npm - dd-trace - Versions diffs - 4.16.0 → 4.18.0 - Mend

dd-trace 4.16.0 → 4.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/packages/datadog-plugin-jest/src/util.js CHANGED Viewed

@@ -1,4 +1,8 @@
+const { readFileSync } = require('fs')
+const { parse, extract } = require('jest-docblock')
 const { getTestSuitePath } = require('../../dd-trace/src/plugins/util/test')
+const log = require('../../dd-trace/src/log')
 /**
  * There are two ways to call `test.each` in `jest`:
@@ -47,17 +51,56 @@ function getJestTestName (test) {
   return titles.join(' ')
 }
+function isMarkedAsUnskippable (test) {
+  let docblocks
+  try {
+    const testSource = readFileSync(test.path, 'utf8')
+    docblocks = parse(extract(testSource))
+  } catch (e) {
+    // If we have issues parsing the file, we'll assume no unskippable was passed
+    return false
+  }
+  // docblocks were correctly parsed but it does not include a @datadog block
+  if (!docblocks?.datadog) {
+    return false
+  }
+  try {
+    return JSON.parse(docblocks.datadog).unskippable
+  } catch (e) {
+    // If the @datadog block comment is present but malformed, we'll run the suite
+    log.warn('@datadog block comment is malformed.')
+    return true
+  }
+}
 function getJestSuitesToRun (skippableSuites, originalTests, rootDir) {
   return originalTests.reduce((acc, test) => {
     const relativePath = getTestSuitePath(test.path, rootDir)
     const shouldBeSkipped = skippableSuites.includes(relativePath)
+    if (isMarkedAsUnskippable(test)) {
+      acc.suitesToRun.push(test)
+      if (test?.context?.config?.testEnvironmentOptions) {
+        test.context.config.testEnvironmentOptions['_ddUnskippable'] = true
+        acc.hasUnskippableSuites = true
+        if (shouldBeSkipped) {
+          test.context.config.testEnvironmentOptions['_ddForcedToRun'] = true
+          acc.hasForcedToRunSuites = true
+        }
+      }
+      return acc
+    }
     if (shouldBeSkipped) {
       acc.skippedSuites.push(relativePath)
     } else {
       acc.suitesToRun.push(test)
     }
     return acc
-  }, { skippedSuites: [], suitesToRun: [] })
+  }, { skippedSuites: [], suitesToRun: [], hasUnskippableSuites: false, hasForcedToRunSuites: false })
 }
-module.exports = { getFormattedJestTestParameters, getJestTestName, getJestSuitesToRun }
+module.exports = { getFormattedJestTestParameters, getJestTestName, getJestSuitesToRun, isMarkedAsUnskippable }

package/packages/datadog-plugin-memcached/src/index.js CHANGED Viewed

@@ -9,15 +9,20 @@ class MemcachedPlugin extends CachePlugin {
   start ({ client, server, query }) {
     const address = getAddress(client, server, query)
+    const meta = {
+      'out.host': address[0],
+      [CLIENT_PORT_KEY]: address[1]
+    }
+    if (this.config.memcachedCommandEnabled) {
+      meta['memcached.command'] = query.command
+    }
     this.startSpan({
       service: this.serviceName({ pluginConfig: this.config, system: this.system }),
       resource: query.type,
       type: 'memcached',
-      meta: {
-        'memcached.command': query.command,
-        'out.host': address[0],
-        [CLIENT_PORT_KEY]: address[1]
-      }
+      meta
     })
   }
 }

package/packages/datadog-plugin-mocha/src/index.js CHANGED Viewed

@@ -11,7 +11,9 @@ const {
   getTestParametersString,
   getTestSuiteCommonTags,
   addIntelligentTestRunnerSpanTags,
-  TEST_SOURCE_START
+  TEST_SOURCE_START,
+  TEST_ITR_UNSKIPPABLE,
+  TEST_ITR_FORCED_RUN
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
@@ -47,14 +49,21 @@ class MochaPlugin extends CiPlugin {
       this.tracer._exporter.exportCoverage(formattedCoverage)
     })
-    this.addSub('ci:mocha:test-suite:start', (suite) => {
+    this.addSub('ci:mocha:test-suite:start', ({ testSuite, isUnskippable, isForcedToRun }) => {
       const store = storage.getStore()
       const testSuiteMetadata = getTestSuiteCommonTags(
         this.command,
         this.frameworkVersion,
-        getTestSuitePath(suite.file, this.sourceRoot),
+        getTestSuitePath(testSuite, this.sourceRoot),
         'mocha'
       )
+      if (isUnskippable) {
+        testSuiteMetadata[TEST_ITR_UNSKIPPABLE] = 'true'
+      }
+      if (isForcedToRun) {
+        testSuiteMetadata[TEST_ITR_FORCED_RUN] = 'true'
+      }
       const testSuiteSpan = this.tracer.startSpan('mocha.test_suite', {
         childOf: this.testModuleSpan,
         tags: {
@@ -64,7 +73,7 @@ class MochaPlugin extends CiPlugin {
         }
       })
       this.enter(testSuiteSpan, store)
-      this._testSuites.set(suite.file, testSuiteSpan)
+      this._testSuites.set(testSuite, testSuiteSpan)
     })
     this.addSub('ci:mocha:test-suite:finish', (status) => {
@@ -139,13 +148,21 @@ class MochaPlugin extends CiPlugin {
       status,
       isSuitesSkipped,
       testCodeCoverageLinesTotal,
-      numSkippedSuites
+      numSkippedSuites,
+      hasForcedToRunSuites,
+      hasUnskippableSuites,
+      error
     }) => {
       if (this.testSessionSpan) {
         const { isSuitesSkippingEnabled, isCodeCoverageEnabled } = this.itrConfig || {}
         this.testSessionSpan.setTag(TEST_STATUS, status)
         this.testModuleSpan.setTag(TEST_STATUS, status)
+        if (error) {
+          this.testSessionSpan.setTag('error', error)
+          this.testModuleSpan.setTag('error', error)
+        }
         addIntelligentTestRunnerSpanTags(
           this.testSessionSpan,
           this.testModuleSpan,
@@ -155,7 +172,9 @@ class MochaPlugin extends CiPlugin {
             isCodeCoverageEnabled,
             testCodeCoverageLinesTotal,
             skippingCount: numSkippedSuites,
-            skippingType: 'suite'
+            skippingType: 'suite',
+            hasForcedToRunSuites,
+            hasUnskippableSuites
           }
         )

package/packages/datadog-plugin-next/src/index.js CHANGED Viewed

@@ -43,7 +43,7 @@ class NextPlugin extends ServerPlugin {
     this.addError(error, span)
   }
-  finish ({ req, res }) {
+  finish ({ req, res, nextRequest = {} }) {
     const store = storage.getStore()
     if (!store) return
@@ -52,7 +52,8 @@ class NextPlugin extends ServerPlugin {
     const error = span.context()._tags['error']
     if (!this.config.validateStatus(res.statusCode) && !error) {
-      span.setTag('error', true)
+      span.setTag('error', req.error || nextRequest.error || true)
+      web.addError(req, req.error || nextRequest.error || true)
     }
     span.addTags({
@@ -64,7 +65,7 @@ class NextPlugin extends ServerPlugin {
     span.finish()
   }
-  pageLoad ({ page, isAppPath }) {
+  pageLoad ({ page, isAppPath = false }) {
     const store = storage.getStore()
     if (!store) return

package/packages/datadog-plugin-playwright/src/index.js CHANGED Viewed

@@ -72,7 +72,7 @@ class PlaywrightPlugin extends CiPlugin {
       this.enter(span, store)
     })
-    this.addSub('ci:playwright:test:finish', ({ testStatus, steps, error }) => {
+    this.addSub('ci:playwright:test:finish', ({ testStatus, steps, error, extraTags }) => {
       const store = storage.getStore()
       const span = store && store.span
       if (!span) return
@@ -82,6 +82,9 @@ class PlaywrightPlugin extends CiPlugin {
       if (error) {
         span.setTag('error', error)
       }
+      if (extraTags) {
+        span.addTags(extraTags)
+      }
       steps.forEach(step => {
         const stepStartTime = step.startTime.getTime()

package/packages/dd-trace/src/appsec/channels.js CHANGED Viewed

@@ -11,5 +11,7 @@ module.exports = {
   incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
   passportVerify: dc.channel('datadog:passport:verify:finish'),
   queryParser: dc.channel('datadog:query:read:finish'),
-  setCookieChannel: dc.channel('datadog:iast:set-cookie')
+  setCookieChannel: dc.channel('datadog:iast:set-cookie'),
+  nextBodyParsed: dc.channel('apm:next:body-parsed'),
+  nextQueryParsed: dc.channel('apm:next:query-parsed')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js CHANGED Viewed

@@ -2,11 +2,13 @@
 module.exports = {
   'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
+  'HARCODED_SECRET_ANALYZER': require('./hardcoded-secret-analyzer'),
   'HSTS_HEADER_MISSING_ANALYZER': require('./hsts-header-missing-analyzer'),
   'INSECURE_COOKIE_ANALYZER': require('./insecure-cookie-analyzer'),
   'LDAP_ANALYZER': require('./ldap-injection-analyzer'),
   'NO_HTTPONLY_COOKIE_ANALYZER': require('./no-httponly-cookie-analyzer'),
   'NO_SAMESITE_COOKIE_ANALYZER': require('./no-samesite-cookie-analyzer'),
+  'NOSQL_MONGODB_INJECTION': require('./nosql-injection-mongodb-analyzer'),
   'PATH_TRAVERSAL_ANALYZER': require('./path-traversal-analyzer'),
   'SQL_INJECTION_ANALYZER': require('./sql-injection-analyzer'),
   'SSRF': require('./ssrf-analyzer'),

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secret-analyzer.js ADDED Viewed

@@ -0,0 +1,60 @@
+'use strict'
+const Analyzer = require('./vulnerability-analyzer')
+const { HARDCODED_SECRET } = require('../vulnerabilities')
+const { getRelativePath } = require('../path-line')
+const secretRules = require('./hardcoded-secrets-rules')
+class HardcodedSecretAnalyzer extends Analyzer {
+  constructor () {
+    super(HARDCODED_SECRET)
+  }
+  onConfigure () {
+    this.addSub('datadog:secrets:result', (secrets) => { this.analyze(secrets) })
+  }
+  analyze (secrets) {
+    if (!secrets?.file || !secrets.literals) return
+    const matches = secrets.literals
+      .filter(literal => literal.value && literal.locations?.length)
+      .map(literal => {
+        const match = secretRules.find(rule => literal.value.match(rule.regex))
+        return match ? { locations: literal.locations, ruleId: match.id } : undefined
+      })
+      .filter(match => !!match)
+    if (matches.length) {
+      const file = getRelativePath(secrets.file)
+      matches.forEach(match => {
+        match.locations
+          .filter(location => location.line)
+          .forEach(location => this._report({
+            file,
+            line: location.line,
+            column: location.column,
+            data: match.ruleId
+          }))
+      })
+    }
+  }
+  _getEvidence (value) {
+    return { value: `${value.data}` }
+  }
+  _getLocation (value) {
+    return {
+      path: value.file,
+      line: value.line,
+      column: value.column,
+      isInternal: false
+    }
+  }
+}
+module.exports = new HardcodedSecretAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secrets-rules.js ADDED Viewed

@@ -0,0 +1,269 @@
+/* eslint-disable max-len */
+'use strict'
+module.exports = [
+  {
+    'id': 'adobe-client-secret',
+    'regex': /\b((p8e-)[a-z0-9]{32})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'age-secret-key',
+    'regex': /AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}/
+  },
+  {
+    'id': 'alibaba-access-key-id',
+    'regex': /\b((LTAI)[a-z0-9]{20})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'authress-service-client-access-key',
+    'regex': /\b((?:sc|ext|scauth|authress)_[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.acc[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'aws-access-token',
+    'regex': /\b((A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})(?:['"\s\x60;]|$)/
+  },
+  {
+    'id': 'clojars-api-token',
+    'regex': /(CLOJARS_)[a-z0-9]{60}/i
+  },
+  {
+    'id': 'databricks-api-token',
+    'regex': /\b(dapi[a-h0-9]{32})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'digitalocean-access-token',
+    'regex': /\b(doo_v1_[a-f0-9]{64})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'digitalocean-pat',
+    'regex': /\b(dop_v1_[a-f0-9]{64})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'digitalocean-refresh-token',
+    'regex': /\b(dor_v1_[a-f0-9]{64})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'doppler-api-token',
+    'regex': /(dp\.pt\.)[a-z0-9]{43}/i
+  },
+  {
+    'id': 'duffel-api-token',
+    'regex': /duffel_(test|live)_[a-z0-9_\-=]{43}/i
+  },
+  {
+    'id': 'dynatrace-api-token',
+    'regex': /dt0c01\.[a-z0-9]{24}\.[a-z0-9]{64}/i
+  },
+  {
+    'id': 'easypost-api-token',
+    'regex': /\bEZAK[a-z0-9]{54}/i
+  },
+  {
+    'id': 'flutterwave-public-key',
+    'regex': /FLWPUBK_TEST-[a-h0-9]{32}-X/i
+  },
+  {
+    'id': 'frameio-api-token',
+    'regex': /fio-u-[a-z0-9\-_=]{64}/i
+  },
+  {
+    'id': 'gcp-api-key',
+    'regex': /\b(AIza[0-9a-z\-_]{35})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'github-app-token',
+    'regex': /(ghu|ghs)_[0-9a-zA-Z]{36}/
+  },
+  {
+    'id': 'github-fine-grained-pat',
+    'regex': /github_pat_[0-9a-zA-Z_]{82}/
+  },
+  {
+    'id': 'github-oauth',
+    'regex': /gho_[0-9a-zA-Z]{36}/
+  },
+  {
+    'id': 'github-pat',
+    'regex': /ghp_[0-9a-zA-Z]{36}/
+  },
+  {
+    'id': 'gitlab-pat',
+    'regex': /glpat-[0-9a-zA-Z\-_]{20}/
+  },
+  {
+    'id': 'gitlab-ptt',
+    'regex': /glptt-[0-9a-f]{40}/
+  },
+  {
+    'id': 'gitlab-rrt',
+    'regex': /GR1348941[0-9a-zA-Z\-_]{20}/
+  },
+  {
+    'id': 'grafana-api-key',
+    'regex': /\b(eyJrIjoi[a-z0-9]{70,400}={0,2})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'grafana-cloud-api-token',
+    'regex': /\b(glc_[a-z0-9+/]{32,400}={0,2})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'grafana-service-account-token',
+    'regex': /\b(glsa_[a-z0-9]{32}_[a-f0-9]{8})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'hashicorp-tf-api-token',
+    'regex': /[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}/i
+  },
+  {
+    'id': 'jwt',
+    'regex': /\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9/_-]{17,}\.(?:[a-zA-Z0-9/_-]{10,}={0,2})?)(?:['"\s\x60;]|$)/
+  },
+  {
+    'id': 'linear-api-key',
+    'regex': /lin_api_[a-z0-9]{40}/i
+  },
+  {
+    'id': 'npm-access-token',
+    'regex': /\b(npm_[a-z0-9]{36})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'openai-api-key',
+    'regex': /\b(sk-[a-z0-9]{20}T3BlbkFJ[a-z0-9]{20})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'planetscale-api-token',
+    'regex': /\b(pscale_tkn_[a-z0-9=\-_.]{32,64})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'planetscale-oauth-token',
+    'regex': /\b(pscale_oauth_[a-z0-9=\-_.]{32,64})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'planetscale-password',
+    'regex': /\b(pscale_pw_[a-z0-9=\-_.]{32,64})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'postman-api-token',
+    'regex': /\b(PMAK-[a-f0-9]{24}-[a-f0-9]{34})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'prefect-api-token',
+    'regex': /\b(pnu_[a-z0-9]{36})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'private-key',
+    'regex': /-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S]*KEY( BLOCK)?----/i
+  },
+  {
+    'id': 'pulumi-api-token',
+    'regex': /\b(pul-[a-f0-9]{40})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'pypi-upload-token',
+    'regex': /pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}/
+  },
+  {
+    'id': 'readme-api-token',
+    'regex': /\b(rdme_[a-z0-9]{70})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'rubygems-api-token',
+    'regex': /\b(rubygems_[a-f0-9]{48})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'scalingo-api-token',
+    'regex': /tk-us-[a-zA-Z0-9-_]{48}/
+  },
+  {
+    'id': 'sendgrid-api-token',
+    'regex': /\b(SG\.[a-z0-9=_\-.]{66})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'sendinblue-api-token',
+    'regex': /\b(xkeysib-[a-f0-9]{64}-[a-z0-9]{16})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'shippo-api-token',
+    'regex': /\b(shippo_(live|test)_[a-f0-9]{40})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'shopify-access-token',
+    'regex': /shpat_[a-fA-F0-9]{32}/
+  },
+  {
+    'id': 'shopify-custom-access-token',
+    'regex': /shpca_[a-fA-F0-9]{32}/
+  },
+  {
+    'id': 'shopify-private-app-access-token',
+    'regex': /shppa_[a-fA-F0-9]{32}/
+  },
+  {
+    'id': 'shopify-shared-secret',
+    'regex': /shpss_[a-fA-F0-9]{32}/
+  },
+  {
+    'id': 'slack-app-token',
+    'regex': /(xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+)/i
+  },
+  {
+    'id': 'slack-bot-token',
+    'regex': /(xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*)/
+  },
+  {
+    'id': 'slack-config-access-token',
+    'regex': /(xoxe.xox[bp]-\d-[A-Z0-9]{163,166})/i
+  },
+  {
+    'id': 'slack-config-refresh-token',
+    'regex': /(xoxe-\d-[A-Z0-9]{146})/i
+  },
+  {
+    'id': 'slack-legacy-bot-token',
+    'regex': /(xoxb-[0-9]{8,14}-[a-zA-Z0-9]{18,26})/
+  },
+  {
+    'id': 'slack-legacy-token',
+    'regex': /(xox[os]-\d+-\d+-\d+-[a-fA-F\d]+)/
+  },
+  {
+    'id': 'slack-legacy-workspace-token',
+    'regex': /(xox[ar]-(?:\d-)?[0-9a-zA-Z]{8,48})/
+  },
+  {
+    'id': 'slack-user-token',
+    'regex': /(xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34})/
+  },
+  {
+    'id': 'slack-webhook-url',
+    'regex': /(https?:\/\/)?hooks.slack.com\/(services|workflows)\/[A-Za-z0-9+/]{43,46}/
+  },
+  {
+    'id': 'square-access-token',
+    'regex': /\b(sq0atp-[0-9a-z\-_]{22})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'square-secret',
+    'regex': /\b(sq0csp-[0-9a-z\-_]{43})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'stripe-access-token',
+    'regex': /(sk|pk)_(test|live)_[0-9a-z]{10,32}/i
+  },
+  {
+    'id': 'telegram-bot-api-token',
+    'regex': /(?:^|[^0-9])([0-9]{5,16}:A[a-z0-9_-]{34})(?:$|[^a-z0-9_-])/i
+  },
+  {
+    'id': 'twilio-api-key',
+    'regex': /SK[0-9a-fA-F]{32}/
+  },
+  {
+    'id': 'vault-batch-token',
+    'regex': /\b(hvb\.[a-z0-9_-]{138,212})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'vault-service-token',
+    'regex': /\b(hvs\.[a-z0-9_-]{90,100})(?:['"\s\x60;]|$)/i
+  }
+]

package/packages/dd-trace/src/appsec/iast/analyzers/hsts-header-missing-analyzer.js CHANGED Viewed

@@ -10,8 +10,11 @@ class HstsHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
     super(HSTS_HEADER_MISSING, HSTS_HEADER_NAME)
   }
   _isVulnerableFromRequestAndResponse (req, res) {
-    const headerToCheck = res.getHeader(HSTS_HEADER_NAME)
-    return !this._isHeaderValid(headerToCheck) && this._isHttpsProtocol(req)
+    const headerValues = this._getHeaderValues(res, HSTS_HEADER_NAME)
+    return this._isHttpsProtocol(req) && (
+      headerValues.length === 0 ||
+      headerValues.some(headerValue => !this._isHeaderValid(headerValue))
+    )
   }
   _isHeaderValid (headerValue) {

package/packages/dd-trace/src/appsec/iast/analyzers/missing-header-analyzer.js CHANGED Viewed

@@ -28,6 +28,15 @@ class MissingHeaderAnalyzer extends Analyzer {
     }, (data) => this.analyze(data))
   }
+  _getHeaderValues (res, headerName) {
+    const headerValue = res.getHeader(headerName)
+    if (Array.isArray(headerValue)) {
+      return headerValue
+    } else {
+      return headerValue ? [headerValue.toString()] : []
+    }
+  }
   _getLocation () {
     return undefined
   }
@@ -41,7 +50,14 @@ class MissingHeaderAnalyzer extends Analyzer {
   }
   _getEvidence ({ res }) {
-    return { value: res.getHeader(this.headerName) }
+    const headerValues = this._getHeaderValues(res, this.headerName)
+    let value
+    if (headerValues.length === 1) {
+      value = headerValues[0]
+    } else if (headerValues.length > 0) {
+      value = JSON.stringify(headerValues)
+    }
+    return { value }
   }
   _isVulnerable ({ req, res }, context) {
@@ -56,9 +72,11 @@ class MissingHeaderAnalyzer extends Analyzer {
   }
   _isResponseHtml (res) {
-    const contentType = res.getHeader('content-type')
-    return contentType && HTML_CONTENT_TYPES.some(htmlContentType => {
-      return htmlContentType === contentType || contentType.startsWith(htmlContentType + ';')
+    const contentTypes = this._getHeaderValues(res, 'content-type')
+    return contentTypes.some(contentType => {
+      return contentType && HTML_CONTENT_TYPES.some(htmlContentType => {
+        return htmlContentType === contentType || contentType.startsWith(htmlContentType + ';')
+      })
     })
   }
 }