fix: Better aligning prompt behaviour with jsonschema types (#4894)

* Check for `["array"]` in addition to `"array"`

* version bump

* Exclude non-ecs-schema.json from CI check

(cherry picked from commit c0631d2)

Author: traut

.github/workflows/version-code-and-release.yml

@@ -14,6 +14,7 @@ on:
       - '!hunting/**/*.md'
       - '!hunting/index.md'
       - '!hunting/**/*.toml'
+      - '!detection_rules/etc/non-ecs-schema.json'
     types: [opened, reopened, synchronize, labeled, closed]
 
 permissions:

detection_rules/cli_utils.py

@@ -256,7 +256,8 @@ def rule_prompt(  # noqa: PLR0912, PLR0913, PLR0915
     }
 
     try:
-        rule = TOMLRule(path=Path(path), contents=TOMLRuleContents.from_dict({"rule": contents, "metadata": meta}))
+        rule_contents = TOMLRuleContents.from_dict({"rule": contents, "metadata": meta})
+        rule = TOMLRule(path=Path(path), contents=rule_contents)
     except kql.KqlParseError as e:
         if skip_errors:
             return f"Rule: {kwargs['id']}, Rule Name: {rule_name} query failed to parse: {e.error_msg}"

detection_rules/misc.py

@@ -127,7 +127,7 @@ def schema_prompt(name: str, value: Any | None = None, is_required: bool = False
     if name == "rule_id":
         default = str(uuid.uuid4())
 
-    if len(enum) == 1 and is_required and field_type != "array":
+    if len(enum) == 1 and is_required and field_type not in ("array", ["array"]):
         return enum[0]
 
     def _check_type(_val: Any) -> bool:  # noqa: PLR0911
@@ -163,7 +163,7 @@ def _convert_type(_val: Any) -> Any:
             name=name,
             default=f' [{default}] ("n/a" to leave blank) ' if default else "",
             required=" (required) " if is_required else "",
-            multi=" (multi, comma separated) " if field_type == "array" else "",
+            multi=(" (multi, comma separated) " if field_type in ("array", ["array"]) else ""),
         ).strip()
         + ": "
     )
@@ -179,7 +179,7 @@ def _convert_type(_val: Any) -> Any:
                 continue
             return None
 
-        if field_type == "array":
+        if field_type in ("array", ["array"]):
             result_list = result.split(",")
 
             if not (min_item < len(result_list) < max_items):

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.3.8"
+version = "1.3.9"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"