Refractor SigmahqStatusToHighValidator for regression log (#73)

frack113 · web-flow · commit 9bbcbc1d207c · 2026-02-03T22:33:53.000+01:00
* Refractor SigmahqStatusToHighValidator for regression log

* lint with black

* Update sigmahq_status_to_high_validator pytests
diff --git a/sigma/validators/sigmahq/status.py b/sigma/validators/sigmahq/status.py
@@ -57,13 +57,24 @@ class SigmahqStatusToHighIssue(SigmaValidationIssue):
 class SigmahqStatusToHighValidator(SigmaRuleValidator):
     """Checks if a new rule has a valid status regarding its age"""
 
-    min_days: int = 60
+    min_days_for_nolog_rule: int = 60
+    min_days_for_log_rule: int = 0
 
     def validate(self, rule: SigmaRule | SigmaCorrelationRule) -> List[SigmaValidationIssue]:
-        if rule.date is not None and rule.status is not None:
-            if rule.status > SigmaStatus.EXPERIMENTAL:
-                if (datetime.now().date() - rule.date).days <= self.min_days:
-                    custom_keys = list(rule.custom_attributes.keys())
-                    if "regression_tests_path" not in custom_keys:
-                        return [SigmahqStatusToHighIssue([rule])]
+        if rule.date is None or rule.status is None:
+            return []
+
+        custom_keys = list(rule.custom_attributes.keys())
+        max_status = (
+            SigmaStatus.TEST if "regression_tests_path" in custom_keys else SigmaStatus.EXPERIMENTAL
+        )
+        min_days = (
+            self.min_days_for_log_rule
+            if "regression_tests_path" in custom_keys
+            else self.min_days_for_nolog_rule
+        )
+        delta_days = (datetime.now().date() - rule.date).days
+
+        if rule.status > max_status and delta_days <= min_days:
+            return [SigmahqStatusToHighIssue([rule])]
         return []
diff --git a/tests/sigmahq/status/test_sigmahq_status_to_high_validator.py b/tests/sigmahq/status/test_sigmahq_status_to_high_validator.py
@@ -1,80 +1,146 @@
-from datetime import datetime
-
-from sigma.rule import SigmaRule
+from datetime import date, timedelta
+import pytest
+from sigma.rule import SigmaRule, SigmaStatus
 from sigma.correlations import SigmaCorrelationRule
 from sigma.validators.sigmahq.status import (
     SigmahqStatusToHighIssue,
     SigmahqStatusToHighValidator,
 )
 
+# Constants for test parameters with min_days configuration
+TEST_PARAMS = [
+    # (min_nolog, min_log, days_ago, status, has_regression_tests, expected_has_issue)
+    # Default minimum days (60 for non-log, 15 for log)
+    (60, 15, 1, SigmaStatus.STABLE, False, True),  # New STABLE rule fails
+    (60, 15, 60, SigmaStatus.STABLE, False, True),  # Exactly at min_nolog=60 fails
+    (60, 15, 61, SigmaStatus.STABLE, False, False),  # Just over min_nolog=60 passes
+    (30, 15, 1, SigmaStatus.STABLE, False, True),  # New STABLE rule fails with min_nolog=30
+    (30, 15, 29, SigmaStatus.STABLE, False, True),  # Just under min_nolog=30 fails
+    (30, 15, 30, SigmaStatus.STABLE, False, True),  # Exactly at min_nolog=30 fails
+    (60, 15, 29, SigmaStatus.STABLE, True, False),  # Regression test rule passes
+    (60, 15, 14, SigmaStatus.STABLE, True, True),  # Log rule with regression under min_log=15
+    (30, 15, 29, SigmaStatus.TEST, True, False),  # TEST status always passes
+]
 
-def test_validator_SigmahqStatusToHigh():
-    validator = SigmahqStatusToHighValidator()
-    detection_rule = SigmaRule.from_yaml(
-        """
-    title: Test
-    description: Test
-    status: stable
-    date: 1975-01-01
-    logsource:
-        category: test
-    detection:
-        sel:
-            candle|exists: true
-        condition: sel
-    """
+
+def create_test_rule(days_ago, status, has_regression_tests):
+    """Helper function to create test rules."""
+    date_str = (date.today() - timedelta(days=days_ago)).strftime("%Y-%m-%d")
+
+    yaml_content = f"""
+title: Test Rule
+status: {status.name.lower()}
+date: {date_str}
+logsource:
+    category: test
+    product: windows
+detection:
+    sel:
+        candle|exists: true
+    condition: sel
+"""
+
+    if has_regression_tests:
+        yaml_content += "\nregression_tests_path: regression/rule/test_rule.yml"
+
+    return SigmaRule.from_yaml(yaml_content)
+
+
+def create_correlation_rule(days_ago, status, has_regression_tests):
+    """Helper function to create correlation test rules."""
+    date_str = (date.today() - timedelta(days=days_ago)).strftime("%Y-%m-%d")
+
+    yaml_content = f"""
+title: Test Correlation
+id: 12345678-1234-1234-1234-123456789012
+status: {status.name.lower()}
+date: {date_str}
+logsource:
+    category: correlation
+    product: windows
+correlation:
+    type: temporal
+    rules:
+        - 5638f7c0-ac70-491d-8465-2a65075e0d86
+    timespan: 5m
+    group-by:
+        - ComputerName
+"""
+
+    if has_regression_tests:
+        yaml_content += "\nregression_tests_path: regression/rule/test_rule.yml"
+
+    return SigmaCorrelationRule.from_yaml(yaml_content)
+
+
+@pytest.mark.parametrize(
+    "min_nolog, min_log, days_ago, status, has_regression_tests, expected_has_issue", TEST_PARAMS
+)
+def test_status_validation_detection(
+    min_nolog, min_log, days_ago, status, has_regression_tests, expected_has_issue
+):
+    """Test validation scenarios for detection rules with configurable minimum days."""
+    rule = create_test_rule(days_ago, status, has_regression_tests)
+
+    validator = SigmahqStatusToHighValidator(
+        min_days_for_nolog_rule=min_nolog, min_days_for_log_rule=min_log
     )
-    detection_rule.date = datetime.now().date()
-    assert validator.validate(detection_rule) == [SigmahqStatusToHighIssue([detection_rule])]
 
+    if expected_has_issue:
+        assert validator.validate(rule) == [SigmahqStatusToHighIssue([rule])]
+    else:
+        assert validator.validate(rule) == []
 
-def test_validator_SigmahqStatusToHigh_valid():
-    validator = SigmahqStatusToHighValidator()
-    detection_rule = SigmaRule.from_yaml(
-        """
-    title: Test
-    description: Test
-    status: stable
-    date: 1975-01-01
-    logsource:
-        category: test
-    detection:
-        sel:
-            candle|exists: true
-        condition: sel
-    """
+
+@pytest.mark.parametrize(
+    "min_nolog, min_log, days_ago, status, has_regression_tests, expected_has_issue", TEST_PARAMS
+)
+def test_status_validation_correlation(
+    min_nolog, min_log, days_ago, status, has_regression_tests, expected_has_issue
+):
+    """Test validation scenarios for correlation rules with configurable minimum days."""
+    rule = create_correlation_rule(days_ago, status, has_regression_tests)
+
+    validator = SigmahqStatusToHighValidator(
+        min_days_for_nolog_rule=min_nolog, min_days_for_log_rule=min_log
     )
-    assert validator.validate(detection_rule) == []
+    if expected_has_issue:
+        assert validator.validate(rule) == [SigmahqStatusToHighIssue([rule])]
+    else:
+        assert validator.validate(rule) == []
+
 
+def test_rules_without_date():
+    """Test that rules without dates always pass validation."""
+    # Test with different minimum days configurations
+    validators = [
+        SigmahqStatusToHighValidator(min_days_for_nolog_rule=60, min_days_for_log_rule=15),
+        SigmahqStatusToHighValidator(min_days_for_nolog_rule=30, min_days_for_log_rule=15),
+    ]
 
-def test_validator_SigmahqStatusToHigh_with_regression_valid():
-    validator = SigmahqStatusToHighValidator()
+    # Test detection rule without date
     detection_rule = SigmaRule.from_yaml(
         """
-    title: Test
-    description: Test
-    status: test
-    date: 1975-01-01
-    logsource:
-        category: test
-    detection:
-        sel:
-            candle|exists: true
-        condition: sel
-    regression_tests_path: regression/rule/test_rule.yml
-    """
+title: Rule Without Date
+status: stable
+logsource:
+    category: test
+detection:
+    sel:
+        candle|exists: true
+    condition: sel
+"""
     )
-    detection_rule.date = datetime.now().date()
-    assert validator.validate(detection_rule) == []
 
-
-def test_validator_SigmahqStatusToHigh_correlation():
-    validator = SigmahqStatusToHighValidator()
+    # Test correlation rule without date
     correlation_rule = SigmaCorrelationRule.from_yaml(
         """
-title: Test Correlation
-id: 0e95725d-7320-415d-80f7-004da920fc11
+title: Correlation Rule Without Date
+id: 12345678-1234-1234-1234-123456789012
 status: stable
+logsource:
+    category: correlation
+product: windows
 correlation:
     type: temporal
     rules:
@@ -84,17 +150,44 @@ def test_validator_SigmahqStatusToHigh_correlation():
         - ComputerName
 """
     )
-    correlation_rule.date = datetime.now().date()
-    assert validator.validate(correlation_rule) == [SigmahqStatusToHighIssue([correlation_rule])]
+
+    # All validators should pass rules without dates
+    for validator in validators:
+        assert validator.validate(detection_rule) == []
+        assert validator.validate(correlation_rule) == []
 
 
-def test_validator_SigmahqStatusToHigh_correlation_valid():
-    validator = SigmahqStatusToHighValidator()
+def test_rules_without_status():
+    """Test that rules without dates always pass validation."""
+    # Test with different minimum days configurations
+    validators = [
+        SigmahqStatusToHighValidator(min_days_for_nolog_rule=60, min_days_for_log_rule=15),
+        SigmahqStatusToHighValidator(min_days_for_nolog_rule=30, min_days_for_log_rule=15),
+    ]
+
+    # Test detection rule without date
+    detection_rule = SigmaRule.from_yaml(
+        """
+title: Rule Without Status
+date: 2030-01-01
+logsource:
+    category: test
+detection:
+    sel:
+        candle|exists: true
+    condition: sel
+"""
+    )
+
+    # Test correlation rule without date
     correlation_rule = SigmaCorrelationRule.from_yaml(
         """
-title: Test Correlation
-id: 0e95725d-7320-415d-80f7-004da920fc11
-status: test
+title: Correlation Rule Without Status
+id: 12345678-1234-1234-1234-123456789012
+date: 2030-01-01
+logsource:
+    category: correlation
+product: windows
 correlation:
     type: temporal
     rules:
@@ -104,4 +197,8 @@ def test_validator_SigmahqStatusToHigh_correlation_valid():
         - ComputerName
 """
     )
-    assert validator.validate(correlation_rule) == []
+
+    # All validators should pass rules without dates
+    for validator in validators:
+        assert validator.validate(detection_rule) == []
+        assert validator.validate(correlation_rule) == []
