Telemetry span metrics

package.json

@@ -82,7 +82,7 @@
   },
   "dependencies": {
     "@datadog/libdatadog": "^0.4.0",
-    "@datadog/native-appsec": "8.4.0",
+    "@datadog/native-appsec": "8.5.0",
     "@datadog/native-iast-rewriter": "2.8.0",
     "@datadog/native-iast-taint-tracking": "3.3.0",
     "@datadog/native-metrics": "^3.1.0",

packages/dd-trace/src/appsec/blocking.js

@@ -4,6 +4,7 @@ const log = require('../log')
 const blockedTemplates = require('./blocked_templates')
 
 const detectedSpecificEndpoints = {}
+const MAX_ERROR_MESSAGE_LENGTH = 512
 
 let templateHtml = blockedTemplates.html
 let templateJson = blockedTemplates.json
@@ -105,24 +106,51 @@ function block (req, res, rootSpan, abortController, actionParameters = defaultB
     return
   }
 
-  const { body, headers, statusCode } = getBlockingData(req, null, actionParameters)
+  try {
+    const { body, headers, statusCode } = getBlockingData(req, null, actionParameters)
 
-  rootSpan.addTags({
-    'appsec.blocked': 'true'
-  })
+    for (const headerName of res.getHeaderNames()) {
+      res.removeHeader(headerName)
+    }
 
-  for (const headerName of res.getHeaderNames()) {
-    res.removeHeader(headerName)
-  }
+    res.writeHead(statusCode, headers)
+
+    // this is needed to call the original end method, since express-session replaces it
+    res.constructor.prototype.end.call(res, body)
 
-  res.writeHead(statusCode, headers)
+    responseBlockedSet.add(res)
 
-  // this is needed to call the original end method, since express-session replaces it
-  res.constructor.prototype.end.call(res, body)
+    abortController?.abort()
+
+    rootSpan.addTags({
+      'appsec.blocked': true
+    })
+  } catch (error) {
+    rootSpan.addTags({
+      '_dd.appsec.block.failed': 1
+    })
+
+    if (error.name) {
+      rootSpan.addTags({
+        '_dd.appsec.error.type': error.name // check telemetry logs section
+      })
+    }
 
-  responseBlockedSet.add(res)
+    if (error.message) {
+      rootSpan.addTags({
+        '_dd.appsec.error.message': truncateMessage(error.message)
+      })
+    }
+  }
+}
+
+function truncateMessage (msg) {
+  const buf = Buffer.from(msg, 'utf8')
+  if (buf.length <= MAX_ERROR_MESSAGE_LENGTH) {
+    return msg
+  }
 
-  abortController?.abort()
+  return buf.subarray(0, MAX_ERROR_MESSAGE_LENGTH).toString('utf8')
 }
 
 function getBlockingAction (actions) {

packages/dd-trace/src/appsec/reporter.js

@@ -89,16 +89,17 @@ function formatHeaderName (name) {
     .toLowerCase()
 }
 
-function reportWafInit (wafVersion, rulesVersion, diagnosticsRules = {}) {
+function reportWafInit (wafVersion, rulesVersion, diagnosticsRules, success) {
   metricsQueue.set('_dd.appsec.waf.version', wafVersion)
 
+  // TODO: these should be removed after per-configuration error reporting through remote configuration initiative
   metricsQueue.set('_dd.appsec.event_rules.loaded', diagnosticsRules.loaded?.length || 0)
   metricsQueue.set('_dd.appsec.event_rules.error_count', diagnosticsRules.failed?.length || 0)
   if (diagnosticsRules.failed?.length) {
     metricsQueue.set('_dd.appsec.event_rules.errors', JSON.stringify(diagnosticsRules.errors))
   }
 
-  incrementWafInitMetric(wafVersion, rulesVersion)
+  incrementWafInitMetric(wafVersion, rulesVersion, success)
 }
 
 function reportMetrics (metrics, raspRule) {
@@ -109,11 +110,28 @@ function reportMetrics (metrics, raspRule) {
   if (metrics.rulesVersion) {
     rootSpan.setTag('_dd.appsec.event_rules.version', metrics.rulesVersion)
   }
+
   if (raspRule) {
     updateRaspRequestsMetricTags(metrics, store.req, raspRule)
   } else {
     updateWafRequestsMetricTags(metrics, store.req)
   }
+
+  reportTruncationMetrics(rootSpan, metrics)
+}
+
+function reportTruncationMetrics (rootSpan, metrics) {
+  if (metrics.maxTruncatedString) {
+    rootSpan.setTag('_dd.appsec.truncated.string_length', metrics.maxTruncatedString)
+  }
+
+  if (metrics.maxTruncatedContainerSize) {
+    rootSpan.setTag('_dd.appsec.truncated.container_size', metrics.maxTruncatedContainerSize)
+  }
+
+  if (metrics.maxTruncatedContainerDepth) {
+    rootSpan.setTag('_dd.appsec.truncated.container_depth', metrics.maxTruncatedContainerDepth)
+  }
 }
 
 function reportAttack (attackData) {
@@ -194,6 +212,8 @@ function finishRequest (req, res) {
   }
 
   const metrics = getRequestMetrics(req)
+
+  // WAF metrics
   if (metrics?.duration) {
     rootSpan.setTag('_dd.appsec.waf.duration', metrics.duration)
   }
@@ -202,6 +222,15 @@ function finishRequest (req, res) {
     rootSpan.setTag('_dd.appsec.waf.duration_ext', metrics.durationExt)
   }
 
+  if (metrics?.wafTimeouts) {
+    rootSpan.setTag('_dd.appsec.waf.timeouts', metrics.wafTimeouts)
+  }
+
+  if (metrics?.wafErrorCode) {
+    rootSpan.setTag('_dd.appsec.waf.error', metrics.wafErrorCode)
+  }
+
+  // RASP metrics
   if (metrics?.raspDuration) {
     rootSpan.setTag('_dd.appsec.rasp.duration', metrics.raspDuration)
   }
@@ -210,10 +239,18 @@ function finishRequest (req, res) {
     rootSpan.setTag('_dd.appsec.rasp.duration_ext', metrics.raspDurationExt)
   }
 
+  if (metrics?.raspTimeouts) {
+    rootSpan.setTag('_dd.appsec.rasp.timeout', metrics.raspTimeouts)
+  }
+
   if (metrics?.raspEvalCount) {
     rootSpan.setTag('_dd.appsec.rasp.rule.eval', metrics.raspEvalCount)
   }
 
+  if (metrics?.raspErrorCode) {
+    rootSpan.setTag('_dd.appsec.rasp.error', metrics.raspErrorCode)
+  }
+
   incrementWafRequestsMetric(req)
 
   // collect some headers even when no attack is detected