@github-actions github-actions bot commented Jul 19, 2022

Lock versions for releases: 7.16,8.0,8.1,8.2,8.3.

  • Autogenerated from job lock-versions: pr.

⚠️ DO NOT MERGE. THIS IS A TEST ONLY.

@terrancedejesus terrancedejesus changed the title Lock versions for releases: 7.16,8.0,8.1,8.2,8.3 TEST ONLY: Lock versions for releases: 7.16,8.0,8.1,8.2,8.3 Jul 19, 2022
@terrancedejesus

@brokensound77 @Mikaayenson

Original Question

Why are rules double-bumping when running the lock-versions workflow from GitHub?

Example:
[Screenshot: Screen Shot 2022-07-19 at 1 49 43 PM]

Findings

For starters, we decided to follow the lock-versions workflow manually locally. This process, to summarize, checks out each version branch, pulls updates, then runs python -m detection_rules dev build-release --update-version-lock.

With the diff file for version.lock.json, we manually did this process starting from 7.16 to 8.2. Our test rule's name was Unusual Print Spooler Child Process, which went from version 6 to version 7 up until 8.3. When we ran the build release command in the 8.3 branch, the version in the version.lock.json went from version 6 to version 8 instead, which is an unexpected double bump.

Our investigation showed that since we are adding new fields, restricted to the 8.3 version at least, these new fields, which are built on the fly, are added to the final rule. Thus the version had another unexpected change at the 8.3 branch and caused the double bump. We confirmed this by reviewing the finalized rule in the release after it was built.

New fields added to build release rule in 8.3 branch:
[Screenshot: Screen Shot 2022-07-19 at 1 55 10 PM]

No new fields in build release rule 7.16->8.2:
[Screenshot: Screen Shot 2022-07-19 at 1 55 35 PM]

Moving forward, we need to keep this in mind when we go to do releases.
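
A simplified model of the double bump described in the comment above, added here as an illustration; it is not part of the original thread or the detection-rules code. It assumes the lock keeps a content hash and a version per rule and bumps the version whenever the built rule's hash differs; the function names, the field name `build_time_field` and the sample rule contents are constructed.

```python
import hashlib
import json

STACKS = ["7.16", "8.0", "8.1", "8.2", "8.3"]
# Constructed sample: one edited rule, and a hypothetical field that only the 8.3 build generates.
RULE = {"name": "Unusual Print Spooler Child Process", "query": "edited query (constructed)"}
BUILD_TIME_FIELDS = {"8.3": {"build_time_field": ["generated during build (hypothetical)"]}}


def rule_hash(built_rule):
    """SHA-256 of a canonical JSON dump of the built rule."""
    blob = json.dumps(built_rule, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def build_rule(source, stack, build_time_fields):
    """Model a per-branch build: fields generated on the fly are merged into the final rule."""
    return {**source, **build_time_fields.get(stack, {})}


def lock_versions(source, stacks, lock, build_time_fields):
    """Walk the branches in order and bump the locked version each time the hash changes."""
    bumps = []
    for stack in stacks:
        digest = rule_hash(build_rule(source, stack, build_time_fields))
        if digest != lock["sha256"]:
            lock = {"sha256": digest, "version": lock["version"] + 1}
            bumps.append(stack)
    return lock, bumps


def fields_behind_extra_bumps(source, bumps, build_time_fields):
    """For every bump after the first, list the fields the build added beyond the source rule."""
    return {s: sorted(set(build_rule(source, s, build_time_fields)) - set(source)) for s in bumps[1:]}


if __name__ == "__main__":
    old = {"name": RULE["name"], "query": "old query (constructed)"}
    start = {"sha256": rule_hash(old), "version": 6}
    final, bumps = lock_versions(RULE, STACKS, start, BUILD_TIME_FIELDS)
    print("final version:", final["version"], "bumped at:", bumps)
    print("extra bumps caused by:", fields_behind_extra_bumps(RULE, bumps, BUILD_TIME_FIELDS))
```

Running the same walk with no build-time fields yields a single bump, so more than one entry in `bumps` for one rule edit is the signal to check before a release.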
