feat(apisec): implement new API Security sampler #3315

Merged
merged 10 commits into from
Apr 3, 2025

@RomainMuller RomainMuller commented Mar 19, 2025

Implementation of the new API Security sampler defined by the latest RFC.

This change makes the API Security sampler make decisions specific to a given endpoint (method + route + response status code) instead of using a simplistic sampling rate. This allows for improved coverage and accuracy of schema extraction as part of API Security.

This change uses the sampler implementation from DataDog/appsec-internal-go#39.

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.
  • For internal contributors, a matching PR should be created to the v2-dev branch and reviewed by @DataDog/apm-go.

Unsure? Have a question? Request a review!
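
The contrast drawn in the description above, as an added Go example that is not code from this PR or from appsec-internal-go: a sampler keyed on method + route + status still covers rarely-hit endpoints that a flat rate misses. The one-sample-per-key-per-interval rule, the 30-second interval, all type and function names, and the replayed traffic are assumptions constructed for illustration; the page does not state the RFC's actual rule.

```go
package main

import (
	"fmt"
	"time"
)

// endpointKey is the tuple named in the PR description: method + route + status.
type endpointKey struct {
	Method, Route string
	Status        int
}

// endpointSampler allows one sample per key per interval (assumed policy).
type endpointSampler struct {
	interval time.Duration
	last     map[endpointKey]time.Time
}

func (s *endpointSampler) Sample(k endpointKey, now time.Time) bool {
	if t, ok := s.last[k]; ok && now.Sub(t) < s.interval {
		return false
	}
	s.last[k] = now
	return true
}

// coverage replays constructed traffic (300 requests at 100ms spacing, 3 of
// them to rare endpoints) and counts the distinct endpoints sampled by a flat
// 1-in-n counter and by the keyed sampler.
func coverage(n int) (flat, keyed int) {
	s := &endpointSampler{interval: 30 * time.Second, last: map[endpointKey]time.Time{}}
	flatSeen, keyedSeen := map[endpointKey]bool{}, map[endpointKey]bool{}
	rare := []endpointKey{{"POST", "/users", 201}, {"POST", "/users", 400}, {"DELETE", "/users/{id}", 204}}
	for i := 0; i < 300; i++ {
		k := endpointKey{"GET", "/health", 200} // hot endpoint
		if i%100 == 57 {
			k = rare[i/100]
		}
		if i%n == 0 {
			flatSeen[k] = true
		}
		if s.Sample(k, time.Unix(0, 0).Add(time.Duration(i)*100*time.Millisecond)) {
			keyedSeen[k] = true
		}
	}
	return len(flatSeen), len(keyedSeen)
}

func main() { fmt.Println(coverage(10)) }
```

Note that `POST /users` with status 201 and with status 400 are separate keys, so the error-path response gets its own sample.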

@github-actions github-actions bot added the apm:ecosystem contrib/* related feature requests or bugs label Mar 19, 2025
datadog-datadog-prod-us1 bot commented Mar 19, 2025

Datadog Report

Branch report: romain.marcadier/APPSEC-56547/api-sec-sampler
Commit report: 812cf89
Test service: dd-trace-go

✅ 0 Failed, 4451 Passed, 66 Skipped, 3m 42.86s Total Time

pr-commenter bot commented Mar 19, 2025

Benchmarks

Benchmark execution time: 2025-04-03 10:47:28

Comparing candidate commit dcc6eb5 in PR branch romain.marcadier/APPSEC-56547/api-sec-sampler with baseline commit ef0a126 in branch v2-dev.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 55 metrics, 1 unstable metrics.

@eliottness eliottness left a comment

Do you feel like working on apisec telemetry metrics in another PR?

@RomainMuller RomainMuller marked this pull request as ready for review April 2, 2025 09:05
@RomainMuller RomainMuller requested review from a team as code owners April 2, 2025 09:05
@RomainMuller RomainMuller requested review from a team as code owners April 2, 2025 13:45
@nsrip-dd nsrip-dd left a comment

Rubber stamp for the profiling bits (just go.mod/go.sum changes)

@RomainMuller RomainMuller force-pushed the romain.marcadier/APPSEC-56547/api-sec-sampler branch from 750d466 to 55c3db6 Compare April 2, 2025 14:08
@RomainMuller RomainMuller force-pushed the romain.marcadier/APPSEC-56547/api-sec-sampler branch from 68b606f to 2dde675 Compare April 3, 2025 08:10
@@ -108,6 +108,7 @@ func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
spanopts = append(spanopts, httptraceinternal.HeaderTagsFromRequest(req, r.config.headerTags))
resource := r.config.resourceNamer(r, req)
httptrace.TraceAndServe(r.Router, w, req, &httptrace.ServeConfig{
Framework: "github.com/gorilla/mux",
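Review bot: The `Framework: "github.com/gorilla/mux"` entry in the `httptrace.ServeConfig` literal is a bare string with nothing at the call site saying what consumes it or whether setting it is required. A short comment here, or a doc comment on the `Framework` field itself, would tell authors of other HTTP integrations whether they need to set it. If the same import-path string is used elsewhere in this integration, a package-level constant would keep the values from drifting apart.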
Member

@RomainMuller Do all HTTP contribs need to register this Framework field? It's to add this to contribution guidelines.

Contributor Author

AppSec basically uses this to tag telemetry when we are unable to obtain some information... So this is optional, but I reckon helps if present (that might be useful for APM telemetry, too, in the future?)

@RomainMuller RomainMuller merged commit b147b33 into v2-dev Apr 3, 2025
180 of 196 checks passed
@RomainMuller RomainMuller deleted the romain.marcadier/APPSEC-56547/api-sec-sampler branch April 3, 2025 12:15
darccio pushed a commit that referenced this pull request Apr 10, 2025
Implementation of the new API Security sampler defined by the [latest RFC](https://docs.google.com/document/d/1PYoHms9PPXR8V_5_T5-KXAhoFDKQYA8mTnmS12xkGOE/edit?tab=t.0).

This change makes the API Security sampler make decisions specific to a given endpoint (method + route + response status code) instead of using a simplistic sampling rate. This allows for improved coverage and accuracy of schema extraction as part of API Security.

This change uses the sampler implementation from DataDog/appsec-internal-go#39.