dd-trace 5.51.0 → 5.53.0

package/packages/datadog-shimmer/src/shimmer.js

@@ -1,12 +1,24 @@
 'use strict'
 
+/**
+ * @type {Set<string | symbol>}
+ */
 const skipMethods = new Set([
   'caller',
   'arguments',
   'name',
   'length'
 ])
+const skipMethodSize = skipMethods.size
 
+const nonConfigurableModuleExports = new WeakMap()
+
+/**
+ * Copies properties from the original function to the wrapped function.
+ *
+ * @param {Function} original - The original function.
+ * @param {Function} wrapped - The wrapped function.
+ */
 function copyProperties (original, wrapped) {
   if (original.constructor !== wrapped.constructor) {
     const proto = Object.getPrototypeOf(original)
@@ -23,7 +35,7 @@ function copyProperties (original, wrapped) {
   if (ownKeys.length !== 2) {
     for (const key of ownKeys) {
       if (skipMethods.has(key)) continue
-      const descriptor = Object.getOwnPropertyDescriptor(original, key)
+      const descriptor = /** @type {PropertyDescriptor} */ (Object.getOwnPropertyDescriptor(original, key))
       if (descriptor.writable && descriptor.enumerable && descriptor.configurable) {
         wrapped[key] = original[key]
       } else if (descriptor.writable || descriptor.configurable || !Object.hasOwn(wrapped, key)) {
@@ -33,6 +45,33 @@ function copyProperties (original, wrapped) {
   }
 }
 
+/**
+ * Copies properties from the original object to the wrapped object, skipping a specific key.
+ *
+ * @param {Record<string | symbol, unknown>} original - The original object.
+ * @param {Record<string | symbol, unknown>} wrapped - The wrapped object.
+ * @param {string | symbol} skipKey - The key to skip during copying.
+ */
+function copyObjectProperties (original, wrapped, skipKey) {
+  const ownKeys = Reflect.ownKeys(original)
+  for (const key of ownKeys) {
+    if (key === skipKey) continue
+    const descriptor = /** @type {PropertyDescriptor} */ (Object.getOwnPropertyDescriptor(original, key))
+    if (descriptor.writable && descriptor.enumerable && descriptor.configurable) {
+      wrapped[key] = original[key]
+    } else if (descriptor.writable || descriptor.configurable || !Object.hasOwn(wrapped, key)) {
+      Object.defineProperty(wrapped, key, descriptor)
+    }
+  }
+}
+
+/**
+ * Wraps a function with a wrapper function.
+ *
+ * @param {Function} original - The original function to wrap.
+ * @param {(original: Function) => Function} wrapper - The wrapper function.
+ * @returns {Function} The wrapped function.
+ */
 function wrapFunction (original, wrapper) {
   const wrapped = wrapper(original)
 
@@ -44,28 +83,55 @@ function wrapFunction (original, wrapper) {
   return wrapped
 }
 
-function wrap (target, name, wrapper) {
-  assertMethod(target, name)
+/**
+ * Wraps a method of an object with a wrapper function.
+ *
+ * @param {Record<string | symbol, unknown> | Function} target - The target
+ * object.
+ * @param {string | symbol} name - The property key of the method to wrap.
+ * @param {(original: Function) => (...args) => any} wrapper - The wrapper function.
+ * @param {{ replaceGetter?: boolean }} [options] - If `replaceGetter` is set to
+ * true, the getter is accessed and the getter is replaced with one that just
+ * returns the earlier retrieved value. Use with care! This may only be done in
+ * case the getter absolutely has no side effect and no setter is defined for the
+ * property.
+ * @returns {Record<string | symbol, unknown> | Function} The target object with
+ * the wrapped method.
+ */
+function wrap (target, name, wrapper, options) {
   if (typeof wrapper !== 'function') {
     throw new Error(wrapper ? 'Target is not a function' : 'No function provided')
   }
 
-  const original = target[name]
-  const wrapped = wrapper(original)
+  // No descriptor means original was on the prototype. This is not totally
+  // safe, since we define the property on the target. That could have an impact
+  // in case e.g., the own keys are checks.
+  const descriptor = Object.getOwnPropertyDescriptor(target, name) ?? {
+    value: target[name],
+    writable: true,
+    configurable: true,
+    enumerable: false
+  }
+
+  if (descriptor.set && (!descriptor.get || options?.replaceGetter)) {
+    // It is possible to support these cases by instrumenting both the getter
+    // and setter (or only the setter, in case that is a use case).
+    // For now, this is not supported due to the complexity and the fact that
+    // this is not a common use case.
+    throw new Error(options?.replaceGetter
+      ? 'Replacing a getter/setter pair is not supported. Implement if required.'
+      : 'Replacing setters is not supported. Implement if required.')
+  }
 
-  if (typeof original === 'function') copyProperties(original, wrapped)
+  const original = descriptor.value ?? options?.replaceGetter ? target[name] : descriptor.get
 
-  let descriptor = Object.getOwnPropertyDescriptor(target, name)
+  assertMethod(target, name, original)
 
-  // No descriptor means original was on the prototype
-  if (descriptor === undefined) {
-    descriptor = {
-      value: wrapped,
-      writable: true,
-      configurable: true,
-      enumerable: false
-    }
-  } else if (descriptor.writable) {
+  const wrapped = wrapper(original)
+
+  copyProperties(original, wrapped)
+
+  if (descriptor.writable) {
     // Fast path for assigned properties.
     if (descriptor.configurable && descriptor.enumerable) {
       target[name] = wrapped
@@ -73,25 +139,58 @@ function wrap (target, name, wrapper) {
     }
     descriptor.value = wrapped
   } else {
-    if (descriptor.get || descriptor.set) {
-      // TODO(BridgeAR): What happens in case there is a setter? This seems wrong?
-      // What happens in case the user does indeed set this to a different value?
-      // In that case the getter would potentially return the wrong value?
-      descriptor.get = () => wrapped
+    if (descriptor.get) {
+      // `replaceGetter` may only be used when the getter has no side effect.
+      if (options?.replaceGetter) {
+        descriptor.get = () => wrapped
+      } else {
+        descriptor.get = wrapped
+      }
     } else {
       descriptor.value = wrapped
     }
 
     if (descriptor.configurable === false) {
-      // TODO(BridgeAR): Bail out instead (throw). It is unclear if the newly
-      // created object is actually used. If it's not used, the wrapping would
-      // have had no effect without noticing. It is also unclear what would happen
-      // in case user code would check for properties to be own properties. That
-      // would fail with this code. A function being replaced with an object is
-      // also not possible.
-      return Object.create(target, {
-        [name]: descriptor
-      })
+      // TODO(BridgeAR): This currently only works on the most outer part. The
+      // moduleExports object.
+      //
+      // It would be possible to also implement it for non moduleExports objects
+      // by passing through the moduleExports object and the property names that
+      // are accessed. That way it would be possible to redefine the complete
+      // property chain. Example:
+      //
+      // shimmer.wrap(hapi.Server.prototype, 'start', wrapStart)
+      // shimmer.wrap(hapi.Server.prototype, 'ext', wrapExt)
+      //
+      // shimmer.wrap(hapi, 'Server', 'prototype', 'start', wrapStart)
+      // shimmer.wrap(hapi, 'Server', 'prototype', 'ext', wrapExt)
+      //
+      // That would however still not resolve the issue about the user replacing
+      // the return value so that the hook picks up the new hapi moduleExports
+      // object. To safely fix that, we would have to couple the register helper
+      // with this code. That way it would be possible to directly pass through
+      // the entries.
+
+      // In case more than a single property is not configurable and writable,
+      // Just reuse the already created object.
+      let moduleExports = nonConfigurableModuleExports.get(target)
+      if (!moduleExports) {
+        if (typeof target === 'function') {
+          const original = target
+          moduleExports = function (...args) { return original.apply(original, args) }
+          // This is a rare case. Accept the slight performance hit.
+          skipMethods.add(name)
+          copyProperties(target, moduleExports)
+          if (skipMethods.size === skipMethodSize + 1) {
+            skipMethods.delete(name)
+          }
+        } else {
+          moduleExports = Object.create(target)
+          copyObjectProperties(target, moduleExports, name)
+        }
+        nonConfigurableModuleExports.set(target, moduleExports)
+      }
+      target = moduleExports
     }
   }
 
@@ -100,6 +199,16 @@ function wrap (target, name, wrapper) {
   return target
 }
 
+/**
+ * Wraps multiple methods and or multiple objects with a wrapper function.
+ * May also receive a single method or object or a single method name.
+ *
+ * @param {Array<Record<string | symbol, unknown> | Function> |
+ *         Record<string | symbol, unknown> |
+ *         Function} targets - The target objects.
+ * @param {Array<string | symbol> | string | symbol} names - The property keys of the methods to wrap.
+ * @param {(original: Function) => (...args) => any} wrapper - The wrapper function.
+ */
 function massWrap (targets, names, wrapper) {
   targets = toArray(targets)
   names = toArray(names)
@@ -111,19 +220,35 @@ function massWrap (targets, names, wrapper) {
   }
 }
 
+/**
+ * Converts a value to an array if it is not already an array.
+ *
+ * @template T
+ * @param {T | T[]} maybeArray - The value to convert.
+ * @returns {T[]} The value as an array.
+ */
 function toArray (maybeArray) {
   return Array.isArray(maybeArray) ? maybeArray : [maybeArray]
 }
 
-function assertMethod (target, name) {
-  if (typeof target?.[name] !== 'function') {
+/**
+ * Asserts that a method is a function.
+ *
+ * @param {Record<string | symbol, unknown> | Function} target - The target object.
+ * @param {string | symbol} name - The property key of the method.
+ * @param {unknown} method - The method to assert.
+ * @throws {Error} If the method is not a function.
+ */
+function assertMethod (target, name, method) {
+  if (typeof method !== 'function') {
     let message = 'No target object provided'
 
     if (target) {
       if (typeof target !== 'object' && typeof target !== 'function') {
         message = 'Invalid target'
       } else {
-        message = target[name] ? `Original method ${name} is not a function` : `No original method ${name}`
+        name = String(name)
+        message = method ? `Original method ${name} is not a function` : `No original method ${name}`
       }
     }
 
@@ -131,6 +256,12 @@ function assertMethod (target, name) {
   }
 }
 
+/**
+ * Asserts that a target is not a class constructor.
+ *
+ * @param {Function} target - The target function.
+ * @throws {Error} If the target is a class constructor.
+ */
 function assertNotClass (target) {
   if (Function.prototype.toString.call(target).startsWith('class')) {
     throw new Error('Target is a native class constructor and cannot be wrapped.')

package/packages/dd-trace/src/appsec/api_security_sampler.js

@@ -4,10 +4,13 @@ const TTLCache = require('@isaacs/ttlcache')
 const web = require('../plugins/util/web')
 const log = require('../log')
 const { AUTO_REJECT, USER_REJECT } = require('../../../../ext/priority')
+const { keepTrace } = require('../priority_sampler')
+const { ASM } = require('../standalone/product')
 
 const MAX_SIZE = 4096
 
 let enabled
+let asmStandaloneEnabled
 
 /**
  * @type {TTLCache}
@@ -20,11 +23,12 @@ class NoopTTLCache {
   has (_key) { return false }
 }
 
-function configure ({ apiSecurity }) {
-  enabled = apiSecurity.enabled
-  sampledRequests = apiSecurity.sampleDelay === 0
+function configure ({ appsec, apmTracingEnabled }) {
+  enabled = appsec.apiSecurity.enabled
+  asmStandaloneEnabled = apmTracingEnabled === false
+  sampledRequests = appsec.apiSecurity.sampleDelay === 0
     ? new NoopTTLCache()
-    : new TTLCache({ max: MAX_SIZE, ttl: apiSecurity.sampleDelay * 1000 })
+    : new TTLCache({ max: MAX_SIZE, ttl: appsec.apiSecurity.sampleDelay * 1000 })
 }
 
 function disable () {
@@ -41,14 +45,18 @@ function sampleRequest (req, res, force = false) {
   const rootSpan = web.root(req)
   if (!rootSpan) return false
 
-  let priority = getSpanPriority(rootSpan)
-  if (!priority) {
-    rootSpan._prioritySampler?.sample(rootSpan)
-    priority = getSpanPriority(rootSpan)
-  }
-
-  if (priority === AUTO_REJECT || priority === USER_REJECT) {
-    return false
+  if (asmStandaloneEnabled) {
+    keepTrace(rootSpan, ASM)
+  } else {
+    let priority = getSpanPriority(rootSpan)
+    if (!priority) {
+      rootSpan._prioritySampler?.sample(rootSpan)
+      priority = getSpanPriority(rootSpan)
+    }
+
+    if (priority === AUTO_REJECT || priority === USER_REJECT) {
+      return false
+    }
   }
 
   if (force) {

package/packages/dd-trace/src/appsec/graphql.js

@@ -38,8 +38,8 @@ function onGraphqlStartResolve ({ context, resolverInfo }) {
 
   if (!resolverInfo || typeof resolverInfo !== 'object') return
 
-  const actions = waf.run({ ephemeral: { [addresses.HTTP_INCOMING_GRAPHQL_RESOLVER]: resolverInfo } }, req)
-  const blockingAction = getBlockingAction(actions)
+  const result = waf.run({ ephemeral: { [addresses.HTTP_INCOMING_GRAPHQL_RESOLVER]: resolverInfo } }, req)
+  const blockingAction = getBlockingAction(result?.actions)
   if (blockingAction) {
     const requestData = graphqlRequestData.get(req)
     if (requestData?.isInGraphqlRequest) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js

@@ -19,9 +19,11 @@ let config
 const hardcodedSecretCh = dc.channel('datadog:secrets:result')
 let rewriter
 let unwrapCompile = () => {}
-let getPrepareStackTrace, cacheRewrittenSourceMap
+let getPrepareStackTrace
+let cacheRewrittenSourceMap
 let kSymbolPrepareStackTrace
-let esmRewriterEnabled = false
+
+function noop () {}
 
 function isFlagPresent (flag) {
   return process.env.NODE_OPTIONS?.includes(flag) ||
@@ -155,7 +157,7 @@ function shimPrepareStackTrace () {
     return
   }
   const pstDescriptor = Object.getOwnPropertyDescriptor(global.Error, 'prepareStackTrace')
-  if (!pstDescriptor || pstDescriptor.configurable) {
+  if (pstDescriptor?.configurable || pstDescriptor?.writable) {
     Object.defineProperty(global.Error, 'prepareStackTrace', getPrepareStackTraceAccessor())
   }
   shimmedPrepareStackTrace = true
@@ -181,16 +183,17 @@ function isEsmConfigured () {
   const hasLoaderArg = isFlagPresent('--loader') || isFlagPresent('--experimental-loader')
   if (hasLoaderArg) return true
 
-  const initializeLoaded = Object.keys(require.cache).find(file => file.includes('import-in-the-middle/hook.js'))
-  return !!initializeLoaded
+  // Fast path for common case when enabled
+  if (require.cache[`${process.cwd()}/node_modules/import-in-the-middle/hook.js`]) {
+    return true
+  }
+  return Object.keys(require.cache).some(file => file.endsWith('import-in-the-middle/hook.js'))
 }
 
-function enableEsmRewriter (telemetryVerbosity) {
-  if (isMainThread && Module.register && !esmRewriterEnabled && isEsmConfigured()) {
+let enableEsmRewriter = function (telemetryVerbosity) {
+  if (isMainThread && Module.register && isEsmConfigured()) {
     shimPrepareStackTrace()
 
-    esmRewriterEnabled = true
-
     const { port1, port2 } = new MessageChannel()
 
     port1.on('message', (message) => {
@@ -229,6 +232,8 @@ function enableEsmRewriter (telemetryVerbosity) {
     }
 
     cacheRewrittenSourceMap = require('@datadog/wasm-js-rewriter/js/source-map').cacheRewrittenSourceMap
+
+    enableEsmRewriter = noop
   }
 }
 

package/packages/dd-trace/src/appsec/index.js

@@ -34,6 +34,7 @@ const UserTracking = require('./user_tracking')
 const { storage } = require('../../../datadog-core')
 const graphql = require('./graphql')
 const rasp = require('./rasp')
+const { isInServerlessEnvironment } = require('../serverless')
 
 const responseAnalyzedSet = new WeakSet()
 
@@ -59,7 +60,7 @@ function enable (_config) {
 
     Reporter.setRateLimit(_config.appsec.rateLimit)
 
-    apiSecuritySampler.configure(_config.appsec)
+    apiSecuritySampler.configure(_config)
 
     UserTracking.setCollectionMode(_config.appsec.eventTracking.mode, false)
 
@@ -83,7 +84,9 @@ function enable (_config) {
     isEnabled = true
     config = _config
   } catch (err) {
-    log.error('[ASM] Unable to start AppSec', err)
+    if (!isInServerlessEnvironment()) {
+      log.error('[ASM] Unable to start AppSec', err)
+    }
 
     disable()
   }
@@ -106,7 +109,7 @@ function onRequestBodyParsed ({ req, res, body, abortController }) {
     }
   }, req)
 
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function onRequestCookieParser ({ req, res, abortController, cookies }) {
@@ -121,7 +124,7 @@ function onRequestCookieParser ({ req, res, abortController, cookies }) {
     }
   }, req)
 
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function incomingHttpStartTranslator ({ req, res, abortController }) {
@@ -149,9 +152,9 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
     persistent[addresses.HTTP_CLIENT_IP] = clientIp
   }
 
-  const actions = waf.run({ persistent }, req)
+  const results = waf.run({ persistent }, req)
 
-  handleResults(actions, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function incomingHttpEndTranslator ({ req, res }) {
@@ -198,7 +201,7 @@ function onPassportVerify ({ framework, login, user, success, abortController })
 
   const results = UserTracking.trackLogin(framework, login, user, success, rootSpan)
 
-  handleResults(results, store.req, store.req.res, rootSpan, abortController)
+  handleResults(results?.actions, store.req, store.req.res, rootSpan, abortController)
 }
 
 function onPassportDeserializeUser ({ user, abortController }) {
@@ -212,7 +215,7 @@ function onPassportDeserializeUser ({ user, abortController }) {
 
   const results = UserTracking.trackUser(user, rootSpan)
 
-  handleResults(results, store.req, store.req.res, rootSpan, abortController)
+  handleResults(results?.actions, store.req, store.req.res, rootSpan, abortController)
 }
 
 function onExpressSession ({ req, res, sessionId, abortController }) {
@@ -231,7 +234,7 @@ function onExpressSession ({ req, res, sessionId, abortController }) {
     }
   }, req)
 
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function onRequestQueryParsed ({ req, res, query, abortController }) {
@@ -251,7 +254,7 @@ function onRequestQueryParsed ({ req, res, query, abortController }) {
     }
   }, req)
 
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function onRequestProcessParams ({ req, res, abortController, params }) {
@@ -266,7 +269,7 @@ function onRequestProcessParams ({ req, res, abortController, params }) {
     }
   }, req)
 
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function onResponseBody ({ req, res, body }) {
@@ -308,7 +311,7 @@ function onResponseWriteHead ({ req, res, abortController, statusCode, responseH
 
   responseAnalyzedSet.add(res)
 
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function onResponseSetHeader ({ res, abortController }) {

package/packages/dd-trace/src/appsec/rasp/index.js

@@ -85,10 +85,12 @@ function blockOnDatadogRaspAbortError ({ error }) {
   const abortError = findDatadogRaspAbortError(error)
   if (!abortError) return false
 
-  const { req, res, blockingAction, raspRule } = abortError
+  const { req, res, blockingAction, raspRule, ruleTriggered } = abortError
   if (!isBlocked(res)) {
     const blocked = block(req, res, web.root(req), null, blockingAction)
-    updateRaspRuleMatchMetricTags(req, raspRule, true, blocked)
+    if (ruleTriggered) {
+      updateRaspRuleMatchMetricTags(req, raspRule, true, blocked)
+    }
   }
 
   return true

package/packages/dd-trace/src/appsec/rasp/utils.js

@@ -20,23 +20,26 @@ const RULE_TYPES = {
 }
 
 class DatadogRaspAbortError extends Error {
-  constructor (req, res, blockingAction, raspRule) {
+  constructor (req, res, blockingAction, raspRule, ruleTriggered) {
     super('DatadogRaspAbortError')
     this.name = 'DatadogRaspAbortError'
     this.req = req
     this.res = res
     this.blockingAction = blockingAction
     this.raspRule = raspRule
+    this.ruleTriggered = ruleTriggered
   }
 }
 
-function handleResult (actions, req, res, abortController, config, raspRule) {
-  const generateStackTraceAction = actions?.generate_stack
+function handleResult (result, req, res, abortController, config, raspRule) {
+  const generateStackTraceAction = result?.actions?.generate_stack
 
   const { enabled, maxDepth, maxStackTraces } = config.appsec.stackTrace
 
   const rootSpan = web.root(req)
 
+  const ruleTriggered = !!result?.events?.length
+
   if (generateStackTraceAction && enabled && canReportStackTrace(rootSpan, maxStackTraces)) {
     const frames = getCallsiteFrames(maxDepth)
 
@@ -48,11 +51,11 @@ function handleResult (actions, req, res, abortController, config, raspRule) {
   }
 
   if (abortController && !abortOnUncaughtException) {
-    const blockingAction = getBlockingAction(actions)
+    const blockingAction = getBlockingAction(result?.actions)
 
     // Should block only in express
     if (blockingAction && rootSpan?.context()._name === 'express.request') {
-      const abortError = new DatadogRaspAbortError(req, res, blockingAction, raspRule)
+      const abortError = new DatadogRaspAbortError(req, res, blockingAction, raspRule, ruleTriggered)
       abortController.abort(abortError)
 
       // TODO Delete this when support for node 16 is removed
@@ -64,7 +67,9 @@ function handleResult (actions, req, res, abortController, config, raspRule) {
     }
   }
 
-  updateRaspRuleMatchMetricTags(req, raspRule, false, false)
+  if (ruleTriggered) {
+    updateRaspRuleMatchMetricTags(req, raspRule, false, false)
+  }
 }
 
 module.exports = {

package/packages/dd-trace/src/appsec/sdk/user_blocking.js

@@ -9,8 +9,8 @@ const { setUserTags } = require('./set_user')
 const log = require('../../log')
 
 function isUserBlocked (user) {
-  const actions = waf.run({ persistent: { [USER_ID]: user.id } })
-  return !!getBlockingAction(actions)
+  const results = waf.run({ persistent: { [USER_ID]: user.id } })
+  return !!getBlockingAction(results?.actions)
 }
 
 function checkUserAndSetUser (tracer, user) {

package/packages/dd-trace/src/appsec/telemetry/index.js

@@ -41,8 +41,7 @@ function newStore () {
       wafErrorCode: null,
       raspErrorCode: null,
       wafVersion: null,
-      rulesVersion: null,
-      ruleTriggered: null
+      rulesVersion: null
     }
   }
 }

package/packages/dd-trace/src/appsec/telemetry/rasp.js

@@ -49,10 +49,6 @@ function trackRaspMetrics (store, metrics, raspRule) {
     telemetryMetrics.rulesVersion = metrics.rulesVersion
   }
 
-  if (metrics.ruleTriggered) {
-    telemetryMetrics.ruleTriggered = true
-  }
-
   appsecMetrics.count('rasp.rule.eval', tags).inc(1)
 
   if (metrics.errorCode) {
@@ -68,7 +64,6 @@ function trackRaspMetrics (store, metrics, raspRule) {
 
 function trackRaspRuleMatch (store, raspRule, blockTriggered, blocked) {
   const telemetryMetrics = store[DD_TELEMETRY_REQUEST_METRICS]
-  if (!telemetryMetrics.ruleTriggered) return
 
   const tags = {
     waf_version: telemetryMetrics.wafVersion,
@@ -82,10 +77,6 @@ function trackRaspRuleMatch (store, raspRule, blockTriggered, blocked) {
   }
 
   appsecMetrics.count('rasp.rule.match', tags).inc(1)
-
-  // this is needed to not count it twice for the same match
-  // but it also means it can only be called once per waf call even if there are multiple rasp match
-  telemetryMetrics.ruleTriggered = null
 }
 
 function trackRaspRuleSkipped (raspRule, reason) {

package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js

@@ -19,7 +19,7 @@ class WAFContextWrapper {
     this.rulesVersion = rulesVersion
     this.knownAddresses = knownAddresses
     this.addressesToSkip = new Set()
-    this.cachedUserIdActions = new Map()
+    this.cachedUserIdResults = new Map()
   }
 
   run ({ persistent, ephemeral }, raspRule) {
@@ -36,9 +36,9 @@ class WAFContextWrapper {
     // TODO: make this universal
     const userId = persistent?.[addresses.USER_ID] || ephemeral?.[addresses.USER_ID]
     if (userId) {
-      const cachedAction = this.cachedUserIdActions.get(userId)
-      if (cachedAction) {
-        return cachedAction
+      const cachedResults = this.cachedUserIdResults.get(userId)
+      if (cachedResults) {
+        return cachedResults
       }
     }
 
@@ -142,7 +142,7 @@ class WAFContextWrapper {
 
       Reporter.reportDerivatives(result.derivatives)
 
-      return result.actions
+      return result
     } catch (err) {
       log.error('[ASM] Error while running the AppSec WAF', err)
 
@@ -168,7 +168,7 @@ class WAFContextWrapper {
           const parameter = match.parameters[k]
 
           if (parameter?.address === addresses.USER_ID) {
-            this.cachedUserIdActions.set(userId, result.actions)
+            this.cachedUserIdResults.set(userId, result)
             return
           }
         }