dd-trace 4.13.1 → 4.15.0

package/index.d.ts

@@ -649,7 +649,7 @@ export declare interface DogStatsD {
    * Increments a metric by the specified value, optionally specifying tags.
    * @param {string} stat The dot-separated metric name.
    * @param {number} value The amount to increment the stat by.
-   * @param {[tag:string]:string|number} tags Tags to pass along, such as `[ 'foo:bar' ]`. Values are combined with config.tags.
+   * @param {[tag:string]:string|number} tags Tags to pass along, such as `{ foo: 'bar' }`. Values are combined with config.tags.
    */
   increment(stat: string, value?: number, tags?: { [tag: string]: string|number }): void
 
@@ -657,7 +657,7 @@ export declare interface DogStatsD {
    * Decrements a metric by the specified value, optionally specifying tags.
    * @param {string} stat The dot-separated metric name.
    * @param {number} value The amount to decrement the stat by.
-   * @param {[tag:string]:string|number} tags Tags to pass along, such as `[ 'foo:bar' ]`. Values are combined with config.tags.
+   * @param {[tag:string]:string|number} tags Tags to pass along, such as `{ foo: 'bar' }`. Values are combined with config.tags.
    */
   decrement(stat: string, value?: number, tags?: { [tag: string]: string|number }): void
 
@@ -665,7 +665,7 @@ export declare interface DogStatsD {
    * Sets a distribution value, optionally specifying tags.
    * @param {string} stat The dot-separated metric name.
    * @param {number} value The amount to increment the stat by.
-   * @param {[tag:string]:string|number} tags Tags to pass along, such as `[ 'foo:bar' ]`. Values are combined with config.tags.
+   * @param {[tag:string]:string|number} tags Tags to pass along, such as `{ foo: 'bar' }`. Values are combined with config.tags.
    */
   distribution(stat: string, value?: number, tags?: { [tag: string]: string|number }): void
 
@@ -673,7 +673,7 @@ export declare interface DogStatsD {
    * Sets a gauge value, optionally specifying tags.
    * @param {string} stat The dot-separated metric name.
    * @param {number} value The amount to increment the stat by.
-   * @param {[tag:string]:string|number} tags Tags to pass along, such as `[ 'foo:bar' ]`. Values are combined with config.tags.
+   * @param {[tag:string]:string|number} tags Tags to pass along, such as `{ foo: 'bar' }`. Values are combined with config.tags.
    */
   gauge(stat: string, value?: number, tags?: { [tag: string]: string|number }): void
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "4.13.1",
+  "version": "4.15.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",
@@ -18,7 +18,7 @@
     "test:appsec": "mocha --colors --exit -r \"packages/dd-trace/test/setup/mocha.js\" --exclude \"packages/dd-trace/test/appsec/**/*.plugin.spec.js\" \"packages/dd-trace/test/appsec/**/*.spec.js\"",
     "test:appsec:ci": "nyc --no-clean --include \"packages/dd-trace/src/appsec/**/*.js\" --exclude \"packages/dd-trace/test/appsec/**/*.plugin.spec.js\" -- npm run test:appsec",
     "test:appsec:plugins": "mocha --colors --exit -r \"packages/dd-trace/test/setup/mocha.js\" \"packages/dd-trace/test/appsec/**/*.@($(echo $PLUGINS)).plugin.spec.js\"",
-    "test:appsec:plugins:ci": "yarn services && nyc --no-clean --include \"packages/dd-trace/test/appsec/**/*.@($(echo $PLUGINS)).plugin.spec.js\" -- npm run test:appsec:plugins",
+    "test:appsec:plugins:ci": "yarn services && nyc --no-clean --include \"packages/dd-trace/src/appsec/**/*.js\" -- npm run test:appsec:plugins",
     "test:trace:core": "tap packages/dd-trace/test/*.spec.js \"packages/dd-trace/test/{ci-visibility,encode,exporters,opentelemetry,opentracing,plugins,service-naming,telemetry}/**/*.spec.js\"",
     "test:trace:core:ci": "npm run test:trace:core -- --coverage --nyc-arg=--include=\"packages/dd-trace/src/**/*.js\"",
     "test:instrumentations": "mocha --colors -r 'packages/dd-trace/test/setup/mocha.js' 'packages/datadog-instrumentations/test/**/*.spec.js'",
@@ -68,7 +68,7 @@
   },
   "dependencies": {
     "@datadog/native-appsec": "^3.2.0",
-    "@datadog/native-iast-rewriter": "2.0.1",
+    "@datadog/native-iast-rewriter": "2.1.3",
     "@datadog/native-iast-taint-tracking": "1.5.0",
     "@datadog/native-metrics": "^2.0.0",
     "@datadog/pprof": "3.2.0",

package/packages/datadog-instrumentations/src/graphql.js

@@ -188,7 +188,7 @@ function wrapExecute (execute) {
             executeErrorCh.publish(error)
           }
 
-          finishExecuteCh.publish({ res, args })
+          finishExecuteCh.publish({ res, args, context })
         })
       })
     }
@@ -205,7 +205,7 @@ function wrapResolve (resolve) {
 
     if (!context) return resolve.apply(this, arguments)
 
-    const field = assertField(context, info)
+    const field = assertField(context, info, args)
 
     return callInAsyncScope(resolve, field.asyncResource, this, arguments, (err) => {
       updateFieldCh.publish({ field, info, err })
@@ -250,7 +250,7 @@ function pathToArray (path) {
   return flattened.reverse()
 }
 
-function assertField (context, info) {
+function assertField (context, info, args) {
   const pathInfo = info && info.path
 
   const path = pathToArray(pathInfo)
@@ -272,7 +272,8 @@ function assertField (context, info) {
       childResource.runInAsyncScope(() => {
         startResolveCh.publish({
           info,
-          context
+          context,
+          args
         })
       })
 

package/packages/datadog-instrumentations/src/mocha.js

@@ -441,6 +441,9 @@ addHook({
   file: 'lib/cli/run-helpers.js'
 }, (run) => {
   shimmer.wrap(run, 'runMocha', runMocha => async function () {
+    if (!testStartCh.hasSubscribers) {
+      return runMocha.apply(this, arguments)
+    }
     const mocha = arguments[0]
     /**
      * This attaches `run` to the global context, which we'll call after

package/packages/datadog-instrumentations/src/mysql.js

@@ -17,7 +17,7 @@ addHook({ name: 'mysql', file: 'lib/Connection.js', versions: ['>=2'] }, Connect
       return query.apply(this, arguments)
     }
 
-    const sql = arguments[0].sql ? arguments[0].sql : arguments[0]
+    const sql = arguments[0].sql || arguments[0]
     const conf = this.config
     const payload = { sql, conf }
 
@@ -66,9 +66,47 @@ addHook({ name: 'mysql', file: 'lib/Connection.js', versions: ['>=2'] }, Connect
 })
 
 addHook({ name: 'mysql', file: 'lib/Pool.js', versions: ['>=2'] }, Pool => {
+  const startPoolQueryCh = channel('datadog:mysql:pool:query:start')
+  const finishPoolQueryCh = channel('datadog:mysql:pool:query:finish')
+
   shimmer.wrap(Pool.prototype, 'getConnection', getConnection => function (cb) {
     arguments[0] = AsyncResource.bind(cb)
     return getConnection.apply(this, arguments)
   })
+
+  shimmer.wrap(Pool.prototype, 'query', query => function () {
+    if (!startPoolQueryCh.hasSubscribers) {
+      return query.apply(this, arguments)
+    }
+
+    const asyncResource = new AsyncResource('bound-anonymous-fn')
+
+    const sql = arguments[0].sql || arguments[0]
+
+    return asyncResource.runInAsyncScope(() => {
+      startPoolQueryCh.publish({ sql })
+
+      const finish = asyncResource.bind(function () {
+        finishPoolQueryCh.publish()
+      })
+
+      const cb = arguments[arguments.length - 1]
+      if (typeof cb === 'function') {
+        arguments[arguments.length - 1] = shimmer.wrap(cb, function () {
+          finish()
+          return cb.apply(this, arguments)
+        })
+      }
+
+      const retval = query.apply(this, arguments)
+
+      if (retval && retval.then) {
+        retval.then(finish).catch(finish)
+      }
+
+      return retval
+    })
+  })
+
   return Pool
 })

package/packages/datadog-plugin-cypress/src/plugin.js

@@ -25,6 +25,7 @@ const {
 } = require('../../dd-trace/src/plugins/util/test')
 const { ORIGIN_KEY, COMPONENT } = require('../../dd-trace/src/constants')
 const log = require('../../dd-trace/src/log')
+const NoopTracer = require('../../dd-trace/src/noop/tracer')
 
 const TEST_FRAMEWORK_NAME = 'cypress'
 
@@ -119,10 +120,32 @@ function getSkippableTests (isSuitesSkippingEnabled, tracer, testConfiguration)
   })
 }
 
+const noopTask = {
+  'dd:testSuiteStart': () => {
+    return null
+  },
+  'dd:beforeEach': () => {
+    return {}
+  },
+  'dd:afterEach': () => {
+    return null
+  },
+  'dd:addTags': () => {
+    return null
+  }
+}
+
 module.exports = (on, config) => {
   let isTestsSkipped = false
   const skippedTests = []
   const tracer = require('../../dd-trace')
+
+  // The tracer was not init correctly for whatever reason (such as invalid DD_SITE)
+  if (tracer._tracer instanceof NoopTracer) {
+    // We still need to register these tasks or the support file will fail
+    return on('task', noopTask)
+  }
+
   const testEnvironmentMetadata = getTestEnvironmentMetadata(TEST_FRAMEWORK_NAME)
 
   const {
@@ -328,12 +351,16 @@ module.exports = (on, config) => {
     }
 
     return new Promise(resolve => {
-      if (tracer._tracer._exporter.flush) {
-        tracer._tracer._exporter.flush(() => {
+      const exporter = tracer._tracer._exporter
+      if (!exporter) {
+        return resolve(null)
+      }
+      if (exporter.flush) {
+        exporter.flush(() => {
           resolve(null)
         })
-      } else {
-        tracer._tracer._exporter._writer.flush(() => {
+      } else if (exporter._writer) {
+        exporter._writer.flush(() => {
           resolve(null)
         })
       }
@@ -375,7 +402,7 @@ module.exports = (on, config) => {
     'dd:afterEach': ({ test, coverage }) => {
       const { state, error, isRUMActive, testSourceLine, testSuite, testName } = test
       if (activeSpan) {
-        if (coverage && tracer._tracer._exporter.exportCoverage && isCodeCoverageEnabled) {
+        if (coverage && isCodeCoverageEnabled && tracer._tracer._exporter && tracer._tracer._exporter.exportCoverage) {
           const coverageFiles = getCoveredFilenamesFromCoverage(coverage)
           const relativeCoverageFiles = coverageFiles.map(file => getTestSuitePath(file, rootDir))
           const { _traceId, _spanId } = testSuiteSpan.context()

package/packages/datadog-plugin-graphql/src/resolve.js

@@ -8,13 +8,14 @@ class GraphQLResolvePlugin extends TracingPlugin {
   static get id () { return 'graphql' }
   static get operation () { return 'resolve' }
 
-  start ({ info, context }) {
+  start ({ info, context, args }) {
     const path = getPath(info, this.config)
 
     if (!shouldInstrument(this.config, path)) return
-
     const computedPathString = path.join('.')
 
+    addResolver(context, info, args)
+
     if (this.config.collapse) {
       if (!context[collapsedPathSym]) {
         context[collapsedPathSym] = {}
@@ -108,4 +109,28 @@ function withCollapse (responsePathAsArray) {
   }
 }
 
+function addResolver (context, info, args) {
+  if (info.rootValue && !info.rootValue[info.fieldName]) {
+    return
+  }
+
+  if (!context.resolvers) {
+    context.resolvers = {}
+  }
+
+  const resolvers = context.resolvers
+
+  if (!resolvers[info.fieldName]) {
+    if (args && Object.keys(args).length) {
+      resolvers[info.fieldName] = [args]
+    } else {
+      resolvers[info.fieldName] = []
+    }
+  } else {
+    if (args && Object.keys(args).length) {
+      resolvers[info.fieldName].push(args)
+    }
+  }
+}
+
 module.exports = GraphQLResolvePlugin

package/packages/dd-trace/src/appsec/addresses.js

@@ -12,6 +12,7 @@ module.exports = {
   HTTP_INCOMING_RESPONSE_CODE: 'server.response.status',
   HTTP_INCOMING_RESPONSE_HEADERS: 'server.response.headers.no_cookies',
   // TODO: 'server.response.trailers',
+  HTTP_INCOMING_GRAPHQL_RESOLVERS: 'graphql.server.all_resolvers',
 
   HTTP_CLIENT_IP: 'http.client_ip',
 

package/packages/dd-trace/src/appsec/channels.js

@@ -5,6 +5,7 @@ const dc = require('../../../diagnostics_channel')
 // TODO: use TBD naming convention
 module.exports = {
   bodyParser: dc.channel('datadog:body-parser:read:finish'),
+  graphqlFinishExecute: dc.channel('apm:graphql:execute:finish'),
   incomingHttpRequestStart: dc.channel('dd-trace:incomingHttpRequestStart'),
   incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
   passportVerify: dc.channel('datadog:passport:verify:finish'),

package/packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js

@@ -1,6 +1,9 @@
 'use strict'
 const InjectionAnalyzer = require('./injection-analyzer')
 const { LDAP_INJECTION } = require('../vulnerabilities')
+const { getNodeModulesPaths } = require('../path-line')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('ldapjs-promise')
 
 class LdapInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -10,6 +13,10 @@ class LdapInjectionAnalyzer extends InjectionAnalyzer {
   onConfigure () {
     this.addSub('datadog:ldapjs:client:search', ({ base, filter }) => this.analyzeAll(base, filter))
   }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
 }
 
 module.exports = new LdapInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -8,7 +8,7 @@ const { getIastContext } = require('../iast-context')
 const { addVulnerability } = require('../vulnerability-reporter')
 const { getNodeModulesPaths } = require('../path-line')
 
-const EXCLUDED_PATHS = getNodeModulesPaths('mysql2', 'sequelize', 'pg-pool')
+const EXCLUDED_PATHS = getNodeModulesPaths('mysql', 'mysql2', 'sequelize', 'pg-pool')
 
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -20,37 +20,33 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
     this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
     this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, 'POSTGRES'))
 
-    this.addSub('datadog:sequelize:query:start', ({ sql, dialect }) => {
-      const parentStore = storage.getStore()
-      if (parentStore) {
-        this.analyze(sql, dialect.toUpperCase(), parentStore)
-
-        storage.enterWith({ ...parentStore, sqlAnalyzed: true, sequelizeParentStore: parentStore })
-      }
-    })
-
-    this.addSub('datadog:sequelize:query:finish', () => {
-      const store = storage.getStore()
-      if (store && store.sequelizeParentStore) {
-        storage.enterWith(store.sequelizeParentStore)
-      }
-    })
-
-    this.addSub('datadog:pg:pool:query:start', ({ query }) => {
-      const parentStore = storage.getStore()
-      if (parentStore) {
-        this.analyze(query.text, 'POSTGRES', parentStore)
-
-        storage.enterWith({ ...parentStore, sqlAnalyzed: true, pgPoolParentStore: parentStore })
-      }
-    })
-
-    this.addSub('datadog:pg:pool:query:finish', () => {
-      const store = storage.getStore()
-      if (store && store.pgPoolParentStore) {
-        storage.enterWith(store.pgPoolParentStore)
-      }
-    })
+    this.addSub(
+      'datadog:sequelize:query:start',
+      ({ sql, dialect }) => this.getStoreAndAnalyze(sql, dialect.toUpperCase())
+    )
+    this.addSub('datadog:sequelize:query:finish', () => this.returnToParentStore())
+
+    this.addSub('datadog:pg:pool:query:start', ({ query }) => this.getStoreAndAnalyze(query.text, 'POSTGRES'))
+    this.addSub('datadog:pg:pool:query:finish', () => this.returnToParentStore())
+
+    this.addSub('datadog:mysql:pool:query:start', ({ sql }) => this.getStoreAndAnalyze(sql, 'MYSQL'))
+    this.addSub('datadog:mysql:pool:query:finish', () => this.returnToParentStore())
+  }
+
+  getStoreAndAnalyze (query, dialect) {
+    const parentStore = storage.getStore()
+    if (parentStore) {
+      this.analyze(query, dialect, parentStore)
+
+      storage.enterWith({ ...parentStore, sqlAnalyzed: true, sqlParentStore: parentStore })
+    }
+  }
+
+  returnToParentStore () {
+    const store = storage.getStore()
+    if (store && store.sqlParentStore) {
+      storage.enterWith(store.sqlParentStore)
+    }
   }
 
   _getEvidence (value, iastContext, dialect) {

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -6,6 +6,7 @@ const { addVulnerability } = require('../vulnerability-reporter')
 const { getIastContext } = require('../iast-context')
 const overheadController = require('../overhead-controller')
 const { SinkIastPlugin } = require('../iast-plugin')
+const { getOriginalPathAndLineFromSourceMap } = require('../taint-tracking/rewriter')
 
 class Analyzer extends SinkIastPlugin {
   constructor (type) {
@@ -25,8 +26,9 @@ class Analyzer extends SinkIastPlugin {
     const evidence = this._getEvidence(value, context)
     const location = this._getLocation(value)
     if (!this._isExcluded(location)) {
+      const locationSourceMap = this._replaceLocationFromSourceMap(location)
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
-      const vulnerability = this._createVulnerability(this._type, evidence, spanId, location)
+      const vulnerability = this._createVulnerability(this._type, evidence, spanId, locationSourceMap)
       addVulnerability(context, vulnerability)
     }
   }
@@ -47,6 +49,22 @@ class Analyzer extends SinkIastPlugin {
     return getFirstNonDDPathAndLine(this._getExcludedPaths())
   }
 
+  _replaceLocationFromSourceMap (location) {
+    if (location) {
+      const { path, line, column } = getOriginalPathAndLineFromSourceMap(location)
+      if (path) {
+        location.path = path
+      }
+      if (line) {
+        location.line = line
+      }
+      if (column) {
+        location.column = column
+      }
+    }
+    return location
+  }
+
   _getExcludedPaths () {}
 
   _isInvalidContext (store, iastContext) {

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -47,6 +47,7 @@ function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedPat
         return {
           path: path.relative(process.cwd(), filepath),
           line: callsite.getLineNumber(),
+          column: callsite.getColumnNumber(),
           isInternal: !path.isAbsolute(filepath)
         }
       }

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js

@@ -10,12 +10,51 @@ const { getRewriteFunction } = require('./rewriter-telemetry')
 
 let rewriter
 let getPrepareStackTrace
+
+let getRewriterOriginalPathAndLineFromSourceMap = function (path, line, column) {
+  return { path, line, column }
+}
+
+function isFlagPresent (flag) {
+  return process.env.NODE_OPTIONS?.includes(flag) ||
+    process.execArgv?.some(arg => arg.includes(flag))
+}
+
+function getGetOriginalPathAndLineFromSourceMapFunction (chainSourceMap, getOriginalPathAndLineFromSourceMap) {
+  if (chainSourceMap) {
+    return function (path, line, column) {
+      // if --enable-source-maps is present stacktraces of the rewritten files contain the original path, file and
+      // column because the sourcemap chaining is done during the rewriting process so we can skip it
+      if (isPrivateModule(path) && isNotLibraryFile(path)) {
+        return { path, line, column }
+      } else {
+        return getOriginalPathAndLineFromSourceMap(path, line, column)
+      }
+    }
+  } else {
+    return getOriginalPathAndLineFromSourceMap
+  }
+}
+
 function getRewriter (telemetryVerbosity) {
   if (!rewriter) {
-    const iastRewriter = require('@datadog/native-iast-rewriter')
-    const Rewriter = iastRewriter.Rewriter
-    getPrepareStackTrace = iastRewriter.getPrepareStackTrace
-    rewriter = new Rewriter({ csiMethods, telemetryVerbosity: getName(telemetryVerbosity) })
+    try {
+      const iastRewriter = require('@datadog/native-iast-rewriter')
+      const Rewriter = iastRewriter.Rewriter
+      getPrepareStackTrace = iastRewriter.getPrepareStackTrace
+
+      const chainSourceMap = isFlagPresent('--enable-source-maps')
+      const getOriginalPathAndLineFromSourceMap = iastRewriter.getOriginalPathAndLineFromSourceMap
+      if (getOriginalPathAndLineFromSourceMap) {
+        getRewriterOriginalPathAndLineFromSourceMap =
+          getGetOriginalPathAndLineFromSourceMapFunction(chainSourceMap, getOriginalPathAndLineFromSourceMap)
+      }
+
+      rewriter = new Rewriter({ csiMethods, telemetryVerbosity: getName(telemetryVerbosity), chainSourceMap })
+    } catch (e) {
+      iastLog.error('Unable to initialize TaintTracking Rewriter')
+        .errorAndPublish(e)
+    }
   }
   return rewriter
 }
@@ -74,6 +113,10 @@ function disableRewriter () {
   Error.prepareStackTrace = originalPrepareStackTrace
 }
 
+function getOriginalPathAndLineFromSourceMap ({ path, line, column }) {
+  return getRewriterOriginalPathAndLineFromSourceMap(path, line, column)
+}
+
 module.exports = {
-  enableRewriter, disableRewriter
+  enableRewriter, disableRewriter, getOriginalPathAndLineFromSourceMap
 }

package/packages/dd-trace/src/appsec/index.js

@@ -4,15 +4,17 @@ const log = require('../log')
 const RuleManager = require('./rule_manager')
 const remoteConfig = require('./remote_config')
 const {
+  bodyParser,
+  graphqlFinishExecute,
   incomingHttpRequestStart,
   incomingHttpRequestEnd,
-  bodyParser,
   passportVerify,
   queryParser
 } = require('./channels')
 const waf = require('./waf')
 const addresses = require('./addresses')
 const Reporter = require('./reporter')
+const appsecTelemetry = require('./telemetry')
 const web = require('../plugins/util/web')
 const { extractIp } = require('../plugins/util/ip_extractor')
 const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
@@ -35,10 +37,13 @@ function enable (_config) {
 
     Reporter.setRateLimit(_config.appsec.rateLimit)
 
+    appsecTelemetry.enable(_config.telemetry)
+
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
     bodyParser.subscribe(onRequestBodyParsed)
     queryParser.subscribe(onRequestQueryParsed)
+    graphqlFinishExecute.subscribe(onGraphqlFinishExecute)
 
     if (_config.appsec.eventTracking.enabled) {
       passportVerify.subscribe(onPassportVerify)
@@ -158,6 +163,20 @@ function onPassportVerify ({ credentials, user }) {
   passportTrackEvent(credentials, user, rootSpan, config.appsec.eventTracking.mode)
 }
 
+function onGraphqlFinishExecute ({ context }) {
+  const store = storage.getStore()
+  const req = store?.req
+
+  if (!req) return
+
+  const resolvers = context?.resolvers
+
+  if (!resolvers || typeof resolvers !== 'object') return
+
+  // Don't collect blocking result because it only works in monitor mode.
+  waf.run({ [addresses.HTTP_INCOMING_GRAPHQL_RESOLVERS]: resolvers }, req)
+}
+
 function handleResults (actions, req, res, rootSpan, abortController) {
   if (!actions || !req || !res || !rootSpan || !abortController) return
 
@@ -172,12 +191,15 @@ function disable () {
 
   RuleManager.clearAllRules()
 
+  appsecTelemetry.disable()
+
   remoteConfig.disableWafUpdate()
 
   // Channel#unsubscribe() is undefined for non active channels
+  if (bodyParser.hasSubscribers) bodyParser.unsubscribe(onRequestBodyParsed)
+  if (graphqlFinishExecute.hasSubscribers) graphqlFinishExecute.unsubscribe(onGraphqlFinishExecute)
   if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(incomingHttpStartTranslator)
   if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)
-  if (bodyParser.hasSubscribers) bodyParser.unsubscribe(onRequestBodyParsed)
   if (queryParser.hasSubscribers) queryParser.unsubscribe(onRequestQueryParsed)
   if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
 }

package/packages/dd-trace/src/appsec/recommended.json

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.7.1"
+    "rules_version": "1.7.2"
   },
   "rules": [
     {
@@ -1743,7 +1743,10 @@
               "sys/hypervisor",
               "sys/kernel",
               "sys/module",
-              "sys/power"
+              "sys/power",
+              "windows\\win.ini",
+              "default\\ntuser.dat",
+              "/var/run/secrets/kubernetes.io/serviceaccount"
             ]
           },
           "operator": "phrase_match"
@@ -2312,7 +2315,8 @@
         }
       ],
       "transformers": [
-        "lowercase"
+        "lowercase",
+        "cmdLine"
       ]
     },
     {
@@ -2950,7 +2954,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "[\\s\\\"'`;\\/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on(?:d(?:r(?:ag(?:en(?:ter|d)|leave|start|over)?|op)|urationchange|blclick)|s(?:e(?:ek(?:ing|ed)|arch|lect)|u(?:spend|bmit)|talled|croll|how)|m(?:ouse(?:(?:lea|mo)ve|o(?:ver|ut)|enter|down|up)|essage)|p(?:a(?:ge(?:hide|show)|(?:st|us)e)|lay(?:ing)?|rogress)|c(?:anplay(?:through)?|o(?:ntextmenu|py)|hange|lick|ut)|a(?:nimation(?:iteration|start|end)|(?:fterprin|bor)t)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|imeupdate)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?)|(?:(?:volume|hash)chang|o(?:ff|n)lin)e|b(?:efore(?:unload|print)|lur)|load(?:ed(?:meta)?data|start)?|r(?:es(?:ize|et)|atechange)|key(?:press|down|up)|w(?:aiting|heel)|in(?:valid|put)|e(?:nded|rror)|unload)[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
+            "regex": "\\bon(?:d(?:r(?:ag(?:en(?:ter|d)|leave|start|over)?|op)|urationchange|blclick)|s(?:e(?:ek(?:ing|ed)|arch|lect)|u(?:spend|bmit)|talled|croll|how)|m(?:ouse(?:(?:lea|mo)ve|o(?:ver|ut)|enter|down|up)|essage)|p(?:a(?:ge(?:hide|show)|(?:st|us)e)|lay(?:ing)?|rogress|aste|ointer(?:cancel|down|enter|leave|move|out|over|rawupdate|up))|c(?:anplay(?:through)?|o(?:ntextmenu|py)|hange|lick|ut)|a(?:nimation(?:iteration|start|end)|(?:fterprin|bor)t|uxclick|fterscriptexecute)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|imeupdate)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?|inish)|(?:(?:volume|hash)chang|o(?:ff|n)lin)e|b(?:efore(?:unload|print)|lur)|load(?:ed(?:meta)?data|start|end)?|r(?:es(?:ize|et)|atechange)|key(?:press|down|up)|w(?:aiting|heel)|in(?:valid|put)|e(?:nded|rror)|unload)[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
             "options": {
               "min_length": 8
             }
@@ -4636,6 +4640,46 @@
       ],
       "transformers": []
     },
+    {
+      "id": "dog-913-008",
+      "name": "Netsparker OOB domain",
+      "tags": {
+        "type": "commercial_scanner",
+        "category": "attack_attempt",
+        "tool_name": "Netsparker",
+        "confidence": "0"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "server.request.headers.no_cookies"
+              },
+              {
+                "address": "grpc.server.request.message"
+              }
+            ],
+            "regex": "\\b(?:\\.|(?:\\\\|&#)(?:0*46|x0*2e);)r87(?:\\.|(?:\\\\|&#)(?:0*46|x0*2e);)(?:me|com)\\b",
+            "options": {
+              "case_sensitive": false,
+              "min_length": 7
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
     {
       "id": "dog-931-001",
       "name": "RFI: URL Payload to well known RFI target",
@@ -4699,6 +4743,56 @@
       ],
       "transformers": []
     },
+    {
+      "id": "dog-941-001",
+      "name": "XSS in source property",
+      "tags": {
+        "type": "xss",
+        "category": "attack_attempt",
+        "confidence": "0"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              },
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "referer"
+                ]
+              },
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "grpc.server.request.message"
+              }
+            ],
+            "regex": "<(?:iframe|esi:include)(?:(?:\\s|/)*\\w+=[\"'\\w]+)*(?:\\s|/)*src(?:doc)?=[\"']?(?:data:|javascript:|http:|//)[^\\s'\"]+['\"]?",
+            "options": {
+              "min_length": 14
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [
+        "removeNulls",
+        "urlDecodeUni"
+      ]
+    },
     {
       "id": "dog-942-001",
       "name": "Blind XSS callback domains",
@@ -5428,12 +5522,14 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "(?i)[&|]\\s*cat\\s+\\/etc\\/[\\w\\.\\/]*passwd\\s*[&|]"
+            "regex": "(?i)[&|]\\s*cat\\s*\\/etc\\/[\\w\\.\\/]*passwd\\s*[&|]"
           },
           "operator": "match_regex"
         }
       ],
-      "transformers": []
+      "transformers": [
+        "cmdLine"
+      ]
     },
     {
       "id": "sqr-000-010",
@@ -7014,7 +7110,10 @@
                 ]
               }
             ],
-            "regex": "mozilla/4\\.0 \\(compatible(; msie 6\\.0; win32)?\\)"
+            "regex": "mozilla/4\\.0 \\(compatible(; msie (?:6\\.0; win32|4\\.0; Windows NT))?\\)",
+            "options": {
+              "case_sensitive": false
+            }
           },
           "operator": "match_regex"
         }
@@ -7076,4 +7175,4 @@
       "transformers": []
     }
   ]
-}
+}

package/packages/dd-trace/src/appsec/reporter.js

@@ -3,6 +3,12 @@
 const Limiter = require('../rate_limiter')
 const { storage } = require('../../../datadog-core')
 const web = require('../plugins/util/web')
+const {
+  incrementWafInitMetric,
+  updateWafRequestsMetricTags,
+  incrementWafUpdatesMetric,
+  incrementWafRequestsMetric
+} = require('./telemetry')
 
 // default limiter, configurable with setRateLimit()
 let limiter = new Limiter(100)
@@ -63,6 +69,18 @@ function formatHeaderName (name) {
     .toLowerCase()
 }
 
+function reportWafInit (wafVersion, rulesInfo) {
+  metricsQueue.set('_dd.appsec.waf.version', wafVersion)
+
+  metricsQueue.set('_dd.appsec.event_rules.loaded', rulesInfo.loaded)
+  metricsQueue.set('_dd.appsec.event_rules.error_count', rulesInfo.failed)
+  if (rulesInfo.failed) metricsQueue.set('_dd.appsec.event_rules.errors', JSON.stringify(rulesInfo.errors))
+
+  metricsQueue.set('manual.keep', 'true')
+
+  incrementWafInitMetric(wafVersion, rulesInfo.version)
+}
+
 function reportMetrics (metrics) {
   // TODO: metrics should be incremental, there already is an RFC to report metrics
   const store = storage.getStore()
@@ -80,6 +98,8 @@ function reportMetrics (metrics) {
   if (metrics.rulesVersion) {
     rootSpan.setTag('_dd.appsec.event_rules.version', metrics.rulesVersion)
   }
+
+  updateWafRequestsMetricTags(metrics, store.req)
 }
 
 function reportAttack (attackData) {
@@ -132,6 +152,8 @@ function finishRequest (req, res) {
     metricsQueue.clear()
   }
 
+  incrementWafRequestsMetric(req)
+
   if (!rootSpan.context()._tags['appsec.event']) return
 
   const newTags = filterHeaders(res.getHeaders(), RESPONSE_HEADERS_PASSLIST, 'http.response.headers.')
@@ -151,8 +173,10 @@ module.exports = {
   metricsQueue,
   filterHeaders,
   formatHeaderName,
+  reportWafInit,
   reportMetrics,
   reportAttack,
+  reportWafUpdate: incrementWafUpdatesMetric,
   finishRequest,
   setRateLimit
 }

package/packages/dd-trace/src/appsec/telemetry.js

@@ -0,0 +1,132 @@
+'use strict'
+
+const telemetryMetrics = require('../telemetry/metrics')
+
+const appsecMetrics = telemetryMetrics.manager.namespace('appsec')
+
+const DD_TELEMETRY_WAF_RESULT_TAGS = Symbol('_dd.appsec.telemetry.waf.result.tags')
+
+const tags = {
+  REQUEST_BLOCKED: 'request_blocked',
+  RULE_TRIGGERED: 'rule_triggered',
+  WAF_TIMEOUT: 'waf_timeout',
+  WAF_VERSION: 'waf_version',
+  EVENT_RULES_VERSION: 'event_rules_version'
+}
+
+const metricsStoreMap = new WeakMap()
+
+let enabled = false
+
+function enable (telemetryConfig) {
+  enabled = telemetryConfig?.enabled && telemetryConfig.metrics
+}
+
+function disable () {
+  enabled = false
+}
+
+function getStore (req) {
+  let store = metricsStoreMap.get(req)
+  if (!store) {
+    store = {}
+    metricsStoreMap.set(req, store)
+  }
+  return store
+}
+
+function getVersionsTags (wafVersion, rulesVersion) {
+  return {
+    [tags.WAF_VERSION]: wafVersion,
+    [tags.EVENT_RULES_VERSION]: rulesVersion
+  }
+}
+
+function trackWafDurations (metrics, versionsTags) {
+  if (metrics.duration) {
+    appsecMetrics.distribution('waf.duration', versionsTags).track(metrics.duration)
+  }
+  if (metrics.durationExt) {
+    appsecMetrics.distribution('waf.duration_ext', versionsTags).track(metrics.durationExt)
+  }
+}
+
+function getOrCreateMetricTags ({ wafVersion, rulesVersion }, req, versionsTags) {
+  const store = getStore(req)
+
+  let metricTags = store[DD_TELEMETRY_WAF_RESULT_TAGS]
+  if (!metricTags) {
+    metricTags = {
+      [tags.REQUEST_BLOCKED]: false,
+      [tags.RULE_TRIGGERED]: false,
+      [tags.WAF_TIMEOUT]: false,
+
+      ...versionsTags
+    }
+    store[DD_TELEMETRY_WAF_RESULT_TAGS] = metricTags
+  }
+  return metricTags
+}
+
+function updateWafRequestsMetricTags (metrics, req) {
+  if (!req || !enabled) return
+
+  const versionsTags = getVersionsTags(metrics.wafVersion, metrics.rulesVersion)
+
+  trackWafDurations(metrics, versionsTags)
+
+  const metricTags = getOrCreateMetricTags(metrics, req, versionsTags)
+
+  const { blockTriggered, ruleTriggered, wafTimeout } = metrics
+
+  if (blockTriggered) {
+    metricTags[tags.REQUEST_BLOCKED] = blockTriggered
+  }
+  if (ruleTriggered) {
+    metricTags[tags.RULE_TRIGGERED] = ruleTriggered
+  }
+  if (wafTimeout) {
+    metricTags[tags.WAF_TIMEOUT] = wafTimeout
+  }
+
+  return metricTags
+}
+
+function incrementWafInitMetric (wafVersion, rulesVersion) {
+  if (!enabled) return
+
+  const versionsTags = getVersionsTags(wafVersion, rulesVersion)
+
+  appsecMetrics.count('waf.init', versionsTags).inc()
+}
+
+function incrementWafUpdatesMetric (wafVersion, rulesVersion) {
+  if (!enabled) return
+
+  const versionsTags = getVersionsTags(wafVersion, rulesVersion)
+
+  appsecMetrics.count('waf.updates', versionsTags).inc()
+}
+
+function incrementWafRequestsMetric (req) {
+  if (!req || !enabled) return
+
+  const store = getStore(req)
+
+  const metricTags = store[DD_TELEMETRY_WAF_RESULT_TAGS]
+  if (metricTags) {
+    appsecMetrics.count('waf.requests', metricTags).inc()
+  }
+
+  metricsStoreMap.delete(req)
+}
+
+module.exports = {
+  enable,
+  disable,
+
+  updateWafRequestsMetricTags,
+  incrementWafInitMetric,
+  incrementWafUpdatesMetric,
+  incrementWafRequestsMetric
+}

package/packages/dd-trace/src/appsec/waf/index.js

@@ -39,7 +39,7 @@ function update (newRules) {
   if (!waf.wafManager) throw new Error('Cannot update disabled WAF')
 
   try {
-    waf.wafManager.ddwaf.update(newRules)
+    waf.wafManager.update(newRules)
   } catch (err) {
     log.error('Could not apply rules from remote config')
     throw err

package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js

@@ -4,11 +4,12 @@ const log = require('../../log')
 const Reporter = require('../reporter')
 
 class WAFContextWrapper {
-  constructor (ddwafContext, requiredAddresses, wafTimeout, rulesInfo) {
+  constructor (ddwafContext, requiredAddresses, wafTimeout, rulesInfo, wafVersion) {
     this.ddwafContext = ddwafContext
     this.requiredAddresses = requiredAddresses
     this.wafTimeout = wafTimeout
-    this.rulesInfo = rulesInfo
+    this.rulesVersion = rulesInfo.version
+    this.wafVersion = wafVersion
   }
 
   run (params) {
@@ -32,13 +33,20 @@ class WAFContextWrapper {
 
       const end = process.hrtime.bigint()
 
+      const ruleTriggered = !!result.data && result.data !== '[]'
+      const blockTriggered = result.actions?.includes('block')
+
       Reporter.reportMetrics({
         duration: result.totalRuntime / 1e3,
         durationExt: parseInt(end - start) / 1e3,
-        rulesVersion: this.rulesInfo.version
+        rulesVersion: this.rulesVersion,
+        ruleTriggered,
+        blockTriggered,
+        wafVersion: this.wafVersion,
+        wafTimeout: result.timeout
       })
 
-      if (result.data && result.data !== '[]') {
+      if (ruleTriggered) {
         Reporter.reportAttack(result.data)
       }
 

package/packages/dd-trace/src/appsec/waf/waf_manager.js

@@ -11,7 +11,9 @@ class WAFManager {
     this.config = config
     this.wafTimeout = config.wafTimeout
     this.ddwaf = this._loadDDWAF(rules)
-    this._reportMetrics()
+    this.ddwafVersion = this.ddwaf.constructor.version()
+
+    Reporter.reportWafInit(this.ddwafVersion, this.ddwaf.rulesInfo)
   }
 
   _loadDDWAF (rules) {
@@ -28,18 +30,6 @@ class WAFManager {
     }
   }
 
-  _reportMetrics () {
-    Reporter.metricsQueue.set('_dd.appsec.waf.version', this.ddwaf.constructor.version())
-
-    const { loaded, failed, errors } = this.ddwaf.rulesInfo
-
-    Reporter.metricsQueue.set('_dd.appsec.event_rules.loaded', loaded)
-    Reporter.metricsQueue.set('_dd.appsec.event_rules.error_count', failed)
-    if (failed) Reporter.metricsQueue.set('_dd.appsec.event_rules.errors', JSON.stringify(errors))
-
-    Reporter.metricsQueue.set('manual.keep', 'true')
-  }
-
   getWAFContext (req) {
     let wafContext = contexts.get(req)
 
@@ -48,7 +38,8 @@ class WAFManager {
         this.ddwaf.createContext(),
         this.ddwaf.requiredAddresses,
         this.wafTimeout,
-        this.ddwaf.rulesInfo
+        this.ddwaf.rulesInfo,
+        this.ddwafVersion
       )
       contexts.set(req, wafContext)
     }
@@ -56,6 +47,12 @@ class WAFManager {
     return wafContext
   }
 
+  update (newRules) {
+    this.ddwaf.update(newRules)
+
+    Reporter.reportWafUpdate(this.ddwafVersion, this.ddwaf.rulesInfo.version)
+  }
+
   destroy () {
     if (this.ddwaf) {
       this.ddwaf.dispose()

package/packages/dd-trace/src/dogstatsd.js

@@ -5,6 +5,7 @@ const request = require('./exporters/common/request')
 const dgram = require('dgram')
 const isIP = require('net').isIP
 const log = require('./log')
+const { URL, format } = require('url')
 
 const MAX_BUFFER_SIZE = 1024 // limit from the agent
 
@@ -13,9 +14,7 @@ const TYPE_GAUGE = 'g'
 const TYPE_DISTRIBUTION = 'd'
 
 class DogStatsDClient {
-  constructor (options) {
-    options = options || {}
-
+  constructor (options = {}) {
     if (options.metricsProxyUrl) {
       this._httpOptions = {
         url: options.metricsProxyUrl.toString(),
@@ -50,6 +49,8 @@ class DogStatsDClient {
   flush () {
     const queue = this._enqueue()
 
+    log.debug(`Flushing ${queue.length} metrics via ${this._httpOptions ? 'HTTP' : 'UDP'}`)
+
     if (this._queue.length === 0) return
 
     this._queue = []
@@ -141,6 +142,44 @@ class DogStatsDClient {
 
     return socket
   }
+
+  static generateClientConfig (config = {}) {
+    const tags = []
+
+    if (config.tags) {
+      Object.keys(config.tags)
+        .filter(key => typeof config.tags[key] === 'string')
+        .filter(key => {
+          // Skip runtime-id unless enabled as cardinality may be too high
+          if (key !== 'runtime-id') return true
+          return (config.experimental && config.experimental.runtimeId)
+        })
+        .forEach(key => {
+          // https://docs.datadoghq.com/tagging/#defining-tags
+          const value = config.tags[key].replace(/[^a-z0-9_:./-]/ig, '_')
+
+          tags.push(`${key}:${value}`)
+        })
+    }
+
+    const clientConfig = {
+      host: config.dogstatsd.hostname,
+      port: config.dogstatsd.port,
+      tags
+    }
+
+    if (config.url) {
+      clientConfig.metricsProxyUrl = config.url
+    } else if (config.port) {
+      clientConfig.metricsProxyUrl = new URL(format({
+        protocol: 'http:',
+        hostname: config.hostname || 'localhost',
+        port: config.port
+      }))
+    }
+
+    return clientConfig
+  }
 }
 
 class NoopDogStatsDClient {
@@ -155,8 +194,9 @@ class NoopDogStatsDClient {
 
 // This is a simplified user-facing proxy to the underlying DogStatsDClient instance
 class CustomMetrics {
-  constructor (options) {
-    this.dogstatsd = new DogStatsDClient(options)
+  constructor (config) {
+    const clientConfig = DogStatsDClient.generateClientConfig(config)
+    this.dogstatsd = new DogStatsDClient(clientConfig)
   }
 
   increment (stat, value = 1, tags) {

package/packages/dd-trace/src/plugins/tracing.js

@@ -55,7 +55,7 @@ class TracingPlugin extends Plugin {
   start () {} // implemented by individual plugins
 
   finish () {
-    this.activeSpan.finish()
+    this.activeSpan?.finish()
   }
 
   error (error) {

package/packages/dd-trace/src/plugins/util/test.js

@@ -139,13 +139,13 @@ function removeInvalidMetadata (metadata) {
   return Object.keys(metadata).reduce((filteredTags, tag) => {
     if (tag === GIT_REPOSITORY_URL) {
       if (!validateGitRepositoryUrl(metadata[GIT_REPOSITORY_URL])) {
-        log.error('DD_GIT_REPOSITORY_URL must be a valid URL')
+        log.error(`Repository URL is not a valid repository URL: ${metadata[GIT_REPOSITORY_URL]}.`)
         return filteredTags
       }
     }
     if (tag === GIT_COMMIT_SHA) {
       if (!validateGitCommitSha(metadata[GIT_COMMIT_SHA])) {
-        log.error('DD_GIT_COMMIT_SHA must be a full-length git SHA')
+        log.error(`Git commit SHA must be a full-length git SHA: ${metadata[GIT_COMMIT_SHA]}.`)
         return filteredTags
       }
     }

package/packages/dd-trace/src/profiling/profilers/wall.js

@@ -6,9 +6,11 @@ const dc = require('../../../../diagnostics_channel')
 const { HTTP_METHOD, HTTP_ROUTE, RESOURCE_NAME, SPAN_TYPE } = require('../../../../../ext/tags')
 const { WEB } = require('../../../../../ext/types')
 const runtimeMetrics = require('../../runtime_metrics')
+const telemetryMetrics = require('../../telemetry/metrics')
 
 const beforeCh = dc.channel('dd-trace:storage:before')
 const enterCh = dc.channel('dd-trace:storage:enter')
+const profilerTelemetryMetrics = telemetryMetrics.manager.namespace('profilers')
 
 let kSampleCount
 
@@ -168,6 +170,16 @@ class NativeWallProfiler {
     }
   }
 
+  _reportV8bug (maybeBug) {
+    const tag = `v8_profiler_bug_workaround_enabled:${this._v8ProfilerBugWorkaroundEnabled}`
+    const metric = `v8_cpu_profiler${maybeBug ? '_maybe' : ''}_stuck_event_loop`
+    this._logger?.warn(`Wall profiler: ${maybeBug ? 'possible ' : ''}v8 profiler stuck event loop detected.`)
+    // report as runtime metric (can be removed in the future when telemetry is mature)
+    runtimeMetrics.increment(`runtime.node.profiler.${metric}`, tag, true)
+    // report as telemetry metric
+    profilerTelemetryMetrics.count(metric, [tag]).inc()
+  }
+
   _stop (restart) {
     if (!this._started) return
     if (this._codeHotspotsEnabled) {
@@ -178,12 +190,8 @@ class NativeWallProfiler {
     const profile = this._pprof.time.stop(restart, this._codeHotspotsEnabled ? generateLabels : undefined)
     if (restart) {
       const v8BugDetected = this._pprof.time.v8ProfilerStuckEventLoopDetected()
-      if (v8BugDetected === 1) {
-        this._logger?.warn('Wall profiler: possible v8 profiler stuck event loop detected.')
-        runtimeMetrics.increment('runtime.node.profiler.v8_cpu_profiler_maybe_stuck_event_loop', undefined, true)
-      } else if (v8BugDetected === 2) {
-        this._logger?.warn('Wall profiler: v8 profiler stuck event loop detected.')
-        runtimeMetrics.increment('runtime.node.profiler.v8_cpu_profiler_stuck_event_loop', undefined, true)
+      if (v8BugDetected !== 0) {
+        this._reportV8bug(v8BugDetected === 1)
       }
     }
     return profile

package/packages/dd-trace/src/proxy.js

@@ -30,17 +30,7 @@ class Tracer extends NoopProxy {
 
       if (config.dogstatsd) {
         // Custom Metrics
-        this.dogstatsd = new dogstatsd.CustomMetrics({
-          host: config.dogstatsd.hostname,
-          port: config.dogstatsd.port,
-          tags: [
-            // these are the Runtime Metrics default tags
-            // Python also uses these as default Custom Metrics tags
-            `service:${config.tags.service}`,
-            `env:${config.tags.env}`,
-            `version:${config.tags.version}`
-          ]
-        })
+        this.dogstatsd = new dogstatsd.CustomMetrics(config)
 
         setInterval(() => {
           this.dogstatsd.flush()

package/packages/dd-trace/src/runtime_metrics.js

@@ -2,7 +2,6 @@
 
 // TODO: capture every second and flush every 10 seconds
 
-const { URL, format } = require('url')
 const v8 = require('v8')
 const os = require('os')
 const { DogStatsDClient } = require('./dogstatsd')
@@ -27,21 +26,7 @@ reset()
 
 module.exports = {
   start (config) {
-    const tags = []
-
-    Object.keys(config.tags)
-      .filter(key => typeof config.tags[key] === 'string')
-      .filter(key => {
-        // Skip runtime-id unless enabled as cardinality may be too high
-        if (key !== 'runtime-id') return true
-        return (config.experimental && config.experimental.runtimeId)
-      })
-      .forEach(key => {
-        // https://docs.datadoghq.com/tagging/#defining-tags
-        const value = config.tags[key].replace(/[^a-z0-9_:./-]/ig, '_')
-
-        tags.push(`${key}:${value}`)
-      })
+    const clientConfig = DogStatsDClient.generateClientConfig(config)
 
     try {
       nativeMetrics = require('@datadog/native-metrics')
@@ -51,22 +36,6 @@ module.exports = {
       nativeMetrics = null
     }
 
-    const clientConfig = {
-      host: config.dogstatsd.hostname,
-      port: config.dogstatsd.port,
-      tags
-    }
-
-    if (config.url) {
-      clientConfig.metricsProxyUrl = config.url
-    } else if (config.port) {
-      clientConfig.metricsProxyUrl = new URL(format({
-        protocol: 'http:',
-        hostname: config.hostname || 'localhost',
-        port: config.port
-      }))
-    }
-
     client = new DogStatsDClient(clientConfig)
 
     time = process.hrtime()

package/packages/dd-trace/src/util.js

@@ -66,7 +66,7 @@ function globMatch (pattern, subject) {
 function calculateDDBasePath (dirname) {
   const dirSteps = dirname.split(path.sep)
   const packagesIndex = dirSteps.lastIndexOf('packages')
-  return dirSteps.slice(0, packagesIndex).join(path.sep) + path.sep
+  return dirSteps.slice(0, packagesIndex + 1).join(path.sep) + path.sep
 }
 
 module.exports = {