DataDog
diff --git a/‎dd-java-agent/agent-ci-visibility/src/main/java/datadog/trace/civisibility/utils/ProcessHierarchyUtils.java‎
Lines changed: 5 additions & 1 deletion b/‎dd-java-agent/agent-ci-visibility/src/main/java/datadog/trace/civisibility/utils/ProcessHierarchyUtils.java‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java‎
Lines changed: 8 additions & 5 deletions b/‎dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java‎
Lines changed: 8 additions & 5 deletions
diff --git a/‎dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/powerwaf/PowerWAFModuleSpecification.groovy‎
Lines changed: 8 additions & 7 deletions b/‎dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/powerwaf/PowerWAFModuleSpecification.groovy‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎dd-java-agent/appsec/src/test/resources/test_multi_config.json‎
Lines changed: 27 additions & 1 deletion b/‎dd-java-agent/appsec/src/test/resources/test_multi_config.json‎
Lines changed: 27 additions & 1 deletion
diff --git a/‎dd-java-agent/instrumentation/iast-instrumenter/src/main/java/datadog/trace/instrumentation/iastinstrumenter/IastInstrumentation.java‎
Lines changed: 6 additions & 2 deletions b/‎dd-java-agent/instrumentation/iast-instrumenter/src/main/java/datadog/trace/instrumentation/iastinstrumenter/IastInstrumentation.java‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎dd-java-agent/instrumentation/iast-instrumenter/src/test/groovy/IastInstrumentationForkedTest.groovy‎
Lines changed: 68 additions & 2 deletions b/‎dd-java-agent/instrumentation/iast-instrumenter/src/test/groovy/IastInstrumentationForkedTest.groovy‎
Lines changed: 68 additions & 2 deletions
diff --git a/‎dd-java-agent/instrumentation/iast-instrumenter/src/test/groovy/IastInstrumentationTest.groovy‎
Lines changed: 0 additions & 25 deletions b/‎dd-java-agent/instrumentation/iast-instrumenter/src/test/groovy/IastInstrumentationTest.groovy‎
Lines changed: 0 additions & 25 deletions
diff --git a/‎dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy‎
Lines changed: 3 additions & 0 deletions b/‎dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎dd-smoke-tests/appsec/src/main/groovy/datadog/smoketest/appsec/AbstractAppSecServerSmokeTest.groovy‎
Lines changed: 0 additions & 2 deletions b/‎dd-smoke-tests/appsec/src/main/groovy/datadog/smoketest/appsec/AbstractAppSecServerSmokeTest.groovy‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎dd-smoke-tests/quarkus-native/application/.gitignore‎
Lines changed: 8 additions & 0 deletions b/‎dd-smoke-tests/quarkus-native/application/.gitignore‎
Lines changed: 8 additions & 0 deletions
@@ -38,7 +38,11 @@ private static boolean isMavenParent() {
   }
 
   private static boolean isGradleDaemon() {
-    return ClassLoader.getSystemClassLoader().getResource("org/gradle/launcher/daemon/") != null;
+    return ClassLoader.getSystemClassLoader()
+                .getResource("org/gradle/launcher/daemon/bootstrap/GradleDaemon.class")
+            != null
+        // double-check this is not a Gradle Worker
+        && System.getProperties().getProperty("org.gradle.internal.worker.tmpdir") == null;
   }
 
   public static long getParentSessionId() {
 
@@ -477,11 +477,14 @@ public void onDataAvailable(
           } else if ("redirect_request".equals(actionInfo.type)) {
             Flow.Action.RequestBlockingAction rba = createRedirectRequestAction(actionInfo);
             flow.setAction(rba);
-          } else if ("generate_stack".equals(actionInfo.type)
-              && Config.get().isAppSecStackTraceEnabled()) {
-            String stackId = (String) actionInfo.parameters.get("stack_id");
-            StackTraceEvent stackTraceEvent = createExploitStackTraceEvent(stackId);
-            reqCtx.reportStackTrace(stackTraceEvent);
+          } else if ("generate_stack".equals(actionInfo.type)) {
+            if (Config.get().isAppSecStackTraceEnabled()) {
+              String stackId = (String) actionInfo.parameters.get("stack_id");
+              StackTraceEvent stackTraceEvent = createExploitStackTraceEvent(stackId);
+              reqCtx.reportStackTrace(stackTraceEvent);
+            } else {
+              log.debug("Ignoring action with type generate_stack (disabled by config)");
+            }
           } else {
             log.info("Ignoring action with type {}", actionInfo.type);
           }
 
@@ -657,7 +657,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
 
     then:
     1 * segment.setTagTop('_dd.appsec.waf.version', _ as String)
-    1 * segment.setTagTop('_dd.appsec.event_rules.loaded', 115)
+    1 * segment.setTagTop('_dd.appsec.event_rules.loaded', 116)
     1 * segment.setTagTop('_dd.appsec.event_rules.error_count', 1)
     1 * segment.setTagTop('_dd.appsec.event_rules.errors', { it =~ /\{"[^"]+":\["bad rule"\]\}/})
     1 * segment.setTagTop('asm.keep', true)
@@ -777,11 +777,12 @@ class PowerWAFModuleSpecification extends DDSpecification {
     setupWithStubConfigService()
     AppSecEvent event
     StackTraceEvent stackTrace
-    injectSysConfig('appsec.stacktrace.enabled', 'true')
     pwafModule = new PowerWAFModule() // replace the one created too soon
+    def attackBundle = MapDataBundle.of(KnownAddresses.HEADERS_NO_COOKIES,
+      new CaseInsensitiveMap<List<String>>(['user-agent': 'Arachni/generate-stacktrace']))
 
     when:
-    dataListener.onDataAvailable(Stub(ChangeableFlow), ctx, ATTACK_BUNDLE, gwCtx)
+    dataListener.onDataAvailable(Stub(ChangeableFlow), ctx, attackBundle, gwCtx)
     ctx.closeAdditive()
 
     then:
@@ -791,16 +792,16 @@ class PowerWAFModuleSpecification extends DDSpecification {
     ctx.reportEvents(_ as Collection<AppSecEvent>) >> { event = it[0].iterator().next() }
     ctx.reportStackTrace(_ as StackTraceEvent) >> { stackTrace = it[0] }
 
-    event.rule.id == 'ua0-600-12x'
+    event.rule.id == 'generate-stacktrace-on-scanner'
     event.rule.name == 'Arachni'
     event.rule.tags == [type: 'security_scanner', category: 'attack_attempt']
 
     event.ruleMatches[0].operator == 'match_regex'
-    event.ruleMatches[0].operator_value == '^Arachni\\/v'
+    event.ruleMatches[0].operator_value == '^Arachni\\/generate-stacktrace'
     event.ruleMatches[0].parameters[0].address == 'server.request.headers.no_cookies'
-    event.ruleMatches[0].parameters[0].highlight == ['Arachni/v']
+    event.ruleMatches[0].parameters[0].highlight == ['Arachni/generate-stacktrace']
     event.ruleMatches[0].parameters[0].key_path == ['user-agent']
-    event.ruleMatches[0].parameters[0].value == 'Arachni/v0'
+    event.ruleMatches[0].parameters[0].value == 'Arachni/generate-stacktrace'
 
     event.spanId == 777
 
 
@@ -3803,7 +3803,33 @@
         }
       ],
       "transformers": [],
-      "on_match": ["block", "stack_trace"]
+      "on_match": ["block"]
+    },
+    {
+      "id": "generate-stacktrace-on-scanner",
+      "name": "Arachni",
+      "tags": {
+        "type": "security_scanner",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              }
+            ],
+            "regex": "^Arachni\\/generate-stacktrace"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [],
+      "on_match": ["stack_trace"]
     },
     {
       "id": "ua0-600-13x",
 
@@ -37,8 +37,12 @@ public ElementMatcher<TypeDescription> callerType() {
 
   @Override
   public boolean isApplicable(final Set<TargetSystem> enabledSystems) {
-    return enabledSystems.contains(TargetSystem.IAST)
-        || (enabledSystems.contains(TargetSystem.APPSEC) && Config.get().isAppSecRaspEnabled());
+    return enabledSystems.contains(TargetSystem.IAST) || isRaspEnabled();
+  }
+
+  private boolean isRaspEnabled() {
+    return InstrumenterConfig.get().getAppSecActivation() == ProductActivation.FULLY_ENABLED
+        && Config.get().isAppSecRaspEnabled();
   }
 
   @Override
 
@@ -1,5 +1,7 @@
 import datadog.trace.agent.test.AgentTestRunner
+import datadog.trace.agent.tooling.InstrumenterModule
 import datadog.trace.api.Config
+import datadog.trace.api.ProductActivation
 import datadog.trace.api.config.AppSecConfig
 import datadog.trace.api.config.IastConfig
 import datadog.trace.instrumentation.iastinstrumenter.IastInstrumentation
@@ -10,24 +12,50 @@ class IastInstrumentationForkedTest extends AgentTestRunner {
   @Shared
   boolean iastEnabled = false
 
+  @Shared
+  def appSecActivation = ProductActivation.ENABLED_INACTIVE
+
   @Shared
   boolean raspEnabled = false
 
+  @Shared
+  boolean applicable = false
+
   @Shared
   Set<Class<?>> expectedCallSites = []
 
+  Set<InstrumenterModule.TargetSystem> enabledSystems
+
   @Override
   protected void configurePreAgent() {
     injectSysConfig(IastConfig.IAST_ENABLED, iastEnabled.toString())
     injectSysConfig(AppSecConfig.APPSEC_RASP_ENABLED, raspEnabled.toString())
+    enabledSystems = new HashSet<>()
+    if (iastEnabled) {
+      enabledSystems.add(InstrumenterModule.TargetSystem.IAST)
+    }
+    if (appSecActivation == ProductActivation.ENABLED_INACTIVE) {
+      enabledSystems.add(InstrumenterModule.TargetSystem.APPSEC)
+    } else if (appSecActivation == ProductActivation.FULLY_ENABLED) {
+      enabledSystems.add(InstrumenterModule.TargetSystem.APPSEC)
+      injectSysConfig(AppSecConfig.APPSEC_ENABLED, "true")
+    } else {
+      injectSysConfig(AppSecConfig.APPSEC_ENABLED, "false")
+    }
   }
 
   void 'test Iast Instrumentation call site supplier'() {
     given:
     final instrumentation = new IastInstrumentation()
 
     when:
-    final callSites = instrumentation.callSites().get().toList()
+    final shouldApply = instrumentation.isApplicable(enabledSystems)
+
+    then:
+    shouldApply == applicable
+
+    when:
+    final callSites = !applicable ? [] : instrumentation.callSites().get().toList()
 
     then:
     callSites.size() == expectedCallSites.size()
@@ -47,25 +75,63 @@ class IastForkedTest extends IastInstrumentationForkedTest {
 
   boolean iastEnabled = true
 
+  def appSecActivation = ProductActivation.ENABLED_INACTIVE
+
   boolean raspEnabled = false
 
+  boolean applicable = true
+
   Set<Class<?>> expectedCallSites = [MockCallSites, MockCallSitesWithTelemetry]
 }
 
-class RaspForkedTest extends IastInstrumentationForkedTest {
+class AppSecInactiveRaspForkedTest extends IastInstrumentationForkedTest {
 
   boolean iastEnabled = false
 
+  def appSecActivation = ProductActivation.ENABLED_INACTIVE
+
   boolean raspEnabled = true
 
+  boolean applicable = false
+
+  Set<Class<?>> expectedCallSites = []
+}
+
+class AppSecDisabledRaspForkedTest extends IastInstrumentationForkedTest {
+
+  boolean iastEnabled = false
+
+  def appSecActivation = ProductActivation.FULLY_DISABLED
+
+  boolean raspEnabled = true
+
+  boolean applicable = false
+
+  Set<Class<?>> expectedCallSites = []
+}
+
+class AppSecEnabledRaspForkedTest extends IastInstrumentationForkedTest {
+
+  boolean iastEnabled = false
+
+  def appSecActivation = ProductActivation.FULLY_ENABLED
+
+  boolean raspEnabled = true
+
+  boolean applicable = true
+
   Set<Class<?>> expectedCallSites = [MockRaspCallSites]
 }
 
 class AllCallSitesForkedTest extends IastInstrumentationForkedTest {
 
   boolean iastEnabled = true
 
+  def appSecActivation = ProductActivation.FULLY_ENABLED
+
   boolean raspEnabled = true
 
+  boolean applicable = true
+
   Set<Class<?>> expectedCallSites = [MockCallSites, MockCallSitesWithTelemetry, MockRaspCallSites]
 }
@@ -1,36 +1,11 @@
 import datadog.trace.agent.test.AgentTestRunner
-import datadog.trace.agent.tooling.InstrumenterModule
-import datadog.trace.api.config.AppSecConfig
 import datadog.trace.api.config.IastConfig
 import datadog.trace.instrumentation.iastinstrumenter.IastHardcodedSecretListener
 import datadog.trace.instrumentation.iastinstrumenter.IastInstrumentation
 import net.bytebuddy.description.type.TypeDescription
 
 class IastInstrumentationTest extends AgentTestRunner {
 
-  void 'test Iast Instrumentation enablement'() {
-    given:
-    injectSysConfig(AppSecConfig.APPSEC_RASP_ENABLED, Boolean.toString(rasp))
-    final instrumentation = new IastInstrumentation()
-
-    when:
-    final enabled = instrumentation.isEnabled()
-    final applicable = instrumentation.isApplicable(enabledSystems as Set<InstrumenterModule.TargetSystem>)
-
-    then:
-    enabled
-    applicable == expected
-
-    where:
-    enabledSystems                                                                 | rasp  | expected
-    []                                                                             | false | false
-    [InstrumenterModule.TargetSystem.APPSEC]                                       | false | false
-    [InstrumenterModule.TargetSystem.IAST]                                         | false | true
-    [InstrumenterModule.TargetSystem.APPSEC]                                       | true  | true
-    [InstrumenterModule.TargetSystem.IAST, InstrumenterModule.TargetSystem.APPSEC] | false | true
-    [InstrumenterModule.TargetSystem.IAST, InstrumenterModule.TargetSystem.APPSEC] | true  | true
-  }
-
   void 'test Iast Instrumentation type matching'() {
     given:
     final instrumentation = new IastInstrumentation()
 
@@ -295,6 +295,9 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
       }
     }
     assert trigger != null, 'test trigger not found'
+    rootSpan.span.metaStruct != null
+    def stack = rootSpan.span.metaStruct.get('_dd.stack')
+    assert stack != null, 'stack is not set'
   }
 
   void 'rasp blocks on sql injection'() {
 
@@ -43,8 +43,6 @@ abstract class AbstractAppSecServerSmokeTest extends AbstractServerSmokeTest {
   @Shared
   protected String[] defaultAppSecProperties = [
     "-Ddd.appsec.enabled=${System.getProperty('smoke_test.appsec.enabled') ?: 'true'}",
-    // TODO: rely on default once its true
-    "-Ddd.appsec.rasp.enabled=true",
     "-Ddd.profiling.enabled=false",
     // disable AppSec rate limit
     "-Ddd.appsec.trace.rate.limit=-1"
 
@@ -0,0 +1,8 @@
+# Ignore all project specific gradle directories/files
+.gradle
+gradle
+build
+gradlew
+gradlew.bat
+
+
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,11 @@ private static boolean isMavenParent() {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`private static boolean isGradleDaemon() {`
`41`		`- return ClassLoader.getSystemClassLoader().getResource("org/gradle/launcher/daemon/") != null;`
	`41`	`+ return ClassLoader.getSystemClassLoader()`
	`42`	`+ .getResource("org/gradle/launcher/daemon/bootstrap/GradleDaemon.class")`
	`43`	`+ != null`
	`44`	`+ // double-check this is not a Gradle Worker`
	`45`	`+ && System.getProperties().getProperty("org.gradle.internal.worker.tmpdir") == null;`
`42`	`46`	`}`
`43`	`47`
`44`	`48`	`public static long getParentSessionId() {`
Original file line number	Diff line number	Diff line change
`@@ -295,6 +295,9 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {`
`295`	`295`	`}`
`296`	`296`	`}`
`297`	`297`	`assert trigger != null, 'test trigger not found'`
	`298`	`+ rootSpan.span.metaStruct != null`
	`299`	`+ def stack = rootSpan.span.metaStruct.get('_dd.stack')`
	`300`	`+ assert stack != null, 'stack is not set'`
`298`	`301`	`}`
`299`	`302`
`300`	`303`	`void 'rasp blocks on sql injection'() {`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,8 @@ @@
 +# Ignore all project specific gradle directories/files
 +.gradle
 +gradle
 +build
 +gradlew
 +gradlew.bat
++
++