
[Security Solution] Tags in Upgrade Flyout Are Not Recognized Correctly Due to Formatting and Order Issues #200071

Closed
pborgonovi opened this issue Nov 13, 2024 · 6 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed

Comments

@pborgonovi
Contributor

Describe the bug:
In the Upgrade Flyout, tags in the “Diff view” and “Final update” sections are inconsistently recognized due to differences in formatting and order. Specifically, the presence or absence of a trailing comma (,) and the order of tags affect the system’s ability to match tags correctly. This inconsistency causes a tag, such as "Data Source: Sysmon", to appear as both removed and added in the “Diff view,” despite being present in both states.

Kibana/Elasticsearch Stack version:
8.x

Current branch: 8.x
Latest commit: ecae27e4444 - [8.x] [Index Mgmt] Improve accessibility of templates table (#199980) (#200031)
Remote tracking: origin/8.x
Status relative to remote: up to date (no pending commits)

Server OS version:

Browser and Browser OS versions:

Elastic Endpoint version:

Original install method (e.g. download page, yum, from source, etc.):

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Prebuilt Rules Upgrade

Pre requisites

  1. Have an older rules package installed (e.g. 8.15.4)
  2. Have prebuilt rules installed (have the Unusual Persistence via Services Registry rule installed to replicate the exact scenario, since there's a change in the order of the tags on this one)

Steps to reproduce:

  1. Upgrade rules package to the latest version
  2. Go to Rule Updates table
  3. Select Unusual Persistence via Services Registry

Current behavior:
The same tag (e.g., "Data Source: Sysmon") is inconsistently recognized due to differences in formatting or order.
In the “Diff view,” the tag is incorrectly shown as removed and re-added, even though it exists in both the current and final state.

Expected behavior:
Tags should be recognized as identical regardless of formatting (e.g., presence of commas or trailing spaces).
The order of tags should not affect their recognition or comparison in the “Diff view” and “Final update.”

Screenshots (if relevant):

Screen.Recording.2024-11-13.at.10.43.39.AM.mov

Image

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context (logs, chat logs, magical formulas, etc.):

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@pborgonovi
Contributor Author

Got another example of the same type of issue happening in other fields:

Image

@banderror
Contributor

banderror commented Nov 22, 2024

@pborgonovi This is how absolutely all diff tools work, and is the effect of combining two things:

  • converting the things we diff to JSON (in this case, arrays of tags)
  • showing what's called an "inline diff" between the two JSONs

Here's how GitHub renders an inline diff for your example (link):

Image

We're not going to be reinventing the wheel and will stick to UI patterns that are established in the industry.

Not sure I understand what you meant by the KQL Query example. The screenshot shows precisely what the difference is between the two queries.
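The effect described in the comment above, reproduced as an added example (not Kibana's diff code): two tag arrays with the same five constructed tags, one of them moved to the end, are serialised to JSON and compared with a minimal line-based LCS diff, which reports the moved tag as removed and re-added (and the old last element as changed only because it gained a trailing comma), while an order-insensitive comparison on the parsed values reports no change. Tag values, `lineDiff`, `tagsRemovedAndAdded` and `tagSetDiff` are all assumptions made for this illustration.

```typescript
// Constructed example (not taken from any real prebuilt rule): same five tags, one moved to the end.
const currentTags: string[] = [
  "Domain: Endpoint", "Data Source: Sysmon", "OS: Windows",
  "Tactic: Persistence", "Use Case: Threat Detection",
];
const finalTags: string[] = [
  "Domain: Endpoint", "OS: Windows", "Tactic: Persistence",
  "Use Case: Threat Detection", "Data Source: Sysmon",
];

// Serialise the way a generic JSON diff view would: one array element per line,
// so every element except the last carries a trailing comma.
function toJsonLines(tags: string[]): string[] {
  return JSON.stringify(tags, null, 2).split("\n");
}

// Minimal LCS-based line diff, returning lines prefixed with " " (unchanged), "-" or "+".
function lineDiff(a: string[], b: string[]): string[] {
  const n = a.length, m = b.length;
  const lcs: number[][] = Array.from({ length: n + 1 }, () => new Array(m + 1).fill(0));
  for (let i = n - 1; i >= 0; i--) {
    for (let j = m - 1; j >= 0; j--) {
      lcs[i][j] = a[i] === b[j] ? lcs[i + 1][j + 1] + 1 : Math.max(lcs[i + 1][j], lcs[i][j + 1]);
    }
  }
  const out: string[] = [];
  let i = 0, j = 0;
  while (i < n || j < m) {
    if (i < n && j < m && a[i] === b[j]) { out.push(" " + a[i]); i++; j++; }
    else if (j < m && (i >= n || lcs[i][j + 1] >= lcs[i + 1][j])) { out.push("+" + b[j]); j++; }
    else { out.push("-" + a[i]); i++; }
  }
  return out;
}

// Tags the text diff shows as both removed and added: the "phantom" changes from the report.
function tagsRemovedAndAdded(diff: string[]): string[] {
  const isTagLine = (l: string) => l.slice(1).trim().startsWith('"');
  const tag = (l: string): string => JSON.parse(l.slice(1).trim().replace(/,$/, ""));
  const removed = new Set(diff.filter(l => l.startsWith("-") && isTagLine(l)).map(tag));
  return diff.filter(l => l.startsWith("+") && isTagLine(l)).map(tag).filter(t => removed.has(t));
}

// Order-insensitive comparison on parsed values: what a tag-aware (set) diff would report.
function tagSetDiff(before: string[], after: string[]): { added: string[]; removed: string[] } {
  const b = new Set(before), a = new Set(after);
  return { added: after.filter(t => !b.has(t)), removed: before.filter(t => !a.has(t)) };
}
```

Running `lineDiff(toJsonLines(currentTags), toJsonLines(finalTags))` yields four changed lines, two of them for "Data Source: Sysmon", whereas `tagSetDiff` returns empty `added` and `removed` lists.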

@pborgonovi
Contributor Author

Hey @banderror

Thanks for triaging and for the clear explanation. I would consider it working as expected then :)

I'm closing this bug ticket.
