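--- a/sigma/validators/sigmahq/metadata.py
+++ b/sigma/validators/sigmahq/metadata.py
@@ -77,6 +77,39 @@ def validate(self, rule: SigmaRuleBase) -> List[SigmaValidationIssue]:
 return []
 
 
+@dataclass
+class SigmahqModifiedDateOrderIssue(SigmaValidationIssue):
+description: ClassVar[str] = (
+"Rule has a modified field that has value older than the date field. Modified will always be in the future compared to date."
+)
+severity: ClassVar[SigmaValidationIssueSeverity] = SigmaValidationIssueSeverity.HIGH
+
+
+class SigmahqModifiedDateOrderValidator(SigmaRuleValidator):
+"""Checks if a rule has a modified field that has value older than the date field."""
+
+def validate(self, rule: SigmaRuleBase) -> List[SigmaValidationIssue]:
+if rule.date is not None and rule.modified is not None:
+if rule.modified < rule.date:
+return [SigmahqModifiedDateOrderIssue([rule])]
+return []
+
+
+@dataclass
+class SigmahqModifiedWithoutDateIssue(SigmaValidationIssue):
+description: ClassVar[str] = "Rule has a modified field without a date field"
+severity: ClassVar[SigmaValidationIssueSeverity] = SigmaValidationIssueSeverity.HIGH
+
+
+class SigmahqModifiedWithoutDateValidator(SigmaRuleValidator):
+"""Checks if a rule has a modified field without a date field."""
+
+def validate(self, rule: SigmaRuleBase) -> List[SigmaValidationIssue]:
+if rule.modified is not None and rule.date is None:
+return [SigmahqModifiedWithoutDateIssue([rule])]
+return []
+
+
 @dataclass
 class SigmahqDescriptionExistenceIssue(SigmaValidationIssue):
 description: ClassVar[str] = "Rule is missing the description field"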
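Review bot: The description on SigmahqModifiedDateOrderIssue reads awkwardly, and the docstring of SigmahqModifiedDateOrderValidator does not state that equal dates pass, although the strict `<` on the `if rule.modified < rule.date:` line makes that the deciding boundary. Suggest `"Rule has a modified field older than the date field; modified must never precede date."` for the description and `"""Flags rules whose modified date precedes the date field; equal dates are accepted."""` for the validator docstring. If either field can reach validate() as something other than a date object, the `<` comparison would raise instead of reporting an issue — worth confirming against how SigmaRuleBase parses date and modified before relying on it.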
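--- a/tests/test_metadata.py
+++ b/tests/test_metadata.py
@@ -13,6 +13,10 @@
 SigmahqStatusValidator,
 SigmahqDateExistenceIssue,
 SigmahqDateExistenceValidator,
+SigmahqModifiedDateOrderIssue,
+SigmahqModifiedDateOrderValidator,
+SigmahqModifiedWithoutDateIssue,
+SigmahqModifiedWithoutDateValidator,
 SigmahqDescriptionExistenceIssue,
 SigmahqDescriptionExistenceValidator,
 SigmahqDescriptionLengthIssue,
@@ -126,6 +130,81 @@ def test_validator_SigmahqDateExistence_valid():
 assert validator.validate(rule) == []
 
 
+def test_validator_SigmahqModifiedDateOrder_older():
+validator = SigmahqModifiedDateOrderValidator()
+rule = SigmaRule.from_yaml(
+"""
+title: test
+status: stable
+date: 2023-12-10
+modified: 2023-12-05
+logsource:
+category: test
+detection:
+sel:
+field: path\\*something
+condition: sel
+"""
+)
+assert validator.validate(rule) == [SigmahqModifiedDateOrderIssue([rule])]
+
+
+def test_validator_SigmahqModifiedDateOrder_valid():
+validator = SigmahqModifiedDateOrderValidator()
+rule = SigmaRule.from_yaml(
+"""
+title: test
+status: stable
+date: 2023-12-10
+modified: 2023-12-15
+logsource:
+category: test
+detection:
+sel:
+field: path\\*something
+condition: sel
+"""
+)
+assert validator.validate(rule) == []
+
+
+def test_validator_SigmahqModifiedWithoutDate():
+validator = SigmahqModifiedWithoutDateValidator()
+rule = SigmaRule.from_yaml(
+"""
+title: test
+status: stable
+modified: 2023-12-05
+logsource:
+category: test
+detection:
+sel:
+field: path\\*something
+condition: sel
+"""
+)
+assert validator.validate(rule) == [SigmahqModifiedWithoutDateIssue([rule])]
+
+
+def test_validator_SigmahqModifiedWithoutDate_valid():
+validator = SigmahqModifiedWithoutDateValidator()
+rule = SigmaRule.from_yaml(
+"""
+title: test
+status: stable
+date: 2023-12-10
+modified: 2023-12-15
+logsource:
+category: test
+detection:
+sel:
+field: path\\*something
+condition: sel
+"""
+)
+assert validator.validate(rule) == []
+
+
 def test_validator_SigmahqStatusExistence():
 validator = SigmahqStatusExistenceValidator()
 rule = SigmaRule.from_yaml(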
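Review bot: The new SigmahqModifiedDateOrder tests cover a strictly older and a strictly newer modified value but not the `date == modified` boundary, which is exactly where the validator's strict comparison decides the outcome. Suggest a third test, a copy of test_validator_SigmahqModifiedDateOrder_valid with `modified: 2023-12-10`, asserting `assert validator.validate(rule) == []` so that a later change to `<=` is caught. The SigmahqModifiedWithoutDate pair likewise has no test for a rule carrying neither field, which should also yield `[]`; the same fixture with both date lines removed would cover it.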