Create metric: appsec.rasp.error

sezen-datadog · sezen-datadog · commit 3e089a7ffd63 · 2025-02-10T17:02:31.000+01:00
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java
@@ -124,6 +124,9 @@ public class AppSecRequestContext implements DataBundle, Closeable {
   private volatile boolean blocked;
   private volatile int wafTimeouts;
   private volatile int raspTimeouts;
+  private volatile int raspInternalErrors;
+  private volatile int raspInvalidObjectErrors;
+  private volatile int raspInvalidArgumentErrors;
 
   // keep a reference to the last published usr.id
   private volatile String userId;
@@ -139,6 +142,18 @@ public class AppSecRequestContext implements DataBundle, Closeable {
   private static final AtomicIntegerFieldUpdater<AppSecRequestContext> RASP_TIMEOUTS_UPDATER =
       AtomicIntegerFieldUpdater.newUpdater(AppSecRequestContext.class, "raspTimeouts");
 
+  private static final AtomicIntegerFieldUpdater<AppSecRequestContext>
+      RASP_INTERNAL_ERRORS_UPDATER =
+          AtomicIntegerFieldUpdater.newUpdater(AppSecRequestContext.class, "raspInternalErrors");
+  private static final AtomicIntegerFieldUpdater<AppSecRequestContext>
+      RASP_INVALID_OBJECT_ERRORS_UPDATER =
+          AtomicIntegerFieldUpdater.newUpdater(
+              AppSecRequestContext.class, "raspInvalidObjectErrors");
+  private static final AtomicIntegerFieldUpdater<AppSecRequestContext>
+      RASP_INVALID_ARGUMENT_ERRORS_UPDATER =
+          AtomicIntegerFieldUpdater.newUpdater(
+              AppSecRequestContext.class, "raspInvalidArgumentErrors");
+
   // to be called by the Event Dispatcher
   public void addAll(DataBundle newData) {
     for (Map.Entry<Address<?>, Object> entry : newData) {
@@ -188,6 +203,22 @@ public void increaseRaspTimeouts() {
     RASP_TIMEOUTS_UPDATER.incrementAndGet(this);
   }
 
+  public void increaseRaspErrorCode(int code) {
+    switch (code) {
+      case -3:
+        RASP_INTERNAL_ERRORS_UPDATER.incrementAndGet(this);
+        break;
+      case -2:
+        RASP_INVALID_OBJECT_ERRORS_UPDATER.incrementAndGet(this);
+        break;
+      case -1:
+        RASP_INVALID_ARGUMENT_ERRORS_UPDATER.incrementAndGet(this);
+        break;
+      default:
+        break;
+    }
+  }
+
   public int getWafTimeouts() {
     return wafTimeouts;
   }
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java
@@ -46,6 +46,7 @@
 import io.sqreen.powerwaf.exception.AbstractPowerwafException;
 import io.sqreen.powerwaf.exception.InvalidRuleSetException;
 import io.sqreen.powerwaf.exception.TimeoutPowerwafException;
+import io.sqreen.powerwaf.exception.UnclassifiedPowerwafException;
 import java.io.IOException;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationHandler;
@@ -439,11 +440,21 @@ public void onDataAvailable(
           log.debug(LogCollector.EXCLUDE_TELEMETRY, "Timeout calling the WAF", tpe);
         }
         return;
-      } catch (AbstractPowerwafException e) {
+      } catch (UnclassifiedPowerwafException e) {
         if (!reqCtx.isAdditiveClosed()) {
           log.error("Error calling WAF", e);
         }
         return;
+      } catch (AbstractPowerwafException e) {
+        if (gwCtx.isRasp) {
+          reqCtx.increaseRaspErrorCode(e.code);
+          WafMetricCollector.get().raspErrorCode(gwCtx.raspRuleType, e.code);
+        } else {
+          // TODO APPSEC-56703
+          // reqCtx.increaseWafErrorCode(e.code);
+          // WafMetricCollector.get().wafErrorCode(e.code);
+        }
+        return;
       } finally {
         if (log.isDebugEnabled()) {
           long elapsed = System.currentTimeMillis() - start;
diff --git a/internal-api/src/main/java/datadog/trace/api/telemetry/WafMetricCollector.java b/internal-api/src/main/java/datadog/trace/api/telemetry/WafMetricCollector.java
@@ -6,13 +6,17 @@
 import java.util.List;
 import java.util.concurrent.ArrayBlockingQueue;
 import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.ConcurrentMap;
+import java.util.concurrent.ConcurrentSkipListMap;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.concurrent.atomic.AtomicLongArray;
 
 public class WafMetricCollector implements MetricCollector<WafMetricCollector.WafMetric> {
 
   public static WafMetricCollector INSTANCE = new WafMetricCollector();
+  private static final int ABSTRACT_POWERWAF_EXCEPTION_NUMBER =
+      3; // only 3 error codes are possible for now in AbstractPowerwafException
 
   public static WafMetricCollector get() {
     return WafMetricCollector.INSTANCE;
@@ -40,6 +44,8 @@ private WafMetricCollector() {
       new AtomicLongArray(RuleType.getNumValues());
   private static final AtomicLongArray raspTimeoutCounter =
       new AtomicLongArray(RuleType.getNumValues());
+  private static final ConcurrentMap<Integer, AtomicLongArray> raspErrorCodeCounter =
+      new ConcurrentSkipListMap<>();
   private static final AtomicLongArray missingUserLoginQueue =
       new AtomicLongArray(LoginFramework.getNumValues() * LoginEvent.getNumValues());
   private static final AtomicLongArray missingUserIdQueue =
@@ -104,6 +110,10 @@ public void raspTimeout(final RuleType ruleType) {
     raspTimeoutCounter.incrementAndGet(ruleType.ordinal());
   }
 
+  public void raspErrorCode(final RuleType ruleType, final int ddwafRunErrorCode) {
+    raspErrorCodeCounter.get(ddwafRunErrorCode).incrementAndGet(ruleType.ordinal());
+  }
+
   public void missingUserLogin(final LoginFramework framework, final LoginEvent eventType) {
     missingUserLoginQueue.incrementAndGet(
         framework.ordinal() * LoginEvent.getNumValues() + eventType.ordinal());
@@ -216,6 +226,21 @@ public void prepareMetrics() {
       }
     }
 
+    // RASP rule type for each possible error code
+    for (int i = -1 * ABSTRACT_POWERWAF_EXCEPTION_NUMBER; i < 0; i++) {
+      raspErrorCodeCounter.put(i, new AtomicLongArray(RuleType.getNumValues()));
+
+      for (RuleType ruleType : RuleType.values()) {
+        long counter = raspErrorCodeCounter.get(i).getAndSet(ruleType.ordinal(), 0);
+        if (counter > 0) {
+          if (!rawMetricsQueue.offer(
+              new RaspError(counter, ruleType, WafMetricCollector.wafVersion, i))) {
+            return;
+          }
+        }
+      }
+    }
+
     // Missing user login
     for (LoginFramework framework : LoginFramework.values()) {
       for (LoginEvent event : LoginEvent.values()) {
@@ -367,6 +392,27 @@ public RaspTimeout(final long counter, final RuleType ruleType, final String waf
     }
   }
 
+  public static class RaspError extends WafMetric {
+    public RaspError(
+        final long counter,
+        final RuleType ruleType,
+        final String wafVersion,
+        final Integer ddwafRunError) {
+      super(
+          "rasp.error",
+          counter,
+          ruleType.variant != null
+              ? new String[] {
+                "rule_type:" + ruleType.type,
+                "rule_variant:" + ruleType.variant,
+                "waf_version:" + wafVersion,
+                "event_rules_version:" + rulesVersion,
+                "waf_error:" + ddwafRunError
+              }
+              : new String[] {"rule_type:" + ruleType.type, "waf_version:" + wafVersion});
+    }
+  }
+
   public static class AtomicRequestCounter {
 
     private final AtomicLong atomicLong = new AtomicLong();
