npm - dd-trace - Versions diffs - 4.47.1 → 4.49.0 - Mend

dd-trace 4.47.1 → 4.49.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/packages/dd-trace/src/appsec/rasp/command_injection.js ADDED Viewed

@@ -0,0 +1,49 @@
+'use strict'
+const { childProcessExecutionTracingChannel } = require('../channels')
+const { RULE_TYPES, handleResult } = require('./utils')
+const { storage } = require('../../../../datadog-core')
+const addresses = require('../addresses')
+const waf = require('../waf')
+let config
+function enable (_config) {
+  config = _config
+  childProcessExecutionTracingChannel.subscribe({
+    start: analyzeCommandInjection
+  })
+}
+function disable () {
+  if (childProcessExecutionTracingChannel.start.hasSubscribers) {
+    childProcessExecutionTracingChannel.unsubscribe({
+      start: analyzeCommandInjection
+    })
+  }
+}
+function analyzeCommandInjection ({ file, fileArgs, shell, abortController }) {
+  if (!file || !shell) return
+  const store = storage.getStore()
+  const req = store?.req
+  if (!req) return
+  const commandParams = fileArgs ? [file, ...fileArgs] : file
+  const persistent = {
+    [addresses.SHELL_COMMAND]: commandParams
+  }
+  const result = waf.run({ persistent }, req, RULE_TYPES.COMMAND_INJECTION)
+  const res = store?.res
+  handleResult(result, req, res, abortController, config)
+}
+module.exports = {
+  enable,
+  disable
+}

package/packages/dd-trace/src/appsec/rasp/fs-plugin.js ADDED Viewed

@@ -0,0 +1,99 @@
+'use strict'
+const Plugin = require('../../plugins/plugin')
+const { storage } = require('../../../../datadog-core')
+const log = require('../../log')
+const RASP_MODULE = 'rasp'
+const IAST_MODULE = 'iast'
+const enabledFor = {
+  [RASP_MODULE]: false,
+  [IAST_MODULE]: false
+}
+let fsPlugin
+function enterWith (fsProps, store = storage.getStore()) {
+  if (store && !store.fs?.opExcluded) {
+    storage.enterWith({
+      ...store,
+      fs: {
+        ...store.fs,
+        ...fsProps,
+        parentStore: store
+      }
+    })
+  }
+}
+class AppsecFsPlugin extends Plugin {
+  enable () {
+    this.addSub('apm:fs:operation:start', this._onFsOperationStart)
+    this.addSub('apm:fs:operation:finish', this._onFsOperationFinishOrRenderEnd)
+    this.addSub('tracing:datadog:express:response:render:start', this._onResponseRenderStart)
+    this.addSub('tracing:datadog:express:response:render:end', this._onFsOperationFinishOrRenderEnd)
+    super.configure(true)
+  }
+  disable () {
+    super.configure(false)
+  }
+  _onFsOperationStart () {
+    const store = storage.getStore()
+    if (store) {
+      enterWith({ root: store.fs?.root === undefined }, store)
+    }
+  }
+  _onResponseRenderStart () {
+    enterWith({ opExcluded: true })
+  }
+  _onFsOperationFinishOrRenderEnd () {
+    const store = storage.getStore()
+    if (store?.fs?.parentStore) {
+      storage.enterWith(store.fs.parentStore)
+    }
+  }
+}
+function enable (mod) {
+  if (enabledFor[mod] !== false) return
+  enabledFor[mod] = true
+  if (!fsPlugin) {
+    fsPlugin = new AppsecFsPlugin()
+    fsPlugin.enable()
+  }
+  log.info(`Enabled AppsecFsPlugin for ${mod}`)
+}
+function disable (mod) {
+  if (!mod || !enabledFor[mod]) return
+  enabledFor[mod] = false
+  const allDisabled = Object.values(enabledFor).every(val => val === false)
+  if (allDisabled) {
+    fsPlugin?.disable()
+    fsPlugin = undefined
+  }
+  log.info(`Disabled AppsecFsPlugin for ${mod}`)
+}
+module.exports = {
+  enable,
+  disable,
+  AppsecFsPlugin,
+  RASP_MODULE,
+  IAST_MODULE
+}

package/packages/dd-trace/src/appsec/rasp/index.js CHANGED Viewed

@@ -1,10 +1,12 @@
 'use strict'
 const web = require('../../plugins/util/web')
-const { setUncaughtExceptionCaptureCallbackStart } = require('../channels')
-const { block } = require('../blocking')
+const { setUncaughtExceptionCaptureCallbackStart, expressMiddlewareError } = require('../channels')
+const { block, isBlocked } = require('../blocking')
 const ssrf = require('./ssrf')
 const sqli = require('./sql_injection')
+const lfi = require('./lfi')
+const cmdi = require('./command_injection')
 const { DatadogRaspAbortError } = require('./utils')
@@ -30,17 +32,13 @@ function findDatadogRaspAbortError (err, deep = 10) {
     return err
   }
-  if (err.cause && deep > 0) {
+  if (err?.cause && deep > 0) {
     return findDatadogRaspAbortError(err.cause, deep - 1)
   }
 }
-function handleUncaughtExceptionMonitor (err) {
-  const abortError = findDatadogRaspAbortError(err)
-  if (!abortError) return
-  const { req, res, blockingAction } = abortError
-  block(req, res, web.root(req), null, blockingAction)
+function handleUncaughtExceptionMonitor (error) {
+  if (!blockOnDatadogRaspAbortError({ error })) return
   if (!process.hasUncaughtExceptionCaptureCallback()) {
     const cleanUp = removeAllListeners(process, 'uncaughtException')
@@ -82,22 +80,41 @@ function handleUncaughtExceptionMonitor (err) {
   }
 }
+function blockOnDatadogRaspAbortError ({ error }) {
+  const abortError = findDatadogRaspAbortError(error)
+  if (!abortError) return false
+  const { req, res, blockingAction } = abortError
+  if (!isBlocked(res)) {
+    block(req, res, web.root(req), null, blockingAction)
+  }
+  return true
+}
 function enable (config) {
   ssrf.enable(config)
   sqli.enable(config)
+  lfi.enable(config)
+  cmdi.enable(config)
   process.on('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
+  expressMiddlewareError.subscribe(blockOnDatadogRaspAbortError)
 }
 function disable () {
   ssrf.disable()
   sqli.disable()
+  lfi.disable()
+  cmdi.disable()
   process.off('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
+  if (expressMiddlewareError.hasSubscribers) expressMiddlewareError.unsubscribe(blockOnDatadogRaspAbortError)
 }
 module.exports = {
   enable,
   disable,
-  handleUncaughtExceptionMonitor // exported only for testing purpose
+  handleUncaughtExceptionMonitor, // exported only for testing purpose
+  blockOnDatadogRaspAbortError // exported only for testing purpose
 }

package/packages/dd-trace/src/appsec/rasp/lfi.js ADDED Viewed

@@ -0,0 +1,112 @@
+'use strict'
+const { fsOperationStart, incomingHttpRequestStart } = require('../channels')
+const { storage } = require('../../../../datadog-core')
+const { enable: enableFsPlugin, disable: disableFsPlugin, RASP_MODULE } = require('./fs-plugin')
+const { FS_OPERATION_PATH } = require('../addresses')
+const waf = require('../waf')
+const { RULE_TYPES, handleResult } = require('./utils')
+const { isAbsolute } = require('path')
+let config
+let enabled
+let analyzeSubscribed
+function enable (_config) {
+  config = _config
+  if (enabled) return
+  enabled = true
+  incomingHttpRequestStart.subscribe(onFirstReceivedRequest)
+}
+function disable () {
+  if (fsOperationStart.hasSubscribers) fsOperationStart.unsubscribe(analyzeLfi)
+  if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(onFirstReceivedRequest)
+  disableFsPlugin(RASP_MODULE)
+  enabled = false
+  analyzeSubscribed = false
+}
+function onFirstReceivedRequest () {
+  // nodejs unsubscribe during publish bug: https://github.com/nodejs/node/pull/55116
+  process.nextTick(() => {
+    incomingHttpRequestStart.unsubscribe(onFirstReceivedRequest)
+  })
+  enableFsPlugin(RASP_MODULE)
+  if (!analyzeSubscribed) {
+    fsOperationStart.subscribe(analyzeLfi)
+    analyzeSubscribed = true
+  }
+}
+function analyzeLfi (ctx) {
+  const store = storage.getStore()
+  if (!store) return
+  const { req, fs, res } = store
+  if (!req || !fs) return
+  getPaths(ctx, fs).forEach(path => {
+    const persistent = {
+      [FS_OPERATION_PATH]: path
+    }
+    const result = waf.run({ persistent }, req, RULE_TYPES.LFI)
+    handleResult(result, req, res, ctx.abortController, config)
+  })
+}
+function getPaths (ctx, fs) {
+  // these properties could have String, Buffer, URL, Integer or FileHandle types
+  const pathArguments = [
+    ctx.dest,
+    ctx.existingPath,
+    ctx.file,
+    ctx.newPath,
+    ctx.oldPath,
+    ctx.path,
+    ctx.prefix,
+    ctx.src,
+    ctx.target
+  ]
+  return pathArguments
+    .map(path => pathToStr(path))
+    .filter(path => shouldAnalyze(path, fs))
+}
+function pathToStr (path) {
+  if (!path) return
+  if (typeof path === 'string' ||
+      path instanceof String ||
+      path instanceof Buffer ||
+      path instanceof URL) {
+    return path.toString()
+  }
+}
+function shouldAnalyze (path, fs) {
+  if (!path) return
+  const notExcludedRootOp = !fs.opExcluded && fs.root
+  return notExcludedRootOp && (isAbsolute(path) || path.includes('../') || shouldAnalyzeURLFile(path, fs))
+}
+function shouldAnalyzeURLFile (path, fs) {
+  if (path.startsWith('file://')) {
+    return shouldAnalyze(path.substring(7), fs)
+  }
+}
+module.exports = {
+  enable,
+  disable
+}

package/packages/dd-trace/src/appsec/rasp/sql_injection.js CHANGED Viewed

@@ -1,12 +1,18 @@
 'use strict'
-const { pgQueryStart, pgPoolQueryStart, wafRunFinished } = require('../channels')
+const {
+  pgQueryStart,
+  pgPoolQueryStart,
+  wafRunFinished,
+  mysql2OuterQueryStart
+} = require('../channels')
 const { storage } = require('../../../../datadog-core')
 const addresses = require('../addresses')
 const waf = require('../waf')
 const { RULE_TYPES, handleResult } = require('./utils')
 const DB_SYSTEM_POSTGRES = 'postgresql'
+const DB_SYSTEM_MYSQL = 'mysql'
 const reqQueryMap = new WeakMap() // WeakMap<Request, Set<querytext>>
 let config
@@ -17,18 +23,32 @@ function enable (_config) {
   pgQueryStart.subscribe(analyzePgSqlInjection)
   pgPoolQueryStart.subscribe(analyzePgSqlInjection)
   wafRunFinished.subscribe(clearQuerySet)
+  mysql2OuterQueryStart.subscribe(analyzeMysql2SqlInjection)
 }
 function disable () {
   if (pgQueryStart.hasSubscribers) pgQueryStart.unsubscribe(analyzePgSqlInjection)
   if (pgPoolQueryStart.hasSubscribers) pgPoolQueryStart.unsubscribe(analyzePgSqlInjection)
   if (wafRunFinished.hasSubscribers) wafRunFinished.unsubscribe(clearQuerySet)
+  if (mysql2OuterQueryStart.hasSubscribers) mysql2OuterQueryStart.unsubscribe(analyzeMysql2SqlInjection)
+}
+function analyzeMysql2SqlInjection (ctx) {
+  const query = ctx.sql
+  if (!query) return
+  analyzeSqlInjection(query, DB_SYSTEM_MYSQL, ctx.abortController)
 }
 function analyzePgSqlInjection (ctx) {
   const query = ctx.query?.text
   if (!query) return
+  analyzeSqlInjection(query, DB_SYSTEM_POSTGRES, ctx.abortController)
+}
+function analyzeSqlInjection (query, dbSystem, abortController) {
   const store = storage.getStore()
   if (!store) return
@@ -39,7 +59,7 @@ function analyzePgSqlInjection (ctx) {
   let executedQueries = reqQueryMap.get(req)
   if (executedQueries?.has(query)) return
-  // Do not waste time executing same query twice
+  // Do not waste time checking same query twice
   // This also will prevent double calls in pg.Pool internal queries
   if (!executedQueries) {
     executedQueries = new Set()
@@ -49,12 +69,12 @@ function analyzePgSqlInjection (ctx) {
   const persistent = {
     [addresses.DB_STATEMENT]: query,
-    [addresses.DB_SYSTEM]: DB_SYSTEM_POSTGRES
+    [addresses.DB_SYSTEM]: dbSystem
   }
   const result = waf.run({ persistent }, req, RULE_TYPES.SQL_INJECTION)
-  handleResult(result, req, res, ctx.abortController, config)
+  handleResult(result, req, res, abortController, config)
 }
 function hasInputAddress (payload) {

package/packages/dd-trace/src/appsec/rasp/ssrf.js CHANGED Viewed

@@ -1,5 +1,6 @@
 'use strict'
+const { format } = require('url')
 const { httpClientRequestStart } = require('../channels')
 const { storage } = require('../../../../datadog-core')
 const addresses = require('../addresses')
@@ -20,12 +21,12 @@ function disable () {
 function analyzeSsrf (ctx) {
   const store = storage.getStore()
   const req = store?.req
-  const url = ctx.args.uri
+  const outgoingUrl = (ctx.args.options?.uri && format(ctx.args.options.uri)) ?? ctx.args.uri
-  if (!req || !url) return
+  if (!req || !outgoingUrl) return
   const persistent = {
-    [addresses.HTTP_OUTGOING_URL]: url
+    [addresses.HTTP_OUTGOING_URL]: outgoingUrl
   }
   const result = waf.run({ persistent }, req, RULE_TYPES.SSRF)

package/packages/dd-trace/src/appsec/rasp/utils.js CHANGED Viewed

@@ -12,8 +12,10 @@ if (abortOnUncaughtException) {
 }
 const RULE_TYPES = {
-  SSRF: 'ssrf',
-  SQL_INJECTION: 'sql_injection'
+  COMMAND_INJECTION: 'command_injection',
+  LFI: 'lfi',
+  SQL_INJECTION: 'sql_injection',
+  SSRF: 'ssrf'
 }
 class DatadogRaspAbortError extends Error {

package/packages/dd-trace/src/appsec/recommended.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.13.0"
+    "rules_version": "1.13.2"
   },
   "rules": [
     {
@@ -6239,7 +6239,6 @@
     {
       "id": "rasp-930-100",
       "name": "Local file inclusion exploit",
-      "enabled": false,
       "tags": {
         "type": "lfi",
         "category": "vulnerability_trigger",
@@ -6287,8 +6286,7 @@
     },
     {
       "id": "rasp-932-100",
-      "name": "Shell injection exploit",
-      "enabled": false,
+      "name": "Command injection exploit",
       "tags": {
         "type": "command_injection",
         "category": "vulnerability_trigger",
@@ -6337,7 +6335,6 @@
     {
       "id": "rasp-934-100",
       "name": "Server-side request forgery exploit",
-      "enabled": false,
       "tags": {
         "type": "ssrf",
         "category": "vulnerability_trigger",
@@ -6386,7 +6383,6 @@
     {
       "id": "rasp-942-100",
       "name": "SQL injection exploit",
-      "enabled": false,
       "tags": {
         "type": "sql_injection",
         "category": "vulnerability_trigger",
@@ -6426,7 +6422,7 @@
               }
             ]
           },
-          "operator": "sqli_detector"
+          "operator": "sqli_detector@v2"
         }
       ],
       "transformers": [],

package/packages/dd-trace/src/appsec/remote_config/capabilities.js CHANGED Viewed

@@ -18,6 +18,11 @@ module.exports = {
   APM_TRACING_CUSTOM_TAGS: 1n << 15n,
   APM_TRACING_ENABLED: 1n << 19n,
   ASM_RASP_SQLI: 1n << 21n,
+  ASM_RASP_LFI: 1n << 22n,
   ASM_RASP_SSRF: 1n << 23n,
-  APM_TRACING_SAMPLE_RULES: 1n << 29n
+  ASM_RASP_SHI: 1n << 24n,
+  APM_TRACING_SAMPLE_RULES: 1n << 29n,
+  ASM_ENDPOINT_FINGERPRINT: 1n << 32n,
+  ASM_NETWORK_FINGERPRINT: 1n << 34n,
+  ASM_HEADER_FINGERPRINT: 1n << 35n
 }

package/packages/dd-trace/src/appsec/remote_config/index.js CHANGED Viewed

@@ -75,10 +75,15 @@ function enableWafUpdate (appsecConfig) {
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_RULES, true)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_ENDPOINT_FINGERPRINT, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_NETWORK_FINGERPRINT, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_HEADER_FINGERPRINT, true)
     if (appsecConfig.rasp?.enabled) {
       rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
       rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
+      rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_LFI, true)
+      rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SHI, true)
     }
     // TODO: delete noop handlers and kPreUpdate and replace with batched handlers
@@ -103,9 +108,14 @@ function disableWafUpdate () {
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_RULES, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_TRUSTED_IPS, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_ENDPOINT_FINGERPRINT, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_NETWORK_FINGERPRINT, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_HEADER_FINGERPRINT, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_LFI, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SHI, false)
     rc.removeProductHandler('ASM_DATA')
     rc.removeProductHandler('ASM_DD')

package/packages/dd-trace/src/appsec/reporter.js CHANGED Viewed

@@ -13,8 +13,9 @@ const {
   getRequestMetrics
 } = require('./telemetry')
 const zlib = require('zlib')
-const { MANUAL_KEEP } = require('../../../../ext/tags')
 const standalone = require('./standalone')
+const { SAMPLING_MECHANISM_APPSEC } = require('../constants')
+const { keepTrace } = require('../priority_sampler')
 // default limiter, configurable with setRateLimit()
 let limiter = new Limiter(100)
@@ -96,8 +97,6 @@ function reportWafInit (wafVersion, rulesVersion, diagnosticsRules = {}) {
     metricsQueue.set('_dd.appsec.event_rules.errors', JSON.stringify(diagnosticsRules.errors))
   }
-  metricsQueue.set(MANUAL_KEEP, 'true')
   incrementWafInitMetric(wafVersion, rulesVersion)
 }
@@ -129,7 +128,7 @@ function reportAttack (attackData) {
   }
   if (limiter.isAllowed()) {
-    newTags[MANUAL_KEEP] = 'true'
+    keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
     standalone.sample(rootSpan)
   }
@@ -153,7 +152,11 @@ function reportAttack (attackData) {
   rootSpan.addTags(newTags)
 }
-function reportSchemas (derivatives) {
+function isFingerprintDerivative (derivative) {
+  return derivative.startsWith('_dd.appsec.fp')
+}
+function reportDerivatives (derivatives) {
   if (!derivatives) return
   const req = storage.getStore()?.req
@@ -162,9 +165,12 @@ function reportSchemas (derivatives) {
   if (!rootSpan) return
   const tags = {}
-  for (const [address, value] of Object.entries(derivatives)) {
-    const gzippedValue = zlib.gzipSync(JSON.stringify(value))
-    tags[address] = gzippedValue.toString('base64')
+  for (let [tag, value] of Object.entries(derivatives)) {
+    if (!isFingerprintDerivative(tag)) {
+      const gzippedValue = zlib.gzipSync(JSON.stringify(value))
+      value = gzippedValue.toString('base64')
+    }
+    tags[tag] = value
   }
   rootSpan.addTags(tags)
@@ -177,6 +183,8 @@ function finishRequest (req, res) {
   if (metricsQueue.size) {
     rootSpan.addTags(Object.fromEntries(metricsQueue))
+    keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
     standalone.sample(rootSpan)
     metricsQueue.clear()
@@ -248,7 +256,7 @@ module.exports = {
   reportMetrics,
   reportAttack,
   reportWafUpdate: incrementWafUpdatesMetric,
-  reportSchemas,
+  reportDerivatives,
   finishRequest,
   setRateLimit,
   mapHeaderAndTags

package/packages/dd-trace/src/appsec/sdk/track_event.js CHANGED Viewed

@@ -2,9 +2,11 @@
 const log = require('../../log')
 const { getRootSpan } = require('./utils')
-const { MANUAL_KEEP } = require('../../../../../ext/tags')
 const { setUserTags } = require('./set_user')
 const standalone = require('../standalone')
+const waf = require('../waf')
+const { SAMPLING_MECHANISM_APPSEC } = require('../../constants')
+const { keepTrace } = require('../../priority_sampler')
 function trackUserLoginSuccessEvent (tracer, user, metadata) {
   // TODO: better user check here and in _setUser() ?
@@ -54,9 +56,10 @@ function trackEvent (eventName, fields, sdkMethodName, rootSpan, mode) {
     return
   }
+  keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
   const tags = {
-    [`appsec.events.${eventName}.track`]: 'true',
-    [MANUAL_KEEP]: 'true'
+    [`appsec.events.${eventName}.track`]: 'true'
   }
   if (mode === 'sdk') {
@@ -76,6 +79,10 @@ function trackEvent (eventName, fields, sdkMethodName, rootSpan, mode) {
   rootSpan.addTags(tags)
   standalone.sample(rootSpan)
+  if (['users.login.success', 'users.login.failure'].includes(eventName)) {
+    waf.run({ persistent: { [`server.business_logic.${eventName}`]: null } })
+  }
 }
 module.exports = {

package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js CHANGED Viewed

@@ -93,7 +93,7 @@ class WAFContextWrapper {
         Reporter.reportAttack(JSON.stringify(result.events))
       }
-      Reporter.reportSchemas(result.derivatives)
+      Reporter.reportDerivatives(result.derivatives)
       if (wafRunFinished.hasSubscribers) {
         wafRunFinished.publish({ payload })

package/packages/dd-trace/src/appsec/waf/waf_manager.js CHANGED Viewed

@@ -51,6 +51,10 @@ class WAFManager {
   update (newRules) {
     this.ddwaf.update(newRules)
+    if (this.ddwaf.diagnostics.ruleset_version) {
+      this.rulesVersion = this.ddwaf.diagnostics.ruleset_version
+    }
     Reporter.reportWafUpdate(this.ddwafVersion, this.rulesVersion)
   }