[Bug] Pre-Built Detection Rules Package Versioning #2251
Description
Overview
Initial Conversation: https://elastic.slack.com/archives/C02USDK55AQ/p1660833389191059
We recently released 8.2.1 and 7.16.4 pre-built detection rule integration packages for 8.4. During 8.4 dev, @brokensound77 @Mikaayenson and myself were tasked with adding three new fields to rules.
The code was developed, tested and implemented which dynamically builds the three fields during the building of the package. This only occurs if the stack version referenced in packages.yaml is version 8.3 or above.
Our release process involves checking out each least-compatible stack for 7 and 8 series that we support and then building the package from there that is then released to Kibana and Integrations.
Locked commit used: #2236
Therefore, our recent process did the following in short:
Kibana Update
- checkout 8.4
- checkout locked version commit hash
- build 8.4 package
- push updates to Kibana
The Kibana update did receive the rules with the additional fields as expected and tested in the updated PR. This is because we built from the 8.4 branch so the 3 fields were added as they met the minimum stack requirement of 8.3.
OOB Integrations Update
7 Series
- checkout 7.16
- checkout locked version commit hash
- build 7.16 package
- push package to integrations
8 Series
- checkout 8.2 (we only build from -2 on latest series)
- checkout locked version commit hash
- build 8.2 package
- push package to integrations
Since we built from 7.16 and 8.2, the additional fields did not get added to the packages and went into production. This is not a bug as the code is working as expected, however, we will need to release an 8.3.1 package (building from 8.3 branch) for these fields to be added to the package.
Versioning
When version locking occurred and was backported, the process started at 7.16 going to main. If a detection rule had changes, a version bump was given and the changes continued to the next branch, doing the lock versions again. Once 8.3 branch was reached, the new fields were added and some rules received a double bump if they had a change during 8.4 dev. If a rule did not have a change, they still received a single bump because the fields were added in 8.3. This caused all rules to receive a version increase.
This causes an issue if we build with 8.3 if we were to release it immediately as there are no changes to the hash and thus no new versions. Thus we need to manually bump the versions and check forked (previous) versions in the version lock file.
Overall, the tasks are as follows:
- Add
min_stack_versionof 8.3 to all rules | min_stack all rules to 8.3 #2259 - Lock versions from workflow | Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4 #2261
- Adjust
version.lock.jsonfile to change current rules to 100 - Add tests for new build-time fields requiring min_stack_version defined | Add test that newly introduced build-time fields for a min_stack for … #2262
- Release v8.3.1 package | https://epr.elastic.co/package/security_detection_engine/8.3.1/