fix: type hinting fixes and additional code checks #4790

traut · 2025-06-11T13:33:21Z

Pull Request

Issue link(s):

Summary - What I changed

adding ruff and pyright checks in CI workflow
making sure pyright has no complains

How To Test

Checklist

Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
Added the meta:rapid-merge label if planning to merge within 24 hours
Secret and sensitive material has been managed correctly
Automated testing was updated or added to match the most common scenarios
Documentation and comments were added for features that require explanation

Contributor checklist

Have you signed the contributor license agreement?
Have you followed the contributor guidelines?

github-actions · 2025-06-17T16:32:45Z

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a new schema feature to the code.

Documentation and Context

Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
Include additional context or screenshots.
Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

Code follows established design patterns within the repo and avoids duplication.
Code changes do not introduce new warnings or errors.
Variables and functions are well-named and descriptive.
Any unnecessary / commented-out code is removed.
Ensure that the code is modular and reusable where applicable.
Check for proper exception handling and messaging.

Testing

New unit tests have been added to cover the enhancement.
Existing unit tests have been updated to reflect the changes.
Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
Validate that any rules affected by the enhancement are correctly updated.
Ensure that performance is not negatively impacted by the changes.
Verify that any release artifacts are properly generated and tested.

Additional Schema Related Checks

.github/CODEOWNERS

hunting/run.py

tests/base.py

tests/test_all_rules.py

Mikaayenson · 2025-06-17T20:50:00Z

tests/test_all_rules.py

+        osquery_note_pattern = (
+            "> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin]"
+            "(https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) "
+            "introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display "
+            "unrendered Markdown in this guide."
+        )
        invest_note_pattern = (
-            '> This investigation guide uses the [Investigate Markdown Plugin]'
-            '(https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html)'
-            ' introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display '
-            'unrendered Markdown in this guide.')
+            "> This investigation guide uses the [Investigate Markdown Plugin]"
+            "(https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html)"
+            " introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display "
+            "unrendered Markdown in this guide."
+        )


We should double check that when the transform occurs, its still formatted correctly.

detection_rules/beats.py

Mikaayenson · 2025-06-17T21:01:13Z

detection_rules/cli_utils.py

+    suggested_path: Path = Path(DEFAULT_PREBUILT_RULES_DIRS[0]) / contents["name"]
+    path = Path(path or input(f"File path for rule [{suggested_path}]: ") or suggested_path).resolve()


Seems a bit odd to type hint as Path when we explicitly set as a Path object. We also dont type hint the next field path.

contents is dict[str, Any], so there is ambiguity in the calculation of the result type

detection_rules/config.py

detection_rules/devtools.py

detection_rules/docs.py

Mikaayenson · 2025-06-17T21:27:37Z

detection_rules/ecs.py

    """Get schema for KQL."""
-    indexes = indexes or ()
-    converted = flatten_multi_fields(get_schema(version, name='ecs_flat'))
+    indexes = indexes or []


Curious as to why this was a tuple

no idea. I don't think there is a risk of mutation, so we might as well simplify and have list here

Mikaayenson · 2025-06-17T21:38:39Z

Any reason why the build didn't run? Waiting for status to be reported
Note, I think we need to run the lint tests locally and add to this PR (since the workflow won't run until the action is on main)
We'll also want to open a maintenance window and test the backporting logic.

Co-authored-by: Mika Ayenson, PhD <[email protected]>

traut changed the title ~~[WIP] Type hint fixes and adding code checks~~ [WIP] fix: type hint fixes and adding code checks Jun 11, 2025

Mikaayenson assigned traut Jun 16, 2025

traut force-pushed the style-fixes branch from 6f18d46 to 5cac576 Compare June 17, 2025 12:05

traut added python Internal python for the repository ci/cd maintenance Internal changes minor labels Jun 17, 2025

traut marked this pull request as ready for review June 17, 2025 16:32

traut requested review from Mikaayenson, eric-forte-elastic and terrancedejesus as code owners June 17, 2025 16:32

github-actions bot added the backport: auto label Jun 17, 2025

traut force-pushed the style-fixes branch from 4e69b4e to 4afd534 Compare June 17, 2025 16:32

botelastic bot added Hunting schema labels Jun 17, 2025

traut changed the title ~~[WIP] fix: type hint fixes and adding code checks~~ fix: type hinting fixes and additional code checks Jun 17, 2025