Expand Up @@ -168,6 +168,7 @@ public class AppSecRequestContext implements DataBundle, Closeable {
private volatile boolean wafTruncated;
private volatile boolean wafRequestBlockFailure;
private volatile boolean wafRateLimited;
private volatile boolean wafRequestExcluded;

private volatile int wafTimeouts;
private volatile int raspTimeouts;
Expand Down Expand Up @@ -287,6 +288,15 @@ public boolean isWafRateLimited() {
return wafRateLimited;
}

// placeholder: libddwaf does not yet expose exclusion filter results
public void setWafRequestExcluded() {
wafRequestExcluded = true;
}

public boolean isWafRequestExcluded() {
return wafRequestExcluded;
}

public void increaseWafTimeouts() {
WAF_TIMEOUTS_UPDATER.incrementAndGet(this);
}
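Review bot: Nothing in this changeset calls setWafRequestExcluded(), so isWafRequestExcluded() always returns false and the downstream tag will always read "none", which asserts "no exclusion happened" rather than "exclusion state not available"; the placeholder comment above the setter should make that explicit so a consumer of the metric does not treat it as a real signal yet. I would turn the line comment into Javadoc on the getter, e.g. `/** Placeholder: libddwaf does not yet expose exclusion-filter results, so this is never set and always returns false (reported as request_excluded:none). */`. The field itself is volatile like its siblings, which is consistent with the existing flags in this class.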
Expand Up @@ -1057,7 +1057,8 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
ctx.getWafTimeouts() > 0, // wafTimeout,
ctx.isWafRequestBlockFailure(), // blockFailure,
ctx.isWafRateLimited(), // rateLimited,
ctx.isWafTruncated() // inputTruncated
ctx.isWafTruncated(), // inputTruncated
ctx.isWafRequestExcluded() // requestExcluded
);
}

Expand Up @@ -210,7 +210,7 @@ class GatewayBridgeSpecification extends DDSpecification {
1 * mockAppSecCtx.isWafRequestBlockFailure()
1 * mockAppSecCtx.isWafRateLimited()
1 * mockAppSecCtx.isWafTruncated()
1 * wafMetricCollector.wafRequest(_, _, _, _, _, _, _) // call waf request metric
1 * wafMetricCollector.wafRequest(_, _, _, _, _, _, _, _) // call waf request metric
flow.result == null
flow.action == Flow.Action.Noop.INSTANCE
}
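Review bot: The interaction list grows the wafRequest arity to eight but does not add an expectation for the new context read, even though onRequestEnded now calls isWafRequestExcluded() alongside isWafTruncated(); with a Spock Mock the missing call is silently tolerated, so the spec would not notice if the new argument were wired to the wrong getter. Add `1 * mockAppSecCtx.isWafRequestExcluded()` next to the other `1 * mockAppSecCtx.isWaf...()` lines so the new read is pinned like its siblings. The enclosing feature method starts before this hunk.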
Expand Up @@ -33,7 +33,7 @@ private WafMetricCollector() {
private static final BlockingQueue<WafMetric> rawMetricsQueue =
new ArrayBlockingQueue<>(RAW_QUEUE_SIZE);

private static final int WAF_REQUEST_COMBINATIONS = 128; // 2^7
private static final int WAF_REQUEST_COMBINATIONS = 256; // 2^8
private final AtomicLongArray wafRequestCounter = new AtomicLongArray(WAF_REQUEST_COMBINATIONS);

private static final AtomicLongArray wafInputTruncatedCounter =
Expand Down Expand Up @@ -99,7 +99,8 @@ public void wafRequest(
final boolean wafTimeout,
final boolean blockFailure,
final boolean rateLimited,
final boolean inputTruncated) {
final boolean inputTruncated,
final boolean requestExcluded) {
Comment thread
jandro996 marked this conversation as resolved.
int index =
computeWafRequestIndex(
ruleTriggered,
Expand All @@ -108,7 +109,8 @@ public void wafRequest(
wafTimeout,
blockFailure,
rateLimited,
inputTruncated);
inputTruncated,
requestExcluded);
wafRequestCounter.incrementAndGet(index);
}

Expand All @@ -125,7 +127,8 @@ static int computeWafRequestIndex(
boolean wafTimeout,
boolean blockFailure,
boolean rateLimited,
boolean inputTruncated) {
boolean inputTruncated,
boolean requestExcluded) {
int index = 0;
if (ruleTriggered) index |= 1;
if (requestBlocked) index |= 1 << 1;
Expand All @@ -134,6 +137,7 @@ static int computeWafRequestIndex(
if (blockFailure) index |= 1 << 4;
if (rateLimited) index |= 1 << 5;
if (inputTruncated) index |= 1 << 6;
if (requestExcluded) index |= 1 << 7;
return index;
}

Expand Down Expand Up @@ -233,6 +237,7 @@ public void prepareMetrics() {
boolean blockFailure = (i & (1 << 4)) != 0;
boolean rateLimited = (i & (1 << 5)) != 0;
boolean inputTruncated = (i & (1 << 6)) != 0;
boolean requestExcluded = (i & (1 << 7)) != 0;

if (!rawMetricsQueue.offer(
new WafRequestsRawMetric(
Expand All @@ -245,7 +250,8 @@ public void prepareMetrics() {
wafTimeout,
blockFailure,
rateLimited,
inputTruncated))) {
inputTruncated,
requestExcluded))) {
return;
}
}
Expand Down Expand Up @@ -497,7 +503,8 @@ public WafRequestsRawMetric(
final boolean wafTimeout,
final boolean blockFailure,
final boolean rateLimited,
final boolean inputTruncated) {
final boolean inputTruncated,
final boolean requestExcluded) {
super(
"waf.requests",
counter,
Expand All @@ -509,7 +516,8 @@ public WafRequestsRawMetric(
"waf_timeout:" + wafTimeout,
"block_failure:" + blockFailure,
"rate_limited:" + rateLimited,
"input_truncated:" + inputTruncated);
"input_truncated:" + inputTruncated,
"request_excluded:" + (requestExcluded ? "full" : "none"));
}
}
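Review bot: The new tag is serialized as `"full"`/`"none"` while every sibling tag is serialized as a plain boolean, which suggests the tag's value space is wider than two states (presumably a partial-exclusion value exists upstream); a single bit at position 7 cannot carry that, and adding a third value later means a second bit and another bump of WAF_REQUEST_COMBINATIONS, so this should be stated where the bit is allocated. I would add above `if (requestExcluded) index |= 1 << 7;` a comment such as `// bit 7: request fully excluded by WAF exclusion filters; only full/none is representable here` and mirror the value list in the WafRequestsRawMetric constructor. The bit layout itself is consistent: bits 0–7 give 256 indices, matching the new array size and the decode loop in prepareMetrics (whose loop bound is outside this hunk, so confirm it reads WAF_REQUEST_COMBINATIONS rather than a literal).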

Expand Up @@ -432,6 +432,7 @@ class WafMetricCollectorTest extends DDSpecification {
void 'test waf request metrics'() {
given:
def collector = WafMetricCollector.get()
collector.wafInit('waf_ver1', 'rules.1', true)

when:
collector.wafRequest(
Expand All @@ -441,18 +442,21 @@ class WafMetricCollectorTest extends DDSpecification {
wafTimeout,
blockFailure,
rateLimited,
inputTruncated
inputTruncated,
requestExcluded
)

then:
collector.prepareMetrics()
def metrics = collector.drain()
def requestMetrics = metrics.findAll { it.metricName == 'waf.requests' }

requestMetrics.size() == 1
final metric = requestMetrics[0]
metric.type == 'count'
metric.metricName == 'waf.requests'
metric.namespace == 'appsec'
metric.value == 1
metric.tags == [
"waf_version:waf_ver1",
"event_rules_version:rules.1",
Expand All @@ -462,11 +466,21 @@ class WafMetricCollectorTest extends DDSpecification {
"waf_timeout:${wafTimeout}",
"block_failure:${blockFailure}",
"rate_limited:${rateLimited}",
"input_truncated:${inputTruncated}"
"input_truncated:${inputTruncated}",
"request_excluded:${requestExcluded ? 'full' : 'none'}"
]

where:
[triggered, blocked, wafError, wafTimeout, blockFailure, rateLimited, inputTruncated] << allBooleanCombinations(7)
[
triggered,
blocked,
wafError,
wafTimeout,
blockFailure,
rateLimited,
inputTruncated,
requestExcluded
] << allBooleanCombinations(8)
}

void 'test waf input truncated metrics'() {
Expand Up @@ -43,16 +43,16 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
void 'push waf request metrics and push into the telemetry'() {
when:
WafMetricCollector.get().wafInit('0.0.0', 'rules_ver_1', true)
WafMetricCollector.get().wafRequest(false, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(true, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, true, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, true, false, false, false)
WafMetricCollector.get().wafRequest(false, false, true, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, false, true, false)
WafMetricCollector.get().wafRequest(false, false, false, false, true, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, false, false, true)
WafMetricCollector.get().wafRequest(false, false, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(true, false, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, true, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, true, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, true, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, false, true, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, true, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, false, false, true, false)
WafMetricCollector.get().prepareMetrics()
periodicAction.doIteration(telemetryService)

Expand All @@ -75,6 +75,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:false',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -91,6 +92,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:false',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -107,6 +109,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:false',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -123,6 +126,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:false',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -139,6 +143,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:false',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -155,6 +160,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:true',
'rate_limited:false',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -171,6 +177,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:true',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -187,20 +194,21 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:false',
'input_truncated:true',
'request_excluded:none',
]
} )
0 * _._

when: 'waf.updates happens'
WafMetricCollector.get().wafUpdates('rules_ver_2', true)
WafMetricCollector.get().wafRequest(false, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(true, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, true, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, true, false, false, false)
WafMetricCollector.get().wafRequest(false, false, true, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, false, true, false)
WafMetricCollector.get().wafRequest(false, false, false, false, true, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, false, false, true)
WafMetricCollector.get().wafRequest(false, false, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(true, false, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, true, false, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, true, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, true, false, false, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, false, true, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, true, false, false, false)
WafMetricCollector.get().wafRequest(false, false, false, false, false, false, true, false)
WafMetricCollector.get().prepareMetrics()
periodicAction.doIteration(telemetryService)

Expand All @@ -223,6 +231,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:false',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -239,6 +248,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:false',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -255,6 +265,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:false',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -271,6 +282,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:false',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -287,6 +299,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:false',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -303,6 +316,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:true',
'rate_limited:false',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -319,6 +333,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:true',
'input_truncated:false',
'request_excluded:none',
]
} )
1 * telemetryService.addMetric( { Metric metric ->
Expand All @@ -335,6 +350,7 @@ class WafMetricPeriodicActionSpecification extends DDSpecification {
'block_failure:false',
'rate_limited:false',
'input_truncated:true',
'request_excluded:none',
]
} )
0 * _._
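Review bot: Every wafRequest(...) call in both `when:` blocks passes false for the new eighth argument, so the telemetry path for an excluded request is never exercised here and `'request_excluded:none'` is only ever asserted as a constant; a regression that dropped or mis-encoded bit 7 in the periodic action would go unnoticed. Add one call such as `WafMetricCollector.get().wafRequest(false, false, false, false, false, false, false, true)` to the first block and a matching `addMetric` expectation whose tags end with `'request_excluded:full'`, alongside the existing single-flag cases. The feature method's tail, including the final `0 * _._`, is at the end of this section.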