[Security Solution] Handle missing base versions during rule upgrade #154571
Conversation
xcrzx
changed the title
xcrzx
added
release_note:skip
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
xcrzx
force-pushed
the
rule-upgrade-workflow-api
branch
2 times, most recently
from
263fe0d to
409217e
Compare
xcrzx
force-pushed
the
rule-upgrade-workflow-api
branch
from
409217e to
b42bc1a
Compare
...ecurity_solution/server/lib/detection_engine/prebuilt_rules/api/review_rule_upgrade/route.ts
Show resolved
Hide resolved
| if (hasBaseVersion) { | ||
| invariant(base_version.type === 'query', BASE_TYPE_ERROR); | ||
| } |
There was a problem hiding this comment.
nit: maybe extract these invariants to a common function.
There was a problem hiding this comment.
I tried to, but Typescript started complaining about the rule type mismatch. Unfortunately, I haven't found a clean way to fix that, so I left the checks as is.
| /** | ||
| * We couldn't find the base version of the rule in the package so further | ||
| * version comparison is not possible. We assume that the rule is not | ||
| * customized and the value can be updated if there's an update. | ||
| */ | ||
| return currentEqlTarget | ||
| ? ThreeWayDiffOutcome.StockValueNoUpdate | ||
| : ThreeWayDiffOutcome.StockValueCanUpdate; | ||
| } |
There was a problem hiding this comment.
WRT
The above logic has considerable implications. When a historical version of a rule is unavailable, we assume that the rule had no modifications. Therefore, in cases where it has been modified, the upgrade review endpoint would still return "no conflicts detected", and users risk losing all their edits.
In these instances, I'm curious if we should have some UI/UX to help mitigate the issue in the event it actually happens. Whether that's encouraging the user to do a quick export of existing rules, a system-triggered temporary auto-backup of the rules in question, or something along those lines? Depending on how the storage of historical rules goes, perhaps this is uncommon enough to not even be necessary?
There was a problem hiding this comment.
Given that users could lose all their modifications without the ability to restore them, I think it makes sense to implement some safeguards on the client side. It's not a big concern, though, as long as we do not allow them to customize prebuilt rules. So, maybe we should wait and see how the adoption of historical rules goes. If we see a substantial number of packages without historical versions or not all versions available for every rule, then we'll need to implement some workarounds in the UI.
xcrzx
force-pushed
the
rule-upgrade-workflow-api
branch
from
b42bc1a to
8d9a34f
Compare
💚 Build Succeeded
Metrics [docs]Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @xcrzx |
Resolves: #152836
Resolves: #148183
Resolves partially: #148189
Summary
Updates the rule status (
prebuilt_rules/status) and upgrade review (prebuilt_rules/upgrade/_review) APIs to continue working when the base rule version is unavailable, for example, when a detection rules package is released without historical versions.The logic applied when calculating rule diff is as follows:
The above logic has considerable implications. When a historical version of a rule is unavailable, we assume that the rule had no modifications. Therefore, in cases where it has been modified, the upgrade review endpoint would still return "no conflicts detected", and users risk losing all their edits.
If we had the base versions, the result would be different:
Minor changes
This PR adds the
RuleUpgradeStatsForReview.tagsimplementation.Additionally, this PR removes some unused API fields:
PrebuiltRulesStatusStats.num_prebuilt_rules_totalRuleUpgradeStatsForReview.num_rules_to_upgrade_not_customizedRuleUpgradeStatsForReview.num_rules_to_upgrade_customizedRuleUpgradeStatsForReview.fields