Skip to content

fix(asm): decouple appsec [backport 3.0] #12251

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 7, 2025
Merged

fix(asm): decouple appsec [backport 3.0] #12251

merged 2 commits into from
Feb 7, 2025

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Feb 7, 2025

Backport fa18def from #12212 to 3.0.

Second part of #12198

  • Ensure we don't load appsec modules if appsec is disabled or unavailable (except for a few safe modules).
  • Ensure we don't load iast modules if iast is disabled or unavailable.
  • Ensure all initialisation logic for enable flags are handled in ddtrace.settings.asm (small factorisation)
  • Add test on module loading with a mini flask application in tests/appsec/integrations/flask_tests/test_appsec_loading_modules.py, checking with all possible combinations of appsec/iast/aws_lambda enabled or disabled.
  • remove dead code in ddtrace/contrib/internal/langchain/patch.py

APPSEC-56626

(should be backported to 3.0 when possible)

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy

@christophe-papazian @github-actions
fix(asm): decouple appsec (#12212)
e169e6b 
Second part of #12198

- Ensure we don't load appsec modules if appsec is disabled or
unavailable (except for a few safe modules).
- Ensure we don't load iast modules if iast is disabled or unavailable.
- Ensure all initialisation logic for enable flags are handled in
ddtrace.settings.asm (small factorisation)
- Add test on module loading with a mini flask application in
`tests/appsec/integrations/flask_tests/test_appsec_loading_modules.py`,
checking with all possible combinations of appsec/iast/aws_lambda
enabled or disabled.
- remove dead code in `ddtrace/contrib/internal/langchain/patch.py`

APPSEC-56626

(should be backported to 3.0 when possible)

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

(cherry picked from commit fa18def)
@github-actions github-actions bot added the ASM Application Security Monitoring label Feb 7, 2025
@github-actions github-actions bot requested review from a team as code owners February 7, 2025 11:54
datadog-datadog-prod-us1[bot]
datadog-datadog-prod-us1 bot reviewed Feb 7, 2025
View reviewed changes
@datadog-dd-trace-py-rkomorn
Copy link

datadog-dd-trace-py-rkomorn bot commented Feb 7, 2025
edited
Loading

Datadog Report

Branch report: backport-12212-to-3.0
Commit report: 84407d6
Test service: dd-trace-py

✅ 0 Failed, 130 Passed, 1184 Skipped, 3m 23.33s Total duration (24m 38.24s time saved)

@pr-commenter
Copy link

pr-commenter bot commented Feb 7, 2025
edited
Loading

Benchmarks

Benchmark execution time: 2025-02-07 14:02:29

Comparing candidate commit 84407d6 in PR branch backport-12212-to-3.0 with baseline commit 1247ac2 in branch ``.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 394 metrics, 2 unstable metrics.

@github-actions GitHub Actions
Copy link
Contributor Author

github-actions bot commented Feb 7, 2025

CODEOWNERS have been resolved as:

releasenotes/notes/ensure_no_appsec_loading-8ce46c58d6ecf81f.yaml       @DataDog/apm-python
tests/appsec/integrations/flask_tests/mini.py                           @DataDog/asm-python
tests/appsec/integrations/flask_tests/test_appsec_loading_modules.py    @DataDog/asm-python
ddtrace/appsec/__init__.py                                              @DataDog/asm-python
ddtrace/appsec/_asm_request_context.py                                  @DataDog/asm-python
ddtrace/appsec/_common_module_patches.py                                @DataDog/asm-python
ddtrace/appsec/_constants.py                                            @DataDog/asm-python
ddtrace/appsec/_utils.py                                                @DataDog/asm-python
ddtrace/contrib/internal/httplib/patch.py                               @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/langchain/patch.py                             @DataDog/ml-observability
ddtrace/contrib/internal/mysql/patch.py                                 @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/mysqldb/patch.py                               @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/pytest/_plugin_v2.py                           @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/pytest/plugin.py                               @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/requests/patch.py                              @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/sqlalchemy/patch.py                            @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/sqlite3/patch.py                               @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/subprocess/patch.py                            @DataDog/asm-python
ddtrace/contrib/internal/urllib/patch.py                                @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/urllib3/patch.py                               @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/webbrowser/patch.py                            @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/internal/appsec/product.py                                      @DataDog/asm-python
ddtrace/internal/writer/writer.py                                       @DataDog/apm-core-python
ddtrace/settings/asm.py                                                 @DataDog/asm-python
hatch.toml                                                              @DataDog/python-guild
tests/appsec/integrations/flask_tests/test_iast_flask.py                @DataDog/asm-python
tests/contrib/subprocess/test_subprocess.py                             @DataDog/asm-python
tests/contrib/subprocess/test_subprocess_patch.py                       @DataDog/asm-python
tests/utils.py                                                          @DataDog/python-guild

datadog-datadog-prod-us1[bot]
datadog-datadog-prod-us1 bot reviewed Feb 7, 2025
View reviewed changes
@christophe-papazian christophe-papazian enabled auto-merge (squash) February 7, 2025 13:15
@christophe-papazian christophe-papazian merged commit 8c5a0c7 into 3.0 Feb 7, 2025
675 checks passed
@christophe-papazian christophe-papazian deleted the backport-12212-to-3.0 branch February 7, 2025 15:14
brettlangdon added a commit that referenced this pull request Feb 21, 2025
@brettlangdon @ajgajg1134
fix(asm): decouple appsec [backport 3.0] (#12251) (#12466)
b8d32a2 
Co-authored-by: Andrew Glaude <[email protected]>
github-actions bot pushed a commit that referenced this pull request Feb 27, 2025
@brettlangdon @ajgajg1134 @github-actions
fix(asm): decouple appsec [backport 3.0] (#12251) (#12466)
6fcaa45 
Co-authored-by: Andrew Glaude <[email protected]>
(cherry picked from commit b8d32a2)
github-actions bot pushed a commit that referenced this pull request Feb 27, 2025
@brettlangdon @ajgajg1134 @github-actions
fix(asm): decouple appsec [backport 3.0] (#12251) (#12466)
ee6c4d5 
Co-authored-by: Andrew Glaude <[email protected]>
(cherry picked from commit b8d32a2)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@datadog-datadog-prod-us1 datadog-datadog-prod-us1[bot] datadog-datadog-prod-us1[bot] left review comments

@emmettbutler emmettbutler emmettbutler approved these changes

@sabrenner sabrenner sabrenner approved these changes

@christophe-papazian christophe-papazian christophe-papazian approved these changes

@sanchda sanchda Awaiting requested review from sanchda sanchda is a code owner automatically assigned from DataDog/python-guild

@wantsui wantsui Awaiting requested review from wantsui wantsui is a code owner automatically assigned from DataDog/apm-idm-python

Assignees
No one assigned
Labels
ASM Application Security Monitoring
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@emmettbutler @sabrenner @christophe-papazian