Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

appsec: upgrade libddwaf v1.20.1 & ruleset v1.13.2 #2952

Merged
merged 1 commit into from
Oct 30, 2024
Merged

appsec: upgrade libddwaf v1.20.1 & ruleset v1.13.2 #2952

merged 1 commit into from
Oct 30, 2024

Conversation

eliottness
Copy link
Contributor

@eliottness eliottness commented Oct 29, 2024
edited
Loading

What does this PR do?

This PR does multiple things following the upgrade to the latest release of libddwaf https://github.com/DataDog/libddwaf/releases/tag/1.20.1

  • Upgrade libddwaf v1.19.0 -> v1.20.1
  • Upgrade appsec static ruleset v1.13.0 -> v1.13.2
  • Modify how addresses are passed following libddwaf v1.20.0 which made some addresses optional for fingerprinting

Motivation

  • Better RASP detection via the new ruleset and WAF update

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.

Unsure? Have a question? Request a review!

@eliottness eliottness requested a review from a team as a code owner October 29, 2024 15:19
RomainMuller
RomainMuller reviewed Oct 29, 2024
View reviewed changes
internal/appsec/emitter/waf/addresses/builder.go
Comment on lines 49 to 51
if len(cookies) == 0 {
cookies = nil
return b
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This means WithCookies(notNil) followed by WithCookies(nil) will leave the old cookies value around...

That feels like a pretty theoretical issue... but I guess if this is the intended behavior it should probably be documented at least?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually this is the behavior for a lot of other optional addresses managed by the address builder. I had to temporarily change it otherwise fingerprints would not generate when there was no cookies in the request but the original goal is still the same: if the map is empty then there nothing for the WAF to run on, so we don't keep nil values. We could also try to delete the previous key in this case but this looks a bit overengineered considering the builder is a short-lived value.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't mind adding docs on the WafAddressesBuilder type tho

@eliottness eliottness changed the title appsec: better ATO and RASP detection appsec: upgrade libddwaf v1.20.1 & ruleset v1.13.2 Oct 30, 2024
@pr-commenter
Copy link

pr-commenter bot commented Oct 30, 2024

Benchmarks

Benchmark execution time: 2024-10-30 09:58:29

Comparing candidate commit b448bf6 in PR branch eliott.bouhana/rasp-ga with baseline commit fcda5e2 in branch main.

Found 0 performance improvements and 3 performance regressions! Performance is the same for 56 metrics, 0 unstable metrics.

scenario:BenchmarkOTelApiWithCustomTags/datadog_otel_api-24

  • 🟥 execution_time [+124.702ns; +178.098ns] or [+2.604%; +3.719%]

scenario:BenchmarkOTelApiWithCustomTags/otel_api-24

  • 🟥 execution_time [+220.365ns; +286.835ns] or [+3.043%; +3.961%]

scenario:BenchmarkStartSpanConcurrent-24

  • 🟥 execution_time [+148.925ns; +327.275ns] or [+2.742%; +6.026%]

@eliottness eliottness enabled auto-merge (squash) October 30, 2024 12:10
@eliottness eliottness merged commit 1cf97ca into main Oct 30, 2024
169 of 171 checks passed
@eliottness eliottness deleted the eliott.bouhana/rasp-ga branch October 30, 2024 12:17
darccio added a commit that referenced this pull request Nov 14, 2024
@darccio
chore(go.mod): keep modifications from #2952
1d3778a
darccio added a commit that referenced this pull request Nov 14, 2024
@darccio
chore(go.mod): keep modifications from #2952
78541ba
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RomainMuller RomainMuller RomainMuller approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@eliottness @RomainMuller