Add waf_error tag to appsec.waf.requests metric

Mariovido · Mariovido · commit 41779c2e45dd · 2025-02-07T12:17:35.000+01:00
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java
@@ -448,6 +448,7 @@ public void onDataAvailable(
         if (!reqCtx.isAdditiveClosed()) {
           log.error("Error calling WAF", e);
         }
+        WafMetricCollector.get().wafRequestError();
         return;
       } finally {
         if (log.isDebugEnabled()) {
diff --git a/internal-api/src/main/java/datadog/trace/api/telemetry/WafMetricCollector.java b/internal-api/src/main/java/datadog/trace/api/telemetry/WafMetricCollector.java
@@ -34,6 +34,7 @@ private WafMetricCollector() {
   private static final AtomicRequestCounter wafTriggeredRequestCounter = new AtomicRequestCounter();
   private static final AtomicRequestCounter wafBlockedRequestCounter = new AtomicRequestCounter();
   private static final AtomicRequestCounter wafTimeoutRequestCounter = new AtomicRequestCounter();
+  private static final AtomicRequestCounter wafErrorRequestCounter = new AtomicRequestCounter();
   private static final AtomicLongArray raspRuleEvalCounter =
       new AtomicLongArray(RuleType.getNumValues());
   private static final AtomicLongArray raspRuleMatchCounter =
@@ -92,6 +93,10 @@ public void wafRequestTimeout() {
     wafTimeoutRequestCounter.increment();
   }
 
+  public void wafRequestError() {
+    wafErrorRequestCounter.increment();
+  }
+
   public void raspRuleEval(final RuleType ruleType) {
     raspRuleEvalCounter.incrementAndGet(ruleType.ordinal());
   }
@@ -136,6 +141,7 @@ public void prepareMetrics() {
               WafMetricCollector.rulesVersion,
               false,
               false,
+              false,
               false))) {
         return;
       }
@@ -150,6 +156,7 @@ public void prepareMetrics() {
               WafMetricCollector.rulesVersion,
               true,
               false,
+              false,
               false))) {
         return;
       }
@@ -164,6 +171,7 @@ public void prepareMetrics() {
               WafMetricCollector.rulesVersion,
               true,
               true,
+              false,
               false))) {
         return;
       }
@@ -178,11 +186,27 @@ public void prepareMetrics() {
               WafMetricCollector.rulesVersion,
               false,
               false,
+              false,
               true))) {
         return;
       }
     }
 
+    // WAF error requests
+    if (wafErrorRequestCounter.get() > 0) {
+      if (!rawMetricsQueue.offer(
+          new WafRequestsRawMetric(
+              wafErrorRequestCounter.getAndReset(),
+              WafMetricCollector.wafVersion,
+              WafMetricCollector.rulesVersion,
+              false,
+              false,
+              true,
+              false))) {
+        return;
+      }
+    }
+
     // RASP rule eval per rule type
     for (RuleType ruleType : RuleType.values()) {
       long counter = raspRuleEvalCounter.getAndSet(ruleType.ordinal(), 0);
@@ -307,6 +331,7 @@ public WafRequestsRawMetric(
         final String rulesVersion,
         final boolean triggered,
         final boolean blocked,
+        final boolean wafError,
         final boolean wafTimeout) {
       super(
           "waf.requests",
@@ -315,6 +340,7 @@ public WafRequestsRawMetric(
           "event_rules_version:" + rulesVersion,
           "rule_triggered:" + triggered,
           "request_blocked:" + blocked,
+          "waf_error:" + wafError,
           "waf_timeout:" + wafTimeout);
     }
   }
diff --git a/internal-api/src/test/groovy/datadog/trace/api/telemetry/WafMetricCollectorTest.groovy b/internal-api/src/test/groovy/datadog/trace/api/telemetry/WafMetricCollectorTest.groovy
@@ -27,6 +27,7 @@ class WafMetricCollectorTest extends DDSpecification {
     WafMetricCollector.get().wafRequestTriggered()
     WafMetricCollector.get().wafRequestBlocked()
     WafMetricCollector.get().wafRequestTimeout()
+    WafMetricCollector.get().wafRequestError()
     WafMetricCollector.get().raspRuleEval(RuleType.SQL_INJECTION)
     WafMetricCollector.get().raspRuleEval(RuleType.SQL_INJECTION)
     WafMetricCollector.get().raspRuleMatch(RuleType.SQL_INJECTION)
@@ -69,6 +70,7 @@ class WafMetricCollectorTest extends DDSpecification {
       'event_rules_version:rules.3',
       'rule_triggered:false',
       'request_blocked:false',
+      'waf_error:false',
       'waf_timeout:false'
     ].toSet()
 
@@ -81,6 +83,7 @@ class WafMetricCollectorTest extends DDSpecification {
       'event_rules_version:rules.3',
       'rule_triggered:true',
       'request_blocked:false',
+      'waf_error:false',
       'waf_timeout:false'
     ].toSet()
 
@@ -95,6 +98,7 @@ class WafMetricCollectorTest extends DDSpecification {
       'event_rules_version:rules.3',
       'rule_triggered:true',
       'request_blocked:true',
+      'waf_error:false',
       'waf_timeout:false'
     ].toSet()
 
@@ -108,24 +112,39 @@ class WafMetricCollectorTest extends DDSpecification {
       'event_rules_version:rules.3',
       'rule_triggered:false',
       'request_blocked:false',
+      'waf_error:false',
       'waf_timeout:true'
     ].toSet()
 
-    def raspRuleEvalSqli = (WafMetricCollector.RaspRuleEval)metrics[7]
+    def requestWafErrorMetric = (WafMetricCollector.WafRequestsRawMetric)metrics[7]
+    requestWafErrorMetric.namespace == 'appsec'
+    requestWafErrorMetric.metricName == 'waf.requests'
+    requestWafErrorMetric.type == 'count'
+    requestWafErrorMetric.value == 1
+    requestWafErrorMetric.tags.toSet() == [
+      'waf_version:waf_ver1',
+      'event_rules_version:rules.3',
+      'rule_triggered:false',
+      'request_blocked:false',
+      'waf_error:true',
+      'waf_timeout:false'
+    ].toSet()
+
+    def raspRuleEvalSqli = (WafMetricCollector.RaspRuleEval)metrics[8]
     raspRuleEvalSqli.type == 'count'
     raspRuleEvalSqli.value == 3
     raspRuleEvalSqli.namespace == 'appsec'
     raspRuleEvalSqli.metricName == 'rasp.rule.eval'
     raspRuleEvalSqli.tags.toSet() == ['rule_type:sql_injection', 'waf_version:waf_ver1'].toSet()
 
-    def raspRuleMatch = (WafMetricCollector.RaspRuleMatch)metrics[8]
+    def raspRuleMatch = (WafMetricCollector.RaspRuleMatch)metrics[9]
     raspRuleMatch.type == 'count'
     raspRuleMatch.value == 1
     raspRuleMatch.namespace == 'appsec'
     raspRuleMatch.metricName == 'rasp.rule.match'
     raspRuleMatch.tags.toSet() == ['rule_type:sql_injection', 'waf_version:waf_ver1'].toSet()
 
-    def raspTimeout = (WafMetricCollector.RaspTimeout)metrics[9]
+    def raspTimeout = (WafMetricCollector.RaspTimeout)metrics[10]
     raspTimeout.type == 'count'
     raspTimeout.value == 1
     raspTimeout.namespace == 'appsec'
diff --git a/telemetry/src/test/groovy/datadog/telemetry/metric/WafMetricPeriodicActionSpecification.groovy b/telemetry/src/test/groovy/datadog/telemetry/metric/WafMetricPeriodicActionSpecification.groovy
@@ -49,6 +49,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
     WafMetricCollector.get().wafRequestBlocked()
     WafMetricCollector.get().wafRequest()
     WafMetricCollector.get().wafRequestTimeout()
+    WafMetricCollector.get().wafRequestError()
     WafMetricCollector.get().prepareMetrics()
     periodicAction.doIteration(telemetryService)
 
@@ -66,6 +67,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'event_rules_version:rules_ver_1',
           'rule_triggered:false',
           'request_blocked:false',
+          'waf_error:false',
           'waf_timeout:false'
         ]
     } )
@@ -78,6 +80,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'event_rules_version:rules_ver_1',
           'rule_triggered:true',
           'request_blocked:false',
+          'waf_error:false',
           'waf_timeout:false'
         ]
     } )
@@ -90,6 +93,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'event_rules_version:rules_ver_1',
           'rule_triggered:true',
           'request_blocked:true',
+          'waf_error:false',
           'waf_timeout:false'
         ]
     } )
@@ -102,9 +106,23 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'event_rules_version:rules_ver_1',
           'rule_triggered:false',
           'request_blocked:false',
+          'waf_error:false',
           'waf_timeout:true'
         ]
     } )
+    1 * telemetryService.addMetric( { Metric metric ->
+      metric.namespace == 'appsec' &&
+        metric.metric == 'waf.requests' &&
+        metric.points[0][1] == 1 &&
+        metric.tags == [
+          'waf_version:0.0.0',
+          'event_rules_version:rules_ver_1',
+          'rule_triggered:false',
+          'request_blocked:false',
+          'waf_error:true',
+          'waf_timeout:false'
+        ]
+    } )
     0 * _._
 
     when: 'waf.updates happens'
@@ -113,6 +131,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
     WafMetricCollector.get().wafRequestTriggered()
     WafMetricCollector.get().wafRequestBlocked()
     WafMetricCollector.get().wafRequestTimeout()
+    WafMetricCollector.get().wafRequestError()
     WafMetricCollector.get().prepareMetrics()
     periodicAction.doIteration(telemetryService)
 
@@ -130,6 +149,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'event_rules_version:rules_ver_2',
           'rule_triggered:false',
           'request_blocked:false',
+          'waf_error:false',
           'waf_timeout:false'
         ]
     } )
@@ -142,6 +162,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'event_rules_version:rules_ver_2',
           'rule_triggered:true',
           'request_blocked:false',
+          'waf_error:false',
           'waf_timeout:false'
         ]
     } )
@@ -154,6 +175,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'event_rules_version:rules_ver_2',
           'rule_triggered:true',
           'request_blocked:true',
+          'waf_error:false',
           'waf_timeout:false'
         ]
     } )
@@ -166,9 +188,23 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
           'event_rules_version:rules_ver_2',
           'rule_triggered:false',
           'request_blocked:false',
+          'waf_error:false',
           'waf_timeout:true'
         ]
     } )
+    1 * telemetryService.addMetric( { Metric metric ->
+      metric.namespace == 'appsec' &&
+        metric.metric == 'waf.requests' &&
+        metric.points[0][1] == 1 &&
+        metric.tags == [
+          'waf_version:0.0.0',
+          'event_rules_version:rules_ver_2',
+          'rule_triggered:false',
+          'request_blocked:false',
+          'waf_error:true',
+          'waf_timeout:false'
+        ]
+    } )
     0 * _._
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -448,6 +448,7 @@ public void onDataAvailable(`
`448`	`448`	`if (!reqCtx.isAdditiveClosed()) {`
`449`	`449`	`log.error("Error calling WAF", e);`
`450`	`450`	`}`
	`451`	`+ WafMetricCollector.get().wafRequestError();`
`451`	`452`	`return;`
`452`	`453`	`} finally {`
`453`	`454`	`if (log.isDebugEnabled()) {`