npm - dd-trace - Versions diffs - 5.57.1 → 5.58.0 - Mend

dd-trace 5.57.1 → 5.58.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

package/packages/datadog-plugin-oracledb/src/index.js CHANGED Viewed

@@ -2,17 +2,25 @@
 const { CLIENT_PORT_KEY } = require('../../dd-trace/src/constants')
 const DatabasePlugin = require('../../dd-trace/src/plugins/database')
-const log = require('../../dd-trace/src/log')
+let parser
 class OracledbPlugin extends DatabasePlugin {
   static get id () { return 'oracledb' }
   static get system () { return 'oracle' }
   static get peerServicePrecursors () { return ['db.instance', 'db.hostname'] }
-  start ({ query, connAttrs }) {
+  start ({ query, connAttrs, port, hostname, dbInstance }) {
     const service = this.serviceName({ pluginConfig: this.config, params: connAttrs })
-    // Users can pass either connectString or connectionString
-    const url = getUrl(connAttrs.connectString || connAttrs.connectionString)
+    if (hostname === undefined) {
+      // Lazy load for performance. This is not needed in v6 and up
+      parser ??= require('./connection-parser')
+      const dbInfo = parser(connAttrs)
+      hostname = dbInfo.hostname
+      port ??= dbInfo.port
+      dbInstance ??= dbInfo.dbInstance
+    }
     this.startSpan(this.operationName(), {
       service,
@@ -21,22 +29,12 @@ class OracledbPlugin extends DatabasePlugin {
       kind: 'client',
       meta: {
         'db.user': this.config.user,
-        'db.instance': url.pathname && url.pathname.slice(1),
-        'db.hostname': url.hostname,
-        [CLIENT_PORT_KEY]: url.port
+        'db.instance': dbInstance,
+        'db.hostname': hostname,
+        [CLIENT_PORT_KEY]: port,
       }
     })
   }
 }
-// TODO: Avoid creating an error since it's a heavy operation.
-function getUrl (connectString) {
-  try {
-    return new URL(`http://${connectString}`)
-  } catch (e) {
-    log.error('Invalid oracle connection string', e)
-    return {}
-  }
-}
 module.exports = OracledbPlugin

package/packages/datadog-plugin-tedious/src/index.js CHANGED Viewed

@@ -8,27 +8,28 @@ class TediousPlugin extends DatabasePlugin {
   static get operation () { return 'request' } // TODO: change to match other database plugins
   static get system () { return 'mssql' }
-  start (payload) {
+  bindStart (ctx) {
     const service = this.serviceName({ pluginConfig: this.config, system: this.system })
     const span = this.startSpan(this.operationName(), {
       service,
-      resource: payload.queryOrProcedure,
+      resource: ctx.queryOrProcedure,
       type: 'sql',
       kind: 'client',
       meta: {
         'db.type': 'mssql',
         component: 'tedious',
-        'out.host': payload.connectionConfig.server,
-        [CLIENT_PORT_KEY]: payload.connectionConfig.options.port,
-        'db.user': payload.connectionConfig.userName || payload.connectionConfig.authentication.options.userName,
-        'db.name': payload.connectionConfig.options.database,
-        'db.instance': payload.connectionConfig.options.instanceName
+        'out.host': ctx.connectionConfig.server,
+        [CLIENT_PORT_KEY]: ctx.connectionConfig.options.port,
+        'db.user': ctx.connectionConfig.userName || ctx.connectionConfig.authentication.options.userName,
+        'db.name': ctx.connectionConfig.options.database,
+        'db.instance': ctx.connectionConfig.options.instanceName
       }
-    })
+    }, ctx)
     // SQL Server includes comments when caching queries
     // For that reason we allow service mode but not full mode
-    payload.sql = this.injectDbmQuery(span, payload.queryOrProcedure, service, true)
+    ctx.sql = this.injectDbmQuery(span, ctx.queryOrProcedure, service, true)
+    return ctx.currentStore
   }
 }

package/packages/dd-trace/src/appsec/iast/analyzers/injection-analyzer.js CHANGED Viewed

@@ -7,7 +7,7 @@ class InjectionAnalyzer extends Analyzer {
   _isVulnerable (value, iastContext) {
     let ranges = value && getRanges(iastContext, value)
     if (ranges?.length > 0) {
-      ranges = this._filterSecureRanges(ranges)
+      ranges = this._filterSecureRanges(ranges, value)
       if (!ranges?.length) {
         this._incrementSuppressedMetric(iastContext)
       }
@@ -27,11 +27,13 @@ class InjectionAnalyzer extends Analyzer {
     return ranges?.some(range => range.iinfo.type !== SQL_ROW_VALUE)
   }
-  _filterSecureRanges (ranges) {
-    return ranges?.filter(range => !this._isRangeSecure(range))
+  _filterSecureRanges (ranges, value) {
+    return ranges?.filter(range => !this._isRangeSecure(range, value))
   }
-  _isRangeSecure (range) {
+  _isRangeSecure (range, _value) {
+    // _value is not necessary in this method, but could be used in overridden methods
+    // added here for visibility
     const { secureMarks } = range
     return (secureMarks & this._secureMark) === this._secureMark
   }

package/packages/dd-trace/src/appsec/iast/analyzers/ssrf-analyzer.js CHANGED Viewed

@@ -23,6 +23,15 @@ class SSRFAnalyzer extends InjectionAnalyzer {
       }
     })
   }
+  _isRangeSecure (range, value) {
+    const fragmentIndex = value.indexOf('#')
+    if (fragmentIndex !== -1 && range.start >= fragmentIndex) {
+      return true
+    }
+    return super._isRangeSecure(range, value)
+  }
 }
 module.exports = new SSRFAnalyzer()

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations-taint-object.js CHANGED Viewed

@@ -28,7 +28,10 @@ function taintObject (iastContext, object, type) {
           } else {
             result = tainted
           }
-        } else if (typeof value === 'object' && !visited.has(value)) {
+        } else if (
+          // eslint-disable-next-line eslint-rules/eslint-safe-typeof-object
+          typeof value === 'object' && !visited.has(value)
+        ) {
           visited.add(value)
           for (const key of Object.keys(value)) {
@@ -69,7 +72,7 @@ function traverseAndTaint (node, path, cache, transactionId) {
     return tainted
   }
-  if (typeof node === 'object') {
+  if (typeof node === 'object') { // eslint-disable-line eslint-rules/eslint-safe-typeof-object
     const keys = Array.isArray(node) ? node.keys() : Object.keys(node)
     for (const key of keys) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js CHANGED Viewed

@@ -45,6 +45,7 @@ class VulnerabilityFormatter {
     if (evidence.value == null) return { valueParts }
+    // eslint-disable-next-line eslint-rules/eslint-safe-typeof-object
     if (typeof evidence.value === 'object' && evidence.rangesToApply) {
       const { value, ranges } = stringifyWithRanges(evidence.value, evidence.rangesToApply)
       evidence.value = value

package/packages/dd-trace/src/appsec/reporter.js CHANGED Viewed

@@ -1,5 +1,8 @@
 'use strict'
+const dc = require('dc-polyfill')
+const zlib = require('zlib')
 const Limiter = require('../rate_limiter')
 const { storage } = require('../../../datadog-core')
 const web = require('../plugins/util/web')
@@ -7,6 +10,7 @@ const { ipHeaderList } = require('../plugins/util/ip_extractor')
 const {
   incrementWafInitMetric,
   incrementWafUpdatesMetric,
+  incrementWafConfigErrorsMetric,
   incrementWafRequestsMetric,
   updateWafRequestsMetricTags,
   updateRaspRequestsMetricTags,
@@ -14,9 +18,9 @@ const {
   updateRateLimitedMetric,
   getRequestMetrics
 } = require('./telemetry')
-const zlib = require('zlib')
 const { keepTrace } = require('../priority_sampler')
 const { ASM } = require('../standalone/product')
+const { DIAGNOSTIC_KEYS } = require('./waf/diagnostics')
 const REQUEST_HEADER_TAG_PREFIX = 'http.request.headers.'
 const RESPONSE_HEADER_TAG_PREFIX = 'http.response.headers.'
@@ -25,6 +29,8 @@ const COLLECTED_REQUEST_BODY_MAX_STRING_LENGTH = 4096
 const COLLECTED_REQUEST_BODY_MAX_DEPTH = 20
 const COLLECTED_REQUEST_BODY_MAX_ELEMENTS_PER_NODE = 256
+const telemetryLogCh = dc.channel('datadog:telemetry:log')
 // default limiter, configurable with setRateLimit()
 let limiter = new Limiter(100)
@@ -216,17 +222,64 @@ function getCollectedHeaders (req, res, shouldCollectEventHeaders, storedRespons
 function reportWafInit (wafVersion, rulesVersion, diagnosticsRules = {}, success = false) {
   if (success) {
     metricsQueue.set('_dd.appsec.waf.version', wafVersion)
-    metricsQueue.set('_dd.appsec.event_rules.loaded', diagnosticsRules.loaded?.length || 0)
-    metricsQueue.set('_dd.appsec.event_rules.error_count', diagnosticsRules.failed?.length || 0)
-    if (diagnosticsRules.failed?.length) {
-      metricsQueue.set('_dd.appsec.event_rules.errors', JSON.stringify(diagnosticsRules.errors))
-    }
   }
   incrementWafInitMetric(wafVersion, rulesVersion, success)
 }
+function logWafDiagnosticMessage (product, rcConfigId, configKey, message, level) {
+  const tags =
+    `log_type:rc::${product.toLowerCase()}::diagnostic,appsec_config_key:${configKey},rc_config_id:${rcConfigId}`
+  telemetryLogCh.publish({
+    message,
+    level,
+    tags
+  })
+}
+function reportWafConfigUpdate (product, rcConfigId, diagnostics, wafVersion) {
+  if (diagnostics.error) {
+    logWafDiagnosticMessage(product, rcConfigId, '', diagnostics.error, 'ERROR')
+    incrementWafConfigErrorsMetric(wafVersion, diagnostics.ruleset_version)
+  }
+  for (const configKey of DIAGNOSTIC_KEYS) {
+    const configDiagnostics = diagnostics[configKey]
+    if (!configDiagnostics) continue
+    if (configDiagnostics.error) {
+      logWafDiagnosticMessage(product, rcConfigId, configKey, configDiagnostics.error, 'ERROR')
+      incrementWafConfigErrorsMetric(wafVersion, diagnostics.ruleset_version)
+      continue
+    }
+    if (configDiagnostics.errors) {
+      for (const [errorMessage, errorIds] of Object.entries(configDiagnostics.errors)) {
+        logWafDiagnosticMessage(
+          product,
+          rcConfigId,
+          configKey,
+          `"${errorMessage}": ${JSON.stringify(errorIds)}`,
+          'ERROR'
+        )
+        incrementWafConfigErrorsMetric(wafVersion, diagnostics.ruleset_version)
+      }
+    }
+    if (configDiagnostics.warnings) {
+      for (const [warningMessage, warningIds] of Object.entries(configDiagnostics.warnings)) {
+        logWafDiagnosticMessage(
+          product,
+          rcConfigId,
+          configKey,
+          `"${warningMessage}": ${JSON.stringify(warningIds)}`,
+          'WARN'
+        )
+      }
+    }
+  }
+}
 function reportMetrics (metrics, raspRule) {
   const store = storage('legacy').getStore()
   const rootSpan = store?.req && web.root(store.req)
@@ -485,6 +538,7 @@ module.exports = {
   filterExtendedHeaders,
   formatHeaderName,
   reportWafInit,
+  reportWafConfigUpdate,
   reportMetrics,
   reportAttack,
   reportWafUpdate: incrementWafUpdatesMetric,

package/packages/dd-trace/src/appsec/rule_manager.js CHANGED Viewed

@@ -2,21 +2,22 @@
 const fs = require('fs')
 const waf = require('./waf')
+const { DIAGNOSTIC_KEYS } = require('./waf/diagnostics')
 const { ACKNOWLEDGED, ERROR } = require('../remote_config/apply_states')
+const Reporter = require('./reporter')
 const blocking = require('./blocking')
-let defaultRules
+const ASM_PRODUCTS = new Set(['ASM', 'ASM_DD', 'ASM_DATA'])
-let appliedRulesData = new Map()
-let appliedRulesetId
-let appliedRulesOverride = new Map()
-let appliedExclusions = new Map()
-let appliedCustomRules = new Map()
+/*
+  ASM Actions must be tracked in order to update the defaultBlockingActions in blocking. These actions are used
+  by blockRequest method exposed in the user blocking SDK (see packages/dd-trace/src/appsec/sdk/user_blocking.js)
+ */
 let appliedActions = new Map()
 function loadRules (config) {
-  defaultRules = config.rules
+  const defaultRules = config.rules
     ? JSON.parse(fs.readFileSync(config.rules))
     : require('./recommended.json')
@@ -26,137 +27,63 @@ function loadRules (config) {
 }
 function updateWafFromRC ({ toUnapply, toApply, toModify }) {
-  const batch = new Set()
-  const newRulesData = new SpyMap(appliedRulesData)
-  let newRuleset
-  let newRulesetId
-  const newRulesOverride = new SpyMap(appliedRulesOverride)
-  const newExclusions = new SpyMap(appliedExclusions)
-  const newCustomRules = new SpyMap(appliedCustomRules)
   const newActions = new SpyMap(appliedActions)
+  let wafUpdated = false
+  let wafUpdatedFailed = false
   for (const item of toUnapply) {
-    const { product, id } = item
+    if (!ASM_PRODUCTS.has(item.product)) continue
+    try {
+      waf.removeConfig(item.path)
+      item.apply_state = ACKNOWLEDGED
+      wafUpdated = true
-    if (product === 'ASM_DATA') {
-      newRulesData.delete(id)
-    } else if (product === 'ASM_DD') {
-      if (appliedRulesetId === id) {
-        newRuleset = defaultRules
+      // ASM actions
+      if (item.product === 'ASM') {
+        newActions.delete(item.id)
       }
-    } else if (product === 'ASM') {
-      newRulesOverride.delete(id)
-      newExclusions.delete(id)
-      newCustomRules.delete(id)
-      newActions.delete(id)
+    } catch (e) {
+      item.apply_state = ERROR
+      item.apply_error = e.toString()
+      wafUpdatedFailed = true
     }
   }
   for (const item of [...toApply, ...toModify]) {
-    const { product, id, file } = item
-    if (product === 'ASM_DATA') {
-      if (file && file.rules_data && file.rules_data.length) {
-        newRulesData.set(id, file.rules_data)
-      }
-      batch.add(item)
-    } else if (product === 'ASM_DD') {
-      if (appliedRulesetId && appliedRulesetId !== id && newRuleset !== defaultRules) {
-        item.apply_state = ERROR
-        item.apply_error = 'Multiple ruleset received in ASM_DD'
-      } else {
-        if (file?.rules?.length) {
-          const { version, metadata, rules, processors, scanners } = file
-          newRuleset = { version, metadata, rules, processors, scanners }
-          newRulesetId = id
-        }
-        batch.add(item)
-      }
-    } else if (product === 'ASM') {
-      if (file?.rules_override?.length) {
-        newRulesOverride.set(id, file.rules_override)
-      }
+    if (!ASM_PRODUCTS.has(item.product)) continue
-      if (file?.exclusions?.length) {
-        newExclusions.set(id, file.exclusions)
-      }
+    try {
+      waf.updateConfig(item.product, item.id, item.path, item.file)
-      if (file?.custom_rules?.length) {
-        newCustomRules.set(id, file.custom_rules)
-      }
+      item.apply_state = ACKNOWLEDGED
+      wafUpdated = true
-      if (file?.actions?.length) {
-        newActions.set(id, file.actions)
+      // ASM actions
+      if (item.product === 'ASM' && item.file?.actions?.length) {
+        newActions.set(item.id, item.file.actions)
       }
-      batch.add(item)
+    } catch (e) {
+      item.apply_state = ERROR
+      item.apply_error = e instanceof waf.WafUpdateError
+        ? JSON.stringify(extractErrors(e.diagnosticErrors))
+        : e.toString()
+      wafUpdatedFailed = true
     }
   }
-  let newApplyState = ACKNOWLEDGED
-  let newApplyError
-  if (newRulesData.modified ||
-    newRuleset ||
-    newRulesOverride.modified ||
-    newExclusions.modified ||
-    newCustomRules.modified ||
-    newActions.modified
-  ) {
-    const payload = newRuleset || {}
-    if (newRulesData.modified) {
-      payload.rules_data = mergeRulesData(newRulesData)
-    }
-    if (newRulesOverride.modified) {
-      payload.rules_override = concatArrays(newRulesOverride)
-    }
-    if (newExclusions.modified) {
-      payload.exclusions = concatArrays(newExclusions)
-    }
-    if (newCustomRules.modified) {
-      payload.custom_rules = concatArrays(newCustomRules)
-    }
-    if (newActions.modified) {
-      payload.actions = concatArrays(newActions)
-    }
-    try {
-      waf.update(payload)
-      if (newRulesData.modified) {
-        appliedRulesData = newRulesData
-      }
-      if (newRuleset) {
-        appliedRulesetId = newRulesetId
-      }
-      if (newRulesOverride.modified) {
-        appliedRulesOverride = newRulesOverride
-      }
-      if (newExclusions.modified) {
-        appliedExclusions = newExclusions
-      }
-      if (newCustomRules.modified) {
-        appliedCustomRules = newCustomRules
-      }
-      if (newActions.modified) {
-        appliedActions = newActions
+  waf.checkAsmDdFallback()
-        blocking.setDefaultBlockingActionParameters(concatArrays(newActions))
-      }
-    } catch (err) {
-      newApplyState = ERROR
-      newApplyError = err.toString()
-    }
+  if (wafUpdated) {
+    Reporter.reportWafUpdate(waf.wafManager.ddwafVersion, waf.wafManager.rulesVersion, !wafUpdatedFailed)
   }
-  for (const config of batch) {
-    config.apply_state = newApplyState
-    if (newApplyError) config.apply_error = newApplyError
+  // Manage blocking actions
+  if (newActions.modified) {
+    appliedActions = newActions
+    blocking.setDefaultBlockingActionParameters(concatArrays(newActions))
   }
 }
@@ -188,67 +115,32 @@ function concatArrays (files) {
   return [...files.values()].flat()
 }
-/*
-  ASM_DATA Merge strategy:
-  The merge should be based on the id and type. For any duplicate items, the longer expiration should be taken.
-  As a result, multiple Rule Data may use the same DATA_ID and DATA_TYPE. In this case, all values are considered part
-  of a set and are merged. For instance, a denylist customized by environment may use a global Rule Data for all
-  environments and a Rule Data per environment
-*/
-function mergeRulesData (files) {
-  const mergedRulesData = new Map()
-  for (const [, file] of files) {
-    for (const ruleData of file) {
-      const key = `${ruleData.id}+${ruleData.type}`
-      if (mergedRulesData.has(key)) {
-        const existingRulesData = mergedRulesData.get(key)
-        ruleData.data.reduce(rulesReducer, existingRulesData.data)
-      } else {
-        mergedRulesData.set(key, copyRulesData(ruleData))
-      }
+function extractErrors (diagnostics) {
+  if (!diagnostics) return
+  if (diagnostics.error) return diagnostics
+  const result = {}
+  let isResultPopulated = false
+  for (const diagnosticKey of DIAGNOSTIC_KEYS) {
+    if (diagnostics[diagnosticKey]?.error) {
+      (result[diagnosticKey] ??= {}).error = diagnostics[diagnosticKey]?.error
+      isResultPopulated = true
     }
-  }
-  return [...mergedRulesData.values()]
-}
-function rulesReducer (existingEntries, rulesDataEntry) {
-  const existingEntry = existingEntries.find((entry) => entry.value === rulesDataEntry.value)
-  if (existingEntry && !('expiration' in existingEntry)) return existingEntries
-  if (existingEntry && 'expiration' in rulesDataEntry && rulesDataEntry.expiration > existingEntry.expiration) {
-    existingEntry.expiration = rulesDataEntry.expiration
-  } else if (existingEntry && !('expiration' in rulesDataEntry)) {
-    delete existingEntry.expiration
-  } else if (!existingEntry) {
-    existingEntries.push({ ...rulesDataEntry })
+    if (diagnostics[diagnosticKey]?.errors) {
+      (result[diagnosticKey] ??= {}).errors = diagnostics[diagnosticKey]?.errors
+      isResultPopulated = true
+    }
   }
-  return existingEntries
-}
-function copyRulesData (rulesData) {
-  const copy = { ...rulesData }
-  if (copy.data) {
-    const data = []
-    copy.data.forEach(item => {
-      data.push({ ...item })
-    })
-    copy.data = data
-  }
-  return copy
+  return isResultPopulated ? result : null
 }
 function clearAllRules () {
   waf.destroy()
-  defaultRules = undefined
-  appliedRulesData.clear()
-  appliedRulesetId = undefined
-  appliedRulesOverride.clear()
-  appliedExclusions.clear()
-  appliedCustomRules.clear()
   appliedActions.clear()
   blocking.setDefaultBlockingActionParameters(undefined)
 }

package/packages/dd-trace/src/appsec/sdk/track_event.js CHANGED Viewed

@@ -130,7 +130,7 @@ function trackUserLoginFailureV2 (tracer, login, exists, metadata) {
   const wafData = { login }
-  if (typeof exists === 'object' && metadata === undefined) {
+  if (exists !== null && typeof exists === 'object' && metadata === undefined) {
     metadata = exists
     exists = false
   }
@@ -167,10 +167,8 @@ function flattenFields (fields, depth = 0) {
           result[`${key}.${flatKey}`] = flatValue[flatKey]
         }
       }
-    } else {
-      if (value !== undefined) {
-        result[key] = value
-      }
+    } else if (value !== undefined) {
+      result[key] = value
     }
   }

package/packages/dd-trace/src/appsec/telemetry/common.js CHANGED Viewed

@@ -17,7 +17,7 @@ const tags = {
 function getVersionsTags (wafVersion, rulesVersion) {
   return {
     [tags.WAF_VERSION]: wafVersion,
-    [tags.EVENT_RULES_VERSION]: rulesVersion
+    [tags.EVENT_RULES_VERSION]: rulesVersion || 'unknown'
   }
 }

package/packages/dd-trace/src/appsec/telemetry/index.js CHANGED Viewed

@@ -13,6 +13,7 @@ const {
   trackWafMetrics,
   incrementWafInit,
   incrementWafUpdates,
+  incrementWafConfigErrors,
   incrementWafRequests
 } = require('./waf')
 const telemetryMetrics = require('../../telemetry/metrics')
@@ -151,6 +152,12 @@ function incrementWafUpdatesMetric (wafVersion, rulesVersion, success) {
   incrementWafUpdates(wafVersion, rulesVersion, success)
 }
+function incrementWafConfigErrorsMetric (wafVersion, rulesVersion) {
+  if (!enabled) return
+  incrementWafConfigErrors(wafVersion, rulesVersion)
+}
 function incrementWafRequestsMetric (req) {
   if (!req || !enabled) return
@@ -197,6 +204,7 @@ module.exports = {
   updateRaspRuleSkippedMetricTags,
   incrementWafInitMetric,
   incrementWafUpdatesMetric,
+  incrementWafConfigErrorsMetric,
   incrementWafRequestsMetric,
   incrementMissingUserLoginMetric,
   incrementMissingUserIdMetric,

package/packages/dd-trace/src/appsec/telemetry/waf.js CHANGED Viewed

@@ -103,10 +103,11 @@ function incrementWafInit (wafVersion, rulesVersion, success) {
 function incrementWafUpdates (wafVersion, rulesVersion, success) {
   const versionsTags = getVersionsTags(wafVersion, rulesVersion)
   appsecMetrics.count('waf.updates', { ...versionsTags, success }).inc()
+}
-  if (!success) {
-    appsecMetrics.count('waf.config_errors', versionsTags).inc()
-  }
+function incrementWafConfigErrors (wafVersion, rulesVersion) {
+  const versionsTags = getVersionsTags(wafVersion, rulesVersion)
+  appsecMetrics.count('waf.config_errors', versionsTags).inc()
 }
 function incrementWafRequests (store) {
@@ -137,5 +138,6 @@ module.exports = {
   trackWafMetrics,
   incrementWafInit,
   incrementWafUpdates,
+  incrementWafConfigErrors,
   incrementWafRequests
 }

package/packages/dd-trace/src/appsec/waf/diagnostics.js ADDED Viewed

@@ -0,0 +1,15 @@
+'use strict'
+module.exports = {
+  DIAGNOSTIC_KEYS: [
+    'rules',
+    'custom_rules',
+    'exclusions',
+    'actions',
+    'processors',
+    'scanners',
+    'rules_override',
+    'rules_data',
+    'exclusion_data'
+  ]
+}