npm - dd-trace - Versions diffs - 5.53.0 → 5.54.0 - Mend

dd-trace 5.53.0 → 5.54.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (319) hide show

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js CHANGED Viewed

@@ -41,47 +41,23 @@ function removeTransaction (iastContext) {
 }
 function newTaintedString (iastContext, string, name, type) {
-  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
-  if (transactionId) {
-    result = TaintedUtils.newTaintedString(transactionId, string, name, type)
-  } else {
-    result = string
-  }
-  return result
+  return transactionId ? TaintedUtils.newTaintedString(transactionId, string, name, type) : string
 }
 function newTaintedObject (iastContext, obj, name, type) {
-  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
-  if (transactionId) {
-    result = TaintedUtils.newTaintedObject(transactionId, obj, name, type)
-  } else {
-    result = obj
-  }
-  return result
+  return transactionId ? TaintedUtils.newTaintedObject(transactionId, obj, name, type) : obj
 }
 function isTainted (iastContext, string) {
-  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
-  if (transactionId) {
-    result = TaintedUtils.isTainted(transactionId, string)
-  } else {
-    result = false
-  }
-  return result
+  return transactionId ? TaintedUtils.isTainted(transactionId, string) : false
 }
 function getRanges (iastContext, string) {
-  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
-  if (transactionId) {
-    result = TaintedUtils.getRanges(transactionId, string)
-  } else {
-    result = []
-  }
-  return result
+  return transactionId ? TaintedUtils.getRanges(transactionId, string) : []
 }
 function addSecureMark (iastContext, string, mark, createNewTainted = true) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js CHANGED Viewed

@@ -129,13 +129,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       { channelName: 'datadog:url:parse:finish' },
       ({ input, base, parsed, isURL }) => {
         const iastContext = getIastContext(storage('legacy').getStore())
-        let ranges
-        if (base) {
-          ranges = getRanges(iastContext, base)
-        } else {
-          ranges = getRanges(iastContext, input)
-        }
+        const ranges = getRanges(iastContext, base || input)
         if (ranges?.length) {
           if (isURL) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugins/kafka.js CHANGED Viewed

@@ -1,7 +1,6 @@
 'use strict'
 const shimmer = require('../../../../../../datadog-shimmer')
-const { storage } = require('../../../../../../datadog-core')
 const { getIastContext } = require('../../iast-context')
 const { KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE } = require('../source-types')
 const { newTaintedObject, newTaintedString } = require('../operations')
@@ -10,7 +9,7 @@ const { SourceIastPlugin } = require('../../iast-plugin')
 class KafkaConsumerIastPlugin extends SourceIastPlugin {
   onConfigure () {
     this.addSub({ channelName: 'dd-trace:kafkajs:consumer:afterStart', tag: [KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE] },
-      ({ message }) => this.taintKafkaMessage(message)
+      ({ message, currentStore }) => this.taintKafkaMessage(message, currentStore)
     )
   }
@@ -21,8 +20,8 @@ class KafkaConsumerIastPlugin extends SourceIastPlugin {
     }
   }
-  taintKafkaMessage (message) {
-    const iastContext = getIastContext(storage('legacy').getStore())
+  taintKafkaMessage (message, currentStore) {
+    const iastContext = getIastContext(currentStore)
     if (iastContext && message) {
       const { key, value } = message

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter-esm.mjs CHANGED Viewed

@@ -12,7 +12,7 @@ const ddTraceDir = path.join(currentUrl.pathname, '..', '..', '..', '..', '..',
 let port, rewriter, iastEnabled
 export async function initialize (data) {
-  if (rewriter) return Promise.reject(new Error('ALREADY INITIALIZED'))
+  if (rewriter) throw new Error('ALREADY INITIALIZED')
   const { csiMethods, telemetryVerbosity, chainSourceMap, orchestrionConfig } = data
   port = data.port

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js CHANGED Viewed

@@ -41,11 +41,9 @@ function setGetOriginalPathAndLineFromSourceMapFunction (chainSourceMap, { getOr
     ? (path, line, column) => {
       // if --enable-source-maps is present stacktraces of the rewritten files contain the original path, file and
       // column because the sourcemap chaining is done during the rewriting process so we can skip it
-        if (isPrivateModule(path) && !isDdTrace(path)) {
-          return { path, line, column }
-        } else {
-          return getOriginalPathAndLineFromSourceMap(path, line, column)
-        }
+        return isPrivateModule(path) && !isDdTrace(path)
+          ? { path, line, column }
+          : getOriginalPathAndLineFromSourceMap(path, line, column)
       }
     : getOriginalPathAndLineFromSourceMap
 }
@@ -138,7 +136,7 @@ function esmRewritePostProcess (rewritten, filename) {
   if (metrics?.status === 'modified') {
     if (filename.startsWith('file://')) {
-      filename = filename.substring(7)
+      filename = filename.slice(7)
     }
     cacheRewrittenSourceMap(filename, rewritten.content)
@@ -157,7 +155,7 @@ function shimPrepareStackTrace () {
     return
   }
   const pstDescriptor = Object.getOwnPropertyDescriptor(global.Error, 'prepareStackTrace')
-  if (pstDescriptor?.configurable || pstDescriptor?.writable) {
+  if (!pstDescriptor || pstDescriptor.configurable || pstDescriptor.writable) {
     Object.defineProperty(global.Error, 'prepareStackTrace', getPrepareStackTraceAccessor())
   }
   shimmedPrepareStackTrace = true

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js CHANGED Viewed

@@ -71,7 +71,7 @@ function notString () {
 }
 function isValidCsiMethod (fn, protos) {
-  return protos.some(proto => fn === proto)
+  return protos.includes(fn)
 }
 function getCsiFn (cb, getContext, ...protos) {
@@ -90,7 +90,7 @@ function getCsiFn (cb, getContext, ...protos) {
 function csiMethodsDefaults (names, excluded, getContext) {
   const impl = {}
   names.forEach(name => {
-    if (excluded.indexOf(name) !== -1) return
+    if (excluded.includes(name)) return
     impl[name] = getCsiFn(
       (transactionId, res, target, ...rest) => TaintedUtils[name](transactionId, res, target, ...rest),
       getContext,

package/packages/dd-trace/src/appsec/iast/telemetry/span-tags.js CHANGED Viewed

@@ -10,10 +10,10 @@ function addMetricsToSpan (rootSpan, metrics, tagPrefix) {
       const name = taggedMetricName(data)
       let total = flattenMap.get(name)
       const value = flatten(data)
-      if (!total) {
-        total = value
-      } else {
+      if (total) {
         total += value
+      } else {
+        total = value
       }
       flattenMap.set(name, total)
     })
@@ -34,9 +34,9 @@ function flatten (metricData) {
 function taggedMetricName (data) {
   const metric = data.metric
   const tags = filterTags(data.tags)
-  return !tags?.length
-    ? metric
-    : `${metric}.${processTagValue(tags)}`
+  return tags?.length
+    ? `${metric}.${processTagValue(tags)}`
+    : metric
 }
 function filterTags (tags) {

package/packages/dd-trace/src/appsec/iast/telemetry/verbosity.js CHANGED Viewed

@@ -18,7 +18,7 @@ function isInfoAllowed (value) {
 function getVerbosity (verbosity) {
   if (verbosity) {
     verbosity = verbosity.toUpperCase()
-    return Verbosity[verbosity] !== undefined ? Verbosity[verbosity] : Verbosity.INFORMATION
+    return Verbosity[verbosity] === undefined ? Verbosity.INFORMATION : Verbosity[verbosity]
   } else {
     return Verbosity.INFORMATION
   }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/command-sensitive-analyzer.js CHANGED Viewed

@@ -2,7 +2,7 @@
 const log = require('../../../../../log')
-const COMMAND_PATTERN = '^(?:\\s*(?:sudo|doas)\\s+)?\\b\\S+\\b\\s(.*)'
+const COMMAND_PATTERN = String.raw`^(?:\s*(?:sudo|doas)\s+)?\b\S+\b\s(.*)`
 const pattern = new RegExp(COMMAND_PATTERN, 'gmi')
 module.exports = function extractSensitiveRanges (evidence) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/ldap-sensitive-analyzer.js CHANGED Viewed

@@ -2,7 +2,7 @@
 const log = require('../../../../../log')
-const LDAP_PATTERN = '\\(.*?(?:~=|=|<=|>=)(?<LITERAL>[^)]+)\\)'
+const LDAP_PATTERN = String.raw`\(.*?(?:~=|=|<=|>=)(?<LITERAL>[^)]+)\)`
 const pattern = new RegExp(LDAP_PATTERN, 'gmi')
 module.exports = function extractSensitiveRanges (evidence) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/sql-sensitive-analyzer.js CHANGED Viewed

@@ -3,13 +3,13 @@
 const log = require('../../../../../log')
 const STRING_LITERAL = '\'(?:\'\'|[^\'])*\''
-const POSTGRESQL_ESCAPED_LITERAL = '\\$([^$]*)\\$.*?\\$\\1\\$'
-const MYSQL_STRING_LITERAL = '"(?:\\\\"|[^"])*"|\'(?:\\\\\'|[^\'])*\''
+const POSTGRESQL_ESCAPED_LITERAL = String.raw`\$([^$]*)\$.*?\$\1\$`
+const MYSQL_STRING_LITERAL = String.raw`"(?:\\"|[^"])*"|'(?:\\'|[^'])*'`
 const LINE_COMMENT = '--.*$'
-const BLOCK_COMMENT = '/\\*[\\s\\S]*\\*/'
-const EXPONENT = '(?:E[-+]?\\d+[fd]?)?'
-const INTEGER_NUMBER = '(?<!\\w)\\d+'
-const DECIMAL_NUMBER = '\\d*\\.\\d+'
+const BLOCK_COMMENT = String.raw`/\*[\s\S]*\*/`
+const EXPONENT = String.raw`(?:E[-+]?\d+[fd]?)?`
+const INTEGER_NUMBER = String.raw`(?<!\w)\d+`
+const DECIMAL_NUMBER = String.raw`\d*\.\d+`
 const HEX_NUMBER = 'x\'[0-9a-f]+\'|0x[0-9a-f]+'
 const BIN_NUMBER = 'b\'[0-9a-f]+\'|0b[0-9a-f]+'
 const NUMERIC_LITERAL =
@@ -21,7 +21,7 @@ const NUMERIC_LITERAL =
       INTEGER_NUMBER + EXPONENT
     ].join('|')
   })`
-const ORACLE_ESCAPED_LITERAL = 'q\'<.*?>\'|q\'\\(.*?\\)\'|q\'\\{.*?\\}\'|q\'\\[.*?\\]\'|q\'(?<ESCAPE>.).*?\\k<ESCAPE>\''
+const ORACLE_ESCAPED_LITERAL = String.raw`q'<.*?>'|q'\(.*?\)'|q'\{.*?\}'|q'\[.*?\]'|q'(?<ESCAPE>.).*?\k<ESCAPE>'`
 const patterns = {
   ANSI: new RegExp( // Default

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js CHANGED Viewed

@@ -1,4 +1,5 @@
 'use strict'
+/* eslint-disable unicorn/prefer-string-slice */
 const log = require('../../../../log')
 const vulnerabilities = require('../../vulnerabilities')
@@ -82,7 +83,7 @@ class SensitiveHandler {
     for (let i = 0; i < value.length; i++) {
       if (nextTainted != null && nextTainted.start === i) {
-        this.writeValuePart(valueParts, value.substring(start, i), sourceIndex)
+        this.writeValuePart(valueParts, value.slice(start, i), sourceIndex)
         sourceIndex = sourcesIndexes[nextTaintedIndex]
@@ -113,16 +114,14 @@ class SensitiveHandler {
           nextSensitive = entries.length > 0 ? entries[0] : null
         }
-        if (this.isSensibleSource(sources[sourceIndex])) {
-          if (!sources[sourceIndex].redacted) {
-            redactedSources.push(sourceIndex)
-            sources[sourceIndex].pattern = ''.padEnd(sources[sourceIndex].value.length, REDACTED_SOURCE_BUFFER)
-            sources[sourceIndex].redacted = true
-          }
+        if (this.isSensibleSource(sources[sourceIndex]) && !sources[sourceIndex].redacted) {
+          redactedSources.push(sourceIndex)
+          sources[sourceIndex].pattern = ''.padEnd(sources[sourceIndex].value.length, REDACTED_SOURCE_BUFFER)
+          sources[sourceIndex].redacted = true
         }
-        if (redactedSources.indexOf(sourceIndex) > -1) {
-          const partValue = value.substring(i, i + (nextTainted.end - nextTainted.start))
+        if (redactedSources.includes(sourceIndex)) {
+          const partValue = value.slice(i, i + (nextTainted.end - nextTainted.start))
           this.writeRedactedValuePart(
             valueParts,
             partValue.length,
@@ -135,7 +134,7 @@ class SensitiveHandler {
           redactedSourcesContext[sourceIndex] = []
         } else {
           const substringEnd = Math.min(nextTainted.end, value.length)
-          this.writeValuePart(valueParts, value.substring(nextTainted.start, substringEnd), sourceIndex)
+          this.writeValuePart(valueParts, value.slice(nextTainted.start, substringEnd), sourceIndex)
         }
         start = i + (nextTainted.end - nextTainted.start)
@@ -144,7 +143,7 @@ class SensitiveHandler {
         nextTaintedIndex++
         sourceIndex = null
       } else if (nextSensitive != null && nextSensitive.start === i) {
-        this.writeValuePart(valueParts, value.substring(start, i), sourceIndex)
+        this.writeValuePart(valueParts, value.slice(start, i), sourceIndex)
         if (nextTainted != null && intersects(nextSensitive, nextTainted)) {
           sourceIndex = sourcesIndexes[nextTaintedIndex]
@@ -171,7 +170,7 @@ class SensitiveHandler {
     }
     if (start < value.length) {
-      this.writeValuePart(valueParts, value.substring(start))
+      this.writeValuePart(valueParts, value.slice(start))
     }
     return { redactedValueParts: valueParts, redactedSources }
@@ -197,10 +196,10 @@ class SensitiveHandler {
   writeValuePart (valueParts, value, source) {
     if (value.length > 0) {
-      if (source != null) {
-        valueParts.push({ value, source })
-      } else {
+      if (source == null) {
         valueParts.push({ value })
+      } else {
+        valueParts.push({ value, source })
       }
     }
   }
@@ -214,7 +213,9 @@ class SensitiveHandler {
     sourceRedactionContext,
     isSensibleSource
   ) {
-    if (sourceIndex != null) {
+    if (sourceIndex == null) {
+      valueParts.push({ redacted: true })
+    } else {
       const placeholder = source.value.includes(partValue)
         ? source.pattern
         : '*'.repeat(length)
@@ -252,9 +253,9 @@ class SensitiveHandler {
             _value.substring(_sourceRedactionContext.start - offset, _sourceRedactionContext.end - offset)
           const indexOfPartValueInPattern = source.value.indexOf(sensitive)
-          const pattern = indexOfPartValueInPattern > -1
-            ? placeholder.substring(indexOfPartValueInPattern, indexOfPartValueInPattern + sensitive.length)
-            : placeholder.substring(_sourceRedactionContext.start, _sourceRedactionContext.end)
+          const pattern = indexOfPartValueInPattern === -1
+            ? placeholder.substring(_sourceRedactionContext.start, _sourceRedactionContext.end)
+            : placeholder.substring(indexOfPartValueInPattern, indexOfPartValueInPattern + sensitive.length)
           valueParts.push({
             redacted: true,
@@ -262,7 +263,7 @@ class SensitiveHandler {
             pattern
           })
-          _value = _value.substring(pattern.length)
+          _value = _value.slice(pattern.length)
           offset += pattern.length
         })
@@ -273,8 +274,6 @@ class SensitiveHandler {
           })
         }
       }
-    } else {
-      valueParts.push({ redacted: true })
     }
   }
@@ -282,7 +281,7 @@ class SensitiveHandler {
     if (redactionNamePattern) {
       try {
         this._namePattern = new RegExp(redactionNamePattern, 'gmi')
-      } catch (e) {
+      } catch {
         log.warn('[ASM] Redaction name pattern is not valid')
       }
     }
@@ -290,7 +289,7 @@ class SensitiveHandler {
     if (redactionValuePattern) {
       try {
         this._valuePattern = new RegExp(redactionValuePattern, 'gmi')
-      } catch (e) {
+      } catch {
         log.warn('[ASM] Redaction value pattern is not valid')
       }
     }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-regex.js CHANGED Viewed

@@ -1,7 +1,7 @@
-// eslint-disable-next-line @stylistic/js/max-len
+// eslint-disable-next-line @stylistic/max-len
 const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?|(?:sur|last)name|user(?:name)?|address|e?mail)'
-// eslint-disable-next-line @stylistic/js/max-len
-const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,})|[\\w\\.-]+@[a-zA-Z\\d\\.-]+\\.[a-zA-Z]{2,})'
+// eslint-disable-next-line @stylistic/max-len
+const DEFAULT_IAST_REDACTION_VALUE_PATTERN = String.raw`(?:bearer\s+[a-z0-9\._\-]+|glpat-[\w\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\w=\-]+\.ey[I-L][\w=\-]+(?:\.[\w.+/=\-]+)?|(?:[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY[\-]{5}|ssh-rsa\s*[a-z0-9/\.+]{100,})|[\w\.-]+@[a-zA-Z\d\.-]+\.[a-zA-Z]{2,})`
 module.exports = {
   DEFAULT_IAST_REDACTION_NAME_PATTERN,

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js CHANGED Viewed

@@ -57,14 +57,14 @@ class VulnerabilityFormatter {
     evidence.ranges.forEach((range, rangeIndex) => {
       if (fromIndex < range.start) {
-        valueParts.push({ value: evidence.value.substring(fromIndex, range.start) })
+        valueParts.push({ value: evidence.value.slice(fromIndex, range.start) })
       }
-      valueParts.push({ value: evidence.value.substring(range.start, range.end), source: sourcesIndexes[rangeIndex] })
+      valueParts.push({ value: evidence.value.slice(range.start, range.end), source: sourcesIndexes[rangeIndex] })
       fromIndex = range.end
     })
     if (fromIndex < evidence.value.length) {
-      valueParts.push({ value: evidence.value.substring(fromIndex) })
+      valueParts.push({ value: evidence.value.slice(fromIndex) })
     }
     return { valueParts }
@@ -72,7 +72,7 @@ class VulnerabilityFormatter {
   formatEvidence (type, evidence, sourcesIndexes, sources) {
     if (evidence.value === undefined) {
-      return undefined
+      return
     }
     return this._redactVulnearbilities

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/utils.js CHANGED Viewed

@@ -7,7 +7,7 @@ const STRINGIFY_RANGE_KEY = 'DD_' + crypto.randomBytes(20).toString('hex')
 const STRINGIFY_SENSITIVE_KEY = STRINGIFY_RANGE_KEY + 'SENSITIVE'
 const STRINGIFY_SENSITIVE_NOT_STRING_KEY = STRINGIFY_SENSITIVE_KEY + 'NOTSTRING'
-// eslint-disable-next-line @stylistic/js/max-len
+// eslint-disable-next-line @stylistic/max-len
 const KEYS_REGEX_WITH_SENSITIVE_RANGES = new RegExp(`(?:"(${STRINGIFY_RANGE_KEY}_\\d+_))|(?:"(${STRINGIFY_SENSITIVE_KEY}_\\d+_(\\d+)_))|("${STRINGIFY_SENSITIVE_NOT_STRING_KEY}_\\d+_([\\s0-9.a-zA-Z]*)")`, 'gm')
 const KEYS_REGEX_WITHOUT_SENSITIVE_RANGES = new RegExp(`"(${STRINGIFY_RANGE_KEY}_\\d+_)`, 'gm')
@@ -99,22 +99,17 @@ function stringifyWithRanges (obj, objRanges, loadSensitiveRanges = false) {
         } else {
           currentLevelClone[key] = val
         }
-      } else if (Array.isArray(val)) {
-        currentLevelClone[key] = []
       } else {
-        currentLevelClone[key] = {}
+        currentLevelClone[key] = Array.isArray(val) ? [] : {}
       }
     })
     value = JSON.stringify(cloneObj, null, 2)
     if (counter > 0) {
-      let keysRegex
-      if (loadSensitiveRanges) {
-        keysRegex = KEYS_REGEX_WITH_SENSITIVE_RANGES
-      } else {
-        keysRegex = KEYS_REGEX_WITHOUT_SENSITIVE_RANGES
-      }
+      const keysRegex = loadSensitiveRanges
+        ? KEYS_REGEX_WITH_SENSITIVE_RANGES
+        : KEYS_REGEX_WITHOUT_SENSITIVE_RANGES
       keysRegex.lastIndex = 0
       let regexRes = keysRegex.exec(value)
@@ -141,7 +136,7 @@ function stringifyWithRanges (obj, objRanges, loadSensitiveRanges = false) {
           sensitiveRanges.push({
             start: offset,
-            end: offset + parseInt(regexRes[3])
+            end: offset + Number.parseInt(regexRes[3])
           })
           value = value.replace(sensitiveId, '')

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js CHANGED Viewed

@@ -79,17 +79,15 @@ function isValidVulnerability (vulnerability) {
 }
 function sendVulnerabilities (vulnerabilities, span) {
-  if (vulnerabilities && vulnerabilities.length) {
-    if (span && span.addTags) {
-      const validatedVulnerabilities = vulnerabilities.filter(isValidVulnerability)
-      const jsonToSend = vulnerabilitiesFormatter.toJson(validatedVulnerabilities)
-      if (jsonToSend.vulnerabilities.length > 0) {
-        const tags = {}
-        // TODO: Store this outside of the span and set the tag in the exporter.
-        tags[IAST_JSON_TAG_KEY] = JSON.stringify(jsonToSend)
-        span.addTags(tags)
-      }
+  if (vulnerabilities?.length && span?.addTags) {
+    const validatedVulnerabilities = vulnerabilities.filter(isValidVulnerability)
+    const jsonToSend = vulnerabilitiesFormatter.toJson(validatedVulnerabilities)
+    if (jsonToSend.vulnerabilities.length > 0) {
+      const tags = {}
+      // TODO: Store this outside of the span and set the tag in the exporter.
+      tags[IAST_JSON_TAG_KEY] = JSON.stringify(jsonToSend)
+      span.addTags(tags)
     }
   }
   return IAST_JSON_TAG_KEY

package/packages/dd-trace/src/appsec/index.js CHANGED Viewed

@@ -58,7 +58,7 @@ function enable (_config) {
     remoteConfig.enableWafUpdate(_config.appsec)
-    Reporter.setRateLimit(_config.appsec.rateLimit)
+    Reporter.init(_config.appsec)
     apiSecuritySampler.configure(_config)

package/packages/dd-trace/src/appsec/rasp/index.js CHANGED Viewed

@@ -22,8 +22,8 @@ function removeAllListeners (emitter, event) {
     }
     cleaned = true
-    for (let i = 0; i < listeners.length; ++i) {
-      emitter.on(event, listeners[i])
+    for (const listener of listeners) {
+      emitter.on(event, listener)
     }
   }
 }
@@ -41,19 +41,7 @@ function findDatadogRaspAbortError (err, deep = 10) {
 function handleUncaughtExceptionMonitor (error) {
   if (!blockOnDatadogRaspAbortError({ error })) return
-  if (!process.hasUncaughtExceptionCaptureCallback()) {
-    const cleanUp = removeAllListeners(process, 'uncaughtException')
-    const handler = () => {
-      process.removeListener('uncaughtException', handler)
-    }
-    setTimeout(() => {
-      process.removeListener('uncaughtException', handler)
-      cleanUp()
-    })
-    process.on('uncaughtException', handler)
-  } else {
+  if (process.hasUncaughtExceptionCaptureCallback()) {
     // uncaughtException event is not executed when hasUncaughtExceptionCaptureCallback is true
     let previousCb
     const cb = ({ currentCallback, abortController }) => {
@@ -78,6 +66,18 @@ function handleUncaughtExceptionMonitor (error) {
         process.setUncaughtExceptionCaptureCallback(previousCb)
       })
     }
+  } else {
+    const cleanUp = removeAllListeners(process, 'uncaughtException')
+    const handler = () => {
+      process.removeListener('uncaughtException', handler)
+    }
+    setTimeout(() => {
+      process.removeListener('uncaughtException', handler)
+      cleanUp()
+    })
+    process.on('uncaughtException', handler)
   }
 }

package/packages/dd-trace/src/appsec/rasp/lfi.js CHANGED Viewed

@@ -88,6 +88,7 @@ function pathToStr (path) {
   if (!path) return
   if (typeof path === 'string' ||
+      // eslint-disable-next-line unicorn/no-instanceof-builtins
       path instanceof String ||
       path instanceof Buffer ||
       path instanceof URL) {
@@ -104,7 +105,7 @@ function shouldAnalyze (path, fs) {
 function shouldAnalyzeURLFile (path, fs) {
   if (path.startsWith('file://')) {
-    return shouldAnalyze(path.substring(7), fs)
+    return shouldAnalyze(path.slice(7), fs)
   }
 }