[lint] fail when referencing ECS fields outside of allowed field reuse locations

[andrewkroh]

I found a number of Fleet integrations referencing ECS fields that should not exist. For example, the as (autonomous system) field set should not be used at the top-level. The only valid "reuse" locations are specified in the schema. I think it should be treated as an error to reference an ECS field outside of it's prescribed field reuse locations.

From the ECS docs:

The generated ecs_flat.yml already takes field reuse locations into account so this could be used when resolving the external ECS definitions to simplify logic in elastic-package.

Linked below are the fields I found that don't exist in ECS (note that this is checked against ECS 8.2 and some of these integrations are building against earlier ECS versions, so there are some false positives for fields like process.ppid).

https://gist.github.com/andrewkroh/35000805a649a4137e59251bc712b0e0#file-invalid_ecs_fields-md

[jsoriano]

I think this check can have some problems:

• A package could be legally using a field that is not in ECS, this field is later added to ECS as a reusable field. Then the package must continue using an old version of ECS, or introduce a breaking change, to avoid failing this check.
• ECS fields are quite generic, I can imagine for example that a service may have its own user or file data (e.g. mysql.user, mysql.database.innodb.file.name...). Or the proposal would be to fail only on ECS fields unexpectedly reused at the top level or under other ECS fields?

[andrewkroh]

A package could be legally using a field that is not in ECS

I'm only proposing enforcing limits on fields declared using external: ecs. If an integration author wants to define arbitrary fields that conflict with ECS, so be it. I think lint should only care if they try to use "imported" ECS fields outside of the manner defined in the schema.

a service may have its own user or file data (e.g. mysql.user, mysql.database.innodb.file.name...)

Interesting 😄 , that's a use case I had not imagined. I don't think we have that usage today from what I observed in integrations repo (they were all top-level reuses). I see the utility in allowing that, but at the same time I think it gives a false sense that the field is officially part of ECS. If after a more thorough check of today's integrations we find that we don't have this use case, I'm leaning toward strictly requiring ECS fields to be used as defined in the schema (it's easier to loosen it later if needed).

[jsoriano]

I'm only proposing enforcing limits on fields declared using external: ecs.

Ok, this limits the problem :) But is it currently possible to define arbitrary fields with external: ecs?

[andrewkroh]

I tested it, and thankfully no it is not.

- name: mysql
  type: group
  release: beta
  fields:
    - name: user
      external: ecs

error calling fields: collecting fields files failed: visiting fields failed: recursive visiting fields failed (namePrefix: ): can't import field: field definition not found in schema (name: mysql.user)

So that reduces the problem to restricting top-level field reuse to those that are defined in the schema. 👍