dd-trace 3.20.0 → 3.21.0

package/index.d.ts

@@ -79,7 +79,8 @@ export declare interface Tracer extends opentracing.Tracer {
    * which case the span will finish at the end of the function execution.
    *
    * If the `orphanable` option is set to false, the function will not be traced
-   * unless there is already an active span or `childOf` option.
+   * unless there is already an active span or `childOf` option. Note that this
+   * option is deprecated and has been removed in version 4.0.
    */
   trace<T> (name: string, fn: (span?: Span, fn?: (error?: Error) => any) => T): T;
   trace<T> (name: string, options: TraceOptions & SpanOptions, fn: (span?: Span, done?: (error?: Error) => string) => T): T;
@@ -443,6 +444,11 @@ export declare interface TracerOptions {
        * Whether to enable vulnerability deduplication
        */
       deduplicationEnabled?: boolean
+      /**
+       * Whether to enable vulnerability redaction
+       * @default true
+       */
+      redactionEnabled?: boolean
     }
   };
 
@@ -491,6 +497,7 @@ export declare interface TracerOptions {
   /**
    * If false, require a parent in order to trace.
    * @default true
+   * @deprecated since version 4.0
    */
   orphanable?: boolean
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "3.20.0",
+  "version": "3.21.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",
@@ -36,6 +36,7 @@
     "test:integration:cucumber": "mocha --colors --timeout 30000 \"integration-tests/cucumber/*.spec.js\"",
     "test:integration:cypress": "mocha --colors --timeout 30000 \"integration-tests/cypress/*.spec.js\"",
     "test:integration:playwright": "mocha --colors --timeout 30000 \"integration-tests/playwright/*.spec.js\"",
+    "test:integration:serverless": "mocha --colors --timeout 30000 \"integration-tests/serverless/*.spec.js\"",
     "test:shimmer": "mocha --colors 'packages/datadog-shimmer/test/**/*.spec.js'",
     "test:shimmer:ci": "nyc --no-clean --include 'packages/datadog-shimmer/src/**/*.js' -- npm run test:shimmer",
     "leak:core": "node ./scripts/install_plugin_modules && (cd packages/memwatch && yarn) && NODE_PATH=./packages/memwatch/node_modules node --no-warnings ./node_modules/.bin/tape 'packages/dd-trace/test/leak/**/*.js'",
@@ -67,9 +68,9 @@
   "dependencies": {
     "@datadog/native-appsec": "^3.1.0",
     "@datadog/native-iast-rewriter": "2.0.1",
-    "@datadog/native-iast-taint-tracking": "^1.4.0",
-    "@datadog/native-metrics": "^1.6.0",
-    "@datadog/pprof": "^2.2.0",
+    "@datadog/native-iast-taint-tracking": "^1.4.1",
+    "@datadog/native-metrics": "^2.0.0",
+    "@datadog/pprof": "^2.2.1",
     "@datadog/sketches-js": "^2.1.0",
     "crypto-randomuuid": "^1.0.0",
     "diagnostics_channel": "^1.1.0",

package/packages/datadog-instrumentations/src/grpc/client.js

@@ -4,6 +4,8 @@ const types = require('./types')
 const { addHook, channel, AsyncResource } = require('../helpers/instrument')
 const shimmer = require('../../../datadog-shimmer')
 
+const nodeMajor = parseInt(process.versions.node.split('.')[0])
+
 const patched = new WeakSet()
 const instances = new WeakMap()
 
@@ -232,13 +234,15 @@ function patch (grpc) {
   return grpc
 }
 
-addHook({ name: 'grpc', versions: ['>=1.24.3'] }, patch)
+if (nodeMajor <= 14) {
+  addHook({ name: 'grpc', versions: ['>=1.24.3'] }, patch)
 
-addHook({ name: 'grpc', versions: ['>=1.24.3'], file: 'src/client.js' }, client => {
-  shimmer.wrap(client, 'makeClientConstructor', createWrapMakeClientConstructor())
+  addHook({ name: 'grpc', versions: ['>=1.24.3'], file: 'src/client.js' }, client => {
+    shimmer.wrap(client, 'makeClientConstructor', createWrapMakeClientConstructor())
 
-  return client
-})
+    return client
+  })
+}
 
 addHook({ name: '@grpc/grpc-js', versions: ['>=1.0.3'] }, patch)
 

package/packages/datadog-instrumentations/src/grpc/server.js

@@ -4,6 +4,8 @@ const types = require('./types')
 const { channel, addHook, AsyncResource } = require('../helpers/instrument')
 const shimmer = require('../../../datadog-shimmer')
 
+const nodeMajor = parseInt(process.versions.node.split('.')[0])
+
 const startChannel = channel('apm:grpc:server:request:start')
 const errorChannel = channel('apm:grpc:server:request:error')
 const updateChannel = channel('apm:grpc:server:request:update')
@@ -139,11 +141,13 @@ function isEmitter (obj) {
   return typeof obj.emit === 'function' && typeof obj.once === 'function'
 }
 
-addHook({ name: 'grpc', versions: ['>=1.24.3'], file: 'src/server.js' }, server => {
-  shimmer.wrap(server.Server.prototype, 'register', wrapRegister)
+if (nodeMajor <= 14) {
+  addHook({ name: 'grpc', versions: ['>=1.24.3'], file: 'src/server.js' }, server => {
+    shimmer.wrap(server.Server.prototype, 'register', wrapRegister)
 
-  return server
-})
+    return server
+  })
+}
 
 addHook({ name: '@grpc/grpc-js', versions: ['>=1.0.3'], file: 'build/src/server.js' }, server => {
   shimmer.wrap(server.Server.prototype, 'register', wrapRegister)

package/packages/datadog-instrumentations/src/helpers/register.js

@@ -22,6 +22,10 @@ for (const packageName of names) {
 
     hooks[packageName]()
 
+    if (!instrumentations[packageName]) {
+      return moduleExports
+    }
+
     for (const { name, file, versions, hook } of instrumentations[packageName]) {
       const fullFilename = filename(name, file)
 

package/packages/datadog-instrumentations/src/jest.js

@@ -1,13 +1,23 @@
 'use strict'
+const semver = require('semver')
+
 const { addHook, channel, AsyncResource } = require('./helpers/instrument')
 const shimmer = require('../../datadog-shimmer')
 const log = require('../../dd-trace/src/log')
+const { version: ddTraceVersion } = require('../../../package.json')
 const {
   getCoveredFilenamesFromCoverage,
   JEST_WORKER_TRACE_PAYLOAD_CODE,
   JEST_WORKER_COVERAGE_PAYLOAD_CODE,
-  getTestLineStart
+  getTestLineStart,
+  getTestSuitePath,
+  getTestParametersString
 } = require('../../dd-trace/src/plugins/util/test')
+const {
+  getFormattedJestTestParameters,
+  getJestTestName,
+  getJestSuitesToRun
+} = require('../../datadog-plugin-jest/src/util')
 
 const testSessionStartCh = channel('ci:jest:session:start')
 const testSessionFinishCh = channel('ci:jest:session:finish')
@@ -34,13 +44,6 @@ let skippableSuites = []
 let isCodeCoverageEnabled = false
 let isSuitesSkippingEnabled = false
 
-const {
-  getTestSuitePath,
-  getTestParametersString
-} = require('../../dd-trace/src/plugins/util/test')
-
-const { getFormattedJestTestParameters, getJestTestName } = require('../../datadog-plugin-jest/src/util')
-
 const sessionAsyncResource = new AsyncResource('bound-anonymous-fn')
 
 const specStatusToTestStatus = {
@@ -426,10 +429,7 @@ addHook({
     const testPaths = await getTestPaths.apply(this, arguments)
     const { tests } = testPaths
 
-    const filteredTests = tests.filter(({ path: testPath }) => {
-      const relativePath = testPath.replace(`${rootDir}/`, '')
-      return !skippableSuites.includes(relativePath)
-    })
+    const filteredTests = getJestSuitesToRun(skippableSuites, tests, rootDir)
 
     skippableSuites = []
 
@@ -451,6 +451,7 @@ addHook({
 }, jestConfigSyncWrapper)
 
 function jasmineAsyncInstallWraper (jasmineAsyncInstallExport, jestVersion) {
+  log.warn('jest-jasmine2 support is removed from dd-trace@v4. Consider changing to jest-circus as `testRunner`.')
   return function (globalConfig, globalInput) {
     globalInput._ddtrace = global._ddtrace
     shimmer.wrap(globalInput.jasmine.Spec.prototype, 'execute', execute => function (onComplete) {
@@ -480,11 +481,13 @@ function jasmineAsyncInstallWraper (jasmineAsyncInstallExport, jestVersion) {
   }
 }
 
-addHook({
-  name: 'jest-jasmine2',
-  versions: ['>=24.8.0'],
-  file: 'build/jasmineAsyncInstall.js'
-}, jasmineAsyncInstallWraper)
+if (semver.lt(ddTraceVersion, '4.0.0')) {
+  addHook({
+    name: 'jest-jasmine2',
+    versions: ['>=24.8.0'],
+    file: 'build/jasmineAsyncInstall.js'
+  }, jasmineAsyncInstallWraper)
+}
 
 addHook({
   name: 'jest-worker',

package/packages/datadog-instrumentations/src/next.js

@@ -4,6 +4,7 @@
 
 const { channel, addHook, AsyncResource } = require('./helpers/instrument')
 const shimmer = require('../../datadog-shimmer')
+const { MAJOR } = require('../../../version')
 
 const startChannel = channel('apm:next:request:start')
 const finishChannel = channel('apm:next:request:finish')
@@ -168,7 +169,11 @@ addHook({ name: 'next', versions: ['>=11.1 <13.2'], file: 'dist/server/next-serv
   return nextServer
 })
 
-addHook({ name: 'next', versions: ['>=9.5 <11.1'], file: 'dist/next-server/server/next-server.js' }, nextServer => {
+addHook({
+  name: 'next',
+  versions: MAJOR >= 4 ? ['>=10.2 <11.1'] : ['>=9.5 <11.1'],
+  file: 'dist/next-server/server/next-server.js'
+}, nextServer => {
   const Server = nextServer.default
 
   shimmer.wrap(Server.prototype, 'handleRequest', wrapHandleRequest)

package/packages/datadog-plugin-aws-sdk/src/base.js

@@ -38,6 +38,8 @@ class BaseAwsSdkPlugin extends Plugin {
         'service.name': serviceName,
         'aws.operation': operation,
         'aws.region': awsRegion,
+        'region': awsRegion,
+        'aws_service': awsService,
         'aws.service': awsService,
         'component': 'aws-sdk'
       }
@@ -60,6 +62,7 @@ class BaseAwsSdkPlugin extends Plugin {
       const { span } = store
       if (!span) return
       span.setTag('aws.region', region)
+      span.setTag('region', region)
     })
 
     this.addSub(`apm:aws:request:complete:${this.serviceIdentifier}`, ({ response }) => {

package/packages/datadog-plugin-aws-sdk/src/services/cloudwatchlogs.js

@@ -12,7 +12,8 @@ class CloudwatchLogs extends BaseAwsSdkPlugin {
 
     return Object.assign(tags, {
       'resource.name': `${operation} ${params.logGroupName}`,
-      'aws.cloudwatch.logs.log_group_name': params.logGroupName
+      'aws.cloudwatch.logs.log_group_name': params.logGroupName,
+      'loggroupname': params.logGroupName
     })
   }
 }

package/packages/datadog-plugin-aws-sdk/src/services/dynamodb.js

@@ -12,7 +12,8 @@ class DynamoDb extends BaseAwsSdkPlugin {
       if (params.TableName) {
         Object.assign(tags, {
           'resource.name': `${operation} ${params.TableName}`,
-          'aws.dynamodb.table_name': params.TableName
+          'aws.dynamodb.table_name': params.TableName,
+          'tablename': params.TableName
         })
       }
 
@@ -27,7 +28,8 @@ class DynamoDb extends BaseAwsSdkPlugin {
             // also add span type to match serverless convention
             Object.assign(tags, {
               'resource.name': `${operation} ${tableName}`,
-              'aws.dynamodb.table_name': tableName
+              'aws.dynamodb.table_name': tableName,
+              'tablename': tableName
             })
           }
         }

package/packages/datadog-plugin-aws-sdk/src/services/eventbridge.js

@@ -7,10 +7,11 @@ class EventBridge extends BaseAwsSdkPlugin {
 
   generateTags (params, operation, response) {
     if (!params || !params.source) return {}
-
+    const rulename = params.Name ? params.Name : ''
     return {
-      'resource.name': `${operation} ${params.source}`,
-      'aws.eventbridge.source': params.source
+      'resource.name': operation ? `${operation} ${params.source}` : params.source,
+      'aws.eventbridge.source': `${params.source}`,
+      'rulename': `${rulename}`
     }
   }
 

package/packages/datadog-plugin-aws-sdk/src/services/kinesis.js

@@ -9,7 +9,8 @@ class Kinesis extends BaseAwsSdkPlugin {
 
     return {
       'resource.name': `${operation} ${params.StreamName}`,
-      'aws.kinesis.stream_name': params.StreamName
+      'aws.kinesis.stream_name': params.StreamName,
+      'streamname': params.StreamName
     }
   }
 

package/packages/datadog-plugin-aws-sdk/src/services/lambda.js

@@ -13,6 +13,7 @@ class Lambda extends BaseAwsSdkPlugin {
 
     return Object.assign(tags, {
       'resource.name': `${operation} ${params.FunctionName}`,
+      'functionname': params.FunctionName,
       'aws.lambda': params.FunctionName
     })
   }

package/packages/datadog-plugin-aws-sdk/src/services/redshift.js

@@ -12,7 +12,8 @@ class Redshift extends BaseAwsSdkPlugin {
 
     return Object.assign(tags, {
       'resource.name': `${operation} ${params.ClusterIdentifier}`,
-      'aws.redshift.cluster_identifier': params.ClusterIdentifier
+      'aws.redshift.cluster_identifier': params.ClusterIdentifier,
+      'clusteridentifier': params.ClusterIdentifier
     })
   }
 }

package/packages/datadog-plugin-aws-sdk/src/services/s3.js

@@ -12,7 +12,8 @@ class S3 extends BaseAwsSdkPlugin {
 
     return Object.assign(tags, {
       'resource.name': `${operation} ${params.Bucket}`,
-      'aws.s3.bucket_name': params.Bucket
+      'aws.s3.bucket_name': params.Bucket,
+      'bucketname': params.Bucket
     })
   }
 }

package/packages/datadog-plugin-aws-sdk/src/services/sns.js

@@ -9,10 +9,17 @@ class Sns extends BaseAwsSdkPlugin {
     if (!params) return {}
 
     if (!params.TopicArn && !(response.data && response.data.TopicArn)) return {}
+    const TopicArn = params.TopicArn || response.data.TopicArn
+    // Split the ARN into its parts
+    // ex.'arn:aws:sns:us-east-1:123456789012:my-topic'
+    const arnParts = TopicArn.split(':')
 
+    // Get the topic name from the last part of the ARN
+    const topicName = arnParts[arnParts.length - 1]
     return {
       'resource.name': `${operation} ${params.TopicArn || response.data.TopicArn}`,
-      'aws.sns.topic_arn': params.TopicArn || response.data.TopicArn
+      'aws.sns.topic_arn': TopicArn,
+      'topicname': topicName
     }
 
     // TODO: should arn be sanitized or quantized in some way here,

package/packages/datadog-plugin-aws-sdk/src/services/sqs.js

@@ -59,10 +59,16 @@ class Sqs extends BaseAwsSdkPlugin {
     const tags = {}
 
     if (!params || (!params.QueueName && !params.QueueUrl)) return tags
+    // 'https://sqs.us-east-1.amazonaws.com/123456789012/my-queue';
+    let queueName = params.QueueName
+    if (params.QueueUrl) {
+      queueName = params.QueueUrl.split('/')[params.QueueUrl.split('/').length - 1]
+    }
 
     Object.assign(tags, {
       'resource.name': `${operation} ${params.QueueName || params.QueueUrl}`,
-      'aws.sqs.queue_name': params.QueueName || params.QueueUrl
+      'aws.sqs.queue_name': params.QueueName || params.QueueUrl,
+      'queuename': queueName
     })
 
     switch (operation) {

package/packages/datadog-plugin-http/src/client.js

@@ -45,7 +45,8 @@ class HttpClientPlugin extends Plugin {
           'resource.name': method,
           'span.type': 'http',
           'http.method': method,
-          'http.url': uri
+          'http.url': uri,
+          'out.host': hostname
         }
       })
 

package/packages/datadog-plugin-http2/src/client.js

@@ -52,7 +52,8 @@ class Http2ClientPlugin extends Plugin {
           'resource.name': method,
           'span.type': 'http',
           'http.method': method,
-          'http.url': uri
+          'http.url': uri,
+          'out.host': sessionDetails.host
         }
       })
 

package/packages/datadog-plugin-jest/src/util.js

@@ -1,3 +1,5 @@
+const { getTestSuitePath } = require('../../dd-trace/src/plugins/util/test')
+
 /**
  * There are two ways to call `test.each` in `jest`:
  * 1. With an array of arrays: https://jestjs.io/docs/api#1-testeachtablename-fn-timeout
@@ -45,4 +47,11 @@ function getJestTestName (test) {
   return titles.join(' ')
 }
 
-module.exports = { getFormattedJestTestParameters, getJestTestName }
+function getJestSuitesToRun (skippableSuites, originalTests, rootDir) {
+  return originalTests.filter(({ path: testPath }) => {
+    const relativePath = getTestSuitePath(testPath, rootDir)
+    return !skippableSuites.includes(relativePath)
+  })
+}
+
+module.exports = { getFormattedJestTestParameters, getJestTestName, getJestSuitesToRun }

package/packages/dd-trace/src/appsec/iast/analyzers/command-injection-analyzer.js

@@ -1,9 +1,10 @@
 'use strict'
 const InjectionAnalyzer = require('./injection-analyzer')
+const { COMMAND_INJECTION } = require('../vulnerabilities')
 
 class CommandInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
-    super('COMMAND_INJECTION')
+    super(COMMAND_INJECTION)
     this.addSub('datadog:child_process:execution:start', ({ command }) => this.analyze(command))
   }
 }

package/packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js

@@ -1,9 +1,10 @@
 'use strict'
 const InjectionAnalyzer = require('./injection-analyzer')
+const { LDAP_INJECTION } = require('../vulnerabilities')
 
 class LdapInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
-    super('LDAP_INJECTION')
+    super(LDAP_INJECTION)
     this.addSub('datadog:ldapjs:client:search', ({ base, filter }) => this.analyzeAll(base, filter))
   }
 }

package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js

@@ -4,10 +4,11 @@ const path = require('path')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
 const InjectionAnalyzer = require('./injection-analyzer')
+const { PATH_TRAVERSAL } = require('../vulnerabilities')
 
 class PathTraversalAnalyzer extends InjectionAnalyzer {
   constructor () {
-    super('PATH_TRAVERSAL')
+    super(PATH_TRAVERSAL)
     this.addSub('apm:fs:operation:start', obj => {
       const pathArguments = []
       if (obj.dest) {
@@ -40,13 +41,29 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
       this.analyze(pathArguments)
     })
 
-    this.exclusionList = [ path.join('node_modules', 'send') + path.sep ]
+    this.exclusionList = [
+      path.join('node_modules', 'send') + path.sep
+    ]
+
+    this.internalExclusionList = [
+      'node:fs',
+      'node:internal/fs',
+      'node:internal\\fs',
+      'fs.js',
+      'internal/fs',
+      'internal\\fs'
+    ]
   }
 
   _isExcluded (location) {
-    let ret = false
+    let ret = true
     if (location && location.path) {
-      ret = this.exclusionList.some(elem => location.path.includes(elem))
+      // Exclude from reporting those vulnerabilities which location is from an internal fs call
+      if (location.isInternal) {
+        ret = this.internalExclusionList.some(elem => location.path.includes(elem))
+      } else {
+        ret = this.exclusionList.some(elem => location.path.includes(elem))
+      }
     }
     return ret
   }
@@ -59,7 +76,7 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
 
     if (value && value.constructor === Array) {
       for (const val of value) {
-        if (this._isVulnerable(val, iastContext)) {
+        if (this._isVulnerable(val, iastContext) && this._checkOCE(iastContext)) {
           this._report(val, iastContext)
           // no support several evidences in the same vulnerability, just report the 1st one
           break

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -1,12 +1,48 @@
 'use strict'
+
 const InjectionAnalyzer = require('./injection-analyzer')
+const { SQL_INJECTION } = require('../vulnerabilities')
+const { getRanges } = require('../taint-tracking/operations')
+const { storage } = require('../../../../../datadog-core')
+const { getIastContext } = require('../iast-context')
+const { createVulnerability, addVulnerability } = require('../vulnerability-reporter')
 
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
-    super('SQL_INJECTION')
-    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql))
-    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql))
-    this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text))
+    super(SQL_INJECTION)
+    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
+    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
+    this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, 'POSTGRES'))
+  }
+
+  _getEvidence (value, iastContext, dialect) {
+    const ranges = getRanges(iastContext, value)
+    return { value, ranges, dialect }
+  }
+
+  analyze (value, dialect) {
+    const store = storage.getStore()
+    const iastContext = getIastContext(store)
+    if (store && !iastContext) return
+    this._reportIfVulnerable(value, iastContext, dialect)
+  }
+
+  _reportIfVulnerable (value, context, dialect) {
+    if (this._isVulnerable(value, context) && this._checkOCE(context)) {
+      this._report(value, context, dialect)
+      return true
+    }
+    return false
+  }
+
+  _report (value, context, dialect) {
+    const evidence = this._getEvidence(value, context, dialect)
+    const location = this._getLocation()
+    if (!this._isExcluded(location)) {
+      const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
+      const vulnerability = createVulnerability(this._type, evidence, spanId, location)
+      addVulnerability(context, vulnerability)
+    }
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/weak-cipher-analyzer.js

@@ -1,5 +1,6 @@
 'use strict'
 const Analyzer = require('./vulnerability-analyzer')
+const { WEAK_CIPHER } = require('../vulnerabilities')
 
 const INSECURE_CIPHERS = new Set([
   'des', 'des-cbc', 'des-cfb', 'des-cfb1', 'des-cfb8', 'des-ecb', 'des-ede', 'des-ede-cbc', 'des-ede-cfb',
@@ -12,7 +13,7 @@ const INSECURE_CIPHERS = new Set([
 
 class WeakCipherAnalyzer extends Analyzer {
   constructor () {
-    super('WEAK_CIPHER')
+    super(WEAK_CIPHER)
     this.addSub('datadog:crypto:cipher:start', ({ algorithm }) => this.analyze(algorithm))
   }
 

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js

@@ -1,5 +1,6 @@
 'use strict'
 const Analyzer = require('./vulnerability-analyzer')
+const { WEAK_HASH } = require('../vulnerabilities')
 
 const INSECURE_HASH_ALGORITHMS = new Set([
   'md4', 'md4WithRSAEncryption', 'RSA-MD4',
@@ -9,7 +10,7 @@ const INSECURE_HASH_ALGORITHMS = new Set([
 
 class WeakHashAnalyzer extends Analyzer {
   constructor () {
-    super('WEAK_HASH')
+    super(WEAK_HASH)
     this.addSub('datadog:crypto:hashing:start', ({ algorithm }) => this.analyze(algorithm))
   }
 

package/packages/dd-trace/src/appsec/iast/index.js

@@ -51,7 +51,7 @@ function onIncomingHttpRequestStart (data) {
         }
         if (rootSpan.addTags) {
           rootSpan.addTags({
-            [IAST_ENABLED_TAG_KEY]: isRequestAcquired ? '1' : '0'
+            [IAST_ENABLED_TAG_KEY]: isRequestAcquired ? 1 : 0
           })
         }
       }

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -45,7 +45,8 @@ function getFirstNonDDPathAndLineFromCallsites (callsites) {
       if (!isExcluded(callsite) && filepath.indexOf(pathLine.ddBasePath) === -1) {
         return {
           path: path.relative(process.cwd(), filepath),
-          line: callsite.getLineNumber()
+          line: callsite.getLineNumber(),
+          isInternal: !path.isAbsolute(filepath)
         }
       }
     }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/range-utils.js

@@ -0,0 +1,37 @@
+'use strict'
+
+function contains (rangeContainer, rangeContained) {
+  if (rangeContainer.start > rangeContained.start) {
+    return false
+  }
+  return rangeContainer.end >= rangeContained.end
+}
+
+function intersects (rangeA, rangeB) {
+  return rangeB.start < rangeA.end && rangeB.end > rangeA.start
+}
+
+function remove (range, rangeToRemove) {
+  if (!intersects(range, rangeToRemove)) {
+    return [range]
+  } else if (contains(rangeToRemove, range)) {
+    return []
+  } else {
+    const result = []
+    if (rangeToRemove.start > range.start) {
+      const offset = rangeToRemove.start - range.start
+      result.push({ start: range.start, end: range.start + offset })
+    }
+    if (rangeToRemove.end < range.end) {
+      const offset = range.end - rangeToRemove.end
+      result.push({ start: rangeToRemove.end, end: rangeToRemove.end + offset })
+    }
+    return result
+  }
+}
+
+module.exports = {
+  contains,
+  intersects,
+  remove
+}