Merge branch 'main' into dudik/add-di-capabilities

dudikeleti · web-flow · commit 35080664f8cf · 2025-09-29T17:08:23.000+02:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -34,4 +34,4 @@
 /manifests/ruby.yml @DataDog/ruby-guild @DataDog/asm-ruby
 /manifests/rust.yml @DataDog/apm-rust
 
-
+/chainguard/** @DataDog/system-tests-core # Security sensitive
diff --git a/.github/workflows/run-end-to-end.yml b/.github/workflows/run-end-to-end.yml
@@ -297,9 +297,6 @@ jobs:
     - name: Run APPSEC_BLOCKING_FULL_DENYLIST scenario
       if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_BLOCKING_FULL_DENYLIST"')
       run: ./run.sh APPSEC_BLOCKING_FULL_DENYLIST
-    - name: Run APPSEC_AND_RC_ENABLED scenario
-      if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_AND_RC_ENABLED"')
-      run: ./run.sh APPSEC_AND_RC_ENABLED
     - name: Run APPSEC_RUNTIME_ACTIVATION scenario
       if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_RUNTIME_ACTIVATION"')
       run: ./run.sh APPSEC_RUNTIME_ACTIVATION
diff --git a/chainguard/self.test-activation.sts.yaml b/chainguard/self.test-activation.sts.yaml
@@ -0,0 +1,13 @@
+# Docs: https://datadoghq.atlassian.net/wiki/spaces/SECENG/pages/5138645099/User+guide+dd-octo-sts
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/system-tests-dashboard:ref:refs/heads/main
+claim_pattern:
+  event_name: workflow_dispatch
+  ref: refs/heads/main
+  ref_protected: "true"
+  job_workflow_ref: DataDog/system-tests-dashboard/\.github/workflows/test-activation-tmp\.yml@refs/heads/main
+
+permissions:
+  contents: write
+  pull-requests: write
diff --git a/tests/appsec/test_automated_login_events.py b/tests/appsec/test_automated_login_events.py
@@ -1968,7 +1968,7 @@ def validate_iden(meta):
 
 @rfc("https://docs.google.com/document/d/1RT38U6dTTcB-8muiYV4-aVDCsT_XrliyakjtAPyjUpw")
 @features.user_monitoring
-@scenarios.appsec_and_rc_enabled
+@scenarios.appsec_api_security_rc
 class Test_V3_Login_Events_Blocking:
     def setup_login_event_blocking_auto_id(self):
         rc.rc_state.reset().apply()
diff --git a/tests/appsec/test_automated_user_and_session_tracking.py b/tests/appsec/test_automated_user_and_session_tracking.py
@@ -138,7 +138,7 @@ def test_user_tracking_sdk_overwrite(self):
 
 @rfc("https://docs.google.com/document/d/1RT38U6dTTcB-8muiYV4-aVDCsT_XrliyakjtAPyjUpw")
 @features.user_monitoring
-@scenarios.appsec_and_rc_enabled
+@scenarios.appsec_api_security_rc
 class Test_Automated_User_Blocking:
     def setup_user_blocking_auto(self):
         rc.rc_state.reset().apply()
@@ -228,7 +228,7 @@ def test_user_blocking_sdk(self):
 
 @rfc("https://docs.google.com/document/d/1RT38U6dTTcB-8muiYV4-aVDCsT_XrliyakjtAPyjUpw")
 @features.user_monitoring
-@scenarios.appsec_and_rc_enabled
+@scenarios.appsec_api_security_rc
 class Test_Automated_Session_Blocking:
     def setup_session_blocking(self):
         rc.rc_state.reset().apply()
diff --git a/tests/appsec/test_extended_data_collection.py b/tests/appsec/test_extended_data_collection.py
@@ -46,7 +46,7 @@
 
 
 @features.appsec_extended_data_collection
-@scenarios.appsec_and_rc_enabled
+@scenarios.appsec_api_security_rc
 class Test_ExtendedDataCollectionCapability:
     """Validate that ASM_EXTENDED_DATA_COLLECTION (44) capability is sent"""
 
@@ -55,7 +55,7 @@ def test_extended_data_collection_capability(self):
 
 
 @features.appsec_extended_data_collection
-@scenarios.appsec_and_rc_enabled
+@scenarios.appsec_api_security_rc
 class Test_ExtendedRequestHeadersDataCollection:
     """Test extended data collection using remote config rules and actions"""
 
@@ -254,7 +254,7 @@ def test_extended_data_collection_with_rc_and_authentication_headers(self):
 
 
 @features.appsec_extended_data_collection
-@scenarios.appsec_and_rc_enabled
+@scenarios.appsec_api_security_rc
 class Test_ExtendedResponseHeadersDataCollection:
     """Test extended response headers data collection using remote config rules and actions"""
 
@@ -418,7 +418,7 @@ def test_extended_data_collection_with_rc_and_authentication_headers(self):
 
 
 @features.appsec_extended_data_collection
-@scenarios.appsec_and_rc_enabled
+@scenarios.appsec_api_security_rc
 class Test_ExtendedRequestBodyCollection:
     """Test extended request body data collection using remote config rules and actions"""
 
diff --git a/tests/appsec/test_remote_config_rule_changes.py b/tests/appsec/test_remote_config_rule_changes.py
@@ -319,7 +319,7 @@ def validate_waf_rule_version_tag_by_rc(span, appsec_data):  # noqa: ARG001
 @rfc(
     "https://docs.google.com/document/d/1t6U7WXko_QChhoNIApn0-CRNe6SAKuiiAQIyCRPUXP4/edit?tab=t.0#heading=h.uw8qbgyhhb47"
 )
-@scenarios.appsec_and_rc_enabled
+@scenarios.appsec_api_security_rc
 @features.appsec_rc_asm_dd_multiconfig
 @features.appsec_trace_tagging_rules
 class Test_AsmDdMultiConfiguration:
diff --git a/tests/appsec/test_trace_tagging.py b/tests/appsec/test_trace_tagging.py
@@ -108,7 +108,7 @@ def validate(span):
         interfaces.library.validate_spans(self.r_tt4, validator=validate)
 
 
-@scenarios.appsec_and_rc_enabled
+@scenarios.appsec_api_security_rc
 @features.appsec_trace_tagging_rules
 class Test_TraceTaggingRulesRcCapability:
     """A library with support for trace-tagging rules must provide the
diff --git a/tests/remote_config/test_remote_configuration.py b/tests/remote_config/test_remote_configuration.py
@@ -471,7 +471,7 @@ def validate(data):
 
 # XXX: This test can run in any scenario with rc_api_enabled=True. Default will not work, as /v0.7/config is not reported by the agent,
 # which will make some tracers (e.g. Ruby) not use RC.
-@scenarios.appsec_and_rc_enabled
+@scenarios.appsec_api_security_rc
 @features.remote_config_semantic_versioning
 class Test_RemoteConfigurationSemVer:
     """Tests that semantic versioning is reported in remote config"""
diff --git a/tests/test_the_test/test_minimal_number_of_scenarios.py b/tests/test_the_test/test_minimal_number_of_scenarios.py
@@ -12,15 +12,6 @@
 # You don't need to add B/A if A/B exists
 # Structure: {("SCENARIO_A", "SCENARIO_B"): "reason"}
 SKIP_MERGE_SCENARIOS: dict[tuple[str, str], str] = {
-    ("APPSEC_AND_RC_ENABLED", "APPSEC_API_SECURITY_RC"): "TODO",
-    ("APPSEC_AND_RC_ENABLED", "APPSEC_AUTO_EVENTS_RC"): "TODO",
-    ("APPSEC_AND_RC_ENABLED", "APPSEC_BLOCKING_FULL_DENYLIST"): "TODO",
-    ("APPSEC_AND_RC_ENABLED", "APPSEC_REQUEST_BLOCKING"): "TODO",
-    ("APPSEC_AND_RC_ENABLED", "APPSEC_RUNTIME_ACTIVATION"): "TODO",
-    ("APPSEC_AND_RC_ENABLED", "REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD"): "TODO",
-    ("APPSEC_AND_RC_ENABLED", "REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD_NOCACHE"): "TODO",
-    ("APPSEC_AND_RC_ENABLED", "REMOTE_CONFIG_MOCKED_BACKEND_LIVE_DEBUGGING"): "TODO",
-    ("APPSEC_AND_RC_ENABLED", "TRACING_CONFIG_NONDEFAULT_4"): "TODO",
     ("APPSEC_API_SECURITY_RC", "APPSEC_RUNTIME_ACTIVATION"): "TODO",
     ("APPSEC_API_SECURITY_RC", "REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD_NOCACHE"): "TODO",
     ("APPSEC_AUTO_EVENTS_RC", "APPSEC_RUNTIME_ACTIVATION"): "TODO",
diff --git a/utils/_context/_scenarios/__init__.py b/utils/_context/_scenarios/__init__.py
@@ -266,21 +266,6 @@ class _Scenarios:
         scenario_groups=[scenario_groups.appsec],
     )
 
-    appsec_and_rc_enabled = EndToEndScenario(
-        "APPSEC_AND_RC_ENABLED",
-        rc_api_enabled=True,
-        appsec_enabled=True,
-        iast_enabled=False,
-        weblog_env={"DD_APPSEC_WAF_TIMEOUT": "10000000", "DD_APPSEC_TRACE_RATE_LIMIT": "10000"},  # 10 seconds
-        doc="""
-            A scenario with AppSec and Remote Config enabled. In addition WAF and
-            tracer are configured to have bigger threshold.
-            This scenario should be used in most of the cases if you need
-            Remote Config and AppSec working for all libraries.
-        """,
-        scenario_groups=[scenario_groups.appsec],
-    )
-
     appsec_runtime_activation = EndToEndScenario(
         "APPSEC_RUNTIME_ACTIVATION",
         rc_api_enabled=True,
@@ -317,6 +302,8 @@ class _Scenarios:
             "DD_API_SECURITY_ENABLED": "true",
             "DD_API_SECURITY_REQUEST_SAMPLE_RATE": "1.0",
             "DD_API_SECURITY_SAMPLE_DELAY": "0.0",
+            "DD_APPSEC_WAF_TIMEOUT": "10000000",
+            "DD_APPSEC_TRACE_RATE_LIMIT": "10000",
         },
         rc_api_enabled=True,
         doc="""
diff --git a/utils/_context/_scenarios/endtoend.py b/utils/_context/_scenarios/endtoend.py
@@ -661,7 +661,20 @@ def pytest_sessionfinish(self, session: pytest.Session, exitstatus: int):
                 and self.name in ("TRACE_STATS_COMPUTATION", "TRACING_CONFIG_NONDEFAULT_3"),
                 ticket="APMSP-2158",
             ),
+            _SchemaBug(
+                endpoint="/symdb/v1/input",
+                data_path="$[].content.scopes[].scopes[].symbols[]",
+                condition=self.library >= "golang@2.4.0-dev" and self.name == "DEBUGGER_SYMDB",
+                ticket="DEBUG-4541",
+            ),
+            _SchemaBug(
+                endpoint="/symdb/v1/input",
+                data_path="$[].content",
+                condition=self.library >= "golang@2.4.0-dev" and self.name == "DEBUGGER_SYMDB",
+                ticket="DEBUG-4541",
+            ),
         ]
+
         self._test_schemas(session, interfaces.library, library_bugs)
 
         agent_bugs = [
diff --git a/utils/scripts/ci_orchestrators/time-stats.json b/utils/scripts/ci_orchestrators/time-stats.json
@@ -537,110 +537,6 @@
         "uds-sinatra": 39
       }
     },
-    "APPSEC_AND_RC_ENABLED": {
-      "*": 256.33945578231294,
-      "dotnet": {
-        "*": 307,
-        "poc": 306,
-        "uds": 308
-      },
-      "golang": {
-        "*": 265.5,
-        "chi": 266,
-        "echo": 266,
-        "gin": 265,
-        "net-http": 265,
-        "net-http-orchestrion": 265,
-        "uds-echo": 266
-      },
-      "java": {
-        "*": 264.8,
-        "akka-http": 257,
-        "jersey-grizzly2": 259,
-        "play": 262,
-        "ratpack": 257,
-        "resteasy-netty3": 258,
-        "spring-boot": 267,
-        "spring-boot-3-native": 232,
-        "spring-boot-jetty": 267,
-        "spring-boot-openliberty": 284,
-        "spring-boot-payara": 292,
-        "spring-boot-undertow": 267,
-        "spring-boot-wildfly": 278,
-        "uds-spring-boot": 278,
-        "vertx3": 257,
-        "vertx4": 257
-      },
-      "nodejs": {
-        "*": 268.6,
-        "express4": 268,
-        "express4-typescript": 267,
-        "express5": 267,
-        "nextjs": 266,
-        "uds-express4": 275
-      },
-      "php": {
-        "*": 277.6666666666667,
-        "apache-mod-7.0": 278,
-        "apache-mod-7.0-zts": 277,
-        "apache-mod-7.1": 277,
-        "apache-mod-7.1-zts": 276,
-        "apache-mod-7.2": 278,
-        "apache-mod-7.2-zts": 277,
-        "apache-mod-7.3": 277,
-        "apache-mod-7.3-zts": 277,
-        "apache-mod-7.4": 278,
-        "apache-mod-7.4-zts": 277,
-        "apache-mod-8.0": 278,
-        "apache-mod-8.0-zts": 277,
-        "apache-mod-8.1": 278,
-        "apache-mod-8.1-zts": 277,
-        "apache-mod-8.2": 278,
-        "apache-mod-8.2-zts": 277,
-        "php-fpm-7.0": 279,
-        "php-fpm-7.1": 278,
-        "php-fpm-7.2": 278,
-        "php-fpm-7.3": 278,
-        "php-fpm-7.4": 279,
-        "php-fpm-8.0": 279,
-        "php-fpm-8.1": 278,
-        "php-fpm-8.2": 278
-      },
-      "python": {
-        "*": 122.42857142857143,
-        "django-poc": 128,
-        "django-py3.13": 131,
-        "fastapi": 117,
-        "flask-poc": 116,
-        "python3.12": 132,
-        "uds-flask": 117,
-        "uwsgi-poc": 116
-      },
-      "ruby": {
-        "*": 288.3809523809524,
-        "rack": 287,
-        "rails42": 287,
-        "rails50": 287,
-        "rails51": 288,
-        "rails52": 289,
-        "rails60": 287,
-        "rails61": 289,
-        "rails70": 288,
-        "rails71": 288,
-        "rails72": 290,
-        "rails80": 289,
-        "sinatra14": 287,
-        "sinatra20": 287,
-        "sinatra21": 287,
-        "sinatra22": 286,
-        "sinatra30": 288,
-        "sinatra31": 287,
-        "sinatra32": 286,
-        "sinatra40": 287,
-        "uds-rails": 297,
-        "uds-sinatra": 295
-      }
-    },
     "APPSEC_API_SECURITY": {
       "*": 39.762244897959185,
       "dotnet": {
diff --git a/utils/scripts/compute_impacted_scenario.py b/utils/scripts/compute_impacted_scenario.py
@@ -131,6 +131,7 @@ def main() -> None:
                 files_map: dict[str, ScenarioGroup | Scenario | list[ScenarioGroup | Scenario] | None] = {
                     r"\.cursor/rules/.*": None,
                     r"\.circleci/.*": None,
+                    r"chainguard/.*": None,
                     r"\.vscode/.*": None,
                     r"\.github/actions/pull_images/action.yml": scenario_groups.end_to_end,
                     r"\.github/CODEOWNERS": None,

Original file line number	Diff line number	Diff line change
`@@ -319,7 +319,7 @@ def validate_waf_rule_version_tag_by_rc(span, appsec_data): # noqa: ARG001`
`319`	`319`	`@rfc(`
`320`	`320`	`"https://docs.google.com/document/d/1t6U7WXko_QChhoNIApn0-CRNe6SAKuiiAQIyCRPUXP4/edit?tab=t.0#heading=h.uw8qbgyhhb47"`
`321`	`321`	`)`
`322`		`-@scenarios.appsec_and_rc_enabled`
	`322`	`+@scenarios.appsec_api_security_rc`
`323`	`323`	`@features.appsec_rc_asm_dd_multiconfig`
`324`	`324`	`@features.appsec_trace_tagging_rules`
`325`	`325`	`class Test_AsmDdMultiConfiguration:`