dd-trace 3.11.0 → 3.12.0

package/LICENSE-3rdparty.csv

@@ -63,4 +63,5 @@ dev,sinon,BSD-3-Clause,Copyright 2010-2017 Christian Johansen
 dev,sinon-chai,WTFPL and BSD-2-Clause,Copyright 2004 Sam Hocevar 2012–2017 Domenic Denicola
 dev,tape,MIT,Copyright James Halliday
 dev,wait-on,MIT,Copyright 2015 Jeff Barczewski
+file,aws-lambda-nodejs-runtime-interface-client,Apache 2.0,Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 file,profile.proto,Apache license 2.0,Copyright 2016 Google Inc.

package/index.d.ts

@@ -242,6 +242,11 @@ export declare interface TracerOptions {
    */
   service?: string;
 
+  /**
+   * Provide service name mappings for each plugin.
+   */
+  serviceMapping?: { [key: string]: string };
+
   /**
    * The url of the trace agent that the tracer will submit to.
    * Takes priority over hostname and port, if set.
@@ -521,6 +526,17 @@ export declare interface TracerOptions {
      */
     blockedTemplateJson?: string,
   };
+
+  /**
+   * Configuration of ASM Remote Configuration
+   */
+  remoteConfig?: {
+    /**
+     * Specifies the remote configuration polling interval in seconds
+     * @default 5
+     */
+    pollInterval?: number,
+  }
 }
 
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "3.11.0",
+  "version": "3.12.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",
@@ -16,12 +16,14 @@
     "services": "node ./scripts/install_plugin_modules && node packages/dd-trace/test/setup/services",
     "tdd": "node scripts/tdd.js",
     "test": "SERVICES=* yarn services && mocha --colors --exit --expose-gc 'packages/dd-trace/test/setup/node.js' 'packages/*/test/**/*.spec.js'",
-    "test:trace:core": "mocha --colors --exit --expose-gc --file packages/dd-trace/test/setup/core.js --exclude \"packages/dd-trace/test/profiling/**/*.spec.js\" --exclude \"packages/dd-trace/test/appsec/iast/**/*.plugin.spec.js\" \"packages/dd-trace/test/**/*.spec.js\"",
-    "test:trace:core:ci": "nyc --no-clean --include \"packages/dd-trace/src/**/*.js\" --exclude \"packages/dd-trace/src/profiling/**/*.js\" --exclude \"packages/dd-trace/test/appsec/iast/**/*.plugin.spec.js\" -- npm run test:trace:core -- --reporter mocha-multi-reporters --reporter-options configFile=mocha-reporter.json",
+    "test:trace:core": "mocha --colors --exit --expose-gc --file packages/dd-trace/test/setup/core.js --exclude \"packages/dd-trace/test/lambda/**/*.spec.js\" --exclude \"packages/dd-trace/test/profiling/**/*.spec.js\" --exclude \"packages/dd-trace/test/appsec/iast/**/*.plugin.spec.js\" \"packages/dd-trace/test/**/*.spec.js\"",
+    "test:trace:core:ci": "nyc --no-clean --include \"packages/dd-trace/src/**/*.js\" --exclude \"packages/dd-trace/src/lambda/**/*.spec.js\" --exclude \"packages/dd-trace/src/profiling/**/*.js\" --exclude \"packages/dd-trace/test/appsec/iast/**/*.plugin.spec.js\" -- npm run test:trace:core -- --reporter mocha-multi-reporters --reporter-options configFile=mocha-reporter.json",
     "test:instrumentations": "mocha --colors --file 'packages/dd-trace/test/setup/core.js' 'packages/datadog-instrumentations/test/**/*.spec.js'",
     "test:instrumentations:ci": "nyc --no-clean --include 'packages/datadog-instrumentations/src/**/*.js' -- npm run test:instrumentations",
     "test:core": "mocha --colors --file packages/datadog-core/test/setup.js 'packages/datadog-core/test/**/*.spec.js'",
     "test:core:ci": "nyc --no-clean --include 'packages/datadog-core/src/**/*.js' -- npm run test:core",
+    "test:lambda": "mocha --colors --exit --file \"packages/dd-trace/test/setup/core.js\" \"packages/dd-trace/test/lambda/**/*.spec.js\"",
+    "test:lambda:ci": "nyc --no-clean --include \"packages/dd-trace/src/lambda/**/*.js\" -- npm run test:lambda",
     "test:plugins": "mocha --colors --exit --file \"packages/dd-trace/test/setup/core.js\" \"packages/datadog-instrumentations/test/@($(echo $PLUGINS)).spec.js\" \"packages/datadog-plugin-@($(echo $PLUGINS))/test/**/*.spec.js\" \"packages/dd-trace/test/appsec/iast/**/*.@($(echo $PLUGINS)).plugin.spec.js\"",
     "test:plugins:ci": "yarn services && nyc --no-clean --include \"packages/datadog-instrumentations/src/@($(echo $PLUGINS)).js\" --include \"packages/datadog-instrumentations/src/@($(echo $PLUGINS))/**/*.js\" --include \"packages/datadog-plugin-@($(echo $PLUGINS))/src/**/*.js\" --include \"packages/dd-trace/test/appsec/iast/**/*.@($(echo $PLUGINS)).plugin.spec.js\" -- npm run test:plugins",
     "test:plugins:upstream": "node ./packages/dd-trace/test/plugins/suite.js",
@@ -60,7 +62,7 @@
   "dependencies": {
     "@datadog/native-appsec": "2.0.0",
     "@datadog/native-iast-rewriter": "1.1.2",
-    "@datadog/native-iast-taint-tracking": "1.0.0",
+    "@datadog/native-iast-taint-tracking": "1.1.0",
     "@datadog/native-metrics": "^1.5.0",
     "@datadog/pprof": "^1.1.1",
     "@datadog/sketches-js": "^2.1.0",

package/packages/datadog-instrumentations/src/helpers/register.js

@@ -57,3 +57,10 @@ function getVersion (moduleBaseDir) {
 function filename (name, file) {
   return [name, file].filter(val => val).join('/')
 }
+
+module.exports = {
+  filename,
+  getVersion,
+  matchVersion,
+  pathSepExpr
+}

package/packages/datadog-instrumentations/src/mocha.js

@@ -89,6 +89,12 @@ function getTestAsyncResource (test) {
   return testToAr.get(originalFn)
 }
 
+function getSuitesToRun (originalSuites) {
+  return originalSuites.filter(suite =>
+    !suitesToSkip.includes(getTestSuitePath(suite.file, process.cwd()))
+  )
+}
+
 function mochaHook (Runner) {
   if (patched.has(Runner)) return Runner
 
@@ -279,11 +285,6 @@ function mochaHook (Runner) {
       }
     })
 
-    // We remove the suites that we skip through ITR
-    this.suite.suites = this.suite.suites.filter(suite =>
-      !suitesToSkip.includes(getTestSuitePath(suite.file, process.cwd()))
-    )
-
     return run.apply(this, arguments)
   })
 
@@ -323,6 +324,10 @@ addHook({
     if (!itrConfigurationCh.hasSubscribers) {
       return run.apply(this, arguments)
     }
+    this.options.delay = true
+
+    const runner = run.apply(this, arguments)
+
     const onReceivedSkippableSuites = ({ err, skippableSuites }) => {
       if (err) {
         log.error(err)
@@ -330,16 +335,18 @@ addHook({
       } else {
         suitesToSkip = skippableSuites
       }
-      run.apply(this, arguments)
+      // We remove the suites that we skip through ITR
+      runner.suite.suites = getSuitesToRun(runner.suite.suites)
+      global.run()
     }
 
     const onReceivedConfiguration = ({ err }) => {
       if (err) {
         log.error(err)
-        return run.apply(this, arguments)
+        return global.run()
       }
       if (!skippableSuitesCh.hasSubscribers) {
-        return run.apply(this, arguments)
+        return global.run()
       }
 
       skippableSuitesCh.publish({
@@ -352,6 +359,7 @@ addHook({
         onDone: mochaRunAsyncResource.bind(onReceivedConfiguration)
       })
     })
+    return runner
   })
   return Mocha
 })
@@ -362,6 +370,23 @@ addHook({
   file: 'lib/runner.js'
 }, mochaHook)
 
+addHook({
+  name: 'mocha',
+  versions: ['>=5.2.0'],
+  file: 'lib/cli/run-helpers.js'
+}, (run) => {
+  shimmer.wrap(run, 'runMocha', runMocha => async function () {
+    const mocha = arguments[0]
+    /**
+     * This attaches `run` to the global context, which we'll call after
+     * our configuration and skippable suites requests
+     */
+    mocha.options.delay = true
+    return runMocha.apply(this, arguments)
+  })
+  return run
+})
+
 addHook({
   name: 'mocha',
   versions: ['>=5.2.0'],

package/packages/datadog-instrumentations/src/pg.js

@@ -41,7 +41,12 @@ function wrapQuery (query) {
     const asyncResource = new AsyncResource('bound-anonymous-fn')
     const processId = this.processID
     return asyncResource.runInAsyncScope(() => {
-      startCh.publish({ params: this.connectionParameters, originalQuery: pgQuery.text, query: pgQuery, processId })
+      startCh.publish({
+        params: this.connectionParameters,
+        originalQuery: pgQuery.text,
+        query: pgQuery,
+        processId
+      })
 
       const finish = asyncResource.bind(function (error) {
         if (error) {

package/packages/datadog-plugin-http/src/client.js

@@ -117,7 +117,7 @@ function addRequestHeaders (req, span, config) {
     const value = req.getHeader(key)
 
     if (value) {
-      span.setTag(`${HTTP_REQUEST_HEADERS}.${key}`, value)
+      span.setTag(`${HTTP_REQUEST_HEADERS}.${key}`, Array.isArray(value) ? value.toString() : value)
     }
   })
 }

package/packages/datadog-plugin-jest/src/index.js

@@ -15,7 +15,7 @@ const {
   TEST_SUITE_ID,
   TEST_COMMAND,
   TEST_ITR_TESTS_SKIPPED,
-  TEST_SESSION_ITR_CODE_COVERAGE_ENABLED,
+  TEST_SESSION_CODE_COVERAGE_ENABLED,
   TEST_SESSION_ITR_SKIPPING_ENABLED,
   TEST_CODE_COVERAGE_LINES_TOTAL
 } = require('../../dd-trace/src/plugins/util/test')
@@ -77,7 +77,7 @@ class JestPlugin extends CiPlugin {
       testSessionSpan.setTag(TEST_STATUS, status)
       testSessionSpan.setTag(TEST_ITR_TESTS_SKIPPED, isSuitesSkipped ? 'true' : 'false')
       testSessionSpan.setTag(TEST_SESSION_ITR_SKIPPING_ENABLED, isSuitesSkippingEnabled ? 'true' : 'false')
-      testSessionSpan.setTag(TEST_SESSION_ITR_CODE_COVERAGE_ENABLED, isCodeCoverageEnabled ? 'true' : 'false')
+      testSessionSpan.setTag(TEST_SESSION_CODE_COVERAGE_ENABLED, isCodeCoverageEnabled ? 'true' : 'false')
 
       if (testCodeCoverageLinesTotal !== undefined) {
         testSessionSpan.setTag(TEST_CODE_COVERAGE_LINES_TOTAL, testCodeCoverageLinesTotal)

package/packages/datadog-plugin-mocha/src/index.js

@@ -16,7 +16,7 @@ const {
   TEST_SESSION_ID,
   TEST_COMMAND,
   TEST_ITR_TESTS_SKIPPED,
-  TEST_SESSION_ITR_CODE_COVERAGE_ENABLED,
+  TEST_SESSION_CODE_COVERAGE_ENABLED,
   TEST_SESSION_ITR_SKIPPING_ENABLED
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
@@ -145,7 +145,7 @@ class MochaPlugin extends CiPlugin {
         this.testSessionSpan.setTag(TEST_STATUS, status)
         this.testSessionSpan.setTag(TEST_ITR_TESTS_SKIPPED, isSuitesSkipped ? 'true' : 'false')
         this.testSessionSpan.setTag(TEST_SESSION_ITR_SKIPPING_ENABLED, isSuitesSkippingEnabled ? 'true' : 'false')
-        this.testSessionSpan.setTag(TEST_SESSION_ITR_CODE_COVERAGE_ENABLED, isCodeCoverageEnabled ? 'true' : 'false')
+        this.testSessionSpan.setTag(TEST_SESSION_CODE_COVERAGE_ENABLED, isCodeCoverageEnabled ? 'true' : 'false')
 
         this.testSessionSpan.finish()
         finishAllTraceSpans(this.testSessionSpan)

package/packages/datadog-plugin-pg/src/index.js

@@ -26,7 +26,7 @@ class PGPlugin extends DatabasePlugin {
       }
     })
 
-    query.text = this.injectDbmQuery(query.text)
+    query.text = this.injectDbmQuery(query.text, service)
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -57,16 +57,16 @@ class Analyzer extends Plugin {
   }
 
   analyze (value) {
-    const iastContext = getIastContext(storage.getStore())
-    if (!iastContext) return
-
+    const store = storage.getStore()
+    const iastContext = getIastContext(store)
+    if (store && !iastContext) return
     this._reportIfVulnerable(value, iastContext)
   }
 
   analyzeAll (...values) {
-    const iastContext = getIastContext(storage.getStore())
-    if (!iastContext) return
-
+    const store = storage.getStore()
+    const iastContext = getIastContext(store)
+    if (store && !iastContext) return
     for (let i = 0; i < values.length; i++) {
       const value = values[i]
       if (this._isVulnerable(value, iastContext)) {

package/packages/dd-trace/src/appsec/iast/index.js

@@ -1,4 +1,4 @@
-const { sendVulnerabilities } = require('./vulnerability-reporter')
+const { sendVulnerabilities, setTracer } = require('./vulnerability-reporter')
 const { enableAllAnalyzers, disableAllAnalyzers } = require('./analyzers')
 const web = require('../../plugins/util/web')
 const { storage } = require('../../../../datadog-core')
@@ -14,17 +14,20 @@ const IAST_ENABLED_TAG_KEY = '_dd.iast.enabled'
 const requestStart = dc.channel('dd-trace:incomingHttpRequestStart')
 const requestClose = dc.channel('dd-trace:incomingHttpRequestEnd')
 
-function enable (config) {
+function enable (config, _tracer) {
   enableAllAnalyzers()
   enableTaintTracking()
   requestStart.subscribe(onIncomingHttpRequestStart)
   requestClose.subscribe(onIncomingHttpRequestEnd)
   overheadController.configure(config.iast)
+  overheadController.startGlobalContext()
+  setTracer(_tracer)
 }
 
 function disable () {
   disableAllAnalyzers()
   disableTaintTracking()
+  overheadController.finishGlobalContext()
   if (requestStart.hasSubscribers) requestStart.unsubscribe(onIncomingHttpRequestStart)
   if (requestClose.hasSubscribers) requestClose.unsubscribe(onIncomingHttpRequestEnd)
 }
@@ -57,7 +60,9 @@ function onIncomingHttpRequestEnd (data) {
     const store = storage.getStore()
     const iastContext = iastContextFunctions.getIastContext(storage.getStore())
     if (iastContext && iastContext.rootSpan) {
-      sendVulnerabilities(iastContext, iastContext.rootSpan)
+      const vulnerabilities = iastContext.vulnerabilities
+      const rootSpan = iastContext.rootSpan
+      sendVulnerabilities(vulnerabilities, rootSpan)
       removeTransaction(iastContext)
     }
     // TODO web.getContext(data.req) is required when the request is aborted

package/packages/dd-trace/src/appsec/iast/overhead-controller.js

@@ -2,8 +2,11 @@
 
 const OVERHEAD_CONTROLLER_CONTEXT_KEY = 'oce'
 const REPORT_VULNERABILITY = 'REPORT_VULNERABILITY'
+const INTERVAL_RESET_GLOBAL_CONTEXT = 60 * 1000
 
 const GLOBAL_OCE_CONTEXT = {}
+
+let resetGlobalContextInterval
 let config = {}
 let availableRequest = 0
 const OPERATIONS = {
@@ -80,11 +83,27 @@ function configure (cfg) {
   availableRequest = config.maxConcurrentRequests
 }
 
-_resetGlobalContext()
+function startGlobalContext () {
+  if (resetGlobalContextInterval) return
+  _resetGlobalContext()
+  resetGlobalContextInterval = setInterval(() => {
+    _resetGlobalContext()
+  }, INTERVAL_RESET_GLOBAL_CONTEXT)
+  resetGlobalContextInterval.unref && resetGlobalContextInterval.unref()
+}
+
+function finishGlobalContext () {
+  if (resetGlobalContextInterval) {
+    clearInterval(resetGlobalContextInterval)
+    resetGlobalContextInterval = null
+  }
+}
 
 module.exports = {
   OVERHEAD_CONTROLLER_CONTEXT_KEY,
   OPERATIONS,
+  startGlobalContext,
+  finishGlobalContext,
   _resetGlobalContext,
   initializeRequestContext,
   hasQuota,

package/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js

@@ -4,7 +4,12 @@ const csiMethods = [
   { src: 'plusOperator', operator: true },
   { src: 'trim' },
   { src: 'trimStart', dst: 'trim' },
-  { src: 'trimEnd' }
+  { src: 'trimEnd' },
+  { src: 'concat' },
+  { src: 'substring' },
+  { src: 'substr' },
+  { src: 'slice' },
+  { src: 'replace' }
 ]
 
 module.exports = {

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js

@@ -9,7 +9,12 @@ function noop (res) { return res }
 const TaintTrackingDummy = {
   plusOperator: noop,
   trim: noop,
-  trimEnd: noop
+  trimEnd: noop,
+  concat: noop,
+  substring: noop,
+  substr: noop,
+  slice: noop,
+  replace: noop
 }
 
 function getTransactionId () {
@@ -54,7 +59,19 @@ function getCsiFn (cb, ...protos) {
   return getFilteredCsiFn(cb, filter)
 }
 
-const TaintTracking = {
+function csiMethodsDefaults (names, excluded) {
+  const impl = {}
+  names.forEach(name => {
+    if (excluded.indexOf(name) !== -1) return
+    impl[name] = getCsiFn(
+      (transactionId, res, target, ...rest) => TaintedUtils[name](transactionId, res, target, ...rest),
+      String.prototype[name]
+    )
+  })
+  return impl
+}
+
+const csiMethodsOverrides = {
   plusOperator: function (res, op1, op2) {
     try {
       if (notString(res) || (notString(op1) && notString(op2))) { return res }
@@ -72,13 +89,14 @@ const TaintTracking = {
     (transactionId, res, target) => TaintedUtils.trim(transactionId, res, target),
     String.prototype.trim,
     String.prototype.trimStart
-  ),
-  trimEnd: getCsiFn(
-    (transactionId, res, target) => TaintedUtils.trimEnd(transactionId, res, target),
-    String.prototype.trimEnd
   )
 }
 
+const TaintTracking = {
+  ...csiMethodsDefaults(Object.keys(TaintTrackingDummy), Object.keys(csiMethodsOverrides)),
+  ...csiMethodsOverrides
+}
+
 module.exports = {
   TaintTracking,
   TaintTrackingDummy

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -5,13 +5,16 @@ const IAST_JSON_TAG_KEY = '_dd.iast.json'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
 const VULNERABILITY_HASHES = new LRU({ max: VULNERABILITY_HASHES_MAX_SIZE })
 
+let tracer
+
 function createVulnerability (type, evidence, spanId, location) {
-  if (type && evidence && spanId) {
+  if (type && evidence) {
+    const _spanId = spanId || 0
     return {
       type,
       evidence,
       location: {
-        spanId,
+        spanId: _spanId,
         ...location
       },
       hash: createHash(type, location)
@@ -37,10 +40,14 @@ function createHash (type, location) {
 }
 
 function addVulnerability (iastContext, vulnerability) {
-  if (iastContext && vulnerability && vulnerability.evidence && vulnerability.type &&
-    vulnerability.location && vulnerability.location.spanId) {
-    iastContext[VULNERABILITIES_KEY] = iastContext[VULNERABILITIES_KEY] || []
-    iastContext[VULNERABILITIES_KEY].push(vulnerability)
+  if (vulnerability && vulnerability.evidence && vulnerability.type &&
+    vulnerability.location) {
+    if (iastContext && iastContext.rootSpan) {
+      iastContext[VULNERABILITIES_KEY] = iastContext[VULNERABILITIES_KEY] || []
+      iastContext[VULNERABILITIES_KEY].push(vulnerability)
+    } else {
+      sendVulnerabilities([vulnerability])
+    }
   }
 }
 
@@ -101,43 +108,53 @@ function jsonVulnerabilityFromVulnerability (vulnerability, sourcesIndexes) {
   return jsonVulnerability
 }
 
-function sendVulnerabilities (iastContext) {
-  if (iastContext && iastContext.rootSpan && iastContext[VULNERABILITIES_KEY] &&
-    iastContext[VULNERABILITIES_KEY].length && iastContext.rootSpan.addTags) {
-    const span = iastContext.rootSpan
-    const allVulnerabilities = iastContext[VULNERABILITIES_KEY]
-    const jsonToSend = {
-      sources: [],
-      vulnerabilities: []
+function sendVulnerabilities (vulnerabilities, rootSpan) {
+  if (vulnerabilities && vulnerabilities.length) {
+    let span = rootSpan
+    if (!span && tracer) {
+      span = tracer.startSpan('vulnerability', {
+        type: 'vulnerability'
+      })
+      vulnerabilities.forEach((vulnerability) => {
+        vulnerability.location.spanId = span.context().toSpanId()
+      })
     }
 
-    deduplicateVulnerabilities(allVulnerabilities).forEach((vulnerability) => {
-      if (isValidVulnerability(vulnerability)) {
-        const sourcesIndexes = []
-        const vulnerabilitySources = extractSourcesFromVulnerability(vulnerability)
-        vulnerabilitySources.forEach((source) => {
-          let sourceIndex = jsonToSend.sources.findIndex(
-            existingSource =>
-              existingSource.origin === source.origin &&
-              existingSource.name === source.name &&
-              existingSource.value === source.value
-          )
-          if (sourceIndex === -1) {
-            sourceIndex = jsonToSend.sources.length
-            jsonToSend.sources.push(source)
-          }
-          sourcesIndexes.push(sourceIndex)
-        })
-        jsonToSend.vulnerabilities.push(jsonVulnerabilityFromVulnerability(vulnerability, sourcesIndexes))
+    if (span && span.addTags) {
+      const jsonToSend = {
+        sources: [],
+        vulnerabilities: []
+      }
+
+      deduplicateVulnerabilities(vulnerabilities).forEach((vulnerability) => {
+        if (isValidVulnerability(vulnerability)) {
+          const sourcesIndexes = []
+          const vulnerabilitySources = extractSourcesFromVulnerability(vulnerability)
+          vulnerabilitySources.forEach((source) => {
+            let sourceIndex = jsonToSend.sources.findIndex(
+              existingSource =>
+                existingSource.origin === source.origin &&
+                existingSource.name === source.name &&
+                existingSource.value === source.value
+            )
+            if (sourceIndex === -1) {
+              sourceIndex = jsonToSend.sources.length
+              jsonToSend.sources.push(source)
+            }
+            sourcesIndexes.push(sourceIndex)
+          })
+          jsonToSend.vulnerabilities.push(jsonVulnerabilityFromVulnerability(vulnerability, sourcesIndexes))
+        }
+      })
+
+      if (jsonToSend.vulnerabilities.length > 0) {
+        const tags = {}
+        // TODO: Store this outside of the span and set the tag in the exporter.
+        tags[IAST_JSON_TAG_KEY] = JSON.stringify(jsonToSend)
+        tags[MANUAL_KEEP] = 'true'
+        span.addTags(tags)
+        if (!rootSpan) span.finish()
       }
-    })
-
-    if (jsonToSend.vulnerabilities.length > 0) {
-      const tags = {}
-      // TODO: Store this outside of the span and set the tag in the exporter.
-      tags[IAST_JSON_TAG_KEY] = JSON.stringify(jsonToSend)
-      tags[MANUAL_KEEP] = 'true'
-      span.addTags(tags)
     }
   }
   return IAST_JSON_TAG_KEY
@@ -159,9 +176,14 @@ function deduplicateVulnerabilities (vulnerabilities) {
   return deduplicated
 }
 
+function setTracer (_tracer) {
+  tracer = _tracer
+}
+
 module.exports = {
   createVulnerability,
   addVulnerability,
   sendVulnerabilities,
-  clearCache
+  clearCache,
+  setTracer
 }