RubyGems - datadog - Versions diffs - 2.15.0 → 2.16.0 - Mend

datadog 2.15.0 → 2.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (121) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +46 -2
data/ext/datadog_profiling_native_extension/datadog_ruby_common.c +1 -4
data/ext/datadog_profiling_native_extension/datadog_ruby_common.h +7 -0
data/ext/datadog_profiling_native_extension/extconf.rb +3 -0
data/ext/datadog_profiling_native_extension/heap_recorder.c +8 -1
data/ext/libdatadog_api/crashtracker.c +1 -9
data/ext/libdatadog_api/crashtracker.h +5 -0
data/ext/libdatadog_api/datadog_ruby_common.c +1 -4
data/ext/libdatadog_api/datadog_ruby_common.h +7 -0
data/ext/libdatadog_api/init.c +15 -0
data/ext/libdatadog_api/library_config.c +122 -0
data/ext/libdatadog_api/library_config.h +19 -0
data/ext/libdatadog_api/process_discovery.c +117 -0
data/ext/libdatadog_api/process_discovery.h +5 -0
data/lib/datadog/appsec/actions_handler.rb +3 -2
data/lib/datadog/appsec/assets/waf_rules/recommended.json +1344 -0
data/lib/datadog/appsec/assets/waf_rules/strict.json +1344 -0
data/lib/datadog/appsec/autoload.rb +1 -1
data/lib/datadog/appsec/component.rb +11 -4
data/lib/datadog/appsec/configuration/settings.rb +31 -18
data/lib/datadog/appsec/context.rb +1 -1
data/lib/datadog/appsec/contrib/active_record/instrumentation.rb +10 -12
data/lib/datadog/appsec/contrib/active_record/integration.rb +1 -1
data/lib/datadog/appsec/contrib/active_record/patcher.rb +22 -22
data/lib/datadog/appsec/contrib/devise/data_extractor.rb +2 -3
data/lib/datadog/appsec/contrib/devise/ext.rb +1 -0
data/lib/datadog/appsec/contrib/devise/integration.rb +1 -1
data/lib/datadog/appsec/contrib/devise/patcher.rb +3 -5
data/lib/datadog/appsec/contrib/devise/tracking_middleware.rb +17 -4
data/lib/datadog/appsec/contrib/excon/integration.rb +1 -1
data/lib/datadog/appsec/contrib/excon/ssrf_detection_middleware.rb +9 -10
data/lib/datadog/appsec/contrib/faraday/integration.rb +1 -1
data/lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb +8 -9
data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb +8 -9
data/lib/datadog/appsec/contrib/graphql/integration.rb +1 -1
data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +22 -32
data/lib/datadog/appsec/contrib/rack/integration.rb +1 -1
data/lib/datadog/appsec/contrib/rack/request_middleware.rb +16 -16
data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +11 -13
data/lib/datadog/appsec/contrib/rails/integration.rb +1 -1
data/lib/datadog/appsec/contrib/rails/patcher.rb +21 -21
data/lib/datadog/appsec/contrib/rest_client/integration.rb +1 -1
data/lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb +10 -11
data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +17 -23
data/lib/datadog/appsec/contrib/sinatra/integration.rb +1 -1
data/lib/datadog/appsec/event.rb +85 -95
data/lib/datadog/appsec/instrumentation/gateway/argument.rb +5 -2
data/lib/datadog/appsec/metrics/telemetry.rb +1 -1
data/lib/datadog/appsec/monitor/gateway/watcher.rb +42 -12
data/lib/datadog/appsec/processor/rule_loader.rb +26 -28
data/lib/datadog/appsec/processor/rule_merger.rb +5 -5
data/lib/datadog/appsec/processor.rb +1 -1
data/lib/datadog/appsec/remote.rb +14 -13
data/lib/datadog/appsec/response.rb +6 -6
data/lib/datadog/appsec/security_engine/runner.rb +1 -1
data/lib/datadog/appsec/security_event.rb +39 -0
data/lib/datadog/appsec.rb +1 -1
data/lib/datadog/core/configuration/agentless_settings_resolver.rb +176 -0
data/lib/datadog/core/configuration/components.rb +19 -10
data/lib/datadog/core/configuration/option.rb +61 -25
data/lib/datadog/core/configuration/settings.rb +10 -0
data/lib/datadog/core/configuration/stable_config.rb +23 -0
data/lib/datadog/core/configuration.rb +24 -0
data/lib/datadog/core/crashtracking/component.rb +1 -9
data/lib/datadog/core/environment/git.rb +1 -0
data/lib/datadog/core/environment/variable_helpers.rb +1 -1
data/lib/datadog/core/metrics/client.rb +8 -7
data/lib/datadog/core/process_discovery.rb +32 -0
data/lib/datadog/core/remote/client.rb +7 -0
data/lib/datadog/core/runtime/metrics.rb +1 -1
data/lib/datadog/core/telemetry/component.rb +60 -50
data/lib/datadog/core/telemetry/emitter.rb +17 -11
data/lib/datadog/core/telemetry/event.rb +7 -4
data/lib/datadog/core/telemetry/http/adapters/net.rb +12 -97
data/lib/datadog/core/telemetry/request.rb +3 -3
data/lib/datadog/core/telemetry/transport/http/api.rb +43 -0
data/lib/datadog/core/telemetry/transport/http/client.rb +49 -0
data/lib/datadog/core/telemetry/transport/http/telemetry.rb +92 -0
data/lib/datadog/core/telemetry/transport/http.rb +63 -0
data/lib/datadog/core/telemetry/transport/telemetry.rb +52 -0
data/lib/datadog/core/telemetry/worker.rb +45 -0
data/lib/datadog/core/utils/time.rb +12 -0
data/lib/datadog/core/workers/async.rb +20 -2
data/lib/datadog/core/workers/interval_loop.rb +12 -1
data/lib/datadog/core/workers/runtime_metrics.rb +2 -2
data/lib/datadog/core.rb +8 -0
data/lib/datadog/di/boot.rb +34 -0
data/lib/datadog/di/remote.rb +2 -0
data/lib/datadog/di.rb +5 -32
data/lib/datadog/error_tracking/collector.rb +87 -0
data/lib/datadog/error_tracking/component.rb +167 -0
data/lib/datadog/error_tracking/configuration/settings.rb +63 -0
data/lib/datadog/error_tracking/configuration.rb +11 -0
data/lib/datadog/error_tracking/ext.rb +18 -0
data/lib/datadog/error_tracking/extensions.rb +16 -0
data/lib/datadog/error_tracking/filters.rb +77 -0
data/lib/datadog/error_tracking.rb +18 -0
data/lib/datadog/kit/identity.rb +1 -1
data/lib/datadog/profiling/exporter.rb +1 -1
data/lib/datadog/tracing/analytics.rb +1 -1
data/lib/datadog/tracing/contrib/karafka/distributed/propagation.rb +2 -0
data/lib/datadog/tracing/contrib/karafka/monitor.rb +1 -1
data/lib/datadog/tracing/contrib/mongodb/configuration/settings.rb +8 -0
data/lib/datadog/tracing/contrib/mongodb/ext.rb +1 -0
data/lib/datadog/tracing/contrib/mongodb/subscribers.rb +18 -1
data/lib/datadog/tracing/distributed/b3_multi.rb +1 -1
data/lib/datadog/tracing/distributed/b3_single.rb +1 -1
data/lib/datadog/tracing/distributed/datadog.rb +2 -2
data/lib/datadog/tracing/sampling/rate_sampler.rb +2 -1
data/lib/datadog/tracing/span_operation.rb +38 -14
data/lib/datadog/tracing/trace_operation.rb +15 -7
data/lib/datadog/tracing/tracer.rb +7 -3
data/lib/datadog/tracing/utils.rb +1 -1
data/lib/datadog/version.rb +1 -1
data/lib/datadog.rb +2 -3
metadata +34 -8
data/lib/datadog/core/telemetry/http/env.rb +0 -20
data/lib/datadog/core/telemetry/http/ext.rb +0 -28
data/lib/datadog/core/telemetry/http/response.rb +0 -70
data/lib/datadog/core/telemetry/http/transport.rb +0 -90

data/lib/datadog/appsec/autoload.rb CHANGED Viewed

@@ -4,7 +4,7 @@ if %w[1 true].include?((ENV['DD_APPSEC_ENABLED'] || '').downcase)
   begin
     require_relative 'contrib/auto_instrument'
     Datadog::AppSec::Contrib::AutoInstrument.patch_all
-  rescue StandardError => e
+  rescue => e
     Kernel.warn(
       '[datadog] AppSec failed to instrument. No security check will be performed. error: ' \
       " #{e.class.name} #{e.message}"

data/lib/datadog/appsec/component.rb CHANGED Viewed

@@ -13,7 +13,7 @@ module Datadog
         def build_appsec_component(settings, telemetry:)
           return if !settings.respond_to?(:appsec) || !settings.appsec.enabled
-          ffi_version = Gem.loaded_specs['ffi'] && Gem.loaded_specs['ffi'].version
+          ffi_version = Gem.loaded_specs['ffi']&.version
           unless ffi_version
             Datadog.logger.warn('FFI gem is not loaded, AppSec will be disabled.')
             telemetry.error('AppSec: Component not loaded, due to missing FFI gem')
@@ -61,9 +61,16 @@ module Datadog
           exclusions = AppSec::Processor::RuleLoader.load_exclusions(ip_passlist: settings.appsec.ip_passlist)
+          # NOTE: This is a temporary solution before the RuleMerger refactoring
+          #       with new RemoteConfig setup
+          processors = rules['processors']
+          scanners = rules['scanners']
           ruleset = AppSec::Processor::RuleMerger.merge(
             rules: [rules],
             data: data,
+            scanners: scanners,
+            processors: processors,
             exclusions: exclusions,
             telemetry: telemetry
           )
@@ -88,13 +95,13 @@ module Datadog
         @mutex.synchronize do
           new_processor = Processor.new(ruleset: ruleset, telemetry: telemetry)
-          if new_processor && new_processor.ready?
+          if new_processor&.ready?
             old_processor = @processor
             @telemetry = telemetry
             @processor = new_processor
-            old_processor.finalize if old_processor
+            old_processor&.finalize
           end
         end
       end
@@ -105,7 +112,7 @@ module Datadog
       def shutdown!
         @mutex.synchronize do
-          if processor && processor.ready?
+          if processor&.ready?
             processor.finalize
             @processor = nil
           end

data/lib/datadog/appsec/configuration/settings.rb CHANGED Viewed

@@ -131,9 +131,12 @@ module Datadog
                     o.type :string, nilable: true
                     o.setter do |value|
                       if value
-                        raise(ArgumentError, "appsec.templates.html: file not found: #{value}") unless File.exist?(value)
+                        unless File.exist?(value)
+                          raise(ArgumentError,
+                            "appsec.templates.html: file not found: #{value}")
+                        end
-                        File.open(value, 'rb', &:read) || ''
+                        File.binread(value) || ''
                       end
                     end
                   end
@@ -143,9 +146,12 @@ module Datadog
                     o.type :string, nilable: true
                     o.setter do |value|
                       if value
-                        raise(ArgumentError, "appsec.templates.json: file not found: #{value}") unless File.exist?(value)
+                        unless File.exist?(value)
+                          raise(ArgumentError,
+                            "appsec.templates.json: file not found: #{value}")
+                        end
-                        File.open(value, 'rb', &:read) || ''
+                        File.binread(value) || ''
                       end
                     end
                   end
@@ -155,9 +161,12 @@ module Datadog
                     o.type :string, nilable: true
                     o.setter do |value|
                       if value
-                        raise(ArgumentError, "appsec.templates.text: file not found: #{value}") unless File.exist?(value)
+                        unless File.exist?(value)
+                          raise(ArgumentError,
+                            "appsec.templates.text: file not found: #{value}")
+                        end
-                        File.open(value, 'rb', &:read) || ''
+                        File.binread(value) || ''
                       end
                     end
                   end
@@ -237,7 +246,7 @@ module Datadog
                     Datadog.logger.warn(
                       'The appsec.auto_user_instrumentation.mode value provided is not supported. ' \
-                      "Supported values are: #{AUTO_USER_INSTRUMENTATION_MODES.join(' | ')}. " \
+                      "Supported values are: #{AUTO_USER_INSTRUMENTATION_MODES.join(" | ")}. " \
                       "Using value: #{DISABLED_AUTO_USER_INSTRUMENTATION_MODE}."
                     )
@@ -259,11 +268,13 @@ module Datadog
                       APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES.include?(env_value.strip.downcase)
                     end
                   end
-                  o.after_set do
-                    Core.log_deprecation(key: :appsec_track_user_events_enabled) do
-                      'The appsec.track_user_events.enabled setting has been deprecated for removal. ' \
-                      'Please remove it from your Datadog.configure block and use ' \
-                      'appsec.auto_user_instrumentation.mode instead.'
+                  o.after_set do |_, _, precedence|
+                    unless precedence == Datadog::Core::Configuration::Option::Precedence::DEFAULT
+                      Core.log_deprecation(key: :appsec_track_user_events_enabled) do
+                        'The appsec.track_user_events.enabled setting is deprecated. ' \
+                        'Please remove it from your Datadog.configure block and use ' \
+                        'appsec.auto_user_instrumentation.mode instead.'
+                      end
                     end
                   end
                 end
@@ -280,18 +291,20 @@ module Datadog
                     else
                       Datadog.logger.warn(
                         'The appsec.track_user_events.mode value provided is not supported.' \
-                        "Supported values are: #{APPSEC_VALID_TRACK_USER_EVENTS_MODE.join(' | ')}." \
+                        "Supported values are: #{APPSEC_VALID_TRACK_USER_EVENTS_MODE.join(" | ")}." \
                         "Using default value: #{SAFE_TRACK_USER_EVENTS_MODE}."
                       )
                       SAFE_TRACK_USER_EVENTS_MODE
                     end
                   end
-                  o.after_set do
-                    Core.log_deprecation(key: :appsec_track_user_events_mode) do
-                      'The appsec.track_user_events.mode setting has been deprecated for removal. ' \
-                      'Please remove it from your Datadog.configure block and use ' \
-                      'appsec.auto_user_instrumentation.mode instead.'
+                  o.after_set do |_, _, precedence|
+                    unless precedence == Datadog::Core::Configuration::Option::Precedence::DEFAULT
+                      Core.log_deprecation(key: :appsec_track_user_events_mode) do
+                        'The appsec.track_user_events.mode setting is deprecated. ' \
+                        'Please remove it from your Datadog.configure block and use ' \
+                        'appsec.auto_user_instrumentation.mode instead.'
+                      end
                     end
                   end
                 end

data/lib/datadog/appsec/context.rb CHANGED Viewed

@@ -56,7 +56,7 @@ module Datadog
       end
       def extract_schema
-        @waf_runner.run({ 'waf.context.processor' => { 'extract-schema' => true } }, {})
+        @waf_runner.run({'waf.context.processor' => {'extract-schema' => true}}, {})
       end
       def export_metrics

data/lib/datadog/appsec/contrib/active_record/instrumentation.rb CHANGED Viewed

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
+require_relative '../../event'
+require_relative '../../security_event'
 module Datadog
   module AppSec
     module Contrib
@@ -28,18 +31,13 @@ module Datadog
             result = context.run_rasp(Ext::RASP_SQLI, {}, ephemeral_data, waf_timeout)
             if result.match?
-              Datadog::AppSec::Event.tag_and_keep!(context, result)
-              event = {
-                waf_result: result,
-                trace: context.trace,
-                span: context.span,
-                sql: sql,
-                actions: result.actions
-              }
-              context.events << event
-              ActionsHandler.handle(result.actions)
+              AppSec::Event.tag_and_keep!(context, result)
+              context.events.push(
+                AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+              )
+              AppSec::ActionsHandler.handle(result.actions)
             end
           end

data/lib/datadog/appsec/contrib/active_record/integration.rb CHANGED Viewed

@@ -16,7 +16,7 @@ module Datadog
           register_as :active_record, auto_patch: true
           def self.version
-            Gem.loaded_specs['activerecord'] && Gem.loaded_specs['activerecord'].version
+            Gem.loaded_specs['activerecord']&.version
           end
           def self.loaded?

data/lib/datadog/appsec/contrib/active_record/patcher.rb CHANGED Viewed

@@ -53,43 +53,43 @@ module Datadog
           def patch_sqlite3_adapter
             instrumentation_module = if ::ActiveRecord.gem_version >= Gem::Version.new('7.1')
-                                       Instrumentation::InternalExecQueryAdapterPatch
-                                     elsif ::ActiveRecord.gem_version.segments.first == 4
-                                       Instrumentation::Rails4ExecQueryAdapterPatch
-                                     else
-                                       Instrumentation::ExecQueryAdapterPatch
-                                     end
+              Instrumentation::InternalExecQueryAdapterPatch
+            elsif ::ActiveRecord.gem_version.segments.first == 4
+              Instrumentation::Rails4ExecQueryAdapterPatch
+            else
+              Instrumentation::ExecQueryAdapterPatch
+            end
             ::ActiveRecord::ConnectionAdapters::SQLite3Adapter.prepend(instrumentation_module)
           end
           def patch_mysql2_adapter
             instrumentation_module = if ::ActiveRecord.gem_version >= Gem::Version.new('7.1')
-                                       Instrumentation::InternalExecQueryAdapterPatch
-                                     elsif ::ActiveRecord.gem_version.segments.first == 4
-                                       Instrumentation::Rails4ExecQueryAdapterPatch
-                                     else
-                                       Instrumentation::ExecQueryAdapterPatch
-                                     end
+              Instrumentation::InternalExecQueryAdapterPatch
+            elsif ::ActiveRecord.gem_version.segments.first == 4
+              Instrumentation::Rails4ExecQueryAdapterPatch
+            else
+              Instrumentation::ExecQueryAdapterPatch
+            end
             ::ActiveRecord::ConnectionAdapters::Mysql2Adapter.prepend(instrumentation_module)
           end
           def patch_postgresql_adapter
             instrumentation_module = if ::ActiveRecord.gem_version.segments.first == 4
-                                       Instrumentation::Rails4ExecuteAndClearAdapterPatch
-                                     else
-                                       Instrumentation::ExecuteAndClearAdapterPatch
-                                     end
+              Instrumentation::Rails4ExecuteAndClearAdapterPatch
+            else
+              Instrumentation::ExecuteAndClearAdapterPatch
+            end
             if defined?(::ActiveRecord::ConnectionAdapters::JdbcAdapter)
               instrumentation_module = if ::ActiveRecord.gem_version >= Gem::Version.new('7.1')
-                                         Instrumentation::InternalExecQueryAdapterPatch
-                                       elsif ::ActiveRecord.gem_version.segments.first == 4
-                                         Instrumentation::Rails4ExecQueryAdapterPatch
-                                       else
-                                         Instrumentation::ExecQueryAdapterPatch
-                                       end
+                Instrumentation::InternalExecQueryAdapterPatch
+              elsif ::ActiveRecord.gem_version.segments.first == 4
+                Instrumentation::Rails4ExecQueryAdapterPatch
+              else
+                Instrumentation::ExecQueryAdapterPatch
+              end
             end
             ::ActiveRecord::ConnectionAdapters::PostgreSQLAdapter.prepend(instrumentation_module)

data/lib/datadog/appsec/contrib/devise/data_extractor.rb CHANGED Viewed

@@ -57,9 +57,8 @@ module Datadog
           def find_devise_scope(object)
             return if ::Devise.mappings.count == 1
-            @devise_scopes[object.class.name] ||= begin
-              ::Devise.mappings.each_value.find { |mapping| mapping.class_name == object.class.name }&.name
-            end
+            @devise_scopes[object.class.name] ||= ::Devise.mappings
+              .each_value.find { |mapping| mapping.class_name == object.class.name }&.name
           end
           def transform(value)

data/lib/datadog/appsec/contrib/devise/ext.rb CHANGED Viewed

@@ -18,6 +18,7 @@ module Datadog
           TAG_DD_LOGIN_FAILURE_MODE = '_dd.appsec.events.users.login.failure.auto.mode'
           TAG_USR_ID = 'usr.id'
+          TAG_SESSION_ID = 'usr.session_id'
           TAG_SIGNUP_TRACK = 'appsec.events.users.signup.track'
           TAG_SIGNUP_USR_ID = 'appsec.events.users.signup.usr.id'
           TAG_SIGNUP_USR_LOGIN = 'appsec.events.users.signup.usr.login'

data/lib/datadog/appsec/contrib/devise/integration.rb CHANGED Viewed

@@ -16,7 +16,7 @@ module Datadog
           register_as :devise, auto_patch: true
           def self.version
-            Gem.loaded_specs['devise'] && Gem.loaded_specs['devise'].version
+            Gem.loaded_specs['devise']&.version
           end
           def self.loaded?

data/lib/datadog/appsec/contrib/devise/patcher.rb CHANGED Viewed

@@ -30,11 +30,9 @@ module Datadog
           def patch
             ::ActiveSupport.on_load(:before_initialize) do |app|
               GUARD_ONCE_PER_APP[app].run do
-                begin
-                  app.middleware.insert_after(Warden::Manager, TrackingMiddleware)
-                rescue RuntimeError
-                  AppSec.telemetry.error('AppSec: unable to insert Devise TrackingMiddleware')
-                end
+                app.middleware.insert_after(Warden::Manager, TrackingMiddleware)
+              rescue RuntimeError
+                AppSec.telemetry.error('AppSec: unable to insert Devise TrackingMiddleware')
               end
             end

data/lib/datadog/appsec/contrib/devise/tracking_middleware.rb CHANGED Viewed

@@ -10,6 +10,7 @@ module Datadog
         # A Rack middleware capable of tracking currently signed user
         class TrackingMiddleware
           WARDEN_KEY = 'warden'
+          SESSION_ID_KEY = 'session_id'
           def initialize(app)
             @app = app
@@ -32,16 +33,28 @@ module Datadog
               return @app.call(env)
             end
+            # NOTE: Rails session id will be set for unauthenticated users as well,
+            #       so we need to make sure we are tracking only authenticated users.
             id = transform(extract_id(env[WARDEN_KEY]))
+            session_id = env[WARDEN_KEY].raw_session[SESSION_ID_KEY] if id
             if id
-              unless context.span.has_tag?(Ext::TAG_USR_ID)
-                context.span[Ext::TAG_USR_ID] = id
+              # NOTE: There is no option to set session id without setting user id via SDK.
+              unless context.span.has_tag?(Ext::TAG_USR_ID) && context.span.has_tag?(Ext::TAG_SESSION_ID)
+                user_id = context.span[Ext::TAG_USR_ID] || id
+                user_session_id = context.span[Ext::TAG_SESSION_ID] || session_id
+                # FIXME: The current implementation of event arguments is forsing us
+                #        to bloat User class, and pass nil-value instead of skip
+                #        passing them at first place.
+                #        This is a temporary situation until we refactor events model.
                 AppSec::Instrumentation.gateway.push(
-                  'identity.set_user', AppSec::Instrumentation::Gateway::User.new(id, nil)
+                  'identity.set_user', AppSec::Instrumentation::Gateway::User.new(user_id, nil, user_session_id)
                 )
               end
-              context.span[Ext::TAG_DD_USR_ID] = id.to_s
+              context.span[Ext::TAG_USR_ID] ||= id
+              context.span[Ext::TAG_DD_USR_ID] = id
               context.span[Ext::TAG_DD_COLLECTION_MODE] ||= Configuration.auto_user_instrumentation_mode
             end

data/lib/datadog/appsec/contrib/excon/integration.rb CHANGED Viewed

@@ -16,7 +16,7 @@ module Datadog
           register_as :excon
           def self.version
-            Gem.loaded_specs['excon'] && Gem.loaded_specs['excon'].version
+            Gem.loaded_specs['excon']&.version
           end
           def self.loaded?

data/lib/datadog/appsec/contrib/excon/ssrf_detection_middleware.rb CHANGED Viewed

@@ -3,6 +3,9 @@
 require 'excon'
+require_relative '../../event'
+require_relative '../../security_event'
 module Datadog
   module AppSec
     module Contrib
@@ -15,22 +18,18 @@ module Datadog
             context = AppSec.active_context
             request_url = URI.join("#{data[:scheme]}://#{data[:host]}", data[:path]).to_s
-            ephemeral_data = { 'server.io.net.url' => request_url }
+            ephemeral_data = {'server.io.net.url' => request_url}
             result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
             if result.match?
-              Datadog::AppSec::Event.tag_and_keep!(context, result)
+              AppSec::Event.tag_and_keep!(context, result)
-              context.events << {
-                waf_result: result,
-                trace: context.trace,
-                span: context.span,
-                request_url: request_url,
-                actions: result.actions
-              }
+              context.events.push(
+                AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+              )
-              ActionsHandler.handle(result.actions)
+              AppSec::ActionsHandler.handle(result.actions)
             end
             super

data/lib/datadog/appsec/contrib/faraday/integration.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Datadog
           register_as :faraday, auto_patch: true
           def self.version
-            Gem.loaded_specs['faraday'] && Gem.loaded_specs['faraday'].version
+            Gem.loaded_specs['faraday']&.version
           end
           def self.loaded?

data/lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb CHANGED Viewed

@@ -1,6 +1,9 @@
 # rubocop:disable Naming/FileName
 # frozen_string_literal: true
+require_relative '../../event'
+require_relative '../../security_event'
 module Datadog
   module AppSec
     module Contrib
@@ -19,17 +22,13 @@ module Datadog
             result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
             if result.match?
-              Datadog::AppSec::Event.tag_and_keep!(context, result)
+              AppSec::Event.tag_and_keep!(context, result)
-              context.events << {
-                waf_result: result,
-                trace: context.trace,
-                span: context.span,
-                request_url: request_env.url,
-                actions: result.actions
-              }
+              context.events.push(
+                AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+              )
-              ActionsHandler.handle(result.actions)
+              AppSec::ActionsHandler.handle(result.actions)
             end
             @app.call(request_env)

data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb CHANGED Viewed

@@ -1,6 +1,9 @@
 # frozen_string_literal: true
 require 'json'
+require_relative '../../../event'
+require_relative '../../../security_event'
 require_relative '../../../instrumentation/gateway'
 module Datadog
@@ -29,17 +32,13 @@ module Datadog
                     result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
                     if result.match?
-                      Datadog::AppSec::Event.tag_and_keep!(context, result)
+                      AppSec::Event.tag_and_keep!(context, result)
-                      context.events << {
-                        waf_result: result,
-                        trace: context.trace,
-                        span: context.span,
-                        multiplex: gateway_multiplex,
-                        actions: result.actions
-                      }
+                      context.events.push(
+                        AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+                      )
-                      Datadog::AppSec::ActionsHandler.handle(result.actions)
+                      AppSec::ActionsHandler.handle(result.actions)
                     end
                   end

data/lib/datadog/appsec/contrib/graphql/integration.rb CHANGED Viewed

@@ -23,7 +23,7 @@ module Datadog
           register_as :graphql, auto_patch: false
           def self.version
-            Gem.loaded_specs['graphql'] && Gem.loaded_specs['graphql'].version
+            Gem.loaded_specs['graphql']&.version
           end
           def self.loaded?

data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb CHANGED Viewed

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
 require_relative '../ext'
-require_relative '../../../instrumentation/gateway'
 require_relative '../../../event'
+require_relative '../../../security_event'
+require_relative '../../../instrumentation/gateway'
 module Datadog
   module AppSec
@@ -23,7 +24,7 @@ module Datadog
               def watch_request(gateway = Instrumentation.gateway)
                 gateway.watch('rack.request', :appsec) do |stack, gateway_request|
-                  context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
+                  context = gateway_request.env[AppSec::Ext::CONTEXT_KEY]
                   persistent_data = {
                     'server.request.cookies' => gateway_request.cookies,
@@ -37,18 +38,15 @@ module Datadog
                   result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
-                  if result.match?
-                    Datadog::AppSec::Event.tag_and_keep!(context, result)
-                    context.events << {
-                      waf_result: result,
-                      trace: context.trace,
-                      span: context.span,
-                      request: gateway_request,
-                      actions: result.actions
-                    }
+                  if result.match? || !result.derivatives.empty?
+                    context.events.push(
+                      AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+                    )
+                  end
-                    Datadog::AppSec::ActionsHandler.handle(result.actions)
+                  if result.match?
+                    AppSec::Event.tag_and_keep!(context, result)
+                    AppSec::ActionsHandler.handle(result.actions)
                   end
                   stack.call(gateway_request.request)
@@ -68,17 +66,13 @@ module Datadog
                   result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
                   if result.match?
-                    Datadog::AppSec::Event.tag_and_keep!(context, result)
+                    AppSec::Event.tag_and_keep!(context, result)
-                    context.events << {
-                      waf_result: result,
-                      trace: context.trace,
-                      span: context.span,
-                      response: gateway_response,
-                      actions: result.actions
-                    }
+                    context.events.push(
+                      AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+                    )
-                    Datadog::AppSec::ActionsHandler.handle(result.actions)
+                    AppSec::ActionsHandler.handle(result.actions)
                   end
                   stack.call(gateway_response.response)
@@ -87,7 +81,7 @@ module Datadog
               def watch_request_body(gateway = Instrumentation.gateway)
                 gateway.watch('rack.request.body', :appsec) do |stack, gateway_request|
-                  context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
+                  context = gateway_request.env[AppSec::Ext::CONTEXT_KEY]
                   persistent_data = {
                     'server.request.body' => gateway_request.form_hash
@@ -96,17 +90,13 @@ module Datadog
                   result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
                   if result.match?
-                    Datadog::AppSec::Event.tag_and_keep!(context, result)
+                    AppSec::Event.tag_and_keep!(context, result)
-                    context.events << {
-                      waf_result: result,
-                      trace: context.trace,
-                      span: context.span,
-                      request: gateway_request,
-                      actions: result.actions
-                    }
+                    context.events.push(
+                      AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+                    )
-                    Datadog::AppSec::ActionsHandler.handle(result.actions)
+                    AppSec::ActionsHandler.handle(result.actions)
                   end
                   stack.call(gateway_request.request)

data/lib/datadog/appsec/contrib/rack/integration.rb CHANGED Viewed

@@ -19,7 +19,7 @@ module Datadog
           register_as :rack, auto_patch: false
           def self.version
-            Gem.loaded_specs['rack'] && Gem.loaded_specs['rack'].version
+            Gem.loaded_specs['rack']&.version
           end
           def self.loaded?