dd-trace 3.22.1 → 3.24.0

package/packages/datadog-plugin-cypress/src/plugin.js

@@ -133,6 +133,8 @@ module.exports = (on, config) => {
     'git.branch': branch
   } = testEnvironmentMetadata
 
+  const finishedTestsByFile = {}
+
   const testConfiguration = {
     repositoryUrl,
     sha,
@@ -158,6 +160,44 @@ module.exports = (on, config) => {
   let isCodeCoverageEnabled = false
   let testsToSkip = []
 
+  function getTestSpan (testName, testSuite) {
+    const testSuiteTags = {
+      [TEST_COMMAND]: command,
+      [TEST_COMMAND]: command,
+      [TEST_MODULE]: TEST_FRAMEWORK_NAME
+    }
+    if (testSuiteSpan) {
+      testSuiteTags[TEST_SUITE_ID] = testSuiteSpan.context().toSpanId()
+    }
+    if (testSessionSpan && testModuleSpan) {
+      testSuiteTags[TEST_SESSION_ID] = testSessionSpan.context().toTraceId()
+      testSuiteTags[TEST_MODULE_ID] = testModuleSpan.context().toSpanId()
+    }
+
+    const {
+      childOf,
+      resource,
+      ...testSpanMetadata
+    } = getTestSpanMetadata(tracer, testName, testSuite, config)
+
+    const codeOwners = getCodeOwnersForFilename(testSuite, codeOwnersEntries)
+
+    if (codeOwners) {
+      testSpanMetadata[TEST_CODE_OWNERS] = codeOwners
+    }
+
+    return tracer.startSpan(`${TEST_FRAMEWORK_NAME}.test`, {
+      childOf,
+      tags: {
+        [COMPONENT]: TEST_FRAMEWORK_NAME,
+        [ORIGIN_KEY]: CI_APP_ORIGIN,
+        ...testSpanMetadata,
+        ...testEnvironmentMetadata,
+        ...testSuiteTags
+      }
+    })
+  }
+
   on('before:run', (details) => {
     return getItrConfig(tracer, testConfiguration).then(({ err, itrConfig }) => {
       if (err) {
@@ -203,6 +243,58 @@ module.exports = (on, config) => {
       })
     })
   })
+  on('after:spec', (spec, { tests, stats }) => {
+    const cypressTests = tests || []
+    const finishedTests = finishedTestsByFile[spec.relative] || []
+
+    // Get tests that didn't go through `dd:afterEach` and haven't been skipped by ITR
+    // and create a skipped test span for each of them
+    cypressTests.filter(({ title }) => {
+      const cypressTestName = title.join(' ')
+      const isSkippedByItr = testsToSkip.find(test =>
+        cypressTestName === test.name && spec.relative === test.suite
+      )
+      const isTestFinished = finishedTests.find(({ testName }) => cypressTestName === testName)
+
+      return !isSkippedByItr && !isTestFinished
+    }).forEach(({ title }) => {
+      const skippedTestSpan = getTestSpan(title.join(' '), spec.relative)
+      skippedTestSpan.setTag(TEST_STATUS, 'skip')
+      skippedTestSpan.finish()
+    })
+
+    // Make sure that reported test statuses are the same as Cypress reports.
+    // This is not always the case, such as when an `after` hook fails:
+    // Cypress will report the last run test as failed, but we don't know that yet at `dd:afterEach`
+    let latestError
+    finishedTests.forEach((finishedTest) => {
+      const cypressTest = cypressTests.find(test => test.title.join(' ') === finishedTest.testName)
+      if (!cypressTest) {
+        return
+      }
+      if (cypressTest.displayError) {
+        latestError = new Error(cypressTest.displayError)
+      }
+      const cypressTestStatus = CYPRESS_STATUS_TO_TEST_STATUS[cypressTest.state]
+      // update test status
+      if (cypressTestStatus !== finishedTest.testStatus) {
+        finishedTest.testSpan.setTag(TEST_STATUS, cypressTestStatus)
+        finishedTest.testSpan.setTag('error', latestError)
+      }
+      finishedTest.testSpan.finish(finishedTest.finishTime)
+    })
+
+    if (testSuiteSpan) {
+      const status = getSuiteStatus(stats)
+      testSuiteSpan.setTag(TEST_STATUS, status)
+
+      if (latestError) {
+        testSuiteSpan.setTag('error', latestError)
+      }
+      testSuiteSpan.finish()
+      testSuiteSpan = null
+    }
+  })
 
   on('after:run', (suiteStats) => {
     if (testSessionSpan && testModuleSpan) {
@@ -254,15 +346,6 @@ module.exports = (on, config) => {
       })
       return null
     },
-    'dd:testSuiteFinish': (stats) => {
-      if (testSuiteSpan) {
-        const status = getSuiteStatus(stats)
-        testSuiteSpan.setTag(TEST_STATUS, status)
-        testSuiteSpan.finish()
-        testSuiteSpan = null
-      }
-      return null
-    },
     'dd:beforeEach': (test) => {
       const { testName, testSuite } = test
       // skip test
@@ -272,47 +355,14 @@ module.exports = (on, config) => {
         return { shouldSkip: true }
       }
 
-      const testSuiteTags = {
-        [TEST_COMMAND]: command,
-        [TEST_COMMAND]: command,
-        [TEST_MODULE]: TEST_FRAMEWORK_NAME
-      }
-      if (testSuiteSpan) {
-        testSuiteTags[TEST_SUITE_ID] = testSuiteSpan.context().toSpanId()
-      }
-      if (testSessionSpan && testModuleSpan) {
-        testSuiteTags[TEST_SESSION_ID] = testSessionSpan.context().toTraceId()
-        testSuiteTags[TEST_MODULE_ID] = testModuleSpan.context().toSpanId()
-      }
-
-      const {
-        childOf,
-        resource,
-        ...testSpanMetadata
-      } = getTestSpanMetadata(tracer, testName, testSuite, config)
-
-      const codeOwners = getCodeOwnersForFilename(testSuite, codeOwnersEntries)
-
-      if (codeOwners) {
-        testSpanMetadata[TEST_CODE_OWNERS] = codeOwners
-      }
-
       if (!activeSpan) {
-        activeSpan = tracer.startSpan(`${TEST_FRAMEWORK_NAME}.test`, {
-          childOf,
-          tags: {
-            [COMPONENT]: TEST_FRAMEWORK_NAME,
-            [ORIGIN_KEY]: CI_APP_ORIGIN,
-            ...testSpanMetadata,
-            ...testEnvironmentMetadata,
-            ...testSuiteTags
-          }
-        })
+        activeSpan = getTestSpan(testName, testSuite)
       }
+
       return activeSpan ? { traceId: activeSpan.context().toTraceId() } : {}
     },
     'dd:afterEach': ({ test, coverage }) => {
-      const { state, error, isRUMActive, testSourceLine } = test
+      const { state, error, isRUMActive, testSourceLine, testSuite, testName } = test
       if (activeSpan) {
         if (coverage && tracer._tracer._exporter.exportCoverage && isCodeCoverageEnabled) {
           const coverageFiles = getCoveredFilenamesFromCoverage(coverage)
@@ -326,8 +376,9 @@ module.exports = (on, config) => {
           }
           tracer._tracer._exporter.exportCoverage(formattedCoverage)
         }
+        const testStatus = CYPRESS_STATUS_TO_TEST_STATUS[state]
+        activeSpan.setTag(TEST_STATUS, testStatus)
 
-        activeSpan.setTag(TEST_STATUS, CYPRESS_STATUS_TO_TEST_STATUS[state])
         if (error) {
           activeSpan.setTag('error', error)
         }
@@ -337,7 +388,18 @@ module.exports = (on, config) => {
         if (testSourceLine) {
           activeSpan.setTag(TEST_SOURCE_START, testSourceLine)
         }
-        activeSpan.finish()
+        const finishedTest = {
+          testName,
+          testStatus,
+          finishTime: activeSpan._getTime(), // we store the finish time here
+          testSpan: activeSpan
+        }
+        if (finishedTestsByFile[testSuite]) {
+          finishedTestsByFile[testSuite].push(finishedTest)
+        } else {
+          finishedTestsByFile[testSuite] = [finishedTest]
+        }
+        // test spans are finished at after:spec
       }
       activeSpan = null
       return null

package/packages/datadog-plugin-cypress/src/support.js

@@ -16,9 +16,10 @@ before(() => {
 })
 
 after(() => {
-  cy.task('dd:testSuiteFinish', Cypress.mocha.getRunner().stats)
   cy.window().then(win => {
-    win.dispatchEvent(new Event('beforeunload'))
+    if (win.DD_RUM) {
+      win.dispatchEvent(new Event('beforeunload'))
+    }
   })
 })
 

package/packages/datadog-plugin-fetch/src/index.js

@@ -0,0 +1,36 @@
+'use strict'
+
+const HttpClientPlugin = require('../../datadog-plugin-http/src/client')
+const { HTTP_HEADERS } = require('../../../ext/formats')
+
+class FetchPlugin extends HttpClientPlugin {
+  static get id () { return 'fetch' }
+
+  addTraceSub (eventName, handler) {
+    this.addSub(`apm:${this.constructor.id}:${this.operation}:${eventName}`, handler)
+  }
+
+  start (message) {
+    const req = message.req
+    const options = new URL(req.url)
+    const headers = options.headers = Object.fromEntries(req.headers.entries())
+
+    const args = { options }
+
+    super.start({ args })
+
+    message.req = new globalThis.Request(req, { headers })
+  }
+
+  _inject (span, headers) {
+    const carrier = {}
+
+    this.tracer.inject(span, HTTP_HEADERS, carrier)
+
+    for (const name in carrier) {
+      headers.append(name, carrier[name])
+    }
+  }
+}
+
+module.exports = FetchPlugin

package/packages/datadog-plugin-http/src/client.js

@@ -24,15 +24,17 @@ class HttpClientPlugin extends ClientPlugin {
     this.addSub(`apm:${this.constructor.id}:client:${this.operation}:${eventName}`, handler)
   }
 
-  start ({ args, http }) {
+  start ({ args, http = {} }) {
     const store = storage.getStore()
     const options = args.options
-    const agent = options.agent || options._defaultAgent || http.globalAgent
+    const agent = options.agent || options._defaultAgent || http.globalAgent || {}
     const protocol = options.protocol || agent.protocol || 'http:'
     const hostname = options.hostname || options.host || 'localhost'
     const host = options.port ? `${hostname}:${options.port}` : hostname
-    const path = options.path ? options.path.split(/[?#]/)[0] : '/'
+    const pathname = options.path || options.pathname
+    const path = pathname ? pathname.split(/[?#]/)[0] : '/'
     const uri = `${protocol}//${host}${path}`
+
     const allowed = this.config.filter(uri)
 
     const method = (options.method || 'GET').toUpperCase()
@@ -71,9 +73,11 @@ class HttpClientPlugin extends ClientPlugin {
   finish ({ req, res }) {
     const span = storage.getStore().span
     if (res) {
-      span.setTag(HTTP_STATUS_CODE, res.statusCode)
+      const status = res.status || res.statusCode
+
+      span.setTag(HTTP_STATUS_CODE, status)
 
-      if (!this.config.validateStatus(res.statusCode)) {
+      if (!this.config.validateStatus(status)) {
         span.setTag('error', 1)
       }
 
@@ -106,8 +110,14 @@ class HttpClientPlugin extends ClientPlugin {
 }
 
 function addResponseHeaders (res, span, config) {
+  if (!res.headers) return
+
+  const headers = typeof res.headers.entries === 'function'
+    ? Object.fromEntries(res.headers.entries())
+    : res.headers
+
   config.headers.forEach(key => {
-    const value = res.headers[key]
+    const value = headers[key]
 
     if (value) {
       span.setTag(`${HTTP_RESPONSE_HEADERS}.${key}`, value)
@@ -116,8 +126,12 @@ function addResponseHeaders (res, span, config) {
 }
 
 function addRequestHeaders (req, span, config) {
+  const headers = req.headers && typeof req.headers.entries === 'function'
+    ? Object.fromEntries(req.headers.entries())
+    : req.headers || req.getHeaders()
+
   config.headers.forEach(key => {
-    const value = req.getHeader(key)
+    const value = headers[key]
 
     if (value) {
       span.setTag(`${HTTP_REQUEST_HEADERS}.${key}`, Array.isArray(value) ? value.toString() : value)
@@ -193,7 +207,9 @@ function hasAmazonSignature (options) {
     }
   }
 
-  return options.path && options.path.toLowerCase().indexOf('x-amz-signature=') !== -1
+  const search = options.search || options.path
+
+  return search && search.toLowerCase().indexOf('x-amz-signature=') !== -1
 }
 
 function getServiceName (tracer, config, options) {

package/packages/datadog-plugin-mysql/src/index.js

@@ -8,9 +8,8 @@ class MySQLPlugin extends DatabasePlugin {
   static get system () { return 'mysql' }
 
   start (payload) {
-    const service = getServiceName(this.config, payload.conf)
-
-    this.startSpan(`${this.system}.query`, {
+    const service = this.serviceName(this.config, payload.conf, this.system)
+    this.startSpan(this.operationName(), {
       service,
       resource: payload.sql,
       type: 'sql',
@@ -27,12 +26,4 @@ class MySQLPlugin extends DatabasePlugin {
   }
 }
 
-function getServiceName (config, dbConfig) {
-  if (typeof config.service === 'function') {
-    return config.service(dbConfig)
-  }
-
-  return config.service
-}
-
 module.exports = MySQLPlugin

package/packages/datadog-plugin-tedious/src/index.js

@@ -9,8 +9,8 @@ class TediousPlugin extends DatabasePlugin {
   static get system () { return 'mssql' }
 
   start ({ queryOrProcedure, connectionConfig }) {
-    this.startSpan('tedious.request', {
-      service: this.config.service,
+    this.startSpan(this.operationName(), {
+      service: this.serviceName(this.config, this.system),
       resource: queryOrProcedure,
       type: 'sql',
       kind: 'client',

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -4,9 +4,12 @@ module.exports = {
   'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
   'INSECURE_COOKIE_ANALYZER': require('./insecure-cookie-analyzer'),
   'LDAP_ANALYZER': require('./ldap-injection-analyzer'),
+  'NO_HTTPONLY_COOKIE_ANALYZER': require('./no-httponly-cookie-analyzer'),
+  'NO_SAMESITE_COOKIE_ANALYZER': require('./no-samesite-cookie-analyzer'),
   'PATH_TRAVERSAL_ANALYZER': require('./path-traversal-analyzer'),
   'SQL_INJECTION_ANALYZER': require('./sql-injection-analyzer'),
   'SSRF': require('./ssrf-analyzer'),
+  'UNVALIDATED_REDIRECT_ANALYZER': require('./unvalidated-redirect-analyzer'),
   'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
   'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -0,0 +1,52 @@
+'use strict'
+
+const Analyzer = require('./vulnerability-analyzer')
+const { getNodeModulesPaths } = require('../path-line')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
+
+class CookieAnalyzer extends Analyzer {
+  constructor (type, propertyToBeSafe) {
+    super(type)
+    this.propertyToBeSafe = propertyToBeSafe.toLowerCase()
+    this.addSub('datadog:iast:set-cookie', (cookieInfo) => this.analyze(cookieInfo))
+  }
+
+  _isVulnerable ({ cookieProperties, cookieValue }) {
+    return cookieValue && !(cookieProperties && cookieProperties
+      .map(x => x.toLowerCase().trim()).includes(this.propertyToBeSafe))
+  }
+
+  _getEvidence ({ cookieName }) {
+    return { value: cookieName }
+  }
+
+  _createHashSource (type, evidence, location) {
+    return `${type}:${evidence.value}`
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
+  _checkOCE (context, value) {
+    if (value && value.location) {
+      return true
+    }
+    return super._checkOCE(context, value)
+  }
+
+  _getLocation (value) {
+    if (!value) {
+      return super._getLocation()
+    }
+
+    if (value.location) {
+      return value.location
+    }
+    const location = super._getLocation(value)
+    value.location = location
+    return location
+  }
+}
+
+module.exports = CookieAnalyzer

package/packages/dd-trace/src/appsec/iast/analyzers/insecure-cookie-analyzer.js

@@ -1,30 +1,11 @@
 'use strict'
 
-const Analyzer = require('./vulnerability-analyzer')
 const { INSECURE_COOKIE } = require('../vulnerabilities')
+const CookieAnalyzer = require('./cookie-analyzer')
 
-const EXCLUDED_PATHS = ['node_modules/express/lib/response.js', 'node_modules\\express\\lib\\response.js']
-
-class InsecureCookieAnalyzer extends Analyzer {
+class InsecureCookieAnalyzer extends CookieAnalyzer {
   constructor () {
-    super(INSECURE_COOKIE)
-    this.addSub('datadog:iast:set-cookie', (cookieInfo) => this.analyze(cookieInfo))
-  }
-
-  _isVulnerable ({ cookieProperties, cookieValue }) {
-    return cookieValue && !(cookieProperties && cookieProperties.map(x => x.toLowerCase().trim()).includes('secure'))
-  }
-
-  _getEvidence ({ cookieName }) {
-    return { value: cookieName }
-  }
-
-  _createHashSource (type, evidence, location) {
-    return `${type}:${evidence.value}`
-  }
-
-  _getExcludedPaths () {
-    return EXCLUDED_PATHS
+    super(INSECURE_COOKIE, 'secure')
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/no-httponly-cookie-analyzer.js

@@ -0,0 +1,12 @@
+'use strict'
+
+const { NO_HTTPONLY_COOKIE } = require('../vulnerabilities')
+const CookieAnalyzer = require('./cookie-analyzer')
+
+class NoHttponlyCookieAnalyzer extends CookieAnalyzer {
+  constructor () {
+    super(NO_HTTPONLY_COOKIE, 'HttpOnly')
+  }
+}
+
+module.exports = new NoHttponlyCookieAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/no-samesite-cookie-analyzer.js

@@ -0,0 +1,12 @@
+'use strict'
+
+const { NO_SAMESITE_COOKIE } = require('../vulnerabilities')
+const CookieAnalyzer = require('./cookie-analyzer')
+
+class NoSamesiteCookieAnalyzer extends CookieAnalyzer {
+  constructor () {
+    super(NO_SAMESITE_COOKIE, 'SameSite=strict')
+  }
+}
+
+module.exports = new NoSamesiteCookieAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/set-cookies-header-interceptor.js

@@ -14,24 +14,28 @@ class SetCookiesHeaderInterceptor extends Plugin {
           allCookies = [value]
         }
         const alreadyCheckedCookies = this._getAlreadyCheckedCookiesInResponse(res)
+
+        let location
         allCookies.forEach(cookieString => {
           if (!alreadyCheckedCookies.includes(cookieString)) {
             alreadyCheckedCookies.push(cookieString)
-            setCookieChannel.publish(this._parseCookie(cookieString))
+            const parsedCookie = this._parseCookie(cookieString, location)
+            setCookieChannel.publish(parsedCookie)
+            location = parsedCookie.location
           }
         })
       }
     })
   }
 
-  _parseCookie (cookieString) {
+  _parseCookie (cookieString, location) {
     const cookieParts = cookieString.split(';')
     const nameValueParts = cookieParts[0].split('=')
     const cookieName = nameValueParts[0]
     const cookieValue = nameValueParts.slice(1).join('=')
     const cookieProperties = cookieParts.slice(1).map(part => part.trim())
 
-    return { cookieName, cookieValue, cookieProperties, cookieString }
+    return { cookieName, cookieValue, cookieProperties, cookieString, location }
   }
 
   _getAlreadyCheckedCookiesInResponse (res) {

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -6,9 +6,9 @@ const { getRanges } = require('../taint-tracking/operations')
 const { storage } = require('../../../../../datadog-core')
 const { getIastContext } = require('../iast-context')
 const { addVulnerability } = require('../vulnerability-reporter')
+const { getNodeModulesPaths } = require('../path-line')
 
-const EXCLUDED_PATHS = ['node_modules/mysql2', 'node_modules/sequelize', 'node_modules\\mysql2',
-  'node_modules\\sequelize']
+const EXCLUDED_PATHS = getNodeModulesPaths('mysql2', 'sequelize')
 
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -28,7 +28,7 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
 
     this.addSub('datadog:sequelize:query:finish', () => {
       const store = storage.getStore()
-      if (store.sequelizeParentStore) {
+      if (store && store.sequelizeParentStore) {
         storage.enterWith(store.sequelizeParentStore)
       }
     })

package/packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js

@@ -0,0 +1,48 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+const { UNVALIDATED_REDIRECT } = require('../vulnerabilities')
+const { getNodeModulesPaths } = require('../path-line')
+const { getRanges } = require('../taint-tracking/operations')
+const { HTTP_REQUEST_HEADER_VALUE } = require('../taint-tracking/origin-types')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
+
+class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(UNVALIDATED_REDIRECT)
+
+    this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => this.analyze(name, value))
+  }
+
+  // TODO: In case the location header value is tainted, this analyzer should check the ranges of the tainted.
+  // And do not report a vulnerability if source of the ranges (range.iinfo.type) are exclusively url or path params
+  // to avoid false positives.
+  analyze (name, value) {
+    if (!this.isLocationHeader(name) || typeof value !== 'string') return
+
+    super.analyze(value)
+  }
+
+  isLocationHeader (name) {
+    return name && name.trim().toLowerCase() === 'location'
+  }
+
+  _isVulnerable (value, iastContext) {
+    if (!value) return false
+
+    const ranges = getRanges(iastContext, value)
+    return ranges && ranges.length > 0 && !this._isRefererHeader(ranges)
+  }
+
+  _isRefererHeader (ranges) {
+    return ranges && ranges.every(range => range.iinfo.type === HTTP_REQUEST_HEADER_VALUE &&
+      range.iinfo.parameterName && range.iinfo.parameterName.toLowerCase() === 'referer')
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
+}
+
+module.exports = new UnvalidatedRedirectAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -38,7 +38,7 @@ class Analyzer extends Plugin {
 
   _report (value, context) {
     const evidence = this._getEvidence(value, context)
-    const location = this._getLocation()
+    const location = this._getLocation(value)
     if (!this._isExcluded(location)) {
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
       const vulnerability = this._createVulnerability(this._type, evidence, spanId, location)
@@ -47,7 +47,7 @@ class Analyzer extends Plugin {
   }
 
   _reportIfVulnerable (value, context) {
-    if (this._isVulnerable(value, context) && this._checkOCE(context)) {
+    if (this._isVulnerable(value, context) && this._checkOCE(context, value)) {
       this._report(value, context)
       return true
     }
@@ -78,7 +78,7 @@ class Analyzer extends Plugin {
     for (let i = 0; i < values.length; i++) {
       const value = values[i]
       if (this._isVulnerable(value, iastContext)) {
-        if (this._checkOCE(iastContext)) {
+        if (this._checkOCE(iastContext, value)) {
           this._report(value, iastContext)
         }
         break

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js

@@ -1,4 +1,7 @@
 'use strict'
+
+const path = require('path')
+
 const Analyzer = require('./vulnerability-analyzer')
 const { WEAK_HASH } = require('../vulnerabilities')
 
@@ -8,6 +11,17 @@ const INSECURE_HASH_ALGORITHMS = new Set([
   'RSA-SHA1', 'RSA-SHA1-2', 'sha1', 'md5-sha1', 'sha1WithRSAEncryption', 'ssl3-sha1'
 ].map(algorithm => algorithm.toLowerCase()))
 
+const EXCLUDED_LOCATIONS = [
+  path.join('node_modules', 'etag', 'index.js'),
+  path.join('node_modules', 'redlock', 'dist', 'cjs'),
+  path.join('node_modules', 'ws', 'lib', 'websocket-server.js'),
+  path.join('node_modules', 'mysql2', 'lib', 'auth_41.js'),
+  path.join('node_modules', '@mikro-orm', 'core', 'utils', 'Utils.js')
+]
+
+const EXCLUDED_PATHS_FROM_STACK = [
+  path.join('node_modules', 'object-hash', path.sep)
+]
 class WeakHashAnalyzer extends Analyzer {
   constructor () {
     super(WEAK_HASH)
@@ -20,6 +34,16 @@ class WeakHashAnalyzer extends Analyzer {
     }
     return false
   }
+
+  _isExcluded (location) {
+    return EXCLUDED_LOCATIONS.some(excludedLocation => {
+      return location.path.includes(excludedLocation)
+    })
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS_FROM_STACK
+  }
 }
 
 module.exports = new WeakHashAnalyzer()