dd-trace 4.16.0 → 4.18.0

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js

@@ -1,12 +1,16 @@
+'use strict'
+
 const sensitiveHandler = require('./evidence-redaction/sensitive-handler')
+const { stringifyWithRanges } = require('./utils')
 
 class VulnerabilityFormatter {
   constructor () {
     this._redactVulnearbilities = true
   }
 
-  setRedactVulnerabilities (shouldRedactVulnerabilities) {
+  setRedactVulnerabilities (shouldRedactVulnerabilities, redactionNamePattern, redactionValuePattern) {
     this._redactVulnearbilities = shouldRedactVulnerabilities
+    sensitiveHandler.setRedactionPatterns(redactionNamePattern, redactionValuePattern)
   }
 
   extractSourcesFromVulnerability (vulnerability) {
@@ -38,6 +42,13 @@ class VulnerabilityFormatter {
   getUnredactedValueParts (evidence, sourcesIndexes) {
     const valueParts = []
     let fromIndex = 0
+
+    if (typeof evidence.value === 'object' && evidence.rangesToApply) {
+      const { value, ranges } = stringifyWithRanges(evidence.value, evidence.rangesToApply)
+      evidence.value = value
+      evidence.ranges = ranges
+    }
+
     evidence.ranges.forEach((range, rangeIndex) => {
       if (fromIndex < range.start) {
         valueParts.push({ value: evidence.value.substring(fromIndex, range.start) })
@@ -45,14 +56,16 @@ class VulnerabilityFormatter {
       valueParts.push({ value: evidence.value.substring(range.start, range.end), source: sourcesIndexes[rangeIndex] })
       fromIndex = range.end
     })
+
     if (fromIndex < evidence.value.length) {
       valueParts.push({ value: evidence.value.substring(fromIndex) })
     }
+
     return { valueParts }
   }
 
   formatEvidence (type, evidence, sourcesIndexes, sources) {
-    if (!evidence.ranges) {
+    if (!evidence.ranges && !evidence.rangesToApply) {
       if (typeof evidence.value === 'undefined') {
         return undefined
       } else {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/utils.js

@@ -0,0 +1,169 @@
+'use strict'
+
+const crypto = require('crypto')
+const { DEFAULT_IAST_REDACTION_VALUE_PATTERN } = require('./evidence-redaction/sensitive-regex')
+
+const STRINGIFY_RANGE_KEY = 'DD_' + crypto.randomBytes(20).toString('hex')
+const STRINGIFY_SENSITIVE_KEY = STRINGIFY_RANGE_KEY + 'SENSITIVE'
+const STRINGIFY_SENSITIVE_NOT_STRING_KEY = STRINGIFY_SENSITIVE_KEY + 'NOTSTRING'
+
+// eslint-disable-next-line max-len
+const KEYS_REGEX_WITH_SENSITIVE_RANGES = new RegExp(`(?:"(${STRINGIFY_RANGE_KEY}_\\d+_))|(?:"(${STRINGIFY_SENSITIVE_KEY}_\\d+_(\\d+)_))|("${STRINGIFY_SENSITIVE_NOT_STRING_KEY}_\\d+_([\\s0-9.a-zA-Z]*)")`, 'gm')
+const KEYS_REGEX_WITHOUT_SENSITIVE_RANGES = new RegExp(`"(${STRINGIFY_RANGE_KEY}_\\d+_)`, 'gm')
+
+const sensitiveValueRegex = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
+
+function iterateObject (target, fn, levelKeys = [], depth = 50) {
+  Object.keys(target).forEach((key) => {
+    const nextLevelKeys = [...levelKeys, key]
+    const val = target[key]
+
+    fn(val, nextLevelKeys, target, key)
+
+    if (val !== null && typeof val === 'object') {
+      iterateObject(val, fn, nextLevelKeys, depth - 1)
+    }
+  })
+}
+
+function stringifyWithRanges (obj, objRanges, loadSensitiveRanges = false) {
+  let value
+  const ranges = []
+  const sensitiveRanges = []
+  objRanges = objRanges || {}
+
+  if (objRanges || loadSensitiveRanges) {
+    const cloneObj = Array.isArray(obj) ? [] : {}
+    let counter = 0
+    const allRanges = {}
+    const sensitiveKeysMapping = {}
+
+    iterateObject(obj, (val, levelKeys, parent, key) => {
+      let currentLevelClone = cloneObj
+      for (let i = 0; i < levelKeys.length - 1; i++) {
+        let levelKey = levelKeys[i]
+
+        if (!currentLevelClone[levelKey]) {
+          const sensitiveKey = sensitiveKeysMapping[levelKey]
+          if (currentLevelClone[sensitiveKey]) {
+            levelKey = sensitiveKey
+          }
+        }
+
+        currentLevelClone = currentLevelClone[levelKey]
+      }
+
+      if (loadSensitiveRanges) {
+        const sensitiveKey = sensitiveKeysMapping[key]
+        if (sensitiveKey) {
+          key = sensitiveKey
+        } else {
+          sensitiveValueRegex.lastIndex = 0
+
+          if (sensitiveValueRegex.test(key)) {
+            const current = counter++
+            const id = `${STRINGIFY_SENSITIVE_KEY}_${current}_${key.length}_`
+            key = `${id}${key}`
+          }
+        }
+      }
+
+      if (typeof val === 'string') {
+        const ranges = objRanges[levelKeys.join('.')]
+        if (ranges) {
+          const current = counter++
+          const id = `${STRINGIFY_RANGE_KEY}_${current}_`
+
+          allRanges[id] = ranges
+          currentLevelClone[key] = `${id}${val}`
+        } else {
+          currentLevelClone[key] = val
+        }
+        if (loadSensitiveRanges) {
+          const current = counter++
+          const id = `${STRINGIFY_SENSITIVE_KEY}_${current}_${val.length}_`
+
+          currentLevelClone[key] = `${id}${currentLevelClone[key]}`
+        }
+      } else if (typeof val !== 'object' || val === null) {
+        if (loadSensitiveRanges) {
+          const current = counter++
+          const id = `${STRINGIFY_SENSITIVE_NOT_STRING_KEY}_${current}_`
+
+          // this is special, in the final string we should modify "key_value_[null|false|true]..."
+          // by null|false|..... ignoring the beginning and ending quotes
+          currentLevelClone[key] = id + val
+        } else {
+          currentLevelClone[key] = val
+        }
+      } else if (Array.isArray(val)) {
+        currentLevelClone[key] = []
+      } else {
+        currentLevelClone[key] = {}
+      }
+    })
+
+    value = JSON.stringify(cloneObj, null, 2)
+
+    if (counter > 0) {
+      let keysRegex
+      if (loadSensitiveRanges) {
+        keysRegex = KEYS_REGEX_WITH_SENSITIVE_RANGES
+      } else {
+        keysRegex = KEYS_REGEX_WITHOUT_SENSITIVE_RANGES
+      }
+      keysRegex.lastIndex = 0
+
+      let regexRes = keysRegex.exec(value)
+      while (regexRes) {
+        const offset = regexRes.index + 1 // +1 to increase the " char
+
+        if (regexRes[1]) {
+          // is a range
+          const rangesId = regexRes[1]
+          value = value.replace(rangesId, '')
+
+          const updatedRanges = allRanges[rangesId].map(range => {
+            return {
+              ...range,
+              start: range.start + offset,
+              end: range.end + offset
+            }
+          })
+
+          ranges.push(...updatedRanges)
+        } else if (regexRes[2]) {
+          // is a sensitive string literal
+          const sensitiveId = regexRes[2]
+
+          sensitiveRanges.push({
+            start: offset,
+            end: offset + parseInt(regexRes[3])
+          })
+
+          value = value.replace(sensitiveId, '')
+        } else if (regexRes[4]) {
+          // is a sensitive value (number, null, false, ...)
+          const sensitiveId = regexRes[4]
+          const originalValue = regexRes[5]
+
+          sensitiveRanges.push({
+            start: regexRes.index,
+            end: regexRes.index + originalValue.length
+          })
+
+          value = value.replace(sensitiveId, originalValue)
+        }
+
+        keysRegex.lastIndex = 0
+        regexRes = keysRegex.exec(value)
+      }
+    }
+  } else {
+    value = JSON.stringify(obj, null, 2)
+  }
+
+  return { value, ranges, sensitiveRanges }
+}
+
+module.exports = { stringifyWithRanges }

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -1,10 +1,12 @@
 module.exports = {
   COMMAND_INJECTION: 'COMMAND_INJECTION',
+  HARDCODED_SECRET: 'HARDCODED_SECRET',
   HSTS_HEADER_MISSING: 'HSTS_HEADER_MISSING',
   INSECURE_COOKIE: 'INSECURE_COOKIE',
   LDAP_INJECTION: 'LDAP_INJECTION',
   NO_HTTPONLY_COOKIE: 'NO_HTTPONLY_COOKIE',
   NO_SAMESITE_COOKIE: 'NO_SAMESITE_COOKIE',
+  NOSQL_MONGODB_INJECTION: 'NOSQL_MONGODB_INJECTION',
   PATH_TRAVERSAL: 'PATH_TRAVERSAL',
   SQL_INJECTION: 'SQL_INJECTION',
   SSRF: 'SSRF',

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -95,7 +95,11 @@ function deduplicateVulnerabilities (vulnerabilities) {
 
 function start (config, _tracer) {
   deduplicationEnabled = config.iast.deduplicationEnabled
-  vulnerabilitiesFormatter.setRedactVulnerabilities(config.iast.redactionEnabled)
+  vulnerabilitiesFormatter.setRedactVulnerabilities(
+    config.iast.redactionEnabled,
+    config.iast.redactionNamePattern,
+    config.iast.redactionValuePattern
+  )
   if (deduplicationEnabled) {
     startClearCacheTimer()
   }

package/packages/dd-trace/src/appsec/index.js

@@ -10,7 +10,9 @@ const {
   incomingHttpRequestStart,
   incomingHttpRequestEnd,
   passportVerify,
-  queryParser
+  queryParser,
+  nextBodyParsed,
+  nextQueryParsed
 } = require('./channels')
 const waf = require('./waf')
 const addresses = require('./addresses')
@@ -30,6 +32,8 @@ function enable (_config) {
   if (isEnabled) return
 
   try {
+    appsecTelemetry.enable(_config.telemetry)
+
     setTemplates(_config)
 
     RuleManager.applyRules(_config.appsec.rules, _config.appsec)
@@ -38,11 +42,11 @@ function enable (_config) {
 
     Reporter.setRateLimit(_config.appsec.rateLimit)
 
-    appsecTelemetry.enable(_config.telemetry)
-
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
     bodyParser.subscribe(onRequestBodyParsed)
+    nextBodyParsed.subscribe(onRequestBodyParsed)
+    nextQueryParsed.subscribe(onRequestQueryParsed)
     queryParser.subscribe(onRequestQueryParsed)
     cookieParser.subscribe(onRequestCookieParser)
     graphqlFinishExecute.subscribe(onGraphqlFinishExecute)
@@ -117,6 +121,10 @@ function incomingHttpEndTranslator ({ req, res }) {
     payload[addresses.HTTP_INCOMING_COOKIES] = req.cookies
   }
 
+  if (req.query && typeof req.query === 'object') {
+    payload[addresses.HTTP_INCOMING_QUERY] = req.query
+  }
+
   waf.run(payload, req)
 
   waf.disposeContext(req)
@@ -124,38 +132,48 @@ function incomingHttpEndTranslator ({ req, res }) {
   Reporter.finishRequest(req, res)
 }
 
-function onRequestBodyParsed ({ req, res, abortController }) {
+function onRequestBodyParsed ({ req, res, body, abortController }) {
+  if (body === undefined || body === null) return
+
+  if (!req) {
+    const store = storage.getStore()
+    req = store?.req
+  }
+
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
-  if (req.body === undefined || req.body === null) return
-
   const results = waf.run({
-    [addresses.HTTP_INCOMING_BODY]: req.body
+    [addresses.HTTP_INCOMING_BODY]: body
   }, req)
 
   handleResults(results, req, res, rootSpan, abortController)
 }
 
-function onRequestQueryParsed ({ req, res, abortController }) {
+function onRequestQueryParsed ({ req, res, query, abortController }) {
+  if (!query || typeof query !== 'object') return
+
+  if (!req) {
+    const store = storage.getStore()
+    req = store?.req
+  }
+
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
-  if (!req.query || typeof req.query !== 'object') return
-
   const results = waf.run({
-    [addresses.HTTP_INCOMING_QUERY]: req.query
+    [addresses.HTTP_INCOMING_QUERY]: query
   }, req)
 
   handleResults(results, req, res, rootSpan, abortController)
 }
 
 function onRequestCookieParser ({ req, res, abortController, cookies }) {
+  if (!cookies || typeof cookies !== 'object') return
+
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
-  if (!cookies || typeof cookies !== 'object') return
-
   const results = waf.run({
     [addresses.HTTP_INCOMING_COOKIES]: cookies
   }, req)

package/packages/dd-trace/src/appsec/remote_config/manager.js

@@ -3,11 +3,12 @@
 const { URL, format } = require('url')
 const uuid = require('crypto-randomuuid')
 const { EventEmitter } = require('events')
-const Scheduler = require('./scheduler')
 const tracerVersion = require('../../../../../package.json').version
 const request = require('../../exporters/common/request')
 const log = require('../../log')
+const { getExtraServices } = require('../../service-naming/extra-services')
 const { UNACKNOWLEDGED, ACKNOWLEDGED, ERROR } = require('./apply_states')
+const Scheduler = require('./scheduler')
 
 const clientId = uuid()
 
@@ -57,7 +58,8 @@ class RemoteConfigManager extends EventEmitter {
           tracer_version: tracerVersion,
           service: config.service,
           env: config.env,
-          app_version: config.version
+          app_version: config.version,
+          extra_services: []
         },
         capabilities: DEFAULT_CAPABILITY // updated by `updateCapabilities()`
       },
@@ -113,8 +115,14 @@ class RemoteConfigManager extends EventEmitter {
     this.state.client.products = this.eventNames().filter(e => typeof e === 'string')
   }
 
+  getPayload () {
+    this.state.client.client_tracer.extra_services = getExtraServices()
+
+    return JSON.stringify(this.state)
+  }
+
   poll (cb) {
-    request(JSON.stringify(this.state), this.requestOptions, (err, data, statusCode) => {
+    request(this.getPayload(), this.requestOptions, (err, data, statusCode) => {
       // 404 means RC is disabled, ignore it
       if (statusCode === 404) return cb()
 

package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js

@@ -2,6 +2,12 @@
 
 const log = require('../../log')
 const Reporter = require('../reporter')
+const addresses = require('../addresses')
+
+// TODO: remove once ephemeral addresses are implemented
+const preventDuplicateAddresses = new Set([
+  addresses.HTTP_INCOMING_QUERY
+])
 
 class WAFContextWrapper {
   constructor (ddwafContext, requiredAddresses, wafTimeout, wafVersion, rulesVersion) {
@@ -10,16 +16,21 @@ class WAFContextWrapper {
     this.wafTimeout = wafTimeout
     this.wafVersion = wafVersion
     this.rulesVersion = rulesVersion
+    this.addressesToSkip = new Set()
   }
 
   run (params) {
     const inputs = {}
     let someInputAdded = false
+    const newAddressesToSkip = new Set(this.addressesToSkip)
 
     // TODO: possible optimizaion: only send params that haven't already been sent with same value to this wafContext
     for (const key of Object.keys(params)) {
-      if (this.requiredAddresses.has(key)) {
+      if (this.requiredAddresses.has(key) && !this.addressesToSkip.has(key)) {
         inputs[key] = params[key]
+        if (preventDuplicateAddresses.has(key)) {
+          newAddressesToSkip.add(key)
+        }
         someInputAdded = true
       }
     }
@@ -33,6 +44,8 @@ class WAFContextWrapper {
 
       const end = process.hrtime.bigint()
 
+      this.addressesToSkip = newAddressesToSkip
+
       const ruleTriggered = !!result.events?.length
       const blockTriggered = result.actions?.includes('block')
 

package/packages/dd-trace/src/ci-visibility/intelligent-test-runner/get-itr-configuration.js

@@ -1,5 +1,6 @@
 const request = require('../../exporters/common/request')
 const id = require('../../id')
+const log = require('../../log')
 
 function getItrConfiguration ({
   url,
@@ -72,8 +73,9 @@ function getItrConfiguration ({
             }
           }
         } = JSON.parse(res)
-
-        done(null, { isCodeCoverageEnabled, isSuitesSkippingEnabled })
+        const config = { isCodeCoverageEnabled, isSuitesSkippingEnabled }
+        log.debug(() => `Received settings: ${config}`)
+        done(null, config)
       } catch (err) {
         done(err)
       }

package/packages/dd-trace/src/ci-visibility/intelligent-test-runner/get-skippable-suites.js

@@ -1,4 +1,5 @@
 const request = require('../../exporters/common/request')
+const log = require('../../log')
 
 function getSkippableSuites ({
   url,
@@ -73,6 +74,7 @@ function getSkippableSuites ({
             }
             return { suite, name }
           })
+        log.debug(() => `Number of received skippable ${testLevel}s: ${skippableSuites.length}`)
         done(null, skippableSuites)
       } catch (err) {
         done(err)

package/packages/dd-trace/src/config.js

@@ -10,7 +10,7 @@ const coalesce = require('koalas')
 const tagger = require('./tagger')
 const { isTrue, isFalse } = require('./util')
 const { GIT_REPOSITORY_URL, GIT_COMMIT_SHA } = require('./plugins/util/tags')
-const { getGitMetadataFromGitProperties } = require('./git_properties')
+const { getGitMetadataFromGitProperties, removeUserSensitiveInfo } = require('./git_properties')
 const { updateConfig } = require('./telemetry')
 const { getIsGCPFunction, getIsAzureFunctionConsumptionPlan } = require('./serverless')
 
@@ -179,6 +179,11 @@ class Config {
       false
     )
 
+    const DD_TRACE_MEMCACHED_COMMAND_ENABLED = coalesce(
+      process.env.DD_TRACE_MEMCACHED_COMMAND_ENABLED,
+      false
+    )
+
     const DD_SERVICE = options.service ||
       process.env.DD_SERVICE ||
       process.env.DD_SERVICE_NAME ||
@@ -246,7 +251,7 @@ class Config {
     )
     const DD_TELEMETRY_METRICS_ENABLED = coalesce(
       process.env.DD_TELEMETRY_METRICS_ENABLED,
-      false
+      true
     )
     const DD_TRACE_AGENT_PROTOCOL_VERSION = coalesce(
       options.protocolVersion,
@@ -442,7 +447,7 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
       5 // seconds
     )
 
-    const iastOptions = options.experimental && options.experimental.iast
+    const iastOptions = options?.experimental?.iast
     const DD_IAST_ENABLED = coalesce(
       iastOptions &&
       (iastOptions === true || iastOptions.enabled === true),
@@ -456,7 +461,7 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
 
     const defaultIastRequestSampling = 30
     const iastRequestSampling = coalesce(
-      parseInt(iastOptions && iastOptions.requestSampling),
+      parseInt(iastOptions?.requestSampling),
       parseInt(process.env.DD_IAST_REQUEST_SAMPLING),
       defaultIastRequestSampling
     )
@@ -464,31 +469,43 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
       iastRequestSampling > 100 ? defaultIastRequestSampling : iastRequestSampling
 
     const DD_IAST_MAX_CONCURRENT_REQUESTS = coalesce(
-      parseInt(iastOptions && iastOptions.maxConcurrentRequests),
+      parseInt(iastOptions?.maxConcurrentRequests),
       parseInt(process.env.DD_IAST_MAX_CONCURRENT_REQUESTS),
       2
     )
 
     const DD_IAST_MAX_CONTEXT_OPERATIONS = coalesce(
-      parseInt(iastOptions && iastOptions.maxContextOperations),
+      parseInt(iastOptions?.maxContextOperations),
       parseInt(process.env.DD_IAST_MAX_CONTEXT_OPERATIONS),
       2
     )
 
     const DD_IAST_DEDUPLICATION_ENABLED = coalesce(
-      iastOptions && iastOptions.deduplicationEnabled,
+      iastOptions?.deduplicationEnabled,
       process.env.DD_IAST_DEDUPLICATION_ENABLED && isTrue(process.env.DD_IAST_DEDUPLICATION_ENABLED),
       true
     )
 
     const DD_IAST_REDACTION_ENABLED = coalesce(
-      iastOptions && iastOptions.redactionEnabled,
+      iastOptions?.redactionEnabled,
       !isFalse(process.env.DD_IAST_REDACTION_ENABLED),
       true
     )
 
+    const DD_IAST_REDACTION_NAME_PATTERN = coalesce(
+      iastOptions?.redactionNamePattern,
+      process.env.DD_IAST_REDACTION_NAME_PATTERN,
+      null
+    )
+
+    const DD_IAST_REDACTION_VALUE_PATTERN = coalesce(
+      iastOptions?.redactionValuePattern,
+      process.env.DD_IAST_REDACTION_VALUE_PATTERN,
+      null
+    )
+
     const DD_IAST_TELEMETRY_VERBOSITY = coalesce(
-      iastOptions && iastOptions.telemetryVerbosity,
+      iastOptions?.telemetryVerbosity,
       process.env.DD_IAST_TELEMETRY_VERBOSITY,
       'INFORMATION'
     )
@@ -583,8 +600,8 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
     this.telemetry = {
       enabled: DD_TRACE_EXPORTER !== 'datadog' && isTrue(DD_TRACE_TELEMETRY_ENABLED),
       heartbeatInterval: DD_TELEMETRY_HEARTBEAT_INTERVAL,
-      logCollection: isTrue(DD_TELEMETRY_LOG_COLLECTION_ENABLED),
       debug: isTrue(DD_TELEMETRY_DEBUG),
+      logCollection: isTrue(DD_TELEMETRY_LOG_COLLECTION_ENABLED),
       metrics: isTrue(DD_TELEMETRY_METRICS_ENABLED)
     }
     this.protocolVersion = DD_TRACE_AGENT_PROTOCOL_VERSION
@@ -615,6 +632,8 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
       maxContextOperations: DD_IAST_MAX_CONTEXT_OPERATIONS,
       deduplicationEnabled: DD_IAST_DEDUPLICATION_ENABLED,
       redactionEnabled: DD_IAST_REDACTION_ENABLED,
+      redactionNamePattern: DD_IAST_REDACTION_NAME_PATTERN,
+      redactionValuePattern: DD_IAST_REDACTION_VALUE_PATTERN,
       telemetryVerbosity: DD_IAST_TELEMETRY_VERBOSITY
     }
 
@@ -629,10 +648,15 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
 
     this.openaiSpanCharLimit = DD_OPENAI_SPAN_CHAR_LIMIT
 
+    // Requires an accompanying DD_APM_OBFUSCATION_MEMCACHED_KEEP_COMMAND=true in the agent
+    this.memcachedCommandEnabled = isTrue(DD_TRACE_MEMCACHED_COMMAND_ENABLED)
+
     if (this.gitMetadataEnabled) {
-      this.repositoryUrl = coalesce(
-        process.env.DD_GIT_REPOSITORY_URL,
-        this.tags[GIT_REPOSITORY_URL]
+      this.repositoryUrl = removeUserSensitiveInfo(
+        coalesce(
+          process.env.DD_GIT_REPOSITORY_URL,
+          this.tags[GIT_REPOSITORY_URL]
+        )
       )
       this.commitSHA = coalesce(
         process.env.DD_GIT_COMMIT_SHA,

package/packages/dd-trace/src/format.js

@@ -4,6 +4,7 @@ const constants = require('./constants')
 const tags = require('../../../ext/tags')
 const id = require('./id')
 const { isError } = require('./util')
+const { registerExtraService } = require('./service-naming/extra-services')
 
 const SAMPLING_PRIORITY_KEY = constants.SAMPLING_PRIORITY_KEY
 const SAMPLING_RULE_DECISION = constants.SAMPLING_RULE_DECISION
@@ -76,6 +77,8 @@ function extractTags (trace, span) {
   const tracerService = span.tracer()._service.toLowerCase()
   if (tags['service.name']?.toLowerCase() !== tracerService) {
     span.setTag(BASE_SERVICE, tracerService)
+
+    registerExtraService(tags['service.name'])
   }
 
   for (const tag in tags) {

package/packages/dd-trace/src/git_properties.js

@@ -1,6 +1,20 @@
 const commitSHARegex = /git\.commit\.sha=([a-f\d]{40})/
 const repositoryUrlRegex = /git\.repository_url=([\w\d:@/.-]+)/
 
+function removeUserSensitiveInfo (repositoryUrl) {
+  try {
+    // repository URLs can contain username and password, so we want to filter those out
+    const parsedUrl = new URL(repositoryUrl)
+    if (parsedUrl.username || parsedUrl.password) {
+      return `${parsedUrl.origin}${parsedUrl.pathname}`
+    }
+    return repositoryUrl
+  } catch (e) {
+    // if protocol isn't https, no password will be used
+    return repositoryUrl
+  }
+}
+
 function getGitMetadataFromGitProperties (gitPropertiesString) {
   if (!gitPropertiesString) {
     return {}
@@ -9,24 +23,11 @@ function getGitMetadataFromGitProperties (gitPropertiesString) {
   const repositoryUrlMatch = gitPropertiesString.match(repositoryUrlRegex)
 
   const repositoryUrl = repositoryUrlMatch ? repositoryUrlMatch[1] : undefined
-  let parsedUrl = repositoryUrl
-
-  if (repositoryUrl) {
-    try {
-      // repository URLs can contain username and password, so we want to filter those out
-      parsedUrl = new URL(repositoryUrl)
-      if (parsedUrl.password) {
-        parsedUrl = `${parsedUrl.origin}${parsedUrl.pathname}`
-      }
-    } catch (e) {
-      // if protocol isn't https, no password will be used
-    }
-  }
 
   return {
     commitSHA: commitSHAMatch ? commitSHAMatch[1] : undefined,
-    repositoryUrl: parsedUrl
+    repositoryUrl: removeUserSensitiveInfo(repositoryUrl)
   }
 }
 
-module.exports = { getGitMetadataFromGitProperties }
+module.exports = { getGitMetadataFromGitProperties, removeUserSensitiveInfo }

package/packages/dd-trace/src/plugin_manager.js

@@ -136,7 +136,8 @@ module.exports = class PluginManager {
       headerTags,
       dbmPropagationMode,
       dsmEnabled,
-      clientIpEnabled
+      clientIpEnabled,
+      memcachedCommandEnabled
     } = this._tracerConfig
 
     const sharedConfig = {}
@@ -151,6 +152,7 @@ module.exports = class PluginManager {
 
     sharedConfig.dbmPropagationMode = dbmPropagationMode
     sharedConfig.dsmEnabled = dsmEnabled
+    sharedConfig.memcachedCommandEnabled = memcachedCommandEnabled
 
     if (serviceMapping && serviceMapping[name]) {
       sharedConfig.service = serviceMapping[name]