Bump native-appsec package + ASM multi DD config capability (#6049)

Author: CarlesDD

integration-tests/appsec/graphql.spec.js

@@ -72,15 +72,15 @@ describe('graphql', () => {
     const result = {
       triggers: [
         {
-          rule:
-          {
+          rule: {
             id: 'test-rule-id-1',
             name: 'test-rule-name-1',
             tags:
             {
-              category: 'attack_attempt',
-              type: 'security_scanner'
-            }
+              type: 'security_scanner',
+              category: 'attack_attempt'
+            },
+            on_match: []
           },
           rule_matches: [
             {

package.json

@@ -111,7 +111,7 @@
   ],
   "dependencies": {
     "@datadog/libdatadog": "0.7.0",
-    "@datadog/native-appsec": "9.0.0",
+    "@datadog/native-appsec": "10.0.0",
     "@datadog/native-iast-taint-tracking": "4.0.0",
     "@datadog/native-metrics": "3.1.1",
     "@datadog/pprof": "5.9.0",

packages/dd-trace/src/appsec/reporter.js

@@ -430,21 +430,21 @@ function isRaspAttack (events) {
   return events.some(e => e.rule?.tags?.module === 'rasp')
 }
 
-function isFingerprintDerivative (derivative) {
-  return derivative.startsWith('_dd.appsec.fp')
+function isFingerprintAttribute (attribute) {
+  return attribute.startsWith('_dd.appsec.fp')
 }
 
-function reportDerivatives (derivatives) {
-  if (!derivatives) return
+function reportAttributes (attributes) {
+  if (!attributes) return
 
   const req = storage('legacy').getStore()?.req
   const rootSpan = web.root(req)
 
   if (!rootSpan) return
 
   const tags = {}
-  for (let [tag, value] of Object.entries(derivatives)) {
-    if (!isFingerprintDerivative(tag)) {
+  for (let [tag, value] of Object.entries(attributes)) {
+    if (!isFingerprintAttribute(tag)) {
       const gzippedValue = zlib.gzipSync(JSON.stringify(value))
       value = gzippedValue.toString('base64')
     }
@@ -543,7 +543,7 @@ module.exports = {
   reportAttack,
   reportWafUpdate: incrementWafUpdatesMetric,
   reportRaspRuleSkipped: updateRaspRuleSkippedMetricTags,
-  reportDerivatives,
+  reportAttributes,
   finishRequest,
   mapHeaderAndTags,
   truncateRequestBody

packages/dd-trace/src/appsec/waf/waf_context_wrapper.js

@@ -135,7 +135,7 @@ class WAFContextWrapper {
         this.setUserIdCache(userId, result)
       }
 
-      metrics.duration = result.totalRuntime / 1e3
+      metrics.duration = result.duration / 1e3
       metrics.blockTriggered = blockTriggered
       metrics.ruleTriggered = ruleTriggered
       metrics.wafTimeout = result.timeout
@@ -144,7 +144,7 @@ class WAFContextWrapper {
         Reporter.reportAttack(result.events)
       }
 
-      Reporter.reportDerivatives(result.derivatives)
+      Reporter.reportAttributes(result.attributes)
 
       return result
     } catch (err) {

packages/dd-trace/src/remote_config/capabilities.js

@@ -27,5 +27,6 @@ module.exports = {
   ASM_SESSION_FINGERPRINT: 1n << 33n,
   ASM_NETWORK_FINGERPRINT: 1n << 34n,
   ASM_HEADER_FINGERPRINT: 1n << 35n,
-  ASM_RASP_CMDI: 1n << 37n
+  ASM_RASP_CMDI: 1n << 37n,
+  ASM_DD_MULTICONFIG: 1n << 42n
 }

packages/dd-trace/src/remote_config/index.js

@@ -93,6 +93,7 @@ function enableWafUpdate (appsecConfig) {
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_SESSION_FINGERPRINT, true)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_NETWORK_FINGERPRINT, true)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_HEADER_FINGERPRINT, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_DD_MULTICONFIG, true)
 
     if (appsecConfig.rasp?.enabled) {
       rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
@@ -128,6 +129,7 @@ function disableWafUpdate () {
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_SESSION_FINGERPRINT, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_NETWORK_FINGERPRINT, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_HEADER_FINGERPRINT, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_DD_MULTICONFIG, false)
 
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, false)

packages/dd-trace/test/appsec/reporter.spec.js

@@ -696,20 +696,20 @@ describe('reporter', () => {
     })
   })
 
-  describe('reportDerivatives', () => {
+  describe('reportAttributes', () => {
     it('should not call addTags if parameter is undefined', () => {
-      Reporter.reportDerivatives(undefined)
+      Reporter.reportAttributes(undefined)
       expect(span.addTags).not.to.be.called
     })
 
     it('should call addTags with an empty array', () => {
-      Reporter.reportDerivatives([])
+      Reporter.reportAttributes([])
       expect(span.addTags).to.be.calledOnceWithExactly({})
     })
 
     it('should call addTags', () => {
       const schemaValue = [{ key: [8] }]
-      const derivatives = {
+      const attributes = {
         '_dd.appsec.fp.http.endpoint': 'endpoint_fingerprint',
         '_dd.appsec.fp.http.header': 'header_fingerprint',
         '_dd.appsec.fp.http.network': 'network_fingerprint',
@@ -722,7 +722,7 @@ describe('reporter', () => {
         'custom.processor.output': schemaValue
       }
 
-      Reporter.reportDerivatives(derivatives)
+      Reporter.reportAttributes(attributes)
 
       const schemaEncoded = zlib.gzipSync(JSON.stringify(schemaValue)).toString('base64')
       expect(span.addTags).to.be.calledOnceWithExactly({

packages/dd-trace/test/appsec/waf/index.spec.js

@@ -49,7 +49,7 @@ describe('WAF Manager', () => {
     sinon.stub(Reporter.metricsQueue, 'set')
     sinon.stub(Reporter, 'reportMetrics')
     sinon.stub(Reporter, 'reportAttack')
-    sinon.stub(Reporter, 'reportDerivatives')
+    sinon.stub(Reporter, 'reportAttributes')
     sinon.spy(Reporter, 'reportWafInit')
     sinon.spy(Reporter, 'reportWafConfigUpdate')
 
@@ -333,7 +333,7 @@ describe('WAF Manager', () => {
       })
 
       it('should call ddwafContext.run with params', () => {
-        ddwafContext.run.returns({ totalRuntime: 1, durationExt: 1 })
+        ddwafContext.run.returns({ duration: 1, durationExt: 1 })
 
         wafContextWrapper.run({
           persistent: {
@@ -354,7 +354,7 @@ describe('WAF Manager', () => {
 
       it('should report attack when ddwafContext returns events', () => {
         const result = {
-          totalRuntime: 1,
+          duration: 1,
           durationExt: 1,
           events: ['ATTACK DATA']
         }
@@ -373,7 +373,7 @@ describe('WAF Manager', () => {
 
       it('should report if rule is triggered', () => {
         const result = {
-          totalRuntime: 1,
+          duration: 1,
           durationExt: 1,
           events: ['ruleTriggered']
         }
@@ -395,7 +395,7 @@ describe('WAF Manager', () => {
 
       it('should report raspRuleType', () => {
         const result = {
-          totalRuntime: 1,
+          duration: 1,
           durationExt: 1
         }
 
@@ -414,7 +414,7 @@ describe('WAF Manager', () => {
 
       it('should not report raspRuleType when it is not provided', () => {
         const result = {
-          totalRuntime: 1,
+          duration: 1,
           durationExt: 1
         }
 
@@ -432,7 +432,7 @@ describe('WAF Manager', () => {
       })
 
       it('should not report attack when ddwafContext does not return events', () => {
-        ddwafContext.run.returns({ totalRuntime: 1, durationExt: 1 })
+        ddwafContext.run.returns({ duration: 1, durationExt: 1 })
         const params = {
           persistent: {
             'server.request.headers.no_cookies': { header: 'value' }
@@ -445,7 +445,7 @@ describe('WAF Manager', () => {
       })
 
       it('should not report attack when ddwafContext returns empty data', () => {
-        ddwafContext.run.returns({ totalRuntime: 1, durationExt: 1, events: [] })
+        ddwafContext.run.returns({ duration: 1, durationExt: 1, events: [] })
         const params = {
           persistent: {
             'server.request.headers.no_cookies': { header: 'value' }
@@ -459,7 +459,7 @@ describe('WAF Manager', () => {
 
       it('should return waf result', () => {
         const result = {
-          totalRuntime: 1, durationExt: 1, events: [], actions: ['block']
+          duration: 1, durationExt: 1, events: [], actions: ['block']
         }
         ddwafContext.run.returns(result)
 
@@ -474,11 +474,11 @@ describe('WAF Manager', () => {
         expect(wafResult).to.be.equals(result)
       })
 
-      it('should report schemas when ddwafContext returns schemas in the derivatives', () => {
+      it('should report schemas when ddwafContext returns schemas in the attributes', () => {
         const result = {
-          totalRuntime: 1,
+          duration: 1,
           durationExt: 1,
-          derivatives: [{ '_dd.appsec.s.req.body': [8] }]
+          attributes: [{ '_dd.appsec.s.req.body': [8] }]
         }
         const params = {
           persistent: {
@@ -492,14 +492,14 @@ describe('WAF Manager', () => {
         ddwafContext.run.returns(result)
 
         wafContextWrapper.run(params)
-        expect(Reporter.reportDerivatives).to.be.calledOnceWithExactly(result.derivatives)
+        expect(Reporter.reportAttributes).to.be.calledOnceWithExactly(result.attributes)
       })
 
-      it('should report fingerprints when ddwafContext returns fingerprints in results derivatives', () => {
+      it('should report fingerprints when ddwafContext returns fingerprints in results attributes', () => {
         const result = {
-          totalRuntime: 1,
+          duration: 1,
           durationExt: 1,
-          derivatives: {
+          attributes: {
             '_dd.appsec.s.req.body': [8],
             '_dd.appsec.fp.http.endpoint': 'http-post-abcdefgh-12345678-abcdefgh',
             '_dd.appsec.fp.http.network': 'net-1-0100000000',
@@ -514,7 +514,7 @@ describe('WAF Manager', () => {
             'server.request.body': 'foo'
           }
         })
-        sinon.assert.calledOnceWithExactly(Reporter.reportDerivatives, result.derivatives)
+        sinon.assert.calledOnceWithExactly(Reporter.reportAttributes, result.attributes)
       })
     })
   })

packages/dd-trace/test/appsec/waf/waf_context_wrapper.spec.js

@@ -25,7 +25,7 @@ describe('WAFContextWrapper', () => {
     const ddwafContext = {
       run: sinon.stub().returns({
         events: {},
-        derivatives: {}
+        attributes: {}
       })
     }
     const wafContextWrapper = new WAFContextWrapper(ddwafContext, 1000, '1.14.0', '1.8.0', knownAddresses)
@@ -72,7 +72,7 @@ describe('WAFContextWrapper', () => {
     const ddwafContext = {
       run: sinon.stub().returns({
         events: {},
-        derivatives: {}
+        attributes: {}
       })
     }
     const wafContextWrapper = new WAFContextWrapper(ddwafContext, 1000, '1.14.0', '1.8.0', knownAddresses)
@@ -178,13 +178,13 @@ describe('WAFContextWrapper', () => {
     const ddwafContext = {
       run: sinon.stub().returns({
         events: [{ rule_matches: [] }],
-        derivatives: [],
+        attributes: [],
         actions: {
           redirect_request: {
             status_code: 301
           }
         },
-        totalRuntime: 123456,
+        duration: 123456,
         timeout: false,
         metrics: {
           maxTruncatedString: 5000,

packages/dd-trace/test/remote_config/index.spec.js

@@ -248,6 +248,8 @@ describe('Remote Config index', () => {
           .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SHI, true)
         expect(rc.updateCapabilities)
           .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_CMDI, true)
+        expect(rc.updateCapabilities)
+          .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_DD_MULTICONFIG, true)
 
         expect(rc.setProductHandler).to.have.been.calledWith('ASM_DATA')
         expect(rc.setProductHandler).to.have.been.calledWith('ASM_DD')
@@ -296,6 +298,8 @@ describe('Remote Config index', () => {
           .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SHI, true)
         expect(rc.updateCapabilities)
           .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_CMDI, true)
+        expect(rc.updateCapabilities)
+          .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_DD_MULTICONFIG, true)
 
         expect(rc.setProductHandler).to.have.been.calledWith('ASM_DATA')
         expect(rc.setProductHandler).to.have.been.calledWith('ASM_DD')
@@ -346,6 +350,8 @@ describe('Remote Config index', () => {
           .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SHI, true)
         expect(rc.updateCapabilities)
           .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_CMDI, true)
+        expect(rc.updateCapabilities)
+          .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_DD_MULTICONFIG, true)
       })
 
       it('should not activate rasp capabilities if rasp is disabled', () => {
@@ -391,6 +397,8 @@ describe('Remote Config index', () => {
           .to.not.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SHI)
         expect(rc.updateCapabilities)
           .to.not.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_CMDI)
+        expect(rc.updateCapabilities)
+          .to.not.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_DD_MULTICONFIG)
       })
     })
 
@@ -436,6 +444,8 @@ describe('Remote Config index', () => {
           .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SHI, false)
         expect(rc.updateCapabilities)
           .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_CMDI, false)
+        expect(rc.updateCapabilities)
+          .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_DD_MULTICONFIG, false)
 
         expect(rc.removeProductHandler).to.have.been.calledWith('ASM_DATA')
         expect(rc.removeProductHandler).to.have.been.calledWith('ASM_DD')