nginx · oliveromahony · Mar 25, 2024 · Mar 18, 2024
@@ -1276,6 +1276,7 @@ Represents App Protect WAF details
 | health | [AppProtectWAFHealth](#f5-nginx-agent-sdk-AppProtectWAFHealth) |  | App Protect Health details (This is being deprecated and will be removed in a future release) |
 | waf_location | [string](#string) |  | Location of WAF metadata file |
 | precompiled_publication | [bool](#bool) |  | Determines whether the publication of NGINX App Protect pre-compiled content from an external source is supported |
+| waf_release | [string](#string) |  | WAF release |
 
 
 

@@ -19,6 +19,8 @@ message AppProtectWAFDetails {
   string waf_location = 5 [(gogoproto.jsontag) = "waf_location"];
   // Determines whether the publication of NGINX App Protect pre-compiled content from an external source is supported
   bool precompiled_publication = 6 [(gogoproto.jsontag) = "precompiled_publication"];
+  // WAF release
+  string waf_release = 7 [(gogoproto.jsontag) = "waf_release"];
 }
 
 // Represents the health of App Protect WAF

@@ -9,7 +9,7 @@ package nap
 
 const (
 	NAP_VERSION_FILE         = "/opt/app_protect/VERSION"
-	BD_SOCKET_PLUGIN_PATH    = "/usr/share/ts/bin/bd-socket-plugin"
+	NAP_RELEASE_FILE         = "/opt/app_protect/RELEASE"
 	BD_SOCKET_PLUGIN_PROCESS = "bd-socket-plugin"
 
 	// TODO: Rather than using the update yaml files for attack signatures and threat

@@ -28,7 +28,7 @@ const (
 )
 
 var (
-	requiredNAPFiles    = []string{BD_SOCKET_PLUGIN_PATH, NAP_VERSION_FILE}
+	requiredNAPFiles    = []string{NAP_VERSION_FILE, NAP_RELEASE_FILE}
 	requireNAPProcesses = []string{BD_SOCKET_PLUGIN_PROCESS}
 	processCheckFunc    = core.CheckForProcesses
 )
@@ -56,7 +56,7 @@ func NewNginxAppProtect(optDirPath, symLinkDir string) (*NginxAppProtect, error)
 	// Get the release version of NAP on the system if NAP is installed
 	var napRelease *NAPRelease
 	if status != MISSING {
-		napRelease, err = installedNAPRelease(NAP_VERSION_FILE)
+		napRelease, err = installedNAPRelease(NAP_VERSION_FILE, NAP_RELEASE_FILE)
 		if err != nil {
 			return nil, err
 		}
@@ -107,7 +107,7 @@ func (nap *NginxAppProtect) Monitor(pollInterval time.Duration) chan NAPReportBu
 func (nap *NginxAppProtect) monitor(msgChannel chan NAPReportBundle, pollInterval time.Duration) {
 	// Initial symlink sync
 	if nap.Release.VersioningDetails.NAPRelease != "" {
-		err := nap.syncSymLink("", nap.Release.VersioningDetails.NAPRelease)
+		err := nap.syncSymLink("", nap.Release.VersioningDetails.NAPBuild)
 		if err != nil {
 			log.Errorf("Error occurred while performing initial sync for NAP symlink  - %v", err)
 		}
@@ -137,7 +137,7 @@ func (nap *NginxAppProtect) monitor(msgChannel chan NAPReportBundle, pollInterva
 			previousReport := nap.GenerateNAPReport()
 			log.Infof("Change in NAP detected... \nPrevious: %+v\nUpdated: %+v\n", previousReport, newNAPReport)
 
-			err = nap.syncSymLink(nap.Release.VersioningDetails.NAPRelease, newNAPReport.NAPVersion)
+			err = nap.syncSymLink(nap.Release.VersioningDetails.NAPBuild, newNAPReport.NAPVersion)
 			if err != nil {
 				log.Errorf("Got the following error syncing NAP symlink - %v", err)
 				break
@@ -237,7 +237,8 @@ func (nap *NginxAppProtect) removeNAPSymlinks(symlinkPatternToIgnore string) err
 // to be in sync with the current system NAP values.
 func (nap *NginxAppProtect) GenerateNAPReport() NAPReport {
 	return NAPReport{
-		NAPVersion:              nap.Release.VersioningDetails.NAPRelease,
+		NAPVersion:              nap.Release.VersioningDetails.NAPBuild,
+		NAPRelease:              nap.Release.VersioningDetails.NAPRelease,
 		Status:                  nap.Status,
 		AttackSignaturesVersion: nap.AttackSignaturesVersion,
 		ThreatCampaignsVersion:  nap.ThreatCampaignsVersion,

@@ -73,6 +73,7 @@ func UpdateMetadata(
 
 	metadata := &Metadata{
 		NapVersion:                       appProtectWAFDetails.GetWafVersion(),
+		NapRelease:                       appProtectWAFDetails.GetWafRelease(),
 		PrecompiledPublication:           appProtectWAFDetails.GetPrecompiledPublication(),
 		AttackSignatureRevisionTimestamp: appProtectWAFDetails.GetAttackSignaturesVersion(),
 		ThreatCampaignRevisionTimestamp:  appProtectWAFDetails.GetThreatCampaignsVersion(),

@@ -27,7 +27,8 @@ const (
 	nginxID  = "1"
 	systemID = "2"
 
-	wafVersion                 = "4.2.0"
+	wafVersion                 = "4.815.0"
+	wafRelease                 = "4.8.1"
 	wafAttackSignaturesVersion = "2023.01.01"
 	wafThreatCampaignsVersion  = "2023.01.02"
 )
@@ -57,7 +58,8 @@ var (
 	}`
 
 	metadata1 = `{
-	"napVersion": "4.2.0",
+	"napVersion": "4.815.0",
+	"napRelease": "4.8.1",
 	"precompiledPublication": false,
 	"attackSignatureRevisionTimestamp": "2023.01.09",
 	"threatCampaignRevisionTimestamp": "2023.01.04",
@@ -77,7 +79,8 @@ var (
 }`
 
 	metadata2 = `{
-	"napVersion":"4.2.0",
+	"napVersion":"4.815.0",
+	"napRelease":"4.8.1",
 	"precompiledPublication": true,
 	"attackSignatureRevisionTimestamp": "2023.01.09",
 	"threatCampaignRevisionTimestamp": "2023.01.04",
@@ -96,9 +99,9 @@ var (
 	]
 }`
 
-	expectedFalse = `{"napVersion":"4.2.0","precompiledPublication":false,"attackSignatureRevisionTimestamp":"2023.01.01","threatCampaignRevisionTimestamp":"2023.01.02","policyMetadata":[{"name":"my-nap-policy.json"}],"logProfileMetadata":[{"name":"log-all.json"}]}`
+	expectedFalse = `{"napVersion":"4.815.0","napRelease":"4.8.1","precompiledPublication":false,"attackSignatureRevisionTimestamp":"2023.01.01","threatCampaignRevisionTimestamp":"2023.01.02","policyMetadata":[{"name":"my-nap-policy.json"}],"logProfileMetadata":[{"name":"log-all.json"}]}`
 
-	expectedTrue = `{"napVersion":"4.2.0","precompiledPublication":true,"attackSignatureRevisionTimestamp":"2023.01.01","threatCampaignRevisionTimestamp":"2023.01.02","policyMetadata":[{"name":"my-nap-policy.json"}],"logProfileMetadata":[{"name":"log-all.json"}]}`
+	expectedTrue = `{"napVersion":"4.815.0","napRelease":"4.8.1","precompiledPublication":true,"attackSignatureRevisionTimestamp":"2023.01.01","threatCampaignRevisionTimestamp":"2023.01.02","policyMetadata":[{"name":"my-nap-policy.json"}],"logProfileMetadata":[{"name":"log-all.json"}]}`
 )
 
 func TestUpdateNapMetadata(t *testing.T) {
@@ -166,6 +169,7 @@ func TestUpdateNapMetadata(t *testing.T) {
 
 			appProtectWAFDetails := &proto.AppProtectWAFDetails{
 				WafVersion:              wafVersion,
+				WafRelease:              wafRelease,
 				AttackSignaturesVersion: wafAttackSignaturesVersion,
 				ThreatCampaignsVersion:  wafThreatCampaignsVersion,
 				WafLocation:             metadataFile,

@@ -17,36 +17,40 @@ import (
 
 // installedNAPRelease gets the NAP release version based off the Nginx App Protect installed
 // on the system.
-func installedNAPRelease(versionFile string) (*NAPRelease, error) {
-	// Get build version of NAP, so we can determine the release  details
-	napBuildVersion, err := installedNAPBuildVersion(versionFile)
+func installedNAPRelease(versionFile, releaseFile string) (*NAPRelease, error) {
+	// Get build version of NAP, so we can determine the release details
+	napBuildVersion, err := installedNAP(versionFile)
+	if err != nil {
+		return nil, err
+	}
+	napRelease, err := installedNAP(releaseFile)
 	if err != nil {
 		return nil, err
 	}
 
-	unmappedRelease := ReleaseUnmappedBuild(napBuildVersion)
+	unmappedRelease := ReleaseUnmappedBuild(napBuildVersion, napRelease)
 	return &unmappedRelease, nil
 }
 
-// installedNAPBuildVersion gets the NAP build version based off the Nginx App Protect installed
+// installedNAP gets the NAP version or release based off the Nginx App Protect installed
 // on the system.
-func installedNAPBuildVersion(versionFile string) (string, error) {
+func installedNAP(file string) (string, error) {
 	// Check if nap version file exists
-	exists, err := core.FileExists(versionFile)
+	exists, err := core.FileExists(file)
 	if !exists && err == nil {
-		return "", fmt.Errorf(FILE_NOT_FOUND, versionFile)
+		return "", fmt.Errorf(FILE_NOT_FOUND, file)
 	} else if err != nil {
 		return "", err
 	}
 
-	versionBytes, err := os.ReadFile(versionFile)
+	bytes, err := os.ReadFile(file)
 	if err != nil {
 		return "", err
 	}
 
-	// Remove the trailing '\n' from the version string since it was read
+	// Remove the trailing '\n' from the string since it was read
 	// from a file
-	version := strings.Split(string(versionBytes), "\n")[0]
+	napNumber := strings.Split(string(bytes), "\n")[0]
 
-	return version, nil
+	return napNumber, nil
 }