From 0e9628fb42aebaa596da8d850424b235b73aefeb Mon Sep 17 00:00:00 2001
From: "sezen.leblay"
Date: Thu, 11 Sep 2025 11:38:56 +0200
Subject: [PATCH] Upgrading libddwaf to 1.28.1

---
 .github/workflows/actions.yml | 2 +-
 build.gradle | 2 +-
 libddwaf | 2 +-
 src/main/java/com/datadog/ddwaf/Waf.java | 2 +-
 .../com/datadog/ddwaf/RulesCompatTest.groovy | 114 ++++++++++++++++++
 5 files changed, 118 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml
index b428cfe3..3551222a 100644
--- a/.github/workflows/actions.yml
+++ b/.github/workflows/actions.yml
@@ -11,7 +11,7 @@ defaults:
 env:
 buildType: RelWithDebInfo
 tempdir: ${{ github.workspace }}/build
- libddwafVersion: 1.28.0
+ libddwafVersion: 1.28.1
 jobs:
 Spotless:
 name: spotless
diff --git a/build.gradle b/build.gradle
index c9f7ee86..41e19bea 100644
--- a/build.gradle
+++ b/build.gradle
@@ -28,7 +28,7 @@ repositories {
 }
 group 'io.sqreen'
-version '17.0.0'
+version '17.1.0'
 sourceCompatibility = 1.8
 targetCompatibility = 1.8
diff --git a/libddwaf b/libddwaf
index bbe9915d..03f74840 160000
--- a/libddwaf
+++ b/libddwaf
@@ -1 +1 @@
-Subproject commit bbe9915d53d5964f3a73a8de8c9cfe9bb80e3b6c
+Subproject commit 03f748400833aa27b5249bdbfba26468bc2975a1
diff --git a/src/main/java/com/datadog/ddwaf/Waf.java b/src/main/java/com/datadog/ddwaf/Waf.java
index f1805d3c..39b0f7f6 100644
--- a/src/main/java/com/datadog/ddwaf/Waf.java
+++ b/src/main/java/com/datadog/ddwaf/Waf.java
@@ -20,7 +20,7 @@ import org.slf4j.LoggerFactory;
 public final class Waf {
- public static final String LIB_VERSION = "1.28.0";
+ public static final String LIB_VERSION = "1.28.1";
 private static final Logger LOGGER = LoggerFactory.getLogger(Waf.class);
 static final boolean EXIT_ON_LEAK;
diff --git a/src/test/groovy/com/datadog/ddwaf/RulesCompatTest.groovy b/src/test/groovy/com/datadog/ddwaf/RulesCompatTest.groovy
index 38c91022..3c149bb0 100644
--- a/src/test/groovy/com/datadog/ddwaf/RulesCompatTest.groovy
+++ b/src/test/groovy/com/datadog/ddwaf/RulesCompatTest.groovy
@@ -640,6 +640,50 @@ class RulesCompatTest implements WafTrait {
 assert result.attributes['_dd.appsec.trace.agent'] == 'TraceTagging/v1'
 }
+ @Test
+ void 'test trace tagging rule with attributes, no keep and event'() {
+ def rulesetWithTraceTaggingEvent = TRACE_TAGGING_EVENT_RULESET
+
+ wafDiagnostics = builder.addOrUpdateConfig('test', rulesetWithTraceTaggingEvent)
+
+ // Check if configuration was accepted
+ assert wafDiagnostics.numConfigOK == 1, "WAF configuration was not accepted. numConfigOK = ${wafDiagnostics?.numConfigOK}"
+
+ handle = builder.buildWafHandleInstance()
+ context = new WafContext(handle)
+
+ // Test with input that should match the rule
+ def params = [
+ 'server.request.headers.no_cookies': [
+ 'user-agent': 'TraceTagging/v4'
+ ]
+ ]
+
+ def result = context.run(params, limits, metrics)
+ assert result.result == Waf.Result.MATCH
+
+ // Since the rule has event: true, result.data should contain event information
+ assert result.data != null
+
+ // Parse the event data
+ def jsonResult = new JsonSlurper().parseText(result.data)
+ assert jsonResult.any { it.rule?.id == 'ttr-000-004' }
+
+ // Assert that both attributes are present
+ assert result.attributes.containsKey('_dd.appsec.trace.integer'), 'Missing _dd.appsec.trace.integer attribute'
+ assert result.attributes.containsKey('_dd.appsec.trace.agent'), 'Missing _dd.appsec.trace.agent attribute'
+
+ // Assert the values
+ assert result.attributes['_dd.appsec.trace.integer'] == 1729L
+ assert result.attributes['_dd.appsec.trace.agent'] == 'TraceTagging/v4'
+
+ // Assert that keep is false (should not have USER_KEEP sampling priority)
+ assert !result.keep
+
+ // Assert that events flag is true
+ assert result.events
+ }
+ @Test + void 'test waf should block but returns ok instead of match'() { def rulesetWithBlockingRule = [
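Review bot: The event assertion `assert jsonResult.any { it.rule?.id == 'ttr-000-004' }` still passes if the co-bundled `arachni_rule` or any other rule also produced an event, so the test does not show that the trace-tagging rule alone fired; assuming `result.data` parses to the usual list of events, as the existing `any` call implies, `assert jsonResult.size() == 1 && jsonResult[0].rule?.id == 'ttr-000-004'` pins that down. The safe-navigation in the failure message `${wafDiagnostics?.numConfigOK}` is dead, since the same statement has already dereferenced `wafDiagnostics`, so `${wafDiagnostics.numConfigOK}` reads truer. The local `rulesetWithTraceTaggingEvent` only aliases `TRACE_TAGGING_EVENT_RULESET` and can be passed directly to `addOrUpdateConfig`. The trailing context after the new method's closing brace is still merged into one line in this rendering.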
@@ -1218,4 +1262,74 @@ class RulesCompatTest implements WafTrait {
 ]
 ]
 ]
+
+ private static final Map TRACE_TAGGING_EVENT_RULESET = [
+ version: '2.1',
+ metadata: [
+ rules_version: '1.2.7'
+ ],
+ rules: [
+ [
+ id: 'arachni_rule',
+ name: 'Arachni',
+ tags: [
+ type: 'security_scanner',
+ category: 'attack_attempt'
+ ],
+ conditions: [
+ [
+ parameters: [
+ inputs: [
+ [
+ address: 'server.request.headers.no_cookies',
+ key_path: ['user-agent']
+ ]
+ ],
+ regex: '^Arachni\\/v'
+ ],
+ operator: 'match_regex'
+ ]
+ ],
+ transformers: [],
+ on_match: ['block']
+ ]
+ ],
+ rules_compat: [
+ [
+ id: 'ttr-000-004',
+ name: 'Trace Tagging Rule: Attributes, No Keep, Event',
+ tags: [
+ type: 'security_scanner',
+ category: 'attack_attempt'
+ ],
+ conditions: [
+ [
+ parameters: [
+ inputs: [
+ [
+ address: 'server.request.headers.no_cookies',
+ key_path: ['user-agent']
+ ]
+ ],
+ regex: '^TraceTagging\\/v4'
+ ],
+ operator: 'match_regex'
+ ]
+ ],
+ output: [
+ event: true,
+ keep: false,
+ attributes: [
+ '_dd.appsec.trace.integer': [
+ value: 1729
+ ],
+ '_dd.appsec.trace.agent': [
+ value: 'TraceTagging/v4'
+ ]
+ ]
+ ],
+ on_match: []
+ ]
+ ]
+ ]
 }
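Review bot: `TRACE_TAGGING_EVENT_RULESET` is a `private static final` reference to a mutable map literal, so a test that tweaks it to build a variant (say, flipping `output.keep`) silently changes the fixture for every test that runs after it; closing the literal with `].asImmutable()` makes such a mutation fail loudly, though only at the top level, since the nested maps stay mutable. The field is typed as raw `Map`; `Map<String, Object>` would match what the literal actually holds. A short comment above the field would help readers, e.g. `// Blocking Arachni rule plus a rules_compat trace-tagging rule that emits an event with two attributes but sets keep: false and has no on_match action.` If the other fixtures in this file repeat the same `arachni_rule` block, hoisting it into one shared constant would remove the duplication, but that is beyond what this hunk shows.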