Send rasp telemetry metrics

estringana · estringana · commit 2040f718aabe · 2025-01-30T13:08:40.000+01:00
diff --git a/appsec/src/helper/metrics.hpp b/appsec/src/helper/metrics.hpp
@@ -102,6 +102,9 @@ constexpr std::string_view waf_duration = "_dd.appsec.waf.duration";
 constexpr std::string_view rasp_duration = "_dd.appsec.rasp.duration";
 constexpr std::string_view rasp_rule_eval = "_dd.appsec.rasp.rule.eval";
 constexpr std::string_view rasp_timeout = "_dd.appsec.rasp.timeout";
+constexpr std::string_view telemetry_rasp_rule_eval = "appsec.rasp.rule.eval";
+constexpr std::string_view telemetry_rasp_rule_match = "appsec.rasp.rule.match";
+constexpr std::string_view telemetry_rasp_timeout = "appsec.rasp.timeout";
 
 } // namespace dds::metrics
 
diff --git a/appsec/src/helper/subscriber/waf.cpp b/appsec/src/helper/subscriber/waf.cpp
@@ -332,8 +332,11 @@ void instance::listener::call(
     const std::unique_ptr<ddwaf_result, decltype(&ddwaf_result_free)> scope(
         &res, ddwaf_result_free);
 
-    // NOLINTNEXTLINE
-    total_runtime_ += res.total_runtime / 1000.0;
+    if (rasp_rule ==
+        "") { // RASP WAF call should not be counted on total_runtime_
+        // NOLINTNEXTLINE
+        total_runtime_ += res.total_runtime / 1000.0;
+    }
     if (res.timeout) {
         waf_hit_timeout_ = true;
     }
@@ -352,6 +355,11 @@ void instance::listener::call(
         rasp_calls_++;
         if (res.timeout) {
             rasp_timeouts_ += 1;
+            rasp_metrics_[rasp_rule].timeouts++;
+        }
+        rasp_metrics_[rasp_rule].evaluated++;
+        if (code == DDWAF_MATCH) {
+            rasp_metrics_[rasp_rule].matches++;
         }
     }
 
@@ -419,6 +427,18 @@ void instance::listener::submit_metrics(
             msubmitter.submit_span_metric(
                 metrics::rasp_timeout, rasp_timeouts_);
         }
+
+        for (auto rule : rasp_metrics_) {
+            metrics::telemetry_tags tags;
+            tags.add("rule_type", rule.first);
+            tags.add("waf_version", ddwaf_get_version());
+            msubmitter.submit_metric(
+                metrics::telemetry_rasp_rule_eval, rule.second.evaluated, tags);
+            msubmitter.submit_metric(
+                metrics::telemetry_rasp_rule_match, rule.second.matches, tags);
+            msubmitter.submit_metric(
+                metrics::telemetry_rasp_timeout, rule.second.timeouts, tags);
+        }
     }
 
     for (const auto &[key, value] : derivatives_) {
diff --git a/appsec/src/helper/subscriber/waf.hpp b/appsec/src/helper/subscriber/waf.hpp
@@ -15,6 +15,7 @@
 #include <spdlog/spdlog.h>
 #include <string>
 #include <string_view>
+#include <unordered_map>
 
 namespace dds::waf {
 
@@ -43,6 +44,13 @@ class instance : public dds::subscriber {
         void submit_metrics(metrics::telemetry_submitter &msubmitter) override;
 
     protected:
+        struct rasp_telemetry_metrics {
+            unsigned evaluated = 0;
+            unsigned matches = 0;
+            unsigned timeouts = 0;
+        };
+        std::unordered_map<std::string, rasp_telemetry_metrics> rasp_metrics_ =
+            {};
         ddwaf_context handle_{};
         std::chrono::microseconds waf_timeout_;
         double total_runtime_{0.0};
diff --git a/appsec/tests/helper/waf_test.cpp b/appsec/tests/helper/waf_test.cpp
@@ -185,13 +185,25 @@ TEST(WafTest, ValidRunGood)
                 metrics::telemetry_tags::from_string(
                     std::string{"event_rules_version:1.2.3,waf_version:"} +
                     ddwaf_get_version())));
+        EXPECT_CALL(submitm, submit_metric("appsec.rasp.rule.eval"sv, 1,
+                                 metrics::telemetry_tags::from_string(
+                                     std::string{"rule_type:lfi,waf_version:"} +
+                                     ddwaf_get_version())));
+        EXPECT_CALL(submitm, submit_metric("appsec.rasp.rule.match"sv, 0,
+                                 metrics::telemetry_tags::from_string(
+                                     std::string{"rule_type:lfi,waf_version:"} +
+                                     ddwaf_get_version())));
+        EXPECT_CALL(submitm, submit_metric("appsec.rasp.timeout"sv, 0,
+                                 metrics::telemetry_tags::from_string(
+                                     std::string{"rule_type:lfi,waf_version:"} +
+                                     ddwaf_get_version())));
         EXPECT_CALL(submitm, submit_span_metric(metrics::rasp_rule_eval, 1.0));
         EXPECT_CALL(submitm, submit_span_metric(metrics::waf_duration, _))
             .WillOnce(SaveArg<1>(&duration));
         EXPECT_CALL(submitm, submit_span_metric(metrics::rasp_duration, _))
             .WillOnce(SaveArg<1>(&rasp_duration));
         ctx->submit_metrics(submitm);
-        EXPECT_GT(duration, 0.0);
+        EXPECT_EQ(duration, 0.0);
         EXPECT_GT(rasp_duration, 0);
     }
 }
