DataDog · sezen-datadog · Oct 8, 2025 · Sep 2, 2025 · Sep 26, 2025 · Sep 30, 2025
@@ -15,7 +15,7 @@ dependencies {
   implementation project(':internal-api')
   implementation project(':communication')
   implementation project(':telemetry')
-  implementation group: 'io.sqreen', name: 'libsqreen', version: '16.0.0'
+  implementation group: 'io.sqreen', name: 'libsqreen', version: '17.1.0'
   implementation libs.moshi
 
   testImplementation libs.bytebuddy

@@ -40,9 +40,8 @@
 import com.datadog.ddwaf.exception.InvalidRuleSetException;
 import com.datadog.ddwaf.exception.UnclassifiedWafException;
 import com.squareup.moshi.JsonAdapter;
-import com.squareup.moshi.JsonReader;
-import com.squareup.moshi.JsonWriter;
 import com.squareup.moshi.Moshi;
+import com.squareup.moshi.Types;
 import datadog.remoteconfig.ConfigurationEndListener;
 import datadog.remoteconfig.ConfigurationPoller;
 import datadog.remoteconfig.PollingRateHinter;
@@ -53,7 +52,6 @@
 import datadog.trace.api.ConfigCollector;
 import datadog.trace.api.ProductActivation;
 import datadog.trace.api.UserIdCollectionMode;
-import datadog.trace.api.telemetry.LogCollector;
 import datadog.trace.api.telemetry.WafMetricCollector;
 import java.io.ByteArrayInputStream;
 import java.io.FileInputStream;
@@ -68,7 +66,6 @@
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.atomic.AtomicBoolean;
-import javax.annotation.Nullable;
 import okio.Okio;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -96,25 +93,10 @@ public class AppSecConfigServiceImpl implements AppSecConfigService {
       new WAFInitializationResultReporter();
   private final WAFStatsReporter statsReporter = new WAFStatsReporter();
 
-  private static final JsonAdapter<Object> ADAPTER =
+  private static final JsonAdapter<Map<String, Object>> ADAPTER =
       new Moshi.Builder()
-          .add(
-              Double.class,
-              new JsonAdapter<Number>() {
-                @Override
-                public Number fromJson(JsonReader reader) throws IOException {
-                  double value = reader.nextDouble();
-                  long longValue = (long) value;
-                  return value % 1 == 0 ? longValue : value;
-                }
-
-                @Override
-                public void toJson(JsonWriter writer, @Nullable Number value) throws IOException {
-                  throw new UnsupportedOperationException();
-                }
-              })
           .build()
-          .adapter(Object.class);
+          .adapter(Types.newParameterizedType(Map.class, String.class, Object.class));
 
   private boolean hasUserWafConfig;
   private boolean defaultConfigActivated;
@@ -310,7 +292,6 @@ private void handleWafUpdateResultReport(String configKey, Map<String, Object> r
       }
 
       // TODO: Send diagnostics via telemetry
-      final LogCollector telemetryLogger = LogCollector.get();
 
       initReporter.setReportForPublication(wafDiagnostics);
       if (wafDiagnostics.rulesetVersion != null
@@ -489,8 +470,7 @@ private static Map<String, Object> loadDefaultWafConfig() throws IOException {
         throw new IOException("Resource " + DEFAULT_CONFIG_LOCATION + " not found");
       }
 
-      Map<String, Object> ret =
-          (Map<String, Object>) ADAPTER.fromJson(Okio.buffer(Okio.source(is)));
+      Map<String, Object> ret = ADAPTER.fromJson(Okio.buffer(Okio.source(is)));
 
       StandardizedLogging._initialConfigSourceAndLibddwafVersion(log, "<bundled config>");
       if (log.isInfoEnabled()) {
@@ -507,8 +487,7 @@ private static Map<String, Object> loadUserWafConfig(Config tracerConfig) throws
       return null;
     }
     try (InputStream is = new FileInputStream(filename)) {
-      Map<String, Object> ret =
-          (Map<String, Object>) ADAPTER.fromJson(Okio.buffer(Okio.source(is)));
+      Map<String, Object> ret = ADAPTER.fromJson(Okio.buffer(Okio.source(is)));
 
       StandardizedLogging._initialConfigSourceAndLibddwafVersion(log, filename);
       if (log.isInfoEnabled()) {

@@ -34,7 +34,6 @@
 import datadog.trace.api.ProductActivation;
 import datadog.trace.api.ProductTraceSource;
 import datadog.trace.api.gateway.Flow;
-import datadog.trace.api.sampling.PrioritySampling;
 import datadog.trace.api.telemetry.LogCollector;
 import datadog.trace.api.telemetry.WafMetricCollector;
 import datadog.trace.api.time.SystemTimeSource;
@@ -53,7 +52,6 @@
 import java.lang.reflect.UndeclaredThrowableException;
 import java.util.Collection;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
@@ -81,8 +79,6 @@ public class WAFModule implements AppSecModule {
 
   private static final JsonAdapter<List<WAFResultData>> RES_JSON_ADAPTER;
 
-  private static final Map<String, ActionInfo> DEFAULT_ACTIONS;
-
   private static final String EXPLOIT_DETECTED_MSG = "Exploit detected";
   private boolean init = true;
   private String rulesetVersion;
@@ -118,12 +114,6 @@ private CtxAndAddresses(Collection<Address<?>> addressesOfInterest, WafHandle ct
     Moshi moshi = new Moshi.Builder().build();
     RES_JSON_ADAPTER = moshi.adapter(Types.newParameterizedType(List.class, WAFResultData.class));
 
-    Map<String, Object> actionParams = new HashMap<>();
-    actionParams.put("status_code", 403);
-    actionParams.put("type", "auto");
-    actionParams.put("grpc_status_code", 10);
-    DEFAULT_ACTIONS =
-        Collections.singletonMap("block", new ActionInfo("block_request", actionParams));
     createLimitsObject();
   }
 
@@ -425,8 +415,9 @@ public void onDataAvailable(
         Collection<AppSecEvent> events = buildEvents(resultWithData);
         boolean isThrottled = reqCtx.isThrottled(rateLimiter);
 
-        if (resultWithData.keep) {
-          if (!isThrottled) {
+        if (!isThrottled) {
+          if (resultWithData.keep) {
+            reqCtx.setManuallyKept(true);
             AgentSpan activeSpan = AgentTracer.get().activeSpan();
             if (activeSpan != null) {
               log.debug("Setting force-keep tag and manual keep tag on the current span");
@@ -439,31 +430,29 @@ public void onDataAvailable(
               activeSpan
                   .getLocalRootSpan()
                   .setTag(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM);
-            } else {
-              // If active span is not available then we need to set manual keep in GatewayBridge
-              log.debug("There is no active span available");
             }
           } else {
-            log.debug("Rate limited WAF events");
-            if (!gwCtx.isRasp) {
-              reqCtx.setWafRateLimited();
-            }
+            // If active span is not available then we need to set manual keep in GatewayBridge
+            log.debug("There is no active span available");
+          }
+        } else {
+          log.debug("Rate limited WAF events");
+          if (!gwCtx.isRasp) {
+            reqCtx.setWafRateLimited();
           }
-        }
-        if (resultWithData.events && !events.isEmpty() && !isThrottled) {
-          reqCtx.reportEvents(events);
         }
 
         if (flow.isBlocking()) {
           if (!gwCtx.isRasp) {
             reqCtx.setWafBlocked();
           }
         }
+        // report is still done even without keep, in case sampler_keep is desired
+        if (resultWithData.events) {
+          reqCtx.reportEvents(events);
+        }
       }
 
-      reqCtx.setKeepType(
-          resultWithData.keep ? PrioritySampling.USER_KEEP : PrioritySampling.USER_DROP);
-
       if (resultWithData.attributes != null && !resultWithData.attributes.isEmpty()) {
         reqCtx.reportDerivatives(resultWithData.attributes);
       }

@@ -13,7 +13,6 @@
 import datadog.trace.api.Config;
 import datadog.trace.api.http.StoredBodySupplier;
 import datadog.trace.api.internal.TraceSegment;
-import datadog.trace.api.sampling.PrioritySampling;
 import datadog.trace.util.stacktrace.StackTraceEvent;
 import java.io.Closeable;
 import java.util.*;
@@ -166,7 +165,6 @@ public class AppSecRequestContext implements DataBundle, Closeable {
 
   private volatile boolean keepOpenForApiSecurityPostProcessing;
   private volatile Long apiSecurityEndpointHash;
-  private volatile byte keepType = PrioritySampling.SAMPLER_KEEP;
 
   private final AtomicInteger httpClientRequestCount = new AtomicInteger(0);
   private final Set<Long> sampledHttpClientRequests = new HashSet<>();
@@ -175,6 +173,7 @@ public class AppSecRequestContext implements DataBundle, Closeable {
       AtomicIntegerFieldUpdater.newUpdater(AppSecRequestContext.class, "wafTimeouts");
   private static final AtomicIntegerFieldUpdater<AppSecRequestContext> RASP_TIMEOUTS_UPDATER =
       AtomicIntegerFieldUpdater.newUpdater(AppSecRequestContext.class, "raspTimeouts");
+  private boolean manuallyKept = false;
 
   // to be called by the Event Dispatcher
   public void addAll(DataBundle newData) {
@@ -421,14 +420,6 @@ public Long getApiSecurityEndpointHash() {
     return this.apiSecurityEndpointHash;
   }
 
-  public void setKeepType(byte keepType) {
-    this.keepType = keepType;
-  }
-
-  public byte getKeepType() {
-    return this.keepType;
-  }
-
   void addRequestHeader(String name, String value) {
     if (finishedRequestHeaders) {
       throw new IllegalStateException("Request headers were said to be finished before");
@@ -1014,4 +1005,12 @@ public boolean isRaspMatched() {
   public void setRaspMatched(boolean raspMatched) {
     this.raspMatched = raspMatched;
   }
+
+  public boolean isManuallyKept() {
+    return manuallyKept;
+  }
+
+  public void setManuallyKept(boolean manuallyKept) {
+    this.manuallyKept = manuallyKept;
+  }
 }
@@ -8,7 +8,6 @@
 import static com.datadog.appsec.gateway.AppSecRequestContext.REQUEST_HEADERS_ALLOW_LIST;
 import static com.datadog.appsec.gateway.AppSecRequestContext.RESPONSE_HEADERS_ALLOW_LIST;
 import static datadog.trace.api.telemetry.LogCollector.SEND_TELEMETRY;
-import static datadog.trace.bootstrap.instrumentation.api.Tags.SAMPLING_PRIORITY;
 
 import com.datadog.appsec.AppSecSystem;
 import com.datadog.appsec.api.security.ApiSecurityDownstreamSampler;
@@ -863,10 +862,11 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
 
       // If detected any events - mark span at appsec.event
       if (!collectedEvents.isEmpty()) {
-        // Set asm keep in case that root span was not available when events are detected
-        traceSeg.setTagTop(Tags.ASM_KEEP, true);
-        traceSeg.setTagTop(SAMPLING_PRIORITY, ctx.getKeepType());
-        traceSeg.setTagTop(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM);
+        if (ctx.isManuallyKept()) {
+          // Set asm keep in case that root span was not available when events are detected
+          traceSeg.setTagTop(Tags.ASM_KEEP, true);
+          traceSeg.setTagTop(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM);
+        }
         traceSeg.setTagTop("appsec.event", true);
         traceSeg.setTagTop("network.client.ip", ctx.getPeerAddress());