Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Adds diff algorithm and unit tests for query fields #190179

Merged
merged 12 commits into from
Sep 9, 2024

Conversation

dplumlee
Copy link
Contributor

@dplumlee dplumlee commented Aug 8, 2024

Summary

Related ticket: #187658

Adds diff algorithm for all the grouped query fields we have in the DiffableRule type and prebuilt rule upgrade workflow. These include kql_query (both inline and saved query), eql_query, and esql_query. Also adds unit tests for all three algorithms.

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@dplumlee dplumlee added release_note:skip Skip the PR/issue when compiling release notes Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area v8.16.0 labels Aug 8, 2024
@dplumlee dplumlee self-assigned this Aug 8, 2024
@dplumlee dplumlee requested a review from a team as a code owner August 8, 2024 19:04
@dplumlee dplumlee requested a review from xcrzx August 8, 2024 19:04
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@dplumlee dplumlee requested review from jpdjere and removed request for xcrzx August 8, 2024 19:04
@jpdjere
Copy link
Contributor

jpdjere commented Aug 9, 2024

@dplumlee I'm gonna continue reviewing next week cause I gotta handle some SDHs today but:

  • the query field shouldn't be mergeable. We should treat it as a single line string field.
  • since filters is an array, I was thinking that we might be able to apply some more clever merging logic, to have better UX in a case, for example, where a user just adds a filter to a list of existing filters; and therefore not throwing a conflict but just merging the current and target versions. However:
    • more complex scenarios will be increasingly difficult to decide what to do, since each filter is a really complex object
    • there's only 15 prebuilt rules that have filters in their definitions. It looks it doesn't make a lot of sense to put a lot of effort into this right now.

So let's just use the simple diffing algorithm for the filters field for now, as you are already doing. I created a ticket so we can revisit this in the future.

Comment on lines 485 to 516
it('returns target_version as merged output if all versions are the same', () => {
const mockVersions: ThreeVersionsOf<RuleKqlQuery> = {
base_version: MissingVersion,
current_version: {
type: KqlQueryType.inline_query,
query: 'query string = true',
language: KqlQueryLanguageEnum.kuery,
filters: [],
},
target_version: {
type: KqlQueryType.inline_query,
query: 'query string = false',
language: KqlQueryLanguageEnum.kuery,
filters: [],
},
};

const result = kqlQueryDiffAlgorithm(mockVersions);

expect(result).toEqual(
expect.objectContaining({
has_base_version: false,
base_version: undefined,
merged_version: mockVersions.target_version,
diff_outcome: ThreeWayDiffOutcome.MissingBaseCanUpdate,
merge_outcome: ThreeWayMergeOutcome.Target,
conflict: ThreeWayDiffConflict.SOLVABLE,
})
);
});

it('returns target_version as merged output if all versions are different', () => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure I understand these two scenarios as described here:

  1. returns target_version as merged output if all versions are the same: Do you mean here if current and target versions have the same type?
  2. returns target_version as merged output if all versions are different: Did you mean here if current and target versions have different type? In that case it doesn't match the input data, which are both of saved_query type.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I meant if both versions had the same/different type fields, I'll switch it over 👍

Comment on lines 39 to 49
export const determineIfAllVersionsAreEqual = <T>(
baseVersion: T,
currentVersion: T,
targetVersion: T
): boolean => {
const baseEqlCurrent = isEqual(baseVersion, currentVersion);
const baseEqlTarget = isEqual(baseVersion, targetVersion);
const currentEqlTarget = isEqual(currentVersion, targetVersion);

return baseEqlCurrent && baseEqlTarget && currentEqlTarget;
};
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is unused now, right? Let's delete it for now then.

Copy link
Contributor

@jpdjere jpdjere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leaving my approval because overall LGTM ✅ but please take a look at the two comments I left before merging.

@dplumlee dplumlee enabled auto-merge (squash) September 9, 2024 19:54
@dplumlee dplumlee merged commit f3be719 into elastic:main Sep 9, 2024
39 checks passed
@kibana-ci
Copy link
Collaborator

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @dplumlee

@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Sep 9, 2024
@dplumlee dplumlee deleted the query-diff-algorithm branch September 9, 2024 21:22
dplumlee added a commit that referenced this pull request Sep 16, 2024
)

## Summary

Related ticket: #187658

Adds test plan for diff algorithm for arrays of scalar values
implemented here: #190179


### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Sep 16, 2024
…tic#192529)

## Summary

Related ticket: elastic#187658

Adds test plan for diff algorithm for arrays of scalar values
implemented here: elastic#190179

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

(cherry picked from commit 6680f35)
kibanamachine referenced this pull request Sep 16, 2024
… algorithm (#192529) (#193062)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Test plan for &#x60;query&#x60; fields diff
algorithm (#192529)](#192529)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Davis
Plumlee","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-16T17:19:39Z","message":"[Security
Solution] Test plan for `query` fields diff algorithm (#192529)\n\n##
Summary\r\n\r\nRelated ticket:
https://github.com/elastic/kibana/issues/187658\r\n\r\nAdds test plan
for diff algorithm for arrays of scalar values\r\nimplemented here:
https://github.com/elastic/kibana/pull/190179\r\n\r\n\r\n### For
maintainers\r\n\r\n- [ ] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"6680f35ef94286d34dd5c56e28575b31eab70836","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","test-plan","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","v8.16.0"],"title":"[Security Solution] Test plan for `query`
fields diff
algorithm","number":192529,"url":"https://github.com/elastic/kibana/pull/192529","mergeCommit":{"message":"[Security
Solution] Test plan for `query` fields diff algorithm (#192529)\n\n##
Summary\r\n\r\nRelated ticket:
https://github.com/elastic/kibana/issues/187658\r\n\r\nAdds test plan
for diff algorithm for arrays of scalar values\r\nimplemented here:
https://github.com/elastic/kibana/pull/190179\r\n\r\n\r\n### For
maintainers\r\n\r\n- [ ] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"6680f35ef94286d34dd5c56e28575b31eab70836"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192529","number":192529,"mergeCommit":{"message":"[Security
Solution] Test plan for `query` fields diff algorithm (#192529)\n\n##
Summary\r\n\r\nRelated ticket:
https://github.com/elastic/kibana/issues/187658\r\n\r\nAdds test plan
for diff algorithm for arrays of scalar values\r\nimplemented here:
https://github.com/elastic/kibana/pull/190179\r\n\r\n\r\n### For
maintainers\r\n\r\n- [ ] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"6680f35ef94286d34dd5c56e28575b31eab70836"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Davis Plumlee <[email protected]>
dplumlee added a commit that referenced this pull request Sep 16, 2024
…92655)

## Summary

Completes #187658


Switches `kql_query`, `eql_query`, and `esql_query` fields to use the
implemented diff algorithms assigned to them in
#190179


Adds integration tests in accordance to
#192529 for the `upgrade/_review`
API endpoint for the `query` field diff algorithms.

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed


### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Sep 17, 2024
…astic#192655)

## Summary

Completes elastic#187658

Switches `kql_query`, `eql_query`, and `esql_query` fields to use the
implemented diff algorithms assigned to them in
elastic#190179

Adds integration tests in accordance to
elastic#192529 for the `upgrade/_review`
API endpoint for the `query` field diff algorithms.

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

(cherry picked from commit ceb1b1a)
kibanamachine added a commit that referenced this pull request Sep 17, 2024
…f algorithms (#192655) (#193108)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Integration tests for &#x60;query&#x60; diff
algorithms (#192655)](#192655)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Davis
Plumlee","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-16T23:58:55Z","message":"[Security
Solution] Integration tests for `query` diff algorithms (#192655)\n\n##
Summary\r\n\r\nCompletes
https://github.com/elastic/kibana/issues/187658\r\n\r\n\r\nSwitches
`kql_query`, `eql_query`, and `esql_query` fields to use
the\r\nimplemented diff algorithms assigned to them
in\r\nhttps://github.com//pull/190179\r\n\r\n\r\nAdds
integration tests in accordance
to\r\nhttps://github.com//pull/192529 for the
`upgrade/_review`\r\nAPI endpoint for the `query` field diff
algorithms.\r\n\r\n### Checklist\r\n\r\nDelete any items that are not
applicable to this PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\n\r\n\r\n### For maintainers\r\n\r\n-
[ ] This was checked for breaking API changes and was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"ceb1b1a4bf253ac94f9ba0ba649e9a4908a76c51","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["test","release_note:skip","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","v8.16.0"],"title":"[Security Solution] Integration tests for
`query` diff
algorithms","number":192655,"url":"https://github.com/elastic/kibana/pull/192655","mergeCommit":{"message":"[Security
Solution] Integration tests for `query` diff algorithms (#192655)\n\n##
Summary\r\n\r\nCompletes
https://github.com/elastic/kibana/issues/187658\r\n\r\n\r\nSwitches
`kql_query`, `eql_query`, and `esql_query` fields to use
the\r\nimplemented diff algorithms assigned to them
in\r\nhttps://github.com//pull/190179\r\n\r\n\r\nAdds
integration tests in accordance
to\r\nhttps://github.com//pull/192529 for the
`upgrade/_review`\r\nAPI endpoint for the `query` field diff
algorithms.\r\n\r\n### Checklist\r\n\r\nDelete any items that are not
applicable to this PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\n\r\n\r\n### For maintainers\r\n\r\n-
[ ] This was checked for breaking API changes and was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"ceb1b1a4bf253ac94f9ba0ba649e9a4908a76c51"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192655","number":192655,"mergeCommit":{"message":"[Security
Solution] Integration tests for `query` diff algorithms (#192655)\n\n##
Summary\r\n\r\nCompletes
https://github.com/elastic/kibana/issues/187658\r\n\r\n\r\nSwitches
`kql_query`, `eql_query`, and `esql_query` fields to use
the\r\nimplemented diff algorithms assigned to them
in\r\nhttps://github.com//pull/190179\r\n\r\n\r\nAdds
integration tests in accordance
to\r\nhttps://github.com//pull/192529 for the
`upgrade/_review`\r\nAPI endpoint for the `query` field diff
algorithms.\r\n\r\n### Checklist\r\n\r\nDelete any items that are not
applicable to this PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\n\r\n\r\n### For maintainers\r\n\r\n-
[ ] This was checked for breaking API changes and was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"ceb1b1a4bf253ac94f9ba0ba649e9a4908a76c51"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Davis Plumlee <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport:skip This commit does not require backporting Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area release_note:skip Skip the PR/issue when compiling release notes Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.16.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants