dd-trace 4.17.0 → 4.19.0

package/packages/datadog-instrumentations/src/playwright.js

@@ -1,5 +1,6 @@
 const { addHook, channel, AsyncResource } = require('./helpers/instrument')
 const shimmer = require('../../datadog-shimmer')
+const { parseAnnotations } = require('../../dd-trace/src/plugins/util/test')
 
 const testStartCh = channel('ci:playwright:test:start')
 const testFinishCh = channel('ci:playwright:test:finish')
@@ -103,7 +104,11 @@ function testBeginHandler (test) {
   })
 }
 
-function testEndHandler (test, testStatus, error) {
+function testEndHandler (test, annotations, testStatus, error) {
+  let annotationTags
+  if (annotations.length) {
+    annotationTags = parseAnnotations(annotations)
+  }
   const { _requireFile: testSuiteAbsolutePath, results, _type } = test
 
   if (_type === 'beforeAll' || _type === 'afterAll') {
@@ -113,7 +118,7 @@ function testEndHandler (test, testStatus, error) {
   const testResult = results[results.length - 1]
   const testAsyncResource = testToAr.get(test)
   testAsyncResource.runInAsyncScope(() => {
-    testFinishCh.publish({ testStatus, steps: testResult.steps, error })
+    testFinishCh.publish({ testStatus, steps: testResult.steps, error, extraTags: annotationTags })
   })
 
   if (!testSuiteToTestStatuses.has(testSuiteAbsolutePath)) {
@@ -172,7 +177,7 @@ function dispatcherHook (dispatcherExport) {
         const { results } = test
         const testResult = results[results.length - 1]
 
-        testEndHandler(test, STATUS_TO_TEST_STATUS[testResult.status], testResult.error)
+        testEndHandler(test, params.annotations, STATUS_TO_TEST_STATUS[testResult.status], testResult.error)
       }
     })
 
@@ -200,10 +205,10 @@ function dispatcherHookNew (dispatcherExport, runWrapper) {
       const test = getTestByTestId(dispatcher, testId)
       testBeginHandler(test)
     })
-    worker.on('testEnd', ({ testId, status, errors }) => {
+    worker.on('testEnd', ({ testId, status, errors, annotations }) => {
       const test = getTestByTestId(dispatcher, testId)
 
-      testEndHandler(test, STATUS_TO_TEST_STATUS[status], errors && errors[0])
+      testEndHandler(test, annotations, STATUS_TO_TEST_STATUS[status], errors && errors[0])
     })
 
     return worker
@@ -230,7 +235,7 @@ function runnerHook (runnerExport, playwrightVersion) {
       // because they were skipped
       tests.forEach(test => {
         testBeginHandler(test)
-        testEndHandler(test, 'skip')
+        testEndHandler(test, [], 'skip')
       })
     })
 

package/packages/datadog-instrumentations/src/restify.js

@@ -50,7 +50,20 @@ function wrapFn (fn) {
     enterChannel.publish({ req, route })
 
     try {
-      return fn.apply(this, arguments)
+      const result = fn.apply(this, arguments)
+      if (result && typeof result === 'object' && typeof result.then === 'function') {
+        return result.then(function () {
+          nextChannel.publish({ req })
+          finishChannel.publish({ req })
+          return arguments
+        }).catch(function (error) {
+          errorChannel.publish({ req, error })
+          nextChannel.publish({ req })
+          finishChannel.publish({ req })
+          throw error
+        })
+      }
+      return result
     } catch (error) {
       errorChannel.publish({ req, error })
       nextChannel.publish({ req })

package/packages/datadog-plugin-http/src/client.js

@@ -76,6 +76,7 @@ class HttpClientPlugin extends ClientPlugin {
   }
 
   finish ({ req, res, span }) {
+    if (!span) return
     if (res) {
       const status = res.status || res.statusCode
 
@@ -98,6 +99,7 @@ class HttpClientPlugin extends ClientPlugin {
   }
 
   error ({ span, error }) {
+    if (!span) return
     if (error) {
       span.addTags({
         [ERROR_TYPE]: error.name,

package/packages/datadog-plugin-jest/src/index.js

@@ -54,11 +54,17 @@ class JestPlugin extends CiPlugin {
       testCodeCoverageLinesTotal,
       numSkippedSuites,
       hasUnskippableSuites,
-      hasForcedToRunSuites
+      hasForcedToRunSuites,
+      error
     }) => {
       this.testSessionSpan.setTag(TEST_STATUS, status)
       this.testModuleSpan.setTag(TEST_STATUS, status)
 
+      if (error) {
+        this.testSessionSpan.setTag('error', error)
+        this.testModuleSpan.setTag('error', error)
+      }
+
       addIntelligentTestRunnerSpanTags(
         this.testSessionSpan,
         this.testModuleSpan,
@@ -150,9 +156,11 @@ class JestPlugin extends CiPlugin {
       })
     })
 
-    this.addSub('ci:jest:test-suite:finish', ({ status, errorMessage }) => {
+    this.addSub('ci:jest:test-suite:finish', ({ status, errorMessage, error }) => {
       this.testSuiteSpan.setTag(TEST_STATUS, status)
-      if (errorMessage) {
+      if (error) {
+        this.testSuiteSpan.setTag('error', error)
+      } else if (errorMessage) {
         this.testSuiteSpan.setTag('error', new Error(errorMessage))
       }
       this.testSuiteSpan.finish()

package/packages/datadog-plugin-kafkajs/src/consumer.js

@@ -1,5 +1,6 @@
 'use strict'
 
+const { getMessageSize, CONTEXT_PROPAGATION_KEY } = require('../../dd-trace/src/datastreams/processor')
 const ConsumerPlugin = require('../../dd-trace/src/plugins/consumer')
 
 class KafkajsConsumerPlugin extends ConsumerPlugin {
@@ -7,13 +8,8 @@ class KafkajsConsumerPlugin extends ConsumerPlugin {
   static get operation () { return 'consume' }
 
   start ({ topic, partition, message, groupId }) {
-    if (this.config.dsmEnabled) {
-      this.tracer.decodeDataStreamsContext(message.headers['dd-pathway-ctx'])
-      this.tracer
-        .setCheckpoint(['direction:in', `group:${groupId}`, `topic:${topic}`, 'type:kafka'])
-    }
     const childOf = extract(this.tracer, message.headers)
-    this.startSpan({
+    const span = this.startSpan({
       childOf,
       resource: topic,
       type: 'worker',
@@ -26,6 +22,12 @@ class KafkajsConsumerPlugin extends ConsumerPlugin {
         'kafka.partition': partition
       }
     })
+    if (this.config.dsmEnabled) {
+      const payloadSize = getMessageSize(message)
+      this.tracer.decodeDataStreamsContext(message.headers[CONTEXT_PROPAGATION_KEY])
+      this.tracer
+        .setCheckpoint(['direction:in', `group:${groupId}`, `topic:${topic}`, 'type:kafka'], span, payloadSize)
+    }
   }
 }
 

package/packages/datadog-plugin-kafkajs/src/producer.js

@@ -2,6 +2,8 @@
 
 const ProducerPlugin = require('../../dd-trace/src/plugins/producer')
 const { encodePathwayContext } = require('../../dd-trace/src/datastreams/pathway')
+const { getMessageSize, CONTEXT_PROPAGATION_KEY } = require('../../dd-trace/src/datastreams/processor')
+
 const BOOTSTRAP_SERVERS_KEY = 'messaging.kafka.bootstrap.servers'
 
 class KafkajsProducerPlugin extends ProducerPlugin {
@@ -11,11 +13,6 @@ class KafkajsProducerPlugin extends ProducerPlugin {
 
   start ({ topic, messages, bootstrapServers }) {
     let pathwayCtx
-    if (this.config.dsmEnabled) {
-      const dataStreamsContext = this.tracer
-        .setCheckpoint(['direction:out', `topic:${topic}`, 'type:kafka'])
-      pathwayCtx = encodePathwayContext(dataStreamsContext)
-    }
     const span = this.startSpan({
       resource: topic,
       meta: {
@@ -31,8 +28,14 @@ class KafkajsProducerPlugin extends ProducerPlugin {
     }
     for (const message of messages) {
       if (typeof message === 'object') {
-        if (this.config.dsmEnabled) message.headers['dd-pathway-ctx'] = pathwayCtx
         this.tracer.inject(span, 'text_map', message.headers)
+        if (this.config.dsmEnabled) {
+          const payloadSize = getMessageSize(message)
+          const dataStreamsContext = this.tracer
+            .setCheckpoint(['direction:out', `topic:${topic}`, 'type:kafka'], span, payloadSize)
+          pathwayCtx = encodePathwayContext(dataStreamsContext)
+          message.headers[CONTEXT_PROPAGATION_KEY] = pathwayCtx
+        }
       }
     }
   }

package/packages/datadog-plugin-mocha/src/index.js

@@ -150,13 +150,19 @@ class MochaPlugin extends CiPlugin {
       testCodeCoverageLinesTotal,
       numSkippedSuites,
       hasForcedToRunSuites,
-      hasUnskippableSuites
+      hasUnskippableSuites,
+      error
     }) => {
       if (this.testSessionSpan) {
         const { isSuitesSkippingEnabled, isCodeCoverageEnabled } = this.itrConfig || {}
         this.testSessionSpan.setTag(TEST_STATUS, status)
         this.testModuleSpan.setTag(TEST_STATUS, status)
 
+        if (error) {
+          this.testSessionSpan.setTag('error', error)
+          this.testModuleSpan.setTag('error', error)
+        }
+
         addIntelligentTestRunnerSpanTags(
           this.testSessionSpan,
           this.testModuleSpan,

package/packages/datadog-plugin-next/src/index.js

@@ -43,7 +43,7 @@ class NextPlugin extends ServerPlugin {
     this.addError(error, span)
   }
 
-  finish ({ req, res }) {
+  finish ({ req, res, nextRequest = {} }) {
     const store = storage.getStore()
 
     if (!store) return
@@ -52,7 +52,8 @@ class NextPlugin extends ServerPlugin {
     const error = span.context()._tags['error']
 
     if (!this.config.validateStatus(res.statusCode) && !error) {
-      span.setTag('error', true)
+      span.setTag('error', req.error || nextRequest.error || true)
+      web.addError(req, req.error || nextRequest.error || true)
     }
 
     span.addTags({
@@ -64,7 +65,7 @@ class NextPlugin extends ServerPlugin {
     span.finish()
   }
 
-  pageLoad ({ page, isAppPath }) {
+  pageLoad ({ page, isAppPath = false }) {
     const store = storage.getStore()
 
     if (!store) return

package/packages/datadog-plugin-playwright/src/index.js

@@ -72,7 +72,7 @@ class PlaywrightPlugin extends CiPlugin {
 
       this.enter(span, store)
     })
-    this.addSub('ci:playwright:test:finish', ({ testStatus, steps, error }) => {
+    this.addSub('ci:playwright:test:finish', ({ testStatus, steps, error, extraTags }) => {
       const store = storage.getStore()
       const span = store && store.span
       if (!span) return
@@ -82,6 +82,9 @@ class PlaywrightPlugin extends CiPlugin {
       if (error) {
         span.setTag('error', error)
       }
+      if (extraTags) {
+        span.addTags(extraTags)
+      }
 
       steps.forEach(step => {
         const stepStartTime = step.startTime.getTime()

package/packages/dd-trace/src/appsec/channels.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const dc = require('../../../diagnostics_channel')
+const dc = require('dc-polyfill')
 
 // TODO: use TBD naming convention
 module.exports = {

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -2,6 +2,7 @@
 
 module.exports = {
   'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
+  'HARCODED_SECRET_ANALYZER': require('./hardcoded-secret-analyzer'),
   'HSTS_HEADER_MISSING_ANALYZER': require('./hsts-header-missing-analyzer'),
   'INSECURE_COOKIE_ANALYZER': require('./insecure-cookie-analyzer'),
   'LDAP_ANALYZER': require('./ldap-injection-analyzer'),

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secret-analyzer.js

@@ -0,0 +1,60 @@
+'use strict'
+
+const Analyzer = require('./vulnerability-analyzer')
+const { HARDCODED_SECRET } = require('../vulnerabilities')
+const { getRelativePath } = require('../path-line')
+
+const secretRules = require('./hardcoded-secrets-rules')
+
+class HardcodedSecretAnalyzer extends Analyzer {
+  constructor () {
+    super(HARDCODED_SECRET)
+  }
+
+  onConfigure () {
+    this.addSub('datadog:secrets:result', (secrets) => { this.analyze(secrets) })
+  }
+
+  analyze (secrets) {
+    if (!secrets?.file || !secrets.literals) return
+
+    const matches = secrets.literals
+      .filter(literal => literal.value && literal.locations?.length)
+      .map(literal => {
+        const match = secretRules.find(rule => literal.value.match(rule.regex))
+
+        return match ? { locations: literal.locations, ruleId: match.id } : undefined
+      })
+      .filter(match => !!match)
+
+    if (matches.length) {
+      const file = getRelativePath(secrets.file)
+
+      matches.forEach(match => {
+        match.locations
+          .filter(location => location.line)
+          .forEach(location => this._report({
+            file,
+            line: location.line,
+            column: location.column,
+            data: match.ruleId
+          }))
+      })
+    }
+  }
+
+  _getEvidence (value) {
+    return { value: `${value.data}` }
+  }
+
+  _getLocation (value) {
+    return {
+      path: value.file,
+      line: value.line,
+      column: value.column,
+      isInternal: false
+    }
+  }
+}
+
+module.exports = new HardcodedSecretAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secrets-rules.js

@@ -0,0 +1,269 @@
+/* eslint-disable max-len */
+'use strict'
+
+module.exports = [
+  {
+    'id': 'adobe-client-secret',
+    'regex': /\b((p8e-)[a-z0-9]{32})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'age-secret-key',
+    'regex': /AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}/
+  },
+  {
+    'id': 'alibaba-access-key-id',
+    'regex': /\b((LTAI)[a-z0-9]{20})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'authress-service-client-access-key',
+    'regex': /\b((?:sc|ext|scauth|authress)_[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.acc[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'aws-access-token',
+    'regex': /\b((A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})(?:['"\s\x60;]|$)/
+  },
+  {
+    'id': 'clojars-api-token',
+    'regex': /(CLOJARS_)[a-z0-9]{60}/i
+  },
+  {
+    'id': 'databricks-api-token',
+    'regex': /\b(dapi[a-h0-9]{32})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'digitalocean-access-token',
+    'regex': /\b(doo_v1_[a-f0-9]{64})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'digitalocean-pat',
+    'regex': /\b(dop_v1_[a-f0-9]{64})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'digitalocean-refresh-token',
+    'regex': /\b(dor_v1_[a-f0-9]{64})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'doppler-api-token',
+    'regex': /(dp\.pt\.)[a-z0-9]{43}/i
+  },
+  {
+    'id': 'duffel-api-token',
+    'regex': /duffel_(test|live)_[a-z0-9_\-=]{43}/i
+  },
+  {
+    'id': 'dynatrace-api-token',
+    'regex': /dt0c01\.[a-z0-9]{24}\.[a-z0-9]{64}/i
+  },
+  {
+    'id': 'easypost-api-token',
+    'regex': /\bEZAK[a-z0-9]{54}/i
+  },
+  {
+    'id': 'flutterwave-public-key',
+    'regex': /FLWPUBK_TEST-[a-h0-9]{32}-X/i
+  },
+  {
+    'id': 'frameio-api-token',
+    'regex': /fio-u-[a-z0-9\-_=]{64}/i
+  },
+  {
+    'id': 'gcp-api-key',
+    'regex': /\b(AIza[0-9a-z\-_]{35})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'github-app-token',
+    'regex': /(ghu|ghs)_[0-9a-zA-Z]{36}/
+  },
+  {
+    'id': 'github-fine-grained-pat',
+    'regex': /github_pat_[0-9a-zA-Z_]{82}/
+  },
+  {
+    'id': 'github-oauth',
+    'regex': /gho_[0-9a-zA-Z]{36}/
+  },
+  {
+    'id': 'github-pat',
+    'regex': /ghp_[0-9a-zA-Z]{36}/
+  },
+  {
+    'id': 'gitlab-pat',
+    'regex': /glpat-[0-9a-zA-Z\-_]{20}/
+  },
+  {
+    'id': 'gitlab-ptt',
+    'regex': /glptt-[0-9a-f]{40}/
+  },
+  {
+    'id': 'gitlab-rrt',
+    'regex': /GR1348941[0-9a-zA-Z\-_]{20}/
+  },
+  {
+    'id': 'grafana-api-key',
+    'regex': /\b(eyJrIjoi[a-z0-9]{70,400}={0,2})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'grafana-cloud-api-token',
+    'regex': /\b(glc_[a-z0-9+/]{32,400}={0,2})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'grafana-service-account-token',
+    'regex': /\b(glsa_[a-z0-9]{32}_[a-f0-9]{8})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'hashicorp-tf-api-token',
+    'regex': /[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}/i
+  },
+  {
+    'id': 'jwt',
+    'regex': /\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9/_-]{17,}\.(?:[a-zA-Z0-9/_-]{10,}={0,2})?)(?:['"\s\x60;]|$)/
+  },
+  {
+    'id': 'linear-api-key',
+    'regex': /lin_api_[a-z0-9]{40}/i
+  },
+  {
+    'id': 'npm-access-token',
+    'regex': /\b(npm_[a-z0-9]{36})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'openai-api-key',
+    'regex': /\b(sk-[a-z0-9]{20}T3BlbkFJ[a-z0-9]{20})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'planetscale-api-token',
+    'regex': /\b(pscale_tkn_[a-z0-9=\-_.]{32,64})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'planetscale-oauth-token',
+    'regex': /\b(pscale_oauth_[a-z0-9=\-_.]{32,64})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'planetscale-password',
+    'regex': /\b(pscale_pw_[a-z0-9=\-_.]{32,64})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'postman-api-token',
+    'regex': /\b(PMAK-[a-f0-9]{24}-[a-f0-9]{34})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'prefect-api-token',
+    'regex': /\b(pnu_[a-z0-9]{36})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'private-key',
+    'regex': /-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S]*KEY( BLOCK)?----/i
+  },
+  {
+    'id': 'pulumi-api-token',
+    'regex': /\b(pul-[a-f0-9]{40})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'pypi-upload-token',
+    'regex': /pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}/
+  },
+  {
+    'id': 'readme-api-token',
+    'regex': /\b(rdme_[a-z0-9]{70})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'rubygems-api-token',
+    'regex': /\b(rubygems_[a-f0-9]{48})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'scalingo-api-token',
+    'regex': /tk-us-[a-zA-Z0-9-_]{48}/
+  },
+  {
+    'id': 'sendgrid-api-token',
+    'regex': /\b(SG\.[a-z0-9=_\-.]{66})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'sendinblue-api-token',
+    'regex': /\b(xkeysib-[a-f0-9]{64}-[a-z0-9]{16})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'shippo-api-token',
+    'regex': /\b(shippo_(live|test)_[a-f0-9]{40})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'shopify-access-token',
+    'regex': /shpat_[a-fA-F0-9]{32}/
+  },
+  {
+    'id': 'shopify-custom-access-token',
+    'regex': /shpca_[a-fA-F0-9]{32}/
+  },
+  {
+    'id': 'shopify-private-app-access-token',
+    'regex': /shppa_[a-fA-F0-9]{32}/
+  },
+  {
+    'id': 'shopify-shared-secret',
+    'regex': /shpss_[a-fA-F0-9]{32}/
+  },
+  {
+    'id': 'slack-app-token',
+    'regex': /(xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+)/i
+  },
+  {
+    'id': 'slack-bot-token',
+    'regex': /(xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*)/
+  },
+  {
+    'id': 'slack-config-access-token',
+    'regex': /(xoxe.xox[bp]-\d-[A-Z0-9]{163,166})/i
+  },
+  {
+    'id': 'slack-config-refresh-token',
+    'regex': /(xoxe-\d-[A-Z0-9]{146})/i
+  },
+  {
+    'id': 'slack-legacy-bot-token',
+    'regex': /(xoxb-[0-9]{8,14}-[a-zA-Z0-9]{18,26})/
+  },
+  {
+    'id': 'slack-legacy-token',
+    'regex': /(xox[os]-\d+-\d+-\d+-[a-fA-F\d]+)/
+  },
+  {
+    'id': 'slack-legacy-workspace-token',
+    'regex': /(xox[ar]-(?:\d-)?[0-9a-zA-Z]{8,48})/
+  },
+  {
+    'id': 'slack-user-token',
+    'regex': /(xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34})/
+  },
+  {
+    'id': 'slack-webhook-url',
+    'regex': /(https?:\/\/)?hooks.slack.com\/(services|workflows)\/[A-Za-z0-9+/]{43,46}/
+  },
+  {
+    'id': 'square-access-token',
+    'regex': /\b(sq0atp-[0-9a-z\-_]{22})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'square-secret',
+    'regex': /\b(sq0csp-[0-9a-z\-_]{43})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'stripe-access-token',
+    'regex': /(sk|pk)_(test|live)_[0-9a-z]{10,32}/i
+  },
+  {
+    'id': 'telegram-bot-api-token',
+    'regex': /(?:^|[^0-9])([0-9]{5,16}:A[a-z0-9_-]{34})(?:$|[^a-z0-9_-])/i
+  },
+  {
+    'id': 'twilio-api-key',
+    'regex': /SK[0-9a-fA-F]{32}/
+  },
+  {
+    'id': 'vault-batch-token',
+    'regex': /\b(hvb\.[a-z0-9_-]{138,212})(?:['"\s\x60;]|$)/i
+  },
+  {
+    'id': 'vault-service-token',
+    'regex': /\b(hvs\.[a-z0-9_-]{90,100})(?:['"\s\x60;]|$)/i
+  }
+]

package/packages/dd-trace/src/appsec/iast/analyzers/hsts-header-missing-analyzer.js

@@ -10,8 +10,11 @@ class HstsHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
     super(HSTS_HEADER_MISSING, HSTS_HEADER_NAME)
   }
   _isVulnerableFromRequestAndResponse (req, res) {
-    const headerToCheck = res.getHeader(HSTS_HEADER_NAME)
-    return !this._isHeaderValid(headerToCheck) && this._isHttpsProtocol(req)
+    const headerValues = this._getHeaderValues(res, HSTS_HEADER_NAME)
+    return this._isHttpsProtocol(req) && (
+      headerValues.length === 0 ||
+      headerValues.some(headerValue => !this._isHeaderValid(headerValue))
+    )
   }
 
   _isHeaderValid (headerValue) {

package/packages/dd-trace/src/appsec/iast/analyzers/missing-header-analyzer.js

@@ -28,6 +28,15 @@ class MissingHeaderAnalyzer extends Analyzer {
     }, (data) => this.analyze(data))
   }
 
+  _getHeaderValues (res, headerName) {
+    const headerValue = res.getHeader(headerName)
+    if (Array.isArray(headerValue)) {
+      return headerValue
+    } else {
+      return headerValue ? [headerValue.toString()] : []
+    }
+  }
+
   _getLocation () {
     return undefined
   }
@@ -41,7 +50,14 @@ class MissingHeaderAnalyzer extends Analyzer {
   }
 
   _getEvidence ({ res }) {
-    return { value: res.getHeader(this.headerName) }
+    const headerValues = this._getHeaderValues(res, this.headerName)
+    let value
+    if (headerValues.length === 1) {
+      value = headerValues[0]
+    } else if (headerValues.length > 0) {
+      value = JSON.stringify(headerValues)
+    }
+    return { value }
   }
 
   _isVulnerable ({ req, res }, context) {
@@ -56,9 +72,11 @@ class MissingHeaderAnalyzer extends Analyzer {
   }
 
   _isResponseHtml (res) {
-    const contentType = res.getHeader('content-type')
-    return contentType && HTML_CONTENT_TYPES.some(htmlContentType => {
-      return htmlContentType === contentType || contentType.startsWith(htmlContentType + ';')
+    const contentTypes = this._getHeaderValues(res, 'content-type')
+    return contentTypes.some(contentType => {
+      return contentType && HTML_CONTENT_TYPES.some(htmlContentType => {
+        return htmlContentType === contentType || contentType.startsWith(htmlContentType + ';')
+      })
     })
   }
 }