Skip to content

chore(asm): keep trace without events if waf decides #13677

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Jun 17, 2025
Merged

chore(asm): keep trace without events if waf decides #13677

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
bed58ae
keep trace without events if waf says so
christophe-papazian Jun 16, 2025
b26b0ca
update st version
christophe-papazian Jun 16, 2025
d3dfa3e
remove agent building process
christophe-papazian Jun 16, 2025
2e1b555
Merge branch 'main' into christophe-papazian/keep_trace_without_secur…
christophe-papazian Jun 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 4 additions & 37 deletions .github/workflows/system-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,33 +11,6 @@ on:
- cron: '00 04 * * 2-6'

jobs:
system-tests-build-agent:
runs-on: ubuntu-latest
steps:

- name: Checkout system tests
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
repository: 'DataDog/system-tests'
# Automatically managed, use scripts/update-system-tests-version to update
ref: '64afc5f8c1c2aa19adefdf1abf5559b62af8e784'

- name: Build agent
run: ./build.sh -i agent

- name: Save
id: save
run: |
docker image save system_tests/agent:latest | gzip > agent_${{ github.sha }}.tar.gz

- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: agent_${{ github.sha }}
path: |
agent_${{ github.sha }}.tar.gz
retention-days: 2

system-tests-build-weblog:
runs-on: ubuntu-latest
strategy:
Expand Down Expand Up @@ -69,7 +42,7 @@ jobs:
persist-credentials: false
repository: 'DataDog/system-tests'
# Automatically managed, use scripts/update-system-tests-version to update
ref: '64afc5f8c1c2aa19adefdf1abf5559b62af8e784'
ref: '40654a690db784079c5969bfc0a6031964f833a8'

- name: Checkout dd-trace-py
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand Down Expand Up @@ -98,7 +71,7 @@ jobs:

system-tests:
runs-on: ubuntu-latest
needs: [system-tests-build-agent, system-tests-build-weblog]
needs: [system-tests-build-weblog]
strategy:
matrix:
weblog-variant: [flask-poc, uwsgi-poc , django-poc, fastapi, python3.12, django-py3.13]
Expand All @@ -123,7 +96,7 @@ jobs:
persist-credentials: false
repository: 'DataDog/system-tests'
# Automatically managed, use scripts/update-system-tests-version to update
ref: '64afc5f8c1c2aa19adefdf1abf5559b62af8e784'
ref: '40654a690db784079c5969bfc0a6031964f833a8'

- name: Build runner
uses: ./.github/actions/install_runner
Expand All @@ -133,16 +106,10 @@ jobs:
name: ${{ matrix.weblog-variant }}_${{ github.sha }}
path: images_artifacts/

- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: agent_${{ github.sha }}
path: images_artifacts/

- name: docker load
id: docker_load
run: |
docker load < images_artifacts/${{ matrix.weblog-variant}}_weblog_${{ github.sha }}.tar.gz
docker load < images_artifacts/agent_${{ github.sha }}.tar.gz

- name: Run DEFAULT
if: always() && steps.docker_load.outcome == 'success' && matrix.scenario == 'other'
Expand Down Expand Up @@ -310,7 +277,7 @@ jobs:
persist-credentials: false
repository: 'DataDog/system-tests'
# Automatically managed, use scripts/update-system-tests-version to update
ref: '64afc5f8c1c2aa19adefdf1abf5559b62af8e784'
ref: '40654a690db784079c5969bfc0a6031964f833a8'
- name: Checkout dd-trace-py
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
Expand Down
13 changes: 5 additions & 8 deletions ddtrace/appsec/_processor.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -323,9 +323,7 @@ def _waf_action(
_asm_request_context.set_blocked(blocked)

allowed = True
if waf_results.data or blocked:
# We run the rate limiter only if there is an attack,
# its goal is to limit the number of collected asm events
if waf_results.keep:
allowed = self._rate_limiter.is_allowed()

_asm_request_context.set_waf_telemetry_results(
Expand All @@ -336,9 +334,6 @@ def _waf_action(
not allowed,
)

if not allowed:
return waf_results

if waf_results.data:
_asm_request_context.store_waf_results_data(waf_results.data)
if blocked:
Expand All @@ -355,10 +350,12 @@ def _waf_action(

# Right now, we overwrite any value that could be already there. We need to reconsider when ASM/AppSec's
# specs are updated.
if waf_results.keep:
_asm_manual_keep(span)
if span.get_tag(_ORIGIN_KEY) is None:
span.set_tag_str(_ORIGIN_KEY, APPSEC.ORIGIN_VALUE)

if waf_results.keep and allowed:
_asm_manual_keep(span)

return waf_results

def _is_needed(self, address: str) -> bool:
Expand Down
Loading