Skip to content

feat(apisec): implement new API Security sampler#3315

Merged
RomainMuller merged 10 commits intov2-devfrom
romain.marcadier/APPSEC-56547/api-sec-sampler
Apr 3, 2025
Merged

feat(apisec): implement new API Security sampler#3315
RomainMuller merged 10 commits intov2-devfrom
romain.marcadier/APPSEC-56547/api-sec-sampler

Conversation

@RomainMuller
Copy link
Copy Markdown
Contributor

@RomainMuller RomainMuller commented Mar 19, 2025
edited
Loading

Implementation of the new API Security sampler defined by the latest RFC.

This change makes the API Security sampler make decisions specific to a given endpoint (method + route + response status code) instead of using a simplistic sampling rate. This allows for improved coverage and accuracy of schema extraction as part of API Security.

This change uses the sampler implementation from DataDog/appsec-internal-go#39.

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.
  • For internal contributors, a matching PR should be created to the v2-dev branch and reviewed by @DataDog/apm-go.

Unsure? Have a question? Request a review!

@RomainMuller
feat(apisec): implement new API Security sampler
f9ae97c 
Implementation of the new API Security sampler defined by the
[latest RFC](https://docs.google.com/document/d/1PYoHms9PPXR8V_5_T5-KXAhoFDKQYA8mTnmS12xkGOE/edit?tab=t.0).

This change makes the API Security sampler make decisions specific to a
given endpoint (method + route + response status code) instead of using
a simplistic sampling rate. This allows for improved coverage and
accuracy of schema extraction as part of API Security.

This change uses the sampler implementation from
github.com/DataDog/appsec-internal-go#39.
@github-actions github-actions Bot added the apm:ecosystem contrib/* related feature requests or bugs label Mar 19, 2025
@datadog-datadog-prod-us1
Copy link
Copy Markdown

datadog-datadog-prod-us1 Bot commented Mar 19, 2025
edited
Loading

Datadog Report

Branch report: romain.marcadier/APPSEC-56547/api-sec-sampler
Commit report: 812cf89
Test service: dd-trace-go

✅ 0 Failed, 4451 Passed, 66 Skipped, 3m 42.86s Total Time

@pr-commenter
Copy link
Copy Markdown

pr-commenter Bot commented Mar 19, 2025
edited
Loading

Benchmarks

Benchmark execution time: 2025-04-03 10:47:28

Comparing candidate commit dcc6eb5 in PR branch romain.marcadier/APPSEC-56547/api-sec-sampler with baseline commit ef0a126 in branch v2-dev.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 55 metrics, 1 unstable metrics.

eliottness
eliottness approved these changes Apr 2, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@eliottness eliottness left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you feel like working on apisec telemetry metrics in another PR ?

Comment thread instrumentation/net/http/pattern/pattern.go
@RomainMuller RomainMuller marked this pull request as ready for review April 2, 2025 09:05
@RomainMuller RomainMuller requested review from a team as code owners April 2, 2025 09:05
@RomainMuller RomainMuller requested review from a team as code owners April 2, 2025 13:45
nsrip-dd
nsrip-dd approved these changes Apr 2, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@nsrip-dd nsrip-dd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rubber stamp for the profiling bits (just go.mod/go.sum changes)

@RomainMuller RomainMuller force-pushed the romain.marcadier/APPSEC-56547/api-sec-sampler branch from 750d466 to 55c3db6 Compare April 2, 2025 14:08
eliottness
eliottness reviewed Apr 2, 2025
View reviewed changes
Comment thread instrumentation/appsec/emitter/httpsec/http.go
@RomainMuller RomainMuller force-pushed the romain.marcadier/APPSEC-56547/api-sec-sampler branch from 68b606f to 2dde675 Compare April 3, 2025 08:10
darccio
darccio reviewed Apr 3, 2025
View reviewed changes
Comment thread contrib/gorilla/mux/mux.go
spanopts = append(spanopts, httptraceinternal.HeaderTagsFromRequest(req, r.config.headerTags))
resource := r.config.resourceNamer(r, req)
httptrace.TraceAndServe(r.Router, w, req, &httptrace.ServeConfig{
Framework: "github.com/gorilla/mux",
Copy link
Copy Markdown
Member

@darccio darccio Apr 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@RomainMuller Do all HTTP contribs need to register this Framework field? It's to add this to contribution guidelines.

Copy link
Copy Markdown
Contributor Author

@RomainMuller RomainMuller Apr 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AppSec basically uses this to tag telemetry when we are unable to obtain some information... So this is optional, but I reckon helps if present (that might be useful for APM telemetry, too, in the future?)

@RomainMuller RomainMuller merged commit b147b33 into v2-dev Apr 3, 2025
180 of 196 checks passed
@RomainMuller RomainMuller deleted the romain.marcadier/APPSEC-56547/api-sec-sampler branch April 3, 2025 12:15
darccio pushed a commit that referenced this pull request Apr 10, 2025
@RomainMuller @darccio
feat(apisec): implement new API Security sampler (#3315)
09fd5f7 
Implementation of the new API Security sampler defined by the [latest RFC](https://docs.google.com/document/d/1PYoHms9PPXR8V_5_T5-KXAhoFDKQYA8mTnmS12xkGOE/edit?tab=t.0).

This change makes the API Security sampler make decisions specific to a given endpoint (method + route + response status code) instead of using a simplistic sampling rate. This allows for improved coverage and accuracy of schema extraction as part of API Security.

This change uses the sampler implementation from DataDog/appsec-internal-go#39.
@darccio darccio added the v2.0 label Jun 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@darccio darccio darccio left review comments

@eliottness eliottness eliottness approved these changes

@nsrip-dd nsrip-dd nsrip-dd approved these changes

Assignees

No one assigned

Labels

apm:ecosystem contrib/* related feature requests or bugs v2.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@RomainMuller @darccio @eliottness @nsrip-dd