elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[FR] Update Rule Versioning to Semantic Versioning #2496

Open terrancedejesus opened 1 year ago

terrancedejesus commented 1 year ago

Is your feature request related to a problem? Please describe. This feature request is not related to a problem. At the moment, detection rule versions are whole integers whereas we have the capability to change those to semantic versioning.

Describe the solution you'd like Rather than rule versions being whole integers, we can change them to semantic versioning. This would allow more granularity when determining rule version changes programmatically by determining what constitutes a major, minor or patch update. From this, we can also enhance our communication via documentation about what specific rule changes indicate. For example, if a major bump in the rule version is noticed, this indicates the detection logic or query has been modified.

Describe alternatives you've considered The alternative to consider is staying with whole integers. At the moment, because we have to account for forked rules, rule versions are programmatically given a buffer space of ~100 so that rule collisions do not take place. As a result, a minor change to any data field will cause a whole integer version bump. Worse, when a new min-stack is given to the rule, the version bumps 100 spaces, which can be misleading to customers.

Additional context There are several considerations that need to take place for this.
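As an added illustration of the proposal above (not code from elastic/detection-rules), one way to derive a semantic version bump from the fields that changed between two revisions of a rule, so that a query edit yields a major bump while a min_stack_version change yields only a patch bump; the field-to-level mapping and the sample rules are assumptions made for this example:

```python
# Added example (not elastic/detection-rules code): classify a rule change as a
# major/minor/patch bump. Which rule fields map to which level is an assumption.
from typing import Any, Optional

MAJOR_FIELDS = {"query", "language", "type"}                  # detection logic
MINOR_FIELDS = {"index", "severity", "risk_score", "threat"}  # tuning / scope
# Everything else (description, note, references, tags, min_stack_version, ...)
# is treated as a patch-level change in this example.

def bump(version: str, level: str) -> str:
    """Return `version` bumped at `level`, resetting the lower components."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a semantic version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    if level == "major":
        return f"{major + 1}.0.0"
    if level == "minor":
        return f"{major}.{minor + 1}.0"
    if level == "patch":
        return f"{major}.{minor}.{patch + 1}"
    raise ValueError(f"unknown bump level: {level!r}")

def changed_fields(old: dict[str, Any], new: dict[str, Any]) -> set[str]:
    """Keys whose values differ between two rule dicts; `version` itself is ignored."""
    keys = (set(old) | set(new)) - {"version"}
    return {k for k in keys if old.get(k) != new.get(k)}

def bump_level(changed: set[str]) -> Optional[str]:
    """Highest-impact level implied by the changed fields; None if nothing changed."""
    if not changed:
        return None
    if changed & MAJOR_FIELDS:
        return "major"
    if changed & MINOR_FIELDS:
        return "minor"
    return "patch"

def next_version(old: dict[str, Any], new: dict[str, Any]) -> str:
    """Version the edited rule should carry, derived from what actually changed."""
    level = bump_level(changed_fields(old, new))
    return bump(old["version"], level) if level else old["version"]

# Constructed sample rules (not real rules from the repository).
OLD_RULE = {"version": "1.2.3", "query": 'process.name : "cmd.exe"',
            "description": "Constructed sample", "min_stack_version": "8.3.0"}
QUERY_EDIT = dict(OLD_RULE, query='process.name : ("cmd.exe" or "pwsh.exe")')
STACK_EDIT = dict(OLD_RULE, min_stack_version="8.10.0")
```

With these inputs, `next_version(OLD_RULE, QUERY_EDIT)` gives `2.0.0` and `next_version(OLD_RULE, STACK_EDIT)` gives `1.2.4`, rather than the ~100 jump the integer scheme produces for a min-stack change.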

botelastic[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.