npm - dd-trace - Versions diffs - 3.21.0 → 3.22.1 - Mend

dd-trace 3.21.0 → 3.22.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (92) hide show

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js CHANGED Viewed

@@ -11,38 +11,6 @@ let tracer
 let resetVulnerabilityCacheTimer
 let deduplicationEnabled = true
-function createVulnerability (type, evidence, spanId, location) {
-  if (type && evidence) {
-    const _spanId = spanId || 0
-    return {
-      type,
-      evidence,
-      location: {
-        spanId: _spanId,
-        ...location
-      },
-      hash: createHash(type, location)
-    }
-  }
-  return null
-}
-function createHash (type, location) {
-  let hashSource
-  if (location) {
-    hashSource = `${type}:${location.path}:${location.line}`
-  } else {
-    hashSource = type
-  }
-  let hash = 0
-  let offset = 0
-  const size = hashSource.length
-  for (let i = 0; i < size; i++) {
-    hash = ((hash << 5) - hash) + hashSource.charCodeAt(offset++)
-  }
-  return hash
-}
 function addVulnerability (iastContext, vulnerability) {
   if (vulnerability && vulnerability.evidence && vulnerability.type &&
     vulnerability.location) {
@@ -133,7 +101,6 @@ function stop () {
 }
 module.exports = {
-  createVulnerability,
   addVulnerability,
   sendVulnerabilities,
   clearCache,

package/packages/dd-trace/src/appsec/recommended.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.7.0"
+    "rules_version": "1.7.1"
   },
   "rules": [
     {
@@ -4390,7 +4390,7 @@
       "id": "dog-913-001",
       "name": "BurpCollaborator OOB domain",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "BurpCollaborator",
         "confidence": "1"
@@ -4604,7 +4604,7 @@
       "id": "dog-913-007",
       "name": "Interact.sh OOB domain",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "interact.sh",
         "confidence": "1"
@@ -5689,7 +5689,7 @@
       "id": "ua0-600-0xx",
       "name": "Joomla exploitation tool",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Joomla exploitation tool",
         "confidence": "1"
@@ -5716,7 +5716,7 @@
       "id": "ua0-600-10x",
       "name": "Nessus",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Nessus",
         "confidence": "1"
@@ -5743,7 +5743,7 @@
       "id": "ua0-600-12x",
       "name": "Arachni",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Arachni",
         "confidence": "1"
@@ -5770,7 +5770,7 @@
       "id": "ua0-600-13x",
       "name": "Jorgee",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Jorgee",
         "confidence": "1"
@@ -5824,7 +5824,7 @@
       "id": "ua0-600-15x",
       "name": "Metis",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Metis",
         "confidence": "1"
@@ -5851,7 +5851,7 @@
       "id": "ua0-600-16x",
       "name": "SQL power injector",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "SQLPowerInjector",
         "confidence": "1"
@@ -5878,7 +5878,7 @@
       "id": "ua0-600-18x",
       "name": "N-Stealth",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "N-Stealth",
         "confidence": "1"
@@ -5905,7 +5905,7 @@
       "id": "ua0-600-19x",
       "name": "Brutus",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Brutus",
         "confidence": "1"
@@ -5934,7 +5934,6 @@
       "tags": {
         "type": "security_scanner",
         "category": "attack_attempt",
-        "tool_name": "Shellshock",
         "confidence": "1"
       },
       "conditions": [
@@ -5986,7 +5985,7 @@
       "id": "ua0-600-22x",
       "name": "JAASCois",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "JAASCois",
         "confidence": "1"
@@ -6013,7 +6012,7 @@
       "id": "ua0-600-26x",
       "name": "Nsauditor",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Nsauditor",
         "confidence": "1"
@@ -6040,7 +6039,7 @@
       "id": "ua0-600-27x",
       "name": "Paros",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Paros",
         "confidence": "1"
@@ -6067,7 +6066,7 @@
       "id": "ua0-600-28x",
       "name": "DirBuster",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "DirBuster",
         "confidence": "1"
@@ -6094,7 +6093,7 @@
       "id": "ua0-600-29x",
       "name": "Pangolin",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Pangolin",
         "confidence": "1"
@@ -6148,7 +6147,7 @@
       "id": "ua0-600-30x",
       "name": "SQLNinja",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "SQLNinja",
         "confidence": "1"
@@ -6175,7 +6174,7 @@
       "id": "ua0-600-31x",
       "name": "Nikto",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Nikto",
         "confidence": "1"
@@ -6202,7 +6201,7 @@
       "id": "ua0-600-33x",
       "name": "BlackWidow",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "BlackWidow",
         "confidence": "1"
@@ -6229,7 +6228,7 @@
       "id": "ua0-600-34x",
       "name": "Grendel-Scan",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Grendel-Scan",
         "confidence": "1"
@@ -6256,7 +6255,7 @@
       "id": "ua0-600-35x",
       "name": "Havij",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Havij",
         "confidence": "1"
@@ -6283,7 +6282,7 @@
       "id": "ua0-600-36x",
       "name": "w3af",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "w3af",
         "confidence": "1"
@@ -6310,7 +6309,7 @@
       "id": "ua0-600-37x",
       "name": "Nmap",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Nmap",
         "confidence": "1"
@@ -6337,7 +6336,7 @@
       "id": "ua0-600-39x",
       "name": "Nessus Scripted",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Nessus",
         "confidence": "1"
@@ -6364,7 +6363,7 @@
       "id": "ua0-600-3xx",
       "name": "Evil Scanner",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "EvilScanner",
         "confidence": "1"
@@ -6391,7 +6390,7 @@
       "id": "ua0-600-40x",
       "name": "WebFuck",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "WebFuck",
         "confidence": "1"
@@ -6418,7 +6417,7 @@
       "id": "ua0-600-42x",
       "name": "OpenVAS",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "OpenVAS",
         "confidence": "1"
@@ -6445,7 +6444,7 @@
       "id": "ua0-600-43x",
       "name": "Spider-Pig",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Spider-Pig",
         "confidence": "1"
@@ -6472,7 +6471,7 @@
       "id": "ua0-600-44x",
       "name": "Zgrab",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Zgrab",
         "confidence": "1"
@@ -6499,7 +6498,7 @@
       "id": "ua0-600-45x",
       "name": "Zmeu",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Zmeu",
         "confidence": "1"
@@ -6553,7 +6552,7 @@
       "id": "ua0-600-48x",
       "name": "Commix",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Commix",
         "confidence": "1"
@@ -6580,7 +6579,7 @@
       "id": "ua0-600-49x",
       "name": "Gobuster",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Gobuster",
         "confidence": "1"
@@ -6607,7 +6606,7 @@
       "id": "ua0-600-4xx",
       "name": "CGIchk",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "CGIchk",
         "confidence": "1"
@@ -6634,7 +6633,7 @@
       "id": "ua0-600-51x",
       "name": "FFUF",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "FFUF",
         "confidence": "1"
@@ -6661,7 +6660,7 @@
       "id": "ua0-600-52x",
       "name": "Nuclei",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Nuclei",
         "confidence": "1"
@@ -6688,7 +6687,7 @@
       "id": "ua0-600-53x",
       "name": "Tsunami",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Tsunami",
         "confidence": "1"
@@ -6715,7 +6714,7 @@
       "id": "ua0-600-54x",
       "name": "Nimbostratus",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Nimbostratus",
         "confidence": "1"
@@ -6775,7 +6774,7 @@
       "id": "ua0-600-56x",
       "name": "Datadog test scanner - blocking version: user-agent",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Datadog Canary Test",
         "confidence": "1"
@@ -6838,7 +6837,7 @@
       "id": "ua0-600-58x",
       "name": "wfuzz",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "wfuzz",
         "confidence": "1"
@@ -6892,7 +6891,7 @@
       "id": "ua0-600-5xx",
       "name": "Blind SQL Injection Brute Forcer",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "BSQLBF",
         "confidence": "1"
@@ -6919,7 +6918,7 @@
       "id": "ua0-600-60x",
       "name": "masscan",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "masscan",
         "confidence": "1"
@@ -6946,7 +6945,7 @@
       "id": "ua0-600-61x",
       "name": "WPScan",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "WPScan",
         "confidence": "1"
@@ -7026,7 +7025,7 @@
       "id": "ua0-600-7xx",
       "name": "SQLmap",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "SQLmap",
         "confidence": "1"
@@ -7053,7 +7052,7 @@
       "id": "ua0-600-9xx",
       "name": "Skipfish",
       "tags": {
-        "type": "security_scanner",
+        "type": "attack_tool",
         "category": "attack_attempt",
         "tool_name": "Skipfish",
         "confidence": "1"
@@ -7077,4 +7076,4 @@
       "transformers": []
     }
   ]
-}
+}

package/packages/dd-trace/src/appsec/remote_config/capabilities.js CHANGED Viewed

@@ -6,5 +6,7 @@ module.exports = {
   ASM_DD_RULES: 1n << 3n,
   ASM_EXCLUSIONS: 1n << 4n,
   ASM_REQUEST_BLOCKING: 1n << 5n,
-  ASM_USER_BLOCKING: 1n << 7n
+  ASM_USER_BLOCKING: 1n << 7n,
+  ASM_CUSTOM_RULES: 1n << 8n,
+  ASM_CUSTOM_BLOCKING_RESPONSE: 1n << 9n
 }

package/packages/dd-trace/src/appsec/remote_config/index.js CHANGED Viewed

@@ -42,6 +42,8 @@ function enableWafUpdate (appsecConfig) {
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_DD_RULES, true)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_EXCLUSIONS, true)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_REQUEST_BLOCKING, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_RULES, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
     rc.on('ASM_DATA', noop)
     rc.on('ASM_DD', noop)
@@ -60,6 +62,8 @@ function disableWafUpdate () {
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_DD_RULES, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_EXCLUSIONS, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_REQUEST_BLOCKING, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_RULES, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, false)
     rc.off('ASM_DATA', noop)
     rc.off('ASM_DD', noop)

package/packages/dd-trace/src/appsec/rule_manager.js CHANGED Viewed

@@ -2,6 +2,7 @@
 const waf = require('./waf')
 const { ACKNOWLEDGED, ERROR } = require('./remote_config/apply_states')
+const blocking = require('./blocking')
 let defaultRules
@@ -9,11 +10,17 @@ let appliedRulesData = new Map()
 let appliedRulesetId
 let appliedRulesOverride = new Map()
 let appliedExclusions = new Map()
+let appliedCustomRules = new Map()
+let appliedActions = new Map()
 function applyRules (rules, config) {
   defaultRules = rules
   waf.init(rules, config)
+  if (rules.actions) {
+    blocking.updateBlockingConfiguration(rules.actions.find(action => action.id === 'block'))
+  }
 }
 function updateWafFromRC ({ toUnapply, toApply, toModify }) {
@@ -24,6 +31,8 @@ function updateWafFromRC ({ toUnapply, toApply, toModify }) {
   let newRulesetId
   const newRulesOverride = new SpyMap(appliedRulesOverride)
   const newExclusions = new SpyMap(appliedExclusions)
+  const newCustomRules = new SpyMap(appliedCustomRules)
+  const newActions = new SpyMap(appliedActions)
   for (const item of toUnapply) {
     const { product, id } = item
@@ -33,11 +42,12 @@ function updateWafFromRC ({ toUnapply, toApply, toModify }) {
     } else if (product === 'ASM_DD') {
       if (appliedRulesetId === id) {
         newRuleset = defaultRules
-        newRulesetId = null
       }
     } else if (product === 'ASM') {
       newRulesOverride.delete(id)
       newExclusions.delete(id)
+      newCustomRules.delete(id)
+      newActions.delete(id)
     }
   }
@@ -51,7 +61,7 @@ function updateWafFromRC ({ toUnapply, toApply, toModify }) {
       batch.add(item)
     } else if (product === 'ASM_DD') {
-      if (appliedRulesetId && appliedRulesetId !== id) {
+      if (appliedRulesetId && appliedRulesetId !== id && newRuleset !== defaultRules) {
         item.apply_state = ERROR
         item.apply_error = 'Multiple ruleset received in ASM_DD'
       } else {
@@ -65,22 +75,41 @@ function updateWafFromRC ({ toUnapply, toApply, toModify }) {
         batch.add(item)
       }
     } else if (product === 'ASM') {
+      let batchConfiguration = false
       if (file && file.rules_override && file.rules_override.length) {
+        batchConfiguration = true
         newRulesOverride.set(id, file.rules_override)
       }
       if (file && file.exclusions && file.exclusions.length) {
+        batchConfiguration = true
         newExclusions.set(id, file.exclusions)
       }
-      batch.add(item)
+      if (file && file.custom_rules && file.custom_rules.length) {
+        batchConfiguration = true
+        newCustomRules.set(id, file.custom_rules)
+      }
+      if (file && file.actions && file.actions.length) {
+        newActions.set(id, file.actions)
+      }
+      // "actions" data is managed by tracer and not by waf
+      if (batchConfiguration) {
+        batch.add(item)
+      }
     }
   }
   let newApplyState = ACKNOWLEDGED
   let newApplyError
-  if (newRulesData.modified || newRuleset || newRulesOverride.modified || newExclusions.modified) {
+  if (newRulesData.modified ||
+    newRuleset ||
+    newRulesOverride.modified ||
+    newExclusions.modified ||
+    newCustomRules.modified) {
     const payload = newRuleset || {}
     if (newRulesData.modified) {
@@ -92,6 +121,9 @@ function updateWafFromRC ({ toUnapply, toApply, toModify }) {
     if (newExclusions.modified) {
       payload.exclusions = concatArrays(newExclusions)
     }
+    if (newCustomRules.modified) {
+      payload.custom_rules = concatArrays(newCustomRules)
+    }
     try {
       waf.update(payload)
@@ -108,6 +140,9 @@ function updateWafFromRC ({ toUnapply, toApply, toModify }) {
       if (newExclusions.modified) {
         appliedExclusions = newExclusions
       }
+      if (newCustomRules.modified) {
+        appliedCustomRules = newCustomRules
+      }
     } catch (err) {
       newApplyState = ERROR
       newApplyError = err.toString()
@@ -118,6 +153,11 @@ function updateWafFromRC ({ toUnapply, toApply, toModify }) {
     config.apply_state = newApplyState
     if (newApplyError) config.apply_error = newApplyError
   }
+  if (newActions.modified) {
+    blocking.updateBlockingConfiguration(concatArrays(newActions).find(action => action.id === 'block'))
+    appliedActions = newActions
+  }
 }
 // A Map with a new prop `modified`, a bool that indicates if the Map was modified
@@ -199,13 +239,16 @@ function copyRulesData (rulesData) {
 function clearAllRules () {
   waf.destroy()
+  blocking.updateBlockingConfiguration(undefined)
-  defaultRules = null
+  defaultRules = undefined
   appliedRulesData.clear()
-  appliedRulesetId = null
+  appliedRulesetId = undefined
   appliedRulesOverride.clear()
   appliedExclusions.clear()
+  appliedCustomRules.clear()
+  appliedActions.clear()
 }
 module.exports = {

package/packages/dd-trace/src/ci-visibility/exporters/agentless/coverage-writer.js CHANGED Viewed

@@ -1,16 +1,11 @@
 'use strict'
 const request = require('../../../exporters/common/request')
 const log = require('../../../log')
+const { safeJSONStringify } = require('../../../exporters/common/util')
 const { CoverageCIVisibilityEncoder } = require('../../../encode/coverage-ci-visibility')
 const BaseWriter = require('../../../exporters/common/writer')
-function safeJSONStringify (value) {
-  return JSON.stringify(value, (key, value) =>
-    key !== 'dd-api-key' ? value : undefined
-  )
-}
 class Writer extends BaseWriter {
   constructor ({ url, evpProxyPrefix = '' }) {
     super(...arguments)
@@ -34,7 +29,7 @@ class Writer extends BaseWriter {
     if (this._evpProxyPrefix) {
       options.path = `${this._evpProxyPrefix}/api/v2/citestcov`
       delete options.headers['dd-api-key']
-      options.headers['X-Datadog-EVP-Subdomain'] = 'event-platform-intake'
+      options.headers['X-Datadog-EVP-Subdomain'] = 'citestcov-intake'
     }
     log.debug(() => `Request to the intake: ${safeJSONStringify(options)}`)

package/packages/dd-trace/src/ci-visibility/exporters/agentless/index.js CHANGED Viewed

@@ -17,7 +17,7 @@ class AgentlessCiVisibilityExporter extends CiVisibilityExporter {
     this._url = url || new URL(`https://citestcycle-intake.${site}`)
     this._writer = new Writer({ url: this._url, tags })
-    this._coverageUrl = url || new URL(`https://event-platform-intake.${site}`)
+    this._coverageUrl = url || new URL(`https://citestcov-intake.${site}`)
     this._coverageWriter = new CoverageWriter({ url: this._coverageUrl })
     this._apiUrl = url || new URL(`https://api.${site}`)

package/packages/dd-trace/src/ci-visibility/exporters/agentless/writer.js CHANGED Viewed

@@ -1,16 +1,11 @@
 'use strict'
 const request = require('../../../exporters/common/request')
+const { safeJSONStringify } = require('../../../exporters/common/util')
 const log = require('../../../log')
 const { AgentlessCiVisibilityEncoder } = require('../../../encode/agentless-ci-visibility')
 const BaseWriter = require('../../../exporters/common/writer')
-function safeJSONStringify (value) {
-  return JSON.stringify(value, (key, value) =>
-    key !== 'dd-api-key' ? value : undefined
-  )
-}
 class Writer extends BaseWriter {
   constructor ({ url, tags, evpProxyPrefix = '' }) {
     super(...arguments)