Release v1.29.0 (#463)

Author: Anilm3

CHANGELOG.md

@@ -1,5 +1,74 @@
 # libddwaf release
 
+## v1.29.0 ([unstable](https://github.com/DataDog/libddwaf/blob/master/README.md#versioning-semantics))
+
+### New Features
+
+This release introduces a focused set of features addressing the most pressing use cases. Barring any necessary patch releases, this will constitute the final v1.x release.
+
+#### Block ID
+
+Block and redirect actions now include a `block_id` in their action parameters. This same ID is also included in the generated event, allowing the WAF caller to reference it in the blocking response or add it as a query parameter in a redirect. This ensures that each blocking action can be reliably correlated with its corresponding event.
+
+The following is an example of a block request action, including the new ID:
+
+```yaml
+actions:
+  block_request:
+    status_code: 403
+    grpc_status_code: 10
+    type: auto
+    block_id: "55af6314-9e02-11f0-b0a3-23dee2d4f390"
+```
+
+#### Identifier validation through checksums
+
+A new operator, `match_regex_with_checksum`, has been introduced to improve the accuracy of detections performed using a regular expression, when the identifier itself has a built-in validation mechanism, by performing a secondary validation through a checksum. The checksum may be a purpose-built or generic algorithm, however at this time only the Luhn algorithm is supported.
+
+The configuration of the operator is equivalent to the `match_regex` operator, except for the addition of the `checksum` parameter:
+
+```yaml
+operator: match_regex_with_checksum
+parameters:
+  inputs: [{ address: server.request.body }]
+  regex: "\\b4\\d{3}(?:(?:,\\d{4}){3}|(?:\\s\\d{4}){3}|(?:\\.\\d{4}){3}|(?:-\\d{4}){3})\\b"
+  options: { min_length: 16 }
+  checksum: luhn
+```
+
+#### Incremental processor overrides
+
+Processor overrides have been updated to allow for incremental additions or removals of scanners to a given processor. Before this release, processor overrides fully replaced the list of scanners of a processor, however now each override contributes to the set by either adding or removing scanners.
+
+While this is technically a breaking change, processor overrides are not currently in use. An example of a processor override including and excluding scanners can be seen below:
+
+```json
+{
+  "processor_overrides": [
+    {
+      "target": [{ "id": "extract-content" }],
+      "scanners": {
+        "include": [{ "id": "scanner-001" }],
+        "exclude": [{ "tags": { "type": "email" } }]
+      }
+    }
+  ]
+}
+```
+
+### Release changelog
+
+#### Fixes
+-  Fix single-char matches on `phrase_match` ([#462](https://github.com/DataDog/libddwaf/pull/462))
+
+#### Changes
+- `match_regex_with_checksum` operator: match and verify regexes with a checksum ([#450](https://github.com/DataDog/libddwaf/pull/450))
+- Add block ID to block & redirect action parameters & event ([#459](https://github.com/DataDog/libddwaf/pull/459))
+- Incremental processor overrides ([#461](https://github.com/DataDog/libddwaf/pull/461))
+
+#### Miscellaneous
+- Replace number with integer for integer-only attrs ([#457](https://github.com/DataDog/libddwaf/pull/457))
+
 ## v1.28.1 ([unstable](https://github.com/DataDog/libddwaf/blob/master/README.md#versioning-semantics))
 ### Release changelog
 #### Fixes

version

@@ -1 +1 @@
-1.28.1
+1.29.0