dd-trace 5.36.0 → 5.37.0

package/packages/datadog-plugin-dd-trace-api/src/index.js

@@ -28,7 +28,7 @@ module.exports = class DdTraceApiPlugin extends Plugin {
     })
 
     const handleEvent = (name) => {
-      const counter = apiMetrics.count('dd_trace_api.called', [
+      const counter = apiMetrics.count('public_api.called', [
         `name:${name.replaceAll(':', '.')}`,
         'api_version:v1',
         injectionEnabledTag
@@ -74,8 +74,6 @@ module.exports = class DdTraceApiPlugin extends Plugin {
             const proxyVal = proxy()
             objectMap.set(proxyVal, ret.value)
             ret.value = proxyVal
-          } else if (ret.value && typeof ret.value === 'object') {
-            throw new TypeError(`Objects need proxies when returned via API (${name})`)
           }
         } catch (e) {
           ret.error = e

package/packages/datadog-plugin-graphql/src/utils.js

@@ -27,7 +27,14 @@ function extractErrorIntoSpanEvent (config, span, exc) {
   if (config.graphqlErrorExtensions) {
     for (const ext of config.graphqlErrorExtensions) {
       if (exc.extensions?.[ext]) {
-        attributes[`extensions.${ext}`] = exc.extensions[ext].toString()
+        const value = exc.extensions[ext]
+
+        // We should only stringify the value if it is not of type number or boolean
+        if (typeof value === 'number' || typeof value === 'boolean') {
+          attributes[`extensions.${ext}`] = value
+        } else {
+          attributes[`extensions.${ext}`] = String(value)
+        }
       }
     }
   }

package/packages/datadog-plugin-jest/src/index.js

@@ -24,7 +24,9 @@ const {
   TEST_IS_RUM_ACTIVE,
   TEST_BROWSER_DRIVER,
   getFormattedError,
-  TEST_RETRY_REASON
+  TEST_RETRY_REASON,
+  TEST_MANAGEMENT_ENABLED,
+  TEST_MANAGEMENT_IS_QUARANTINED
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
 const id = require('../../dd-trace/src/id')
@@ -106,6 +108,7 @@ class JestPlugin extends CiPlugin {
       error,
       isEarlyFlakeDetectionEnabled,
       isEarlyFlakeDetectionFaulty,
+      isQuarantinedTestsEnabled,
       onDone
     }) => {
       this.testSessionSpan.setTag(TEST_STATUS, status)
@@ -137,6 +140,9 @@ class JestPlugin extends CiPlugin {
       if (isEarlyFlakeDetectionFaulty) {
         this.testSessionSpan.setTag(TEST_EARLY_FLAKE_ABORT_REASON, 'faulty')
       }
+      if (isQuarantinedTestsEnabled) {
+        this.testSessionSpan.setTag(TEST_MANAGEMENT_ENABLED, 'true')
+      }
 
       this.testModuleSpan.finish()
       this.telemetry.ciVisEvent(TELEMETRY_EVENT_FINISHED, 'module')
@@ -166,6 +172,7 @@ class JestPlugin extends CiPlugin {
         config._ddEarlyFlakeDetectionNumRetries = this.libraryConfig?.earlyFlakeDetectionNumRetries ?? 0
         config._ddRepositoryRoot = this.repositoryRoot
         config._ddIsFlakyTestRetriesEnabled = this.libraryConfig?.isFlakyTestRetriesEnabled ?? false
+        config._ddIsQuarantinedTestsEnabled = this.libraryConfig?.isQuarantinedTestsEnabled ?? false
         config._ddFlakyTestRetriesCount = this.libraryConfig?.flakyTestRetriesCount
         config._ddIsDiEnabled = this.libraryConfig?.isDiEnabled ?? false
         config._ddIsKnownTestsEnabled = this.libraryConfig?.isKnownTestsEnabled ?? false
@@ -325,12 +332,15 @@ class JestPlugin extends CiPlugin {
       this.activeTestSpan = span
     })
 
-    this.addSub('ci:jest:test:finish', ({ status, testStartLine }) => {
+    this.addSub('ci:jest:test:finish', ({ status, testStartLine, isQuarantined }) => {
       const span = storage('legacy').getStore().span
       span.setTag(TEST_STATUS, status)
       if (testStartLine) {
         span.setTag(TEST_SOURCE_START, testStartLine)
       }
+      if (isQuarantined) {
+        span.setTag(TEST_MANAGEMENT_IS_QUARANTINED, 'true')
+      }
 
       const spanTags = span.context()._tags
       this.telemetry.ciVisEvent(

package/packages/datadog-plugin-mocha/src/index.js

@@ -31,7 +31,9 @@ const {
   MOCHA_IS_PARALLEL,
   TEST_IS_RUM_ACTIVE,
   TEST_BROWSER_DRIVER,
-  TEST_RETRY_REASON
+  TEST_RETRY_REASON,
+  TEST_MANAGEMENT_ENABLED,
+  TEST_MANAGEMENT_IS_QUARANTINED
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
 const {
@@ -48,6 +50,8 @@ const {
 const id = require('../../dd-trace/src/id')
 const log = require('../../dd-trace/src/log')
 
+const BREAKPOINT_SET_GRACE_PERIOD_MS = 200
+
 function getTestSuiteLevelVisibilityTags (testSuiteSpan) {
   const testSuiteSpanContext = testSuiteSpan.context()
   const suiteTags = {
@@ -279,7 +283,12 @@ class MochaPlugin extends CiPlugin {
             this.runningTestProbe = { file, line }
             this.testErrorStackIndex = stackIndex
             test._ddShouldWaitForHitProbe = true
-            // TODO: we're not waiting for setProbePromise to be resolved, so there might be race conditions
+            const waitUntil = Date.now() + BREAKPOINT_SET_GRACE_PERIOD_MS
+            while (Date.now() < waitUntil) {
+              // TODO: To avoid a race condition, we should wait until `probeInformation.setProbePromise` has resolved.
+              // However, Mocha doesn't have a mechanism for waiting asyncrounously here, so for now, we'll have to
+              // fall back to a fixed syncronous delay.
+            }
           }
         }
 
@@ -302,6 +311,7 @@ class MochaPlugin extends CiPlugin {
       error,
       isEarlyFlakeDetectionEnabled,
       isEarlyFlakeDetectionFaulty,
+      isQuarantinedTestsEnabled,
       isParallel
     }) => {
       if (this.testSessionSpan) {
@@ -318,6 +328,10 @@ class MochaPlugin extends CiPlugin {
           this.testSessionSpan.setTag(MOCHA_IS_PARALLEL, 'true')
         }
 
+        if (isQuarantinedTestsEnabled) {
+          this.testSessionSpan.setTag(TEST_MANAGEMENT_ENABLED, 'true')
+        }
+
         addIntelligentTestRunnerSpanTags(
           this.testSessionSpan,
           this.testModuleSpan,
@@ -390,7 +404,8 @@ class MochaPlugin extends CiPlugin {
       isNew,
       isEfdRetry,
       testStartLine,
-      isParallel
+      isParallel,
+      isQuarantined
     } = testInfo
 
     const testName = removeEfdStringFromTestName(testInfo.testName)
@@ -409,6 +424,10 @@ class MochaPlugin extends CiPlugin {
       extraTags[MOCHA_IS_PARALLEL] = 'true'
     }
 
+    if (isQuarantined) {
+      extraTags[TEST_MANAGEMENT_IS_QUARANTINED] = 'true'
+    }
+
     const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.sourceRoot)
     const testSuiteSpan = this._testSuites.get(testSuite)
 

package/packages/datadog-plugin-mongodb-core/src/index.js

@@ -11,8 +11,9 @@ class MongodbCorePlugin extends DatabasePlugin {
   start ({ ns, ops, options = {}, name }) {
     const query = getQuery(ops)
     const resource = truncate(getResource(this, ns, query, name))
-    this.startSpan(this.operationName(), {
-      service: this.serviceName({ pluginConfig: this.config }),
+    const service = this.serviceName({ pluginConfig: this.config })
+    const span = this.startSpan(this.operationName(), {
+      service,
       resource,
       type: 'mongodb',
       kind: 'client',
@@ -24,6 +25,7 @@ class MongodbCorePlugin extends DatabasePlugin {
         'out.port': options.port
       }
     })
+    ops = this.injectDbmCommand(span, ops, service)
   }
 
   getPeerService (tags) {
@@ -34,6 +36,30 @@ class MongodbCorePlugin extends DatabasePlugin {
     }
     return super.getPeerService(tags)
   }
+
+  injectDbmCommand (span, command, serviceName) {
+    const dbmTraceComment = this.createDbmComment(span, serviceName)
+
+    if (!dbmTraceComment) {
+      return command
+    }
+
+    // create a copy of the command to avoid mutating the original
+    const dbmTracedCommand = { ...command }
+
+    if (dbmTracedCommand.comment) {
+      // if the command already has a comment, append the dbm trace comment
+      if (typeof dbmTracedCommand.comment === 'string') {
+        dbmTracedCommand.comment += `,${dbmTraceComment}`
+      } else if (Array.isArray(dbmTracedCommand.comment)) {
+        dbmTracedCommand.comment.push(dbmTraceComment)
+      } // do nothing if the comment is not a string or an array
+    } else {
+      dbmTracedCommand.comment = dbmTraceComment
+    }
+
+    return dbmTracedCommand
+  }
 }
 
 function sanitizeBigInt (data) {

package/packages/datadog-plugin-openai/src/tracing.js

@@ -15,7 +15,6 @@ let normalize
 
 function safeRequire (path) {
   try {
-    // eslint-disable-next-line import/no-extraneous-dependencies
     return require(path)
   } catch {
     return null
@@ -796,7 +795,7 @@ function truncateApiKey (apiKey) {
 
 function tagChatCompletionRequestContent (contents, messageIdx, tags) {
   if (typeof contents === 'string') {
-    tags[`openai.request.messages.${messageIdx}.content`] = contents
+    tags[`openai.request.messages.${messageIdx}.content`] = normalize(contents)
   } else if (Array.isArray(contents)) {
     // content can also be an array of objects
     // which represent text input or image url

package/packages/datadog-plugin-playwright/src/index.js

@@ -11,12 +11,15 @@ const {
   TEST_SOURCE_START,
   TEST_CODE_OWNERS,
   TEST_SOURCE_FILE,
-  TEST_CONFIGURATION_BROWSER_NAME,
+  TEST_PARAMETERS,
   TEST_IS_NEW,
   TEST_IS_RETRY,
   TEST_EARLY_FLAKE_ENABLED,
   TELEMETRY_TEST_SESSION,
-  TEST_RETRY_REASON
+  TEST_RETRY_REASON,
+  TEST_MANAGEMENT_IS_QUARANTINED,
+  TEST_MANAGEMENT_ENABLED,
+  TEST_BROWSER_NAME
 } = require('../../dd-trace/src/plugins/util/test')
 const { RESOURCE_NAME } = require('../../../ext/tags')
 const { COMPONENT } = require('../../dd-trace/src/constants')
@@ -38,7 +41,12 @@ class PlaywrightPlugin extends CiPlugin {
     this.numFailedTests = 0
     this.numFailedSuites = 0
 
-    this.addSub('ci:playwright:session:finish', ({ status, isEarlyFlakeDetectionEnabled, onDone }) => {
+    this.addSub('ci:playwright:session:finish', ({
+      status,
+      isEarlyFlakeDetectionEnabled,
+      isQuarantinedTestsEnabled,
+      onDone
+    }) => {
       this.testModuleSpan.setTag(TEST_STATUS, status)
       this.testSessionSpan.setTag(TEST_STATUS, status)
 
@@ -56,6 +64,10 @@ class PlaywrightPlugin extends CiPlugin {
         this.testSessionSpan.setTag('error', error)
       }
 
+      if (isQuarantinedTestsEnabled) {
+        this.testSessionSpan.setTag(TEST_MANAGEMENT_ENABLED, 'true')
+      }
+
       this.testModuleSpan.finish()
       this.telemetry.ciVisEvent(TELEMETRY_EVENT_FINISHED, 'module')
       this.testSessionSpan.finish()
@@ -128,7 +140,16 @@ class PlaywrightPlugin extends CiPlugin {
 
       this.enter(span, store)
     })
-    this.addSub('ci:playwright:test:finish', ({ testStatus, steps, error, extraTags, isNew, isEfdRetry, isRetry }) => {
+    this.addSub('ci:playwright:test:finish', ({
+      testStatus,
+      steps,
+      error,
+      extraTags,
+      isNew,
+      isEfdRetry,
+      isRetry,
+      isQuarantined
+    }) => {
       const store = storage('legacy').getStore()
       const span = store && store.span
       if (!span) return
@@ -151,6 +172,9 @@ class PlaywrightPlugin extends CiPlugin {
       if (isRetry) {
         span.setTag(TEST_IS_RETRY, 'true')
       }
+      if (isQuarantined) {
+        span.setTag(TEST_MANAGEMENT_IS_QUARANTINED, 'true')
+      }
 
       steps.forEach(step => {
         const stepStartTime = step.startTime.getTime()
@@ -202,7 +226,9 @@ class PlaywrightPlugin extends CiPlugin {
       extraTags[TEST_SOURCE_FILE] = testSourceFile || testSuite
     }
     if (browserName) {
-      extraTags[TEST_CONFIGURATION_BROWSER_NAME] = browserName
+      // Added as parameter too because it should affect the test fingerprint
+      extraTags[TEST_PARAMETERS] = JSON.stringify({ arguments: { browser: browserName }, metadata: {} })
+      extraTags[TEST_BROWSER_NAME] = browserName
     }
 
     return super.startTestSpan(testName, testSuite, testSuiteSpan, extraTags)

package/packages/datadog-plugin-vitest/src/index.js

@@ -18,7 +18,9 @@ const {
   TEST_IS_NEW,
   TEST_EARLY_FLAKE_ENABLED,
   TEST_EARLY_FLAKE_ABORT_REASON,
-  TEST_RETRY_REASON
+  TEST_RETRY_REASON,
+  TEST_MANAGEMENT_ENABLED,
+  TEST_MANAGEMENT_IS_QUARANTINED
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
 const {
@@ -48,6 +50,20 @@ class VitestPlugin extends CiPlugin {
       onDone(!testsForThisTestSuite.includes(testName))
     })
 
+    this.addSub('ci:vitest:test:is-quarantined', ({ quarantinedTests, testSuiteAbsolutePath, testName, onDone }) => {
+      const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
+      const isQuarantined = quarantinedTests
+        ?.vitest
+        ?.suites
+        ?.[testSuite]
+        ?.tests
+        ?.[testName]
+        ?.properties
+        ?.quarantined
+
+      onDone(isQuarantined ?? false)
+    })
+
     this.addSub('ci:vitest:is-early-flake-detection-faulty', ({
       knownTests,
       testFilepaths,
@@ -66,6 +82,7 @@ class VitestPlugin extends CiPlugin {
       testSuiteAbsolutePath,
       isRetry,
       isNew,
+      isQuarantined,
       mightHitProbe,
       isRetryReasonEfd
     }) => {
@@ -84,6 +101,9 @@ class VitestPlugin extends CiPlugin {
       if (isRetryReasonEfd) {
         extraTags[TEST_RETRY_REASON] = 'efd'
       }
+      if (isQuarantined) {
+        extraTags[TEST_MANAGEMENT_IS_QUARANTINED] = 'true'
+      }
 
       const span = this.startTestSpan(
         testName,
@@ -257,6 +277,7 @@ class VitestPlugin extends CiPlugin {
       testCodeCoverageLinesTotal,
       isEarlyFlakeDetectionEnabled,
       isEarlyFlakeDetectionFaulty,
+      isQuarantinedTestsEnabled,
       onFinish
     }) => {
       this.testSessionSpan.setTag(TEST_STATUS, status)
@@ -275,6 +296,9 @@ class VitestPlugin extends CiPlugin {
       if (isEarlyFlakeDetectionFaulty) {
         this.testSessionSpan.setTag(TEST_EARLY_FLAKE_ABORT_REASON, 'faulty')
       }
+      if (isQuarantinedTestsEnabled) {
+        this.testSessionSpan.setTag(TEST_MANAGEMENT_ENABLED, 'true')
+      }
       this.testModuleSpan.finish()
       this.telemetry.ciVisEvent(TELEMETRY_EVENT_FINISHED, 'module')
       this.testSessionSpan.finish()

package/packages/dd-trace/src/appsec/iast/analyzers/code-injection-analyzer.js

@@ -1,12 +1,12 @@
 'use strict'
 
-const InjectionAnalyzer = require('./injection-analyzer')
 const { CODE_INJECTION } = require('../vulnerabilities')
+const StoredInjectionAnalyzer = require('./stored-injection-analyzer')
 const { INSTRUMENTED_SINK } = require('../telemetry/iast-metric')
 const { storage } = require('../../../../../datadog-core')
 const { getIastContext } = require('../iast-context')
 
-class CodeInjectionAnalyzer extends InjectionAnalyzer {
+class CodeInjectionAnalyzer extends StoredInjectionAnalyzer {
   constructor () {
     super(CODE_INJECTION)
     this.evalInstrumentedInc = false
@@ -31,10 +31,6 @@ class CodeInjectionAnalyzer extends InjectionAnalyzer {
     this.addSub('datadog:vm:run-script:start', ({ code }) => this.analyze(code))
     this.addSub('datadog:vm:source-text-module:start', ({ code }) => this.analyze(code))
   }
-
-  _areRangesVulnerable () {
-    return true
-  }
 }
 
 module.exports = new CodeInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/injection-analyzer.js

@@ -5,8 +5,13 @@ const { SQL_ROW_VALUE } = require('../taint-tracking/source-types')
 
 class InjectionAnalyzer extends Analyzer {
   _isVulnerable (value, iastContext) {
-    const ranges = value && getRanges(iastContext, value)
+    let ranges = value && getRanges(iastContext, value)
     if (ranges?.length > 0) {
+      ranges = this._filterSecureRanges(ranges)
+      if (!ranges?.length) {
+        this._incrementSuppressedMetric(iastContext)
+      }
+
       return this._areRangesVulnerable(ranges)
     }
 
@@ -21,6 +26,15 @@ class InjectionAnalyzer extends Analyzer {
   _areRangesVulnerable (ranges) {
     return ranges?.some(range => range.iinfo.type !== SQL_ROW_VALUE)
   }
+
+  _filterSecureRanges (ranges) {
+    return ranges?.filter(range => !this._isRangeSecure(range))
+  }
+
+  _isRangeSecure (range) {
+    const { secureMarks } = range
+    return (secureMarks & this._secureMark) === this._secureMark
+  }
 }
 
 module.exports = InjectionAnalyzer

package/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js

@@ -4,29 +4,13 @@ const InjectionAnalyzer = require('./injection-analyzer')
 const { NOSQL_MONGODB_INJECTION } = require('../vulnerabilities')
 const { getRanges, addSecureMark } = require('../taint-tracking/operations')
 const { getNodeModulesPaths } = require('../path-line')
-const { getNextSecureMark } = require('../taint-tracking/secure-marks-generator')
 const { storage } = require('../../../../../datadog-core')
 const { getIastContext } = require('../iast-context')
 const { HTTP_REQUEST_PARAMETER, HTTP_REQUEST_BODY } = require('../taint-tracking/source-types')
 
 const EXCLUDED_PATHS_FROM_STACK = getNodeModulesPaths('mongodb', 'mongoose', 'mquery')
-const MONGODB_NOSQL_SECURE_MARK = getNextSecureMark()
-
-function iterateObjectStrings (target, fn, levelKeys = [], depth = 20, visited = new Set()) {
-  if (target !== null && typeof target === 'object') {
-    Object.keys(target).forEach((key) => {
-      const nextLevelKeys = [...levelKeys, key]
-      const val = target[key]
-
-      if (typeof val === 'string') {
-        fn(val, nextLevelKeys, target, key)
-      } else if (depth > 0 && !visited.has(val)) {
-        iterateObjectStrings(val, fn, nextLevelKeys, depth - 1, visited)
-        visited.add(val)
-      }
-    })
-  }
-}
+const { NOSQL_MONGODB_INJECTION_MARK } = require('../taint-tracking/secure-marks')
+const { iterateObjectStrings } = require('../utils')
 
 class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -88,7 +72,7 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
                 const currentLevelKey = levelKeys[i]
 
                 if (i === levelsLength - 1) {
-                  parentObj[currentLevelKey] = addSecureMark(iastContext, value, MONGODB_NOSQL_SECURE_MARK)
+                  parentObj[currentLevelKey] = addSecureMark(iastContext, value, NOSQL_MONGODB_INJECTION_MARK)
                 } else {
                   parentObj = parentObj[currentLevelKey]
                 }
@@ -106,7 +90,7 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
       if (iastContext) { // do nothing if we are not in an iast request
         iterateObjectStrings(sanitizedObject, function (value, levelKeys, parent, lastKey) {
           try {
-            parent[lastKey] = addSecureMark(iastContext, value, MONGODB_NOSQL_SECURE_MARK)
+            parent[lastKey] = addSecureMark(iastContext, value, NOSQL_MONGODB_INJECTION_MARK)
           } catch {
             // if it is a readonly property, do nothing
           }
@@ -121,8 +105,7 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
 
   _isVulnerableRange (range) {
     const rangeType = range?.iinfo?.type
-    const isVulnerableType = rangeType === HTTP_REQUEST_PARAMETER || rangeType === HTTP_REQUEST_BODY
-    return isVulnerableType && (range.secureMarks & MONGODB_NOSQL_SECURE_MARK) !== MONGODB_NOSQL_SECURE_MARK
+    return rangeType === HTTP_REQUEST_PARAMETER || rangeType === HTTP_REQUEST_BODY
   }
 
   _isVulnerable (value, iastContext) {
@@ -137,10 +120,15 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
       const allRanges = []
 
       iterateObjectStrings(value.filter, (val, nextLevelKeys) => {
-        const ranges = getRanges(iastContext, val)
+        let ranges = getRanges(iastContext, val)
         if (ranges?.length) {
           const filteredRanges = []
 
+          ranges = this._filterSecureRanges(ranges)
+          if (!ranges.length) {
+            this._incrementSuppressedMetric(iastContext)
+          }
+
           for (const range of ranges) {
             if (this._isVulnerableRange(range)) {
               isVulnerable = true
@@ -175,4 +163,3 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
 }
 
 module.exports = new NosqlInjectionMongodbAnalyzer()
-module.exports.MONGODB_NOSQL_SECURE_MARK = MONGODB_NOSQL_SECURE_MARK

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -1,14 +1,14 @@
 'use strict'
 
-const InjectionAnalyzer = require('./injection-analyzer')
 const { SQL_INJECTION } = require('../vulnerabilities')
 const { getRanges } = require('../taint-tracking/operations')
 const { storage } = require('../../../../../datadog-core')
 const { getNodeModulesPaths } = require('../path-line')
+const StoredInjectionAnalyzer = require('./stored-injection-analyzer')
 
 const EXCLUDED_PATHS = getNodeModulesPaths('mysql', 'mysql2', 'sequelize', 'pg-pool', 'knex')
 
-class SqlInjectionAnalyzer extends InjectionAnalyzer {
+class SqlInjectionAnalyzer extends StoredInjectionAnalyzer {
   constructor () {
     super(SQL_INJECTION)
   }
@@ -82,10 +82,6 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
       return knexDialect.toUpperCase()
     }
   }
-
-  _areRangesVulnerable () {
-    return true
-  }
 }
 
 module.exports = new SqlInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/stored-injection-analyzer.js

@@ -0,0 +1,11 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+
+class StoredInjectionAnalyzer extends InjectionAnalyzer {
+  _areRangesVulnerable (ranges) {
+    return ranges?.length > 0
+  }
+}
+
+module.exports = StoredInjectionAnalyzer

package/packages/dd-trace/src/appsec/iast/analyzers/template-injection-analyzer.js

@@ -1,9 +1,9 @@
 'use strict'
 
-const InjectionAnalyzer = require('./injection-analyzer')
 const { TEMPLATE_INJECTION } = require('../vulnerabilities')
+const StoredInjectionAnalyzer = require('./stored-injection-analyzer')
 
-class TemplateInjectionAnalyzer extends InjectionAnalyzer {
+class TemplateInjectionAnalyzer extends StoredInjectionAnalyzer {
   constructor () {
     super(TEMPLATE_INJECTION)
   }
@@ -13,10 +13,6 @@ class TemplateInjectionAnalyzer extends InjectionAnalyzer {
     this.addSub('datadog:handlebars:register-partial:start', ({ partial }) => this.analyze(partial))
     this.addSub('datadog:pug:compile:start', ({ source }) => this.analyze(source))
   }
-
-  _areRangesVulnerable () {
-    return true
-  }
 }
 
 module.exports = new TemplateInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -10,11 +10,14 @@ const {
   getVulnerabilityCallSiteFrames,
   replaceCallSiteFromSourceMap
 } = require('../vulnerability-reporter')
+const { getMarkFromVulnerabilityType } = require('../taint-tracking/secure-marks')
+const { SUPPRESSED_VULNERABILITIES } = require('../telemetry/iast-metric')
 
 class Analyzer extends SinkIastPlugin {
   constructor (type) {
     super()
     this._type = type
+    this._secureMark = getMarkFromVulnerabilityType(type)
   }
 
   _isVulnerable (value, context) {
@@ -75,11 +78,17 @@ class Analyzer extends SinkIastPlugin {
     if (locationFromSourceMap?.path) {
       originalLocation.path = locationFromSourceMap.path
     }
+
     if (locationFromSourceMap?.line) {
       originalLocation.line = locationFromSourceMap.line
     }
-    if (locationFromSourceMap?.column) {
-      originalLocation.column = locationFromSourceMap.column
+
+    if (location?.class_name) {
+      originalLocation.class = location.class_name
+    }
+
+    if (location?.function) {
+      originalLocation.method = location.function
     }
 
     return originalLocation
@@ -149,6 +158,17 @@ class Analyzer extends SinkIastPlugin {
     return hash
   }
 
+  _getSuppressedMetricTag () {
+    if (!this._suppressedMetricTag) {
+      this._suppressedMetricTag = SUPPRESSED_VULNERABILITIES.formatTags(this._type)[0]
+    }
+    return this._suppressedMetricTag
+  }
+
+  _incrementSuppressedMetric (iastContext) {
+    SUPPRESSED_VULNERABILITIES.inc(iastContext, this._getSuppressedMetricTag())
+  }
+
   addSub (iastSubOrChannelName, handler) {
     const iastSub = typeof iastSubOrChannelName === 'string'
       ? { channelName: iastSubOrChannelName }

package/packages/dd-trace/src/appsec/iast/index.js

@@ -15,6 +15,7 @@ const {
 const { IAST_ENABLED_TAG_KEY } = require('./tags')
 const iastTelemetry = require('./telemetry')
 const { enable: enableFsPlugin, disable: disableFsPlugin, IAST_MODULE } = require('../rasp/fs-plugin')
+const securityControls = require('./security-controls')
 
 // TODO Change to `apm:http:server:request:[start|close]` when the subscription
 //  order of the callbacks can be enforce
@@ -35,6 +36,7 @@ function enable (config, _tracer) {
   requestClose.subscribe(onIncomingHttpRequestEnd)
   overheadController.configure(config.iast)
   overheadController.startGlobalContext()
+  securityControls.configure(config.iast)
   vulnerabilityReporter.start(config, _tracer)
 
   isEnabled = true