allowing for new fields in DetectionMetadata

cmcginley-splunk · cmcginley-splunk · commit 0a7db9381062 · 2024-09-11T17:39:23.000-07:00
diff --git a/contentctl/actions/inspect.py b/contentctl/actions/inspect.py
@@ -287,6 +287,7 @@ def check_detection_metadata(self, config: inspect) -> None:
             app_name=config.app.label,
             appid=config.app.appid
         )
+
         # Compare the conf files
         validation_errors: dict[str, list[MetadataValidationError]] = {}
         for rule_name in previous_build_conf.detection_stanzas:
diff --git a/contentctl/objects/abstract_security_content_objects/detection_abstract.py b/contentctl/objects/abstract_security_content_objects/detection_abstract.py
@@ -390,7 +390,11 @@ def metadata(self) -> dict[str, str|float]:
         # NOTE: we ignore the type error around self.status because we are using Pydantic's
         # use_enum_values configuration
         # https://docs.pydantic.dev/latest/api/config/#pydantic.config.ConfigDict.populate_by_name
-        
+
+        # NOTE: The `inspect` action is HIGHLY sensitive to the structure of the metadata line in
+        # the detection stanza in savedsearches.conf. Additive operations (e.g. a new field in the
+        # dict below) should not have any impact, but renaming or removing any of these fields will
+        # break the `inspect` action.
         return {
             'detection_id': str(self.id),
             'deprecated': '1' if self.status == DetectionStatus.deprecated.value else '0',          # type: ignore
diff --git a/contentctl/objects/detection_metadata.py b/contentctl/objects/detection_metadata.py
@@ -5,6 +5,9 @@
 
 
 class DetectionMetadata(BaseModel):
+    """
+    A model of the metadata line in a detection stanza in savedsearches.conf
+    """
     # A bool indicating whether the detection is deprecated (serialized as an int, 1 or 0)
     deprecated: bool = Field(...)
 
@@ -18,6 +21,10 @@ class DetectionMetadata(BaseModel):
     # The time the detection was published
     publish_time: float = Field(...)
 
+    class Config:
+        # Allowing for future fields that may be added to the metadata JSON
+        extra = "allow"
+
     @field_validator("deprecated", mode="before")
     @classmethod
     def validate_deprecated(cls, v: Any) -> Any:

Original file line number	Diff line number	Diff line change
`@@ -287,6 +287,7 @@ def check_detection_metadata(self, config: inspect) -> None:`
`287`	`287`	`app_name=config.app.label,`
`288`	`288`	`appid=config.app.appid`
`289`	`289`	`)`
	`290`	`+`
`290`	`291`	`# Compare the conf files`
`291`	`292`	`validation_errors: dict[str, list[MetadataValidationError]] = {}`
`292`	`293`	`for rule_name in previous_build_conf.detection_stanzas:`