
Fix stack-dependent related_integrations.version export #6208

Open

Mikaayenson wants to merge 7 commits into main from 5601-bug-improper-prebuilt-rule-version-usage-in-security_detection_engine-package-versions

Conversation


@Mikaayenson Mikaayenson commented May 27, 2026

Issue link(s): Resolves #5601

Summary - What I changed

find_least_compatible_version picked a single ^X.Y.Z anchor from the build stack, so the same rule id shipped different related_integrations.version strings on 8.19 vs 9.x backports while the prebuilt rule version integer stayed the same.

This replaces that with find_compatible_version_range, which emits a stack-invariant OR range from integration manifests (for example ^8.2.0 || ^9.0.0 || ^10.0.0 for endpoint). policy_templates are unioned across manifest anchors instead of parsing the OR string.

Performance: the new path resolves more stack lines per package. Informal local timing was roughly 2 to 9x median vs the old function on endpoint / aws / windows manifests, still sub-10ms per call and once per rule at package build. Not expected to move build-release wall time in a meaningful way.

How To Test

make deps
make pytest
python -m detection_rules view-rule rules_building_block/defense_evasion_download_susp_extension.toml

Spot check export: rule 8d366588-cbd6-43ba-95b4-0971c3f906e5 should show ^8.2.0 || ^9.0.0 || ^10.0.0 for endpoint on every release line.

  "related_integrations": [
    {
      "package": "endpoint",
      "version": "^8.2.0 || ^9.0.0 || ^10.0.0"
    }
  ],

Export toml and import into kibana to ensure it applies successfully.

uv run python -m detection_rules export-rules-from-repo -f rules_building_block/defense_evasion_download_susp_extension.toml

20260528T154018L.ndjson.txt


Backport validation: cherry-pick this PR onto each release branch (or apply the four changed files from 73c07800d), then run the same pytest commands. No version.lock changes required for that pass.

Backport `8.19` (origin/8.19 + PR code)
$ pytest -q
FAILED tests/test_all_rules.py::TestRuleMetadata::test_rule_change_has_updated_date
1 failed, 221 passed, 19 skipped, 2 subtests passed in 69.53s (0:01:09)

# same failure on vanilla origin/8.19 (diffs rules/ vs origin/main, not introduced here)

$ pytest -q -k "not test_rule_change_has_updated_date"
221 passed, 19 skipped, 1 deselected, 2 subtests passed in 65.20s (0:01:05)

$ pytest tests/test_integrations.py::TestFindCompatibleVersionRange -q
.......                                                                  [100%]
7 passed in 0.51s

$ spot-check 8d366588-cbd6-43ba-95b4-0971c3f906e5
[{'package': 'endpoint', 'version': '^8.2.0 || ^9.0.0 || ^10.0.0'}]

Backport `9.2` (origin/9.2 + PR code)
$ pytest -q
222 passed, 19 skipped, 2 subtests passed in 82.76s (0:01:22)

$ pytest tests/test_integrations.py::TestFindCompatibleVersionRange -q
.......                                                                  [100%]
7 passed in 0.54s

$ spot-check 8d366588-cbd6-43ba-95b4-0971c3f906e5
[{'package': 'endpoint', 'version': '^8.2.0 || ^9.0.0 || ^10.0.0'}]

Backport `9.3` (origin/9.3 + PR code)
$ pytest -q
222 passed, 19 skipped, 2 subtests passed in 96.19s (0:01:36)

$ pytest tests/test_integrations.py::TestFindCompatibleVersionRange -q
.......                                                                  [100%]
7 passed in 0.52s

$ spot-check 8d366588-cbd6-43ba-95b4-0971c3f906e5
[{'package': 'endpoint', 'version': '^8.2.0 || ^9.0.0 || ^10.0.0'}]

Backport `9.4` (origin/9.4 + PR code)
$ pytest -q
222 passed, 19 skipped, 2 subtests passed in 106.83s (0:01:46)

$ pytest tests/test_integrations.py::TestFindCompatibleVersionRange -q
.......                                                                  [100%]
7 passed in 0.50s

$ spot-check 8d366588-cbd6-43ba-95b4-0971c3f906e5
[{'package': 'endpoint', 'version': '^8.2.0 || ^9.0.0 || ^10.0.0'}]

Checklist

  • Added a label for the type of pr: bug
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation
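As an added illustration (not code from elastic/detection-rules), a simplified Python model of the change described above: the old shape picks one caret anchor for the build stack, so 8.19 and 9.x exports differ, while the new shape walks every stack major that a manifest's Kibana clause covers and ORs the earliest anchor per major, unioning policy_templates across those anchors. MANIFESTS, KNOWN_STACK_MAJORS, the clause parser and both function names are constructed assumptions, not the project's data or API.

```python
from __future__ import annotations
Ver = tuple[int, int, int]

# Constructed manifest data (not the real endpoint package): version -> (kibana constraint, policy_templates)
MANIFESTS = {
    "8.2.0": (">=8.2.0 <9.0.0", ["endpoint"]),
    "8.15.0": (">=8.15.0 <9.0.0", ["endpoint"]),
    "9.0.0": (">=9.0.0 <10.0.0", ["endpoint", "cloud_security"]),
    "10.0.0": (">=10.0.0", ["endpoint", "cloud_security"]),  # unbounded upper bound
}
KNOWN_STACK_MAJORS = (8, 9, 10)  # assumed set of release lines

def parse_ver(s: str) -> Ver:
    a, b, c = (int(x) for x in s.split("."))
    return (a, b, c)

def parse_kibana_range(req: str) -> tuple[Ver, Ver | None]:
    """Parse '>=X <Y' (exclusive upper) or an unbounded '>=X' into (lo, hi)."""
    lo = hi = None
    for tok in req.split():
        if tok.startswith(">="):
            lo = parse_ver(tok[2:])
        elif tok.startswith("<"):
            hi = parse_ver(tok[1:])
    assert lo is not None, req
    return lo, hi

def majors_for(lo: Ver, hi: Ver | None) -> list[int]:
    """Known majors M whose band [M.0.0, M+1.0.0) intersects the clause; no upper bound covers all >= lo.major."""
    return [m for m in KNOWN_STACK_MAJORS if m >= lo[0] and (hi is None or hi > (m, 0, 0))]

def caret(v: Ver) -> str:
    return "^%d.%d.%d" % v

def least_compatible_anchor(build_stack: str) -> str:
    """Old, stack-dependent shape: one anchor picked for the build stack only."""
    major = parse_ver(build_stack)[0]
    ok = sorted(parse_ver(v) for v, (req, _) in MANIFESTS.items()
                if major in majors_for(*parse_kibana_range(req)))
    return caret(ok[0])

def compatible_version_range() -> tuple[str, list[str]]:
    """New, stack-invariant shape: earliest anchor per covered major, OR'd; templates unioned over anchors."""
    anchors: dict[int, str] = {}
    for v, (req, _) in sorted(MANIFESTS.items(), key=lambda kv: parse_ver(kv[0])):
        for m in majors_for(*parse_kibana_range(req)):
            anchors.setdefault(m, v)  # lowest version covering major m wins
    carets = dict.fromkeys(caret(parse_ver(v)) for _, v in sorted(anchors.items()))
    templates = sorted({t for v in set(anchors.values()) for t in MANIFESTS[v][1]})
    return " || ".join(carets), templates
```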

…tions

Replace find_least_compatible_version with find_compatible_version_range
so prebuilt rules export the same related_integrations.version across
stack backports. Bump version.lock for rules whose export changes.
@github-actions

Bug - Guidelines

These guidelines serve as a reminder set of considerations when addressing a bug in the code.

Documentation and Context

  • Provide detailed documentation (description, screenshots, reproducing the bug, etc.) of the bug if not already documented in an issue.
  • Include additional context or details about the problem.
  • Ensure the fix includes necessary updates to the release documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the bug fix or edge cases.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and detecting the bug fix (e.g., test logs, screenshots).
  • Validate that any rules affected by the bug are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the bug fix works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR patch, minor, major.

@Mikaayenson Mikaayenson self-assigned this May 28, 2026
…tions

Replace find_least_compatible_version with find_compatible_version_range
so prebuilt rules export the same related_integrations.version across
stack backports. Bump pyproject.toml patch version.

Resolves #5601
Copilot AI left a comment

Pull request overview

This PR makes related_integrations.version exports stack-invariant by replacing single stack-dependent compatibility anchors with an OR’d compatibility range derived from integration manifests.

Changes:

  • Adds find_compatible_version_range and supporting helpers for manifest-derived compatibility ranges.
  • Updates rule export conversion to use the new range and union policy templates across selected anchors.
  • Replaces related integration tests and bumps the package version to 1.6.44.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File                              Description
detection_rules/integrations.py   Adds the new compatibility range computation and removes the old least-compatible helper.
detection_rules/rule.py           Uses the new range API when populating related_integrations.
tests/test_integrations.py        Updates unit tests for the new range behavior.
pyproject.toml                    Bumps the project version.

Mikaayenson and others added 2 commits May 28, 2026 16:02
Iterate all majors overlapped by parsed Kibana bounds, derive legacy
stack walk versions from manifest range floors instead of 8.19.0, remove
a dead aligned-major branch, and drop RST-style double backticks in new
docstrings.
…e-in-security_detection_engine-package-versions
@Mikaayenson Mikaayenson marked this pull request as ready for review May 29, 2026 12:48
@Mikaayenson Mikaayenson requested a review from Copilot May 29, 2026 12:49
Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

@botelastic botelastic Bot added the python Internal python for the repository label May 29, 2026
Walk every stack major whose band intersects a bounded Kibana clause
(e.g. >=8.12.0 <9.1.0 includes major 9) and pick the earliest compatible
stack point within a major for the legacy least-compatible walk.
Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

Comment on lines +380 to +382
effective_stack_majors = sorted(
stack_major for stack_major in stack_majors if stack_major >= max(stack_majors) - 1
)
for lo, hi in _parse_kibana_range(version_requirement):
majors_to_check: list[int]
if hi is None:
majors_to_check = [lo.major]
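Review bot: `max(stack_majors)` in the `effective_stack_majors` expression raises `ValueError` when `stack_majors` is empty, so guard that case (or assert it is non-empty) before the comprehension. Within these lines `effective_stack_majors` is computed but not consulted where the unbounded branch sets `majors_to_check = [lo.major]`; if an open-ended clause is meant to cover every supported major, that branch should take the majors from `effective_stack_majors` at or above `lo.major` rather than the single lower-bound major.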

@eric-forte-elastic eric-forte-elastic May 29, 2026


For this if check:

fix(integrations): tighten stack-major overlap and anchor resolution
Walk every stack major whose band intersects a bounded Kibana clause
(e.g. >=8.12.0 <9.1.0 includes major 9) and pick the earliest compatible
stack point within a major for the legacy least-compatible walk.

I don't think any of our manifests include a situation where hi is None unless one were to have a manifest with an unbounded range (e.g. ">=8.12.0"). Fine to have this check, but given this I am not sure that this functions as intended.

For the case with an unbounded range, majors_to_check will only have [8] and not any other stack majors. Not sure if this accomplishes the goal.


Whereas for the case in the note, it correctly has multiple stack versions to check.


eric-forte-elastic commented May 29, 2026

Validated expected results from testing/debugging. 🟢 base flows function as designed.


package: str,
packages_manifest: dict[str, Any],
) -> CompatibleVersionRange:
"""Return a stack-invariant OR'd caret range for related_integrations.version.

Nit. Should this docstring be updated to fit the existing format? Short one-sentence docstring with more detail in a separate comment?

second = find_compatible_version_range("pkg", manifests)
self.assertEqual(first, second)

def test_single_major_appends_forward_anchor(self):

Nit. Akin to https://github.com/elastic/detection-rules/pull/6208/changes#r3325352838, if the goal is to support unbounded upper ranges like ">=8.12.0", should we include a test for that? The `hi is None` branch?


@eric-forte-elastic eric-forte-elastic left a comment


One main comment and a few nits. Otherwise LGTM 👍

Generally this PR is low risk, as the updated version computation logic is in effect not used in other workflows (like schema validation, etc.). Additionally, Kibana validates this to be a NonEmpty string just like we do in our dataclasses (ref), so we have considerable freedom in what we populate it with.


Labels

backport: auto bug Something isn't working patch python Internal python for the repository

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug] Improper prebuilt rule version usage in security_detection_engine package versions

3 participants