dd-trace 3.23.0 → 3.24.0

package/MIGRATING.md

@@ -4,6 +4,45 @@ This guide describes the steps to upgrade dd-trace from a major version to the
 next. If you are having any issues related to migrating, please feel free to
 open an issue or contact our [support](https://www.datadoghq.com/support/) team.
 
+## 3.0 to 4.0
+
+### Node 14 is no longer supported
+
+Node.js 14 has reached EOL in April 2023 and is no longer supported. Generally
+speaking, we highly recommend always keeping Node.js up to date regardless of
+our support policy.
+
+### The `orphanable` option was removed
+
+This option was only useful internally for a single integration that has since
+been removed. It was never useful for manual instrumentation since all that is
+needed to orphan a span on creation is to use
+`tracer.trace('web.request', { childOf: null })`.
+
+### Support for `jest-jasmine2` has been removed
+
+The default test runner for Jest was changed to `jest-circus` around 2 years ago and
+is no longer supported by our Jest integration for CI Visibility. We recommend
+switching to `jest-circus` to anyone still using `jest-jasmine2`.
+
+### Support for older Next.js versions was removed
+
+We now support only Next.js 10.2 and up.
+
+### W3C headers are now prioritized over Datadog headers
+
+As we move towards open standards, we have decided to prioritize W3C Trace
+Context headers over our own vendor-specific headers for context propagation
+across services. For most applications this shouldn't change anything and
+distributed tracing should continue to work seamlessly.
+
+In some rare cases it's possible that some of the services involved in a trace
+are not instrumented by Datadog at all which can cause spans within the trace to
+become disconnected. While the data would still be available in the UI, the
+relationship between spans would no longer be visible. This can be addressed by
+restoring the previous behaviour using
+`DD_TRACE_PROPAGATION_STYLE='datadog,tracecontext'`.
+
 ## 2.0 to 3.0
 
 ### Node 12 is no longer supported

package/README.md

@@ -1,6 +1,7 @@
 # `dd-trace`: Node.js APM Tracer Library
 
-[![npm v3](https://img.shields.io/npm/v/dd-trace/latest?color=blue&label=dd-trace%40v3&logo=npm)](https://www.npmjs.com/package/dd-trace)
+[![npm v4](https://img.shields.io/npm/v/dd-trace/latest?color=blue&label=dd-trace%40v4&logo=npm)](https://www.npmjs.com/package/dd-trace)
+[![npm v3](https://img.shields.io/npm/v/dd-trace/latest-node14?color=blue&label=dd-trace%40v3&logo=npm)](https://www.npmjs.com/package/dd-trace/v/latest-node12)
 [![npm v2](https://img.shields.io/npm/v/dd-trace/latest-node12?color=blue&label=dd-trace%40v2&logo=npm)](https://www.npmjs.com/package/dd-trace/v/latest-node12)
 [![npm dev](https://img.shields.io/npm/v/dd-trace/dev?color=orange&label=dd-trace%40dev&logo=npm)](https://www.npmjs.com/package/dd-trace/v/dev)
 [![codecov](https://codecov.io/gh/DataDog/dd-trace-js/branch/master/graph/badge.svg)](https://codecov.io/gh/DataDog/dd-trace-js)
@@ -28,27 +29,28 @@ Most of the documentation for `dd-trace` is available on these webpages:
 | :---:                                                    | :---:                                                                                                  | :---:    | :---:           | :---:          | :---:       |
 | [`v1`](https://github.com/DataDog/dd-trace-js/tree/v1.x) | ![npm v1](https://img.shields.io/npm/v/dd-trace/legacy-v1?color=white&label=%20&style=flat-square)     | `>= v12` | **End of Life** | 2021-07-13     | 2022-02-25  |
 | [`v2`](https://github.com/DataDog/dd-trace-js/tree/v2.x) | ![npm v2](https://img.shields.io/npm/v/dd-trace/latest-node12?color=white&label=%20&style=flat-square) | `>= v12` | **Maintenance** | 2022-01-28     | 2023-08-15  |
-| [`v3`](https://github.com/DataDog/dd-trace-js/tree/v3.x) | ![npm v3](https://img.shields.io/npm/v/dd-trace/latest?color=white&label=%20&style=flat-square)        | `>= v14` | **Current**     | 2022-08-15     | Unknown     |
+| [`v3`](https://github.com/DataDog/dd-trace-js/tree/v3.x) | ![npm v3](https://img.shields.io/npm/v/dd-trace/latest-node14?color=white&label=%20&style=flat-square) | `>= v14` | **Maintenance** | 2022-08-15     | 2024-05-15  |
+| [`v4`](https://github.com/DataDog/dd-trace-js/tree/v4.x) | ![npm v4](https://img.shields.io/npm/v/dd-trace/latest?color=white&label=%20&style=flat-square)        | `>= v16` | **Current**     | 2023-05-12     | Unknown     |
 
-We currently maintain two release lines, namely `v2` and `v3`.
-Features and bug fixes that are merged are released to the `v3` line and, if appropriate, also the `v2` line.
+We currently maintain three release lines, namely `v2`, `v3` and `v4`.
+Features and bug fixes that are merged are released to the `v4` line and, if appropriate, also the `v2` and `v3` line.
 
-For any new projects it is recommended to use the `v3` release line:
+For any new projects it is recommended to use the `v4` release line:
 
 ```sh
 $ npm install dd-trace
 $ yarn add dd-trace
 ```
 
-However, existing projects that already use the `v2` release line, or projects that need to support Node.js v12, may use the `v2` release line.
+However, existing projects that already use the `v2` or `v3` release lines, or projects that need to support EOL versions of Node.js, may continue to use these release lines.
 This is done by specifying the version when installing the package.
-Note that we also publish to npm using a `latest-node12` tag that can also be used for install:
+Note that we also publish to npm using a `latest-node12` and `latest-node14` tag that can also be used for install:
 
 ```sh
-$ npm install dd-trace@2
-$ yarn add dd-trace@2
-$ npm install dd-trace@latest-node12
-$ yarn add dd-trace@latest-node12
+$ npm install dd-trace@3
+$ yarn add dd-trace@3
+$ npm install dd-trace@latest-node14
+$ yarn add dd-trace@latest-node14
 ```
 
 Any backwards-breaking functionality that is introduced into the library will result in an increase of the major version of the library and therefore a new release line.
@@ -153,6 +155,11 @@ $ yarn lint
 
 ### Experimental ESM Support
 
+> **Warning**
+> 
+> ESM support has been temporarily disabled starting from Node 20 as significant
+> changes are in progress.
+
 ESM support is currently in the experimental stages, while CJS has been supported
 since inception. This means that code loaded using `require()` should work fine
 but code loaded using `import` might not always work.

package/index.d.ts

@@ -749,6 +749,7 @@ interface Plugins {
   "elasticsearch": plugins.elasticsearch;
   "express": plugins.express;
   "fastify": plugins.fastify;
+  "fetch": plugins.fetch;
   "generic-pool": plugins.generic_pool;
   "google-cloud-pubsub": plugins.google_cloud_pubsub;
   "graphql": plugins.graphql;
@@ -1092,6 +1093,12 @@ declare namespace plugins {
    */
   interface fastify extends HttpServer {}
 
+  /**
+   * This plugin automatically instruments the
+   * [fetch](https://nodejs.org/api/globals.html#fetch) global.
+   */
+  interface fetch extends HttpClient {}
+
   /**
    * This plugin patches the [generic-pool](https://github.com/coopernurse/node-pool)
    * module to bind the callbacks the the caller context.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "3.23.0",
+  "version": "3.24.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",
@@ -19,7 +19,7 @@
     "test:appsec:ci": "nyc --no-clean --include \"packages/dd-trace/src/appsec/**/*.js\" --exclude \"packages/dd-trace/test/appsec/**/*.plugin.spec.js\" -- npm run test:appsec",
     "test:appsec:plugins": "mocha --colors --exit -r \"packages/dd-trace/test/setup/mocha.js\" \"packages/dd-trace/test/appsec/**/*.@($(echo $PLUGINS)).plugin.spec.js\"",
     "test:appsec:plugins:ci": "yarn services && nyc --no-clean --include \"packages/dd-trace/test/appsec/**/*.@($(echo $PLUGINS)).plugin.spec.js\" -- npm run test:appsec:plugins",
-    "test:trace:core": "tap packages/dd-trace/test/*.spec.js \"packages/dd-trace/test/{ci-visibility,encode,exporters,opentelemetry,opentracing,plugins,telemetry}/**/*.spec.js\"",
+    "test:trace:core": "tap packages/dd-trace/test/*.spec.js \"packages/dd-trace/test/{ci-visibility,config,encode,exporters,opentelemetry,opentracing,plugins,telemetry}/**/*.spec.js\"",
     "test:trace:core:ci": "npm run test:trace:core -- --coverage --nyc-arg=--include=\"packages/dd-trace/src/**/*.js\"",
     "test:instrumentations": "mocha --colors -r 'packages/dd-trace/test/setup/mocha.js' 'packages/datadog-instrumentations/test/**/*.spec.js'",
     "test:instrumentations:ci": "nyc --no-clean --include 'packages/datadog-instrumentations/src/**/*.js' -- npm run test:instrumentations",
@@ -68,12 +68,12 @@
   "dependencies": {
     "@datadog/native-appsec": "^3.2.0",
     "@datadog/native-iast-rewriter": "2.0.1",
-    "@datadog/native-iast-taint-tracking": "^1.4.1",
+    "@datadog/native-iast-taint-tracking": "^1.5.0",
     "@datadog/native-metrics": "^2.0.0",
-    "@datadog/pprof": "^2.2.1",
+    "@datadog/pprof": "2.2.3",
     "@datadog/sketches-js": "^2.1.0",
     "@opentelemetry/api": "^1.0.0",
-    "@opentelemetry/core": "<1.4.0",
+    "@opentelemetry/core": "^1.14.0",
     "crypto-randomuuid": "^1.0.0",
     "diagnostics_channel": "^1.1.0",
     "ignore": "^5.2.0",

package/packages/datadog-instrumentations/src/cookie.js

@@ -0,0 +1,21 @@
+'use strict'
+
+const shimmer = require('../../datadog-shimmer')
+const { channel, addHook } = require('./helpers/instrument')
+
+const cookieParseCh = channel('datadog:cookie:parse:finish')
+
+function wrapParse (originalParse) {
+  return function () {
+    const cookies = originalParse.apply(this, arguments)
+    if (cookieParseCh.hasSubscribers && cookies) {
+      cookieParseCh.publish({ cookies })
+    }
+    return cookies
+  }
+}
+
+addHook({ name: 'cookie', versions: ['>=0.4'] }, cookie => {
+  shimmer.wrap(cookie, 'parse', wrapParse)
+  return cookie
+})

package/packages/datadog-instrumentations/src/fetch.js

@@ -0,0 +1,48 @@
+'use strict'
+
+const shimmer = require('../../datadog-shimmer')
+const { channel } = require('./helpers/instrument')
+
+const startChannel = channel('apm:fetch:request:start')
+const finishChannel = channel('apm:fetch:request:finish')
+const errorChannel = channel('apm:fetch:request:error')
+
+function wrapFetch (fetch, Request) {
+  if (typeof fetch !== 'function') return fetch
+
+  return function (input, init) {
+    if (!startChannel.hasSubscribers) return fetch.apply(this, arguments)
+
+    const req = new Request(input, init)
+    const headers = req.headers
+    const message = { req, headers }
+
+    startChannel.publish(message)
+
+    // Request object is read-only so we need new objects to change headers.
+    arguments[0] = message.req
+    arguments[1] = { headers: message.headers }
+
+    return fetch.apply(this, arguments)
+      .then(
+        res => {
+          finishChannel.publish({ req, res })
+
+          return res
+        },
+        err => {
+          if (err.name !== 'AbortError') {
+            errorChannel.publish(err)
+          }
+
+          finishChannel.publish({ req })
+
+          throw err
+        }
+      )
+  }
+}
+
+if (globalThis.fetch) {
+  globalThis.fetch = shimmer.wrap(fetch, wrapFetch(fetch, globalThis.Request))
+}

package/packages/datadog-instrumentations/src/grpc/server.js

@@ -109,7 +109,7 @@ function wrapStream (call, requestResource, onCancel) {
 function wrapCallback (callback, call, requestResource, parentResource, onCancel) {
   return function (err, value, trailer, flags) {
     requestResource.runInAsyncScope(() => {
-      if (err instanceof Error) {
+      if (err) {
         errorChannel.publish(err)
         finishChannel.publish(err)
       } else {

package/packages/datadog-instrumentations/src/helpers/hooks.js

@@ -14,6 +14,7 @@ module.exports = {
   '@koa/router': () => require('../koa'),
   '@node-redis/client': () => require('../redis'),
   '@opensearch-project/opensearch': () => require('../opensearch'),
+  '@opentelemetry/sdk-trace-node': () => require('../otel-sdk-trace'),
   '@redis/client': () => require('../redis'),
   'amqp10': () => require('../amqp10'),
   'amqplib': () => require('../amqplib'),
@@ -25,6 +26,7 @@ module.exports = {
   'child_process': () => require('../child-process'),
   'node:child_process': () => require('../child-process'),
   'connect': () => require('../connect'),
+  'cookie': () => require('../cookie'),
   'couchbase': () => require('../couchbase'),
   'crypto': () => require('../crypto'),
   'cypress': () => require('../cypress'),

package/packages/datadog-instrumentations/src/helpers/register.js

@@ -7,16 +7,26 @@ const Hook = require('./hook')
 const requirePackageJson = require('../../../dd-trace/src/require-package-json')
 const log = require('../../../dd-trace/src/log')
 
+const { DD_TRACE_DISABLED_INSTRUMENTATIONS = '' } = process.env
+
 const hooks = require('./hooks')
 const instrumentations = require('./instrumentations')
 const names = Object.keys(hooks)
 const pathSepExpr = new RegExp(`\\${path.sep}`, 'g')
+const disabledInstrumentations = new Set(
+  DD_TRACE_DISABLED_INSTRUMENTATIONS ? DD_TRACE_DISABLED_INSTRUMENTATIONS.split(',') : []
+)
 
 const loadChannel = channel('dd-trace:instrumentation:load')
 
+// Globals
+require('../fetch')
+
 // TODO: make this more efficient
 
 for (const packageName of names) {
+  if (disabledInstrumentations.has(packageName)) continue
+
   Hook([packageName], (moduleExports, moduleName, moduleBaseDir, moduleVersion) => {
     moduleName = moduleName.replace(pathSepExpr, '/')
 

package/packages/datadog-instrumentations/src/jest.js

@@ -1,10 +1,8 @@
 'use strict'
-const semver = require('semver')
 
 const { addHook, channel, AsyncResource } = require('./helpers/instrument')
 const shimmer = require('../../datadog-shimmer')
 const log = require('../../dd-trace/src/log')
-const { version: ddTraceVersion } = require('../../../package.json')
 const {
   getCoveredFilenamesFromCoverage,
   JEST_WORKER_TRACE_PAYLOAD_CODE,
@@ -18,6 +16,7 @@ const {
   getJestTestName,
   getJestSuitesToRun
 } = require('../../datadog-plugin-jest/src/util')
+const { DD_MAJOR } = require('../../../version')
 
 const testSessionStartCh = channel('ci:jest:session:start')
 const testSessionFinishCh = channel('ci:jest:session:finish')
@@ -481,7 +480,7 @@ function jasmineAsyncInstallWraper (jasmineAsyncInstallExport, jestVersion) {
   }
 }
 
-if (semver.lt(ddTraceVersion, '4.0.0')) {
+if (DD_MAJOR < 4) {
   addHook({
     name: 'jest-jasmine2',
     versions: ['>=24.8.0'],

package/packages/datadog-instrumentations/src/next.js

@@ -4,7 +4,7 @@
 
 const { channel, addHook, AsyncResource } = require('./helpers/instrument')
 const shimmer = require('../../datadog-shimmer')
-const { MAJOR } = require('../../../version')
+const { DD_MAJOR } = require('../../../version')
 
 const startChannel = channel('apm:next:request:start')
 const finishChannel = channel('apm:next:request:finish')
@@ -171,7 +171,7 @@ addHook({ name: 'next', versions: ['>=11.1 <13.2'], file: 'dist/server/next-serv
 
 addHook({
   name: 'next',
-  versions: MAJOR >= 4 ? ['>=10.2 <11.1'] : ['>=9.5 <11.1'],
+  versions: DD_MAJOR >= 4 ? ['>=10.2 <11.1'] : ['>=9.5 <11.1'],
   file: 'dist/next-server/server/next-server.js'
 }, nextServer => {
   const Server = nextServer.default

package/packages/datadog-instrumentations/src/otel-sdk-trace.js

@@ -0,0 +1,18 @@
+'use strict'
+
+const { addHook } = require('./helpers/instrument')
+const shimmer = require('../../datadog-shimmer')
+const tracer = require('../../dd-trace')
+
+if (process.env.DD_TRACE_OTEL_ENABLED) {
+  addHook({
+    name: '@opentelemetry/sdk-trace-node',
+    file: 'build/src/NodeTracerProvider.js',
+    versions: ['*']
+  }, (mod) => {
+    shimmer.wrap(mod, 'NodeTracerProvider', () => {
+      return tracer.TracerProvider
+    })
+    return mod
+  })
+}

package/packages/datadog-plugin-fetch/src/index.js

@@ -0,0 +1,36 @@
+'use strict'
+
+const HttpClientPlugin = require('../../datadog-plugin-http/src/client')
+const { HTTP_HEADERS } = require('../../../ext/formats')
+
+class FetchPlugin extends HttpClientPlugin {
+  static get id () { return 'fetch' }
+
+  addTraceSub (eventName, handler) {
+    this.addSub(`apm:${this.constructor.id}:${this.operation}:${eventName}`, handler)
+  }
+
+  start (message) {
+    const req = message.req
+    const options = new URL(req.url)
+    const headers = options.headers = Object.fromEntries(req.headers.entries())
+
+    const args = { options }
+
+    super.start({ args })
+
+    message.req = new globalThis.Request(req, { headers })
+  }
+
+  _inject (span, headers) {
+    const carrier = {}
+
+    this.tracer.inject(span, HTTP_HEADERS, carrier)
+
+    for (const name in carrier) {
+      headers.append(name, carrier[name])
+    }
+  }
+}
+
+module.exports = FetchPlugin

package/packages/datadog-plugin-http/src/client.js

@@ -24,15 +24,17 @@ class HttpClientPlugin extends ClientPlugin {
     this.addSub(`apm:${this.constructor.id}:client:${this.operation}:${eventName}`, handler)
   }
 
-  start ({ args, http }) {
+  start ({ args, http = {} }) {
     const store = storage.getStore()
     const options = args.options
-    const agent = options.agent || options._defaultAgent || http.globalAgent
+    const agent = options.agent || options._defaultAgent || http.globalAgent || {}
     const protocol = options.protocol || agent.protocol || 'http:'
     const hostname = options.hostname || options.host || 'localhost'
     const host = options.port ? `${hostname}:${options.port}` : hostname
-    const path = options.path ? options.path.split(/[?#]/)[0] : '/'
+    const pathname = options.path || options.pathname
+    const path = pathname ? pathname.split(/[?#]/)[0] : '/'
     const uri = `${protocol}//${host}${path}`
+
     const allowed = this.config.filter(uri)
 
     const method = (options.method || 'GET').toUpperCase()
@@ -71,9 +73,11 @@ class HttpClientPlugin extends ClientPlugin {
   finish ({ req, res }) {
     const span = storage.getStore().span
     if (res) {
-      span.setTag(HTTP_STATUS_CODE, res.statusCode)
+      const status = res.status || res.statusCode
+
+      span.setTag(HTTP_STATUS_CODE, status)
 
-      if (!this.config.validateStatus(res.statusCode)) {
+      if (!this.config.validateStatus(status)) {
         span.setTag('error', 1)
       }
 
@@ -106,8 +110,14 @@ class HttpClientPlugin extends ClientPlugin {
 }
 
 function addResponseHeaders (res, span, config) {
+  if (!res.headers) return
+
+  const headers = typeof res.headers.entries === 'function'
+    ? Object.fromEntries(res.headers.entries())
+    : res.headers
+
   config.headers.forEach(key => {
-    const value = res.headers[key]
+    const value = headers[key]
 
     if (value) {
       span.setTag(`${HTTP_RESPONSE_HEADERS}.${key}`, value)
@@ -116,8 +126,12 @@ function addResponseHeaders (res, span, config) {
 }
 
 function addRequestHeaders (req, span, config) {
+  const headers = req.headers && typeof req.headers.entries === 'function'
+    ? Object.fromEntries(req.headers.entries())
+    : req.headers || req.getHeaders()
+
   config.headers.forEach(key => {
-    const value = req.getHeader(key)
+    const value = headers[key]
 
     if (value) {
       span.setTag(`${HTTP_REQUEST_HEADERS}.${key}`, Array.isArray(value) ? value.toString() : value)
@@ -193,7 +207,9 @@ function hasAmazonSignature (options) {
     }
   }
 
-  return options.path && options.path.toLowerCase().indexOf('x-amz-signature=') !== -1
+  const search = options.search || options.path
+
+  return search && search.toLowerCase().indexOf('x-amz-signature=') !== -1
 }
 
 function getServiceName (tracer, config, options) {

package/packages/datadog-plugin-mysql/src/index.js

@@ -8,9 +8,8 @@ class MySQLPlugin extends DatabasePlugin {
   static get system () { return 'mysql' }
 
   start (payload) {
-    const service = getServiceName(this.config, payload.conf)
-
-    this.startSpan(`${this.system}.query`, {
+    const service = this.serviceName(this.config, payload.conf, this.system)
+    this.startSpan(this.operationName(), {
       service,
       resource: payload.sql,
       type: 'sql',
@@ -27,12 +26,4 @@ class MySQLPlugin extends DatabasePlugin {
   }
 }
 
-function getServiceName (config, dbConfig) {
-  if (typeof config.service === 'function') {
-    return config.service(dbConfig)
-  }
-
-  return config.service
-}
-
 module.exports = MySQLPlugin

package/packages/datadog-plugin-tedious/src/index.js

@@ -9,8 +9,8 @@ class TediousPlugin extends DatabasePlugin {
   static get system () { return 'mssql' }
 
   start ({ queryOrProcedure, connectionConfig }) {
-    this.startSpan('tedious.request', {
-      service: this.config.service,
+    this.startSpan(this.operationName(), {
+      service: this.serviceName(this.config, this.system),
       resource: queryOrProcedure,
       type: 'sql',
       kind: 'client',

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -4,9 +4,12 @@ module.exports = {
   'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
   'INSECURE_COOKIE_ANALYZER': require('./insecure-cookie-analyzer'),
   'LDAP_ANALYZER': require('./ldap-injection-analyzer'),
+  'NO_HTTPONLY_COOKIE_ANALYZER': require('./no-httponly-cookie-analyzer'),
+  'NO_SAMESITE_COOKIE_ANALYZER': require('./no-samesite-cookie-analyzer'),
   'PATH_TRAVERSAL_ANALYZER': require('./path-traversal-analyzer'),
   'SQL_INJECTION_ANALYZER': require('./sql-injection-analyzer'),
   'SSRF': require('./ssrf-analyzer'),
+  'UNVALIDATED_REDIRECT_ANALYZER': require('./unvalidated-redirect-analyzer'),
   'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
   'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -0,0 +1,52 @@
+'use strict'
+
+const Analyzer = require('./vulnerability-analyzer')
+const { getNodeModulesPaths } = require('../path-line')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
+
+class CookieAnalyzer extends Analyzer {
+  constructor (type, propertyToBeSafe) {
+    super(type)
+    this.propertyToBeSafe = propertyToBeSafe.toLowerCase()
+    this.addSub('datadog:iast:set-cookie', (cookieInfo) => this.analyze(cookieInfo))
+  }
+
+  _isVulnerable ({ cookieProperties, cookieValue }) {
+    return cookieValue && !(cookieProperties && cookieProperties
+      .map(x => x.toLowerCase().trim()).includes(this.propertyToBeSafe))
+  }
+
+  _getEvidence ({ cookieName }) {
+    return { value: cookieName }
+  }
+
+  _createHashSource (type, evidence, location) {
+    return `${type}:${evidence.value}`
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
+  _checkOCE (context, value) {
+    if (value && value.location) {
+      return true
+    }
+    return super._checkOCE(context, value)
+  }
+
+  _getLocation (value) {
+    if (!value) {
+      return super._getLocation()
+    }
+
+    if (value.location) {
+      return value.location
+    }
+    const location = super._getLocation(value)
+    value.location = location
+    return location
+  }
+}
+
+module.exports = CookieAnalyzer

package/packages/dd-trace/src/appsec/iast/analyzers/insecure-cookie-analyzer.js

@@ -1,30 +1,11 @@
 'use strict'
 
-const Analyzer = require('./vulnerability-analyzer')
 const { INSECURE_COOKIE } = require('../vulnerabilities')
+const CookieAnalyzer = require('./cookie-analyzer')
 
-const EXCLUDED_PATHS = ['node_modules/express/lib/response.js', 'node_modules\\express\\lib\\response.js']
-
-class InsecureCookieAnalyzer extends Analyzer {
+class InsecureCookieAnalyzer extends CookieAnalyzer {
   constructor () {
-    super(INSECURE_COOKIE)
-    this.addSub('datadog:iast:set-cookie', (cookieInfo) => this.analyze(cookieInfo))
-  }
-
-  _isVulnerable ({ cookieProperties, cookieValue }) {
-    return cookieValue && !(cookieProperties && cookieProperties.map(x => x.toLowerCase().trim()).includes('secure'))
-  }
-
-  _getEvidence ({ cookieName }) {
-    return { value: cookieName }
-  }
-
-  _createHashSource (type, evidence, location) {
-    return `${type}:${evidence.value}`
-  }
-
-  _getExcludedPaths () {
-    return EXCLUDED_PATHS
+    super(INSECURE_COOKIE, 'secure')
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/no-httponly-cookie-analyzer.js

@@ -0,0 +1,12 @@
+'use strict'
+
+const { NO_HTTPONLY_COOKIE } = require('../vulnerabilities')
+const CookieAnalyzer = require('./cookie-analyzer')
+
+class NoHttponlyCookieAnalyzer extends CookieAnalyzer {
+  constructor () {
+    super(NO_HTTPONLY_COOKIE, 'HttpOnly')
+  }
+}
+
+module.exports = new NoHttponlyCookieAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/no-samesite-cookie-analyzer.js

@@ -0,0 +1,12 @@
+'use strict'
+
+const { NO_SAMESITE_COOKIE } = require('../vulnerabilities')
+const CookieAnalyzer = require('./cookie-analyzer')
+
+class NoSamesiteCookieAnalyzer extends CookieAnalyzer {
+  constructor () {
+    super(NO_SAMESITE_COOKIE, 'SameSite=strict')
+  }
+}
+
+module.exports = new NoSamesiteCookieAnalyzer()