datadog 2.23.0 → 2.28.0

data/lib/datadog/appsec/metrics/collector.rb

@@ -13,6 +13,7 @@ module Datadog
           :duration_ns,
           :duration_ext_ns,
           :inputs_truncated,
+          :downstream_requests,
           keyword_init: true
         )
 
@@ -22,10 +23,13 @@ module Datadog
           @mutex = Mutex.new
 
           @waf = Store.new(
-            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0, inputs_truncated: 0
+            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0,
+            duration_ext_ns: 0, inputs_truncated: 0, downstream_requests: 0
           )
+
           @rasp = Store.new(
-            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0, inputs_truncated: 0
+            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0,
+            duration_ext_ns: 0, inputs_truncated: 0, downstream_requests: 0
           )
         end
 
@@ -41,7 +45,7 @@ module Datadog
           end
         end
 
-        def record_rasp(result)
+        def record_rasp(result, type:, phase: nil)
           @mutex.synchronize do
             @rasp.evals += 1
             @waf.matches += 1 if result.match?
@@ -50,6 +54,7 @@ module Datadog
             @rasp.duration_ns += result.duration_ns
             @rasp.duration_ext_ns += result.duration_ext_ns
             @rasp.inputs_truncated += 1 if result.input_truncated?
+            @rasp.downstream_requests += 1 if type == Ext::RASP_SSRF && phase == Ext::RASP_REQUEST_PHASE
           end
         end
       end

data/lib/datadog/appsec/metrics/exporter.rb

@@ -22,6 +22,13 @@ module Datadog
           span.set_tag('_dd.appsec.rasp.timeout', 1) unless metrics.timeouts.zero?
           span.set_tag('_dd.appsec.rasp.duration', convert_ns_to_us(metrics.duration_ns))
           span.set_tag('_dd.appsec.rasp.duration_ext', convert_ns_to_us(metrics.duration_ext_ns))
+
+          # NOTE: In case of downstream requests being analyzed additionally
+          #       with `Context.run_waf` method, we would need to share it
+          #       between two exporting methods
+          unless metrics.downstream_requests.zero?
+            span.set_tag('_dd.appsec.downstream_request', metrics.downstream_requests)
+          end
         end
 
         # private

data/lib/datadog/appsec/metrics/telemetry.rb

@@ -7,10 +7,15 @@ module Datadog
       module Telemetry
         module_function
 
-        def report_rasp(type, result)
+        def report_rasp(type, result, phase: nil)
           return if result.error?
 
-          tags = {rule_type: type, waf_version: Datadog::AppSec::WAF::VERSION::BASE_STRING}
+          tags = {rule_type: type, waf_version: WAF::VERSION::BASE_STRING}
+          tags[:rule_variant] = phase if phase
+
+          context = AppSec.active_context
+          tags[:event_rules_version] = context.waf_runner_ruleset_version if context
+
           namespace = Ext::TELEMETRY_METRICS_NAMESPACE
 
           AppSec.telemetry.inc(namespace, 'rasp.rule.eval', 1, tags: tags)

data/lib/datadog/appsec/metrics.rb

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 
+require_relative 'metrics/collector'
+require_relative 'metrics/exporter'
+require_relative 'metrics/telemetry'
+require_relative 'metrics/telemetry_exporter'
+
 module Datadog
   module AppSec
     # This namespace contains classes related to metrics collection and exportation.
@@ -7,8 +12,3 @@ module Datadog
     end
   end
 end
-
-require_relative 'metrics/collector'
-require_relative 'metrics/exporter'
-require_relative 'metrics/telemetry'
-require_relative 'metrics/telemetry_exporter'

data/lib/datadog/appsec/remote.rb

@@ -7,8 +7,6 @@ module Datadog
   module AppSec
     # Remote
     module Remote
-      class ReadError < StandardError; end
-
       class NoRulesError < StandardError; end
 
       class << self
@@ -77,7 +75,8 @@ module Datadog
 
           matcher = Core::Remote::Dispatcher::Matcher::Product.new(ASM_PRODUCTS)
           receiver = Core::Remote::Dispatcher::Receiver.new(matcher) do |repository, changes|
-            next unless AppSec.security_engine
+            engine = AppSec.security_engine
+            next unless engine
 
             changes.each do |change|
               content = repository[change.path]
@@ -85,11 +84,11 @@ module Datadog
 
               case change.type
               when :insert, :update
-                AppSec.security_engine.add_or_update_config(parse_content(content), path: change.path.to_s) # steep:ignore
-
-                content.applied # steep:ignore
+                # @type var content: Core::Remote::Configuration::Content
+                engine.add_or_update_config(parse_content(content), path: change.path.to_s)
+                content.applied
               when :delete
-                AppSec.security_engine.remove_config_at_path(change.path.to_s) # steep:ignore
+                engine.remove_config_at_path(change.path.to_s)
               end
             end
 
@@ -109,13 +108,7 @@ module Datadog
         end
 
         def parse_content(content)
-          data = content.data.read
-
-          content.data.rewind
-
-          raise ReadError, 'EOF reached' if data.nil?
-
-          JSON.parse(data)
+          JSON.parse(content.data)
         end
       end
     end

data/lib/datadog/appsec/security_engine/engine.rb

@@ -54,17 +54,17 @@ module Datadog
         end
 
         def add_or_update_config(config, path:)
-          @is_ruleset_update = path.include?('ASM_DD')
+          is_ruleset_update = path.include?('ASM_DD')
 
           # default config has to be removed when adding an ASM_DD config
-          remove_config_at_path(DEFAULT_RULES_CONFIG_PATH) if @is_ruleset_update
+          remove_config_at_path(DEFAULT_RULES_CONFIG_PATH) if is_ruleset_update
 
           diagnostics = @waf_builder.add_or_update_config(config, path: path)
           @reconfigured_ruleset_version = diagnostics['ruleset_version'] if diagnostics.key?('ruleset_version')
           report_configuration_diagnostics(diagnostics, action: 'update', telemetry: AppSec.telemetry)
 
           # we need to load default config if diagnostics contains top-level error for rules or processors
-          if @is_ruleset_update &&
+          if is_ruleset_update &&
               (diagnostics.key?('error') ||
               diagnostics.dig('rules', 'error') ||
               diagnostics.dig('processors', 'errors'))

data/lib/datadog/appsec/security_engine/result.rb

@@ -70,7 +70,8 @@ module Datadog
 
           def initialize(duration_ext_ns:, input_truncated:)
             @events = []
-            @actions = @attributes = {}
+            @actions = {}.freeze
+            @attributes = {}.freeze
             @duration_ns = 0
             @duration_ext_ns = duration_ext_ns
             @input_truncated = !!input_truncated

data/lib/datadog/appsec/security_engine/runner.rb

@@ -27,13 +27,13 @@ module Datadog
           persistent_data.reject! do |_, v|
             next false if v.is_a?(TrueClass) || v.is_a?(FalseClass)
 
-            v.nil? || v.empty?
+            v.nil? || (v.respond_to?(:empty?) && v.empty?)
           end
 
           ephemeral_data.reject! do |_, v|
             next false if v.is_a?(TrueClass) || v.is_a?(FalseClass)
 
-            v.nil? || v.empty?
+            v.nil? || (v.respond_to?(:empty?) && v.empty?)
           end
 
           result = try_run(persistent_data, ephemeral_data, timeout)

data/lib/datadog/appsec/utils/http/media_type.rb

@@ -4,14 +4,13 @@ module Datadog
   module AppSec
     module Utils
       module HTTP
-        # Implementation of media type for content negotiation
+        # Implementation of media type for HTTP headers
         #
         # See:
         # - https://www.rfc-editor.org/rfc/rfc7231#section-5.3.1
         # - https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
         class MediaType
-          class ParseError < ::StandardError
-          end
+          ParseError = Class.new(StandardError) # steep:ignore IncompatibleAssignment
 
           WILDCARD = '*'
 
@@ -19,7 +18,7 @@ module Datadog
           TOKEN_RE = /[-#$%&'*+.^_`|~A-Za-z0-9]+/.freeze
 
           # See: https://www.rfc-editor.org/rfc/rfc7231#section-3.1.1.1
-          PARAMETER_RE = %r{ # rubocop:disable Style/RegexpLiteral
+          PARAMETER_RE = %r{
             (?:
               (?<parameter_name>#{TOKEN_RE})
               =
@@ -46,39 +45,54 @@ module Datadog
 
           attr_reader :type, :subtype, :parameters
 
-          def initialize(media_type)
-            media_type_match = MEDIA_TYPE_RE.match(media_type)
+          def self.json?(media_type)
+            return false if media_type.nil? || media_type.empty?
 
-            raise ParseError, media_type.inspect if media_type_match.nil?
+            match = MEDIA_TYPE_RE.match(media_type)
+            return false if match.nil?
 
-            @type = (media_type_match['type'] || WILDCARD).downcase
-            @subtype = (media_type_match['subtype'] || WILDCARD).downcase
-            @parameters = {}
+            subtype = match['subtype']
+            return false if subtype.nil? || subtype.empty?
 
-            parameters = media_type_match['parameters']
+            subtype.downcase!
+            subtype == 'json' || subtype.end_with?('+json')
+          end
 
-            return if parameters.nil?
+          def initialize(media_type)
+            match = MEDIA_TYPE_RE.match(media_type)
+            raise ParseError, media_type.inspect if match.nil?
 
-            parameters.split(';').map(&:strip).each do |parameter|
-              parameter_match = PARAMETER_RE.match(parameter)
+            @type = match['type'] || WILDCARD
+            @type.downcase!
 
-              next if parameter_match.nil?
+            @subtype = match['subtype'] || WILDCARD
+            @subtype.downcase!
 
-              parameter_name = parameter_match['parameter_name']
-              parameter_value = parameter_match['parameter_value']
+            @parameters = {}
+
+            parameters = match['parameters']
+            return if parameters.nil? || parameters.empty?
 
-              next if parameter_name.nil? || parameter_value.nil?
+            parameters.scan(PARAMETER_RE) do |name, unquoted_value, quoted_value|
+              # NOTE: Order of unquoted_value and quoted_value does not matter,
+              #       as they are mutually exclusive by the regex.
+              # @type var value: ::String?
+              value = unquoted_value || quoted_value
+              next if name.nil? || value.nil?
 
-              @parameters[parameter_name.downcase] = parameter_value.downcase
+              # See https://github.com/soutaro/steep/issues/2051
+              name.downcase! # steep:ignore NoMethod
+              value.downcase!
+
+              # See https://github.com/soutaro/steep/issues/2051
+              @parameters[name] = value # steep:ignore ArgumentTypeMismatch
             end
           end
 
           def to_s
-            s = +"#{@type}/#{@subtype}"
-
-            s << ';' << @parameters.map { |k, v| "#{k}=#{v}" }.join(';') if @parameters.count > 0
+            return "#{@type}/#{@subtype}" if @parameters.empty?
 
-            s
+            "#{@type}/#{@subtype};#{@parameters.map { |k, v| "#{k}=#{v}" }.join(";")}"
           end
         end
       end

data/lib/datadog/appsec.rb

@@ -22,8 +22,14 @@ module Datadog
         Datadog::AppSec::Context.active
       end
 
+      # NOTE:  This is a temporary workaround for type checking.
+      #
+      #        We want to move from possible nil-component to the disabled-component
+      #        on an initialization error. Technically, telemetry will be never
+      #        used if AppSec was not able to initialize, so it's safe to assume
+      #        that telemetry will never be used and will be nil at the same time.
       def telemetry
-        components.appsec&.telemetry
+        components.appsec&.telemetry || components.telemetry
       end
 
       def security_engine

data/lib/datadog/core/configuration/components.rb

@@ -14,6 +14,7 @@ require_relative '../remote/component'
 require_relative '../../tracing/component'
 require_relative '../../profiling/component'
 require_relative '../../appsec/component'
+require_relative '../../ai_guard/component'
 require_relative '../../di/component'
 require_relative '../../open_feature/component'
 require_relative '../../error_tracking/component'
@@ -48,6 +49,7 @@ module Datadog
             options[:statsd] = settings.runtime_metrics.statsd unless settings.runtime_metrics.statsd.nil?
             options[:services] = [settings.service] unless settings.service.nil?
             options[:experimental_runtime_id_enabled] = settings.runtime_metrics.experimental_runtime_id_enabled
+            options[:experimental_propagate_process_tags_enabled] = settings.experimental_propagate_process_tags_enabled
 
             Core::Runtime::Metrics.new(logger: logger, telemetry: telemetry, **options)
           end
@@ -107,6 +109,7 @@ module Datadog
           :error_tracking,
           :dynamic_instrumentation,
           :appsec,
+          :ai_guard,
           :agent_info,
           :data_streams,
           :open_feature
@@ -143,6 +146,7 @@ module Datadog
           @runtime_metrics = self.class.build_runtime_metrics_worker(settings, @logger, telemetry)
           @health_metrics = self.class.build_health_metrics(settings, @logger, telemetry)
           @appsec = Datadog::AppSec::Component.build_appsec_component(settings, telemetry: telemetry)
+          @ai_guard = Datadog::AIGuard::Component.build(settings, logger: @logger, telemetry: telemetry)
           @open_feature = OpenFeature::Component.build(settings, agent_settings, logger: @logger, telemetry: telemetry)
           @dynamic_instrumentation = Datadog::DI::Component.build(settings, agent_settings, @logger, telemetry: telemetry)
           @error_tracking = Datadog::ErrorTracking::Component.build(settings, @tracer, @logger)
@@ -209,6 +213,9 @@ module Datadog
           # Decommission AppSec
           appsec&.shutdown!
 
+          # Shutdown AIGuard component
+          ai_guard&.shutdown!
+
           # Shutdown the old tracer, unless it's still being used.
           # (e.g. a custom tracer instance passed in.)
           tracer.shutdown! unless replacement && tracer.equal?(replacement.tracer)

data/lib/datadog/core/configuration/config_helper.rb

@@ -9,7 +9,7 @@ module Datadog
       class ConfigHelper
         def initialize(
           source_env: ENV,
-          supported_configurations: SUPPORTED_CONFIGURATIONS,
+          supported_configurations: SUPPORTED_CONFIGURATION_NAMES,
           aliases: ALIASES,
           alias_to_canonical: ALIAS_TO_CANONICAL,
           raise_on_unknown_env_var: false

data/lib/datadog/core/configuration/deprecations.rb

@@ -21,12 +21,12 @@ module Datadog
         end
 
         private_class_method def self.log_deprecated_environment_variables(logger, source_env, source_name, deprecations, alias_to_canonical)
-          deprecations.each do |deprecated_env_var, message|
+          deprecations.each do |deprecated_env_var|
             next unless source_env.key?(deprecated_env_var)
 
             Datadog::Core.log_deprecation(disallowed_next_major: false, logger: logger) do
               "#{deprecated_env_var} #{source_name} variable is deprecated" +
-                (alias_to_canonical[deprecated_env_var] ? ", use #{alias_to_canonical[deprecated_env_var]} instead." : ". #{message}.")
+                (alias_to_canonical[deprecated_env_var] ? ", use #{alias_to_canonical[deprecated_env_var]} instead." : ".")
             end
           end
         end

data/lib/datadog/core/configuration/option_definition.rb

@@ -42,7 +42,8 @@ module Datadog
         # Acts as DSL for building OptionDefinitions
         # @public_api
         class Builder
-          InvalidOptionError = Class.new(StandardError)
+          # Steep: https://github.com/soutaro/steep/issues/1880
+          InvalidOptionError = Class.new(StandardError) # steep:ignore IncompatibleAssignment
 
           attr_reader \
             :helpers
@@ -119,7 +120,8 @@ module Datadog
             env_parser(&options[:env_parser]) if options.key?(:env_parser)
             after_set(&options[:after_set]) if options.key?(:after_set)
             resetter(&options[:resetter]) if options.key?(:resetter)
-            setter(&options[:setter]) if options.key?(:setter)
+            # Steep: https://github.com/soutaro/steep/issues/1979
+            setter(&options[:setter]) if options.key?(:setter) # steep:ignore BlockTypeMismatch
             type(options[:type], **(options[:type_options] || {})) if options.key?(:type)
           end
 

data/lib/datadog/core/configuration/options.rb

@@ -40,14 +40,16 @@ module Datadog
 
           def default_helpers(name)
             option_name = name.to_sym
-            # @type var opt_getter: Configuration::OptionDefinition::helper_proc
-            opt_getter = proc do
+            # Steep: https://github.com/soutaro/steep/issues/335
+            # @type var opt_getter: Configuration::OptionDefinition::generic_proc
+            opt_getter = proc do # steep:ignore IncompatibleAssignment
               # These Procs uses `get/set_option`, but we only add them to the OptionDefinition helpers here.
               # Steep is right that these methods are not defined, but we only run these Procs in instance context.
               get_option(option_name) # steep:ignore NoMethod
             end
-            # @type var opt_setter: Configuration::OptionDefinition::helper_proc
-            opt_setter = proc do |value|
+            # Steep: https://github.com/soutaro/steep/issues/335
+            # @type var opt_setter: Configuration::OptionDefinition::generic_proc
+            opt_setter = proc do |value| # steep:ignore IncompatibleAssignment
               set_option(option_name, value) # steep:ignore NoMethod
             end
             {
@@ -127,7 +129,8 @@ module Datadog
           end
         end
 
-        InvalidOptionError = Class.new(StandardError)
+        # Steep: https://github.com/soutaro/steep/issues/1880
+        InvalidOptionError = Class.new(StandardError) # steep:ignore IncompatibleAssignment
       end
     end
   end

data/lib/datadog/core/configuration/settings.rb

@@ -170,6 +170,20 @@ module Datadog
           o.env Core::Environment::Ext::ENV_ENVIRONMENT
         end
 
+        # Configuration for container environments. For internal use only.
+        # @!visibility private
+        settings :container do
+          # Data supplied by the container runner to assist in uniquely identifying this process.
+          # Used in [Origin Detection](https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host#origin-detection)
+          #
+          # @default `DD_EXTERNAL_ENV` environment variable, otherwise `nil`
+          # @return [String,nil]
+          option :external_env do |o|
+            o.type :string, nilable: true
+            o.env Core::Environment::Ext::ENV_EXTERNAL_ENV
+          end
+        end
+
         # Internal {Datadog::Statsd} metrics collection.
         #
         # @public_api
@@ -293,9 +307,6 @@ module Datadog
             #       for Ruby versions 2.x, 3.1.4+, 3.2.3+ and 3.3.0+
             #       (more details in {Datadog::Profiling::Component.enable_gc_profiling?})
             #
-            # @warn Due to a VM bug in the Ractor implementation (https://bugs.ruby-lang.org/issues/19112) this feature
-            #       stops working when Ractors get garbage collected.
-            #
             # @default `DD_PROFILING_GC_ENABLED` environment variable, otherwise `true`
             option :gc_enabled do |o|
               o.type :bool
@@ -425,6 +436,23 @@ module Datadog
               o.default true
             end
 
+            # The profiler gathers data by sending `SIGPROF` unix signals to Ruby application threads.
+            #
+            # When using `Kernel#exec` on Linux, it can happen that a signal sent before calling `exec` arrives after
+            # the new process is running, causing it to fail with the `Profiling timer expired` error message.
+            # To avoid this, the profiler installs a monkey patch on `Kernel#exec` to stop profiling before actually
+            # calling `exec`.
+            # This monkey patch is available for Ruby 2.7+; let us know if you need it on earlier Rubies.
+            # For more details see https://github.com/DataDog/dd-trace-rb/issues/5101 .
+            #
+            # @default `DD_PROFILING_SHUTDOWN_ON_EXEC_ENABLED` environment variable as a boolean,
+            # otherwise `true`
+            option :shutdown_on_exec_enabled do |o|
+              o.env 'DD_PROFILING_SHUTDOWN_ON_EXEC_ENABLED'
+              o.type :bool
+              o.default true
+            end
+
             # Configures how much wall-time overhead the profiler targets. The profiler will dynamically adjust the
             # interval between samples it takes so as to try and maintain the property that it spends no longer than
             # this amount of wall-clock time profiling. For example, with the default value of 2%, the profiler will

data/lib/datadog/core/configuration/supported_configurations.rb

@@ -8,8 +8,13 @@ require 'set'
 module Datadog
   module Core
     module Configuration
-      SUPPORTED_CONFIGURATIONS =
+      SUPPORTED_CONFIGURATION_NAMES =
         Set["DD_AGENT_HOST",
+          "DD_AI_GUARD_ENABLED",
+          "DD_AI_GUARD_ENDPOINT",
+          "DD_AI_GUARD_MAX_CONTENT_SIZE",
+          "DD_AI_GUARD_MAX_MESSAGES_LENGTH",
+          "DD_AI_GUARD_TIMEOUT",
           "DD_API_KEY",
           "DD_API_SECURITY_ENABLED",
           "DD_API_SECURITY_ENDPOINT_COLLECTION_ENABLED",
@@ -34,6 +39,7 @@ module Datadog
           "DD_APPSEC_TRACE_RATE_LIMIT",
           "DD_APPSEC_WAF_DEBUG",
           "DD_APPSEC_WAF_TIMEOUT",
+          "DD_APP_KEY",
           "DD_CRASHTRACKING_ENABLED",
           "DD_DATA_STREAMS_ENABLED",
           "DD_DBM_PROPAGATION_MODE",
@@ -42,11 +48,13 @@ module Datadog
           "DD_DYNAMIC_INSTRUMENTATION_PROBE_FILE",
           "DD_DYNAMIC_INSTRUMENTATION_REDACTED_IDENTIFIERS",
           "DD_DYNAMIC_INSTRUMENTATION_REDACTED_TYPES",
+          "DD_DYNAMIC_INSTRUMENTATION_REDACTION_EXCLUDED_IDENTIFIERS",
           "DD_ENV",
           "DD_ERROR_TRACKING_HANDLED_ERRORS",
           "DD_ERROR_TRACKING_HANDLED_ERRORS_INCLUDE",
           "DD_EXPERIMENTAL_FLAGGING_PROVIDER_ENABLED",
           "DD_EXPERIMENTAL_PROPAGATE_PROCESS_TAGS_ENABLED",
+          "DD_EXTERNAL_ENV",
           "DD_GIT_COMMIT_SHA",
           "DD_GIT_REPOSITORY_URL",
           "DD_HEALTH_METRICS_ENABLED",
@@ -74,6 +82,7 @@ module Datadog
           "DD_PROFILING_NO_SIGNALS_WORKAROUND_ENABLED",
           "DD_PROFILING_OVERHEAD_TARGET_PERCENTAGE",
           "DD_PROFILING_PREVIEW_OTEL_CONTEXT_ENABLED",
+          "DD_PROFILING_SHUTDOWN_ON_EXEC_ENABLED",
           "DD_PROFILING_SIGHANDLER_SAMPLING_ENABLED",
           "DD_PROFILING_SKIP_MYSQL2_CHECK",
           "DD_PROFILING_TIMELINE_ENABLED",

data/lib/datadog/core/crashtracking/tag_builder.rb

@@ -2,6 +2,7 @@
 
 require_relative '../tag_builder'
 require_relative '../utils'
+require_relative '../environment/process'
 
 module Datadog
   module Core
@@ -13,6 +14,11 @@ module Datadog
             'is_crash' => 'true',
           )
 
+          if settings.experimental_propagate_process_tags_enabled
+            process_tags = Environment::Process.serialized
+            hash['process_tags'] = process_tags unless process_tags.empty?
+          end
+
           Utils.encode_tags(hash)
         end
       end

data/lib/datadog/core/environment/cgroup.rb

@@ -10,40 +10,67 @@ module Datadog
       # about the current Linux container identity.
       # @see https://man7.org/linux/man-pages/man7/cgroups.7.html
       module Cgroup
-        LINE_REGEX = /^(\d+):([^:]*):(.+)$/.freeze
-
-        Descriptor = Struct.new(
-          :id,
-          :groups,
+        # A parsed cgroup entry from /proc/<pid>/cgroup
+        Entry = Struct.new(
+          :hierarchy,
+          :controllers,
           :path,
-          :controllers
+          :inode
         )
 
         module_function
 
-        def descriptors(process = 'self')
-          [].tap do |descriptors|
-            filepath = "/proc/#{process}/cgroup"
-
-            if File.exist?(filepath)
-              File.foreach("/proc/#{process}/cgroup") do |line|
-                line = line.strip
-                descriptors << parse(line) unless line.empty?
-              end
-            end
-          rescue => e
-            Datadog.logger.error(
-              "Error while parsing cgroup. Cause: #{e.class.name} #{e.message} Location: #{Array(e.backtrace).first}"
-            )
+        # Parses the /proc/self/cgroup file,
+        # @return [Array<Entry>] one entry for each valid cgroup line
+        def entries
+          filepath = '/proc/self/cgroup'
+          return [] unless File.exist?(filepath)
+
+          ret = []
+          File.foreach(filepath) do |entry_line|
+            ret << parse(entry_line) unless entry_line.empty?
           end
+          ret
         end
 
-        def parse(line)
-          id, groups, path = line.scan(LINE_REGEX).first
+        # Parses a single cgroup entry from /proc/<pid>/cgroup.
+        #
+        # Files can have cgroup v1 and v2 entries mixed. Their format is the same.
+        #
+        # Each entry has 3 colon-separated fields:
+        #   hierarchy-ID:controllers:path
+        # Examples:
+        #   10:memory:/docker/1234567890abcdef (cgroup v1)
+        #   0::/docker/1234567890abcdef (cgroup v2)
+        #
+        # @see https://man7.org/linux/man-pages/man7/cgroups.7.html#:~:text=%2Fproc%2Fpid%2Fcgroup
+        # @return [Entry]
+        def parse(entry_line)
+          hierarchy, controllers, path = entry_line.split(':', 3)
 
-          Descriptor.new(id, groups, path).tap do |descriptor|
-            descriptor.controllers = groups.split(',') unless groups.nil?
-          end
+          Entry.new(
+            hierarchy,
+            controllers,
+            path,
+            inode_for(controllers, path)
+          )
+        end
+
+        # We can find the container inode by running a file stat on the cgroup filesystem path.
+        # Example:
+        #   For the entry `0:cpu:/docker/abc123`,
+        #   we read `stat -c '%i' /sys/fs/cgroup/cpu/docker/abc123`
+        def inode_for(controllers, path)
+          return if controllers.nil? || path.nil?
+
+          # In cgroup v1, when multiple controllers are co-mounted, the controllers
+          # becomes part of the directory name (with commas preserved).
+          # Example entry:
+          #   For the line "10:cpu,cpuacct:/docker/abc123", the path is
+          #   "/sys/fs/cgroup/cpu,cpuacct/docker/abc123"
+          inode_path = File.join('/sys/fs/cgroup', controllers, path)
+
+          File.stat(inode_path).ino if File.exist?(inode_path)
         end
       end
     end