adapt rasp screenshots

tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore2Rasp.cs

@@ -101,7 +101,7 @@ public async Task TestRaspRequest(string url, string exploit)
         var settings = VerifyHelper.GetSpanVerifierSettings();
         settings.UseParameters(url, exploit);
         settings.AddIastScrubbing();
-        await VerifySpans(spansFiltered.ToImmutableList(), settings, testName: testName, methodNameOverride: exploit);
+        await VerifySpans(spansFiltered.ToImmutableList(), settings, testName: testName, methodNameOverride: exploit, scrubOnlySession: true);
     }
 
     [SkippableTheory]
@@ -120,7 +120,7 @@ public async Task TestRaspRequestSqlInBody(string url, string exploit, string bo
         var settings = VerifyHelper.GetSpanVerifierSettings();
         settings.UseParameters(url, exploit, body);
         settings.AddIastScrubbing();
-        await VerifySpans(spansFiltered.ToImmutableList(), settings, testName: testName, methodNameOverride: exploit);
+        await VerifySpans(spansFiltered.ToImmutableList(), settings, testName: testName, methodNameOverride: exploit, scrubOnlySession: true);
     }
 }
 #endif

tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore5Rasp.cs

@@ -57,7 +57,7 @@ public async Task TestRaspRequest_ThenDisableRule_ThenEnableAgain(string url, st
         var spansFiltered = spans.Where(x => x.Type == SpanTypes.Web).ToList();
         var settings = VerifyHelper.GetSpanVerifierSettings();
         settings.UseParameters(url, exploit);
-        await VerifySpans(spansFiltered.ToImmutableList(), settings, testName: testName, methodNameOverride: exploit);
+        await VerifySpans(spansFiltered.ToImmutableList(), settings, testName: testName, methodNameOverride: exploit, scrubOnlySession: true);
     }
 }
 
@@ -125,7 +125,7 @@ public async Task TestRaspRequest(string url, string exploit)
         var settings = VerifyHelper.GetSpanVerifierSettings();
         settings.UseParameters(url, exploit);
         settings.AddIastScrubbing();
-        await VerifySpans(spansFiltered.ToImmutableList(), settings, testName: testName, methodNameOverride: exploit);
+        await VerifySpans(spansFiltered.ToImmutableList(), settings, testName: testName, methodNameOverride: exploit, scrubOnlySession: true);
     }
 
     [SkippableTheory]
@@ -144,7 +144,7 @@ public async Task TestRaspRequestSqlInBody(string url, string exploit, string bo
         var settings = VerifyHelper.GetSpanVerifierSettings();
         settings.UseParameters(url, exploit, body);
         settings.AddIastScrubbing();
-        await VerifySpans(spansFiltered.ToImmutableList(), settings, testName: testName, methodNameOverride: exploit);
+        await VerifySpans(spansFiltered.ToImmutableList(), settings, testName: testName, methodNameOverride: exploit, scrubOnlySession: true);
     }
 }
 #endif

tracer/test/Datadog.Trace.Security.IntegrationTests/VerifyScrubber.cs

@@ -15,6 +15,7 @@ internal static class VerifyScrubber
 {
     // the fingerprint is as follows: ssn-<user id hash>-<cookie fields hash>-<cookie values hash>-<session id hash>
     private static readonly Regex AppSecFingerPrintCookiesAndSession = new(@"_dd\.appsec\.fp\.session: ssn-[a-zA-Z0-9]*-(?<CookieFields>[a-zA-Z0-9]*)-(?<CookieValues>[a-zA-Z0-9]*)-(?<SessionFp>[a-zA-Z0-9]*),", RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.Multiline);
+    private static readonly Regex AppSecFingerPrintSession = new(@"_dd\.appsec\.fp\.session: ssn-[a-zA-Z0-9]*-[a-zA-Z0-9]*-[a-zA-Z0-9]*-(?<SessionFp>[a-zA-Z0-9]*),", RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.Multiline);
     private static readonly Regex AuthenticationCollectionMode = new(@"_dd.appsec.user.collection_mode: .*,", RegexOptions.IgnoreCase | RegexOptions.Compiled);
 
     /// <summary>
@@ -39,12 +40,12 @@ internal static void ScrubAuthenticatedTags(VerifySettings settings)
     /// if we have: _dd.appsec.fp.session: ssn-asd1--- > _dd.appsec.fp.session: ssn-asd1---,
     /// </summary>
     /// <param name="settings">settings</param>
-    internal static void ScrubSessionFingerprint(this VerifySettings settings)
+    internal static void ScrubSessionFingerprint(this VerifySettings settings, bool onlySession = false)
     {
         settings.AddScrubber(
             s =>
             {
-                var result = AppSecFingerPrintCookiesAndSession.Matches(s.ToString());
+                var result = onlySession ? AppSecFingerPrintSession.Matches(s.ToString()) : AppSecFingerPrintCookiesAndSession.Matches(s.ToString());
                 var indexAdjustment = 0;
                 if (result.Count == 0) { return; }
 

tracer/test/snapshots/Rasp.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=-bin-rebootCommand&argumentLine=-f&fromShell=false_exploit=CmdI.verified.txt

@@ -50,7 +50,7 @@
       _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: ssn--bd9bce81-<CookieValues>-<SessionFp>,
+      _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-110","name":"OS command injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"cmdi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/bin/rebootCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt

@@ -50,7 +50,7 @@
       _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: ssn--bd9bce81-<CookieValues>-<SessionFp>,
+      _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell command injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt

@@ -50,7 +50,7 @@
       _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: ssn--bd9bce81-<CookieValues>-<SessionFp>,
+      _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt

@@ -50,7 +50,7 @@
       _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: ssn--bd9bce81-<CookieValues>-<SessionFp>,
+      _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt

@@ -50,7 +50,7 @@
       span.kind: server,
       _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: ssn--bd9bce81-<CookieValues>-<SessionFp>,
+      _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/RaspIast.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=-bin-rebootCommand&argumentLine=-f&fromShell=false_exploit=CmdI.verified.txt

@@ -50,7 +50,7 @@
       _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: ssn--bd9bce81-<CookieValues>-<SessionFp>,
+      _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-110","name":"OS command injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"cmdi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/bin/rebootCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.iast.enabled: 1,
       _dd.iast.json:

tracer/test/snapshots/RaspIast.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt

@@ -50,7 +50,7 @@
       _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: ssn--bd9bce81-<CookieValues>-<SessionFp>,
+      _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell command injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.iast.enabled: 1,
       _dd.iast.json:

tracer/test/snapshots/RaspIast.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt

@@ -50,7 +50,7 @@
       _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: ssn--bd9bce81-<CookieValues>-<SessionFp>,
+      _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.iast.enabled: 1,
       _dd.iast.json:

tracer/test/snapshots/RaspIast.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt

@@ -50,7 +50,7 @@
       _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: ssn--bd9bce81-<CookieValues>-<SessionFp>,
+      _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.iast.enabled: 1,
       _dd.iast.json:

tracer/test/snapshots/RaspRCM.RuleEnableDisableEnable.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt

@@ -51,7 +51,7 @@
       _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
       _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: ssn--bd9bce81-<CookieValues>-<SessionFp>,
+      _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet
@@ -176,7 +176,7 @@
       _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
       _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: ssn--bd9bce81-<CookieValues>-<SessionFp>,
+      _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet