dd-trace 4.11.1 → 4.16.0

package/packages/datadog-plugin-cypress/src/plugin.js

@@ -20,10 +20,12 @@ const {
   finishAllTraceSpans,
   getCoveredFilenamesFromCoverage,
   getTestSuitePath,
-  addIntelligentTestRunnerSpanTags
+  addIntelligentTestRunnerSpanTags,
+  TEST_SKIPPED_BY_ITR
 } = require('../../dd-trace/src/plugins/util/test')
 const { ORIGIN_KEY, COMPONENT } = require('../../dd-trace/src/constants')
 const log = require('../../dd-trace/src/log')
+const NoopTracer = require('../../dd-trace/src/noop/tracer')
 
 const TEST_FRAMEWORK_NAME = 'cypress'
 
@@ -118,9 +120,32 @@ function getSkippableTests (isSuitesSkippingEnabled, tracer, testConfiguration)
   })
 }
 
+const noopTask = {
+  'dd:testSuiteStart': () => {
+    return null
+  },
+  'dd:beforeEach': () => {
+    return {}
+  },
+  'dd:afterEach': () => {
+    return null
+  },
+  'dd:addTags': () => {
+    return null
+  }
+}
+
 module.exports = (on, config) => {
   let isTestsSkipped = false
+  const skippedTests = []
   const tracer = require('../../dd-trace')
+
+  // The tracer was not init correctly for whatever reason (such as invalid DD_SITE)
+  if (tracer._tracer instanceof NoopTracer) {
+    // We still need to register these tasks or the support file will fail
+    return on('task', noopTask)
+  }
+
   const testEnvironmentMetadata = getTestEnvironmentMetadata(TEST_FRAMEWORK_NAME)
 
   const {
@@ -248,19 +273,23 @@ module.exports = (on, config) => {
     const cypressTests = tests || []
     const finishedTests = finishedTestsByFile[spec.relative] || []
 
-    // Get tests that didn't go through `dd:afterEach` and haven't been skipped by ITR
+    // Get tests that didn't go through `dd:afterEach`
     // and create a skipped test span for each of them
     cypressTests.filter(({ title }) => {
       const cypressTestName = title.join(' ')
-      const isSkippedByItr = testsToSkip.find(test =>
-        cypressTestName === test.name && spec.relative === test.suite
-      )
       const isTestFinished = finishedTests.find(({ testName }) => cypressTestName === testName)
 
-      return !isSkippedByItr && !isTestFinished
+      return !isTestFinished
     }).forEach(({ title }) => {
-      const skippedTestSpan = getTestSpan(title.join(' '), spec.relative)
+      const cypressTestName = title.join(' ')
+      const isSkippedByItr = testsToSkip.find(test =>
+        cypressTestName === test.name && spec.relative === test.suite
+      )
+      const skippedTestSpan = getTestSpan(cypressTestName, spec.relative)
       skippedTestSpan.setTag(TEST_STATUS, 'skip')
+      if (isSkippedByItr) {
+        skippedTestSpan.setTag(TEST_SKIPPED_BY_ITR, 'true')
+      }
       skippedTestSpan.finish()
     })
 
@@ -309,7 +338,9 @@ module.exports = (on, config) => {
         {
           isSuitesSkipped: isTestsSkipped,
           isSuitesSkippingEnabled,
-          isCodeCoverageEnabled
+          isCodeCoverageEnabled,
+          skippingType: 'test',
+          skippingCount: skippedTests.length
         }
       )
 
@@ -320,12 +351,16 @@ module.exports = (on, config) => {
     }
 
     return new Promise(resolve => {
-      if (tracer._tracer._exporter.flush) {
-        tracer._tracer._exporter.flush(() => {
+      const exporter = tracer._tracer._exporter
+      if (!exporter) {
+        return resolve(null)
+      }
+      if (exporter.flush) {
+        exporter.flush(() => {
           resolve(null)
         })
-      } else {
-        tracer._tracer._exporter._writer.flush(() => {
+      } else if (exporter._writer) {
+        exporter._writer.flush(() => {
           resolve(null)
         })
       }
@@ -353,6 +388,7 @@ module.exports = (on, config) => {
       if (testsToSkip.find(test => {
         return testName === test.name && testSuite === test.suite
       })) {
+        skippedTests.push(test)
         isTestsSkipped = true
         return { shouldSkip: true }
       }
@@ -366,7 +402,7 @@ module.exports = (on, config) => {
     'dd:afterEach': ({ test, coverage }) => {
       const { state, error, isRUMActive, testSourceLine, testSuite, testName } = test
       if (activeSpan) {
-        if (coverage && tracer._tracer._exporter.exportCoverage && isCodeCoverageEnabled) {
+        if (coverage && isCodeCoverageEnabled && tracer._tracer._exporter && tracer._tracer._exporter.exportCoverage) {
           const coverageFiles = getCoveredFilenamesFromCoverage(coverage)
           const relativeCoverageFiles = coverageFiles.map(file => getTestSuitePath(file, rootDir))
           const { _traceId, _spanId } = testSuiteSpan.context()

package/packages/datadog-plugin-graphql/src/index.js

@@ -56,9 +56,9 @@ function getVariablesFilter (config) {
 
 function getHooks (config) {
   const noop = () => { }
-  const execute = (config.hooks && config.hooks.execute) || noop
-  const parse = (config.hooks && config.hooks.parse) || noop
-  const validate = (config.hooks && config.hooks.validate) || noop
+  const execute = config.hooks?.execute || noop
+  const parse = config.hooks?.parse || noop
+  const validate = config.hooks?.validate || noop
 
   return { execute, parse, validate }
 }

package/packages/datadog-plugin-graphql/src/resolve.js

@@ -8,13 +8,14 @@ class GraphQLResolvePlugin extends TracingPlugin {
   static get id () { return 'graphql' }
   static get operation () { return 'resolve' }
 
-  start ({ info, context }) {
+  start ({ info, context, args }) {
     const path = getPath(info, this.config)
 
     if (!shouldInstrument(this.config, path)) return
-
     const computedPathString = path.join('.')
 
+    addResolver(context, info, args)
+
     if (this.config.collapse) {
       if (!context[collapsedPathSym]) {
         context[collapsedPathSym] = {}
@@ -108,4 +109,28 @@ function withCollapse (responsePathAsArray) {
   }
 }
 
+function addResolver (context, info, args) {
+  if (info.rootValue && !info.rootValue[info.fieldName]) {
+    return
+  }
+
+  if (!context.resolvers) {
+    context.resolvers = {}
+  }
+
+  const resolvers = context.resolvers
+
+  if (!resolvers[info.fieldName]) {
+    if (args && Object.keys(args).length) {
+      resolvers[info.fieldName] = [args]
+    } else {
+      resolvers[info.fieldName] = []
+    }
+  } else {
+    if (args && Object.keys(args).length) {
+      resolvers[info.fieldName].push(args)
+    }
+  }
+}
+
 module.exports = GraphQLResolvePlugin

package/packages/datadog-plugin-jest/src/index.js

@@ -49,7 +49,8 @@ class JestPlugin extends CiPlugin {
       isSuitesSkipped,
       isSuitesSkippingEnabled,
       isCodeCoverageEnabled,
-      testCodeCoverageLinesTotal
+      testCodeCoverageLinesTotal,
+      numSkippedSuites
     }) => {
       this.testSessionSpan.setTag(TEST_STATUS, status)
       this.testModuleSpan.setTag(TEST_STATUS, status)
@@ -57,7 +58,14 @@ class JestPlugin extends CiPlugin {
       addIntelligentTestRunnerSpanTags(
         this.testSessionSpan,
         this.testModuleSpan,
-        { isSuitesSkipped, isSuitesSkippingEnabled, isCodeCoverageEnabled, testCodeCoverageLinesTotal }
+        {
+          isSuitesSkipped,
+          isSuitesSkippingEnabled,
+          isCodeCoverageEnabled,
+          testCodeCoverageLinesTotal,
+          skippingType: 'suite',
+          skippingCount: numSkippedSuites
+        }
       )
 
       this.testModuleSpan.finish()

package/packages/datadog-plugin-jest/src/util.js

@@ -48,10 +48,16 @@ function getJestTestName (test) {
 }
 
 function getJestSuitesToRun (skippableSuites, originalTests, rootDir) {
-  return originalTests.filter(({ path: testPath }) => {
-    const relativePath = getTestSuitePath(testPath, rootDir)
-    return !skippableSuites.includes(relativePath)
-  })
+  return originalTests.reduce((acc, test) => {
+    const relativePath = getTestSuitePath(test.path, rootDir)
+    const shouldBeSkipped = skippableSuites.includes(relativePath)
+    if (shouldBeSkipped) {
+      acc.skippedSuites.push(relativePath)
+    } else {
+      acc.suitesToRun.push(test)
+    }
+    return acc
+  }, { skippedSuites: [], suitesToRun: [] })
 }
 
 module.exports = { getFormattedJestTestParameters, getJestTestName, getJestSuitesToRun }

package/packages/datadog-plugin-mocha/src/index.js

@@ -135,7 +135,12 @@ class MochaPlugin extends CiPlugin {
       this._testNameToParams[name] = params
     })
 
-    this.addSub('ci:mocha:session:finish', ({ status, isSuitesSkipped, testCodeCoverageLinesTotal }) => {
+    this.addSub('ci:mocha:session:finish', ({
+      status,
+      isSuitesSkipped,
+      testCodeCoverageLinesTotal,
+      numSkippedSuites
+    }) => {
       if (this.testSessionSpan) {
         const { isSuitesSkippingEnabled, isCodeCoverageEnabled } = this.itrConfig || {}
         this.testSessionSpan.setTag(TEST_STATUS, status)
@@ -144,7 +149,14 @@ class MochaPlugin extends CiPlugin {
         addIntelligentTestRunnerSpanTags(
           this.testSessionSpan,
           this.testModuleSpan,
-          { isSuitesSkipped, isSuitesSkippingEnabled, isCodeCoverageEnabled, testCodeCoverageLinesTotal }
+          {
+            isSuitesSkipped,
+            isSuitesSkippingEnabled,
+            isCodeCoverageEnabled,
+            testCodeCoverageLinesTotal,
+            skippingCount: numSkippedSuites,
+            skippingType: 'suite'
+          }
         )
 
         this.testModuleSpan.finish()

package/packages/datadog-plugin-mongodb-core/src/index.js

@@ -36,10 +36,14 @@ class MongodbCorePlugin extends DatabasePlugin {
   }
 }
 
+function sanitizeBigInt (data) {
+  return JSON.stringify(data, (_key, value) => typeof value === 'bigint' ? value.toString() : value)
+}
+
 function getQuery (cmd) {
   if (!cmd || typeof cmd !== 'object' || Array.isArray(cmd)) return
-  if (cmd.query) return JSON.stringify(limitDepth(cmd.query))
-  if (cmd.filter) return JSON.stringify(limitDepth(cmd.filter))
+  if (cmd.query) return sanitizeBigInt(limitDepth(cmd.query))
+  if (cmd.filter) return sanitizeBigInt(limitDepth(cmd.filter))
 }
 
 function getResource (plugin, ns, query, operationName) {

package/packages/datadog-plugin-mysql/src/index.js

@@ -9,7 +9,7 @@ class MySQLPlugin extends DatabasePlugin {
 
   start (payload) {
     const service = this.serviceName({ pluginConfig: this.config, dbConfig: payload.conf, system: this.system })
-    this.startSpan(this.operationName(), {
+    const span = this.startSpan(this.operationName(), {
       service,
       resource: payload.sql,
       type: 'sql',
@@ -22,7 +22,7 @@ class MySQLPlugin extends DatabasePlugin {
         [CLIENT_PORT_KEY]: payload.conf.port
       }
     })
-    payload.sql = this.injectDbmQuery(payload.sql, service)
+    payload.sql = this.injectDbmQuery(span, payload.sql, service)
   }
 }
 

package/packages/datadog-plugin-next/src/index.js

@@ -4,6 +4,7 @@ const ServerPlugin = require('../../dd-trace/src/plugins/server')
 const { storage } = require('../../datadog-core')
 const analyticsSampler = require('../../dd-trace/src/analytics_sampler')
 const { COMPONENT } = require('../../dd-trace/src/constants')
+const web = require('../../dd-trace/src/plugins/util/web')
 
 class NextPlugin extends ServerPlugin {
   static get id () {
@@ -16,7 +17,7 @@ class NextPlugin extends ServerPlugin {
     this.addSub('apm:next:page:load', message => this.pageLoad(message))
   }
 
-  start ({ req, res }) {
+  bindStart ({ req, res }) {
     const store = storage.getStore()
     const childOf = store ? store.span : store
     const span = this.tracer.startSpan(this.operationName(), {
@@ -33,9 +34,13 @@ class NextPlugin extends ServerPlugin {
 
     analyticsSampler.sample(span, this.config.measured, true)
 
-    this.enter(span, store)
-
     this._requests.set(span, req)
+
+    return { ...store, span }
+  }
+
+  error ({ span, error }) {
+    this.addError(error, span)
   }
 
   finish ({ req, res }) {
@@ -59,7 +64,7 @@ class NextPlugin extends ServerPlugin {
     span.finish()
   }
 
-  pageLoad ({ page }) {
+  pageLoad ({ page, isAppPath }) {
     const store = storage.getStore()
 
     if (!store) return
@@ -69,15 +74,27 @@ class NextPlugin extends ServerPlugin {
 
     // Only use error page names if there's not already a name
     const current = span.context()._tags['next.page']
-    if (current && (page === '/404' || page === '/500' || page === '/_error')) {
+    if (current && ['/404', '/500', '/_error', '/_not-found'].includes(page)) {
       return
     }
 
+    // remove ending /route or /page for appDir projects
+    if (isAppPath) page = page.substring(0, page.lastIndexOf('/'))
+
+    // This is for static files whose 'page' includes the whole file path
+    // For normal page matches, like /api/hello/[name] and a req.url like /api/hello/world,
+    // nothing should happen
+    // For page matches like /User/something/public/text.txt and req.url like /text.txt,
+    // it should disregard the extra absolute path Next.js sometimes sets
+    if (page.includes(req.url)) page = req.url
+
     span.addTags({
       [COMPONENT]: this.constructor.id,
       'resource.name': `${req.method} ${page}`.trim(),
       'next.page': page
     })
+
+    web.setRoute(req, page)
   }
 
   configure (config) {

package/packages/datadog-plugin-pg/src/index.js

@@ -12,7 +12,7 @@ class PGPlugin extends DatabasePlugin {
     const service = this.serviceName({ pluginConfig: this.config, params })
     const originalStatement = this.maybeTruncate(query.text)
 
-    this.startSpan(this.operationName(), {
+    const span = this.startSpan(this.operationName(), {
       service,
       resource: originalStatement,
       type: 'sql',
@@ -27,7 +27,7 @@ class PGPlugin extends DatabasePlugin {
       }
     })
 
-    query.__ddInjectableQuery = this.injectDbmQuery(query.text, service, !!query.name)
+    query.__ddInjectableQuery = this.injectDbmQuery(span, query.text, service, !!query.name)
   }
 }
 

package/packages/dd-trace/src/appsec/addresses.js

@@ -12,6 +12,7 @@ module.exports = {
   HTTP_INCOMING_RESPONSE_CODE: 'server.response.status',
   HTTP_INCOMING_RESPONSE_HEADERS: 'server.response.headers.no_cookies',
   // TODO: 'server.response.trailers',
+  HTTP_INCOMING_GRAPHQL_RESOLVERS: 'graphql.server.all_resolvers',
 
   HTTP_CLIENT_IP: 'http.client_ip',
 

package/packages/dd-trace/src/appsec/channels.js

@@ -5,6 +5,8 @@ const dc = require('../../../diagnostics_channel')
 // TODO: use TBD naming convention
 module.exports = {
   bodyParser: dc.channel('datadog:body-parser:read:finish'),
+  cookieParser: dc.channel('datadog:cookie-parser:read:finish'),
+  graphqlFinishExecute: dc.channel('apm:graphql:execute:finish'),
   incomingHttpRequestStart: dc.channel('dd-trace:incomingHttpRequestStart'),
   incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
   passportVerify: dc.channel('datadog:passport:verify:finish'),

package/packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js

@@ -1,6 +1,9 @@
 'use strict'
 const InjectionAnalyzer = require('./injection-analyzer')
 const { LDAP_INJECTION } = require('../vulnerabilities')
+const { getNodeModulesPaths } = require('../path-line')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('ldapjs-promise')
 
 class LdapInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -10,6 +13,10 @@ class LdapInjectionAnalyzer extends InjectionAnalyzer {
   onConfigure () {
     this.addSub('datadog:ldapjs:client:search', ({ base, filter }) => this.analyzeAll(base, filter))
   }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
 }
 
 module.exports = new LdapInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -8,7 +8,7 @@ const { getIastContext } = require('../iast-context')
 const { addVulnerability } = require('../vulnerability-reporter')
 const { getNodeModulesPaths } = require('../path-line')
 
-const EXCLUDED_PATHS = getNodeModulesPaths('mysql2', 'sequelize')
+const EXCLUDED_PATHS = getNodeModulesPaths('mysql', 'mysql2', 'sequelize', 'pg-pool')
 
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -20,21 +20,33 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
     this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
     this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, 'POSTGRES'))
 
-    this.addSub('datadog:sequelize:query:start', ({ sql, dialect }) => {
-      const parentStore = storage.getStore()
-      if (parentStore) {
-        this.analyze(sql, dialect.toUpperCase())
-
-        storage.enterWith({ ...parentStore, sqlAnalyzed: true, sequelizeParentStore: parentStore })
-      }
-    })
-
-    this.addSub('datadog:sequelize:query:finish', () => {
-      const store = storage.getStore()
-      if (store && store.sequelizeParentStore) {
-        storage.enterWith(store.sequelizeParentStore)
-      }
-    })
+    this.addSub(
+      'datadog:sequelize:query:start',
+      ({ sql, dialect }) => this.getStoreAndAnalyze(sql, dialect.toUpperCase())
+    )
+    this.addSub('datadog:sequelize:query:finish', () => this.returnToParentStore())
+
+    this.addSub('datadog:pg:pool:query:start', ({ query }) => this.getStoreAndAnalyze(query.text, 'POSTGRES'))
+    this.addSub('datadog:pg:pool:query:finish', () => this.returnToParentStore())
+
+    this.addSub('datadog:mysql:pool:query:start', ({ sql }) => this.getStoreAndAnalyze(sql, 'MYSQL'))
+    this.addSub('datadog:mysql:pool:query:finish', () => this.returnToParentStore())
+  }
+
+  getStoreAndAnalyze (query, dialect) {
+    const parentStore = storage.getStore()
+    if (parentStore) {
+      this.analyze(query, dialect, parentStore)
+
+      storage.enterWith({ ...parentStore, sqlAnalyzed: true, sqlParentStore: parentStore })
+    }
+  }
+
+  returnToParentStore () {
+    const store = storage.getStore()
+    if (store && store.sqlParentStore) {
+      storage.enterWith(store.sqlParentStore)
+    }
   }
 
   _getEvidence (value, iastContext, dialect) {
@@ -42,8 +54,7 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
     return { value, ranges, dialect }
   }
 
-  analyze (value, dialect) {
-    const store = storage.getStore()
+  analyze (value, dialect, store = storage.getStore()) {
     if (!(store && store.sqlAnalyzed)) {
       const iastContext = getIastContext(store)
       if (this._isInvalidContext(store, iastContext)) return

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -6,6 +6,7 @@ const { addVulnerability } = require('../vulnerability-reporter')
 const { getIastContext } = require('../iast-context')
 const overheadController = require('../overhead-controller')
 const { SinkIastPlugin } = require('../iast-plugin')
+const { getOriginalPathAndLineFromSourceMap } = require('../taint-tracking/rewriter')
 
 class Analyzer extends SinkIastPlugin {
   constructor (type) {
@@ -25,8 +26,9 @@ class Analyzer extends SinkIastPlugin {
     const evidence = this._getEvidence(value, context)
     const location = this._getLocation(value)
     if (!this._isExcluded(location)) {
+      const locationSourceMap = this._replaceLocationFromSourceMap(location)
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
-      const vulnerability = this._createVulnerability(this._type, evidence, spanId, location)
+      const vulnerability = this._createVulnerability(this._type, evidence, spanId, locationSourceMap)
       addVulnerability(context, vulnerability)
     }
   }
@@ -47,6 +49,22 @@ class Analyzer extends SinkIastPlugin {
     return getFirstNonDDPathAndLine(this._getExcludedPaths())
   }
 
+  _replaceLocationFromSourceMap (location) {
+    if (location) {
+      const { path, line, column } = getOriginalPathAndLineFromSourceMap(location)
+      if (path) {
+        location.path = path
+      }
+      if (line) {
+        location.line = line
+      }
+      if (column) {
+        location.column = column
+      }
+    }
+    return location
+  }
+
   _getExcludedPaths () {}
 
   _isInvalidContext (store, iastContext) {

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -47,6 +47,7 @@ function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedPat
         return {
           path: path.relative(process.cwd(), filepath),
           line: callsite.getLineNumber(),
+          column: callsite.getColumnNumber(),
           isInternal: !path.isAbsolute(filepath)
         }
       }

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js

@@ -66,7 +66,7 @@ function taintObject (iastContext, object, type, keyTainting, keyType) {
               const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
               parent[taintedProperty] = tainted
             } else {
-              parent[property] = tainted
+              parent[key] = tainted
             }
           }
         } else if (typeof value === 'object' && !visited.has(value)) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js

@@ -10,12 +10,51 @@ const { getRewriteFunction } = require('./rewriter-telemetry')
 
 let rewriter
 let getPrepareStackTrace
+
+let getRewriterOriginalPathAndLineFromSourceMap = function (path, line, column) {
+  return { path, line, column }
+}
+
+function isFlagPresent (flag) {
+  return process.env.NODE_OPTIONS?.includes(flag) ||
+    process.execArgv?.some(arg => arg.includes(flag))
+}
+
+function getGetOriginalPathAndLineFromSourceMapFunction (chainSourceMap, getOriginalPathAndLineFromSourceMap) {
+  if (chainSourceMap) {
+    return function (path, line, column) {
+      // if --enable-source-maps is present stacktraces of the rewritten files contain the original path, file and
+      // column because the sourcemap chaining is done during the rewriting process so we can skip it
+      if (isPrivateModule(path) && isNotLibraryFile(path)) {
+        return { path, line, column }
+      } else {
+        return getOriginalPathAndLineFromSourceMap(path, line, column)
+      }
+    }
+  } else {
+    return getOriginalPathAndLineFromSourceMap
+  }
+}
+
 function getRewriter (telemetryVerbosity) {
   if (!rewriter) {
-    const iastRewriter = require('@datadog/native-iast-rewriter')
-    const Rewriter = iastRewriter.Rewriter
-    getPrepareStackTrace = iastRewriter.getPrepareStackTrace
-    rewriter = new Rewriter({ csiMethods, telemetryVerbosity: getName(telemetryVerbosity) })
+    try {
+      const iastRewriter = require('@datadog/native-iast-rewriter')
+      const Rewriter = iastRewriter.Rewriter
+      getPrepareStackTrace = iastRewriter.getPrepareStackTrace
+
+      const chainSourceMap = isFlagPresent('--enable-source-maps')
+      const getOriginalPathAndLineFromSourceMap = iastRewriter.getOriginalPathAndLineFromSourceMap
+      if (getOriginalPathAndLineFromSourceMap) {
+        getRewriterOriginalPathAndLineFromSourceMap =
+          getGetOriginalPathAndLineFromSourceMapFunction(chainSourceMap, getOriginalPathAndLineFromSourceMap)
+      }
+
+      rewriter = new Rewriter({ csiMethods, telemetryVerbosity: getName(telemetryVerbosity), chainSourceMap })
+    } catch (e) {
+      iastLog.error('Unable to initialize TaintTracking Rewriter')
+        .errorAndPublish(e)
+    }
   }
   return rewriter
 }
@@ -74,6 +113,10 @@ function disableRewriter () {
   Error.prepareStackTrace = originalPrepareStackTrace
 }
 
+function getOriginalPathAndLineFromSourceMap ({ path, line, column }) {
+  return getRewriterOriginalPathAndLineFromSourceMap(path, line, column)
+}
+
 module.exports = {
-  enableRewriter, disableRewriter
+  enableRewriter, disableRewriter, getOriginalPathAndLineFromSourceMap
 }

package/packages/dd-trace/src/appsec/iast/telemetry/index.js

@@ -5,11 +5,20 @@ const telemetryLogs = require('./log')
 const { Verbosity, getVerbosity } = require('./verbosity')
 const { initRequestNamespace, finalizeRequestNamespace, globalNamespace } = require('./namespaces')
 
+function isIastMetricsEnabled (metrics) {
+  // TODO: let DD_TELEMETRY_METRICS_ENABLED as undefined in config.js to avoid read here the env property
+  return process.env.DD_TELEMETRY_METRICS_ENABLED !== undefined ? metrics : true
+}
+
 class Telemetry {
   configure (config, verbosity) {
-    // in order to telemetry be enabled, tracer telemetry and metrics collection have to be enabled
-    this.enabled = config && config.telemetry && config.telemetry.enabled && config.telemetry.metrics
-    this.verbosity = this.enabled ? getVerbosity(verbosity) : Verbosity.OFF
+    const telemetryAndMetricsEnabled = config &&
+      config.telemetry &&
+      config.telemetry.enabled &&
+      isIastMetricsEnabled(config.telemetry.metrics)
+
+    this.verbosity = telemetryAndMetricsEnabled ? getVerbosity(verbosity) : Verbosity.OFF
+    this.enabled = this.verbosity !== Verbosity.OFF
 
     if (this.enabled) {
       telemetryMetrics.manager.set('iast', globalNamespace)
@@ -30,13 +39,13 @@ class Telemetry {
   }
 
   onRequestStart (context) {
-    if (this.isEnabled() && this.verbosity !== Verbosity.OFF) {
+    if (this.isEnabled()) {
       initRequestNamespace(context)
     }
   }
 
   onRequestEnd (context, rootSpan) {
-    if (this.isEnabled() && this.verbosity !== Verbosity.OFF) {
+    if (this.isEnabled()) {
       finalizeRequestNamespace(context, rootSpan)
     }
   }