datadog 2.25.0 → 2.27.0

data/ext/libdatadog_api/feature_flags.c

@@ -130,7 +130,7 @@ void feature_flags_init(VALUE core_module) {
 static VALUE configuration_new(VALUE klass, VALUE json_str) {
   struct ddog_ffe_Result_HandleConfiguration result = ddog_ffe_configuration_new(borrow_str(json_str));
   if (result.tag == DDOG_FFE_RESULT_HANDLE_CONFIGURATION_ERR_HANDLE_CONFIGURATION) {
-    rb_raise(feature_flags_error_class, "Failed to create configuration from JSON: %"PRIsVALUE, get_error_details_and_drop(&result.err));
+    raise_error(feature_flags_error_class, "Failed to create configuration from JSON: %"PRIsVALUE, get_error_details_and_drop(&result.err));
   }
   return TypedData_Wrap_Struct(klass, &configuration_data_type, result.ok);
 }
@@ -159,7 +159,7 @@ static ddog_ffe_ExpectedFlagType expected_type_from_value(VALUE expected_type) {
   } else if (id == id_float) {
     return DDOG_FFE_EXPECTED_FLAG_TYPE_FLOAT;
   } else {
-    rb_raise(feature_flags_error_class, "Internal: Unexpected flag type: %"PRIsVALUE, expected_type);
+    raise_error(feature_flags_error_class, "Internal: Unexpected flag type: %"PRIsVALUE, expected_type);
   }
 }
 
@@ -199,7 +199,7 @@ static int evaluation_context_foreach_callback(VALUE key, VALUE value, VALUE arg
   if (builder->attr_count >= builder->attr_capacity) {
     // This should never happen because evaluation_context_from_hash()
     // pre-allocates attr_capacity equal to iterated Hash size.
-    rb_raise(feature_flags_error_class, "Internal: Attribute count exceeded capacity");
+    raise_error(feature_flags_error_class, "Internal: Attribute count exceeded capacity");
   }
 
   ddog_ffe_AttributePair *attr = &builder->attrs[builder->attr_count];
@@ -354,7 +354,7 @@ static VALUE resolution_details_get_raw_value(VALUE self) {
       return Qnil;
     default:
       // This should never happen as we checked for all possible tag values.
-      rb_raise(feature_flags_error_class, "Internal: Unexpected ResolutionDetails value tag");
+      raise_error(feature_flags_error_class, "Internal: Unexpected ResolutionDetails value tag");
   }
 }
 
@@ -387,7 +387,7 @@ static VALUE resolution_details_get_flag_type(VALUE self) {
       return Qnil;
     default:
       // This should never happen as we checked for all possible tag values.
-      rb_raise(feature_flags_error_class, "Internal: Unexpected ResolutionDetails value tag");
+      raise_error(feature_flags_error_class, "Internal: Unexpected ResolutionDetails value tag");
   }
 }
 

data/ext/libdatadog_api/helpers.h

@@ -0,0 +1,27 @@
+#pragma once
+
+#include "datadog_ruby_common.h"
+
+// Raises a Ruby error if the `ddog_VoidResult` indicates an error.
+// The error message in `result.err` is appended to the provided `message`.
+//
+// @param[in] message (const char *) The error message
+// @param[in] result (ddog_VoidResult) A result to check
+#define CHECK_VOID_RESULT(message, result)                             \
+  do {                                                                         \
+    if (result.tag == DDOG_VOID_RESULT_ERR) {                                 \
+      raise_lib_error(message, result);                                        \
+    }                                                                          \
+  } while (0)
+
+// Raises a Ruby error for the error result.
+// The error message in `result.err` is appended to the provided `message`.
+//
+// @param[in] message (const char *) The error message
+// @param[in] result (struct { ddog_Error res; ... }) Any type of result
+#define raise_lib_error(message, result)                                        \
+  do { \
+    char error_msg[MAX_RAISE_MESSAGE_SIZE];  \
+    read_ddogerr_string_and_drop(&result.err, error_msg, MAX_RAISE_MESSAGE_SIZE); \
+    raise_error(rb_eRuntimeError, message ": %s", error_msg); \
+  } while (0)

data/ext/libdatadog_api/init.c

@@ -10,6 +10,10 @@ void ddsketch_init(VALUE core_module);
 
 void DDTRACE_EXPORT Init_libdatadog_api(void) {
   VALUE datadog_module = rb_define_module("Datadog");
+
+  // MUST be called before all other initialization
+  datadog_ruby_common_init();
+
   VALUE core_module = rb_define_module_under(datadog_module, "Core");
 
   crashtracker_init(core_module);

data/ext/libdatadog_extconf_helpers.rb

@@ -10,7 +10,7 @@ module Datadog
   module LibdatadogExtconfHelpers
     # Used to make sure the correct gem version gets loaded, as extconf.rb does not get run with "bundle exec" and thus
     # may see multiple libdatadog versions. See https://github.com/DataDog/dd-trace-rb/pull/2531 for the horror story.
-    LIBDATADOG_VERSION = '~> 24.0.1.1.0'
+    LIBDATADOG_VERSION = '~> 25.0.0.1.0'
 
     # Used as an workaround for a limitation with how dynamic linking works in environments where the datadog gem and
     # libdatadog are moved after the extension gets compiled.

data/lib/datadog/appsec/api_security/endpoint_collection/rails_collector.rb

@@ -19,7 +19,14 @@ module Datadog
             Enumerator.new do |yielder|
               @routes.each do |route|
                 if route.dispatcher?
-                  yielder.yield RailsRouteSerializer.serialize(route)
+                  if route.verb.include?('|')
+                    # report separate route for each method for multi-method routes
+                    route.verb.split('|').each do |method|
+                      yielder.yield RailsRouteSerializer.serialize(route, method_override: method)
+                    end
+                  else
+                    yielder.yield RailsRouteSerializer.serialize(route)
+                  end
                 elsif mounted_grape_app?(route.app.rack_app)
                   route.app.rack_app.routes.each do |grape_route|
                     yielder.yield GrapeRouteSerializer.serialize(grape_route, path_prefix: route.path.spec.to_s)

data/lib/datadog/appsec/api_security/endpoint_collection/rails_route_serializer.rb

@@ -10,8 +10,15 @@ module Datadog
 
           module_function
 
-          def serialize(route)
-            method = route.verb.empty? ? "*" : route.verb
+          def serialize(route, method_override: nil)
+            method = if method_override
+              method_override
+            elsif route.verb.empty?
+              "*"
+            else
+              route.verb
+            end
+
             path = route.path.spec.to_s.delete_suffix(FORMAT_SUFFIX)
 
             {

data/lib/datadog/appsec/component.rb

@@ -78,7 +78,7 @@ module Datadog
       end
 
       def reconfigure!
-        security_engine.reconfigure!
+        security_engine&.reconfigure!
       end
 
       def shutdown!

data/lib/datadog/appsec/context.rb

@@ -48,11 +48,11 @@ module Datadog
         result
       end
 
-      def run_rasp(type, persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
+      def run_rasp(type, persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT, phase: nil)
         result = @waf_runner.run(persistent_data, ephemeral_data, timeout)
 
-        Metrics::Telemetry.report_rasp(type, result)
-        @metrics.record_rasp(result)
+        Metrics::Telemetry.report_rasp(type, result, phase: phase)
+        @metrics.record_rasp(result, type: type, phase: phase)
 
         result
       end

data/lib/datadog/appsec/contrib/excon/integration.rb

@@ -24,7 +24,7 @@ module Datadog
           end
 
           def self.compatible?
-            super && version >= MINIMUM_VERSION
+            super && !!(version&.>= MINIMUM_VERSION)
           end
 
           def self.auto_instrument?

data/lib/datadog/appsec/contrib/excon/patcher.rb

@@ -9,7 +9,7 @@ module Datadog
           module_function
 
           def patched?
-            Patcher.instance_variable_get(:@patched)
+            !!Patcher.instance_variable_get(:@patched)
           end
 
           def target_version

data/lib/datadog/appsec/contrib/excon/ssrf_detection_middleware.rb

@@ -13,27 +13,62 @@ module Datadog
         # AppSec Middleware for Excon
         class SSRFDetectionMiddleware < ::Excon::Middleware::Base
           def request_call(data)
-            return super unless AppSec.rasp_enabled? && AppSec.active_context
+            context = AppSec.active_context
+            return super unless context && AppSec.rasp_enabled?
+
+            timeout = Datadog.configuration.appsec.waf_timeout
+            ephemeral_data = {
+              'server.io.net.url' => request_url(data),
+              'server.io.net.request.method' => data[:method].to_s.upcase,
+              'server.io.net.request.headers' => normalize_headers(data[:headers])
+            }
+
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_REQUEST_PHASE)
+            handle(result, context: context) if result.match?
+
+            super
+          end
 
+          def response_call(data)
             context = AppSec.active_context
+            return super unless context && AppSec.rasp_enabled?
 
-            request_url = URI.join("#{data[:scheme]}://#{data[:host]}", data[:path]).to_s
-            ephemeral_data = {'server.io.net.url' => request_url}
+            timeout = Datadog.configuration.appsec.waf_timeout
+            ephemeral_data = {
+              'server.io.net.response.status' => data.dig(:response, :status).to_s,
+              'server.io.net.response.headers' => normalize_headers(data.dig(:response, :headers))
+            }
 
-            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_RESPONSE_PHASE)
+            handle(result, context: context) if result.match?
 
-            if result.match?
-              AppSec::Event.tag(context, result)
-              TraceKeeper.keep!(context.trace) if result.keep?
+            super
+          end
 
-              context.events.push(
-                AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
-              )
+          private
 
-              AppSec::ActionsHandler.handle(result.actions)
+          def request_url(data)
+            klass = (data[:scheme] == 'https') ? URI::HTTPS : URI::HTTP
+            klass.build(host: data[:host], path: data[:path], query: data[:query]).to_s
+          end
+
+          def normalize_headers(headers)
+            return {} if headers.nil? || headers.empty?
+
+            headers.each_with_object({}) do |(key, value), memo|
+              memo[key.downcase] = value.is_a?(Array) ? value.join(', ') : value
             end
+          end
 
-            super
+          def handle(result, context:)
+            AppSec::Event.tag(context, result)
+            TraceKeeper.keep!(context.trace) if result.keep?
+
+            context.events.push(
+              AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+            )
+
+            AppSec::ActionsHandler.handle(result.actions)
           end
         end
       end

data/lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb

@@ -10,33 +10,50 @@ module Datadog
       module Faraday
         # AppSec SSRF detection Middleware for Faraday
         class SSRFDetectionMiddleware < ::Faraday::Middleware
-          def call(request_env)
+          def call(env)
             context = AppSec.active_context
+            return @app.call(env) unless context && AppSec.rasp_enabled?
 
-            return @app.call(request_env) unless context && AppSec.rasp_enabled?
-
+            timeout = Datadog.configuration.appsec.waf_timeout
             ephemeral_data = {
-              'server.io.net.url' => request_env.url.to_s
+              'server.io.net.url' => env.url.to_s,
+              'server.io.net.request.method' => env.method.to_s.upcase,
+              'server.io.net.request.headers' => env.request_headers.transform_keys(&:downcase)
             }
 
-            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_REQUEST_PHASE)
+            handle(result, context: context) if result.match?
+
+            @app.call(env).on_complete { |response_env| on_complete(response_env, context: context) }
+          end
+
+          private
+
+          def on_complete(env, context:)
+            timeout = Datadog.configuration.appsec.waf_timeout
 
-            if result.match?
-              AppSec::Event.tag(context, result)
-              TraceKeeper.keep!(context.trace) if result.keep?
+            response_headers = env.response_headers || {}
+            ephemeral_data = {
+              'server.io.net.response.status' => env.status.to_s,
+              'server.io.net.response.headers' => response_headers.transform_keys(&:downcase)
+            }
+
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_RESPONSE_PHASE)
+            handle(result, context: context) if result.match?
+          end
 
-              context.events.push(
-                AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
-              )
+          def handle(result, context:)
+            AppSec::Event.tag(context, result)
+            TraceKeeper.keep!(context.trace) if result.keep?
 
-              AppSec::ActionsHandler.handle(result.actions)
-            end
+            context.events.push(
+              AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+            )
 
-            @app.call(request_env)
+            AppSec::ActionsHandler.handle(result.actions)
           end
         end
       end
     end
   end
 end
-# rubocop:enable Naming/FileName

data/lib/datadog/appsec/contrib/rest_client/integration.rb

@@ -28,7 +28,7 @@ module Datadog
           end
 
           def self.compatible?
-            super && version >= MINIMUM_VERSION
+            super && !!(version&.>= MINIMUM_VERSION)
           end
 
           def self.auto_instrument?

data/lib/datadog/appsec/contrib/rest_client/patcher.rb

@@ -9,7 +9,7 @@ module Datadog
           module_function
 
           def patched?
-            Patcher.instance_variable_get(:@patched)
+            !!Patcher.instance_variable_get(:@patched)
           end
 
           def target_version

data/lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb

@@ -11,29 +11,65 @@ module Datadog
         # Module that adds SSRF detection to RestClient::Request#execute
         module RequestSSRFDetectionPatch
           def execute(&block)
-            return super unless AppSec.rasp_enabled? && AppSec.active_context
-
             context = AppSec.active_context
+            return super unless context && AppSec.rasp_enabled?
+
+            timeout = Datadog.configuration.appsec.waf_timeout
+            ephemeral_data = {
+              'server.io.net.url' => url,
+              'server.io.net.request.method' => method.to_s.upcase,
+              'server.io.net.request.headers' => normalize_request_headers
+            }
+
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_REQUEST_PHASE)
+            handle(result, context: context) if result.match?
+
+            response = super
+
+            ephemeral_data = {
+              'server.io.net.response.status' => response.code.to_s,
+              'server.io.net.response.headers' => normalize_response_headers(response)
+            }
+
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_RESPONSE_PHASE)
+            handle(result, context: context) if result.match?
 
-            ephemeral_data = {'server.io.net.url' => url}
-            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
+            response
+          end
+
+          private
+
+          # NOTE: Starting version 2.1.0 headers are already normalized via internal
+          #       variable `@processed_headers_lowercase`. In case it's available,
+          #       we use it to avoid unnecessary transformation.
+          def normalize_request_headers
+            return @processed_headers_lowercase if defined?(@processed_headers_lowercase)
 
-            if result.match?
-              AppSec::Event.tag(context, result)
-              TraceKeeper.keep!(context.trace) if result.keep?
+            processed_headers.transform_keys(&:downcase)
+          end
+
+          # NOTE: Headers values are always an `Array` in `Net::HTTPResponse`,
+          #       but we want to avoid accidents and will wrap them in no-op
+          #       `Array` call just in case of a breaking change in the future
+          #
+          # FIXME: Steep has issues with `transform_values!` modifying the original
+          #        type and it failed with "Cannot allow block body" error
+          def normalize_response_headers(response) # steep:ignore MethodBodyTypeMismatch
+            response.net_http_res.to_hash.transform_values! { |value| Array(value).join(', ') } # steep:ignore BlockBodyTypeMismatch
+          end
 
-              context.events.push(
-                AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
-              )
+          def handle(result, context:)
+            AppSec::Event.tag(context, result)
+            TraceKeeper.keep!(context.trace) if result.keep?
 
-              AppSec::ActionsHandler.handle(result.actions)
-            end
+            context.events.push(
+              AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+            )
 
-            super
+            AppSec::ActionsHandler.handle(result.actions)
           end
         end
       end
     end
   end
 end
-# rubocop:enable Naming/FileName

data/lib/datadog/appsec/ext.rb

@@ -6,6 +6,8 @@ module Datadog
       RASP_SQLI = 'sql_injection'
       RASP_LFI = 'lfi'
       RASP_SSRF = 'ssrf'
+      RASP_REQUEST_PHASE = 'request'
+      RASP_RESPONSE_PHASE = 'response'
 
       PRODUCT_BIT = 0b00000010
 

data/lib/datadog/appsec/metrics/collector.rb

@@ -13,6 +13,7 @@ module Datadog
           :duration_ns,
           :duration_ext_ns,
           :inputs_truncated,
+          :downstream_requests,
           keyword_init: true
         )
 
@@ -22,10 +23,13 @@ module Datadog
           @mutex = Mutex.new
 
           @waf = Store.new(
-            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0, inputs_truncated: 0
+            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0,
+            duration_ext_ns: 0, inputs_truncated: 0, downstream_requests: 0
           )
+
           @rasp = Store.new(
-            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0, inputs_truncated: 0
+            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0,
+            duration_ext_ns: 0, inputs_truncated: 0, downstream_requests: 0
           )
         end
 
@@ -41,7 +45,7 @@ module Datadog
           end
         end
 
-        def record_rasp(result)
+        def record_rasp(result, type:, phase: nil)
           @mutex.synchronize do
             @rasp.evals += 1
             @waf.matches += 1 if result.match?
@@ -50,6 +54,7 @@ module Datadog
             @rasp.duration_ns += result.duration_ns
             @rasp.duration_ext_ns += result.duration_ext_ns
             @rasp.inputs_truncated += 1 if result.input_truncated?
+            @rasp.downstream_requests += 1 if type == Ext::RASP_SSRF && phase == Ext::RASP_REQUEST_PHASE
           end
         end
       end

data/lib/datadog/appsec/metrics/exporter.rb

@@ -22,6 +22,13 @@ module Datadog
           span.set_tag('_dd.appsec.rasp.timeout', 1) unless metrics.timeouts.zero?
           span.set_tag('_dd.appsec.rasp.duration', convert_ns_to_us(metrics.duration_ns))
           span.set_tag('_dd.appsec.rasp.duration_ext', convert_ns_to_us(metrics.duration_ext_ns))
+
+          # NOTE: In case of downstream requests being analyzed additionally
+          #       with `Context.run_waf` method, we would need to share it
+          #       between two exporting methods
+          unless metrics.downstream_requests.zero?
+            span.set_tag('_dd.appsec.downstream_request', metrics.downstream_requests)
+          end
         end
 
         # private

data/lib/datadog/appsec/metrics/telemetry.rb

@@ -7,10 +7,15 @@ module Datadog
       module Telemetry
         module_function
 
-        def report_rasp(type, result)
+        def report_rasp(type, result, phase: nil)
           return if result.error?
 
-          tags = {rule_type: type, waf_version: Datadog::AppSec::WAF::VERSION::BASE_STRING}
+          tags = {rule_type: type, waf_version: WAF::VERSION::BASE_STRING}
+          tags[:rule_variant] = phase if phase
+
+          context = AppSec.active_context
+          tags[:event_rules_version] = context.waf_runner_ruleset_version if context
+
           namespace = Ext::TELEMETRY_METRICS_NAMESPACE
 
           AppSec.telemetry.inc(namespace, 'rasp.rule.eval', 1, tags: tags)

data/lib/datadog/appsec/metrics.rb

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 
+require_relative 'metrics/collector'
+require_relative 'metrics/exporter'
+require_relative 'metrics/telemetry'
+require_relative 'metrics/telemetry_exporter'
+
 module Datadog
   module AppSec
     # This namespace contains classes related to metrics collection and exportation.
@@ -7,8 +12,3 @@ module Datadog
     end
   end
 end
-
-require_relative 'metrics/collector'
-require_relative 'metrics/exporter'
-require_relative 'metrics/telemetry'
-require_relative 'metrics/telemetry_exporter'

data/lib/datadog/appsec/remote.rb

@@ -75,7 +75,8 @@ module Datadog
 
           matcher = Core::Remote::Dispatcher::Matcher::Product.new(ASM_PRODUCTS)
           receiver = Core::Remote::Dispatcher::Receiver.new(matcher) do |repository, changes|
-            next unless AppSec.security_engine
+            engine = AppSec.security_engine
+            next unless engine
 
             changes.each do |change|
               content = repository[change.path]
@@ -84,11 +85,10 @@ module Datadog
               case change.type
               when :insert, :update
                 # @type var content: Core::Remote::Configuration::Content
-                AppSec.security_engine.add_or_update_config(parse_content(content), path: change.path.to_s)
-
+                engine.add_or_update_config(parse_content(content), path: change.path.to_s)
                 content.applied
               when :delete
-                AppSec.security_engine.remove_config_at_path(change.path.to_s)
+                engine.remove_config_at_path(change.path.to_s)
               end
             end
 

data/lib/datadog/appsec.rb

@@ -22,8 +22,14 @@ module Datadog
         Datadog::AppSec::Context.active
       end
 
+      # NOTE:  This is a temporary workaround for type checking.
+      #
+      #        We want to move from possible nil-component to the disabled-component
+      #        on an initialization error. Technically, telemetry will be never
+      #        used if AppSec was not able to initialize, so it's safe to assume
+      #        that telemetry will never be used and will be nil at the same time.
       def telemetry
-        components.appsec&.telemetry
+        components.appsec&.telemetry || components.telemetry
       end
 
       def security_engine

data/lib/datadog/core/configuration/components.rb

@@ -49,6 +49,7 @@ module Datadog
             options[:statsd] = settings.runtime_metrics.statsd unless settings.runtime_metrics.statsd.nil?
             options[:services] = [settings.service] unless settings.service.nil?
             options[:experimental_runtime_id_enabled] = settings.runtime_metrics.experimental_runtime_id_enabled
+            options[:experimental_propagate_process_tags_enabled] = settings.experimental_propagate_process_tags_enabled
 
             Core::Runtime::Metrics.new(logger: logger, telemetry: telemetry, **options)
           end

data/lib/datadog/core/configuration/settings.rb

@@ -436,6 +436,23 @@ module Datadog
               o.default true
             end
 
+            # The profiler gathers data by sending `SIGPROF` unix signals to Ruby application threads.
+            #
+            # When using `Kernel#exec` on Linux, it can happen that a signal sent before calling `exec` arrives after
+            # the new process is running, causing it to fail with the `Profiling timer expired` error message.
+            # To avoid this, the profiler installs a monkey patch on `Kernel#exec` to stop profiling before actually
+            # calling `exec`.
+            # This monkey patch is available for Ruby 2.7+; let us know if you need it on earlier Rubies.
+            # For more details see https://github.com/DataDog/dd-trace-rb/issues/5101 .
+            #
+            # @default `DD_PROFILING_SHUTDOWN_ON_EXEC_ENABLED` environment variable as a boolean,
+            # otherwise `true`
+            option :shutdown_on_exec_enabled do |o|
+              o.env 'DD_PROFILING_SHUTDOWN_ON_EXEC_ENABLED'
+              o.type :bool
+              o.default true
+            end
+
             # Configures how much wall-time overhead the profiler targets. The profiler will dynamically adjust the
             # interval between samples it takes so as to try and maintain the property that it spends no longer than
             # this amount of wall-clock time profiling. For example, with the default value of 2%, the profiler will

data/lib/datadog/core/configuration/supported_configurations.rb

@@ -81,6 +81,7 @@ module Datadog
           "DD_PROFILING_NO_SIGNALS_WORKAROUND_ENABLED",
           "DD_PROFILING_OVERHEAD_TARGET_PERCENTAGE",
           "DD_PROFILING_PREVIEW_OTEL_CONTEXT_ENABLED",
+          "DD_PROFILING_SHUTDOWN_ON_EXEC_ENABLED",
           "DD_PROFILING_SIGHANDLER_SAMPLING_ENABLED",
           "DD_PROFILING_SKIP_MYSQL2_CHECK",
           "DD_PROFILING_TIMELINE_ENABLED",

data/lib/datadog/core/runtime/metrics.rb

@@ -8,6 +8,7 @@ require_relative '../environment/gc'
 require_relative '../environment/thread_count'
 require_relative '../environment/vm_cache'
 require_relative '../environment/yjit'
+require_relative '../environment/process'
 
 module Datadog
   module Core
@@ -24,6 +25,9 @@ module Datadog
 
           # Initialize the collection of runtime-id
           @runtime_id_enabled = options.fetch(:experimental_runtime_id_enabled, false)
+
+          # Initialized process tags support
+          @process_tags_enabled = options.fetch(:experimental_propagate_process_tags_enabled, false)
         end
 
         # Associate service with runtime metrics
@@ -111,6 +115,11 @@ module Datadog
 
             # Add runtime-id dynamically because it might change during runtime.
             options[:tags].concat(["runtime-id:#{Core::Environment::Identity.id}"]) if @runtime_id_enabled
+
+            # Add process tags when enabled
+            if @process_tags_enabled
+              options[:tags].concat(Core::Environment::Process.tags)
+            end
           end
         end
 
@@ -119,7 +128,8 @@ module Datadog
         attr_reader \
           :service_tags,
           :services,
-          :runtime_id_enabled
+          :runtime_id_enabled,
+          :process_tags_enabled
 
         def compile_service_tags!
           @service_tags = services.to_a.collect do |service|