dd-trace 5.86.0 → 5.88.0

package/packages/datadog-plugin-kafkajs/src/consumer.js

@@ -40,14 +40,18 @@ class KafkajsConsumerPlugin extends ConsumerPlugin {
    * @returns {ConsumerBacklog}
    */
   transformCommit (commit) {
-    const { groupId, partition, offset, topic } = commit
-    return {
+    const { groupId, partition, offset, topic, clusterId } = commit
+    const backlog = {
       partition,
       topic,
       type: 'kafka_commit',
       offset: Number(offset),
       consumer_group: groupId,
     }
+    if (clusterId) {
+      backlog.kafka_cluster_id = clusterId
+    }
+    return backlog
   }
 
   commit (commitList) {
@@ -65,6 +69,22 @@ class KafkajsConsumerPlugin extends ConsumerPlugin {
     }
   }
 
+  start (ctx) {
+    if (!this.config.dsmEnabled) return
+    const { topic, message, groupId, clusterId } = ctx.extractedArgs || ctx
+    const headers = convertToTextMap(message?.headers)
+    if (!headers) return
+
+    const { span } = ctx.currentStore
+    const payloadSize = getMessageSize(message)
+    this.tracer.decodeDataStreamsContext(headers)
+    const edgeTags = ['direction:in', `group:${groupId}`, `topic:${topic}`, 'type:kafka']
+    if (clusterId) {
+      edgeTags.push(`kafka_cluster_id:${clusterId}`)
+    }
+    this.tracer.setCheckpoint(edgeTags, span, payloadSize)
+  }
+
   bindStart (ctx) {
     const { topic, partition, message, groupId, clusterId } = ctx.extractedArgs || ctx
 
@@ -89,16 +109,6 @@ class KafkajsConsumerPlugin extends ConsumerPlugin {
     }, ctx)
     if (message?.offset) span.setTag('kafka.message.offset', message?.offset)
 
-    if (this.config.dsmEnabled && headers) {
-      const payloadSize = getMessageSize(message)
-      this.tracer.decodeDataStreamsContext(headers)
-      const edgeTags = ['direction:in', `group:${groupId}`, `topic:${topic}`, 'type:kafka']
-      if (clusterId) {
-        edgeTags.push(`kafka_cluster_id:${clusterId}`)
-      }
-      this.tracer.setCheckpoint(edgeTags, span, payloadSize)
-    }
-
     if (afterStartCh.hasSubscribers) {
       afterStartCh.publish({ topic, partition, message, groupId, currentStore: ctx.currentStore })
     }

package/packages/datadog-plugin-kafkajs/src/producer.js

@@ -37,16 +37,20 @@ class KafkajsProducerPlugin extends ProducerPlugin {
    * @param {ProducerResponseItem} response
    * @returns {ProducerBacklog}
    */
-  transformProduceResponse (response) {
+  transformProduceResponse (response, clusterId) {
     // In produce protocol >=v3, the offset key changes from `offset` to `baseOffset`
     const { topicName: topic, partition, offset, baseOffset } = response
     const offsetAsLong = offset || baseOffset
-    return {
+    const backlog = {
       type: 'kafka_produce',
       partition,
       offset: offsetAsLong ? Number(offsetAsLong) : undefined,
       topic,
     }
+    if (clusterId) {
+      backlog.kafka_cluster_id = clusterId
+    }
+    return backlog
   }
 
   /**
@@ -56,6 +60,7 @@ class KafkajsProducerPlugin extends ProducerPlugin {
    */
   commit (ctx) {
     const commitList = ctx.result
+    const clusterId = ctx.clusterId
 
     if (!this.config.dsmEnabled) return
     if (!commitList || !Array.isArray(commitList)) return
@@ -65,12 +70,33 @@ class KafkajsProducerPlugin extends ProducerPlugin {
       'offset',
       'topic',
     ]
-    for (const commit of commitList.map(this.transformProduceResponse)) {
+    for (const commit of commitList.map(r => this.transformProduceResponse(r, clusterId))) {
       if (keys.some(key => !commit.hasOwnProperty(key))) continue
       this.tracer.setOffset(commit)
     }
   }
 
+  start (ctx) {
+    if (!this.config.dsmEnabled) return
+    const { topic, messages, clusterId, disableHeaderInjection, currentStore: { span } } = ctx
+
+    for (const message of messages) {
+      if (message !== null && typeof message === 'object') {
+        const payloadSize = getMessageSize(message)
+        const edgeTags = ['direction:out', `topic:${topic}`, 'type:kafka']
+
+        if (clusterId) {
+          edgeTags.push(`kafka_cluster_id:${clusterId}`)
+        }
+
+        const dataStreamsContext = this.tracer.setCheckpoint(edgeTags, span, payloadSize)
+        if (!disableHeaderInjection) {
+          DsmPathwayCodec.encode(dataStreamsContext, message.headers)
+        }
+      }
+    }
+  }
+
   bindStart (ctx) {
     const { topic, messages, bootstrapServers, clusterId, disableHeaderInjection } = ctx
     const span = this.startSpan({
@@ -89,25 +115,10 @@ class KafkajsProducerPlugin extends ProducerPlugin {
       span.setTag(BOOTSTRAP_SERVERS_KEY, bootstrapServers)
     }
     for (const message of messages) {
-      if (message !== null && typeof message === 'object') {
-        // message headers are not supported for kafka broker versions <0.11
-        if (!disableHeaderInjection) {
-          message.headers ??= {}
-          this.tracer.inject(span, 'text_map', message.headers)
-        }
-        if (this.config.dsmEnabled) {
-          const payloadSize = getMessageSize(message)
-          const edgeTags = ['direction:out', `topic:${topic}`, 'type:kafka']
-
-          if (clusterId) {
-            edgeTags.push(`kafka_cluster_id:${clusterId}`)
-          }
-
-          const dataStreamsContext = this.tracer.setCheckpoint(edgeTags, span, payloadSize)
-          if (!disableHeaderInjection) {
-            DsmPathwayCodec.encode(dataStreamsContext, message.headers)
-          }
-        }
+      // message headers are not supported for kafka broker versions <0.11
+      if (message !== null && typeof message === 'object' && !disableHeaderInjection) {
+        message.headers ??= {}
+        this.tracer.inject(span, 'text_map', message.headers)
       }
     }
 

package/packages/datadog-plugin-mocha/src/index.js

@@ -93,12 +93,15 @@ class MochaPlugin extends CiPlugin {
         return
       }
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.sourceRoot)
-      const testSuiteMetadata = getTestSuiteCommonTags(
-        this.command,
-        this.frameworkVersion,
-        testSuite,
-        'mocha'
-      )
+      const testSuiteMetadata = {
+        ...getTestSuiteCommonTags(
+          this.command,
+          this.frameworkVersion,
+          testSuite,
+          'mocha'
+        ),
+        ...this.getSessionRequestErrorTags(),
+      }
       if (isUnskippable) {
         testSuiteMetadata[TEST_ITR_UNSKIPPABLE] = 'true'
         this.telemetry.count(TELEMETRY_ITR_UNSKIPPABLE, { testLevel: 'suite' })

package/packages/datadog-plugin-playwright/src/index.js

@@ -120,12 +120,15 @@ class PlaywrightPlugin extends CiPlugin {
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.rootDir)
       const testSourceFile = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
 
-      const testSuiteMetadata = getTestSuiteCommonTags(
-        this.command,
-        this.frameworkVersion,
-        testSuite,
-        'playwright'
-      )
+      const testSuiteMetadata = {
+        ...getTestSuiteCommonTags(
+          this.command,
+          this.frameworkVersion,
+          testSuite,
+          'playwright'
+        ),
+        ...this.getSessionRequestErrorTags(),
+      }
       if (testSourceFile) {
         testSuiteMetadata[TEST_SOURCE_FILE] = testSourceFile
         testSuiteMetadata[TEST_SOURCE_START] = 1
@@ -222,6 +225,7 @@ class PlaywrightPlugin extends CiPlugin {
             // for a test session. They can be passed the same way `DD_PLAYWRIGHT_WORKER` is passed.
             formattedSpan.meta[TEST_SESSION_ID] = this.testSessionSpan.context().toTraceId()
             formattedSpan.meta[TEST_MODULE_ID] = this.testModuleSpan.context().toSpanId()
+            Object.assign(formattedSpan.meta, this.getSessionRequestErrorTags())
             formattedSpan.meta[TEST_COMMAND] = this.command
             formattedSpan.meta[TEST_MODULE] = this.constructor.id
             // MISSING _trace.startTime and _trace.ticks - because by now the suite is already serialized

package/packages/datadog-plugin-vitest/src/index.js

@@ -275,9 +275,11 @@ class VitestPlugin extends CiPlugin {
     this.addBind('ci:vitest:test-suite:start', (ctx) => {
       const { testSuiteAbsolutePath, frameworkVersion } = ctx
 
+      // TODO: Handle case where the command is not set
       this.command = getValueFromEnvSources('DD_CIVISIBILITY_TEST_COMMAND')
       this.frameworkVersion = frameworkVersion
       const testSessionSpanContext = this.tracer.extract('text_map', {
+        // TODO: Handle case where the session ID or module ID is not set
         'x-datadog-trace-id': getValueFromEnvSources('DD_CIVISIBILITY_TEST_SESSION_ID'),
         'x-datadog-parent-id': getValueFromEnvSources('DD_CIVISIBILITY_TEST_MODULE_ID'),
       })
@@ -301,14 +303,17 @@ class VitestPlugin extends CiPlugin {
       }
 
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
-      const testSuiteMetadata = getTestSuiteCommonTags(
-        this.command,
-        this.frameworkVersion,
-        testSuite,
-        'vitest'
-      )
-      testSuiteMetadata[TEST_SOURCE_FILE] = testSuite
-      testSuiteMetadata[TEST_SOURCE_START] = 1
+      // Request error tags are applied to test spans in the main process (worker-report:trace handler)
+      const testSuiteMetadata = {
+        ...getTestSuiteCommonTags(
+          this.command,
+          this.frameworkVersion,
+          testSuite,
+          'vitest'
+        ),
+        [TEST_SOURCE_FILE]: testSuite,
+        [TEST_SOURCE_START]: 1,
+      }
 
       const codeOwners = this.getCodeOwners(testSuiteMetadata)
       if (codeOwners) {

package/packages/dd-trace/src/appsec/addresses.js

@@ -27,6 +27,12 @@ module.exports = {
   WAF_CONTEXT_PROCESSOR: 'waf.context.processor',
 
   HTTP_OUTGOING_URL: 'server.io.net.url',
+  HTTP_OUTGOING_METHOD: 'server.io.net.request.method',
+  HTTP_OUTGOING_HEADERS: 'server.io.net.request.headers',
+  HTTP_OUTGOING_RESPONSE_STATUS: 'server.io.net.response.status',
+  HTTP_OUTGOING_RESPONSE_HEADERS: 'server.io.net.response.headers',
+  HTTP_OUTGOING_RESPONSE_BODY: 'server.io.net.response.body',
+
   FS_OPERATION_PATH: 'server.io.fs.file',
 
   DB_STATEMENT: 'server.db.statement',
@@ -37,4 +43,9 @@ module.exports = {
 
   LOGIN_SUCCESS: 'server.business_logic.users.login.success',
   LOGIN_FAILURE: 'server.business_logic.users.login.failure',
+
+  PAYMENT_CREATION: 'server.business_logic.payment.creation',
+  PAYMENT_SUCCESS: 'server.business_logic.payment.success',
+  PAYMENT_FAILURE: 'server.business_logic.payment.failure',
+  PAYMENT_CANCELLATION: 'server.business_logic.payment.cancellation',
 }

package/packages/dd-trace/src/appsec/channels.js

@@ -23,6 +23,7 @@ module.exports = {
   fsOperationStart: dc.channel('apm:fs:operation:start'),
   graphqlMiddlewareChannel: dc.tracingChannel('datadog:apollo:middleware'),
   httpClientRequestStart: dc.channel('apm:http:client:request:start'),
+  httpClientResponseFinish: dc.channel('apm:http:client:response:finish'),
   incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
   incomingHttpRequestStart: dc.channel('dd-trace:incomingHttpRequestStart'),
   multerParser: dc.channel('datadog:multer:read:finish'),
@@ -37,10 +38,13 @@ module.exports = {
   responseBody: dc.channel('datadog:express:response:json:start'),
   responseSetHeader: dc.channel('datadog:http:server:response:set-header:start'),
   responseWriteHead: dc.channel('apm:http:server:response:writeHead:start'),
-  routerParam: dc.channel('datadog:router:param:start'),
   routerMiddlewareError: dc.channel('apm:router:middleware:error'),
+  routerParam: dc.channel('datadog:router:param:start'),
   setCookieChannel: dc.channel('datadog:iast:set-cookie'),
   setUncaughtExceptionCaptureCallbackStart: dc.channel('datadog:process:setUncaughtExceptionCaptureCallback:start'),
   startGraphqlResolve: dc.channel('datadog:graphql:resolver:start'),
+  stripeCheckoutSessionCreate: dc.channel('datadog:stripe:checkoutSession:create:finish'),
+  stripeConstructEvent: dc.channel('datadog:stripe:constructEvent:finish'),
+  stripePaymentIntentCreate: dc.channel('datadog:stripe:paymentIntent:create:finish'),
   wafRunFinished: dc.channel('datadog:waf:run:finish'),
 }

package/packages/dd-trace/src/appsec/downstream_requests.js

@@ -0,0 +1,302 @@
+'use strict'
+
+const web = require('../plugins/util/web')
+const log = require('../log')
+const {
+  HTTP_OUTGOING_METHOD,
+  HTTP_OUTGOING_HEADERS,
+  HTTP_OUTGOING_RESPONSE_STATUS,
+  HTTP_OUTGOING_RESPONSE_HEADERS,
+  HTTP_OUTGOING_RESPONSE_BODY,
+} = require('./addresses')
+
+const KNUTH_FACTOR = 11400714819323199488n // eslint-disable-line unicorn/numeric-separators-style
+const UINT64_MAX = (1n << 64n) - 1n
+
+let config
+let samplingRate
+let globalRequestCounter
+let bodyAnalysisCount
+let downstreamAnalysisCount
+let redirectBodyCollectionDecisions
+
+function enable (_config) {
+  config = _config
+  globalRequestCounter = 0n
+  bodyAnalysisCount = new WeakMap()
+  downstreamAnalysisCount = new WeakMap()
+  redirectBodyCollectionDecisions = new WeakMap()
+
+  const bodyAnalysisSampleRate = config.appsec.apiSecurity?.downstreamBodyAnalysisSampleRate
+  samplingRate = Math.min(Math.max(bodyAnalysisSampleRate, 0), 1)
+
+  if (samplingRate !== bodyAnalysisSampleRate) {
+    log.warn(
+      'DD_API_SECURITY_DOWNSTREAM_BODY_ANALYSIS_SAMPLE_RATE value is %s and it\'s out of range',
+      bodyAnalysisSampleRate)
+  }
+}
+
+function disable () {
+  config = null
+  globalRequestCounter = null
+  bodyAnalysisCount = null
+  downstreamAnalysisCount = null
+  redirectBodyCollectionDecisions = null
+}
+
+/**
+ * Check we have a stored redirect body collection decision for a given URL.
+ * @param {import('http').IncomingMessage} req outgoing request.
+ * @param {string} outgoingUrl the URL being requested.
+ * @returns {boolean} the stored decision
+ */
+function consumeRedirectBodyCollectionDecision (req, outgoingUrl) {
+  const decisions = redirectBodyCollectionDecisions.get(req)
+  if (!decisions) return false
+
+  return decisions.delete(outgoingUrl)
+}
+
+/**
+ * Stores a redirect body collection decision for a follow-up request.
+ * @param {import('http').IncomingMessage} req outgoing request.
+ * @param {string} redirectUrl the URL to redirect to.
+ */
+function storeRedirectBodyCollectionDecision (req, redirectUrl) {
+  let decisions = redirectBodyCollectionDecisions.get(req)
+
+  if (!decisions) {
+    decisions = new Set()
+    redirectBodyCollectionDecisions.set(req, decisions)
+  }
+
+  decisions.add(redirectUrl)
+}
+
+/**
+ * Determines whether the current downstream request/responses bodies should be sampled for analysis.
+ * @param {import('http').IncomingMessage} req outgoing request.
+ * @param {string} outgoingUrl the URL being requested (to check for redirect decisions).
+ * @returns {boolean} true when the downstream response body should be captured.
+ */
+function shouldSampleBody (req, outgoingUrl) {
+  // Check if there's a stored decision from a previous redirect
+  const storedDecision = consumeRedirectBodyCollectionDecision(req, outgoingUrl)
+  if (storedDecision) return true
+
+  globalRequestCounter = (globalRequestCounter + 1n) & UINT64_MAX
+
+  const currentCount = bodyAnalysisCount.get(req) || 0
+  if (currentCount >= config.appsec.apiSecurity?.maxDownstreamRequestBodyAnalysis) {
+    return false
+  }
+
+  const hashed = (globalRequestCounter * KNUTH_FACTOR) % UINT64_MAX
+  // Replace 1000n with the accuraccy that we want to maintain
+  const threshold = (UINT64_MAX * BigInt(Math.round(samplingRate * 1000))) / 1000n
+
+  const shouldCollectBody = hashed <= threshold
+
+  // Track body analysis count if we're sampling the response body
+  if (shouldCollectBody) {
+    incrementBodyAnalysisCount(req)
+  }
+
+  return shouldCollectBody
+}
+
+/**
+ * Increments the number of downstream body analyses performed for the given request.
+ * @param {import('http').IncomingMessage} req outgoing request.
+ */
+function incrementBodyAnalysisCount (req) {
+  const currentCount = bodyAnalysisCount.get(req) || 0
+  bodyAnalysisCount.set(req, currentCount + 1)
+}
+
+/**
+ *
+ * @param {object} headers
+ * @returns {object} the headers with all keys converted to lowercase
+ */
+function lowercaseHeaderKeys (headers) {
+  return Object.fromEntries(Object.entries(headers).map(([key, value]) => [key.toLowerCase(), value]))
+}
+
+/**
+ * Extracts request data from the context for WAF analysis
+ * @param {object} ctx context for the outgoing downstream request.
+ * @returns {object} a map of addresses and request data.
+ */
+function extractRequestData (ctx) {
+  const addresses = {}
+
+  const options = ctx?.args?.options || {}
+
+  addresses[HTTP_OUTGOING_METHOD] = getMethod(options.method)
+
+  const headers = options?.headers
+  if (headers && Object.keys(headers).length > 0) {
+    addresses[HTTP_OUTGOING_HEADERS] = lowercaseHeaderKeys(headers)
+  }
+
+  return addresses
+}
+
+/**
+ * Checks if a response is a redirect
+ * @param {import('http').IncomingMessage} req incoming server request.
+ * @param {import('http').IncomingMessage} res downstream response object.
+ * @returns {boolean} is redirect.
+ */
+function handleRedirectResponse (req, res) {
+  const isRedirect = res.statusCode >= 300 && res.statusCode < 400
+  const redirectLocation = res.headers?.location || ''
+
+  if (isRedirect && redirectLocation) {
+    // Store the body collection decision for the redirect target
+    storeRedirectBodyCollectionDecision(req, redirectLocation)
+    return true
+  }
+
+  return false
+}
+
+/**
+ * Extracts response data for WAF analysis.
+ * @param {import('http').IncomingMessage} res downstream response object.
+ * @param {Buffer|string|object|null} responseBody response body.
+ * @returns {object} a map of addresses and response data.
+ */
+function extractResponseData (res, responseBody) {
+  const addresses = {}
+
+  if (res.statusCode) {
+    addresses[HTTP_OUTGOING_RESPONSE_STATUS] = String(res.statusCode)
+  }
+
+  const headers = res.headers
+  if (headers && Object.keys(headers).length > 0) {
+    addresses[HTTP_OUTGOING_RESPONSE_HEADERS] = headers
+  }
+
+  if (responseBody) {
+    // Parse the body based on content-type
+    const contentType = res.headers?.['content-type']
+    const body = parseBody(responseBody, contentType)
+
+    if (body) {
+      addresses[HTTP_OUTGOING_RESPONSE_BODY] = body
+    }
+  }
+
+  return addresses
+}
+
+/**
+ * Tracks how many downstream analyses were executed for a given request and updates tracing tags.
+ * @param {import('http').IncomingMessage} req outgoing request.
+ */
+function incrementDownstreamAnalysisCount (req) {
+  const currentCount = downstreamAnalysisCount.get(req) || 0
+  downstreamAnalysisCount.set(req, currentCount + 1)
+
+  const span = web.root(req)
+
+  if (span) {
+    span.setTag('_dd.appsec.downstream_request', currentCount + 1)
+  }
+}
+
+/**
+ * Returns the HTTP method to use for a downstream request, defaulting to GET.
+ * @param {string} method method supplied in the outgoing request options.
+ * @returns {string} validated HTTP method.
+ */
+function getMethod (method) {
+  return typeof method === 'string' && method ? method : 'GET'
+}
+
+/**
+ * Parses a downstream response body.
+ * @param {Buffer|string|object|null} body raw response body
+ * @param {string|null} contentType response content-type used to select the parser.
+ * @returns {object|null} parsed body object or null when not supported.
+ */
+function parseBody (body, contentType) {
+  if (!body || !contentType) {
+    return null
+  }
+
+  const mime = extractMimeType(contentType)
+
+  try {
+    if (mime === 'application/json' || mime === 'text/json') {
+      if (typeof body === 'string') {
+        return JSON.parse(body)
+      }
+
+      if (Buffer.isBuffer(body)) {
+        return JSON.parse(body.toString('utf8'))
+      }
+
+      return null
+    }
+
+    if (mime === 'application/x-www-form-urlencoded') {
+      const formBody = Buffer.isBuffer(body) ? body.toString('utf8') : String(body)
+      const params = new URLSearchParams(formBody)
+      const result = {}
+      for (const [key, value] of params.entries()) {
+        if (key in result) {
+          const existing = result[key]
+          if (Array.isArray(existing)) {
+            existing.push(value)
+          } else {
+            result[key] = [existing, value]
+          }
+        } else {
+          result[key] = value
+        }
+      }
+
+      return result
+    }
+
+    // multipart/form-data is mentioned in RFC but parsing is complex.
+    // Other content-types also discarded per RFC
+
+    return null
+  } catch {
+    // Parsing failed: return null to avoid sending malformed body to WAF
+    return null
+  }
+}
+
+/**
+ * Extracts the MIME type portion of a content-type header value.
+ * @param {string|null} contentType raw content-type header value.
+ * @returns {string|null} lowercase mime type
+ */
+function extractMimeType (contentType) {
+  if (typeof contentType !== 'string') {
+    return null
+  }
+
+  return contentType.split(';', 1)[0].trim().toLowerCase()
+}
+
+module.exports = {
+  enable,
+  disable,
+  shouldSampleBody,
+  handleRedirectResponse,
+  incrementDownstreamAnalysisCount,
+  extractRequestData,
+  extractResponseData,
+  // exports for tests
+  parseBody,
+  getMethod,
+  storeRedirectBodyCollectionDecision,
+}

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -39,7 +39,7 @@ class CookieAnalyzer extends Analyzer {
   }
 
   _checkOCE (context, value) {
-    if (value && value.location) {
+    if (value?.location) {
       return true
     }
     return super._checkOCE(context, value)

package/packages/dd-trace/src/appsec/iast/analyzers/ssrf-analyzer.js

@@ -12,7 +12,7 @@ class SSRFAnalyzer extends InjectionAnalyzer {
     this.addSub('apm:http:client:request:start', ({ args }) => {
       if (typeof args.originalUrl === 'string') {
         this.analyze(args.originalUrl)
-      } else if (args.options && args.options.host) {
+      } else if (args.options?.host) {
         this.analyze(args.options.host)
       }
     })

package/packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js

@@ -36,7 +36,7 @@ class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
   }
 
   isLocationHeader (name) {
-    return name && name.trim().toLowerCase() === 'location'
+    return name?.trim().toLowerCase() === 'location'
   }
 
   _isVulnerable (value, iastContext) {

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -1,7 +1,7 @@
 'use strict'
 
 const { storage } = require('../../../../../datadog-core')
-const { getNonDDCallSiteFrames } = require('../path-line')
+const { getCallSiteFramesForLocation } = require('../path-line')
 const { getIastContext, getIastStackTraceId } = require('../iast-context')
 const overheadController = require('../overhead-controller')
 const { SinkIastPlugin } = require('../iast-plugin')
@@ -35,9 +35,8 @@ class Analyzer extends SinkIastPlugin {
 
   _reportEvidence (value, context, evidence) {
     const callSiteFrames = getVulnerabilityCallSiteFrames()
-    const nonDDCallSiteFrames = getNonDDCallSiteFrames(callSiteFrames, this._getExcludedPaths())
-
-    const location = this._getLocation(value, nonDDCallSiteFrames)
+    const frames = getCallSiteFramesForLocation(callSiteFrames, this._getExcludedPaths())
+    const location = this._getLocation(value, frames)
 
     if (!this._isExcluded(location)) {
       const originalLocation = this._getOriginalLocation(location)
@@ -51,7 +50,7 @@ class Analyzer extends SinkIastPlugin {
         stackId
       )
 
-      addVulnerability(context, vulnerability, nonDDCallSiteFrames)
+      addVulnerability(context, vulnerability, frames)
     }
   }