Add new metadata validator

SigmaHQ · Nov 5, 2023 · 78f2f06 · 78f2f06
1 parent 6ec8b38
commit 78f2f06
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 0 deletions.
diff --git a/sigma/validators/core/metadata.py b/sigma/validators/core/metadata.py
@@ -189,3 +189,51 @@ def validate(self, rule: SigmaRule) -> List[SigmaValidationIssue]:
                 if value_key not in ["id", "type"]
             ]
         return []
+
+
+@dataclass
+class StatusExistenceIssue(SigmaValidationIssue):
+    description = "Rule has no status"
+    severity = SigmaValidationIssueSeverity.MEDIUM
+
+
+class StatusExistenceValidator(SigmaRuleValidator):
+    """Checks if rule has a status."""
+
+    def validate(self, rule: SigmaRule) -> List[SigmaValidationIssue]:
+        if rule.status is None:
+            return [StatusExistenceIssue([rule])]
+        else:
+            return []
+
+
+@dataclass
+class StatusUnsupportedIssue(SigmaValidationIssue):
+    description = "Rule has UNSUPPORTED status"
+    severity = SigmaValidationIssueSeverity.MEDIUM
+
+
+class StatusUnsupportedValidator(SigmaRuleValidator):
+    """Checks if rule has a status UNSUPPORTED."""
+
+    def validate(self, rule: SigmaRule) -> List[SigmaValidationIssue]:
+        if rule.status and rule.status.name == "UNSUPPORTED":
+            return [StatusUnsupportedIssue([rule])]
+        else:
+            return []
+
+
+@dataclass
+class DateExistenceIssue(SigmaValidationIssue):
+    description = "Rule has no status"
+    severity = SigmaValidationIssueSeverity.MEDIUM
+
+
+class DateExistenceValidator(SigmaRuleValidator):
+    """Checks if rule has a status."""
+
+    def validate(self, rule: SigmaRule) -> List[SigmaValidationIssue]:
+        if rule.status is None:
+            return [DateExistenceIssue([rule])]
+        else:
+            return []
diff --git a/tests/test_validators_metadata.py b/tests/test_validators_metadata.py
@@ -23,6 +23,12 @@
     InvalidRelatedIdIssue,
     InvalidRelatedSubfieldValidator,
     InvalidRelatedSubfieldIssue,
+    StatusExistenceValidator,
+    StatusExistenceIssue,
+    StatusUnsupportedValidator,
+    StatusUnsupportedIssue,
+    DateExistenceValidator,
+    DateExistenceIssue,
 )
 
 
@@ -294,3 +300,52 @@ def test_validator_invalid_related_subfield():
     """
     )
     assert validator.validate(rule) == [InvalidRelatedSubfieldIssue([rule], "uuid")]
+
+
+def test_validator_status_existence():
+    validator = StatusExistenceValidator()
+    rule = SigmaRule.from_yaml(
+        """
+    title: Test
+    logsource:
+        category: test
+    detection:
+        sel:
+            field: value
+        condition: sel
+    """
+    )
+    assert validator.validate(rule) == [StatusExistenceIssue([rule])]
+
+
+def test_validator_status_unsupported():
+    validator = StatusUnsupportedValidator()
+    rule = SigmaRule.from_yaml(
+        """
+    title: Test
+    status: unsupported
+    logsource:
+        category: test
+    detection:
+        sel:
+            field: value
+        condition: sel
+    """
+    )
+    assert validator.validate(rule) == [StatusUnsupportedIssue([rule])]
+
+
+def test_validator_date_existence():
+    validator = DateExistenceValidator()
+    rule = SigmaRule.from_yaml(
+        """
+    title: Test
+    logsource:
+        category: test
+    detection:
+        sel:
+            field: value
+        condition: sel
+    """
+    )
+    assert validator.validate(rule) == [DateExistenceIssue([rule])]