Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(asm): don't load appsec modules (iast) if disabled #12184

Merged
merged 10 commits into from
Feb 3, 2025
Merged

chore(asm): don't load appsec modules (iast) if disabled #12184

merged 10 commits into from
Feb 3, 2025
+135 −149

Conversation

christophe-papazian
Copy link
Contributor

@christophe-papazian christophe-papazian commented Jan 31, 2025
edited
Loading

The goal is to make sure no appsec module is loaded if appsec is disabled.
This PR is the first one of 2, handling IAST.
It removes all non guarded IAST import from outside appsec.

  • ensure we don't load any iast module if iast is disabled
  • replace _is_iast_enabled() by a field _iast_enabled in the asm config

APPSEC-56626

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing
    strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note
    guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if
    applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking
    API
    changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance
    implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the
    release branch maintenance
    policy

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 31, 2025
edited
Loading

CODEOWNERS have been resolved as:

ddtrace/_monkey.py                                                      @DataDog/apm-core-python
ddtrace/appsec/_asm_request_context.py                                  @DataDog/asm-python
ddtrace/appsec/_iast/__init__.py                                        @DataDog/asm-python
ddtrace/appsec/_iast/_handlers.py                                       @DataDog/asm-python
ddtrace/appsec/_iast/_iast_request_context.py                           @DataDog/asm-python
ddtrace/appsec/_iast/_loader.py                                         @DataDog/asm-python
ddtrace/appsec/_iast/_pytest_plugin.py                                  @DataDog/asm-python
ddtrace/appsec/_iast/_utils.py                                          @DataDog/asm-python
ddtrace/appsec/_iast/taint_sinks/insecure_cookie.py                     @DataDog/asm-python
ddtrace/contrib/dbapi/__init__.py                                       @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/dbapi_async/__init__.py                                 @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/fastapi/patch.py                               @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/langchain/patch.py                             @DataDog/ml-observability
ddtrace/contrib/internal/pytest/plugin.py                               @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/contrib/internal/starlette/patch.py                             @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/internal/iast/product.py                                        @DataDog/asm-python
ddtrace/settings/asm.py                                                 @DataDog/asm-python
tests/appsec/iast/fixtures/integration/main_configure.py                @DataDog/asm-python
tests/appsec/integrations/django_tests/test_django_appsec_iast.py       @DataDog/asm-python
tests/appsec/integrations/flask_tests/test_iast_flask.py                @DataDog/asm-python
tests/contrib/dbapi/test_dbapi_appsec.py                                @DataDog/asm-python

@codecov-commenter
Copy link

Codecov Report

Attention: Patch coverage is 18.75000% with 39 lines in your changes missing coverage. Please review.

Please upload report for BASE (3.x-staging@0ed084a). Learn more about missing BASE report.

Files with missing lines Patch % Lines
ddtrace/appsec/_iast/_handlers.py 0.00% 17 Missing ⚠️
ddtrace/appsec/_iast/_pytest_plugin.py 0.00% 3 Missing ⚠️
ddtrace/contrib/internal/langchain/patch.py 0.00% 3 Missing ⚠️
ddtrace/appsec/_iast/_iast_request_context.py 50.00% 2 Missing ⚠️
ddtrace/appsec/_iast/_loader.py 0.00% 2 Missing ⚠️
...dtrace/appsec/_iast/taint_sinks/insecure_cookie.py 0.00% 2 Missing ⚠️
ddtrace/contrib/dbapi_async/__init__.py 50.00% 2 Missing ⚠️
ddtrace/contrib/internal/pytest/plugin.py 0.00% 2 Missing ⚠️
ddtrace/settings/asm.py 33.33% 2 Missing ⚠️
ddtrace/_monkey.py 50.00% 1 Missing ⚠️
... and 3 more
Additional details and impacted files 
@@              Coverage Diff               @@
##             3.x-staging   #12184   +/-   ##
==============================================
  Coverage               ?   12.74%           
==============================================
  Files                  ?     1606           
  Lines                  ?   135677           
  Branches               ?        0           
==============================================
  Hits                   ?    17298           
  Misses                 ?   118379           
  Partials               ?        0

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@christophe-papazian christophe-papazian added changelog/no-changelog A changelog entry is not required for this PR. ASM Application Security Monitoring labels Jan 31, 2025
@datadog-dd-trace-py-rkomorn
Copy link

datadog-dd-trace-py-rkomorn bot commented Jan 31, 2025
edited
Loading

Datadog Report

Branch report: christophe-papazian/remove_appsec_dependencies_if_serverless
Commit report: 484dae9
Test service: dd-trace-py

✅ 0 Failed, 130 Passed, 1468 Skipped, 4m 41.04s Total duration (35m 44.47s time saved)

@pr-commenter
Copy link

pr-commenter bot commented Jan 31, 2025
edited
Loading

Benchmarks

Benchmark execution time: 2025-02-03 14:47:27

Comparing candidate commit 484dae9 in PR branch christophe-papazian/remove_appsec_dependencies_if_serverless with baseline commit a22143d in branch 3.x-staging.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 394 metrics, 2 unstable metrics.

@christophe-papazian christophe-papazian force-pushed the christophe-papazian/remove_appsec_dependencies_if_serverless branch from a2fc25e to 9271c33 Compare January 31, 2025 16:43
@christophe-papazian christophe-papazian marked this pull request as ready for review February 3, 2025 09:03
@christophe-papazian christophe-papazian requested review from a team as code owners February 3, 2025 09:03
@christophe-papazian christophe-papazian changed the title chore(asm): don't load appsec modules (asm or iast) if disabled chore(asm): don't load appsec modules (iast) if disabled Feb 3, 2025
gnufede
gnufede reviewed Feb 3, 2025
View reviewed changes
ddtrace/settings/asm.py Outdated Show resolved Hide resolved
christophe-papazian and others added 3 commits February 3, 2025 11:12
@christophe-papazian
add windows check to iast_supported field
213531f
@christophe-papazian
Merge branch 'christophe-papazian/remove_appsec_dependencies_if_serve…
bdf2f49 
…rless' of github.com:DataDog/dd-trace-py into christophe-papazian/remove_appsec_dependencies_if_serverless
@christophe-papazian
Merge branch '3.x-staging' into christophe-papazian/remove_appsec_dep…
4e94859 
…endencies_if_serverless
@christophe-papazian christophe-papazian enabled auto-merge (squash) February 3, 2025 13:41
@christophe-papazian christophe-papazian merged commit ea2a9a5 into 3.x-staging Feb 3, 2025
722 checks passed
@christophe-papazian christophe-papazian deleted the christophe-papazian/remove_appsec_dependencies_if_serverless branch February 3, 2025 15:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@datadog-datadog-prod-us1 datadog-datadog-prod-us1[bot] datadog-datadog-prod-us1[bot] left review comments

@juliewang8 juliewang8 juliewang8 approved these changes

@wantsui wantsui wantsui approved these changes

@avara1986 avara1986 avara1986 approved these changes

@emmettbutler emmettbutler emmettbutler approved these changes

@gnufede gnufede gnufede approved these changes

@erikayasuda erikayasuda Awaiting requested review from erikayasuda erikayasuda is a code owner automatically assigned from DataDog/apm-core-python

Assignees
No one assigned
Labels
ASM Application Security Monitoring changelog/no-changelog A changelog entry is not required for this PR.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@christophe-papazian @codecov-commenter @gnufede @emmettbutler @avara1986 @wantsui @juliewang8