dd-trace 2.33.0 → 2.34.0

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/sql-sensitive-analyzer.js

@@ -0,0 +1,95 @@
+'use strict'
+
+const iastLog = require('../../../iast-log')
+
+const STRING_LITERAL = '\'(?:\'\'|[^\'])*\''
+const POSTGRESQL_ESCAPED_LITERAL = '\\$([^$]*)\\$.*?\\$\\1\\$'
+const MYSQL_STRING_LITERAL = '"(?:\\\\"|[^"])*"|\'(?:\\\\\'|[^\'])*\''
+const LINE_COMMENT = '--.*$'
+const BLOCK_COMMENT = '/\\*[\\s\\S]*\\*/'
+const EXPONENT = '(?:E[-+]?\\d+[fd]?)?'
+const INTEGER_NUMBER = '(?<!\\w)\\d+'
+const DECIMAL_NUMBER = '\\d*\\.\\d+'
+const HEX_NUMBER = 'x\'[0-9a-f]+\'|0x[0-9a-f]+'
+const BIN_NUMBER = 'b\'[0-9a-f]+\'|0b[0-9a-f]+'
+const NUMERIC_LITERAL =
+  `[-+]?(?:${
+    [
+      HEX_NUMBER,
+      BIN_NUMBER,
+      DECIMAL_NUMBER + EXPONENT,
+      INTEGER_NUMBER + EXPONENT
+    ].join('|')
+  })`
+
+class SqlSensitiveAnalyzer {
+  constructor () {
+    this._patterns = {
+      MYSQL: new RegExp(
+        [
+          NUMERIC_LITERAL,
+          MYSQL_STRING_LITERAL,
+          LINE_COMMENT,
+          BLOCK_COMMENT
+        ].join('|'),
+        'gmi'
+      ),
+      POSTGRES: new RegExp(
+        [
+          NUMERIC_LITERAL,
+          POSTGRESQL_ESCAPED_LITERAL,
+          STRING_LITERAL,
+          LINE_COMMENT,
+          BLOCK_COMMENT
+        ].join('|'),
+        'gmi'
+      )
+    }
+  }
+
+  extractSensitiveRanges (evidence) {
+    try {
+      const pattern = this._patterns[evidence.dialect]
+      pattern.lastIndex = 0
+      const tokens = []
+
+      let regexResult = pattern.exec(evidence.value)
+      while (regexResult != null) {
+        let start = regexResult.index
+        let end = regexResult.index + regexResult[0].length
+        const startChar = evidence.value.charAt(start)
+        if (startChar === '\'' || startChar === '"') {
+          start++
+          end--
+        } else if (end > start + 1) {
+          const nextChar = evidence.value.charAt(start + 1)
+          if (startChar === '/' && nextChar === '*') {
+            start += 2
+            end -= 2
+          } else if (startChar === '-' && startChar === nextChar) {
+            start += 2
+          } else if (startChar.toLowerCase() === 'q' && nextChar === '\'') {
+            start += 3
+            end -= 2
+          } else if (startChar === '$') {
+            const match = regexResult[0]
+            const size = match.indexOf('$', 1) + 1
+            if (size > 1) {
+              start += size
+              end -= size
+            }
+          }
+        }
+
+        tokens.push({ start, end })
+        regexResult = pattern.exec(evidence.value)
+      }
+      return tokens
+    } catch (e) {
+      iastLog.debug(e)
+    }
+    return []
+  }
+}
+
+module.exports = SqlSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -0,0 +1,144 @@
+'use strict'
+
+const vulnerabilities = require('../../vulnerabilities')
+
+const { contains, intersects, remove } = require('./range-utils')
+
+const CommandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
+const LdapSensitiveAnalyzer = require('./sensitive-analyzers/ldap-sensitive-analyzer')
+const SqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyzer')
+
+// eslint-disable-next-line max-len
+const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
+// eslint-disable-next-line max-len
+const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,}))'
+
+class SensitiveHandler {
+  constructor () {
+    this._namePattern = new RegExp(DEFAULT_IAST_REDACTION_NAME_PATTERN, 'gmi')
+    this._valuePattern = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
+
+    this._sensitiveAnalyzers = new Map()
+    this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, new CommandSensitiveAnalyzer())
+    this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, new LdapSensitiveAnalyzer())
+    this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, new SqlSensitiveAnalyzer())
+  }
+
+  isSensibleName (name) {
+    this._namePattern.lastIndex = 0
+    return this._namePattern.test(name)
+  }
+
+  isSensibleValue (value) {
+    this._valuePattern.lastIndex = 0
+    return this._valuePattern.test(value)
+  }
+
+  isSensibleSource (source) {
+    return source != null && (this.isSensibleName(source.name) || this.isSensibleValue(source.value))
+  }
+
+  scrubEvidence (vulnerabilityType, evidence, sourcesIndexes, sources) {
+    const sensitiveAnalyzer = this._sensitiveAnalyzers.get(vulnerabilityType)
+    if (sensitiveAnalyzer) {
+      const sensitiveRanges = sensitiveAnalyzer.extractSensitiveRanges(evidence)
+      return this.toRedactedJson(evidence, sensitiveRanges, sourcesIndexes, sources)
+    }
+    return null
+  }
+
+  toRedactedJson (evidence, sensitive, sourcesIndexes, sources) {
+    const valueParts = []
+    const redactedSources = []
+
+    const { value, ranges } = evidence
+
+    let start = 0
+    let nextTaintedIndex = 0
+    let sourceIndex
+
+    let nextTainted = ranges.shift()
+    let nextSensitive = sensitive.shift()
+
+    for (let i = 0; i < value.length; i++) {
+      if (nextTainted != null && nextTainted.start === i) {
+        this.writeValuePart(valueParts, value.substring(start, i), sourceIndex)
+
+        sourceIndex = sourcesIndexes[nextTaintedIndex]
+
+        while (nextSensitive != null && contains(nextTainted, nextSensitive)) {
+          sourceIndex != null && redactedSources.push(sourceIndex)
+          nextSensitive = sensitive.shift()
+        }
+
+        if (nextSensitive != null && intersects(nextSensitive, nextTainted)) {
+          sourceIndex != null && redactedSources.push(sourceIndex)
+
+          const entries = remove(nextSensitive, nextTainted)
+          nextSensitive = entries.length > 0 ? entries[0] : null
+        }
+
+        this.isSensibleSource(sources[sourceIndex]) && redactedSources.push(sourceIndex)
+
+        if (redactedSources.indexOf(sourceIndex) > -1) {
+          this.writeRedactedValuePart(valueParts, sourceIndex)
+        } else {
+          const substringEnd = Math.min(nextTainted.end, value.length)
+          this.writeValuePart(valueParts, value.substring(nextTainted.start, substringEnd), sourceIndex)
+        }
+
+        start = i + (nextTainted.end - nextTainted.start)
+        i = start - 1
+        nextTainted = ranges.shift()
+        nextTaintedIndex++
+        sourceIndex = null
+      } else if (nextSensitive != null && nextSensitive.start === i) {
+        this.writeValuePart(valueParts, value.substring(start, i), sourceIndex)
+        if (nextTainted != null && intersects(nextSensitive, nextTainted)) {
+          sourceIndex = sourcesIndexes[nextTaintedIndex]
+          sourceIndex != null && redactedSources.push(sourceIndex)
+
+          for (const entry of remove(nextSensitive, nextTainted)) {
+            if (entry.start === i) {
+              nextSensitive = entry
+            } else {
+              sensitive.push(entry)
+            }
+          }
+        }
+
+        this.writeRedactedValuePart(valueParts)
+
+        start = i + (nextSensitive.end - nextSensitive.start)
+        i = start - 1
+        nextSensitive = sensitive.shift()
+      }
+    }
+
+    if (start < value.length) {
+      this.writeValuePart(valueParts, value.substring(start))
+    }
+
+    return { redactedValueParts: valueParts, redactedSources }
+  }
+
+  writeValuePart (valueParts, value, source) {
+    if (value.length > 0) {
+      if (source != null) {
+        valueParts.push({ value, source })
+      } else {
+        valueParts.push({ value })
+      }
+    }
+  }
+
+  writeRedactedValuePart (valueParts, source) {
+    if (source != null) {
+      valueParts.push({ redacted: true, source })
+    } else {
+      valueParts.push({ redacted: true })
+    }
+  }
+}
+
+module.exports = new SensitiveHandler()

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js

@@ -0,0 +1,113 @@
+const sensitiveHandler = require('./evidence-redaction/sensitive-handler')
+
+class VulnerabilityFormatter {
+  constructor () {
+    this._redactVulnearbilities = true
+  }
+
+  setRedactVulnerabilities (shouldRedactVulnerabilities) {
+    this._redactVulnearbilities = shouldRedactVulnerabilities
+  }
+
+  extractSourcesFromVulnerability (vulnerability) {
+    if (!vulnerability.evidence.ranges) {
+      return []
+    }
+    return vulnerability.evidence.ranges.map(range => (
+      {
+        origin: range.iinfo.type,
+        name: range.iinfo.parameterName,
+        value: range.iinfo.parameterValue
+      }
+    ))
+  }
+
+  getRedactedValueParts (type, evidence, sourcesIndexes, sources) {
+    const scrubbingResult = sensitiveHandler.scrubEvidence(type, evidence, sourcesIndexes, sources)
+    if (scrubbingResult) {
+      const { redactedValueParts, redactedSources } = scrubbingResult
+      redactedSources.forEach(i => {
+        delete sources[i].value
+        sources[i].redacted = true
+      })
+      return { valueParts: redactedValueParts }
+    }
+
+    return this.getUnredactedValueParts(evidence, sourcesIndexes)
+  }
+
+  getUnredactedValueParts (evidence, sourcesIndexes) {
+    const valueParts = []
+    let fromIndex = 0
+    evidence.ranges.forEach((range, rangeIndex) => {
+      if (fromIndex < range.start) {
+        valueParts.push({ value: evidence.value.substring(fromIndex, range.start) })
+      }
+      valueParts.push({ value: evidence.value.substring(range.start, range.end), source: sourcesIndexes[rangeIndex] })
+      fromIndex = range.end
+    })
+    if (fromIndex < evidence.value.length) {
+      valueParts.push({ value: evidence.value.substring(fromIndex) })
+    }
+    return { valueParts }
+  }
+
+  formatEvidence (type, evidence, sourcesIndexes, sources) {
+    if (!evidence.ranges) {
+      return { value: evidence.value }
+    }
+
+    return this._redactVulnearbilities
+      ? this.getRedactedValueParts(type, evidence, sourcesIndexes, sources)
+      : this.getUnredactedValueParts(evidence, sourcesIndexes)
+  }
+
+  formatVulnerability (vulnerability, sourcesIndexes, sources) {
+    const formattedVulnerability = {
+      type: vulnerability.type,
+      hash: vulnerability.hash,
+      evidence: this.formatEvidence(vulnerability.type, vulnerability.evidence, sourcesIndexes, sources),
+      location: {
+        spanId: vulnerability.location.spanId
+      }
+    }
+    if (vulnerability.location.path) {
+      formattedVulnerability.location.path = vulnerability.location.path
+    }
+    if (vulnerability.location.line) {
+      formattedVulnerability.location.line = vulnerability.location.line
+    }
+    return formattedVulnerability
+  }
+
+  toJson (vulnerabilitiesToFormat) {
+    const sources = []
+
+    const vulnerabilities = vulnerabilitiesToFormat.map(vulnerability => {
+      const vulnerabilitySources = this.extractSourcesFromVulnerability(vulnerability)
+      const sourcesIndexes = []
+      vulnerabilitySources.forEach((source) => {
+        let sourceIndex = sources.findIndex(
+          existingSource =>
+            existingSource.origin === source.origin &&
+            existingSource.name === source.name &&
+            existingSource.value === source.value
+        )
+        if (sourceIndex === -1) {
+          sourceIndex = sources.length
+          sources.push(source)
+        }
+        sourcesIndexes.push(sourceIndex)
+      })
+
+      return this.formatVulnerability(vulnerability, sourcesIndexes, sources)
+    })
+
+    return {
+      sources,
+      vulnerabilities
+    }
+  }
+}
+
+module.exports = new VulnerabilityFormatter()

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -0,0 +1,8 @@
+module.exports = {
+  WEAK_HASH: 'WEAK_HASH',
+  WEAK_CIPHER: 'WEAK_CIPHER',
+  SQL_INJECTION: 'SQL_INJECTION',
+  PATH_TRAVERSAL: 'PATH_TRAVERSAL',
+  COMMAND_INJECTION: 'COMMAND_INJECTION',
+  LDAP_INJECTION: 'LDAP_INJECTION'
+}

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -1,5 +1,6 @@
 const { MANUAL_KEEP } = require('../../../../../ext/tags')
 const LRU = require('lru-cache')
+const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
 const VULNERABILITIES_KEY = 'vulnerabilities'
 const IAST_JSON_TAG_KEY = '_dd.iast.json'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
@@ -60,57 +61,6 @@ function isValidVulnerability (vulnerability) {
     vulnerability.location && vulnerability.location.spanId
 }
 
-function formatEvidence (evidence, sourcesIndexes) {
-  if (!evidence.ranges) {
-    return { value: evidence.value }
-  }
-
-  const valueParts = []
-  let fromIndex = 0
-  evidence.ranges.forEach((range, rangeIndex) => {
-    if (fromIndex < range.start) {
-      valueParts.push({ value: evidence.value.substring(fromIndex, range.start) })
-    }
-    valueParts.push({ value: evidence.value.substring(range.start, range.end), source: sourcesIndexes[rangeIndex] })
-    fromIndex = range.end
-  })
-  if (fromIndex < evidence.value.length) {
-    valueParts.push({ value: evidence.value.substring(fromIndex) })
-  }
-  return { valueParts }
-}
-
-function extractSourcesFromVulnerability (vulnerability) {
-  if (!vulnerability.evidence.ranges) {
-    return []
-  }
-  return vulnerability.evidence.ranges.map(range => (
-    {
-      origin: range.iinfo.type,
-      name: range.iinfo.parameterName,
-      value: range.iinfo.parameterValue
-    }
-  ))
-}
-
-function jsonVulnerabilityFromVulnerability (vulnerability, sourcesIndexes) {
-  const jsonVulnerability = {
-    type: vulnerability.type,
-    hash: vulnerability.hash,
-    evidence: formatEvidence(vulnerability.evidence, sourcesIndexes),
-    location: {
-      spanId: vulnerability.location.spanId
-    }
-  }
-  if (vulnerability.location.path) {
-    jsonVulnerability.location.path = vulnerability.location.path
-  }
-  if (vulnerability.location.line) {
-    jsonVulnerability.location.line = vulnerability.location.line
-  }
-  return jsonVulnerability
-}
-
 function sendVulnerabilities (vulnerabilities, rootSpan) {
   if (vulnerabilities && vulnerabilities.length) {
     let span = rootSpan
@@ -124,31 +74,8 @@ function sendVulnerabilities (vulnerabilities, rootSpan) {
     }
 
     if (span && span.addTags) {
-      const jsonToSend = {
-        sources: [],
-        vulnerabilities: []
-      }
-
-      deduplicateVulnerabilities(vulnerabilities).forEach((vulnerability) => {
-        if (isValidVulnerability(vulnerability)) {
-          const sourcesIndexes = []
-          const vulnerabilitySources = extractSourcesFromVulnerability(vulnerability)
-          vulnerabilitySources.forEach((source) => {
-            let sourceIndex = jsonToSend.sources.findIndex(
-              existingSource =>
-                existingSource.origin === source.origin &&
-                existingSource.name === source.name &&
-                existingSource.value === source.value
-            )
-            if (sourceIndex === -1) {
-              sourceIndex = jsonToSend.sources.length
-              jsonToSend.sources.push(source)
-            }
-            sourcesIndexes.push(sourceIndex)
-          })
-          jsonToSend.vulnerabilities.push(jsonVulnerabilityFromVulnerability(vulnerability, sourcesIndexes))
-        }
-      })
+      const validAndDedupVulnerabilities = deduplicateVulnerabilities(vulnerabilities).filter(isValidVulnerability)
+      const jsonToSend = vulnerabilitiesFormatter.toJson(validAndDedupVulnerabilities)
 
       if (jsonToSend.vulnerabilities.length > 0) {
         const tags = {}
@@ -194,6 +121,7 @@ function deduplicateVulnerabilities (vulnerabilities) {
 
 function start (config, _tracer) {
   deduplicationEnabled = config.iast.deduplicationEnabled
+  vulnerabilitiesFormatter.setRedactVulnerabilities(config.iast.redactionEnabled)
   if (deduplicationEnabled) {
     startClearCacheTimer()
   }

package/packages/dd-trace/src/config.js

@@ -2,13 +2,15 @@
 
 const fs = require('fs')
 const os = require('os')
+const uuid = require('crypto-randomuuid')
 const URL = require('url').URL
 const log = require('./log')
 const pkg = require('./pkg')
 const coalesce = require('koalas')
 const tagger = require('./tagger')
 const { isTrue, isFalse } = require('./util')
-const uuid = require('crypto-randomuuid')
+const { GIT_REPOSITORY_URL, GIT_COMMIT_SHA } = require('./plugins/util/tags')
+const { getGitMetadataFromGitProperties } = require('./git_properties')
 
 const fromEntries = Object.fromEntries || (entries =>
   entries.reduce((obj, [k, v]) => Object.assign(obj, { [k]: v }), {}))
@@ -156,6 +158,8 @@ class Config {
       process.env.DD_SERVICE_NAME ||
       this.tags.service ||
       process.env.AWS_LAMBDA_FUNCTION_NAME ||
+      process.env.FUNCTION_NAME || // Google Cloud Function Name set by deprecated runtimes
+      process.env.K_SERVICE || // Google Cloud Function Name set by newer runtimes
       pkg.name ||
       'node'
     const DD_SERVICE_MAPPING = coalesce(
@@ -180,9 +184,18 @@ class Config {
       process.env.DD_TRACE_STARTUP_LOGS,
       false
     )
+
+    const inAWSLambda = process.env.AWS_LAMBDA_FUNCTION_NAME !== undefined
+
+    const isDeprecatedGCPFunction = process.env.FUNCTION_NAME !== undefined && process.env.GCP_PROJECT !== undefined
+    const isNewerGCPFunction = process.env.K_SERVICE !== undefined && process.env.FUNCTION_TARGET !== undefined
+    const isGCPFunction = isDeprecatedGCPFunction || isNewerGCPFunction
+
+    const inServerlessEnvironment = inAWSLambda || isGCPFunction
+
     const DD_TRACE_TELEMETRY_ENABLED = coalesce(
       process.env.DD_TRACE_TELEMETRY_ENABLED,
-      !process.env.AWS_LAMBDA_FUNCTION_NAME
+      !inServerlessEnvironment
     )
     const DD_TELEMETRY_DEBUG_ENABLED = coalesce(
       process.env.DD_TELEMETRY_DEBUG_ENABLED,
@@ -266,7 +279,7 @@ class Config {
     const DD_TRACE_STATS_COMPUTATION_ENABLED = coalesce(
       options.stats,
       process.env.DD_TRACE_STATS_COMPUTATION_ENABLED,
-      false
+      isGCPFunction
     )
 
     const DD_TRACE_128_BIT_TRACEID_GENERATION_ENABLED = coalesce(
@@ -333,12 +346,10 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
       maybeFile(process.env.DD_APPSEC_HTTP_BLOCKED_TEMPLATE_JSON)
     )
 
-    const inAWSLambda = process.env.AWS_LAMBDA_FUNCTION_NAME !== undefined
-
     const remoteConfigOptions = options.remoteConfig || {}
     const DD_REMOTE_CONFIGURATION_ENABLED = coalesce(
       process.env.DD_REMOTE_CONFIGURATION_ENABLED && isTrue(process.env.DD_REMOTE_CONFIGURATION_ENABLED),
-      !inAWSLambda
+      !inServerlessEnvironment
     )
     const DD_REMOTE_CONFIG_POLL_INTERVAL_SECONDS = coalesce(
       parseInt(remoteConfigOptions.pollInterval),
@@ -385,11 +396,22 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
       true
     )
 
+    const DD_IAST_REDACTION_ENABLED = coalesce(
+      iastOptions && iastOptions.redactionEnabled,
+      !isFalse(process.env.DD_IAST_REDACTION_ENABLED),
+      true
+    )
+
     const DD_CIVISIBILITY_GIT_UPLOAD_ENABLED = coalesce(
       process.env.DD_CIVISIBILITY_GIT_UPLOAD_ENABLED,
       true
     )
 
+    const DD_TRACE_GIT_METADATA_ENABLED = coalesce(
+      process.env.DD_TRACE_GIT_METADATA_ENABLED,
+      true
+    )
+
     const ingestion = options.ingestion || {}
     const dogstatsd = coalesce(options.dogstatsd, {})
     const sampler = {
@@ -421,7 +443,7 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
       })
     }
 
-    const defaultFlushInterval = inAWSLambda ? 0 : 2000
+    const defaultFlushInterval = inServerlessEnvironment ? 0 : 2000
 
     this.tracing = !isFalse(DD_TRACING_ENABLED)
     this.dbmPropagationMode = DD_DBM_PROPAGATION_MODE
@@ -494,7 +516,8 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
       requestSampling: DD_IAST_REQUEST_SAMPLING,
       maxConcurrentRequests: DD_IAST_MAX_CONCURRENT_REQUESTS,
       maxContextOperations: DD_IAST_MAX_CONTEXT_OPERATIONS,
-      deduplicationEnabled: DD_IAST_DEDUPLICATION_ENABLED
+      deduplicationEnabled: DD_IAST_DEDUPLICATION_ENABLED,
+      redactionEnabled: DD_IAST_REDACTION_ENABLED
     }
 
     this.isCiVisibility = isTrue(DD_IS_CIVISIBILITY)
@@ -503,6 +526,31 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
     this.isGitUploadEnabled = this.isCiVisibility &&
       (this.isIntelligentTestRunnerEnabled && !isFalse(DD_CIVISIBILITY_GIT_UPLOAD_ENABLED))
 
+    this.gitMetadataEnabled = isTrue(DD_TRACE_GIT_METADATA_ENABLED)
+
+    if (this.gitMetadataEnabled) {
+      this.repositoryUrl = coalesce(
+        process.env.DD_GIT_REPOSITORY_URL,
+        this.tags[GIT_REPOSITORY_URL]
+      )
+      this.commitSHA = coalesce(
+        process.env.DD_GIT_COMMIT_SHA,
+        this.tags[GIT_COMMIT_SHA]
+      )
+      if (!this.repositoryUrl || !this.commitSHA) {
+        const DD_GIT_PROPERTIES_FILE = coalesce(
+          process.env.DD_GIT_PROPERTIES_FILE,
+          `${process.cwd()}/git.properties`
+        )
+        const gitPropertiesString = maybeFile(DD_GIT_PROPERTIES_FILE)
+        if (gitPropertiesString) {
+          const { commitSHA, repositoryUrl } = getGitMetadataFromGitProperties(gitPropertiesString)
+          this.commitSHA = this.commitSHA || commitSHA
+          this.repositoryUrl = this.repositoryUrl || repositoryUrl
+        }
+      }
+    }
+
     this.stats = {
       enabled: isTrue(DD_TRACE_STATS_COMPUTATION_ENABLED)
     }
@@ -510,6 +558,8 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
     this.traceId128BitGenerationEnabled = isTrue(DD_TRACE_128_BIT_TRACEID_GENERATION_ENABLED)
     this.traceId128BitLoggingEnabled = isTrue(DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED)
 
+    this.isGCPFunction = isGCPFunction
+
     tagger.add(this.tags, {
       service: this.service,
       env: this.env,

package/packages/dd-trace/src/constants.js

@@ -25,5 +25,7 @@ module.exports = {
   ERROR_MESSAGE: 'error.message',
   ERROR_STACK: 'error.stack',
   COMPONENT: 'component',
-  CLIENT_PORT_KEY: 'network.destination.port'
+  CLIENT_PORT_KEY: 'network.destination.port',
+  SCI_REPOSITORY_URL: '_dd.git.repository_url',
+  SCI_COMMIT_SHA: '_dd.git.commit.sha'
 }

package/packages/dd-trace/src/git_metadata_tagger.js

@@ -0,0 +1,17 @@
+const { SCI_COMMIT_SHA, SCI_REPOSITORY_URL } = require('./constants')
+
+class GitMetadataTagger {
+  constructor (config) {
+    this._config = config
+  }
+
+  tagGitMetadata (spanContext) {
+    if (this._config.gitMetadataEnabled) {
+      // These tags are added only to the local root span
+      spanContext._trace.tags[SCI_COMMIT_SHA] = this._config.commitSHA
+      spanContext._trace.tags[SCI_REPOSITORY_URL] = this._config.repositoryUrl
+    }
+  }
+}
+
+module.exports = GitMetadataTagger

package/packages/dd-trace/src/git_properties.js

@@ -0,0 +1,32 @@
+const commitSHARegex = /git\.commit\.sha=([a-f\d]{40})/
+const repositoryUrlRegex = /git\.repository_url=([\w\d:@/.-]+)/
+
+function getGitMetadataFromGitProperties (gitPropertiesString) {
+  if (!gitPropertiesString) {
+    return {}
+  }
+  const commitSHAMatch = gitPropertiesString.match(commitSHARegex)
+  const repositoryUrlMatch = gitPropertiesString.match(repositoryUrlRegex)
+
+  const repositoryUrl = repositoryUrlMatch ? repositoryUrlMatch[1] : undefined
+  let parsedUrl = repositoryUrl
+
+  if (repositoryUrl) {
+    try {
+      // repository URLs can contain username and password, so we want to filter those out
+      parsedUrl = new URL(repositoryUrl)
+      if (parsedUrl.password) {
+        parsedUrl = `${parsedUrl.origin}${parsedUrl.pathname}`
+      }
+    } catch (e) {
+      // if protocol isn't https, no password will be used
+    }
+  }
+
+  return {
+    commitSHA: commitSHAMatch ? commitSHAMatch[1] : undefined,
+    repositoryUrl: parsedUrl
+  }
+}
+
+module.exports = { getGitMetadataFromGitProperties }