Add rasp telemetry metrics (#5458)

* add rasp telemetry missing metrics

* add tests for rasp rule match

* report rasp rule skipped metric

* report rasp rule on nextjs

* rasp metrics

* report rule match

* block

* fix windows test

* code cleaning

* add rule triggered related comment

* rule variant tests

* fix rasp duration track test

Author: IlyasShabi

packages/dd-trace/src/appsec/rasp/command_injection.js

@@ -47,7 +47,7 @@ function analyzeCommandInjection ({ file, fileArgs, shell, abortController }) {
   const result = waf.run({ ephemeral }, req, raspRule)
 
   const res = store?.res
-  handleResult(result, req, res, abortController, config)
+  handleResult(result, req, res, abortController, config, raspRule)
 }
 
 module.exports = {

packages/dd-trace/src/appsec/rasp/index.js

@@ -7,6 +7,7 @@ const ssrf = require('./ssrf')
 const sqli = require('./sql_injection')
 const lfi = require('./lfi')
 const cmdi = require('./command_injection')
+const { updateRaspRuleMatchMetricTags } = require('../telemetry')
 
 const { DatadogRaspAbortError } = require('./utils')
 
@@ -84,9 +85,10 @@ function blockOnDatadogRaspAbortError ({ error }) {
   const abortError = findDatadogRaspAbortError(error)
   if (!abortError) return false
 
-  const { req, res, blockingAction } = abortError
+  const { req, res, blockingAction, raspRule } = abortError
   if (!isBlocked(res)) {
-    block(req, res, web.root(req), null, blockingAction)
+    const blocked = block(req, res, web.root(req), null, blockingAction)
+    updateRaspRuleMatchMetricTags(req, raspRule, true, blocked)
   }
 
   return true

packages/dd-trace/src/appsec/rasp/lfi.js

@@ -61,7 +61,7 @@ function analyzeLfi (ctx) {
     const raspRule = { type: RULE_TYPES.LFI }
 
     const result = waf.run({ ephemeral }, req, raspRule)
-    handleResult(result, req, res, ctx.abortController, config)
+    handleResult(result, req, res, ctx.abortController, config, raspRule)
   })
 }
 

packages/dd-trace/src/appsec/rasp/sql_injection.js

@@ -76,7 +76,7 @@ function analyzeSqlInjection (query, dbSystem, abortController) {
 
   const result = waf.run({ ephemeral }, req, raspRule)
 
-  handleResult(result, req, res, abortController, config)
+  handleResult(result, req, res, abortController, config, raspRule)
 }
 
 function hasInputAddress (payload) {

packages/dd-trace/src/appsec/rasp/ssrf.js

@@ -34,7 +34,7 @@ function analyzeSsrf (ctx) {
   const result = waf.run({ ephemeral }, req, raspRule)
 
   const res = store?.res
-  handleResult(result, req, res, ctx.abortController, config)
+  handleResult(result, req, res, ctx.abortController, config, raspRule)
 }
 
 module.exports = { enable, disable }

packages/dd-trace/src/appsec/rasp/utils.js

@@ -4,6 +4,7 @@ const web = require('../../plugins/util/web')
 const { getCallsiteFrames, reportStackTrace, canReportStackTrace } = require('../stack_trace')
 const { getBlockingAction } = require('../blocking')
 const log = require('../../log')
+const { updateRaspRuleMatchMetricTags } = require('../telemetry')
 
 const abortOnUncaughtException = process.execArgv?.includes('--abort-on-uncaught-exception')
 
@@ -19,16 +20,17 @@ const RULE_TYPES = {
 }
 
 class DatadogRaspAbortError extends Error {
-  constructor (req, res, blockingAction) {
+  constructor (req, res, blockingAction, raspRule) {
     super('DatadogRaspAbortError')
     this.name = 'DatadogRaspAbortError'
     this.req = req
     this.res = res
     this.blockingAction = blockingAction
+    this.raspRule = raspRule
   }
 }
 
-function handleResult (actions, req, res, abortController, config) {
+function handleResult (actions, req, res, abortController, config, raspRule) {
   const generateStackTraceAction = actions?.generate_stack
 
   const { enabled, maxDepth, maxStackTraces } = config.appsec.stackTrace
@@ -45,21 +47,24 @@ function handleResult (actions, req, res, abortController, config) {
     )
   }
 
-  if (!abortController || abortOnUncaughtException) return
+  if (abortController && !abortOnUncaughtException) {
+    const blockingAction = getBlockingAction(actions)
 
-  const blockingAction = getBlockingAction(actions)
-  if (blockingAction) {
     // Should block only in express
-    if (rootSpan?.context()._name === 'express.request') {
-      const abortError = new DatadogRaspAbortError(req, res, blockingAction)
+    if (blockingAction && rootSpan?.context()._name === 'express.request') {
+      const abortError = new DatadogRaspAbortError(req, res, blockingAction, raspRule)
       abortController.abort(abortError)
 
       // TODO Delete this when support for node 16 is removed
       if (!abortController.signal.reason) {
         abortController.signal.reason = abortError
       }
+
+      return
     }
   }
+
+  updateRaspRuleMatchMetricTags(req, raspRule, false, false)
 }
 
 module.exports = {

packages/dd-trace/src/appsec/reporter.js

@@ -6,12 +6,13 @@ const web = require('../plugins/util/web')
 const { ipHeaderList } = require('../plugins/util/ip_extractor')
 const {
   incrementWafInitMetric,
-  updateWafRequestsMetricTags,
-  updateRaspRequestsMetricTags,
   incrementWafUpdatesMetric,
   incrementWafRequestsMetric,
-  getRequestMetrics,
-  updateRateLimitedMetric
+  updateWafRequestsMetricTags,
+  updateRaspRequestsMetricTags,
+  updateRaspRuleSkippedMetricTags,
+  updateRateLimitedMetric,
+  getRequestMetrics
 } = require('./telemetry')
 const zlib = require('zlib')
 const { keepTrace } = require('../priority_sampler')
@@ -294,6 +295,7 @@ module.exports = {
   reportMetrics,
   reportAttack,
   reportWafUpdate: incrementWafUpdatesMetric,
+  reportRaspRuleSkipped: updateRaspRuleSkippedMetricTags,
   reportDerivatives,
   finishRequest,
   setRateLimit,

packages/dd-trace/src/appsec/telemetry/index.js

@@ -1,8 +1,13 @@
 'use strict'
 
 const { DD_TELEMETRY_REQUEST_METRICS } = require('./common')
-const { addRaspRequestMetrics, trackRaspMetrics } = require('./rasp')
 const { incrementMissingUserId, incrementMissingUserLogin, incrementSdkEvent } = require('./user')
+const {
+  addRaspRequestMetrics,
+  trackRaspMetrics,
+  trackRaspRuleMatch,
+  trackRaspRuleSkipped
+} = require('./rasp')
 const {
   addWafRequestMetrics,
   trackWafMetrics,
@@ -34,7 +39,10 @@ function newStore () {
       wafTimeouts: 0,
       raspTimeouts: 0,
       wafErrorCode: null,
-      raspErrorCode: null
+      raspErrorCode: null,
+      wafVersion: null,
+      rulesVersion: null,
+      ruleTriggered: null
     }
   }
 }
@@ -58,7 +66,21 @@ function updateRaspRequestsMetricTags (metrics, req, raspRule) {
 
   if (!enabled) return
 
-  trackRaspMetrics(metrics, raspRule)
+  trackRaspMetrics(store, metrics, raspRule)
+}
+
+function updateRaspRuleMatchMetricTags (req, raspRule, blockTriggered, blocked) {
+  if (!enabled || !req) return
+
+  const store = getStore(req)
+
+  trackRaspRuleMatch(store, raspRule, blockTriggered, blocked)
+}
+
+function updateRaspRuleSkippedMetricTags (raspRule, reason) {
+  if (!enabled) return
+
+  trackRaspRuleSkipped(raspRule, reason)
 }
 
 function updateWafRequestsMetricTags (metrics, req) {
@@ -142,6 +164,8 @@ module.exports = {
   updateRateLimitedMetric,
   updateBlockFailureMetric,
   updateRaspRequestsMetricTags,
+  updateRaspRuleMatchMetricTags,
+  updateRaspRuleSkippedMetricTags,
   incrementWafInitMetric,
   incrementWafUpdatesMetric,
   incrementWafRequestsMetric,

packages/dd-trace/src/appsec/telemetry/rasp.js

@@ -1,10 +1,16 @@
 'use strict'
 
 const telemetryMetrics = require('../../telemetry/metrics')
-const { DD_TELEMETRY_REQUEST_METRICS } = require('./common')
+const { DD_TELEMETRY_REQUEST_METRICS, getVersionsTags } = require('./common')
 
 const appsecMetrics = telemetryMetrics.manager.namespace('appsec')
 
+const BLOCKING_STATUS = {
+  FAILURE: 'failure',
+  IRRELEVANT: 'irrelevant',
+  SUCCESS: 'success'
+}
+
 function addRaspRequestMetrics (store, { duration, durationExt, wafTimeout, errorCode }) {
   store[DD_TELEMETRY_REQUEST_METRICS].raspDuration += duration || 0
   store[DD_TELEMETRY_REQUEST_METRICS].raspDurationExt += durationExt || 0
@@ -26,25 +32,95 @@ function addRaspRequestMetrics (store, { duration, durationExt, wafTimeout, erro
   }
 }
 
-function trackRaspMetrics (metrics, raspRule) {
-  const tags = { rule_type: raspRule.type, waf_version: metrics.wafVersion }
+function trackRaspMetrics (store, metrics, raspRule) {
+  const versionsTags = getVersionsTags(metrics.wafVersion, metrics.rulesVersion)
+  const tags = { rule_type: raspRule.type, ...versionsTags }
+  const telemetryMetrics = store[DD_TELEMETRY_REQUEST_METRICS]
 
   if (raspRule.variant) {
     tags.rule_variant = raspRule.variant
   }
 
+  if (metrics.wafVersion) {
+    telemetryMetrics.wafVersion = metrics.wafVersion
+  }
+
+  if (metrics.rulesVersion) {
+    telemetryMetrics.rulesVersion = metrics.rulesVersion
+  }
+
+  if (metrics.ruleTriggered) {
+    telemetryMetrics.ruleTriggered = true
+  }
+
   appsecMetrics.count('rasp.rule.eval', tags).inc(1)
 
+  if (metrics.duration) {
+    appsecMetrics.distribution('rasp.rule.duration', tags).track(metrics.duration)
+
+    const raspDuration = telemetryMetrics.raspDuration
+    appsecMetrics.distribution('rasp.duration', versionsTags).track(raspDuration)
+  }
+
+  if (metrics.durationExt) {
+    const raspDurationExt = telemetryMetrics.raspDurationExt
+    appsecMetrics.distribution('rasp.duration_ext', versionsTags).track(raspDurationExt)
+  }
+
+  if (metrics.errorCode) {
+    const errorTags = { ...tags, waf_error: metrics.errorCode }
+
+    appsecMetrics.count('rasp.error', errorTags).inc(1)
+  }
+
   if (metrics.wafTimeout) {
     appsecMetrics.count('rasp.timeout', tags).inc(1)
   }
+}
 
-  if (metrics.ruleTriggered) {
-    appsecMetrics.count('rasp.rule.match', tags).inc(1)
+function trackRaspRuleMatch (store, raspRule, blockTriggered, blocked) {
+  const telemetryMetrics = store[DD_TELEMETRY_REQUEST_METRICS]
+  if (!telemetryMetrics.ruleTriggered) return
+
+  const tags = {
+    waf_version: telemetryMetrics.wafVersion,
+    event_rules_version: telemetryMetrics.rulesVersion,
+    rule_type: raspRule.type,
+    block: getRuleMatchBlockingStatus(blockTriggered, blocked)
+  }
+
+  if (raspRule.variant) {
+    tags.rule_variant = raspRule.variant
+  }
+
+  appsecMetrics.count('rasp.rule.match', tags).inc(1)
+
+  // this is needed to not count it twice for the same match
+  // but it also means it can only be called once per waf call even if there are multiple rasp match
+  telemetryMetrics.ruleTriggered = null
+}
+
+function trackRaspRuleSkipped (raspRule, reason) {
+  const tags = { reason, rule_type: raspRule.type }
+
+  if (raspRule.variant) {
+    tags.rule_variant = raspRule.variant
   }
+
+  appsecMetrics.count('rasp.rule.skipped', tags).inc(1)
+}
+
+function getRuleMatchBlockingStatus (blockTriggered, blocked) {
+  if (!blockTriggered) {
+    return BLOCKING_STATUS.IRRELEVANT
+  }
+
+  return blocked ? BLOCKING_STATUS.SUCCESS : BLOCKING_STATUS.FAILURE
 }
 
 module.exports = {
   addRaspRequestMetrics,
-  trackRaspMetrics
+  trackRaspMetrics,
+  trackRaspRuleMatch,
+  trackRaspRuleSkipped
 }

packages/dd-trace/src/appsec/waf/waf_context_wrapper.js

@@ -25,6 +25,10 @@ class WAFContextWrapper {
   run ({ persistent, ephemeral }, raspRule) {
     if (this.ddwafContext.disposed) {
       log.warn('[ASM] Calling run on a disposed context')
+      if (raspRule) {
+        Reporter.reportRaspRuleSkipped(raspRule, 'after-request')
+      }
+
       return
     }