dd-trace 4.0.0-pre-5e89884 → 4.0.0-pre-4e7da80

package/index.d.ts

@@ -77,6 +77,10 @@ export declare interface Tracer extends opentracing.Tracer {
    * span will finish when that callback is called.
    * * The function doesn't accept a callback and doesn't return a promise, in
    * which case the span will finish at the end of the function execution.
+   *
+   * If the `orphanable` option is set to false, the function will not be traced
+   * unless there is already an active span or `childOf` option. Note that this
+   * option is deprecated and has been removed in version 4.0.
    */
   trace<T> (name: string, fn: (span?: Span, fn?: (error?: Error) => any) => T): T;
   trace<T> (name: string, options: TraceOptions & SpanOptions, fn: (span?: Span, done?: (error?: Error) => string) => T): T;
@@ -440,6 +444,11 @@ export declare interface TracerOptions {
        * Whether to enable vulnerability deduplication
        */
       deduplicationEnabled?: boolean
+      /**
+       * Whether to enable vulnerability redaction
+       * @default true
+       */
+      redactionEnabled?: boolean
     }
   };
 
@@ -485,6 +494,13 @@ export declare interface TracerOptions {
    */
   logLevel?: 'error' | 'debug'
 
+  /**
+   * If false, require a parent in order to trace.
+   * @default true
+   * @deprecated since version 4.0
+   */
+  orphanable?: boolean
+
   /**
    * Enables DBM to APM link using tag injection.
    * @default 'disabled'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "4.0.0-pre-5e89884",
+  "version": "4.0.0-pre-4e7da80",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",
@@ -36,6 +36,7 @@
     "test:integration:cucumber": "mocha --colors --timeout 30000 \"integration-tests/cucumber/*.spec.js\"",
     "test:integration:cypress": "mocha --colors --timeout 30000 \"integration-tests/cypress/*.spec.js\"",
     "test:integration:playwright": "mocha --colors --timeout 30000 \"integration-tests/playwright/*.spec.js\"",
+    "test:integration:serverless": "mocha --colors --timeout 30000 \"integration-tests/serverless/*.spec.js\"",
     "test:shimmer": "mocha --colors 'packages/datadog-shimmer/test/**/*.spec.js'",
     "test:shimmer:ci": "nyc --no-clean --include 'packages/datadog-shimmer/src/**/*.js' -- npm run test:shimmer",
     "leak:core": "node ./scripts/install_plugin_modules && (cd packages/memwatch && yarn) && NODE_PATH=./packages/memwatch/node_modules node --no-warnings ./node_modules/.bin/tape 'packages/dd-trace/test/leak/**/*.js'",
@@ -67,9 +68,9 @@
   "dependencies": {
     "@datadog/native-appsec": "^3.1.0",
     "@datadog/native-iast-rewriter": "2.0.1",
-    "@datadog/native-iast-taint-tracking": "^1.4.0",
-    "@datadog/native-metrics": "^1.6.0",
-    "@datadog/pprof": "^2.2.0",
+    "@datadog/native-iast-taint-tracking": "^1.4.1",
+    "@datadog/native-metrics": "^2.0.0",
+    "@datadog/pprof": "^2.2.1",
     "@datadog/sketches-js": "^2.1.0",
     "crypto-randomuuid": "^1.0.0",
     "diagnostics_channel": "^1.1.0",

package/packages/datadog-instrumentations/src/jest.js

@@ -454,6 +454,7 @@ addHook({
 }, jestConfigSyncWrapper)
 
 function jasmineAsyncInstallWraper (jasmineAsyncInstallExport, jestVersion) {
+  log.warn('jest-jasmine2 support is removed from dd-trace@v4. Consider changing to jest-circus as `testRunner`.')
   return function (globalConfig, globalInput) {
     globalInput._ddtrace = global._ddtrace
     shimmer.wrap(globalInput.jasmine.Spec.prototype, 'execute', execute => function (onComplete) {

package/packages/datadog-instrumentations/src/next.js

@@ -4,6 +4,7 @@
 
 const { channel, addHook, AsyncResource } = require('./helpers/instrument')
 const shimmer = require('../../datadog-shimmer')
+const { MAJOR } = require('../../../version')
 
 const startChannel = channel('apm:next:request:start')
 const finishChannel = channel('apm:next:request:finish')
@@ -168,7 +169,11 @@ addHook({ name: 'next', versions: ['>=11.1 <13.2'], file: 'dist/server/next-serv
   return nextServer
 })
 
-addHook({ name: 'next', versions: ['>=9.5 <11.1'], file: 'dist/next-server/server/next-server.js' }, nextServer => {
+addHook({
+  name: 'next',
+  versions: MAJOR >= 4 ? ['>=10.2 <11.1'] : ['>=9.5 <11.1'],
+  file: 'dist/next-server/server/next-server.js'
+}, nextServer => {
   const Server = nextServer.default
 
   shimmer.wrap(Server.prototype, 'handleRequest', wrapHandleRequest)

package/packages/datadog-plugin-aws-sdk/src/base.js

@@ -38,6 +38,8 @@ class BaseAwsSdkPlugin extends Plugin {
         'service.name': serviceName,
         'aws.operation': operation,
         'aws.region': awsRegion,
+        'region': awsRegion,
+        'aws_service': awsService,
         'aws.service': awsService,
         'component': 'aws-sdk'
       }
@@ -60,6 +62,7 @@ class BaseAwsSdkPlugin extends Plugin {
       const { span } = store
       if (!span) return
       span.setTag('aws.region', region)
+      span.setTag('region', region)
     })
 
     this.addSub(`apm:aws:request:complete:${this.serviceIdentifier}`, ({ response }) => {

package/packages/datadog-plugin-aws-sdk/src/services/cloudwatchlogs.js

@@ -12,7 +12,8 @@ class CloudwatchLogs extends BaseAwsSdkPlugin {
 
     return Object.assign(tags, {
       'resource.name': `${operation} ${params.logGroupName}`,
-      'aws.cloudwatch.logs.log_group_name': params.logGroupName
+      'aws.cloudwatch.logs.log_group_name': params.logGroupName,
+      'loggroupname': params.logGroupName
     })
   }
 }

package/packages/datadog-plugin-aws-sdk/src/services/dynamodb.js

@@ -12,7 +12,8 @@ class DynamoDb extends BaseAwsSdkPlugin {
       if (params.TableName) {
         Object.assign(tags, {
           'resource.name': `${operation} ${params.TableName}`,
-          'aws.dynamodb.table_name': params.TableName
+          'aws.dynamodb.table_name': params.TableName,
+          'tablename': params.TableName
         })
       }
 
@@ -27,7 +28,8 @@ class DynamoDb extends BaseAwsSdkPlugin {
             // also add span type to match serverless convention
             Object.assign(tags, {
               'resource.name': `${operation} ${tableName}`,
-              'aws.dynamodb.table_name': tableName
+              'aws.dynamodb.table_name': tableName,
+              'tablename': tableName
             })
           }
         }

package/packages/datadog-plugin-aws-sdk/src/services/eventbridge.js

@@ -7,10 +7,11 @@ class EventBridge extends BaseAwsSdkPlugin {
 
   generateTags (params, operation, response) {
     if (!params || !params.source) return {}
-
+    const rulename = params.Name ? params.Name : ''
     return {
-      'resource.name': `${operation} ${params.source}`,
-      'aws.eventbridge.source': params.source
+      'resource.name': operation ? `${operation} ${params.source}` : params.source,
+      'aws.eventbridge.source': `${params.source}`,
+      'rulename': `${rulename}`
     }
   }
 

package/packages/datadog-plugin-aws-sdk/src/services/kinesis.js

@@ -9,7 +9,8 @@ class Kinesis extends BaseAwsSdkPlugin {
 
     return {
       'resource.name': `${operation} ${params.StreamName}`,
-      'aws.kinesis.stream_name': params.StreamName
+      'aws.kinesis.stream_name': params.StreamName,
+      'streamname': params.StreamName
     }
   }
 

package/packages/datadog-plugin-aws-sdk/src/services/lambda.js

@@ -13,6 +13,7 @@ class Lambda extends BaseAwsSdkPlugin {
 
     return Object.assign(tags, {
       'resource.name': `${operation} ${params.FunctionName}`,
+      'functionname': params.FunctionName,
       'aws.lambda': params.FunctionName
     })
   }

package/packages/datadog-plugin-aws-sdk/src/services/redshift.js

@@ -12,7 +12,8 @@ class Redshift extends BaseAwsSdkPlugin {
 
     return Object.assign(tags, {
       'resource.name': `${operation} ${params.ClusterIdentifier}`,
-      'aws.redshift.cluster_identifier': params.ClusterIdentifier
+      'aws.redshift.cluster_identifier': params.ClusterIdentifier,
+      'clusteridentifier': params.ClusterIdentifier
     })
   }
 }

package/packages/datadog-plugin-aws-sdk/src/services/s3.js

@@ -12,7 +12,8 @@ class S3 extends BaseAwsSdkPlugin {
 
     return Object.assign(tags, {
       'resource.name': `${operation} ${params.Bucket}`,
-      'aws.s3.bucket_name': params.Bucket
+      'aws.s3.bucket_name': params.Bucket,
+      'bucketname': params.Bucket
     })
   }
 }

package/packages/datadog-plugin-aws-sdk/src/services/sns.js

@@ -9,10 +9,17 @@ class Sns extends BaseAwsSdkPlugin {
     if (!params) return {}
 
     if (!params.TopicArn && !(response.data && response.data.TopicArn)) return {}
+    const TopicArn = params.TopicArn || response.data.TopicArn
+    // Split the ARN into its parts
+    // ex.'arn:aws:sns:us-east-1:123456789012:my-topic'
+    const arnParts = TopicArn.split(':')
 
+    // Get the topic name from the last part of the ARN
+    const topicName = arnParts[arnParts.length - 1]
     return {
       'resource.name': `${operation} ${params.TopicArn || response.data.TopicArn}`,
-      'aws.sns.topic_arn': params.TopicArn || response.data.TopicArn
+      'aws.sns.topic_arn': TopicArn,
+      'topicname': topicName
     }
 
     // TODO: should arn be sanitized or quantized in some way here,

package/packages/datadog-plugin-aws-sdk/src/services/sqs.js

@@ -59,10 +59,16 @@ class Sqs extends BaseAwsSdkPlugin {
     const tags = {}
 
     if (!params || (!params.QueueName && !params.QueueUrl)) return tags
+    // 'https://sqs.us-east-1.amazonaws.com/123456789012/my-queue';
+    let queueName = params.QueueName
+    if (params.QueueUrl) {
+      queueName = params.QueueUrl.split('/')[params.QueueUrl.split('/').length - 1]
+    }
 
     Object.assign(tags, {
       'resource.name': `${operation} ${params.QueueName || params.QueueUrl}`,
-      'aws.sqs.queue_name': params.QueueName || params.QueueUrl
+      'aws.sqs.queue_name': params.QueueName || params.QueueUrl,
+      'queuename': queueName
     })
 
     switch (operation) {

package/packages/datadog-plugin-http/src/client.js

@@ -45,7 +45,8 @@ class HttpClientPlugin extends Plugin {
           'resource.name': method,
           'span.type': 'http',
           'http.method': method,
-          'http.url': uri
+          'http.url': uri,
+          'out.host': hostname
         }
       })
 

package/packages/datadog-plugin-http2/src/client.js

@@ -52,7 +52,8 @@ class Http2ClientPlugin extends Plugin {
           'resource.name': method,
           'span.type': 'http',
           'http.method': method,
-          'http.url': uri
+          'http.url': uri,
+          'out.host': sessionDetails.host
         }
       })
 

package/packages/datadog-plugin-kafkajs/src/consumer.js

@@ -33,6 +33,8 @@ function extract (tracer, bufferMap) {
   const textMap = {}
 
   for (const key of Object.keys(bufferMap)) {
+    if (bufferMap[key] === null || bufferMap[key] === undefined) continue
+
     textMap[key] = bufferMap[key].toString()
   }
 

package/packages/dd-trace/src/appsec/iast/analyzers/command-injection-analyzer.js

@@ -1,9 +1,10 @@
 'use strict'
 const InjectionAnalyzer = require('./injection-analyzer')
+const { COMMAND_INJECTION } = require('../vulnerabilities')
 
 class CommandInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
-    super('COMMAND_INJECTION')
+    super(COMMAND_INJECTION)
     this.addSub('datadog:child_process:execution:start', ({ command }) => this.analyze(command))
   }
 }

package/packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js

@@ -1,9 +1,10 @@
 'use strict'
 const InjectionAnalyzer = require('./injection-analyzer')
+const { LDAP_INJECTION } = require('../vulnerabilities')
 
 class LdapInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
-    super('LDAP_INJECTION')
+    super(LDAP_INJECTION)
     this.addSub('datadog:ldapjs:client:search', ({ base, filter }) => this.analyzeAll(base, filter))
   }
 }

package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js

@@ -4,10 +4,11 @@ const path = require('path')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
 const InjectionAnalyzer = require('./injection-analyzer')
+const { PATH_TRAVERSAL } = require('../vulnerabilities')
 
 class PathTraversalAnalyzer extends InjectionAnalyzer {
   constructor () {
-    super('PATH_TRAVERSAL')
+    super(PATH_TRAVERSAL)
     this.addSub('apm:fs:operation:start', obj => {
       const pathArguments = []
       if (obj.dest) {
@@ -40,13 +41,29 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
       this.analyze(pathArguments)
     })
 
-    this.exclusionList = [ path.join('node_modules', 'send') + path.sep ]
+    this.exclusionList = [
+      path.join('node_modules', 'send') + path.sep
+    ]
+
+    this.internalExclusionList = [
+      'node:fs',
+      'node:internal/fs',
+      'node:internal\\fs',
+      'fs.js',
+      'internal/fs',
+      'internal\\fs'
+    ]
   }
 
   _isExcluded (location) {
-    let ret = false
+    let ret = true
     if (location && location.path) {
-      ret = this.exclusionList.some(elem => location.path.includes(elem))
+      // Exclude from reporting those vulnerabilities which location is from an internal fs call
+      if (location.isInternal) {
+        ret = this.internalExclusionList.some(elem => location.path.includes(elem))
+      } else {
+        ret = this.exclusionList.some(elem => location.path.includes(elem))
+      }
     }
     return ret
   }
@@ -59,7 +76,7 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
 
     if (value && value.constructor === Array) {
       for (const val of value) {
-        if (this._isVulnerable(val, iastContext)) {
+        if (this._isVulnerable(val, iastContext) && this._checkOCE(iastContext)) {
           this._report(val, iastContext)
           // no support several evidences in the same vulnerability, just report the 1st one
           break

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -1,12 +1,48 @@
 'use strict'
+
 const InjectionAnalyzer = require('./injection-analyzer')
+const { SQL_INJECTION } = require('../vulnerabilities')
+const { getRanges } = require('../taint-tracking/operations')
+const { storage } = require('../../../../../datadog-core')
+const { getIastContext } = require('../iast-context')
+const { createVulnerability, addVulnerability } = require('../vulnerability-reporter')
 
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
-    super('SQL_INJECTION')
-    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql))
-    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql))
-    this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text))
+    super(SQL_INJECTION)
+    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
+    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
+    this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, 'POSTGRES'))
+  }
+
+  _getEvidence (value, iastContext, dialect) {
+    const ranges = getRanges(iastContext, value)
+    return { value, ranges, dialect }
+  }
+
+  analyze (value, dialect) {
+    const store = storage.getStore()
+    const iastContext = getIastContext(store)
+    if (store && !iastContext) return
+    this._reportIfVulnerable(value, iastContext, dialect)
+  }
+
+  _reportIfVulnerable (value, context, dialect) {
+    if (this._isVulnerable(value, context) && this._checkOCE(context)) {
+      this._report(value, context, dialect)
+      return true
+    }
+    return false
+  }
+
+  _report (value, context, dialect) {
+    const evidence = this._getEvidence(value, context, dialect)
+    const location = this._getLocation()
+    if (!this._isExcluded(location)) {
+      const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
+      const vulnerability = createVulnerability(this._type, evidence, spanId, location)
+      addVulnerability(context, vulnerability)
+    }
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/weak-cipher-analyzer.js

@@ -1,5 +1,6 @@
 'use strict'
 const Analyzer = require('./vulnerability-analyzer')
+const { WEAK_CIPHER } = require('../vulnerabilities')
 
 const INSECURE_CIPHERS = new Set([
   'des', 'des-cbc', 'des-cfb', 'des-cfb1', 'des-cfb8', 'des-ecb', 'des-ede', 'des-ede-cbc', 'des-ede-cfb',
@@ -12,7 +13,7 @@ const INSECURE_CIPHERS = new Set([
 
 class WeakCipherAnalyzer extends Analyzer {
   constructor () {
-    super('WEAK_CIPHER')
+    super(WEAK_CIPHER)
     this.addSub('datadog:crypto:cipher:start', ({ algorithm }) => this.analyze(algorithm))
   }
 

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js

@@ -1,5 +1,6 @@
 'use strict'
 const Analyzer = require('./vulnerability-analyzer')
+const { WEAK_HASH } = require('../vulnerabilities')
 
 const INSECURE_HASH_ALGORITHMS = new Set([
   'md4', 'md4WithRSAEncryption', 'RSA-MD4',
@@ -9,7 +10,7 @@ const INSECURE_HASH_ALGORITHMS = new Set([
 
 class WeakHashAnalyzer extends Analyzer {
   constructor () {
-    super('WEAK_HASH')
+    super(WEAK_HASH)
     this.addSub('datadog:crypto:hashing:start', ({ algorithm }) => this.analyze(algorithm))
   }
 

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -45,7 +45,8 @@ function getFirstNonDDPathAndLineFromCallsites (callsites) {
       if (!isExcluded(callsite) && filepath.indexOf(pathLine.ddBasePath) === -1) {
         return {
           path: path.relative(process.cwd(), filepath),
-          line: callsite.getLineNumber()
+          line: callsite.getLineNumber(),
+          isInternal: !path.isAbsolute(filepath)
         }
       }
     }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/range-utils.js

@@ -0,0 +1,37 @@
+'use strict'
+
+function contains (rangeContainer, rangeContained) {
+  if (rangeContainer.start > rangeContained.start) {
+    return false
+  }
+  return rangeContainer.end >= rangeContained.end
+}
+
+function intersects (rangeA, rangeB) {
+  return rangeB.start < rangeA.end && rangeB.end > rangeA.start
+}
+
+function remove (range, rangeToRemove) {
+  if (!intersects(range, rangeToRemove)) {
+    return [range]
+  } else if (contains(rangeToRemove, range)) {
+    return []
+  } else {
+    const result = []
+    if (rangeToRemove.start > range.start) {
+      const offset = rangeToRemove.start - range.start
+      result.push({ start: range.start, end: range.start + offset })
+    }
+    if (rangeToRemove.end < range.end) {
+      const offset = range.end - rangeToRemove.end
+      result.push({ start: rangeToRemove.end, end: rangeToRemove.end + offset })
+    }
+    return result
+  }
+}
+
+module.exports = {
+  contains,
+  intersects,
+  remove
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/command-sensitive-analyzer.js

@@ -0,0 +1,29 @@
+'use strict'
+
+const iastLog = require('../../../iast-log')
+
+const COMMAND_PATTERN = '^(?:\\s*(?:sudo|doas)\\s+)?\\b\\S+\\b(.*)'
+
+class CommandSensitiveAnalyzer {
+  constructor () {
+    this._pattern = new RegExp(COMMAND_PATTERN, 'gmi')
+  }
+
+  extractSensitiveRanges (evidence) {
+    try {
+      this._pattern.lastIndex = 0
+
+      const regexResult = this._pattern.exec(evidence.value)
+      if (regexResult && regexResult.length > 1) {
+        const start = regexResult.index + (regexResult[0].length - regexResult[1].length)
+        const end = start + regexResult[1].length
+        return [{ start, end }]
+      }
+    } catch (e) {
+      iastLog.debug(e)
+    }
+    return []
+  }
+}
+
+module.exports = CommandSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/ldap-sensitive-analyzer.js

@@ -0,0 +1,35 @@
+'use strict'
+
+const iastLog = require('../../../iast-log')
+
+const LDAP_PATTERN = '\\(.*?(?:~=|=|<=|>=)(?<LITERAL>[^)]+)\\)'
+
+class LdapSensitiveAnalyzer {
+  constructor () {
+    this._pattern = new RegExp(LDAP_PATTERN, 'gmi')
+  }
+
+  extractSensitiveRanges (evidence) {
+    try {
+      this._pattern.lastIndex = 0
+      const tokens = []
+
+      let regexResult = this._pattern.exec(evidence.value)
+      while (regexResult != null) {
+        if (!regexResult.groups.LITERAL) continue
+        // Computing indices manually since NodeJs 12 does not support d flag on regular expressions
+        // TODO Get indices from group by adding d flag in regular expression
+        const start = regexResult.index + (regexResult[0].length - regexResult.groups.LITERAL.length - 1)
+        const end = start + regexResult.groups.LITERAL.length
+        tokens.push({ start, end })
+        regexResult = this._pattern.exec(evidence.value)
+      }
+      return tokens
+    } catch (e) {
+      iastLog.debug(e)
+    }
+    return []
+  }
+}
+
+module.exports = LdapSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/sql-sensitive-analyzer.js

@@ -0,0 +1,95 @@
+'use strict'
+
+const iastLog = require('../../../iast-log')
+
+const STRING_LITERAL = '\'(?:\'\'|[^\'])*\''
+const POSTGRESQL_ESCAPED_LITERAL = '\\$([^$]*)\\$.*?\\$\\1\\$'
+const MYSQL_STRING_LITERAL = '"(?:\\\\"|[^"])*"|\'(?:\\\\\'|[^\'])*\''
+const LINE_COMMENT = '--.*$'
+const BLOCK_COMMENT = '/\\*[\\s\\S]*\\*/'
+const EXPONENT = '(?:E[-+]?\\d+[fd]?)?'
+const INTEGER_NUMBER = '(?<!\\w)\\d+'
+const DECIMAL_NUMBER = '\\d*\\.\\d+'
+const HEX_NUMBER = 'x\'[0-9a-f]+\'|0x[0-9a-f]+'
+const BIN_NUMBER = 'b\'[0-9a-f]+\'|0b[0-9a-f]+'
+const NUMERIC_LITERAL =
+  `[-+]?(?:${
+    [
+      HEX_NUMBER,
+      BIN_NUMBER,
+      DECIMAL_NUMBER + EXPONENT,
+      INTEGER_NUMBER + EXPONENT
+    ].join('|')
+  })`
+
+class SqlSensitiveAnalyzer {
+  constructor () {
+    this._patterns = {
+      MYSQL: new RegExp(
+        [
+          NUMERIC_LITERAL,
+          MYSQL_STRING_LITERAL,
+          LINE_COMMENT,
+          BLOCK_COMMENT
+        ].join('|'),
+        'gmi'
+      ),
+      POSTGRES: new RegExp(
+        [
+          NUMERIC_LITERAL,
+          POSTGRESQL_ESCAPED_LITERAL,
+          STRING_LITERAL,
+          LINE_COMMENT,
+          BLOCK_COMMENT
+        ].join('|'),
+        'gmi'
+      )
+    }
+  }
+
+  extractSensitiveRanges (evidence) {
+    try {
+      const pattern = this._patterns[evidence.dialect]
+      pattern.lastIndex = 0
+      const tokens = []
+
+      let regexResult = pattern.exec(evidence.value)
+      while (regexResult != null) {
+        let start = regexResult.index
+        let end = regexResult.index + regexResult[0].length
+        const startChar = evidence.value.charAt(start)
+        if (startChar === '\'' || startChar === '"') {
+          start++
+          end--
+        } else if (end > start + 1) {
+          const nextChar = evidence.value.charAt(start + 1)
+          if (startChar === '/' && nextChar === '*') {
+            start += 2
+            end -= 2
+          } else if (startChar === '-' && startChar === nextChar) {
+            start += 2
+          } else if (startChar.toLowerCase() === 'q' && nextChar === '\'') {
+            start += 3
+            end -= 2
+          } else if (startChar === '$') {
+            const match = regexResult[0]
+            const size = match.indexOf('$', 1) + 1
+            if (size > 1) {
+              start += size
+              end -= size
+            }
+          }
+        }
+
+        tokens.push({ start, end })
+        regexResult = pattern.exec(evidence.value)
+      }
+      return tokens
+    } catch (e) {
+      iastLog.debug(e)
+    }
+    return []
+  }
+}
+
+module.exports = SqlSensitiveAnalyzer