Skip to content

fix(aap): fix aap enable telemetry report [backport 4.7]#17571

Open
dd-octo-sts[bot] wants to merge 1 commit into4.7from
backport-17540-to-4.7
Open

fix(aap): fix aap enable telemetry report [backport 4.7]#17571
dd-octo-sts[bot] wants to merge 1 commit into4.7from
backport-17540-to-4.7

Conversation

@dd-octo-sts
Copy link
Copy Markdown
Contributor

@dd-octo-sts dd-octo-sts bot commented Apr 16, 2026
edited by christophe-papazian
Loading

APPSEC-62332

Backport #17540 to 4.7

@github-actions @christophe-papazian
fix(aap): fix aap enable telemetry report (#17540)
60e9623 
APPSEC-62332

## Description

`enable_appsec_rc()` unconditionally called `telemetry_writer.product_activated(APPSEC, True)` whenever remote configuration listeners were registered. Since RC listeners are registered by default (to allow remote enablement of AAP), this caused every service to report AAP as an activated product in internal telemetry — even when AAP was not actually enabled.

This PR makes telemetry product activation reporting conditional on the actual state of AAP:

- **`enable_appsec_rc()`**: only reports `True` when `_asm_enabled` is True (AAP explicitly enabled)
- **`enable_asm()` / `disable_asm()`**: reports `True` / `False` when AAP is toggled via remote configuration
- **`_abort_appsec()`**: reports `False` on fatal errors (e.g. libddwaf load failure), only if AAP was previously enabled
- **`disable_appsec_rc()`**: removed the unconditional `product_activated(False)` call — deactivation is now handled by the paths above

This had **no impact on customers** — it only affected internal telemetry data.

## Testing

- 3 regression tests added in `tests/appsec/appsec/test_remoteconfiguration.py`:
  - `test_rc_activation_does_not_report_appsec_product_when_only_rc_enabled` — core regression: RC-only setup must not report AAP as activated
  - `test_rc_activation_reports_appsec_product_when_enabled` — positive case: explicit enablement reports activation
  - `test_rc_enable_then_disable_asm_reports_telemetry` — full RC lifecycle: enable via RC → reports True, disable via RC → reports False
- Verified the first and third tests **fail on old code** and **pass on new code**
- All 58 existing + new tests pass (`appsec::appsec` suite, Python 3.13)

## Risks

None. The change only affects when `product_activated()` is called in internal telemetry. No user-facing behavior changes.

Co-authored-by: christophe.papazian <christophe.papazian@datadoghq.com>
(cherry picked from commit a9cc850)

Co-authored-by: Christophe Papazian <114495376+christophe-papazian@users.noreply.github.com>
@dd-octo-sts dd-octo-sts bot requested review from a team as code owners April 16, 2026 13:06
@dd-octo-sts dd-octo-sts bot requested review from emmettbutler and ncybul April 16, 2026 13:06
@pr-commenter
Copy link
Copy Markdown

pr-commenter bot commented Apr 16, 2026

Performance SLOs

Comparing candidate backport-17540-to-4.7 (60e9623) with baseline 4.7 (5e92b6b)

📈 Performance Regressions (1 suite)
📈 iastaspectsospath - 24/24

✅ ospathbasename_aspect

Time: ✅ 512.475µs (SLO: <700.000µs 📉 -26.8%) vs baseline: 📈 +19.0%

Memory: ✅ 43.507MB (SLO: <46.000MB -5.4%) vs baseline: +4.8%

✅ ospathbasename_noaspect

Time: ✅ 429.992µs (SLO: <700.000µs 📉 -38.6%) vs baseline: -0.6%

Memory: ✅ 43.624MB (SLO: <46.000MB -5.2%) vs baseline: +4.8%

✅ ospathjoin_aspect

Time: ✅ 622.465µs (SLO: <700.000µs 📉 -11.1%) vs baseline: +0.1%

Memory: ✅ 43.726MB (SLO: <46.000MB -4.9%) vs baseline: +5.3%

✅ ospathjoin_noaspect

Time: ✅ 631.259µs (SLO: <700.000µs -9.8%) vs baseline: -0.7%

Memory: ✅ 43.569MB (SLO: <46.000MB -5.3%) vs baseline: +5.3%

✅ ospathnormcase_aspect

Time: ✅ 351.165µs (SLO: <700.000µs 📉 -49.8%) vs baseline: ~same

Memory: ✅ 43.664MB (SLO: <46.000MB -5.1%) vs baseline: +4.5%

✅ ospathnormcase_noaspect

Time: ✅ 361.580µs (SLO: <700.000µs 📉 -48.3%) vs baseline: -0.3%

Memory: ✅ 43.718MB (SLO: <46.000MB -5.0%) vs baseline: +5.6%

✅ ospathsplit_aspect

Time: ✅ 491.082µs (SLO: <700.000µs 📉 -29.8%) vs baseline: +0.2%

Memory: ✅ 43.495MB (SLO: <46.000MB -5.4%) vs baseline: +4.3%

✅ ospathsplit_noaspect

Time: ✅ 502.614µs (SLO: <700.000µs 📉 -28.2%) vs baseline: +0.9%

Memory: ✅ 43.701MB (SLO: <46.000MB -5.0%) vs baseline: +5.0%

✅ ospathsplitdrive_aspect

Time: ✅ 372.933µs (SLO: <700.000µs 📉 -46.7%) vs baseline: +0.6%

Memory: ✅ 43.730MB (SLO: <46.000MB -4.9%) vs baseline: +5.0%

✅ ospathsplitdrive_noaspect

Time: ✅ 73.269µs (SLO: <700.000µs 📉 -89.5%) vs baseline: +0.6%

Memory: ✅ 43.565MB (SLO: <46.000MB -5.3%) vs baseline: +4.5%

✅ ospathsplitext_aspect

Time: ✅ 463.507µs (SLO: <700.000µs 📉 -33.8%) vs baseline: ~same

Memory: ✅ 43.514MB (SLO: <46.000MB -5.4%) vs baseline: +4.8%

✅ ospathsplitext_noaspect

Time: ✅ 466.484µs (SLO: <700.000µs 📉 -33.4%) vs baseline: +0.6%

Memory: ✅ 43.566MB (SLO: <46.000MB -5.3%) vs baseline: +4.5%

✅ All Tests Passing (2 suites)
iastaspectssplit - 12/12

✅ rsplit_aspect

Time: ✅ 157.034µs (SLO: <250.000µs 📉 -37.2%) vs baseline: +3.2%

Memory: ✅ 43.632MB (SLO: <46.000MB -5.1%) vs baseline: +4.9%

✅ rsplit_noaspect

Time: ✅ 163.784µs (SLO: <250.000µs 📉 -34.5%) vs baseline: +0.5%

Memory: ✅ 43.491MB (SLO: <46.000MB -5.5%) vs baseline: +4.3%

✅ split_aspect

Time: ✅ 150.767µs (SLO: <250.000µs 📉 -39.7%) vs baseline: -0.9%

Memory: ✅ 43.533MB (SLO: <46.000MB -5.4%) vs baseline: +4.7%

✅ split_noaspect

Time: ✅ 160.434µs (SLO: <250.000µs 📉 -35.8%) vs baseline: -0.2%

Memory: ✅ 43.418MB (SLO: <46.000MB -5.6%) vs baseline: +4.5%

✅ splitlines_aspect

Time: ✅ 149.929µs (SLO: <250.000µs 📉 -40.0%) vs baseline: -0.2%

Memory: ✅ 43.558MB (SLO: <46.000MB -5.3%) vs baseline: +4.7%

✅ splitlines_noaspect

Time: ✅ 158.200µs (SLO: <250.000µs 📉 -36.7%) vs baseline: +0.2%

Memory: ✅ 43.493MB (SLO: <46.000MB -5.5%) vs baseline: +5.0%

iastpropagation - 8/8

✅ no-propagation

Time: ✅ 48.477µs (SLO: <60.000µs 📉 -19.2%) vs baseline: -0.1%

Memory: ✅ 40.147MB (SLO: <42.000MB -4.4%) vs baseline: +5.1%

✅ propagation_enabled

Time: ✅ 135.149µs (SLO: <190.000µs 📉 -28.9%) vs baseline: -0.4%

Memory: ✅ 40.108MB (SLO: <42.000MB -4.5%) vs baseline: +4.9%

✅ propagation_enabled_100

Time: ✅ 1.563ms (SLO: <2.300ms 📉 -32.1%) vs baseline: -0.9%

Memory: ✅ 40.128MB (SLO: <42.000MB -4.5%) vs baseline: +5.2%

✅ propagation_enabled_1000

Time: ✅ 28.976ms (SLO: <34.550ms 📉 -16.1%) vs baseline: ~same

Memory: ✅ 40.069MB (SLO: <42.000MB -4.6%) vs baseline: +5.1%

ℹ️ Scenarios Missing SLO Configuration (20 scenarios)

The following scenarios exist in candidate data but have no SLO thresholds configured:

  • iast_aspects-re_expand_aspect
  • iast_aspects-re_expand_noaspect
  • iast_aspects-re_findall_aspect
  • iast_aspects-re_findall_noaspect
  • iast_aspects-re_finditer_aspect
  • iast_aspects-re_finditer_noaspect
  • iast_aspects-re_fullmatch_aspect
  • iast_aspects-re_fullmatch_noaspect
  • iast_aspects-re_group_aspect
  • iast_aspects-re_group_noaspect
  • iast_aspects-re_groups_aspect
  • iast_aspects-re_groups_noaspect
  • iast_aspects-re_match_aspect
  • iast_aspects-re_match_noaspect
  • iast_aspects-re_search_aspect
  • iast_aspects-re_search_noaspect
  • iast_aspects-re_sub_aspect
  • iast_aspects-re_sub_noaspect
  • iast_aspects-re_subn_aspect
  • iast_aspects-re_subn_noaspect

@cit-pr-commenter-54b7da
Copy link
Copy Markdown

cit-pr-commenter-54b7da bot commented Apr 16, 2026

Codeowners resolved as

ddtrace/appsec/_listeners.py                                            @DataDog/asm-python
ddtrace/appsec/_remoteconfiguration.py                                  @DataDog/asm-python
releasenotes/notes/fix-appsec-telemetry-product-activation-d2fa33337ab9e4bd.yaml  @DataDog/apm-python
tests/appsec/appsec/test_remoteconfiguration.py                         @DataDog/asm-python

@christophe-papazian christophe-papazian enabled auto-merge (squash) April 16, 2026 14:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@christophe-papazian christophe-papazian christophe-papazian approved these changes

@emmettbutler emmettbutler Awaiting requested review from emmettbutler emmettbutler is a code owner automatically assigned from DataDog/apm-python

@ncybul ncybul Awaiting requested review from ncybul ncybul is a code owner automatically assigned from DataDog/apm-python

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@christophe-papazian