davis Plumlee <56367316+dplumlee@users.noreply.github.com>
dplumlee added a commit that referenced this pull request Dec 13, 2024
…re diff algorithm comparison (#203482) (#204160)

# Backport

This will backport the following commits from `main` to `8.17`:
- [[Security Solution] Adds normalization for `query` fields before diff
algorithm comparison
(#203482)](#203482)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Davis
Plumlee","email":"56367316+dplumlee@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-13T03:58:50Z","message":"[Security
Solution] Adds normalization for `query` fields before diff algorithm
comparison (#203482)\n\n## Summary\r\n\r\nFixes
https://github.com/elastic/kibana/issues/203151\r\n\r\nAdds a
normalization for the `kql_query`, `eql_query`, and
`esql_query`\r\nfields that trims the whitespace from the beginning and
end of query\r\nstrings for a more robust comparison in the diff
algorithms. Since\r\nwhitespace before or after the query string is
purely a formatting\r\nchoice and doesn't impact the query itself, we
discard the excess\r\nwhitespace characters before the direct string
comparison.\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following
conditions. \r\n\r\nReviewers should verify this PR satisfies this list
as well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests
changed","sha":"0294838a95975ac6b5ee37a94ecacfe2e9a19955","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","backport:version","v8.18.0","v8.17.1"],"number":203482,"url":"https://github.com/elastic/kibana/pull/203482","mergeCommit":{"message":"[Security
Solution] Adds normalization for `query` fields before diff algorithm
comparison (#203482)\n\n## Summary\r\n\r\nFixes
https://github.com/elastic/kibana/issues/203151\r\n\r\nAdds a
normalization for the `kql_query`, `eql_query`, and
`esql_query`\r\nfields that trims the whitespace from the beginning and
end of query\r\nstrings for a more robust comparison in the diff
algorithms. Since\r\nwhitespace before or after the query string is
purely a formatting\r\nchoice and doesn't impact the query itself, we
discard the excess\r\nwhitespace characters before the direct string
comparison.\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following
conditions. \r\n\r\nReviewers should verify this PR satisfies this list
as well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests
changed","sha":"0294838a95975ac6b5ee37a94ecacfe2e9a19955"}},"sourceBranch":"main","suggestedTargetBranches":["8.17"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/203482","number":203482,"mergeCommit":{"message":"[Security
Solution] Adds normalization for `query` fields before diff algorithm
comparison (#203482)\n\n## Summary\r\n\r\nFixes
https://github.com/elastic/kibana/issues/203151\r\n\r\nAdds a
normalization for the `kql_query`, `eql_query`, and
`esql_query`\r\nfields that trims the whitespace from the beginning and
end of query\r\nstrings for a more robust comparison in the diff
algorithms. Since\r\nwhitespace before or after the query string is
purely a formatting\r\nchoice and doesn't impact the query itself, we
discard the excess\r\nwhitespace characters before the direct string
comparison.\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following
conditions. \r\n\r\nReviewers should verify this PR satisfies this list
as well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests
changed","sha":"0294838a95975ac6b5ee37a94ecacfe2e9a19955"}},{"branch":"8.x","label":"v8.18.0","labelRegex":"^v8.18.0$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/204159","number":204159,"state":"OPEN"},{"branch":"8.17","label":"v8.17.1","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport:version Backport to applied version labels bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area release_note:skip Skip the PR/issue when compiling release notes Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.17.0 v8.17.1 v8.18.0 v9.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Security Solution] is_customized Flag is Set to True When Reverting Changes to Prebuilt Rules
4 participants