Add bot signature version to AppProtectWAFDetails (#1240)

Author: dhurley

docs/proto/proto.md

@@ -1278,6 +1278,7 @@ Represents App Protect WAF details
 | waf_location | [string](#string) |  | Location of WAF metadata file |
 | precompiled_publication | [bool](#bool) |  | Determines whether the publication of NGINX App Protect pre-compiled content from an external source is supported |
 | waf_release | [string](#string) |  | WAF release |
+| bot_signatures_version | [string](#string) |  | Bot Signatures version |
 
 
 

sdk/proto/nap.pb.go

@@ -21,6 +21,8 @@ message AppProtectWAFDetails {
   bool precompiled_publication = 6 [(gogoproto.jsontag) = "precompiled_publication"];
   // WAF release
   string waf_release = 7 [(gogoproto.jsontag) = "waf_release"];
+  // Bot Signatures version
+  string bot_signatures_version = 8 [(gogoproto.jsontag) = "bot_signatures_version"];
 }
 
 // Represents the health of App Protect WAF

sdk/proto/nap.proto

@@ -0,0 +1,54 @@
+/**
+ * Copyright (c) F5, Inc.
+ *
+ * This source code is licensed under the Apache License, Version 2.0 license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+package nap
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/nginx/agent/v2/src/core"
+
+	"gopkg.in/yaml.v2"
+)
+
+// botSignaturesVersion gets the version of the bot signatures package that is
+// installed on the system, the version format is YYYY.MM.DD.
+func botSignaturesVersion(versionFile string) (string, error) {
+	// Check if bot signatures version file exists
+	logger.Debugf("Checking for the required NAP bot signatures version file - %v\n", versionFile)
+	installed, err := core.FileExists(versionFile)
+	if !installed && err == nil {
+		return "", nil
+	} else if err != nil {
+		return "", err
+	}
+
+	// Get the version bytes
+	versionBytes, err := os.ReadFile(versionFile)
+	if err != nil {
+		return "", err
+	}
+
+	// Read bytes into object
+	botSigVersionDateTime := napRevisionDateTime{}
+	err = yaml.Unmarshal([]byte(versionBytes), &botSigVersionDateTime)
+	if err != nil {
+		return "", err
+	}
+
+	// Convert revision date into the proper version format
+	botSigTime, err := time.Parse(time.RFC3339, botSigVersionDateTime.RevisionDatetime)
+	if err != nil {
+		return "", err
+	}
+	botSignatureReleaseVersion := fmt.Sprintf("%d.%02d.%02d", botSigTime.Year(), botSigTime.Month(), botSigTime.Day())
+	logger.Debugf("Converted bot signature version (%s) found in %s to - %s\n", botSigVersionDateTime.RevisionDatetime, BOT_SIGNATURES_UPDATE_FILE, botSignatureReleaseVersion)
+
+	return botSignatureReleaseVersion, nil
+}

src/extensions/nginx-app-protect/nap/bot_signatures.go

@@ -0,0 +1,71 @@
+/**
+ * Copyright (c) F5, Inc.
+ *
+ * This source code is licensed under the Apache License, Version 2.0 license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+package nap
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	testBotSigVersionFile         = "/tmp/test-bot-sigs-version.yaml"
+	testBotSigVersionFileContents = `---
+checksum: nmlUse0aQzwLvuAaqDW/Jw
+filename: bot_signatures.bin.tgz
+revisionDatetime: 2025-08-21T11:30:33Z
+`
+)
+
+func Test_BotSignaturesVersion(t *testing.T) {
+	testCases := []struct {
+		testName       string
+		versionFile    string
+		botSigDateTime *napRevisionDateTime
+		expVersion     string
+		expError       error
+	}{
+		{
+			testName:    "BotSignaturesInstalled",
+			versionFile: testBotSigVersionFile,
+			botSigDateTime: &napRevisionDateTime{
+				RevisionDatetime: "2025-08-21T11:30:33Z",
+			},
+			expVersion: "2025.08.21",
+			expError:   nil,
+		},
+		{
+			testName:       "BotSignaturesNotInstalled",
+			versionFile:    BOT_SIGNATURES_UPDATE_FILE,
+			botSigDateTime: nil,
+			expVersion:     "",
+			expError:       nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.testName, func(t *testing.T) {
+			// Create a fake version file if required by test
+			if tc.botSigDateTime != nil {
+				err := os.WriteFile(tc.versionFile, []byte(testBotSigVersionFileContents), 0o644)
+				require.NoError(t, err)
+
+				defer func() {
+					err := os.Remove(tc.versionFile)
+					require.NoError(t, err)
+				}()
+			}
+
+			version, err := botSignaturesVersion(tc.versionFile)
+			assert.Equal(t, err, tc.expError)
+			assert.Equal(t, tc.expVersion, version)
+		})
+	}
+}

src/extensions/nginx-app-protect/nap/bot_signatures_test.go

@@ -25,6 +25,7 @@ const (
 	// THREAT_CAMPAIGN_VERSION_FILE  = "/opt/app_protect/var/update_files/threat_campaigns/version"
 	ATTACK_SIGNATURES_UPDATE_FILE = "/opt/app_protect/var/update_files/signatures/signature_update.yaml"
 	THREAT_CAMPAIGNS_UPDATE_FILE  = "/opt/app_protect/var/update_files/threat_campaigns/threat_campaign_update.yaml"
+	BOT_SIGNATURES_UPDATE_FILE    = "/opt/app_protect/var/update_files/bot_signatures/bot_signature_update.yaml"
 
 	APP_PROTECT_METADATA_FILE_PATH = "/etc/nms/app_protect_metadata.json"
 )

src/extensions/nginx-app-protect/nap/const.go

@@ -46,6 +46,7 @@ func NewNginxAppProtect(optDirPath, symLinkDir string) (*NginxAppProtect, error)
 		Release:                 NAPRelease{},
 		AttackSignaturesVersion: "",
 		ThreatCampaignsVersion:  "",
+		BotSignaturesVersion:    "",
 		optDirPath:              optDirPath,
 		symLinkDir:              symLinkDir,
 	}
@@ -77,10 +78,18 @@ func NewNginxAppProtect(optDirPath, symLinkDir string) (*NginxAppProtect, error)
 		return nil, err
 	}
 
+	// Get bot signatures version
+	botSigsVersion, err := botSignaturesVersion(BOT_SIGNATURES_UPDATE_FILE)
+	if err != nil && err.Error() != fmt.Sprintf(FILE_NOT_FOUND, BOT_SIGNATURES_UPDATE_FILE) {
+		return nil, err
+	}
+
 	// Update the NAP object with the values from NAP on the system
 	nap.Status = status.String()
 	nap.AttackSignaturesVersion = attackSigsVersion
 	nap.ThreatCampaignsVersion = threatCampaignsVersion
+	nap.BotSignaturesVersion = botSigsVersion
+
 	if napRelease != nil {
 		nap.Release = *napRelease
 	}
@@ -156,6 +165,7 @@ func (nap *NginxAppProtect) monitor(ctx context.Context, msgChannel chan NAPRepo
 			nap.Release = newNap.Release
 			nap.AttackSignaturesVersion = newNap.AttackSignaturesVersion
 			nap.ThreatCampaignsVersion = newNap.ThreatCampaignsVersion
+			nap.BotSignaturesVersion = newNap.BotSignaturesVersion
 			mu.Unlock()
 
 			// Send the update message through the channel
@@ -255,6 +265,7 @@ func (nap *NginxAppProtect) GenerateNAPReport() NAPReport {
 		Status:                  nap.Status,
 		AttackSignaturesVersion: nap.AttackSignaturesVersion,
 		ThreatCampaignsVersion:  nap.ThreatCampaignsVersion,
+		BotSignaturesVersion:    nap.BotSignaturesVersion,
 	}
 }
 
@@ -265,7 +276,8 @@ func (nap *NginxAppProtect) napReportIsEqual(incomingNAPReport NAPReport) bool {
 	return (currentNAPReport.NAPVersion == incomingNAPReport.NAPVersion) &&
 		(currentNAPReport.Status == incomingNAPReport.Status) &&
 		(currentNAPReport.AttackSignaturesVersion == incomingNAPReport.AttackSignaturesVersion) &&
-		(currentNAPReport.ThreatCampaignsVersion == incomingNAPReport.ThreatCampaignsVersion)
+		(currentNAPReport.ThreatCampaignsVersion == incomingNAPReport.ThreatCampaignsVersion) &&
+		(currentNAPReport.BotSignaturesVersion == incomingNAPReport.BotSignaturesVersion)
 }
 
 // napInstalled determines if NAP is installed on the system. If NAP is NOT installed on the

src/extensions/nginx-app-protect/nap/nap.go

@@ -17,6 +17,7 @@ type NginxAppProtect struct {
 	Release                 NAPRelease
 	AttackSignaturesVersion string
 	ThreatCampaignsVersion  string
+	BotSignaturesVersion    string
 	optDirPath              string
 	symLinkDir              string
 }
@@ -28,6 +29,7 @@ type NAPReport struct {
 	NAPRelease              string
 	AttackSignaturesVersion string
 	ThreatCampaignsVersion  string
+	BotSignaturesVersion    string
 }
 
 // NAPReportBundle is meant to capture the NAPReport before an update
@@ -100,6 +102,8 @@ type Metadata struct {
 	AttackSignatureUID               string            `json:"attackSignatureUID,omitempty"`
 	ThreatCampaignRevisionTimestamp  string            `json:"threatCampaignRevisionTimestamp,omitempty"`
 	ThreatCampaignUID                string            `json:"threatCampaignUID,omitempty"`
+	BotSignatureRevisionTimestamp    string            `json:"botSignatureRevisionTimestamp,omitempty"`
+	BotSignatureUID                  string            `json:"botSignatureUID,omitempty"`
 	Policies                         []*BundleMetadata `json:"policyMetadata,omitempty"`
 	Profiles                         []*BundleMetadata `json:"logProfileMetadata,omitempty"`
 }