If inner levels of test.yaml have any field missing, s-v considers test failed
Discovered while re-doing https://github.com/OISF/suricata-verify/pull/381
Sample failure: https://github.com/inashivb/suricata-verify/runs/1774430094
Updated by Shivani Bhardwaj about 3 years ago
- Subject changed from If inner levels of yaml have any field missing, s-v considers test failed to If inner levels of test.yaml have any field missing, s-v considers test failed
Philippe Antoine wrote in #note-1:
I am not sure I understand.
Which yaml are we talking about? test.yaml?
Yes. Sorry for being unclear.
Can we have the example where it works and where it fails with an inner field missing?
This one is passing the tests as all the fields of alert section from eve are present here: https://github.com/OISF/suricata-verify/pull/381/files#diff-efb9bb0172a43f58d20b5e5a92f7b3694e2efd1c8c3342087a7da4e937b267dbR13
This one is failing as it misses gid and category fields from the alert section: https://github.com/inashivb/suricata-verify/commit/19fbb35e1e089375b017b551306e2c6db3d5b5c8#diff-efb9bb0172a43f58d20b5e5a92f7b3694e2efd1c8c3342087a7da4e937b267dbR13
Updated by Jason Ish about 3 years ago
This is somewhat by design. If you have a match block like:
    alert:
      action: allowed
      severity: 3
      signature: msg escape tests
      signature_id: 100
You are looking for equality on the whole object. If you just want to look for one value, you can use: