From 990e73c55fb070225bdb853ab2334efe7c151dc2 Mon Sep 17 00:00:00 2001 From: Anil Mahtani <929854+Anilm3@users.noreply.github.com> Date: Tue, 10 Dec 2024 15:31:55 +0000 Subject: [PATCH] Release v1.22.0 (#362) --- CHANGELOG.md | 30 ++++++++++++++++++++++++++++++ version | 2 +- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ed6a553b..297f9f0a5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,34 @@ # libddwaf release +## v1.22.0 ([unstable](https://github.com/DataDog/libddwaf/blob/master/README.md#versioning-semantics)) +### New features + +This new version of `libddwaf` introduces an important new feature: module-based rule evaluation precedence. This new feature ensures that rules are evaluated in a specified order, based on the module they belong to, which specifies the absolute precedence of the rules contained within it, as well as a set of criteria which determines the relative precedence within the module. + +Rules within a module are organised based on whether they are in blocking mode or monitoring mode, with the former always having precedence over the latter. In addition, two rules of the same mode are then organised based on whether they belong to the base ruleset (datadog-owned) or the custom ruleset (customer-owned), as some modules give precedence to one over the other. + +The modules defined in this version, in their evaluation order, are the following: +- `network-acl`: specifically containing IP denylist rules. In this module, precedence is given to rules within the base ruleset over the custom ruleset. Additionally, this module does not adhere to the user-provided timeout. +- `authentication-acl`: specifically containing user denylist rules. In this module, precedence is given to rules within the base ruleset over the custom ruleset. Additionally, this module does not adhere to the user-provided timeout. +- `custom-acl`: this module contains custom denylist rules, without restriction on the type of inputs targeted. As the name suggests, precedence is given to rules within the custom ruleset. +- `configuration`: this module contains rules for detecting misconfigurations and / or configuration restrictions, giving also precedence to rules within the custom ruleset. +- `business-logic`: containing rules used to identify and / or block business logic events, also giving precedence to rules within the custom ruleset. 
+- `rasp`: containing exclusively exploit prevention rules. To ensure the effectivenes of exploit prevention rules, this module gives precedence to rules within the base ruleset. +- `waf`: this module contains rules for detecting attacks exclusively based on the request inputs. Rules within this module are organised by rule type, in what is known as rule collections. This organisation is primarily used to ensure that only a single match of a given type is generated per context, but it also has a marginal impact on the rule evaluation order, as rules are clustered together by type as much as possible. In addition, precedence is given to rules within the custom ruleset rather than the base ruleset. + +**Note** that while some modules have "lower" precedence, the reality is that they are often evaluated independently of other modules, as is the case for the `rasp` and `business-logic` modules + +Finally, this release also includes a number of fixes and improvements on the exploit prevention heuristics to limit the potential for false positives. + +### Release changelog + +#### Changes +- Module-based rule evaluation precedence ([#353](https://github.com/DataDog/libddwaf/pull/353)) + +#### Fixes +- Prevent scheme matches in isolation ([#360](https://github.com/DataDog/libddwaf/pull/360)) +- Improve parsing of numbers in SQL tokenizers ([#359](https://github.com/DataDog/libddwaf/pull/359)) + + ## v1.21.0 ([unstable](https://github.com/DataDog/libddwaf/blob/master/README.md#versioning-semantics)) ### New features diff --git a/version b/version index e4264e984..80a81c0e7 100644 --- a/version +++ b/version @@ -1 +1 @@ -1.21.0 \ No newline at end of file +1.22.0 \ No newline at end of file
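Review bot: Typo in the `rasp` bullet of the module list in the CHANGELOG.md hunk: "effectivenes" should read "effectiveness", and the **Note** paragraph is missing its terminating period after "`business-logic` modules". On the same hunk, the sentence "this module does not adhere to the user-provided timeout" on the `network-acl` and `authentication-acl` bullets is the one behavioural point an integrator has to plan for, so consider spelling out its consequence in the release notes (for example, that the caller-supplied timeout is not a hard upper bound on evaluation for those two modules) rather than leaving it implicit.

Review bot: Both the removed and the added line of the `version` hunk end with "\ No newline at end of file"; consider terminating the file with a newline so that line-oriented tooling reading it behaves consistently and future bumps of this one-line file produce a minimal diff.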