npm - dd-trace - Versions diffs - 5.58.0 → 5.60.0 - Mend

dd-trace 5.58.0 → 5.60.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (179) hide show

package/packages/datadog-plugin-google-cloud-vertexai/src/utils.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 function extractModel (instance) {
   const model = instance.model || instance.resourcePath || instance.publisherModelEndpoint
   return model?.split('/').pop()

package/packages/datadog-plugin-graphql/src/utils.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 function extractErrorIntoSpanEvent (config, span, exc) {
   const attributes = {}

package/packages/datadog-plugin-hono/src/index.js ADDED Viewed

@@ -0,0 +1,28 @@
+'use strict'
+const RouterPlugin = require('../../datadog-plugin-router/src')
+const web = require('../../dd-trace/src/plugins/util/web')
+class HonoPlugin extends RouterPlugin {
+  static get id () {
+    return 'hono'
+  }
+  constructor (...args) {
+    super(...args)
+    this.addSub('apm:hono:request:handle', ({ req }) => {
+      this.setFramework(req, 'hono', this.config)
+    })
+    this.addSub('apm:hono:request:route', ({ req, route }) => {
+      web.setRoute(req, route)
+    })
+    this.addSub('apm:hono:request:error', ({ req, error }) => {
+      web.addError(req, error)
+    })
+  }
+}
+module.exports = HonoPlugin

package/packages/datadog-plugin-jest/src/index.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 const CiPlugin = require('../../dd-trace/src/plugins/ci_plugin')
 const { storage } = require('../../datadog-core')
 const { getEnvironmentVariable } = require('../../dd-trace/src/config-helper')

package/packages/datadog-plugin-jest/src/util.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 const { readFileSync } = require('fs')
 const { parse, extract } = require('jest-docblock')

package/packages/datadog-plugin-kafkajs/src/batch-consumer.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 const ConsumerPlugin = require('../../dd-trace/src/plugins/consumer')
 const { getMessageSize } = require('../../dd-trace/src/datastreams')
 const { convertToTextMap } = require('./utils')

package/packages/datadog-plugin-langchain/src/tracing.js CHANGED Viewed

@@ -40,9 +40,14 @@ class BaseLangChainTracingPlugin extends TracingPlugin {
     // Runnable interfaces have an `lc_namespace` property
     const ns = ctx.self.lc_namespace || ctx.namespace
-    const resource = ctx.resource = [...ns, ctx.self.constructor.name].join('.')
-    const handler = this.handlers[type]
+    const resourceParts = [...ns, ctx.self.constructor.name]
+    if (type === 'tool') {
+      resourceParts.push(ctx.instance.name)
+    }
+    const resource = ctx.resource = resourceParts.join('.')
+    const handler = this.handlers[type] || this.handlers.default
     const instance = ctx.instance
     const apiKey = handler.extractApiKey(instance)
@@ -78,7 +83,7 @@ class BaseLangChainTracingPlugin extends TracingPlugin {
     const { type } = ctx
-    const handler = this.handlers[type]
+    const handler = this.handlers[type] || this.handlers.default
     const tags = handler.getSpanEndTags(ctx, span) || {}
     span.addTags(tags)
@@ -139,11 +144,38 @@ class EmbeddingsEmbedDocumentsPlugin extends BaseLangChainTracingPlugin {
   }
 }
+class ToolInvokePlugin extends BaseLangChainTracingPlugin {
+  static get id () { return 'langchain_tool_invoke' }
+  static get lcType () { return 'tool' }
+  static get prefix () {
+    return 'tracing:orchestrion:@langchain/core:Tool_invoke'
+  }
+}
+class VectorStoreSimilaritySearchPlugin extends BaseLangChainTracingPlugin {
+  static get id () { return 'langchain_vectorstore_similarity_search' }
+  static get lcType () { return 'similarity_search' }
+  static get prefix () {
+    return 'tracing:orchestrion:@langchain/core:VectorStore_similaritySearch'
+  }
+}
+class VectorStoreSimilaritySearchWithScorePlugin extends BaseLangChainTracingPlugin {
+  static get id () { return 'langchain_vectorstore_similarity_search_with_score' }
+  static get lcType () { return 'similarity_search' }
+  static get prefix () {
+    return 'tracing:orchestrion:@langchain/core:VectorStore_similaritySearchWithScore'
+  }
+}
 module.exports = [
   RunnableSequenceInvokePlugin,
   RunnableSequenceBatchPlugin,
   BaseChatModelGeneratePlugin,
   BaseLLMGeneratePlugin,
   EmbeddingsEmbedQueryPlugin,
-  EmbeddingsEmbedDocumentsPlugin
+  EmbeddingsEmbedDocumentsPlugin,
+  ToolInvokePlugin,
+  VectorStoreSimilaritySearchPlugin,
+  VectorStoreSimilaritySearchWithScorePlugin
 ]

package/packages/datadog-plugin-nyc/src/index.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 const CiPlugin = require('../../dd-trace/src/plugins/ci_plugin')
 class NycPlugin extends CiPlugin {

package/packages/datadog-plugin-openai/src/stream-helpers.js ADDED Viewed

@@ -0,0 +1,114 @@
+'use strict'
+/**
+ * Combines legacy OpenAI streamed chunks into a single object.
+ * These legacy chunks are returned as buffers instead of individual objects.
+ * @param {readonly Uint8Array[]} chunks
+ * @returns {Array<Record<string, any>>}
+ */
+function convertBuffersToObjects (chunks) {
+  return Buffer
+    .concat(chunks) // combine the buffers
+    .toString() // stringify
+    .split(/(?=data:)/) // split on "data:"
+    .map(chunk => chunk.replaceAll('\n', '').slice(6)) // remove newlines and 'data: ' from the front
+    .slice(0, -1) // remove the last [DONE] message
+    .map(JSON.parse) // parse all of the returned objects
+}
+/**
+ * Common function for combining chunks with n choices into a single response body.
+ * The shared logic will add a new choice index entry if it doesn't exist, and otherwise
+ * hand off to a onChoice handler to add that choice to the previously stored choice.
+ *
+ * @param {Array<Record<string, any>>} chunks
+ * @param {number} n
+ * @param {function(Record<string, any>, Record<string, any>): void} onChoice
+ * @returns {Record<string, any>}
+ */
+function constructResponseFromStreamedChunks (chunks, n, onChoice) {
+  const body = { ...chunks[0], choices: Array.from({ length: n }) }
+  for (const chunk of chunks) {
+    body.usage = chunk.usage
+    for (const choice of chunk.choices) {
+      const choiceIdx = choice.index
+      const oldChoice = body.choices.find(choice => choice?.index === choiceIdx)
+      if (!oldChoice) {
+        body.choices[choiceIdx] = choice
+        continue
+      }
+      if (!oldChoice.finish_reason) {
+        oldChoice.finish_reason = choice.finish_reason
+      }
+      onChoice(choice, oldChoice)
+    }
+  }
+  return body
+}
+/**
+ * Constructs the entire response from a stream of OpenAI completion chunks,
+ * mainly combining the text choices of each chunk into a single string per choice.
+ * @param {Array<Record<string, any>>} chunks
+ * @param {number} n the number of choices to expect in the response
+ * @returns {Record<string, any>}
+ */
+function constructCompletionResponseFromStreamedChunks (chunks, n) {
+  return constructResponseFromStreamedChunks(chunks, n, (choice, oldChoice) => {
+    const text = choice.text
+    if (text) {
+      if (oldChoice.text) {
+        oldChoice.text += text
+      } else {
+        oldChoice.text = text
+      }
+    }
+  })
+}
+/**
+ * Constructs the entire response from a stream of OpenAI chat completion chunks,
+ * mainly combining the text choices of each chunk into a single string per choice.
+ * @param {Array<Record<string, any>>} chunks
+ * @param {number} n the number of choices to expect in the response
+ * @returns {Record<string, any>}
+ */
+function constructChatCompletionResponseFromStreamedChunks (chunks, n) {
+  return constructResponseFromStreamedChunks(chunks, n, (choice, oldChoice) => {
+    const delta = choice.delta
+    if (!delta) return
+    const content = delta.content
+    if (content) {
+      if (oldChoice.delta.content) {
+        oldChoice.delta.content += content
+      } else {
+        oldChoice.delta.content = content
+      }
+    }
+    const tools = delta.tool_calls
+    if (!tools) return
+    oldChoice.delta.tool_calls = tools.map((newTool, toolIdx) => {
+      const oldTool = oldChoice.delta.tool_calls?.[toolIdx]
+      if (oldTool) {
+        oldTool.function.arguments += newTool.function.arguments
+        return oldTool
+      }
+      return newTool
+    })
+  })
+}
+module.exports = {
+  convertBuffersToObjects,
+  constructCompletionResponseFromStreamedChunks,
+  constructChatCompletionResponseFromStreamedChunks
+}

package/packages/datadog-plugin-openai/src/tracing.js CHANGED Viewed

@@ -10,6 +10,11 @@ const { MEASURED } = require('../../../ext/tags')
 const { estimateTokens } = require('./token-estimator')
 const makeUtilities = require('../../dd-trace/src/plugins/util/llm')
+const {
+  convertBuffersToObjects,
+  constructCompletionResponseFromStreamedChunks,
+  constructChatCompletionResponseFromStreamedChunks
+} = require('./stream-helpers')
 let normalize
@@ -48,6 +53,39 @@ class OpenAiTracingPlugin extends TracingPlugin {
       normalize = utilities.normalize
     }
+    this.addSub('apm:openai:request:chunk', ({ ctx, chunk, done }) => {
+      if (!ctx.chunks) ctx.chunks = []
+      if (chunk) ctx.chunks.push(chunk)
+      if (!done) return
+      let chunks = ctx.chunks
+      if (chunks.length === 0) return
+      const firstChunk = chunks[0]
+      // OpenAI in legacy versions returns chunked buffers instead of objects.
+      // These buffers will need to be combined and coalesced into a list of object chunks.
+      if (firstChunk instanceof Buffer) {
+        chunks = convertBuffersToObjects(chunks)
+      }
+      const methodName = ctx.currentStore.normalizedMethodName
+      let n = 1
+      const prompt = ctx.args[0].prompt
+      if (Array.isArray(prompt) && typeof prompt[0] !== 'number') {
+        n *= prompt.length
+      }
+      let response = {}
+      if (methodName === 'createCompletion') {
+        response = constructCompletionResponseFromStreamedChunks(chunks, n)
+      } else if (methodName === 'createChatCompletion') {
+        response = constructChatCompletionResponseFromStreamedChunks(chunks, n)
+      }
+      ctx.result = { data: response }
+    })
   }
   configure (config) {

package/packages/datadog-plugin-oracledb/src/connection-parser.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 const { URL } = require('url')
 const log = require('../../dd-trace/src/log')

package/packages/datadog-plugin-protobufjs/src/index.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 const SchemaPlugin = require('../../dd-trace/src/plugins/schema')
 const SchemaExtractor = require('./schema_iterator')

package/packages/datadog-plugin-protobufjs/src/schema_iterator.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 const PROTOBUF = 'protobuf'
 const {
   SCHEMA_DEFINITION,

package/packages/datadog-plugin-selenium/src/index.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 const CiPlugin = require('../../dd-trace/src/plugins/ci_plugin')
 const { storage } = require('../../datadog-core')

package/packages/datadog-plugin-vitest/src/index.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 const CiPlugin = require('../../dd-trace/src/plugins/ci_plugin')
 const { storage } = require('../../datadog-core')
 const { getEnvironmentVariable } = require('../../dd-trace/src/config-helper')

package/packages/dd-trace/src/appsec/iast/iast-context.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 const IAST_CONTEXT_KEY = Symbol('_dd.iast.context')
 const IAST_TRANSACTION_ID = Symbol('_dd.iast.transactionId')
@@ -52,7 +54,9 @@ function cleanIastContext (store, context, iastContext) {
     context[IAST_CONTEXT_KEY] = null
   }
   if (iastContext) {
-    Object.keys(iastContext).forEach(key => delete iastContext[key])
+    if (typeof iastContext === 'object') { // eslint-disable-line eslint-rules/eslint-safe-typeof-object
+      Object.keys(iastContext).forEach(key => delete iastContext[key])
+    }
     return true
   }
   return false

package/packages/dd-trace/src/appsec/iast/index.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 const vulnerabilityReporter = require('./vulnerability-reporter')
 const { enableAllAnalyzers, disableAllAnalyzers } = require('./analyzers')
 const web = require('../../plugins/util/web')

package/packages/dd-trace/src/appsec/iast/overhead-controller.js CHANGED Viewed

@@ -1,6 +1,6 @@
 'use strict'
-const LRUCache = require('lru-cache')
+const { LRUCache } = require('lru-cache')
 const web = require('../../plugins/util/web')
 const vulnerabilities = require('./vulnerabilities')

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter-esm.mjs CHANGED Viewed

@@ -1,5 +1,3 @@
-'use strict'
 import path from 'path'
 import { URL } from 'url'
 import { getName } from '../telemetry/verbosity.js'

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js CHANGED Viewed

@@ -1,5 +1,7 @@
 'use strict'
+/* eslint n/no-unsupported-features/node-builtins: ['error', { ignores: ['module.register'] }] */
 const Module = require('module')
 const { pathToFileURL } = require('url')
 const { MessageChannel } = require('worker_threads')

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-regex.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 // eslint-disable-next-line @stylistic/max-len
 const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?|(?:sur|last)name|user(?:name)?|address|e?mail)'
 // eslint-disable-next-line @stylistic/max-len

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js CHANGED Viewed

@@ -1,3 +1,5 @@
+'use strict'
 module.exports = {
   COMMAND_INJECTION: 'COMMAND_INJECTION',
   CODE_INJECTION: 'CODE_INJECTION',

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js CHANGED Viewed

@@ -1,6 +1,6 @@
 'use strict'
-const LRU = require('lru-cache')
+const { LRUCache } = require('lru-cache')
 const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
 const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
 const { keepTrace } = require('../../priority_sampler')
@@ -10,7 +10,7 @@ const { ASM } = require('../../standalone/product')
 const VULNERABILITIES_KEY = 'vulnerabilities'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
-const VULNERABILITY_HASHES = new LRU({ max: VULNERABILITY_HASHES_MAX_SIZE })
+const VULNERABILITY_HASHES = new LRUCache({ max: VULNERABILITY_HASHES_MAX_SIZE })
 const RESET_VULNERABILITY_CACHE_INTERVAL = 60 * 60 * 1000 // 1 hour
 let tracer
@@ -114,7 +114,7 @@ function isDuplicatedVulnerability (vulnerability) {
 }
 function getVulnerabilityCallSiteFrames () {
-  return getCallsiteFrames(stackTraceMaxDepth)
+  return getCallsiteFrames(stackTraceMaxDepth, getVulnerabilityCallSiteFrames)
 }
 function replaceCallSiteFromSourceMap (callsite) {

package/packages/dd-trace/src/appsec/rasp/fs-plugin.js CHANGED Viewed

@@ -14,25 +14,31 @@ const enabledFor = {
 let fsPlugin
-function enterWith (fsProps, store = storage('legacy').getStore()) {
+function getStoreToStart (fsProps, store = storage('legacy').getStore()) {
   if (store && !store.fs?.opExcluded) {
-    storage('legacy').enterWith({
+    return {
       ...store,
       fs: {
         ...store.fs,
         ...fsProps,
         parentStore: store
       }
-    })
+    }
   }
+  return store
 }
 class AppsecFsPlugin extends Plugin {
   enable () {
-    this.addSub('apm:fs:operation:start', this._onFsOperationStart)
-    this.addSub('apm:fs:operation:finish', this._onFsOperationFinishOrRenderEnd)
-    this.addSub('tracing:datadog:express:response:render:start', this._onResponseRenderStart)
-    this.addSub('tracing:datadog:express:response:render:end', this._onFsOperationFinishOrRenderEnd)
+    this.addBind('apm:fs:operation:start', this._onFsOperationStart)
+    this.addBind('apm:fs:operation:finish', this._onFsOperationFinishOrRenderEnd)
+    this.addBind('tracing:datadog:express:response:render:start', this._onResponseRenderStart)
+    this.addBind('tracing:datadog:express:response:render:end', this._onFsOperationFinishOrRenderEnd)
+    // TODO Remove this when dc-polyfill is fixed&updated
+    //  hack to node 18 and early 20.x
+    //  with dc-polyfill addBind is not enough to force a channel.hasSubscribers === true
+    this.addSub('tracing:datadog:express:response:render:start', () => {})
     super.configure(true)
   }
@@ -44,19 +50,20 @@ class AppsecFsPlugin extends Plugin {
   _onFsOperationStart () {
     const store = storage('legacy').getStore()
     if (store) {
-      enterWith({ root: store.fs?.root === undefined }, store)
+      return getStoreToStart({ root: store.fs?.root === undefined }, store)
     }
   }
   _onResponseRenderStart () {
-    enterWith({ opExcluded: true })
+    return getStoreToStart({ opExcluded: true })
   }
   _onFsOperationFinishOrRenderEnd () {
     const store = storage('legacy').getStore()
-    if (store?.fs?.parentStore) {
-      storage('legacy').enterWith(store.fs.parentStore)
+    if (store?.fs) {
+      return store.fs.parentStore
     }
+    return store
   }
 }

package/packages/dd-trace/src/appsec/rasp/utils.js CHANGED Viewed

@@ -41,7 +41,7 @@ function handleResult (result, req, res, abortController, config, raspRule) {
   const ruleTriggered = !!result?.events?.length
   if (generateStackTraceAction && enabled && canReportStackTrace(rootSpan, maxStackTraces)) {
-    const frames = getCallsiteFrames(maxDepth)
+    const frames = getCallsiteFrames(maxDepth, handleResult)
     reportStackTrace(
       rootSpan,

package/packages/dd-trace/src/appsec/recommended.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.14.2"
+    "rules_version": "1.15.0"
   },
   "rules": [
     {
@@ -2985,7 +2985,7 @@
                 "address": "graphql.server.resolver"
               }
             ],
-            "regex": "\\b(?:(?:l(?:(?:utimes|chmod)(?:Sync)?|(?:stat|ink)Sync)|w(?:rite(?:(?:File|v)(?:Sync)?|Sync)|atchFile)|u(?:n(?:watchFile|linkSync)|times(?:Sync)?)|s(?:(?:ymlink|tat)Sync|pawn(?:File|Sync))|ex(?:ec(?:File(?:Sync)?|Sync)|istsSync)|a(?:ppendFile|ccess)(?:Sync)?|(?:Caveat|Inode)s|open(?:dir)?Sync|new\\s+Function|Availability|\\beval)\\s*\\(|m(?:ain(?:Module\\s*(?:\\W*\\s*(?:constructor|require)|\\[)|\\s*(?:\\W*\\s*(?:constructor|require)|\\[))|kd(?:temp(?:Sync)?|irSync)\\s*\\(|odule\\.exports\\s*=)|c(?:(?:(?:h(?:mod|own)|lose)Sync|reate(?:Write|Read)Stream|p(?:Sync)?)\\s*\\(|o(?:nstructor\\s*(?:\\W*\\s*_load|\\[)|pyFile(?:Sync)?\\s*\\())|f(?:(?:(?:s(?:(?:yncS)?|tatS)|datas(?:yncS)?)ync|ch(?:mod|own)(?:Sync)?)\\s*\\(|u(?:nction\\s*\\(\\s*\\)\\s*{|times(?:Sync)?\\s*\\())|r(?:e(?:(?:ad(?:(?:File|link|dir)?Sync|v(?:Sync)?)|nameSync)\\s*\\(|quire\\s*(?:\\W*\\s*main|\\[))|m(?:Sync)?\\s*\\()|process\\s*(?:\\W*\\s*(?:mainModule|binding)|\\[)|t(?:his\\.constructor|runcateSync\\s*\\()|_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|global\\s*(?:\\W*\\s*process|\\[)|String\\s*\\.\\s*fromCharCode|binding\\s*\\[)",
+            "regex": "\\b(?:(?:l(?:(?:utimes|chmod)(?:Sync)?|(?:stat|ink)Sync)|w(?:rite(?:(?:File|v)(?:Sync)?|Sync)|atchFile)|u(?:n(?:watchFile|linkSync)|times(?:Sync)?)|s(?:(?:ymlink|tat)Sync|pawn(?:File|Sync))|ex(?:ec(?:File(?:Sync)?|Sync)|istsSync)|a(?:ppendFile|ccess)(?:Sync)?|(?:Caveat|Inode)s|open(?:dir)?Sync|new\\s+Function|Availability|\\beval)\\s*\\(|m(?:ain(?:Module\\s*(?:\\W*\\s*(?:constructor|require)|\\[)|\\s*(?:\\W*\\s*(?:constructor|require)|\\[))|kd(?:temp(?:Sync)?|irSync)\\s*\\(|odule\\.exports\\s*=)|c(?:(?:(?:h(?:mod|own)|lose)Sync|reate(?:Write|Read)Stream|p(?:Sync)?)\\s*\\(|o(?:nstructor\\s*(?:\\W*\\s*_load|\\[)|pyFile(?:Sync)?\\s*\\())|f(?:(?:(?:s(?:(?:yncS)?|tatS)|datas(?:yncS)?)ync|ch(?:mod|own)(?:Sync)?)\\s*\\(|u(?:nction\\s*\\(\\s*\\)\\s*{|times(?:Sync)?\\s*\\())|r(?:e(?:(?:ad(?:(?:File|link|dir)?Sync|v(?:Sync)?)|nameSync)\\s*\\(|quire\\s*(?:\\W*\\s*main\\b|\\[))|m(?:Sync)?\\s*\\()|process\\s*(?:\\W*\\s*(?:mainModule|binding)|\\[)|t(?:his\\.constructor|runcateSync\\s*\\()|_(?:\\$\\$ND_FUNC\\$\\$_|_js_function)|global\\s*(?:\\W*\\s*process|\\[)|String\\s*\\.\\s*fromCharCode|binding\\s*\\[)",
             "options": {
               "case_sensitive": true,
               "min_length": 3
@@ -5656,6 +5656,52 @@
       ],
       "transformers": []
     },
+    {
+      "id": "dog-932-110",
+      "name": "Python: Subprocess-based command injection",
+      "tags": {
+        "type": "command_injection",
+        "category": "attack_attempt",
+        "confidence": "0",
+        "module": "waf"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "server.request.headers.no_cookies"
+              },
+              {
+                "address": "grpc.server.request.message"
+              },
+              {
+                "address": "graphql.server.all_resolvers"
+              },
+              {
+                "address": "graphql.server.resolver"
+              }
+            ],
+            "regex": "(?s)\\bsubprocess\\b.*\\b(?:check_output|run|Popen|call|check_call)\\b",
+            "options": {
+              "case_sensitive": true,
+              "min_length": 14
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
     {
       "id": "dog-934-001",
       "name": "XXE - XML file loads external entity",
@@ -9074,6 +9120,28 @@
       "evaluate": true,
       "output": true
     },
+    {
+      "id": "decode-auth-jwt",
+      "generator": "jwt_decode",
+      "min_version": "1.25.0",
+      "parameters": {
+        "mappings": [
+          {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "authorization"
+                ]
+              }
+            ],
+            "output": "server.request.jwt"
+          }
+        ]
+      },
+      "evaluate": true,
+      "output": false
+    },
     {
       "id": "http-network-fingerprint",
       "generator": "http_network_fingerprint",
@@ -9918,6 +9986,24 @@
         "category": "payment"
       }
     },
+    {
+      "id": "c542c147-3883-43d6-a067-178e4a7bd65d",
+      "name": "Password",
+      "key": {
+        "operator": "match_regex",
+        "parameters": {
+          "regex": "\\bpass(?:[_-]?word|wd)?\\b|\\bpwd\\b",
+          "options": {
+            "case_sensitive": false,
+            "min_length": 3
+          }
+        }
+      },
+      "tags": {
+        "type": "password",
+        "category": "credentials"
+      }
+    },
     {
       "id": "18b608bd7a764bff5b2344c0",
       "name": "Phone number",