Sigma specification version targeting (the sigma-version attribute).
A Sigma document declares the specification MAJOR version it targets via the
optional top-level sigma-version attribute (for example sigma-version: 3).
Only the major is significant, because breaking spec changes occur only at
major bumps. When the attribute is absent, the document resolves to a fixed
floor (SPEC_VERSION_FLOOR): a constant defined by the specification rather
than “the latest a tool supports”, so an absent attribute means the same
thing on every tool and the existing corpus is never silently reinterpreted.
Version-sensitive interpretation is gated on the resolved major. The first
such behavior is array-matching bracket semantics: a trailing [...] on a
field path is an array selector only at SPEC_VERSION_ARRAY_MATCHING or
later; below it, brackets are literal field-name characters. See
array_matching_enabled.
Constants
- SPEC_VERSION_ARRAY_MATCHING - The major in which array-matching bracket selectors become active. A rule must declare sigma-version: 3 (or higher) to read field[any], args[0], and the other selectors as array selectors rather than literal field names.
- SPEC_VERSION_FLOOR - The fixed floor an absent sigma-version resolves to: the v2.x line that is current immediately before array matching (the first versioned breaking change). Existing rules carry no sigma-version, so they resolve here and keep their pre-array-matching semantics.
- SPEC_VERSION_SUPPORTED - The highest specification major this build implements. A document declaring a major above this targets semantics the tool does not know, and should be rejected or skipped rather than interpreted under older rules.
Functions
- array_matching_enabled - Whether array-matching bracket selectors are enabled at the resolved major.
- is_unsupported - Whether a declared major exceeds what this build supports (SPEC_VERSION_SUPPORTED). An absent version (None) is always supported, since it resolves to the floor.
- major_from_str - Parse the major component out of a release string: the leading integer of the dotted version, ignoring an optional v/V prefix ("v3.1" -> 3).
- major_from_value - Extract the specification major from a sigma-version YAML value.
- resolve_major - Resolve a declared major to its effective value: the declared major, or the fixed floor (SPEC_VERSION_FLOOR) when absent (None).
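
The gating described above, as an added stand-alone sketch (not this crate's own code): the same field path resolves to a literal name or an array selector depending on the resolved major, and a major above the supported one is rejected instead of being read under older rules. The function signatures, the value of SPEC_VERSION_SUPPORTED, and the FieldPath type and interpret helper are assumptions made for the illustration; the selector body is kept as a raw string because the selector grammar is not given on this page.

```rust
// Added illustration; not the crate's own implementation.
const SPEC_VERSION_FLOOR: u64 = 2; // page: absent resolves to the v2.x line
const SPEC_VERSION_ARRAY_MATCHING: u64 = 3; // page: selectors need sigma-version: 3
const SPEC_VERSION_SUPPORTED: u64 = 3; // assumed value for this sketch

#[derive(Debug, PartialEq)]
enum FieldPath {
    Literal(String),
    Selector { field: String, selector: String },
}

/// Leading integer of a dotted version, optional v/V prefix ("v3.1" -> 3).
fn major_from_str(s: &str) -> Option<u64> {
    let s = s.trim();
    let s = s.strip_prefix('v').or_else(|| s.strip_prefix('V')).unwrap_or(s);
    s.split('.').next()?.parse().ok()
}

fn resolve_major(declared: Option<u64>) -> u64 {
    declared.unwrap_or(SPEC_VERSION_FLOOR)
}

/// Hypothetical helper: reject unknown majors, then gate bracket parsing.
fn interpret(path: &str, declared: Option<u64>) -> Result<FieldPath, String> {
    if let Some(m) = declared.filter(|m| *m > SPEC_VERSION_SUPPORTED) {
        return Err(format!("sigma-version {} is above supported major {}", m, SPEC_VERSION_SUPPORTED));
    }
    let gated = resolve_major(declared) >= SPEC_VERSION_ARRAY_MATCHING;
    match path.strip_suffix(']').and_then(|p| p.rsplit_once('[')) {
        Some((field, selector)) if gated && !field.is_empty() => Ok(FieldPath::Selector {
            field: field.to_string(),
            selector: selector.to_string(),
        }),
        _ => Ok(FieldPath::Literal(path.to_string())),
    }
}

fn main() {
    // Constructed inputs: the same path under an absent and a declared version.
    for declared in [None, major_from_str("v3.1"), Some(9)] {
        println!("{:?} -> {:?}", declared, interpret("args[0]", declared));
    }
}
```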