Update WAF to 5.9.0 (#8339)

AlexFenlon · web-flow · commit 25326917c29b · 2025-10-03T16:47:39.000+01:00
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
@@ -275,7 +275,7 @@ jobs:
 
       - name: Generate WAF v5 tgz from JSON
         run: |
-          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.8.0 -p /data/wafv5.json -o /data/wafv5.tgz
+          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.9.0 -p /data/wafv5.json -o /data/wafv5.tgz
         if: ${{ contains(matrix.images.image, 'nap-v5')}}
 
       - name: Run Regression Tests
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
@@ -152,7 +152,7 @@ jobs:
 
       - name: Generate WAF v5 tgz from JSON
         run: |
-          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.8.0 -p /data/wafv5.json -o /data/wafv5.tgz
+          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.9.0 -p /data/wafv5.json -o /data/wafv5.tgz
         if: ${{ contains(inputs.image, 'nap-v5')}}
 
       - name: Run Smoke Tests
diff --git a/Makefile b/Makefile
@@ -4,9 +4,9 @@ GIT_TAG = $(shell git describe --exact-match --tags || echo untagged)
 VERSION = $(VER)-SNAPSHOT
 NGINX_OSS_VERSION             ?= 1.29
 NGINX_PLUS_VERSION            ?= R35
-NAP_WAF_VERSION               ?= 35+5.498
-NAP_WAF_COMMON_VERSION        ?= 11.533
-NAP_WAF_PLUGIN_VERSION        ?= 6.20.0
+NAP_WAF_VERSION               ?= 35+5.527
+NAP_WAF_COMMON_VERSION        ?= 11.559
+NAP_WAF_PLUGIN_VERSION        ?= 6.23.0
 NGINX_AGENT_VERSION           ?= 3.3
 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key
 
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -2,9 +2,9 @@
 ARG BUILD_OS=debian
 ARG NGINX_OSS_VERSION=1.29
 ARG NGINX_PLUS_VERSION=R35
-ARG NAP_WAF_VERSION=35+5.498
-ARG NAP_WAF_COMMON_VERSION=11.533
-ARG NAP_WAF_PLUGIN_VERSION=6.20.0
+ARG NAP_WAF_VERSION=35+5.527
+ARG NAP_WAF_COMMON_VERSION=11.559
+ARG NAP_WAF_PLUGIN_VERSION=6.23.0
 ARG NGINX_AGENT_VERSION=3.3
 ARG DOWNLOAD_TAG=edge
 ARG DEBIAN_FRONTEND=noninteractive
diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json
@@ -350,10 +350,10 @@
                     },
                     "tag": {
                       "type": "string",
-                      "default": "5.8.0",
+                      "default": "5.9.0",
                       "title": "The tag of the  App Protect WAF v5 Enforcer image",
                       "examples": [
-                        "5.8.0"
+                        "5.9.0"
                       ]
                     },
                     "digest": {
@@ -389,7 +389,7 @@
                   "examples": [
                     {
                       "repository": "private-registry.nginx.com/nap/waf-enforcer",
-                      "tag": "5.8.0",
+                      "tag": "5.9.0",
                       "pullPolicy": "IfNotPresent"
                     }
                   ]
@@ -422,10 +422,10 @@
                     },
                     "tag": {
                       "type": "string",
-                      "default": "5.8.0",
+                      "default": "5.9.0",
                       "title": "The tag of the  App Protect WAF v5 Config Manager image",
                       "examples": [
-                        "5.8.0"
+                        "5.9.0"
                       ]
                     },
                     "digest": {
@@ -461,7 +461,7 @@
                   "examples": [
                     {
                       "repository": "private-registry.nginx.com/nap/waf-config-mgr",
-                      "tag": "5.8.0",
+                      "tag": "5.9.0",
                       "pullPolicy": "IfNotPresent"
                     }
                   ]
@@ -2020,15 +2020,15 @@
               "port": 50000,
               "image": {
                 "repository": "private-registry.nginx.com/nap/waf-enforcer",
-                "tag": "5.8.0",
+                "tag": "5.9.0",
                 "pullPolicy": "IfNotPresent"
               },
               "securityContext": {}
             },
             "configManager": {
               "image": {
                 "repository": "private-registry.nginx.com/nap/waf-config-mgr",
-                "tag": "5.8.0",
+                "tag": "5.9.0",
                 "pullPolicy": "IfNotPresent"
               },
               "securityContext": {
@@ -2660,15 +2660,15 @@
             "port": 50000,
             "image": {
               "repository": "private-registry.nginx.com/nap/waf-enforcer",
-              "tag": "5.8.0",
+              "tag": "5.9.0",
               "pullPolicy": "IfNotPresent"
             },
             "securityContext": {}
           },
           "configManager": {
             "image": {
               "repository": "private-registry.nginx.com/nap/waf-config-mgr",
-              "tag": "5.8.0",
+              "tag": "5.9.0",
               "pullPolicy": "IfNotPresent"
             },
             "securityContext": {
diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
@@ -84,7 +84,7 @@ controller:
         repository: private-registry.nginx.com/nap/waf-enforcer
 
         ## The tag of the App Protect WAF v5 Enforcer image.
-        tag: "5.8.0"
+        tag: "5.9.0"
         ## The digest of the App Protect WAF v5 Enforcer image.
         ## If digest is specified it has precedence over tag and will be used instead
         # digest: "sha256:CHANGEME"
@@ -100,7 +100,7 @@ controller:
         repository: private-registry.nginx.com/nap/waf-config-mgr
 
         ## The tag of the App Protect WAF v5 Configuration Manager image.
-        tag: "5.8.0"
+        tag: "5.9.0"
         ## The digest of the App Protect WAF v5 Configuration Manager image.
         ## If digest is specified it has precedence over tag and will be used instead
         # digest: "sha256:CHANGEME"
diff --git a/charts/tests/__snapshots__/helmunit_test.snap b/charts/tests/__snapshots__/helmunit_test.snap
@@ -1936,7 +1936,7 @@ spec:
           - -weight-changes-dynamic-reload=false
       
       - name: waf-enforcer
-        image: my.private.reg/nap/waf-enforcer:5.8.0
+        image: my.private.reg/nap/waf-enforcer:5.9.0
         imagePullPolicy: "IfNotPresent"
         env:
           - name: ENFORCER_PORT
@@ -1947,7 +1947,7 @@ spec:
           - name: app-protect-bd-config
             mountPath: /opt/app_protect/bd_config
       - name: waf-config-mgr
-        image: my.private.reg/nap/waf-config-mgr:5.8.0
+        image: my.private.reg/nap/waf-config-mgr:5.9.0
         imagePullPolicy: "IfNotPresent"
         securityContext:
       
@@ -2519,7 +2519,7 @@ spec:
           - -agent-instance-group=app-protect-wafv5-agentv2-nginx-ingress-controller
       
       - name: waf-enforcer
-        image: my.private.reg/nap/waf-enforcer:5.8.0
+        image: my.private.reg/nap/waf-enforcer:5.9.0
         imagePullPolicy: "IfNotPresent"
         env:
           - name: ENFORCER_PORT
@@ -2530,7 +2530,7 @@ spec:
           - name: app-protect-bd-config
             mountPath: /opt/app_protect/bd_config
       - name: waf-config-mgr
-        image: my.private.reg/nap/waf-config-mgr:5.8.0
+        image: my.private.reg/nap/waf-config-mgr:5.9.0
         imagePullPolicy: "IfNotPresent"
         securityContext:
       
diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go
@@ -12,7 +12,6 @@ import (
 	"os/signal"
 	"path/filepath"
 	"reflect"
-	"regexp"
 	"runtime"
 	"strings"
 	"syscall"
@@ -146,8 +145,7 @@ func main() {
 	if *appProtect {
 		appProtectVersion = getAppProtectVersionInfo(ctx)
 
-		r := regexp.MustCompile("^5.*")
-		if r.MatchString(appProtectVersion) {
+		if _, err := os.Stat("/opt/app_protect/VERSION.common"); os.IsNotExist(err) {
 			appProtectV5 = true
 			appProtectBundlePath = appProtectv5BundleFolder
 		}
diff --git a/tests/data/modules/data.json b/tests/data/modules/data.json
@@ -80,11 +80,11 @@
         },
         {
           "name": "nginx-plus-module-appprotect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect-attack-signatures",
@@ -126,15 +126,15 @@
         },
         {
           "name": "nginx-plus-module-appprotect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect-module-plus",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect-plugin",
-          "version": "6.20.0"
+          "version": "6.23.0"
         },
         {
           "name": "nginx-agent",
@@ -202,11 +202,11 @@
         },
         {
           "name": "nginx-plus-module-appprotect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect-attack-signatures",
@@ -349,11 +349,11 @@
         },
         {
           "name": "nginx-plus-module-appprotect",
-          "version": "35.5.498"
+          "version": "35.5.527"
         },
         {
           "name": "app-protect",
-          "version": "35.5.498"
+          "version": "35.5.527"
         },
         {
           "name": "app-protect-attack-signatures",
@@ -395,15 +395,15 @@
         },
         {
           "name": "nginx-plus-module-appprotect",
-          "version": "35.5.498"
+          "version": "35.5.527"
         },
         {
           "name": "app-protect-module-plus",
-          "version": "35.5.498"
+          "version": "35.5.527"
         },
         {
           "name": "app-protect-plugin",
-          "version": "6.20.0"
+          "version": "6.23.0"
         }
       ],
       "system": "alpine",
@@ -495,11 +495,11 @@
         },
         {
           "name": "nginx-plus-module-appprotect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect-attack-signatures",
@@ -541,15 +541,15 @@
         },
         {
           "name": "nginx-plus-module-appprotect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect-module-plus",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect-plugin",
-          "version": "6.20.0"
+          "version": "6.23.0"
         }
       ],
       "system": "ubi",
@@ -583,11 +583,11 @@
         },
         {
           "name": "nginx-plus-module-appprotect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect-attack-signatures",
@@ -629,15 +629,15 @@
         },
         {
           "name": "nginx-plus-module-appprotect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect-module-plus",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect-plugin",
-          "version": "6.20.0"
+          "version": "6.23.0"
         }
       ],
       "system": "ubi",
@@ -701,7 +701,7 @@
         },
         {
           "name": "nginx-plus-module-appprotect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "nginx-plus-module-appprotectdos",
@@ -713,7 +713,7 @@
         },
         {
           "name": "app-protect",
-          "version": "35+5.498"
+          "version": "35+5.527"
         },
         {
           "name": "app-protect-attack-signatures",
diff --git a/tests/settings.py b/tests/settings.py
@@ -33,4 +33,4 @@
 # Nginx registry address to pull waf components from
 NGX_REG = "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr"
 # WAF component version to pull from above registry
-WAF_V5_VERSION = "5.8.0"
+WAF_V5_VERSION = "5.9.0"

Original file line number	Diff line number	Diff line change
`@@ -80,11 +80,11 @@`
`80`	`80`	`},`
`81`	`81`	`{`
`82`	`82`	`"name": "nginx-plus-module-appprotect",`
`83`		`- "version": "35+5.498"`
	`83`	`+ "version": "35+5.527"`
`84`	`84`	`},`
`85`	`85`	`{`
`86`	`86`	`"name": "app-protect",`
`87`		`- "version": "35+5.498"`
	`87`	`+ "version": "35+5.527"`
`88`	`88`	`},`
`89`	`89`	`{`
`90`	`90`	`"name": "app-protect-attack-signatures",`
`@@ -126,15 +126,15 @@`
`126`	`126`	`},`
`127`	`127`	`{`
`128`	`128`	`"name": "nginx-plus-module-appprotect",`
`129`		`- "version": "35+5.498"`
	`129`	`+ "version": "35+5.527"`
`130`	`130`	`},`
`131`	`131`	`{`
`132`	`132`	`"name": "app-protect-module-plus",`
`133`		`- "version": "35+5.498"`
	`133`	`+ "version": "35+5.527"`
`134`	`134`	`},`
`135`	`135`	`{`
`136`	`136`	`"name": "app-protect-plugin",`
`137`		`- "version": "6.20.0"`
	`137`	`+ "version": "6.23.0"`
`138`	`138`	`},`
`139`	`139`	`{`
`140`	`140`	`"name": "nginx-agent",`
`@@ -202,11 +202,11 @@`
`202`	`202`	`},`
`203`	`203`	`{`
`204`	`204`	`"name": "nginx-plus-module-appprotect",`
`205`		`- "version": "35+5.498"`
	`205`	`+ "version": "35+5.527"`
`206`	`206`	`},`
`207`	`207`	`{`
`208`	`208`	`"name": "app-protect",`
`209`		`- "version": "35+5.498"`
	`209`	`+ "version": "35+5.527"`
`210`	`210`	`},`
`211`	`211`	`{`
`212`	`212`	`"name": "app-protect-attack-signatures",`
`@@ -349,11 +349,11 @@`
`349`	`349`	`},`
`350`	`350`	`{`
`351`	`351`	`"name": "nginx-plus-module-appprotect",`
`352`		`- "version": "35.5.498"`
	`352`	`+ "version": "35.5.527"`
`353`	`353`	`},`
`354`	`354`	`{`
`355`	`355`	`"name": "app-protect",`
`356`		`- "version": "35.5.498"`
	`356`	`+ "version": "35.5.527"`
`357`	`357`	`},`
`358`	`358`	`{`
`359`	`359`	`"name": "app-protect-attack-signatures",`
`@@ -395,15 +395,15 @@`
`395`	`395`	`},`
`396`	`396`	`{`
`397`	`397`	`"name": "nginx-plus-module-appprotect",`
`398`		`- "version": "35.5.498"`
	`398`	`+ "version": "35.5.527"`
`399`	`399`	`},`
`400`	`400`	`{`
`401`	`401`	`"name": "app-protect-module-plus",`
`402`		`- "version": "35.5.498"`
	`402`	`+ "version": "35.5.527"`
`403`	`403`	`},`
`404`	`404`	`{`
`405`	`405`	`"name": "app-protect-plugin",`
`406`		`- "version": "6.20.0"`
	`406`	`+ "version": "6.23.0"`
`407`	`407`	`}`
`408`	`408`	`],`
`409`	`409`	`"system": "alpine",`
`@@ -495,11 +495,11 @@`
`495`	`495`	`},`
`496`	`496`	`{`
`497`	`497`	`"name": "nginx-plus-module-appprotect",`
`498`		`- "version": "35+5.498"`
	`498`	`+ "version": "35+5.527"`
`499`	`499`	`},`
`500`	`500`	`{`
`501`	`501`	`"name": "app-protect",`
`502`		`- "version": "35+5.498"`
	`502`	`+ "version": "35+5.527"`
`503`	`503`	`},`
`504`	`504`	`{`
`505`	`505`	`"name": "app-protect-attack-signatures",`
`@@ -541,15 +541,15 @@`
`541`	`541`	`},`
`542`	`542`	`{`
`543`	`543`	`"name": "nginx-plus-module-appprotect",`
`544`		`- "version": "35+5.498"`
	`544`	`+ "version": "35+5.527"`
`545`	`545`	`},`
`546`	`546`	`{`
`547`	`547`	`"name": "app-protect-module-plus",`
`548`		`- "version": "35+5.498"`
	`548`	`+ "version": "35+5.527"`
`549`	`549`	`},`
`550`	`550`	`{`
`551`	`551`	`"name": "app-protect-plugin",`
`552`		`- "version": "6.20.0"`
	`552`	`+ "version": "6.23.0"`
`553`	`553`	`}`
`554`	`554`	`],`
`555`	`555`	`"system": "ubi",`
`@@ -583,11 +583,11 @@`
`583`	`583`	`},`
`584`	`584`	`{`
`585`	`585`	`"name": "nginx-plus-module-appprotect",`
`586`		`- "version": "35+5.498"`
	`586`	`+ "version": "35+5.527"`
`587`	`587`	`},`
`588`	`588`	`{`
`589`	`589`	`"name": "app-protect",`
`590`		`- "version": "35+5.498"`
	`590`	`+ "version": "35+5.527"`
`591`	`591`	`},`
`592`	`592`	`{`
`593`	`593`	`"name": "app-protect-attack-signatures",`
`@@ -629,15 +629,15 @@`
`629`	`629`	`},`
`630`	`630`	`{`
`631`	`631`	`"name": "nginx-plus-module-appprotect",`
`632`		`- "version": "35+5.498"`
	`632`	`+ "version": "35+5.527"`
`633`	`633`	`},`
`634`	`634`	`{`
`635`	`635`	`"name": "app-protect-module-plus",`
`636`		`- "version": "35+5.498"`
	`636`	`+ "version": "35+5.527"`
`637`	`637`	`},`
`638`	`638`	`{`
`639`	`639`	`"name": "app-protect-plugin",`
`640`		`- "version": "6.20.0"`
	`640`	`+ "version": "6.23.0"`
`641`	`641`	`}`
`642`	`642`	`],`
`643`	`643`	`"system": "ubi",`
`@@ -701,7 +701,7 @@`
`701`	`701`	`},`
`702`	`702`	`{`
`703`	`703`	`"name": "nginx-plus-module-appprotect",`
`704`		`- "version": "35+5.498"`
	`704`	`+ "version": "35+5.527"`
`705`	`705`	`},`
`706`	`706`	`{`
`707`	`707`	`"name": "nginx-plus-module-appprotectdos",`
`@@ -713,7 +713,7 @@`
`713`	`713`	`},`
`714`	`714`	`{`
`715`	`715`	`"name": "app-protect",`
`716`		`- "version": "35+5.498"`
	`716`	`+ "version": "35+5.527"`
`717`	`717`	`},`
`718`	`718`	`{`
`719`	`719`	`"name": "app-protect-attack-signatures",`