chore(asm): add waf and rasp errors span tags

ddtrace/appsec/_constants.py

@@ -114,6 +114,8 @@ class APPSEC(metaclass=Constant_Class):
         "DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP"
     ] = "DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP"
     RC_CLIENT_ID: Literal["_dd.rc.client_id"] = "_dd.rc.client_id"
+    WAF_ERROR: Literal["_dd.appsec.waf.error"] = "_dd.appsec.waf.error"
+    RASP_ERROR: Literal["_dd.appsec.rasp.error"] = "_dd.appsec.rasp.error"
 
 
 TELEMETRY_OFF_NAME = "OFF"

ddtrace/appsec/_processor.py

@@ -339,6 +339,18 @@ def _waf_action(
         )
 
         _asm_request_context.set_waf_info(lambda: self._ddwaf.info)
+        root_span = span._local_root or span
+        if waf_results.return_code < 0:
+            error_tag = APPSEC.RASP_ERROR if rule_type else APPSEC.WAF_ERROR
+            previous = root_span.get_tag(error_tag)
+            if previous is None:
+                root_span.set_tag_str(error_tag, str(waf_results.return_code))
+            else:
+                try:
+                    int_previous = int(previous)
+                except ValueError:
+                    int_previous = -128
+                root_span.set_tag_str(error_tag, str(max(int_previous, waf_results.return_code)))
 
         blocked = {}
         for action, parameters in waf_results.actions.items():
@@ -356,7 +368,7 @@ def _waf_action(
         # FingerPrinting
         for key, value in waf_results.derivatives.items():
             if key.startswith(FINGERPRINTING.PREFIX):
-                (span._local_root or span).set_tag_str(key, value)
+                root_span.set_tag_str(key, value)
 
         if waf_results.data:
             log.debug("[DDAS-011-00] ASM In-App WAF returned: %s. Timeout %s", waf_results.data, waf_results.timeout)

tests/appsec/appsec/test_processor.py

@@ -726,10 +726,13 @@ def test_required_addresses():
 @pytest.mark.parametrize("ephemeral", ["LFI_ADDRESS", "PROCESSOR_SETTINGS"])
 @mock.patch("ddtrace.appsec._ddwaf.DDWaf.run")
 def test_ephemeral_addresses(mock_run, persistent, ephemeral):
+    from ddtrace.appsec._ddwaf.waf_stubs import DDWaf_result
+    from ddtrace.appsec._utils import _observator
     from ddtrace.trace import tracer
 
     processor = AppSecSpanProcessor()
     processor._update_rules([], CUSTOM_RULE_METHOD)
+    mock_run.return_value = DDWaf_result(0, [], {}, 0.0, 0.0, False, _observator(), {})
 
     with asm_context(tracer=tracer, config=config_asm) as span:
         # first call must send all data to the waf

tests/appsec/appsec/test_telemetry.py

@@ -214,6 +214,7 @@ def test_log_metric_error_ddwaf_internal_error(telemetry_writer):
             assert len(list_metrics_logs) == 1
             assert list_metrics_logs[0]["message"] == "appsec.waf.request::error::-3"
             assert "waf_version:{}".format(version()) in list_metrics_logs[0]["tags"]
+            assert span.get_tag("_dd.appsec.waf.error") == "-3"
 
 
 def test_log_metric_error_ddwaf_update_deduplication(telemetry_writer):