Validator fails when validating multi-document YAML files #3
Description
The Sigma converter explicitly accepts multi-document YAML files as input (see this function), the sigma-specification and SigmaHQ rule conventions do not recommend against multi-document rules, and for correlation rules the specification explicitly recommends using them:
If the "base" rule being used is only being used to support the correlation rule, it's recommended to keep the referenced Sigma rule in the same file as the correlation rule, to ensure that the correlation rule can be easily shared and understood by others.
But when I attempt to validate a valid rule file containing multiple documents, it fails with the following error (using -v to generate a verbose error message):
Several files failed to parse.
FailedFileLoadError: Failed to parse <PATH TO FILE>
in "<PYTHON PACKAGE PATH>/check_jsonschema/instance_loader.py", line 50
>>> data: t.Any = self._parsers.parse_data_with_path(
caused by
ComposerError: expected a single document in the stream
in "<byte string>", line 1, column 1:
title: Okta MFA Reset or Deactivated
^ (line: 1)
but found another document
in "<byte string>", line 27, column 1:
---
^ (line: 27)
in "<PYTHON PACKAGE PATH>/check_jsonschema/parsers/__init__.py", line 102
>>> return loadfunc(data)
It seems the check-jsonschema tool doesn't support validating multi-document files. Perhaps multi-document files can be split before validating them, or the validator could switch to a tool that does support it?
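One way to do the split suggested above, as an added example that is not part of the original report or of the validator's code: it cuts a multi-document rule file at the YAML document markers and records the source line where each document starts, so an error reported for a split file can be mapped back to the original. The sample rule, the function names and the output file naming are assumptions made for the illustration.

```python
import re
from pathlib import Path

# "---" or "..." at column 1 followed by whitespace/EOL is a YAML document
# marker. Assumption: the rule files carry no %YAML or %TAG directives.
MARKER = re.compile(r"^(---|\.\.\.)(?=\s|$)")

# Constructed sample: a base rule and a correlation rule in one file.
SAMPLE = """\
title: Constructed base rule
name: constructed_base
logsource:
    product: okta
detection:
    selection:
        eventtype: constructed.event
    condition: selection
---
title: Constructed correlation rule
correlation:
    type: event_count
    rules:
        - constructed_base
    timespan: 1h
    condition:
        gte: 5
"""

def split_documents(text):
    """Return [(first_line_in_source, document_text), ...], skipping empty documents.
    A trailing "..." is appended so the last document is flushed like the others."""
    docs, buf, first = [], [], 1
    for lineno, line in enumerate(text.splitlines(keepends=True) + ["...\n"], 1):
        if not MARKER.match(line):
            buf.append(line)
            continue
        if any(l.strip() and not l.lstrip().startswith("#") for l in buf):
            docs.append((first, "".join(buf)))
        # Keep a marker line that carries content ("--- !tag"), drop a bare one.
        keep = line.startswith("---") and line.strip() != "---"
        buf, first = ([line], lineno) if keep else ([], lineno + 1)
    return docs

def write_split(text, stem, outdir):
    """Write each document to <stem>.docN.yml; return [(path, first_line), ...]."""
    out = []
    for n, (first, doc) in enumerate(split_documents(text), 1):
        path = Path(outdir) / f"{stem}.doc{n}.yml"
        path.write_text(doc, encoding="utf-8")
        out.append((path, first))
    return out
```

Each file written by `write_split` holds exactly one document, so a single-document loader no longer hits `expected a single document in the stream`.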