dd-trace 4.18.0 → 5.6.0

package/packages/dd-trace/src/appsec/blocking.js

@@ -3,93 +3,142 @@
 const log = require('../log')
 const blockedTemplates = require('./blocked_templates')
 
+const detectedSpecificEndpoints = {}
+
 let templateHtml = blockedTemplates.html
 let templateJson = blockedTemplates.json
+let templateGraphqlJson = blockedTemplates.graphqlJson
 let blockingConfiguration
 
-function blockWithRedirect (res, rootSpan, abortController) {
-  rootSpan.addTags({
-    'appsec.blocked': 'true'
-  })
+const specificBlockingTypes = {
+  GRAPHQL: 'graphql'
+}
 
+function getSpecificKey (method, url) {
+  return `${method}+${url}`
+}
+
+function addSpecificEndpoint (method, url, type) {
+  detectedSpecificEndpoints[getSpecificKey(method, url)] = type
+}
+
+function getBlockWithRedirectData (rootSpan) {
   let statusCode = blockingConfiguration.parameters.status_code
   if (!statusCode || statusCode < 300 || statusCode >= 400) {
     statusCode = 303
   }
-
-  res.writeHead(statusCode, {
+  const headers = {
     'Location': blockingConfiguration.parameters.location
-  }).end()
+  }
+
+  rootSpan.addTags({
+    'appsec.blocked': 'true'
+  })
 
-  if (abortController) {
-    abortController.abort()
+  return { headers, statusCode }
+}
+
+function getSpecificBlockingData (type) {
+  switch (type) {
+    case specificBlockingTypes.GRAPHQL:
+      return {
+        type: 'application/json',
+        body: templateGraphqlJson
+      }
   }
 }
 
-function blockWithContent (req, res, rootSpan, abortController) {
+function getBlockWithContentData (req, specificType, rootSpan) {
   let type
   let body
+  let statusCode
 
-  // parse the Accept header, ex: Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
-  const accept = req.headers.accept && req.headers.accept.split(',').map((str) => str.split(';', 1)[0].trim())
+  const specificBlockingType = specificType || detectedSpecificEndpoints[getSpecificKey(req.method, req.url)]
+  if (specificBlockingType) {
+    const specificBlockingContent = getSpecificBlockingData(specificBlockingType)
+    type = specificBlockingContent?.type
+    body = specificBlockingContent?.body
+  }
 
-  if (!blockingConfiguration || blockingConfiguration.parameters.type === 'auto') {
-    if (accept && accept.includes('text/html') && !accept.includes('application/json')) {
-      type = 'text/html; charset=utf-8'
-      body = templateHtml
+  if (!type) {
+    // parse the Accept header, ex: Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
+    const accept = req.headers.accept?.split(',').map((str) => str.split(';', 1)[0].trim())
+
+    if (!blockingConfiguration || blockingConfiguration.parameters.type === 'auto') {
+      if (accept?.includes('text/html') && !accept.includes('application/json')) {
+        type = 'text/html; charset=utf-8'
+        body = templateHtml
+      } else {
+        type = 'application/json'
+        body = templateJson
+      }
     } else {
-      type = 'application/json'
-      body = templateJson
+      if (blockingConfiguration.parameters.type === 'html') {
+        type = 'text/html; charset=utf-8'
+        body = templateHtml
+      } else {
+        type = 'application/json'
+        body = templateJson
+      }
     }
+  }
+
+  if (blockingConfiguration?.type === 'block_request' && blockingConfiguration.parameters.status_code) {
+    statusCode = blockingConfiguration.parameters.status_code
   } else {
-    if (blockingConfiguration.parameters.type === 'html') {
-      type = 'text/html; charset=utf-8'
-      body = templateHtml
-    } else {
-      type = 'application/json'
-      body = templateJson
-    }
+    statusCode = 403
+  }
+
+  const headers = {
+    'Content-Type': type,
+    'Content-Length': Buffer.byteLength(body)
   }
 
   rootSpan.addTags({
     'appsec.blocked': 'true'
   })
 
-  if (blockingConfiguration && blockingConfiguration.type === 'block_request' &&
-    blockingConfiguration.parameters.status_code) {
-    res.statusCode = blockingConfiguration.parameters.status_code
-  } else {
-    res.statusCode = 403
-  }
-  res.setHeader('Content-Type', type)
-  res.setHeader('Content-Length', Buffer.byteLength(body))
-  res.end(body)
+  return { body, statusCode, headers }
+}
 
-  if (abortController) {
-    abortController.abort()
+function getBlockingData (req, specificType, rootSpan) {
+  if (blockingConfiguration?.type === 'redirect_request' && blockingConfiguration.parameters.location) {
+    return getBlockWithRedirectData(rootSpan)
+  } else {
+    return getBlockWithContentData(req, specificType, rootSpan)
   }
 }
 
-function block (req, res, rootSpan, abortController) {
+function block (req, res, rootSpan, abortController, type) {
   if (res.headersSent) {
     log.warn('Cannot send blocking response when headers have already been sent')
     return
   }
 
-  if (blockingConfiguration && blockingConfiguration.type === 'redirect_request' &&
-      blockingConfiguration.parameters.location) {
-    blockWithRedirect(res, rootSpan, abortController)
-  } else {
-    blockWithContent(req, res, rootSpan, abortController)
-  }
+  const { body, headers, statusCode } = getBlockingData(req, type, rootSpan)
+
+  res.writeHead(statusCode, headers).end(body)
+
+  abortController?.abort()
 }
 
 function setTemplates (config) {
   if (config.appsec.blockedTemplateHtml) {
     templateHtml = config.appsec.blockedTemplateHtml
+  } else {
+    templateHtml = blockedTemplates.html
   }
+
   if (config.appsec.blockedTemplateJson) {
     templateJson = config.appsec.blockedTemplateJson
+  } else {
+    templateJson = blockedTemplates.json
+  }
+
+  if (config.appsec.blockedTemplateGraphql) {
+    templateGraphqlJson = config.appsec.blockedTemplateGraphql
+  } else {
+    templateGraphqlJson = blockedTemplates.graphqlJson
   }
 }
 
@@ -98,7 +147,10 @@ function updateBlockingConfiguration (newBlockingConfiguration) {
 }
 
 module.exports = {
+  addSpecificEndpoint,
   block,
+  specificBlockingTypes,
+  getBlockingData,
   setTemplates,
   updateBlockingConfiguration
 }

package/packages/dd-trace/src/appsec/channels.js

@@ -1,17 +1,21 @@
 'use strict'
 
-const dc = require('../../../diagnostics_channel')
+const dc = require('dc-polyfill')
 
 // TODO: use TBD naming convention
 module.exports = {
   bodyParser: dc.channel('datadog:body-parser:read:finish'),
   cookieParser: dc.channel('datadog:cookie-parser:read:finish'),
-  graphqlFinishExecute: dc.channel('apm:graphql:execute:finish'),
+  startGraphqlResolve: dc.channel('datadog:graphql:resolver:start'),
+  graphqlMiddlewareChannel: dc.tracingChannel('datadog:apollo:middleware'),
+  apolloChannel: dc.tracingChannel('datadog:apollo:request'),
+  apolloServerCoreChannel: dc.tracingChannel('datadog:apollo-server-core:request'),
   incomingHttpRequestStart: dc.channel('dd-trace:incomingHttpRequestStart'),
   incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
   passportVerify: dc.channel('datadog:passport:verify:finish'),
   queryParser: dc.channel('datadog:query:read:finish'),
   setCookieChannel: dc.channel('datadog:iast:set-cookie'),
   nextBodyParsed: dc.channel('apm:next:body-parsed'),
-  nextQueryParsed: dc.channel('apm:next:query-parsed')
+  nextQueryParsed: dc.channel('apm:next:query-parsed'),
+  responseBody: dc.channel('datadog:express:response:json:start')
 }

package/packages/dd-trace/src/appsec/graphql.js

@@ -0,0 +1,146 @@
+'use strict'
+
+const { storage } = require('../../../datadog-core')
+const { addSpecificEndpoint, specificBlockingTypes, getBlockingData } = require('./blocking')
+const waf = require('./waf')
+const addresses = require('./addresses')
+const web = require('../plugins/util/web')
+const {
+  startGraphqlResolve,
+  graphqlMiddlewareChannel,
+  apolloChannel,
+  apolloServerCoreChannel
+} = require('./channels')
+
+const graphqlRequestData = new WeakMap()
+
+function enable () {
+  enableApollo()
+  enableGraphql()
+}
+
+function disable () {
+  disableApollo()
+  disableGraphql()
+}
+
+function onGraphqlStartResolve ({ context, resolverInfo }) {
+  const req = storage.getStore()?.req
+
+  if (!req) return
+
+  if (!resolverInfo || typeof resolverInfo !== 'object') return
+
+  const actions = waf.run({ ephemeral: { [addresses.HTTP_INCOMING_GRAPHQL_RESOLVER]: resolverInfo } }, req)
+  if (actions?.includes('block')) {
+    const requestData = graphqlRequestData.get(req)
+    if (requestData?.isInGraphqlRequest) {
+      requestData.blocked = true
+      context?.abortController?.abort()
+    }
+  }
+}
+
+function enterInApolloMiddleware (data) {
+  const req = data?.req || storage.getStore()?.req
+  if (!req) return
+
+  graphqlRequestData.set(req, {
+    inApolloMiddleware: true,
+    blocked: false
+  })
+}
+
+function enterInApolloServerCoreRequest () {
+  const req = storage.getStore()?.req
+  if (!req) return
+
+  graphqlRequestData.set(req, {
+    isInGraphqlRequest: true,
+    blocked: false
+  })
+}
+
+function exitFromApolloMiddleware (data) {
+  const req = data?.req || storage.getStore()?.req
+  const requestData = graphqlRequestData.get(req)
+  if (requestData) requestData.inApolloMiddleware = false
+}
+
+function enterInApolloRequest () {
+  const req = storage.getStore()?.req
+
+  const requestData = graphqlRequestData.get(req)
+  if (requestData?.inApolloMiddleware) {
+    requestData.isInGraphqlRequest = true
+    addSpecificEndpoint(req.method, req.originalUrl || req.url, specificBlockingTypes.GRAPHQL)
+  }
+}
+
+function beforeWriteApolloGraphqlResponse ({ abortController, abortData }) {
+  const req = storage.getStore()?.req
+  if (!req) return
+
+  const requestData = graphqlRequestData.get(req)
+
+  if (requestData?.blocked) {
+    const rootSpan = web.root(req)
+    if (!rootSpan) return
+
+    const blockingData = getBlockingData(req, specificBlockingTypes.GRAPHQL, rootSpan)
+    abortData.statusCode = blockingData.statusCode
+    abortData.headers = blockingData.headers
+    abortData.message = blockingData.body
+
+    abortController?.abort()
+  }
+
+  graphqlRequestData.delete(req)
+}
+
+function enableApollo () {
+  graphqlMiddlewareChannel.subscribe({
+    start: enterInApolloMiddleware,
+    end: exitFromApolloMiddleware
+  })
+
+  apolloServerCoreChannel.subscribe({
+    start: enterInApolloServerCoreRequest,
+    asyncEnd: beforeWriteApolloGraphqlResponse
+  })
+
+  apolloChannel.subscribe({
+    start: enterInApolloRequest,
+    asyncEnd: beforeWriteApolloGraphqlResponse
+  })
+}
+
+function disableApollo () {
+  graphqlMiddlewareChannel.unsubscribe({
+    start: enterInApolloMiddleware,
+    end: exitFromApolloMiddleware
+  })
+
+  apolloServerCoreChannel.unsubscribe({
+    start: enterInApolloServerCoreRequest,
+    asyncEnd: beforeWriteApolloGraphqlResponse
+  })
+
+  apolloChannel.unsubscribe({
+    start: enterInApolloRequest,
+    asyncEnd: beforeWriteApolloGraphqlResponse
+  })
+}
+
+function enableGraphql () {
+  startGraphqlResolve.subscribe(onGraphqlStartResolve)
+}
+
+function disableGraphql () {
+  if (startGraphqlResolve.hasSubscribers) startGraphqlResolve.unsubscribe(onGraphqlStartResolve)
+}
+
+module.exports = {
+  enable,
+  disable
+}

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -3,6 +3,7 @@
 module.exports = {
   'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
   'HARCODED_SECRET_ANALYZER': require('./hardcoded-secret-analyzer'),
+  'HEADER_INJECTION_ANALYZER': require('./header-injection-analyzer'),
   'HSTS_HEADER_MISSING_ANALYZER': require('./hsts-header-missing-analyzer'),
   'INSECURE_COOKIE_ANALYZER': require('./insecure-cookie-analyzer'),
   'LDAP_ANALYZER': require('./ldap-injection-analyzer'),
@@ -15,5 +16,6 @@ module.exports = {
   'UNVALIDATED_REDIRECT_ANALYZER': require('./unvalidated-redirect-analyzer'),
   'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
   'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer'),
+  'WEAK_RANDOMNESS_ANALYZER': require('./weak-randomness-analyzer'),
   'XCONTENTTYPE_HEADER_MISSING_ANALYZER': require('./xcontenttype-header-missing-analyzer')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/command-injection-analyzer.js

@@ -8,7 +8,7 @@ class CommandInjectionAnalyzer extends InjectionAnalyzer {
   }
 
   onConfigure () {
-    this.addSub('datadog:child_process:execution:start', ({ command }) => this.analyze(command))
+    this.addSub('tracing:datadog:child_process:execution:start', ({ command }) => this.analyze(command))
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/header-injection-analyzer.js

@@ -0,0 +1,105 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+const { HEADER_INJECTION } = require('../vulnerabilities')
+const { getNodeModulesPaths } = require('../path-line')
+const { HEADER_NAME_VALUE_SEPARATOR } = require('../vulnerabilities-formatter/constants')
+const { getRanges } = require('../taint-tracking/operations')
+const {
+  HTTP_REQUEST_COOKIE_NAME,
+  HTTP_REQUEST_COOKIE_VALUE,
+  HTTP_REQUEST_HEADER_VALUE
+} = require('../taint-tracking/source-types')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('express')
+const EXCLUDED_HEADER_NAMES = [
+  'location',
+  'sec-websocket-location',
+  'sec-websocket-accept',
+  'upgrade',
+  'connection'
+]
+
+class HeaderInjectionAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(HEADER_INJECTION)
+  }
+
+  onConfigure () {
+    this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => {
+      if (Array.isArray(value)) {
+        for (let i = 0; i < value.length; i++) {
+          const headerValue = value[i]
+
+          this.analyze({ name, value: headerValue })
+        }
+      } else {
+        this.analyze({ name, value })
+      }
+    })
+  }
+
+  _isVulnerable ({ name, value }, iastContext) {
+    const lowerCasedHeaderName = name?.trim().toLowerCase()
+
+    if (this.isExcludedHeaderName(lowerCasedHeaderName) || typeof value !== 'string') return
+
+    const ranges = getRanges(iastContext, value)
+    if (ranges?.length > 0) {
+      return !(this.isCookieExclusion(lowerCasedHeaderName, ranges) ||
+        this.isSameHeaderExclusion(lowerCasedHeaderName, ranges) ||
+        this.isAccessControlAllowExclusion(lowerCasedHeaderName, ranges))
+    }
+
+    return false
+  }
+
+  _getEvidence (headerInfo, iastContext) {
+    const prefix = headerInfo.name + HEADER_NAME_VALUE_SEPARATOR
+    const prefixLength = prefix.length
+
+    const evidence = super._getEvidence(headerInfo.value, iastContext)
+    evidence.value = prefix + evidence.value
+    evidence.ranges = evidence.ranges.map(range => {
+      return {
+        ...range,
+        start: range.start + prefixLength,
+        end: range.end + prefixLength
+      }
+    })
+
+    return evidence
+  }
+
+  isExcludedHeaderName (name) {
+    return EXCLUDED_HEADER_NAMES.includes(name)
+  }
+
+  isCookieExclusion (name, ranges) {
+    if (name === 'set-cookie') {
+      return ranges
+        .every(range => range.iinfo.type === HTTP_REQUEST_COOKIE_VALUE || range.iinfo.type === HTTP_REQUEST_COOKIE_NAME)
+    }
+
+    return false
+  }
+
+  isAccessControlAllowExclusion (name, ranges) {
+    if (name?.startsWith('access-control-allow-')) {
+      return ranges
+        .every(range => range.iinfo.type === HTTP_REQUEST_HEADER_VALUE)
+    }
+
+    return false
+  }
+
+  isSameHeaderExclusion (name, ranges) {
+    return ranges.length === 1 && name === ranges[0].iinfo.parameterName?.toLowerCase()
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
+}
+
+module.exports = new HeaderInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js

@@ -9,7 +9,7 @@ const { storage } = require('../../../../../datadog-core')
 const { getIastContext } = require('../iast-context')
 const { HTTP_REQUEST_PARAMETER, HTTP_REQUEST_BODY } = require('../taint-tracking/source-types')
 
-const EXCLUDED_PATHS_FROM_STACK = getNodeModulesPaths('mongodb', 'mongoose')
+const EXCLUDED_PATHS_FROM_STACK = getNodeModulesPaths('mongodb', 'mongoose', 'mquery')
 const MONGODB_NOSQL_SECURE_MARK = getNextSecureMark()
 
 function iterateObjectStrings (target, fn, levelKeys = [], depth = 50, visited = new Set()) {
@@ -37,34 +37,39 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
   onConfigure () {
     this.configureSanitizers()
 
-    this.addSub('datadog:mongodb:collection:filter:start', ({ filters }) => {
+    const onStart = ({ filters }) => {
       const store = storage.getStore()
       if (store && !store.nosqlAnalyzed && filters?.length) {
         filters.forEach(filter => {
           this.analyze({ filter }, store)
         })
       }
-    })
 
-    this.addSub('datadog:mongoose:model:filter:start', ({ filters }) => {
-      const store = storage.getStore()
-      if (!store) return
+      return store
+    }
 
-      if (filters?.length) {
-        filters.forEach(filter => {
-          this.analyze({ filter }, store)
-        })
+    const onStartAndEnterWithStore = (message) => {
+      const store = onStart(message || {})
+      if (store) {
+        storage.enterWith({ ...store, nosqlAnalyzed: true, nosqlParentStore: store })
       }
+    }
 
-      storage.enterWith({ ...store, nosqlAnalyzed: true, mongooseParentStore: store })
-    })
-
-    this.addSub('datadog:mongoose:model:filter:finish', () => {
+    const onFinish = () => {
       const store = storage.getStore()
-      if (store?.mongooseParentStore) {
-        storage.enterWith(store.mongooseParentStore)
+      if (store?.nosqlParentStore) {
+        storage.enterWith(store.nosqlParentStore)
       }
-    })
+    }
+
+    this.addSub('datadog:mongodb:collection:filter:start', onStart)
+
+    this.addSub('datadog:mongoose:model:filter:start', onStartAndEnterWithStore)
+    this.addSub('datadog:mongoose:model:filter:finish', onFinish)
+
+    this.addSub('datadog:mquery:filter:prepare', onStart)
+    this.addSub('tracing:datadog:mquery:filter:start', onStartAndEnterWithStore)
+    this.addSub('tracing:datadog:mquery:filter:asyncEnd', onFinish)
   }
 
   configureSanitizers () {

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -4,8 +4,6 @@ const InjectionAnalyzer = require('./injection-analyzer')
 const { SQL_INJECTION } = require('../vulnerabilities')
 const { getRanges } = require('../taint-tracking/operations')
 const { storage } = require('../../../../../datadog-core')
-const { getIastContext } = require('../iast-context')
-const { addVulnerability } = require('../vulnerability-reporter')
 const { getNodeModulesPaths } = require('../path-line')
 
 const EXCLUDED_PATHS = getNodeModulesPaths('mysql', 'mysql2', 'sequelize', 'pg-pool', 'knex')
@@ -16,9 +14,9 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
   }
 
   onConfigure () {
-    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
-    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
-    this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, 'POSTGRES'))
+    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, undefined, 'MYSQL'))
+    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, undefined, 'MYSQL'))
+    this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, undefined, 'POSTGRES'))
 
     this.addSub(
       'datadog:sequelize:query:start',
@@ -42,7 +40,7 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
   getStoreAndAnalyze (query, dialect) {
     const parentStore = storage.getStore()
     if (parentStore) {
-      this.analyze(query, dialect, parentStore)
+      this.analyze(query, parentStore, dialect)
 
       storage.enterWith({ ...parentStore, sqlAnalyzed: true, sqlParentStore: parentStore })
     }
@@ -60,29 +58,10 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
     return { value, ranges, dialect }
   }
 
-  analyze (value, dialect, store = storage.getStore()) {
+  analyze (value, store, dialect) {
+    store = store || storage.getStore()
     if (!(store && store.sqlAnalyzed)) {
-      const iastContext = getIastContext(store)
-      if (this._isInvalidContext(store, iastContext)) return
-      this._reportIfVulnerable(value, iastContext, dialect)
-    }
-  }
-
-  _reportIfVulnerable (value, context, dialect) {
-    if (this._isVulnerable(value, context) && this._checkOCE(context)) {
-      this._report(value, context, dialect)
-      return true
-    }
-    return false
-  }
-
-  _report (value, context, dialect) {
-    const evidence = this._getEvidence(value, context, dialect)
-    const location = this._getLocation()
-    if (!this._isExcluded(location)) {
-      const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
-      const vulnerability = this._createVulnerability(this._type, evidence, spanId, location)
-      addVulnerability(context, vulnerability)
+      super.analyze(value, store, dialect)
     }
   }
 

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -22,8 +22,12 @@ class Analyzer extends SinkIastPlugin {
     return false
   }
 
-  _report (value, context) {
-    const evidence = this._getEvidence(value, context)
+  _report (value, context, meta) {
+    const evidence = this._getEvidence(value, context, meta)
+    this._reportEvidence(value, context, evidence)
+  }
+
+  _reportEvidence (value, context, evidence) {
     const location = this._getLocation(value)
     if (!this._isExcluded(location)) {
       const locationSourceMap = this._replaceLocationFromSourceMap(location)
@@ -33,9 +37,9 @@ class Analyzer extends SinkIastPlugin {
     }
   }
 
-  _reportIfVulnerable (value, context) {
+  _reportIfVulnerable (value, context, meta) {
     if (this._isVulnerable(value, context) && this._checkOCE(context, value)) {
-      this._report(value, context)
+      this._report(value, context, meta)
       return true
     }
     return false
@@ -71,11 +75,11 @@ class Analyzer extends SinkIastPlugin {
     return store && !iastContext
   }
 
-  analyze (value, store = storage.getStore()) {
+  analyze (value, store = storage.getStore(), meta) {
     const iastContext = getIastContext(store)
     if (this._isInvalidContext(store, iastContext)) return
 
-    this._reportIfVulnerable(value, iastContext)
+    this._reportIfVulnerable(value, iastContext, meta)
   }
 
   analyzeAll (...values) {