[ASM] WAF error span tags (#6729)

## Summary of changes

This PR adds the new error span tags for ASM. It adds the error tags
containing the error returned by the WAF.

These tags are defined in [this
RFC](https://docs.google.com/document/d/1D4hkC0jwwUyeo0hEQgyKP54kM1LZU98GL8MaP60tQrA/edit?tab=t.0).

## Reason for change

## Implementation details

## Test coverage

## Other details
<!-- Fixes #{issue} -->

<!-- ⚠️ Note: where possible, please obtain 2 approvals prior to
merging. Unless CODEOWNERS specifies otherwise, for external teams it is
typically best to have one review from a team member, and one review
from apm-dotnet. Trivial changes do not require 2 reviews. -->

Author: NachoEchevarria

tracer/src/Datadog.Trace/AppSec/AppSecRequestContext.cs

@@ -24,6 +24,8 @@ internal partial class AppSecRequestContext
     private readonly object _sync = new();
     private readonly RaspTelemetryHelper? _raspTelemetryHelper = Security.Instance.RaspEnabled ? new RaspTelemetryHelper() : null;
     private readonly List<object> _wafSecurityEvents = new();
+    private int? _wafError = null;
+    private int? _wafRaspError = null;
     private Dictionary<string, List<Dictionary<string, object>>>? _raspStackTraces;
 
     internal void CloseWebSpan(TraceTagCollection tags, Span span)
@@ -50,10 +52,36 @@ internal void CloseWebSpan(TraceTagCollection tags, Span span)
                 span.SetMetaStruct(StackKey, MetaStructHelper.ObjectToByteArray(_raspStackTraces));
             }
 
+            if (_wafError != null)
+            {
+                tags.SetTag(Tags.WafError, _wafError.ToString());
+            }
+
+            if (_wafRaspError != null)
+            {
+                tags.SetTag(Tags.RaspWafError, _wafRaspError.ToString());
+            }
+
             _raspTelemetryHelper?.GenerateRaspSpanMetricTags(span.Tags);
         }
     }
 
+    internal void CheckWAFError(int code, bool isRasp)
+    {
+        int? existingValue = isRasp ? _wafRaspError : _wafError;
+        if (code < 0 && (existingValue == null || existingValue < code))
+        {
+            if (isRasp)
+            {
+                _wafRaspError = code;
+            }
+            else
+            {
+                _wafError = code;
+            }
+        }
+    }
+
     internal void AddRaspSpanMetrics(ulong duration, ulong durationWithBindings, bool timeout)
     {
         lock (_sync)

tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs

@@ -73,6 +73,7 @@ internal readonly partial struct SecurityCoordinator
                          ? additiveContext.RunWithEphemeral(args, _security.Settings.WafTimeoutMicroSeconds, isRasp)
                          : additiveContext.Run(args, _security.Settings.WafTimeoutMicroSeconds);
 
+            SetErrorInformation(isRasp, result);
             SecurityReporter.RecordTelemetry(result);
         }
         catch (Exception ex) when (ex is not BlockException)
@@ -94,6 +95,14 @@ internal readonly partial struct SecurityCoordinator
         return result;
     }
 
+    private void SetErrorInformation(bool isRasp, IResult? result)
+    {
+        if (result is not null)
+        {
+            _localRootSpan.Context.TraceContext.AppSecRequestContext.CheckWAFError((int)result.ReturnCode, isRasp);
+        }
+    }
+
     internal static Span TryGetRoot(Span span) => span.Context.TraceContext?.RootSpan ?? span;
 
     public IResult? RunWafForUser(string? userId = null, string? userLogin = null, string? userSessionId = null, bool fromSdk = false, Dictionary<string, string>? otherTags = null)
@@ -129,6 +138,7 @@ internal readonly partial struct SecurityCoordinator
 
                 // run the WAF and execute the results
                 result = additiveContext.Run(userAddresses, _security.Settings.WafTimeoutMicroSeconds);
+                SetErrorInformation(false, result);
                 additiveContext.CommitUserRuns(userAddresses, fromSdk);
                 RecordTelemetry(result);
 

tracer/src/Datadog.Trace/Tags.cs

@@ -614,6 +614,16 @@ public static partial class Tags
         /// </summary>
         internal const string AppSecWafVersion = "_dd.appsec.waf.version";
 
+        /// <summary>
+        /// The most relevant WAF error code during a request
+        /// </summary>
+        public const string WafError = "_dd.appsec.waf.error";
+
+        /// <summary>
+        /// The most relevant WAF error code during a request when using RASP
+        /// </summary>
+        public const string RaspWafError = "_dd.appsec.rasp.error";
+
         /// <summary>
         ///  String-serialized JSON array, each item being a map containing:
         ///  Error(e) - the error string.

tracer/test/Datadog.Trace.Security.Unit.Tests/AppSecContextTests.cs

@@ -0,0 +1,35 @@
+// <copyright file="AppSecContextTests.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+using System.Collections.Generic;
+using Datadog.Trace.Configuration;
+using Datadog.Trace.Tagging;
+using FluentAssertions;
+using Xunit;
+
+namespace Datadog.Trace.Security.Unit.Tests;
+
+public class AppSecContextTests
+{
+    [InlineData(-2, -2, -1, -2, -1)]
+    [InlineData(2, -2, -1, null, -1)]
+    [InlineData(2, 2, 1, null, null)]
+    [Theory]
+    public void GivenAQuery_WhenWAFError_ThenSpanHasErrorTags(int raspErrorCode, int wafErrorCode, int wafErrorCode2, int? expectedRaspErrorCode, int? expectedWafErrorCode)
+    {
+        var settings = TracerSettings.Create(new Dictionary<string, object>());
+        var tracer = new Tracer(settings, null, null, null, null);
+        var rootTestScope = (Scope)tracer.StartActive("test.trace");
+
+        var appSecContext = rootTestScope.Span.Context.TraceContext.AppSecRequestContext;
+        appSecContext.CheckWAFError(raspErrorCode, true);
+        appSecContext.CheckWAFError(wafErrorCode, false);
+        appSecContext.CheckWAFError(wafErrorCode2, false);
+        TraceTagCollection tags = new();
+        appSecContext.CloseWebSpan(tags, rootTestScope.Span);
+        tags.GetTag(Tags.WafError).Should().Be(expectedWafErrorCode?.ToString());
+        tags.GetTag(Tags.RaspWafError).Should().Be(expectedRaspErrorCode?.ToString());
+    }
+}