Skip to content

appsec: implement waf.error and rasp.error#3963

Merged
cataphract merged 2 commits into
masterfrom
glopes/waf-rasp-error-metric
Jun 9, 2026
Merged

appsec: implement waf.error and rasp.error#3963
cataphract merged 2 commits into
masterfrom
glopes/waf-rasp-error-metric

Conversation

@cataphract

@cataphract cataphract commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Description

See APPSEC-62689

Reviewer checklist

  • Test coverage seems ok.
  • Appropriate labels assigned.

@cataphract cataphract requested a review from a team as a code owner June 8, 2026 14:14
@datadog-datadog-prod-us1-2

This comment has been minimized.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 169947b8fc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread appsec/helper-rust/src/client/metrics.rs
Comment thread appsec/helper-rust/src/client/metrics.rs Outdated
@cataphract cataphract force-pushed the glopes/waf-rasp-error-metric branch from 169947b to e312115 Compare June 8, 2026 16:53
@pr-commenter

pr-commenter Bot commented Jun 8, 2026

Copy link
Copy Markdown

Benchmarks [ tracer ]

Benchmark execution time: 2026-06-08 20:33:06

Comparing candidate commit 5cbd457 in PR branch glopes/waf-rasp-error-metric with baseline commit 8b837e8 in branch master.

Found 1 performance improvements and 3 performance regressions! Performance is the same for 190 metrics, 0 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

scenario:SamplingRuleMatchingBench/benchRegexMatching1

  • 🟥 execution_time [+51.262ns; +107.338ns] or [+3.487%; +7.301%]

scenario:SamplingRuleMatchingBench/benchRegexMatching2

  • 🟥 execution_time [+37.994ns; +116.006ns] or [+2.566%; +7.833%]

scenario:SamplingRuleMatchingBench/benchRegexMatching3

  • 🟥 execution_time [+37.071ns; +116.729ns] or [+2.509%; +7.899%]

scenario:TraceSerializationBench/benchSerializeTrace

  • 🟩 execution_time [-26.601µs; -10.699µs] or [-5.109%; -2.055%]

@cataphract cataphract requested a review from a team as a code owner June 8, 2026 19:14
@cataphract cataphract requested a review from estringana June 9, 2026 10:44
@@ -118,7 +118,6 @@ class TelemetryTests {
TelemetryHelpers.Metric connSuccess

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there no test checking for this new tags?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These tags are only issued if there is a bug. libddwaf doesn't return failures otherwise. Initially, I added new environment variables to simulate a failure and tested those, but environment variables and filtered on libdatadog, so it became too complicated.

cataphract and others added 2 commits June 9, 2026 12:02
The codecov CLI install fetched the signing key from
https://keybase.io/codecovsecurity/pgp_keys.asc, which now returns
HTTP 404 ("SELF-SIGNED PUBLIC KEY NOT FOUND"). Since the curl had no
-f, it piped the 404 body into `gpg --import`, which found no key and
exited non-zero, killing the step under `set -e` (exit 2) before any
coverage was produced. This broke all three coverage jobs (appsec code
coverage, helper-rust code coverage, helper-rust integration coverage)
on every branch, including master.

Fetch the same key (fingerprint 27034E7FDB850E0BBC2C62FF806BB28AED779869)
from keyserver.ubuntu.com instead, and add -fsSL so curl fails fast on
future breakage rather than silently piping an error page into gpg.
Verified the key validates codecov.SHA256SUM.sig.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@cataphract cataphract force-pushed the glopes/waf-rasp-error-metric branch from 5cbd457 to 3f67532 Compare June 9, 2026 11:03
@cataphract cataphract enabled auto-merge June 9, 2026 11:03
@cataphract cataphract merged commit 0f53344 into master Jun 9, 2026
27 of 28 checks passed
@cataphract cataphract deleted the glopes/waf-rasp-error-metric branch June 9, 2026 11:03
@github-actions github-actions Bot added the profiling Relates to the Continuous Profiler label Jun 9, 2026
@github-actions github-actions Bot added this to the 1.22.0 milestone Jun 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:asm profiling Relates to the Continuous Profiler tracing

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants