Add DuplicateReferencesValidator

SigmaHQ · Nov 4, 2023 · 991ff3f · 991ff3f
1 parent ae7c544
commit 991ff3f
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 0 deletions.
diff --git a/sigma/validators/core/metadata.py b/sigma/validators/core/metadata.py
@@ -1,3 +1,4 @@
+from collections import Counter
 from collections import defaultdict
 from dataclasses import dataclass
 from typing import ClassVar, Dict, List
@@ -94,3 +95,22 @@ def finalize(self) -> List[SigmaValidationIssue]:
             for title, rules in self.titles.items()
             if len(rules) > 1
         ]
+
+
+@dataclass
+class DuplicateReferencesIssue(SigmaValidationIssue):
+    description = "The same references appears multiple times"
+    severity = SigmaValidationIssueSeverity.MEDIUM
+    reference: str
+
+
+class DuplicateReferencesValidator(SigmaRuleValidator):
+    """Validate rule References uniqueness."""
+
+    def validate(self, rule: SigmaRule) -> List[SigmaValidationIssue]:
+        references = Counter(rule.references)
+        return [
+            DuplicateReferencesIssue([rule], reference)
+            for reference, count in references.items()
+            if count > 1
+        ]
diff --git a/tests/test_validators.py b/tests/test_validators.py
@@ -23,6 +23,8 @@
     TitleLengthValidator,
     DuplicateTitleIssue,
     DuplicateTitleValidator,
+    DuplicateReferencesIssue,
+    DuplicateReferencesValidator,
 )
 from sigma.validators.core.condition import (
     AllOfThemConditionIssue,
@@ -898,3 +900,45 @@ def test_validator_duplicate_title_valid():
     """
     )
     assert validator.validate(rule) == []
+
+
+def test_validator_duplicate_references():
+    validator = DuplicateReferencesValidator()
+    rule = SigmaRule.from_yaml(
+        """
+    title: Test
+    references:
+        - ref_a
+        - ref_b
+        - ref_a
+    status: test
+    logsource:
+        category: test
+    detection:
+        sel:
+            field: value
+        condition: sel
+    """
+    )
+    assert validator.validate(rule) == [DuplicateReferencesIssue([rule], "ref_a")]
+
+
+def test_validator_duplicate_references_valid():
+    validator = DuplicateReferencesValidator()
+    rule = SigmaRule.from_yaml(
+        """
+    title: Test
+    references:
+        - ref_a
+        - ref_b
+        - ref_c
+    status: test
+    logsource:
+        category: test
+    detection:
+        sel:
+            field: value
+        condition: sel
+    """
+    )
+    assert validator.validate(rule) == []