Skip to content

feat: optimize DSL rule phases and refactor zone types#3878

Open
LaurenceJJones wants to merge 10 commits intocrowdsecurity:masterfrom
LaurenceJJones:feature/appsec-dsl-phase-optimization
Open

feat: optimize DSL rule phases and refactor zone types#3878
LaurenceJJones wants to merge 10 commits intocrowdsecurity:masterfrom
LaurenceJJones:feature/appsec-dsl-phase-optimization

Conversation

@LaurenceJJones
Copy link
Member

@LaurenceJJones LaurenceJJones commented Sep 10, 2025

  • Auto-optimize rules to phase 1 when possible (headers, method, URI, GET args)
  • Maintain phase 2 for body-dependent zones (POST args, files, raw body)
  • Enforce same-phase constraint for chained (AND) rules
  • Allow independent phase optimization for OR rules
  • Replace string maps with typed Zone struct for better maintainability
  • Add comprehensive tests for mixed-phase scenarios

@LaurenceJJones
feat: optimize DSL rule phases and refactor zone types
be45c60 
- Auto-optimize rules to phase 1 when possible (headers, method, URI, GET args)
- Maintain phase 2 for body-dependent zones (POST args, files, raw body)
- Enforce same-phase constraint for chained (AND) rules
- Allow independent phase optimization for OR rules
- Replace string maps with typed Zone struct for better maintainability
- Add comprehensive tests for mixed-phase scenarios
@github-actions
Copy link

github-actions bot commented Sep 10, 2025

@LaurenceJJones: There are no 'kind' label on this PR. You need a 'kind' label to generate the release automatically.

  • /kind feature
  • /kind enhancement
  • /kind refactoring
  • /kind fix
  • /kind chore
  • /kind dependencies
Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@github-actions
Copy link

github-actions bot commented Sep 10, 2025

@LaurenceJJones: There are no area labels on this PR. You can add as many areas as you see fit.

  • /area agent
  • /area local-api
  • /area cscli
  • /area appsec
  • /area security
  • /area configuration
Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@LaurenceJJones
Copy link
Member Author

LaurenceJJones commented Sep 10, 2025

/kind feature
/area appsec

@codecov
Copy link

codecov bot commented Sep 10, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 87.27273% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 62.89%. Comparing base (c0709b2) to head (129cac3).

Files with missing lines Patch % Lines
pkg/appsec/appsec_rule/modsecurity.go 85.71% 5 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3878      +/-   ##
==========================================
- Coverage   63.39%   62.89%   -0.51%     
==========================================
  Files         451      468      +17     
  Lines       32543    33317     +774     
==========================================
+ Hits        20632    20954     +322     
- Misses       9833    10240     +407     
- Partials     2078     2123      +45
Flag Coverage Δ
bats 46.13% <61.81%> (+0.01%) ⬆️
unit-linux 35.75% <87.27%> (+0.17%) ⬆️
unit-windows 25.07% <87.27%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@LaurenceJJones LaurenceJJones added this to the Future release milestone Sep 10, 2025
@LaurenceJJones LaurenceJJones mentioned this pull request Sep 10, 2025
Open
@LaurenceJJones
Copy link
Member Author

LaurenceJJones commented Sep 10, 2025
edited
Loading

Manually run hub tests, results below 100% coverage, which makes sense since we changing phases should not impact effectiveness of rules.

───────────────────────────────────────────────────────
 Test                               Result  Assertions
───────────────────────────────────────────────────────
 CVE-2023-34362                     ✅      0
 CVE-2023-3519                      ✅      0
 vpatch-CVE-2020-5902               ✅      0
 vpatch-CVE-2025-29306              ✅      0
 CVE-2020-11738                     ✅      0
 CVE-2023-28121                     ✅      0
 CVE-2023-6623                      ✅      0
 vpatch-CVE-2024-23897              ✅      0
 vpatch-CVE-2024-57727              ✅      0
 vpatch-CVE-2025-31161              ✅      0
 vpatch-CVE-2025-47812              ✅      0
 CVE-2021-3129                      ✅      0
 CVE-2022-22954                     ✅      0
 vpatch-CVE-2023-23488              ✅      0
 vpatch-laravel-debug-mode          ✅      0
 CVE-2021-22941                     ✅      0
 vpatch-CVE-2024-27956              ✅      0
 vpatch-git-config                  ✅      0
 CVE-2022-46169                     ✅      0
 CVE-2023-6360                      ✅      0
 vpatch-CVE-2021-26086              ✅      0
 vpatch-CVE-2024-8190               ✅      0
 vpatch-CVE-2025-52488              ✅      0
 CVE-2017-9841                      ✅      0
 CVE-2022-27926                     ✅      0
 CVE-2023-0600                      ✅      0
 CVE-2023-6567                      ✅      0
 CVE-2024-1212                      ✅      0
 CVE-2023-20198                     ✅      0
 CVE-2023-22527                     ✅      0
 vpatch-CVE-2024-29824              ✅      0
 vpatch-CVE-2024-51567              ✅      0
 vpatch-CVE-2024-6205               ✅      0
 vpatch-CVE-2024-9474               ✅      0
 CVE-2023-24489                     ✅      0
 generic-freemarker-ssti-args       ✅      0
 vpatch-CVE-2018-20062              ✅      0
 vpatch-CVE-2020-9054               ✅      0
 vpatch-CVE-2024-32113              ✅      0
 CVE-2020-17496                     ✅      0
 vpatch-CVE-2002-1131               ✅      0
 vpatch-CVE-2023-47218              ✅      0
 vpatch-CVE-2024-4577               ✅      0
 vpatch-CVE-2024-52301              ✅      0
 CVE-2023-2009                      ✅      0
 vpatch-CVE-2019-1003030            ✅      0
 vpatch-CVE-2024-27954              ✅      0
 vpatch-CVE-2024-41713              ✅      0
 vpatch-CVE-2025-24893              ✅      0
 cve-2023-42793                     ✅      0
 vpatch-CVE-2019-5418               ✅      0
 vpatch-CVE-2021-26294              ✅      0
 vpatch-CVE-2022-25488              ✅      0
 vpatch-CVE-2022-41082              ✅      0
 vpatch-CVE-2024-27564              ✅      0
 CVE-2023-23752                     ✅      0
 generic-wordpress-uploads-listing  ✅      0
 vpatch-CVE-2018-13379              ✅      0
 CVE-2022-44877                     ✅      0
 CVE-2023-6553                      ✅      0
 appsec-generic-test                ✅      0
 vpatch-CVE-2019-18935              ✅      0
 vpatch-CVE-2025-25257              ✅      0
 vpatch-CVE-2022-26134              ✅      0
 vpatch-CVE-2024-51378              ✅      0
 CVE-2024-1061                      ✅      0
 vpatch-CVE-2024-27348              ✅      0
 CVE-2023-22515                     ✅      0
 CVE-2023-38205                     ✅      0
 CVE-2024-1071                      ✅      0
 vpatch-CVE-2022-1388               ✅      0
 CVE-2023-4634                      ✅      0
 CVE-2023-49070                     ✅      0
 vpatch-CVE-2024-27292              ✅      0
 vpatch-CVE-2025-49132              ✅      0
 CVE-2022-22965                     ✅      0
 generic-freemarker-ssti-body       ✅      0
 CVE-2023-35078                     ✅      0
 vpatch-CVE-2024-32870              ✅      0
 vpatch-CVE-2024-38816              ✅      0
 CVE-2023-46805                     ✅      0
 CVE-2023-50164                     ✅      0
 CVE-2024-22024                     ✅      0
 vpatch-CVE-2024-7593               ✅      0
 vpatch-CVE-2025-49113              ✅      0
 CVE-2019-12989                     ✅      0
 CVE-2023-23489                     ✅      0
 generic-wordpress-uploads-php      ✅      0
 vpatch-CVE-2021-43798              ✅      0
 vpatch-CVE-2021-44529              ✅      0
 vpatch-CVE-2024-28987              ✅      0
 connectwise-auth-bypass            ✅      0
 vpatch-CVE-2024-9465               ✅      0
 CVE-2023-35082                     ✅      0
 vpatch-CVE-2024-51977              ✅      0
 vpatch-CVE-2025-3248               ✅      0
 CVE-2024-29849                     ✅      0
 CVE-2023-33617                     ✅      0
 CVE-2022-35914                     ✅      0
 CVE-2023-7028                      ✅      0
 vpatch-CVE-2022-31499              ✅      0
 vpatch-CVE-2024-29973              ✅      0
 vpatch-CVE-2025-31324              ✅      0
 CVE-2018-10562                     ✅      0
 vpatch-CVE-2024-38856              ✅      0
 vpatch-CVE-2025-28367              ✅      0
 CVE-2023-1389                      ✅      0
 vpatch-CVE-2023-0297               ✅      0
 vpatch-CVE-2024-27198              ✅      0
 CVE-2023-0900                      ✅      0
 CVE-2024-3273                      ✅      0
 symfony_profiler                   ✅      0
 vpatch-CVE-2007-0885               ✅      0
 vpatch-CVE-2024-28255              ✅      0
 vpatch-CVE-2024-3272               ✅      0
 vpatch-CVE-2024-8963               ✅      0
 vpatch-env-access                  ✅      0
 vpatch-CVE-2024-0012               ✅      0
 vpatch-CVE-2024-34102              ✅      0
 vpatch-CVE-2025-29927              ✅      0
───────────────────────────────────────────────────────

phase 2 rules:

crowdsecurity/generic-freemarker-ssti
crowdsecurity/vpatch-CVE-2018-10562
crowdsecurity/vpatch-CVE-2019-12989
crowdsecurity/vpatch-CVE-2020-17496
crowdsecurity/vpatch-CVE-2021-3129
crowdsecurity/vpatch-CVE-2022-22965
crowdsecurity/vpatch-CVE-2023-0297
crowdsecurity/vpatch-CVE-2023-1389
crowdsecurity/vpatch-CVE-2023-22527
crowdsecurity/vpatch-CVE-2023-24489
crowdsecurity/vpatch-CVE-2023-33617
crowdsecurity/vpatch-CVE-2023-40044
crowdsecurity/vpatch-CVE-2023-50164
crowdsecurity/vpatch-CVE-2023-7028
crowdsecurity/vpatch-CVE-2024-22024
crowdsecurity/vpatch-CVE-2024-23897
crowdsecurity/vpatch-CVE-2024-27348
crowdsecurity/vpatch-CVE-2024-27956
crowdsecurity/vpatch-CVE-2024-29824
crowdsecurity/vpatch-CVE-2024-29849
crowdsecurity/vpatch-CVE-2024-29973
crowdsecurity/vpatch-CVE-2024-34102
crowdsecurity/vpatch-CVE-2024-38856
crowdsecurity/vpatch-CVE-2024-51378
crowdsecurity/vpatch-CVE-2024-51567
crowdsecurity/vpatch-CVE-2024-7593
crowdsecurity/vpatch-CVE-2024-8190
crowdsecurity/vpatch-CVE-2024-9465
crowdsecurity/vpatch-CVE-2024-9474
crowdsecurity/vpatch-CVE-2025-31324
crowdsecurity/vpatch-CVE-2025-3248
crowdsecurity/vpatch-CVE-2025-47812
crowdsecurity/vpatch-CVE-2025-52488
crowdsecurity/vpatch-laravel-debug-mode

phase 1 rules:

crowdsecurity/appsec-generic-test
crowdsecurity/base-config
crowdsecurity/experimental-no-user-agent
crowdsecurity/generic-wordpress-uploads-listing
crowdsecurity/generic-wordpress-uploads-php
crowdsecurity/vpatch-connectwise-auth-bypass
crowdsecurity/vpatch-CVE-2002-1131
crowdsecurity/vpatch-CVE-2007-0885
crowdsecurity/vpatch-CVE-2017-9841
crowdsecurity/vpatch-CVE-2018-1000861
crowdsecurity/vpatch-CVE-2018-13379
crowdsecurity/vpatch-CVE-2018-20062
crowdsecurity/vpatch-CVE-2019-1003030
crowdsecurity/vpatch-CVE-2019-18935
crowdsecurity/vpatch-CVE-2019-5418
crowdsecurity/vpatch-CVE-2020-11738
crowdsecurity/vpatch-CVE-2020-5902
crowdsecurity/vpatch-CVE-2020-9054
crowdsecurity/vpatch-CVE-2021-22941
crowdsecurity/vpatch-CVE-2021-26086
crowdsecurity/vpatch-CVE-2021-26294
crowdsecurity/vpatch-CVE-2021-43798
crowdsecurity/vpatch-CVE-2021-44529
crowdsecurity/vpatch-CVE-2022-1388
crowdsecurity/vpatch-CVE-2022-22954
crowdsecurity/vpatch-CVE-2022-25488
crowdsecurity/vpatch-CVE-2022-26134
crowdsecurity/vpatch-CVE-2022-27926
crowdsecurity/vpatch-CVE-2022-31499
crowdsecurity/vpatch-CVE-2022-35914
crowdsecurity/vpatch-CVE-2022-41082
crowdsecurity/vpatch-CVE-2022-44877
crowdsecurity/vpatch-CVE-2022-46169
crowdsecurity/vpatch-CVE-2023-20198
crowdsecurity/vpatch-CVE-2023-22515
crowdsecurity/vpatch-CVE-2023-23752
crowdsecurity/vpatch-CVE-2023-28121
crowdsecurity/vpatch-CVE-2023-34362
crowdsecurity/vpatch-CVE-2023-35078
crowdsecurity/vpatch-CVE-2023-35082
crowdsecurity/vpatch-CVE-2023-3519
crowdsecurity/vpatch-CVE-2023-38205
crowdsecurity/vpatch-CVE-2023-42793
crowdsecurity/vpatch-CVE-2023-46805
crowdsecurity/vpatch-CVE-2023-47218
crowdsecurity/vpatch-CVE-2023-49070
crowdsecurity/vpatch-CVE-2023-6553
crowdsecurity/vpatch-CVE-2024-0012
crowdsecurity/vpatch-CVE-2024-1212
crowdsecurity/vpatch-CVE-2024-27198
crowdsecurity/vpatch-CVE-2024-27292
crowdsecurity/vpatch-CVE-2024-27564
crowdsecurity/vpatch-CVE-2024-27954
crowdsecurity/vpatch-CVE-2024-28255
crowdsecurity/vpatch-CVE-2024-28987
crowdsecurity/vpatch-CVE-2024-32113
crowdsecurity/vpatch-CVE-2024-3272
crowdsecurity/vpatch-CVE-2024-3273
crowdsecurity/vpatch-CVE-2024-32870
crowdsecurity/vpatch-CVE-2024-38816
crowdsecurity/vpatch-CVE-2024-41713
crowdsecurity/vpatch-CVE-2024-4577
crowdsecurity/vpatch-CVE-2024-51977
crowdsecurity/vpatch-CVE-2024-52301
crowdsecurity/vpatch-CVE-2024-57727
crowdsecurity/vpatch-CVE-2024-6205
crowdsecurity/vpatch-CVE-2024-8963
crowdsecurity/vpatch-CVE-2025-24893
crowdsecurity/vpatch-CVE-2025-25257
crowdsecurity/vpatch-CVE-2025-28367
crowdsecurity/vpatch-CVE-2025-29306
crowdsecurity/vpatch-CVE-2025-29927
crowdsecurity/vpatch-CVE-2025-31161
crowdsecurity/vpatch-CVE-2025-49113
crowdsecurity/vpatch-CVE-2025-49132
crowdsecurity/vpatch-env-access
crowdsecurity/vpatch-git-config
crowdsecurity/vpatch-symfony-profiler

You can see most rules will optimize into phase:1

@LaurenceJJones LaurenceJJones modified the milestones: Future release, 1.7.5 Dec 9, 2025
@mmetc mmetc modified the milestones: 1.7.5, Next release, 1.7.6 Jan 19, 2026
@mmetc mmetc modified the milestones: 1.7.6, 1.7.7 Jan 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@mmetc mmetc

Labels

area/appsec kind/feature

Projects

None yet

Milestone

1.7.7

Development

Successfully merging this pull request may close these issues.

2 participants

@LaurenceJJones @mmetc