[Security Solution] Fix "unbounded array" code scanner warning for prebuilt rule assets #255741
Merged
nikitaindik merged 3 commits into elastic:main from Mar 6, 2026
Adds a maxSize constraint to the tags field in the prebuilt rule assets saved object schema to resolve CodeQL alert elastic#2072 (unbounded-array-in-schema). Made-with: Cursor
Contributor
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)
Contributor
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Contributor
Pinging @elastic/security-solution (Team: SecuritySolution)
banderror
reviewed
Mar 3, 2026
...on/server/lib/detection_engine/prebuilt_rules/logic/rule_assets/prebuilt_rule_assets_type.ts
…tion_tests/ci_checks
Contributor
💔 Build Failed
Failed CI Steps
Test Failures
Metrics [docs]
History
cc @nikitaindik
gsoldevila
approved these changes
Mar 6, 2026
Member
gsoldevila
left a comment
Changes LGTM! You can disregard the `Check Saved Objects changes` soft failure, as you have schema-only changes.
banderror
approved these changes
Mar 6, 2026
Contributor
banderror
left a comment
Thanks @nikitaindik, LGTM!
Contributor
@nikitaindik Is it worth backporting to active branches?
Contributor
Author
@banderror This CodeQL is running only on main, so no need to backport.
kapral18
pushed a commit
to kapral18/kibana
that referenced
this pull request
Mar 9, 2026
…ebuilt rule assets (elastic#255741)

**Resolves: https://github.com/elastic/kibana/security/code-scanning/2072**

## Summary

Adds a `maxSize` constraint to the `tags` field in the `security-rule` saved object schema (`prebuilt_rule_assets_type.ts`), resolving [CodeQL alert elastic#2072](https://github.com/elastic/kibana/security/code-scanning/2072) (unbounded-array-in-schema).

- Introduced a `MAX_TAGS_PER_RULE` constant (100) to bound the `schema.arrayOf()` call
- Prebuilt rules typically have fewer than 15 tags, so 100 is a generous safe limit
- No model version bump needed since this is a validation-only change with no structural/mapping impact

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
gsoldevila
added a commit
that referenced
this pull request
Mar 11, 2026
…without a version bump (#256432)

## Summary

When a saved object type's schema validation constraints are tightened (e.g. adding a `maxSize` limit to an array field) without touching the underlying ES mappings, the 'Check changes in Saved Objects' CI check was incorrectly rejecting the change as a forbidden model version mutation.

This PR relaxes the validation to allow schema-only changes to the **latest** model version, provided all three conditions hold:

- Only the latest model version's schemas were modified (no older versions touched).
- The mappings have not been modified.
- The latest model version's schema still covers all mapped fields (`validateAllMappingsInModelVersion` still passes).

When this exceptional case is detected, a warning is emitted in the CI output making it clear why the change is allowed and reminding that any future mapping changes will still require a proper model version bump.

## Context

Fixes the CI failure on #255741, where adding a `maxSize` constraint to the `tags` field in the `security-rule` SO type caused the check to fail.

Tracking task: elastic/kibana-team#3021 (sub-issue of elastic/kibana-team#2349)

Made with [Cursor](https://cursor.com)
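The three conditions listed in the commit message above, written out as a decision function. This is an added example, not code from the Kibana repository; the `TypeSnapshot` shape, the fingerprint strings and the function name are assumptions made for illustration.

```typescript
// Added illustration: hypothetical types and names, not Kibana's CI code.
interface ModelVersionSnapshot {
  schemaFingerprint: string; // changes whenever the version's schemas change
  schemaFields: string[]; // fields the version's schema validates
}
interface TypeSnapshot {
  mappingsFingerprint: string; // changes whenever the ES mappings change
  mappedFields: string[];
  modelVersions: ModelVersionSnapshot[]; // oldest first, latest last
}
interface Verdict { exceptionApplies: boolean; message: string }
// Called once a mutation of already-released model versions has been detected.
function checkSchemaOnlyChange(before: TypeSnapshot, after: TypeSnapshot): Verdict {
  const no = (message: string): Verdict => ({ exceptionApplies: false, message });
  const count = before.modelVersions.length;
  if (count === 0 || after.modelVersions.length !== count) {
    return no('model version list changed: not the schema-only case');
  }
  // Condition 1: no model version older than the latest was touched.
  for (let i = 0; i < count - 1; i++) {
    if (before.modelVersions[i].schemaFingerprint !== after.modelVersions[i].schemaFingerprint) {
      return no(`model version ${i + 1} is not the latest and was modified`);
    }
  }
  // Condition 2: the mappings are unchanged.
  if (before.mappingsFingerprint !== after.mappingsFingerprint) {
    return no('mappings changed: a model version bump is required');
  }
  // Condition 3: the latest schema still covers every mapped field.
  const latest = after.modelVersions[count - 1];
  const uncovered = after.mappedFields.filter((f) => latest.schemaFields.indexOf(f) === -1);
  if (uncovered.length > 0) {
    return no(`latest schema no longer covers: ${uncovered.join(', ')}`);
  }
  const message = 'WARNING: schema-only change to latest model version; mapping changes still need a bump';
  return { exceptionApplies: true, message };
}
// Constructed sample: a two-version type whose latest schema gains a size limit on `tags`.
const baseline: TypeSnapshot = {
  mappingsFingerprint: 'mappings-a',
  mappedFields: ['name', 'tags'],
  modelVersions: [
    { schemaFingerprint: 'v1', schemaFields: ['name', 'tags'] },
    { schemaFingerprint: 'v2: tags unbounded', schemaFields: ['name', 'tags'] },
  ],
};
const tightenedLatest: ModelVersionSnapshot = { schemaFingerprint: 'v2: tags maxSize 100', schemaFields: ['name', 'tags'] };
const tightened: TypeSnapshot = { ...baseline, modelVersions: [baseline.modelVersions[0], tightenedLatest] };
const tightenedVerdict = checkSchemaOnlyChange(baseline, tightened);
```

`tightenedVerdict` is the accepted case with its warning; editing the first model version, changing `mappingsFingerprint`, or dropping `tags` from the latest `schemaFields` each makes the exception not apply.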
qn895
pushed a commit
to qn895/kibana
that referenced
this pull request
Mar 11, 2026
…ebuilt rule assets (elastic#255741)
sorenlouv
pushed a commit
that referenced
this pull request
Mar 17, 2026
…without a version bump (#256432)
jeramysoucy
pushed a commit
to jeramysoucy/kibana
that referenced
this pull request
Mar 26, 2026
…without a version bump (elastic#256432)
Resolves: https://github.com/elastic/kibana/security/code-scanning/2072

Summary

Adds a `maxSize` constraint to the `tags` field in the `security-rule` saved object schema (`prebuilt_rule_assets_type.ts`), resolving CodeQL alert #2072 (unbounded-array-in-schema).

- Introduced a `MAX_TAGS_PER_RULE` constant (100) to bound the `schema.arrayOf()` call