dd-trace 5.87.0 → 5.89.0

package/packages/datadog-plugin-cypress/src/support.js

@@ -1,5 +1,8 @@
 'use strict'
 
+const DD_CIVISIBILITY_TEST_EXECUTION_ID_COOKIE_NAME = 'datadog-ci-visibility-test-execution-id'
+let rumFlushWaitMillis = 500
+
 let isEarlyFlakeDetectionEnabled = false
 let isKnownTestsEnabled = false
 let knownTestsForSuite = []
@@ -15,9 +18,10 @@ const retryReasonsByTestName = new Map()
 // Track quarantined test errors - we catch them in Cypress.on('fail') but need to report to Datadog
 const quarantinedTestErrors = new Map()
 
-// We need to grab the original window as soon as possible,
-// in case the test changes the origin. If the test does change the origin,
-// any call to `cy.window()` will result in a cross origin error.
+// Track the most recently loaded window in the AUT. Updated via the 'window:load'
+// event so we always get the real app window (after cy.visit()), not the
+// about:blank window that exists when beforeEach runs. If the test later navigates
+// to a cross-origin URL, safeGetRum() handles the access error.
 let originalWindow
 
 // If the test is using multi domain with cy.origin, trying to access
@@ -165,18 +169,45 @@ beforeEach(function () {
     retryReasonsByTestName.delete(testName)
   }
 
+  cy.on('window:load', (win) => {
+    originalWindow = win
+  })
+
   cy.task('dd:beforeEach', {
     testName,
     testSuite: Cypress.mocha.getRootSuite().file,
   }).then(({ traceId, shouldSkip }) => {
-    Cypress.env('traceId', traceId)
+    if (traceId) {
+      cy.setCookie(DD_CIVISIBILITY_TEST_EXECUTION_ID_COOKIE_NAME, traceId).then(() => {
+        // When testIsolation:false, the page is not reset between tests, so the RUM session
+        // stopped in afterEach must be explicitly restarted so events in this test are
+        // associated with the new testExecutionId.
+        //
+        // After stopSession(), the RUM SDK creates a new session upon a user interaction
+        // (click, scroll, keydown, or touchstart). We dispatch a synthetic click on the window
+        // to trigger session renewal, then call startView() to establish a view boundary.
+        if (!isTestIsolationEnabled && originalWindow) {
+          const rum = safeGetRum(originalWindow)
+          if (rum) {
+            try {
+              const evt = new originalWindow.MouseEvent('click', { bubbles: true, cancelable: true })
+              // The browser-sdk addEventListener wrapper filters out untrusted synthetic events
+              // unless __ddIsTrusted is set. Set it so the click triggers expandOrRenewSession().
+              // See: https://github.com/DataDog/browser-sdk/blob/v6.27.1/packages/core/src/browser/addEventListener.ts#L119
+              Object.defineProperty(evt, '__ddIsTrusted', { value: true })
+              originalWindow.dispatchEvent(evt)
+            } catch {}
+            if (rum.startView) {
+              rum.startView()
+            }
+          }
+        }
+      })
+    }
     if (shouldSkip) {
       this.skip()
     }
   })
-  cy.window().then(win => {
-    originalWindow = win
-  })
 })
 
 before(function () {
@@ -195,6 +226,9 @@ before(function () {
       isImpactedTestsEnabled = suiteConfig.isImpactedTestsEnabled
       isModifiedTest = suiteConfig.isModifiedTest
       isTestIsolationEnabled = suiteConfig.isTestIsolationEnabled
+      if (Number.isFinite(suiteConfig.rumFlushWaitMillis)) {
+        rumFlushWaitMillis = suiteConfig.rumFlushWaitMillis
+      }
     }
   })
 })
@@ -224,6 +258,7 @@ afterEach(function () {
 
   const testInfo = {
     testName,
+    testItTitle: currentTest.title,
     testSuite: Cypress.mocha.getRootSuite().file,
     testSuiteAbsolutePath: Cypress.spec && Cypress.spec.absolute,
     // For quarantined tests, report the actual state (failed) to Datadog, not what Cypress thinks (passed)
@@ -238,11 +273,19 @@ afterEach(function () {
     isQuarantined: isQuarantinedTestThatFailed,
   }
   try {
-    testInfo.testSourceLine = Cypress.mocha.getRunner().currentRunnable.invocationDetails.line
+    const invocationDetails = Cypress.mocha.getRunner().currentRunnable.invocationDetails
+    testInfo.testSourceLine = invocationDetails.line
+    testInfo.testSourceStack = invocationDetails.stack
   } catch {}
 
-  if (safeGetRum(originalWindow)) {
+  const rum = safeGetRum(originalWindow)
+  if (rum) {
     testInfo.isRUMActive = true
+    if (rum.stopSession) {
+      rum.stopSession()
+      // eslint-disable-next-line cypress/no-unnecessary-waiting
+      cy.wait(rumFlushWaitMillis)
+    }
   }
   let coverage
   try {

package/packages/datadog-plugin-jest/src/index.js

@@ -182,9 +182,10 @@ class JestPlugin extends CiPlugin {
         config._ddTestSessionId = this.testSessionSpan.context().toTraceId()
         config._ddTestModuleId = this.testModuleSpan.context().toSpanId()
         config._ddTestCommand = this.testSessionSpan.context()._tags[TEST_COMMAND]
+        config._ddRequestErrorTags = this.getSessionRequestErrorTags()
         config._ddItrCorrelationId = this.itrCorrelationId
         config._ddIsEarlyFlakeDetectionEnabled = !!this.libraryConfig?.isEarlyFlakeDetectionEnabled
-        config._ddEarlyFlakeDetectionNumRetries = this.libraryConfig?.earlyFlakeDetectionNumRetries ?? 0
+        config._ddEarlyFlakeDetectionSlowTestRetries = this.libraryConfig?.earlyFlakeDetectionSlowTestRetries ?? {}
         config._ddRepositoryRoot = this.repositoryRoot
         config._ddIsFlakyTestRetriesEnabled = this.libraryConfig?.isFlakyTestRetriesEnabled ?? false
         config._ddIsTestManagementTestsEnabled = this.libraryConfig?.isTestManagementEnabled ?? false
@@ -208,6 +209,7 @@ class JestPlugin extends CiPlugin {
         _ddTestSessionId: testSessionId,
         _ddTestCommand: testCommand,
         _ddTestModuleId: testModuleId,
+        _ddRequestErrorTags: requestErrorTags,
         _ddItrCorrelationId: itrCorrelationId,
         _ddForcedToRun,
         _ddUnskippable,
@@ -219,7 +221,11 @@ class JestPlugin extends CiPlugin {
         'x-datadog-parent-id': testModuleId,
       })
 
-      const testSuiteMetadata = getTestSuiteCommonTags(testCommand, frameworkVersion, testSuite, 'jest')
+      const testSuiteMetadata = {
+        ...getTestSuiteCommonTags(testCommand, frameworkVersion, testSuite, 'jest'),
+        // requestErrorTags from test env options may be undefined
+        ...(requestErrorTags !== undefined && requestErrorTags !== null ? requestErrorTags : {}),
+      }
 
       if (_ddUnskippable) {
         const unskippableSuites = this.getUnskippableSuites(_ddUnskippable)
@@ -389,6 +395,7 @@ class JestPlugin extends CiPlugin {
       attemptToFixFailed,
       isAtrRetry,
       finalStatus,
+      earlyFlakeAbortReason,
     }) => {
       span.setTag(TEST_STATUS, status)
       if (finalStatus) {
@@ -409,6 +416,9 @@ class JestPlugin extends CiPlugin {
         span.setTag(TEST_IS_RETRY, 'true')
         span.setTag(TEST_RETRY_REASON, TEST_RETRY_REASON_TYPES.atr)
       }
+      if (earlyFlakeAbortReason) {
+        span.setTag(TEST_EARLY_FLAKE_ABORT_REASON, earlyFlakeAbortReason)
+      }
 
       this.telemetry.ciVisEvent(
         TELEMETRY_EVENT_FINISHED,

package/packages/datadog-plugin-jest/src/util.js

@@ -3,7 +3,7 @@
 const { readFileSync } = require('fs')
 const { parse } = require('../../../vendor/dist/jest-docblock')
 
-const { getTestSuitePath } = require('../../dd-trace/src/plugins/util/test')
+const { getTestSuitePath, getEfdRetryCount } = require('../../dd-trace/src/plugins/util/test')
 const log = require('../../dd-trace/src/log')
 
 /**
@@ -172,4 +172,5 @@ module.exports = {
   getJestTestName,
   getJestSuitesToRun,
   isMarkedAsUnskippable,
+  getEfdRetryCount,
 }

package/packages/datadog-plugin-kafkajs/src/consumer.js

@@ -40,14 +40,18 @@ class KafkajsConsumerPlugin extends ConsumerPlugin {
    * @returns {ConsumerBacklog}
    */
   transformCommit (commit) {
-    const { groupId, partition, offset, topic } = commit
-    return {
+    const { groupId, partition, offset, topic, clusterId } = commit
+    const backlog = {
       partition,
       topic,
       type: 'kafka_commit',
       offset: Number(offset),
       consumer_group: groupId,
     }
+    if (clusterId) {
+      backlog.kafka_cluster_id = clusterId
+    }
+    return backlog
   }
 
   commit (commitList) {
@@ -65,6 +69,22 @@ class KafkajsConsumerPlugin extends ConsumerPlugin {
     }
   }
 
+  start (ctx) {
+    if (!this.config.dsmEnabled) return
+    const { topic, message, groupId, clusterId } = ctx.extractedArgs || ctx
+    const headers = convertToTextMap(message?.headers)
+    if (!headers) return
+
+    const { span } = ctx.currentStore
+    const payloadSize = getMessageSize(message)
+    this.tracer.decodeDataStreamsContext(headers)
+    const edgeTags = ['direction:in', `group:${groupId}`, `topic:${topic}`, 'type:kafka']
+    if (clusterId) {
+      edgeTags.push(`kafka_cluster_id:${clusterId}`)
+    }
+    this.tracer.setCheckpoint(edgeTags, span, payloadSize)
+  }
+
   bindStart (ctx) {
     const { topic, partition, message, groupId, clusterId } = ctx.extractedArgs || ctx
 
@@ -89,16 +109,6 @@ class KafkajsConsumerPlugin extends ConsumerPlugin {
     }, ctx)
     if (message?.offset) span.setTag('kafka.message.offset', message?.offset)
 
-    if (this.config.dsmEnabled && headers) {
-      const payloadSize = getMessageSize(message)
-      this.tracer.decodeDataStreamsContext(headers)
-      const edgeTags = ['direction:in', `group:${groupId}`, `topic:${topic}`, 'type:kafka']
-      if (clusterId) {
-        edgeTags.push(`kafka_cluster_id:${clusterId}`)
-      }
-      this.tracer.setCheckpoint(edgeTags, span, payloadSize)
-    }
-
     if (afterStartCh.hasSubscribers) {
       afterStartCh.publish({ topic, partition, message, groupId, currentStore: ctx.currentStore })
     }

package/packages/datadog-plugin-kafkajs/src/producer.js

@@ -37,16 +37,20 @@ class KafkajsProducerPlugin extends ProducerPlugin {
    * @param {ProducerResponseItem} response
    * @returns {ProducerBacklog}
    */
-  transformProduceResponse (response) {
+  transformProduceResponse (response, clusterId) {
     // In produce protocol >=v3, the offset key changes from `offset` to `baseOffset`
     const { topicName: topic, partition, offset, baseOffset } = response
     const offsetAsLong = offset || baseOffset
-    return {
+    const backlog = {
       type: 'kafka_produce',
       partition,
       offset: offsetAsLong ? Number(offsetAsLong) : undefined,
       topic,
     }
+    if (clusterId) {
+      backlog.kafka_cluster_id = clusterId
+    }
+    return backlog
   }
 
   /**
@@ -56,6 +60,7 @@ class KafkajsProducerPlugin extends ProducerPlugin {
    */
   commit (ctx) {
     const commitList = ctx.result
+    const clusterId = ctx.clusterId
 
     if (!this.config.dsmEnabled) return
     if (!commitList || !Array.isArray(commitList)) return
@@ -65,12 +70,33 @@ class KafkajsProducerPlugin extends ProducerPlugin {
       'offset',
       'topic',
     ]
-    for (const commit of commitList.map(this.transformProduceResponse)) {
+    for (const commit of commitList.map(r => this.transformProduceResponse(r, clusterId))) {
       if (keys.some(key => !commit.hasOwnProperty(key))) continue
       this.tracer.setOffset(commit)
     }
   }
 
+  start (ctx) {
+    if (!this.config.dsmEnabled) return
+    const { topic, messages, clusterId, disableHeaderInjection, currentStore: { span } } = ctx
+
+    for (const message of messages) {
+      if (message !== null && typeof message === 'object') {
+        const payloadSize = getMessageSize(message)
+        const edgeTags = ['direction:out', `topic:${topic}`, 'type:kafka']
+
+        if (clusterId) {
+          edgeTags.push(`kafka_cluster_id:${clusterId}`)
+        }
+
+        const dataStreamsContext = this.tracer.setCheckpoint(edgeTags, span, payloadSize)
+        if (!disableHeaderInjection) {
+          DsmPathwayCodec.encode(dataStreamsContext, message.headers)
+        }
+      }
+    }
+  }
+
   bindStart (ctx) {
     const { topic, messages, bootstrapServers, clusterId, disableHeaderInjection } = ctx
     const span = this.startSpan({
@@ -89,25 +115,10 @@ class KafkajsProducerPlugin extends ProducerPlugin {
       span.setTag(BOOTSTRAP_SERVERS_KEY, bootstrapServers)
     }
     for (const message of messages) {
-      if (message !== null && typeof message === 'object') {
-        // message headers are not supported for kafka broker versions <0.11
-        if (!disableHeaderInjection) {
-          message.headers ??= {}
-          this.tracer.inject(span, 'text_map', message.headers)
-        }
-        if (this.config.dsmEnabled) {
-          const payloadSize = getMessageSize(message)
-          const edgeTags = ['direction:out', `topic:${topic}`, 'type:kafka']
-
-          if (clusterId) {
-            edgeTags.push(`kafka_cluster_id:${clusterId}`)
-          }
-
-          const dataStreamsContext = this.tracer.setCheckpoint(edgeTags, span, payloadSize)
-          if (!disableHeaderInjection) {
-            DsmPathwayCodec.encode(dataStreamsContext, message.headers)
-          }
-        }
+      // message headers are not supported for kafka broker versions <0.11
+      if (message !== null && typeof message === 'object' && !disableHeaderInjection) {
+        message.headers ??= {}
+        this.tracer.inject(span, 'text_map', message.headers)
       }
     }
 

package/packages/datadog-plugin-mocha/src/index.js

@@ -93,12 +93,15 @@ class MochaPlugin extends CiPlugin {
         return
       }
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.sourceRoot)
-      const testSuiteMetadata = getTestSuiteCommonTags(
-        this.command,
-        this.frameworkVersion,
-        testSuite,
-        'mocha'
-      )
+      const testSuiteMetadata = {
+        ...getTestSuiteCommonTags(
+          this.command,
+          this.frameworkVersion,
+          testSuite,
+          'mocha'
+        ),
+        ...this.getSessionRequestErrorTags(),
+      }
       if (isUnskippable) {
         testSuiteMetadata[TEST_ITR_UNSKIPPABLE] = 'true'
         this.telemetry.count(TELEMETRY_ITR_UNSKIPPABLE, { testLevel: 'suite' })

package/packages/datadog-plugin-playwright/src/index.js

@@ -120,12 +120,15 @@ class PlaywrightPlugin extends CiPlugin {
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.rootDir)
       const testSourceFile = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
 
-      const testSuiteMetadata = getTestSuiteCommonTags(
-        this.command,
-        this.frameworkVersion,
-        testSuite,
-        'playwright'
-      )
+      const testSuiteMetadata = {
+        ...getTestSuiteCommonTags(
+          this.command,
+          this.frameworkVersion,
+          testSuite,
+          'playwright'
+        ),
+        ...this.getSessionRequestErrorTags(),
+      }
       if (testSourceFile) {
         testSuiteMetadata[TEST_SOURCE_FILE] = testSourceFile
         testSuiteMetadata[TEST_SOURCE_START] = 1
@@ -222,6 +225,7 @@ class PlaywrightPlugin extends CiPlugin {
             // for a test session. They can be passed the same way `DD_PLAYWRIGHT_WORKER` is passed.
             formattedSpan.meta[TEST_SESSION_ID] = this.testSessionSpan.context().toTraceId()
             formattedSpan.meta[TEST_MODULE_ID] = this.testModuleSpan.context().toSpanId()
+            Object.assign(formattedSpan.meta, this.getSessionRequestErrorTags())
             formattedSpan.meta[TEST_COMMAND] = this.command
             formattedSpan.meta[TEST_MODULE] = this.constructor.id
             // MISSING _trace.startTime and _trace.ticks - because by now the suite is already serialized

package/packages/datadog-plugin-vitest/src/index.js

@@ -275,9 +275,11 @@ class VitestPlugin extends CiPlugin {
     this.addBind('ci:vitest:test-suite:start', (ctx) => {
       const { testSuiteAbsolutePath, frameworkVersion } = ctx
 
+      // TODO: Handle case where the command is not set
       this.command = getValueFromEnvSources('DD_CIVISIBILITY_TEST_COMMAND')
       this.frameworkVersion = frameworkVersion
       const testSessionSpanContext = this.tracer.extract('text_map', {
+        // TODO: Handle case where the session ID or module ID is not set
         'x-datadog-trace-id': getValueFromEnvSources('DD_CIVISIBILITY_TEST_SESSION_ID'),
         'x-datadog-parent-id': getValueFromEnvSources('DD_CIVISIBILITY_TEST_MODULE_ID'),
       })
@@ -301,14 +303,17 @@ class VitestPlugin extends CiPlugin {
       }
 
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
-      const testSuiteMetadata = getTestSuiteCommonTags(
-        this.command,
-        this.frameworkVersion,
-        testSuite,
-        'vitest'
-      )
-      testSuiteMetadata[TEST_SOURCE_FILE] = testSuite
-      testSuiteMetadata[TEST_SOURCE_START] = 1
+      // Request error tags are applied to test spans in the main process (worker-report:trace handler)
+      const testSuiteMetadata = {
+        ...getTestSuiteCommonTags(
+          this.command,
+          this.frameworkVersion,
+          testSuite,
+          'vitest'
+        ),
+        [TEST_SOURCE_FILE]: testSuite,
+        [TEST_SOURCE_START]: 1,
+      }
 
       const codeOwners = this.getCodeOwners(testSuiteMetadata)
       if (codeOwners) {

package/packages/dd-trace/src/aiguard/sdk.js

@@ -175,7 +175,7 @@ class AIGuard extends NoopAIGuard {
           `AI Guard service call failed, status ${response.status}`,
           { errors: response.body?.errors })
       }
-      let action, reason, tags, blockingEnabled
+      let action, reason, tags, sdsFindings, blockingEnabled
       try {
         const attr = response.body.data.attributes
         if (!attr.action) {
@@ -184,6 +184,7 @@ class AIGuard extends NoopAIGuard {
         action = attr.action
         reason = attr.reason
         tags = attr.tags
+        sdsFindings = attr.sds_findings
         blockingEnabled = attr.is_blocking_enabled ?? false
       } catch (e) {
         appsecMetrics.count(AI_GUARD_TELEMETRY_REQUESTS, { error: true }).inc(1)
@@ -198,6 +199,9 @@ class AIGuard extends NoopAIGuard {
       if (tags?.length > 0) {
         metaStruct.attack_categories = tags
       }
+      if (sdsFindings?.length > 0) {
+        metaStruct.sds = sdsFindings
+      }
       if (shouldBlock) {
         span.setTag(AI_GUARD_BLOCKED_TAG_KEY, 'true')
         throw new AIGuardAbortError(reason, tags)

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -39,7 +39,7 @@ class CookieAnalyzer extends Analyzer {
   }
 
   _checkOCE (context, value) {
-    if (value && value.location) {
+    if (value?.location) {
       return true
     }
     return super._checkOCE(context, value)

package/packages/dd-trace/src/appsec/iast/analyzers/ssrf-analyzer.js

@@ -12,7 +12,7 @@ class SSRFAnalyzer extends InjectionAnalyzer {
     this.addSub('apm:http:client:request:start', ({ args }) => {
       if (typeof args.originalUrl === 'string') {
         this.analyze(args.originalUrl)
-      } else if (args.options && args.options.host) {
+      } else if (args.options?.host) {
         this.analyze(args.options.host)
       }
     })

package/packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js

@@ -36,7 +36,7 @@ class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
   }
 
   isLocationHeader (name) {
-    return name && name.trim().toLowerCase() === 'location'
+    return name?.trim().toLowerCase() === 'location'
   }
 
   _isVulnerable (value, iastContext) {

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -1,7 +1,7 @@
 'use strict'
 
 const { storage } = require('../../../../../datadog-core')
-const { getNonDDCallSiteFrames } = require('../path-line')
+const { getCallSiteFramesForLocation } = require('../path-line')
 const { getIastContext, getIastStackTraceId } = require('../iast-context')
 const overheadController = require('../overhead-controller')
 const { SinkIastPlugin } = require('../iast-plugin')
@@ -35,9 +35,8 @@ class Analyzer extends SinkIastPlugin {
 
   _reportEvidence (value, context, evidence) {
     const callSiteFrames = getVulnerabilityCallSiteFrames()
-    const nonDDCallSiteFrames = getNonDDCallSiteFrames(callSiteFrames, this._getExcludedPaths())
-
-    const location = this._getLocation(value, nonDDCallSiteFrames)
+    const frames = getCallSiteFramesForLocation(callSiteFrames, this._getExcludedPaths())
+    const location = this._getLocation(value, frames)
 
     if (!this._isExcluded(location)) {
       const originalLocation = this._getOriginalLocation(location)
@@ -51,7 +50,7 @@ class Analyzer extends SinkIastPlugin {
         stackId
       )
 
-      addVulnerability(context, vulnerability, nonDDCallSiteFrames)
+      addVulnerability(context, vulnerability, frames)
     }
   }
 

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -8,29 +8,40 @@ const { getOriginalPathAndLineFromSourceMap } = require('./taint-tracking/rewrit
 const pathLine = {
   getNodeModulesPaths,
   getRelativePath,
-  getNonDDCallSiteFrames,
+  getCallSiteFramesForLocation,
   ddBasePath, // Exported only for test purposes
 }
 
 const EXCLUDED_PATHS = [
   path.join(path.sep, 'node_modules', 'dc-polyfill'),
 ]
-const EXCLUDED_PATH_PREFIXES = [
-  'node:diagnostics_channel',
-  'diagnostics_channel',
-  'node:child_process',
-  'child_process',
-  'node:async_hooks',
-  'async_hooks',
-  'node:internal/async_local_storage',
-]
 
-function getNonDDCallSiteFrames (callSiteFrames, externallyExcludedPaths) {
+/**
+ * Processes and filters call site frames to find the best location for a vulnerability.
+ * Returns client frames if available, otherwise falls back to all processed frames.
+ * Excludes dd-trace frames and all Node.js built-in/internal modules (node:*).
+ * @param {CallSiteFrame[]} callSiteFrames
+ * @param {string[]} externallyExcludedPaths
+ * @returns {CallSiteFrame[]} Client frames if available, otherwise all processed frames
+ *
+ * @typedef {object} CallSiteFrame
+ * @property {number} id
+ * @property {string} file - Original file path
+ * @property {number} line
+ * @property {number} column
+ * @property {string} function
+ * @property {string} class_name
+ * @property {boolean} isNative
+ * @property {string} [path] - Relative path, added during processing
+ * @property {boolean} [isInternal] - Whether the frame is internal, added during processing
+ */
+function getCallSiteFramesForLocation (callSiteFrames, externallyExcludedPaths) {
   if (!callSiteFrames) {
     return []
   }
 
-  const result = []
+  const allFrames = []
+  const clientFrames = []
 
   for (const callsite of callSiteFrames) {
     let filepath = callsite.file?.startsWith('file://') ? fileURLToPath(callsite.file) : callsite.file
@@ -47,18 +58,22 @@ function getNonDDCallSiteFrames (callSiteFrames, externallyExcludedPaths) {
       callsite.column = column
     }
 
-    if (
-      !isExcluded(callsite, externallyExcludedPaths) &&
-      (!filepath.includes(pathLine.ddBasePath) || globalThis.__DD_ESBUILD_IAST_WITH_NO_SM)
-    ) {
+    if (filepath) {
       callsite.path = getRelativePath(filepath)
       callsite.isInternal = !path.isAbsolute(filepath)
 
-      result.push(callsite)
+      allFrames.push(callsite)
+
+      if (
+        !isExcluded(callsite, externallyExcludedPaths) &&
+        (!filepath.includes(pathLine.ddBasePath) || globalThis.__DD_ESBUILD_IAST_WITH_NO_SM)
+      ) {
+        clientFrames.push(callsite)
+      }
     }
   }
 
-  return result
+  return clientFrames.length > 0 ? clientFrames : allFrames
 }
 
 function getRelativePath (filepath) {
@@ -67,10 +82,12 @@ function getRelativePath (filepath) {
 
 function isExcluded (callsite, externallyExcludedPaths) {
   if (callsite.isNative) return true
+
   const filename = globalThis.__DD_ESBUILD_IAST_WITH_SM ? callsite.path : callsite.file
-  if (!filename) {
+  if (!filename || filename.startsWith('node:')) {
     return true
   }
+
   let excludedPaths = EXCLUDED_PATHS
   if (externallyExcludedPaths) {
     excludedPaths = [...excludedPaths, ...externallyExcludedPaths]
@@ -82,12 +99,6 @@ function isExcluded (callsite, externallyExcludedPaths) {
     }
   }
 
-  for (const EXCLUDED_PATH_PREFIX of EXCLUDED_PATH_PREFIXES) {
-    if (filename.indexOf(EXCLUDED_PATH_PREFIX) === 0) {
-      return true
-    }
-  }
-
   return false
 }
 

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/command-sensitive-analyzer.js

@@ -10,7 +10,7 @@ module.exports = function extractSensitiveRanges (evidence) {
     pattern.lastIndex = 0
 
     const regexResult = pattern.exec(evidence.value)
-    if (regexResult && regexResult.length > 1) {
+    if (regexResult?.length > 1) {
       const start = regexResult.index + (regexResult[0].length - regexResult[1].length)
       const end = start + regexResult[1].length
       return [{ start, end }]

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -3,6 +3,7 @@
 
 const log = require('../../../../log')
 const vulnerabilities = require('../../vulnerabilities')
+const defaults = require('../../../../config/defaults')
 
 const { contains, intersects, remove } = require('./range-utils')
 
@@ -14,14 +15,12 @@ const sqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyz
 const taintedRangeBasedSensitiveAnalyzer = require('./sensitive-analyzers/tainted-range-based-sensitive-analyzer')
 const urlSensitiveAnalyzer = require('./sensitive-analyzers/url-sensitive-analyzer')
 
-const { DEFAULT_IAST_REDACTION_NAME_PATTERN, DEFAULT_IAST_REDACTION_VALUE_PATTERN } = require('./sensitive-regex')
-
 const REDACTED_SOURCE_BUFFER = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
 
 class SensitiveHandler {
   constructor () {
-    this._namePattern = new RegExp(DEFAULT_IAST_REDACTION_NAME_PATTERN, 'gmi')
-    this._valuePattern = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
+    this._namePattern = new RegExp(/** @type {string} */ (defaults['iast.redactionNamePattern']), 'gmi')
+    this._valuePattern = new RegExp(/** @type {string} */ (defaults['iast.redactionValuePattern']), 'gmi')
 
     this._sensitiveAnalyzers = new Map()
     this._sensitiveAnalyzers.set(vulnerabilities.CODE_INJECTION, taintedRangeBasedSensitiveAnalyzer)