Merge branch 'sezen.leblay/upgrade-libddwaf-java-1.23' into sezen.leblay/APPSEC-57893-appsec-enabled-metric

Author: sezen-datadog

.github/workflows/analyze-changes.yaml

@@ -40,7 +40,7 @@ jobs:
             ${{ runner.os }}-gradle-
         
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         with:
           languages: 'java'
           build-mode: 'manual'
@@ -57,7 +57,7 @@ jobs:
             --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Perform CodeQL Analysis and upload results to GitHub Security tab
-        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 
   trivy:
     name: Analyze changes with Trivy
@@ -109,7 +109,7 @@ jobs:
           ls -laR "./workspace/.trivy"
 
       - name: Run Trivy security scanner
-        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # v0.30.0
+        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.31.0
         with:
           scan-type: rootfs
           scan-ref: './workspace/.trivy/'
@@ -122,7 +122,7 @@ jobs:
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/check-ci-pipelines.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Run Ensure CI Success
-        uses: DataDog/ensure-ci-success@727e7fe39ae2e1ce7ea336ec85a7369ab0731754
+        uses: DataDog/ensure-ci-success@4a4b720e881d965254a9de2a4f14d1ec0c3d0d7c
         with:
           initial-delay-seconds: "500"
           max-retries: "60"

.gitlab-ci.yml

@@ -95,6 +95,12 @@ default:
   - ONE_INDEXED_NODE_INDEX=${CI_NODE_INDEX:-1}; export NORMALIZED_NODE_INDEX=$((ONE_INDEXED_NODE_INDEX - 1))
   - echo "NORMALIZED_NODE_TOTAL=${NORMALIZED_NODE_TOTAL}, NORMALIZED_NODE_INDEX=$NORMALIZED_NODE_INDEX"
 
+.cgroup_info: &cgroup_info
+  - source .gitlab/gitlab-utils.sh
+  - gitlab_section_start "cgroup-info" "cgroup info"
+  - .gitlab/cgroup-info.sh
+  - gitlab_section_end "cgroup-info"
+
 .gradle_build: &gradle_build
   image: ghcr.io/datadog/dd-trace-java-docker-build:${BUILDER_IMAGE_VERSION_PREFIX}base
   stage: build
@@ -140,6 +146,8 @@ default:
     - mv .gradle-copy .gradle
     - ls -la
     - gitlab_section_end "gradle-dance"
+  after_script:
+    - *cgroup_info
 
 build:
   extends: .gradle_build
@@ -275,6 +283,7 @@ test_published_artifacts:
     - export GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx1G -Xms1G -XX:ErrorFile=/tmp/hs_err_pid%p.log -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp'"
     - ./gradlew check --info $GRADLE_ARGS
   after_script:
+    - *cgroup_info
     - source .gitlab/gitlab-utils.sh
     - gitlab_section_start "collect-reports" "Collecting reports"
     - .circleci/collect_reports.sh
@@ -293,6 +302,7 @@ test_published_artifacts:
   script:
     - ./gradlew $GRADLE_TARGET -PskipTests -PrunBuildSrcTests -PskipSpotless -PtaskPartitionCount=$NORMALIZED_NODE_TOTAL -PtaskPartition=$NORMALIZED_NODE_INDEX $GRADLE_ARGS
   after_script:
+    - *cgroup_info
     - source .gitlab/gitlab-utils.sh
     - gitlab_section_start "collect-reports" "Collecting reports"
     - .circleci/collect_reports.sh --destination ./check_reports --move
@@ -353,6 +363,7 @@ muzzle:
     - split --number=l/$NORMALIZED_NODE_TOTAL --suffix-length=1 --numeric-suffixes sortedMuzzleTasks muzzleSplit
     - ./gradlew `cat muzzleSplit${NORMALIZED_NODE_INDEX} | xargs` $GRADLE_ARGS
   after_script:
+    - *cgroup_info
     - source .gitlab/gitlab-utils.sh
     - gitlab_section_start "collect-reports" "Collecting reports"
     - .circleci/collect_reports.sh
@@ -373,6 +384,7 @@ muzzle-dep-report:
     - export SKIP_BUILDSCAN="true"
     - ./gradlew generateMuzzleReport muzzleInstrumentationReport $GRADLE_ARGS
   after_script:
+    - *cgroup_info
     - .circleci/collect_muzzle_deps.sh
   artifacts:
     when: always
@@ -432,6 +444,7 @@ muzzle-dep-report:
   after_script:
     - *restore_pretest_env
     - *set_datadog_api_keys
+    - *cgroup_info
     - source .gitlab/gitlab-utils.sh
     - gitlab_section_start "collect-reports" "Collecting reports"
     - .circleci/collect_reports.sh

.gitlab/cgroup-info.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+print_metric() {
+  local label="$1"
+  local raw_value="$2"
+  local trimmed_value
+
+  # Use read -rd '' to trim leading/trailing IFS whitespace (space, tab, newline)
+  read -rd '' trimmed_value <<< "$raw_value" || :
+
+  # Check if trimmed_value contains a newline character for formatting
+  if [[ "$trimmed_value" == *$'\n'* ]]; then
+    local indent="  "
+    # Using a more robust way to handle potential leading/trailing newlines in raw_value for printf
+    printf "%-35s :\n" "$label"
+    printf "%s\n" "$indent${trimmed_value//$'\n'/$'\n'$indent}" # Indent and print the value on new lines
+  else
+    printf "%-35s : %s\n" "$label" "$trimmed_value"
+  fi
+}
+
+cat_file() {
+  cat "$1" 2>/dev/null || echo 'not found'
+}
+
+# Show cgroup memory usage
+print_metric "RAM memory" "$( (grep MemTotal /proc/meminfo | tr -s ' ' | cut -d ' ' -f 2) 2>/dev/null || echo 'not found')"
+
+if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
+  # cgroup v2
+  print_metric "cgroup v2 memory.peak" "$(cat_file /sys/fs/cgroup/memory.peak)"
+  print_metric "cgroup v2 memory.max" "$(cat_file /sys/fs/cgroup/memory.max)"
+  print_metric "cgroup v2 memory.high" "$(cat_file /sys/fs/cgroup/memory.high)"
+  print_metric "cgroup v2 memory.current" "$(cat_file /sys/fs/cgroup/memory.current)"
+  if [ -f /sys/fs/cgroup/memory.pressure ]; then
+    print_metric "cgroup v2 memory.pressure" "$(cat_file /sys/fs/cgroup/memory.pressure)"
+  fi
+  if [ -f /sys/fs/cgroup/memory.events ]; then
+    print_metric "cgroup v2 memory.events oom" "$( (grep -E '^oom\\s' /sys/fs/cgroup/memory.events | cut -d' ' -f2) 2>/dev/null || echo 'not found')"
+    print_metric "cgroup v2 memory.events oom_kill" "$( (grep -E '^oom_kill\\s' /sys/fs/cgroup/memory.events | cut -d' ' -f2) 2>/dev/null || echo 'not found')"
+    print_metric "cgroup v2 memory.events high" "$( (grep -E '^high\\s' /sys/fs/cgroup/memory.events | cut -d' ' -f2) 2>/dev/null || echo 'not found')"
+  fi
+
+  # CPU metrics
+  print_metric "cgroup v2 cpu.max" "$(cat_file /sys/fs/cgroup/cpu.max)"
+  print_metric "cgroup v2 cpu.nr_throttled" "$( (grep -E "^nr_throttled[[:space:]]+" /sys/fs/cgroup/cpu.stat | cut -d' ' -f2) 2>/dev/null || echo 'not found')"
+  print_metric "cgroup v2 cpu.throttled_usec" "$( (grep -E "^throttled_usec[[:space:]]+" /sys/fs/cgroup/cpu.stat | cut -d' ' -f2) 2>/dev/null || echo 'not found')"
+  print_metric "cgroup v2 cpu.usage_usec" "$( (grep -E "^usage_usec[[:space:]]+" /sys/fs/cgroup/cpu.stat | cut -d' ' -f2) 2>/dev/null || echo 'not found')"
+  if [ -f /sys/fs/cgroup/cpu.pressure ]; then # cpu.pressure might not exist on older kernels/setups
+    print_metric "cgroup v2 cpu.pressure" "$(cat_file /sys/fs/cgroup/cpu.pressure)"
+  fi
+
+elif [ -d "/sys/fs/cgroup/memory" ]; then # Assuming if memory cgroup v1 exists, cpu might too
+  # cgroup v1
+  # Note: In cgroup v1, memory stats are typically found under /sys/fs/cgroup/memory/
+  # The specific path might vary if inside a nested cgroup.
+  # This script assumes it's running in a context where /sys/fs/cgroup/memory/ points to the relevant cgroup.
+  print_metric "cgroup v1 memory.usage_in_bytes" "$(cat_file /sys/fs/cgroup/memory/memory.usage_in_bytes)"
+  print_metric "cgroup v1 memory.limit_in_bytes" "$(cat_file /sys/fs/cgroup/memory/memory.limit_in_bytes)"
+  print_metric "cgroup v1 memory.failcnt" "$(cat_file /sys/fs/cgroup/memory/memory.failcnt)"
+  print_metric "cgroup v1 memory.max_usage_in_bytes" "$(cat_file /sys/fs/cgroup/memory/memory.max_usage_in_bytes)"
+
+  # Throttling stats from /sys/fs/cgroup/cpu/cpu.stat
+  if [ -f /sys/fs/cgroup/cpu/cpu.stat ]; then
+    print_metric "cgroup v1 cpu.nr_throttled" "$( (grep -E "^nr_throttled[[:space:]]+" /sys/fs/cgroup/cpu/cpu.stat | cut -d' ' -f2) 2>/dev/null || echo 'not found')"
+    print_metric "cgroup v1 cpu.throttled_time_ns" "$( (grep -E "^throttled_time[[:space:]]+" /sys/fs/cgroup/cpu/cpu.stat | cut -d' ' -f2) 2>/dev/null || echo 'not found')"
+  else
+    # Print not found for these specific metrics if cpu.stat is missing, to avoid ambiguity
+    print_metric "cgroup v1 cpu.nr_throttled" "not found (cpu.stat)"
+    print_metric "cgroup v1 cpu.throttled_time_ns" "not found (cpu.stat)"
+  fi
+  # CPU Quota settings from /sys/fs/cgroup/cpu/
+  print_metric "cgroup v1 cpu.cfs_period_us" "$(cat_file /sys/fs/cgroup/cpu/cpu.cfs_period_us)"
+  print_metric "cgroup v1 cpu.cfs_quota_us" "$(cat_file /sys/fs/cgroup/cpu/cpu.cfs_quota_us)"
+  # CPU usage from /sys/fs/cgroup/cpuacct/ (usually same hierarchy as cpu)
+  print_metric "cgroup v1 cpuacct.usage_ns" "$(cat_file /sys/fs/cgroup/cpuacct/cpuacct.usage)"
+  print_metric "cgroup v1 cpuacct.usage_user_ns" "$(cat_file /sys/fs/cgroup/cpuacct/cpuacct.usage_user)"
+  print_metric "cgroup v1 cpuacct.usage_sys_ns" "$(cat_file /sys/fs/cgroup/cpuacct/cpuacct.usage_sys)"
+
+else
+  printf "cgroup memory paths not found. Neither cgroup v2 controller file nor cgroup v1 memory directory detected.\n"
+fi
+

benchmark/load/petclinic/benchmark.json

@@ -30,12 +30,6 @@
         "JAVA_OPTS": "-javaagent:${TRACER} -Ddd.appsec.enabled=true"
       }
     },
-    "appsec_no_iast": {
-      "env": {
-        "VARIANT": "appsec_no_iast",
-        "JAVA_OPTS": "-javaagent:${TRACER} -Ddd.appsec.enabled=true -Ddd.iast.enabled=false"
-      }
-    },
     "iast": {
       "env": {
         "VARIANT": "iast",

benchmark/startup/petclinic/benchmark.json

@@ -24,12 +24,6 @@
         "JAVA_OPTS": "-Ddd.appsec.enabled=true"
       }
     },
-    "appsec_no_iast": {
-      "env": {
-        "VARIANT": "appsec",
-        "JAVA_OPTS": "-Ddd.appsec.enabled=true -Ddd.iast.enabled=false"
-      }
-    },
     "iast": {
       "env": {
         "VARIANT": "iast",

dd-java-agent/appsec/build.gradle

@@ -15,7 +15,7 @@ dependencies {
   implementation project(':internal-api')
   implementation project(':communication')
   implementation project(':telemetry')
-  implementation group: 'io.sqreen', name: 'libsqreen', version: '13.0.1'
+  implementation group: 'io.sqreen', name: 'libsqreen', version: '14.0.0'
   implementation libs.moshi
 
   testImplementation libs.bytebuddy
@@ -70,6 +70,7 @@ ext {
     'com.datadog.appsec.config.MergedAsmData.InvalidAsmDataException',
     'com.datadog.appsec.ddwaf.WafInitialization',
     'com.datadog.appsec.ddwaf.WAFModule.WAFDataCallback',
+    'com.datadog.appsec.config.AppSecModuleConfigurer.Reconfiguration',
     'com.datadog.appsec.report.*',
     'com.datadog.appsec.config.AppSecConfigServiceImpl.SubscribeFleetServiceRunnable.1',
     'com.datadog.appsec.util.StandardizedLogging',
@@ -81,6 +82,7 @@ ext {
     'com.datadog.appsec.config.AppSecFeatures.Asm',
     'com.datadog.appsec.config.AppSecFeatures.ApiSecurity',
     'com.datadog.appsec.config.AppSecFeatures.AutoUserInstrum',
+    'com.datadog.appsec.AppSecModule.AppSecModuleActivationException',
     'com.datadog.appsec.event.ReplaceableEventProducerService',
     'com.datadog.appsec.api.security.ApiSecuritySampler.NoOp',
   ]

dd-java-agent/appsec/src/jmh/java/datadog/appsec/benchmark/WafBenchmark.java

@@ -3,21 +3,24 @@
 import static java.util.concurrent.TimeUnit.MICROSECONDS;
 import static java.util.concurrent.TimeUnit.SECONDS;
 
-import com.datadog.appsec.config.AppSecConfig;
-import com.datadog.appsec.config.AppSecConfigDeserializer;
 import com.datadog.appsec.event.data.KnownAddresses;
 import com.datadog.ddwaf.Waf;
+import com.datadog.ddwaf.WafBuilder;
 import com.datadog.ddwaf.WafContext;
 import com.datadog.ddwaf.WafHandle;
 import com.datadog.ddwaf.WafMetrics;
 import com.datadog.ddwaf.exception.AbstractWafException;
+import com.squareup.moshi.JsonAdapter;
+import com.squareup.moshi.Moshi;
+import com.squareup.moshi.Types;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import okio.Okio;
 import org.openjdk.jmh.annotations.Benchmark;
 import org.openjdk.jmh.annotations.BenchmarkMode;
 import org.openjdk.jmh.annotations.Fork;
@@ -38,45 +41,49 @@
 @OutputTimeUnit(MICROSECONDS)
 @Fork(value = 3)
 public class WafBenchmark {
+  private static final JsonAdapter<Map<String, Object>> ADAPTER =
+      new Moshi.Builder()
+          .build()
+          .adapter(Types.newParameterizedType(Map.class, String.class, Object.class));
 
   static {
     BenchmarkUtil.disableLogging();
     BenchmarkUtil.initializeWaf();
   }
 
-  WafHandle ctx;
+  WafBuilder wafBuilder;
+  WafHandle wafHandle;
+  WafContext wafContext;
   Map<String, Object> wafData = new HashMap<>();
   Waf.Limits limits = new Waf.Limits(50, 500, 1000, 5000000, 5000000);
 
   @Benchmark
   public void withMetrics() throws Exception {
-    WafMetrics metricsCollector = ctx.createMetrics();
-    WafContext add = ctx.openContext();
+    WafMetrics metricsCollector = new WafMetrics();
+    wafContext = new WafContext(wafHandle);
     try {
-      add.run(wafData, limits, metricsCollector);
+      wafContext.run(wafData, limits, metricsCollector);
     } finally {
-      add.close();
+      wafContext.close();
     }
   }
 
   @Benchmark
   public void withoutMetrics() throws Exception {
-    WafContext add = ctx.openContext();
+    wafContext = new WafContext(wafHandle);
     try {
-      add.run(wafData, limits, null);
+      wafContext.run(wafData, limits, null);
     } finally {
-      add.close();
+      wafContext.close();
     }
   }
 
   @Setup(Level.Trial)
   public void setUp() throws AbstractWafException, IOException {
+    wafBuilder = new WafBuilder();
     InputStream stream = getClass().getClassLoader().getResourceAsStream("test_multi_config.json");
-    Map<String, AppSecConfig> cfg =
-        Collections.singletonMap("waf", AppSecConfigDeserializer.INSTANCE.deserialize(stream));
-    AppSecConfig waf = cfg.get("waf");
-    ctx = Waf.createHandle("waf", waf.getRawConfig());
-
+    wafBuilder.addOrUpdateConfig("waf", ADAPTER.fromJson(Okio.buffer(Okio.source(stream))));
+    wafHandle = wafBuilder.buildWafHandleInstance();
     wafData.put(KnownAddresses.REQUEST_METHOD.getKey(), "POST");
     wafData.put(
         KnownAddresses.REQUEST_URI_RAW.getKey(), "/foo/bar?foo=bar&foo=xpto&foo=%3cscript%3e");
@@ -112,6 +119,14 @@ public void setUp() throws AbstractWafException, IOException {
 
   @TearDown(Level.Trial)
   public void teardown() {
-    ctx.close();
+    if (wafHandle != null && wafHandle.isOnline()) {
+      wafHandle.close();
+    }
+    if (wafContext != null && wafContext.isOnline()) {
+      wafContext.close();
+    }
+    if (wafBuilder != null && wafBuilder.isOnline()) {
+      wafBuilder.close();
+    }
   }
 }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecModule.java

@@ -3,17 +3,24 @@
 import com.datadog.appsec.config.AppSecModuleConfigurer;
 import com.datadog.appsec.event.DataListener;
 import com.datadog.appsec.event.data.Address;
+import com.datadog.ddwaf.WafBuilder;
 import java.util.Collection;
 
 public interface AppSecModule {
   void config(AppSecModuleConfigurer appSecConfigService) throws AppSecModuleActivationException;
 
+  void setWafBuilder(WafBuilder wafBuilder);
+
+  void setRuleVersion(String rulesetVersion);
+
   String getName();
 
   String getInfo();
 
   Collection<DataSubscription> getDataSubscriptions();
 
+  boolean isWafBuilderSet();
+
   abstract class DataSubscription implements DataListener {
     private final Collection<Address<?>> subscribedAddresses;
     private final Priority priority;