dd-trace 5.88.0 → 5.90.0

package/packages/datadog-plugin-playwright/src/index.js

@@ -114,11 +114,14 @@ class PlaywrightPlugin extends CiPlugin {
     })
 
     this.addBind('ci:playwright:test-suite:start', (ctx) => {
-      const { testSuiteAbsolutePath } = ctx
+      const { testSuiteAbsolutePath, testSourceFileAbsolutePath } = ctx
 
       const store = storage('legacy').getStore()
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.rootDir)
-      const testSourceFile = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
+      const testSourceFile = getTestSuitePath(
+        testSourceFileAbsolutePath || testSuiteAbsolutePath,
+        this.repositoryRoot
+      )
 
       const testSuiteMetadata = {
         ...getTestSuiteCommonTags(
@@ -238,12 +241,15 @@ class PlaywrightPlugin extends CiPlugin {
             // test_suite_absolute_path is just a hack because in the worker we don't have rootDir and repositoryRoot
             // but if we pass those the same way we pass `DD_PLAYWRIGHT_WORKER` this is not necessary
             const testSuitePath = getTestSuitePath(formattedSpan.meta.test_suite_absolute_path, this.rootDir)
-            const testSourceFile = getTestSuitePath(formattedSpan.meta.test_suite_absolute_path, this.repositoryRoot)
+            const testSourceAbsolutePath = formattedSpan.meta.test_source_absolute_path ||
+              formattedSpan.meta.test_suite_absolute_path
+            const testSourceFile = getTestSuitePath(testSourceAbsolutePath, this.repositoryRoot)
             // we need to rewrite this because this.rootDir and this.repositoryRoot are not available in the worker
             formattedSpan.meta[TEST_SUITE] = testSuitePath
             formattedSpan.meta[TEST_SOURCE_FILE] = testSourceFile
             formattedSpan.resource = `${testSuitePath}.${formattedSpan.meta[TEST_NAME]}`
             delete formattedSpan.meta.test_suite_absolute_path
+            delete formattedSpan.meta.test_source_absolute_path
           }
           formattedTrace.push(formattedSpan)
         }
@@ -259,20 +265,25 @@ class PlaywrightPlugin extends CiPlugin {
       const {
         testName,
         testSuiteAbsolutePath,
+        testSourceFileAbsolutePath,
         testSourceLine,
         browserName,
         isDisabled,
       } = ctx
       const store = storage('legacy').getStore()
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.rootDir)
-      const testSourceFile = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
+      const testSourceFile = getTestSuitePath(
+        testSourceFileAbsolutePath || testSuiteAbsolutePath,
+        this.repositoryRoot
+      )
       const span = this.startTestSpan(
         testName,
         testSuiteAbsolutePath,
         testSuite,
         testSourceFile,
         testSourceLine,
-        browserName
+        browserName,
+        testSourceFileAbsolutePath
       )
 
       if (isDisabled) {
@@ -408,6 +419,7 @@ class PlaywrightPlugin extends CiPlugin {
     this.addSub('ci:playwright:test:skip', ({
       testName,
       testSuiteAbsolutePath,
+      testSourceFileAbsolutePath,
       testSourceLine,
       browserName,
       isNew,
@@ -416,14 +428,18 @@ class PlaywrightPlugin extends CiPlugin {
       isQuarantined,
     }) => {
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.rootDir)
-      const testSourceFile = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
+      const testSourceFile = getTestSuitePath(
+        testSourceFileAbsolutePath || testSuiteAbsolutePath,
+        this.repositoryRoot
+      )
       const span = this.startTestSpan(
         testName,
         testSuiteAbsolutePath,
         testSuite,
         testSourceFile,
         testSourceLine,
-        browserName
+        browserName,
+        testSourceFileAbsolutePath
       )
 
       span.setTag(TEST_STATUS, 'skip')
@@ -446,7 +462,15 @@ class PlaywrightPlugin extends CiPlugin {
   }
 
   // TODO: this runs both in worker and main process (main process: skipped tests that do not go through _runTest)
-  startTestSpan (testName, testSuiteAbsolutePath, testSuite, testSourceFile, testSourceLine, browserName) {
+  startTestSpan (
+    testName,
+    testSuiteAbsolutePath,
+    testSuite,
+    testSourceFile,
+    testSourceLine,
+    browserName,
+    testSourceFileAbsolutePath
+  ) {
     const testSuiteSpan = this._testSuiteSpansByTestSuiteAbsolutePath.get(testSuiteAbsolutePath)
 
     const extraTags = {
@@ -462,6 +486,9 @@ class PlaywrightPlugin extends CiPlugin {
     }
 
     extraTags.test_suite_absolute_path = testSuiteAbsolutePath
+    if (testSourceFileAbsolutePath) {
+      extraTags.test_source_absolute_path = testSourceFileAbsolutePath
+    }
 
     return super.startTestSpan(testName, testSuite, testSuiteSpan, extraTags)
   }

package/packages/dd-trace/src/aiguard/noop.js

@@ -2,7 +2,7 @@
 
 class NoopAIGuard {
   evaluate (messages, opts) {
-    return Promise.resolve({ action: 'ALLOW', reason: 'AI Guard is not enabled' })
+    return Promise.resolve({ action: 'ALLOW', reason: 'AI Guard is not enabled', tags: [], sds: [] })
   }
 }
 

package/packages/dd-trace/src/aiguard/sdk.js

@@ -4,6 +4,8 @@ const rfdc = require('../../../../vendor/dist/rfdc')({ proto: false, circles: fa
 const log = require('../log')
 const telemetryMetrics = require('../telemetry/metrics')
 const tracerVersion = require('../../../../package.json').version
+const { keepTrace } = require('../priority_sampler')
+const { AI_GUARD } = require('../standalone/product')
 const NoopAIGuard = require('./noop')
 const executeRequest = require('./client')
 const {
@@ -23,11 +25,12 @@ const appsecMetrics = telemetryMetrics.manager.namespace('appsec')
 const ALLOW = 'ALLOW'
 
 class AIGuardAbortError extends Error {
-  constructor (reason, tags) {
+  constructor (reason, tags, sds) {
     super(reason)
     this.name = 'AIGuardAbortError'
     this.reason = reason
     this.tags = tags
+    this.sds = sds || []
   }
 }
 
@@ -135,7 +138,7 @@ class AIGuard extends NoopAIGuard {
     if (!this.#initialized) {
       return super.evaluate(messages, opts)
     }
-    const { block = false } = opts ?? {}
+    const { block = true } = opts ?? {}
     return this.#tracer.trace(AI_GUARD_RESOURCE, {}, async (span) => {
       const last = messages[messages.length - 1]
       const target = this.#isToolCall(last) ? 'tool' : 'prompt'
@@ -152,6 +155,12 @@ class AIGuard extends NoopAIGuard {
       span.meta_struct = {
         [AI_GUARD_META_STRUCT_KEY]: metaStruct,
       }
+      const rootSpan = span.context()?._trace?.started?.[0]
+      if (rootSpan) {
+        // keepTrace must be called before executeRequest so the sampling decision
+        // is propagated correctly to outgoing HTTP client calls.
+        keepTrace(rootSpan, AI_GUARD)
+      }
       let response
       try {
         const payload = {
@@ -175,7 +184,7 @@ class AIGuard extends NoopAIGuard {
           `AI Guard service call failed, status ${response.status}`,
           { errors: response.body?.errors })
       }
-      let action, reason, tags, blockingEnabled
+      let action, reason, tags, sdsFindings, blockingEnabled
       try {
         const attr = response.body.data.attributes
         if (!attr.action) {
@@ -184,6 +193,7 @@ class AIGuard extends NoopAIGuard {
         action = attr.action
         reason = attr.reason
         tags = attr.tags
+        sdsFindings = attr.sds_findings || []
         blockingEnabled = attr.is_blocking_enabled ?? false
       } catch (e) {
         appsecMetrics.count(AI_GUARD_TELEMETRY_REQUESTS, { error: true }).inc(1)
@@ -198,11 +208,14 @@ class AIGuard extends NoopAIGuard {
       if (tags?.length > 0) {
         metaStruct.attack_categories = tags
       }
+      if (sdsFindings?.length > 0) {
+        metaStruct.sds = sdsFindings
+      }
       if (shouldBlock) {
         span.setTag(AI_GUARD_BLOCKED_TAG_KEY, 'true')
-        throw new AIGuardAbortError(reason, tags)
+        throw new AIGuardAbortError(reason, tags, sdsFindings)
       }
-      return { action, reason, tags }
+      return { action, reason, tags, sds: sdsFindings }
     })
   }
 }

package/packages/dd-trace/src/appsec/api_security_sampler.js

@@ -70,8 +70,25 @@ function isSampled (key) {
   return sampledRequests.has(key)
 }
 
+function getRouteOrEndpoint (context, statusCode) {
+  // First try to get the route from the context paths
+  const route = context?.paths?.join('') || ''
+  if (route) {
+    return route
+  }
+
+  // If route is not available, fallback to http.endpoint
+  if (statusCode !== 404) {
+    const endpoint = context?.span?.context()?._tags?.['http.endpoint']
+    if (endpoint) {
+      return endpoint
+    }
+  }
+
+  return ''
+}
+
 function computeKey (req, res) {
-  const route = web.getContext(req)?.paths?.join('') || ''
   const method = req.method
   const status = res.statusCode
 
@@ -79,6 +96,10 @@ function computeKey (req, res) {
     log.warn('[ASM] Unsupported groupkey for API security')
     return null
   }
+
+  const context = web.getContext(req)
+  const route = getRouteOrEndpoint(context, status)
+
   return method + route + status
 }
 

package/packages/dd-trace/src/appsec/index.js

@@ -68,7 +68,7 @@ function enable (_config) {
 
     appsecRemoteConfig.enableWafUpdate(_config.appsec)
 
-    Reporter.init(_config.appsec)
+    Reporter.init(_config.appsec, _config.inferredProxyServicesEnabled)
 
     apiSecuritySampler.configure(_config)
 
@@ -174,6 +174,13 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
     [HTTP_CLIENT_IP]: clientIp,
   })
 
+  if (config.inferredProxyServicesEnabled) {
+    const context = web.getContext(req)
+    if (context?.inferredProxySpan) {
+      context.inferredProxySpan.setTag('_dd.appsec.enabled', 1)
+    }
+  }
+
   const requestHeaders = { ...req.headers }
   delete requestHeaders.cookie
 
@@ -226,6 +233,9 @@ function incomingHttpEndTranslator ({ req, res }) {
     persistent[addresses.HTTP_INCOMING_QUERY] = query
   }
 
+  // This hook runs before span finish, so ensure route/endpoint tags are available before API Security sampling runs.
+  web.setRouteOrEndpointTag(req)
+
   if (apiSecuritySampler.sampleRequest(req, res, true)) {
     persistent[addresses.WAF_CONTEXT_PROCESSOR] = { 'extract-schema': true }
   }

package/packages/dd-trace/src/appsec/reporter.js

@@ -34,6 +34,7 @@ const config = {
   maxHeadersCollected: 0,
   headersRedaction: false,
   raspBodyCollection: false,
+  inferredProxyServicesEnabled: false,
 }
 
 const metricsQueue = new Map()
@@ -103,11 +104,12 @@ const NON_EXTENDED_REQUEST_HEADERS = new Set([...requestHeadersList, ...eventHea
 const NON_EXTENDED_RESPONSE_HEADERS = new Set(responseHeaderList)
 const REDACTED_HEADERS = new Set(redactedHeadersList)
 
-function init (_config) {
+function init (_config, inferredProxyServicesEnabled) {
   config.headersExtendedCollectionEnabled = _config.extendedHeadersCollection.enabled
   config.maxHeadersCollected = _config.extendedHeadersCollection.maxHeaders
   config.headersRedaction = _config.extendedHeadersCollection.redaction
   config.raspBodyCollection = _config.rasp.bodyCollection
+  config.inferredProxyServicesEnabled = inferredProxyServicesEnabled
 }
 
 function formatHeaderName (name) {
@@ -298,9 +300,11 @@ function reportWafConfigUpdate (product, rcConfigId, diagnostics, wafVersion) {
   }
 }
 
-function reportMetrics (metrics, raspRule) {
-  const store = storage('legacy').getStore()
-  const rootSpan = store?.req && web.root(store.req)
+function reportMetrics (metrics, raspRule, req) {
+  if (!req) {
+    req = storage('legacy').getStore()?.req
+  }
+  const rootSpan = req && web.root(req)
 
   if (!rootSpan) return
 
@@ -309,9 +313,9 @@ function reportMetrics (metrics, raspRule) {
   }
 
   if (raspRule) {
-    updateRaspRequestsMetricTags(metrics, store.req, raspRule)
+    updateRaspRequestsMetricTags(metrics, req, raspRule)
   } else {
-    updateWafRequestsMetricTags(metrics, store.req)
+    updateWafRequestsMetricTags(metrics, req)
   }
 
   reportTruncationMetrics(rootSpan, metrics)
@@ -331,9 +335,11 @@ function reportTruncationMetrics (rootSpan, metrics) {
   }
 }
 
-function reportAttack ({ events: attackData, actions }) {
-  const store = storage('legacy').getStore()
-  const req = store?.req
+function reportAttack ({ events: attackData, actions }, req) {
+  if (!req) {
+    req = storage('legacy').getStore()?.req
+  }
+
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
@@ -362,6 +368,14 @@ function reportAttack ({ events: attackData, actions }) {
 
   rootSpan.addTags(newTags)
 
+  // Add _dd.appsec.json tag to inferred proxy span
+  if (config.inferredProxyServicesEnabled) {
+    const context = web.getContext(req)
+    if (context?.inferredProxySpan) {
+      context.inferredProxySpan.setTag('_dd.appsec.json', newTags['_dd.appsec.json'])
+    }
+  }
+
   // TODO this should be deleted in a major
   if (config.raspBodyCollection && isRaspAttack(attackData)) {
     reportRequestBody(rootSpan, req.body, true)
@@ -463,10 +477,13 @@ function isSchemaAttribute (attribute) {
   return attribute.startsWith('_dd.appsec.s.')
 }
 
-function reportAttributes (attributes) {
+function reportAttributes (attributes, req) {
   if (!attributes) return
 
-  const req = storage('legacy').getStore()?.req
+  if (!req) {
+    req = storage('legacy').getStore()?.req
+  }
+
   const rootSpan = web.root(req)
 
   if (!rootSpan) return

package/packages/dd-trace/src/appsec/waf/index.js

@@ -122,7 +122,7 @@ function run (data, req, raspRule) {
   }
 
   const wafContext = waf.wafManager.getWAFContext(req)
-  const result = wafContext.run(data, raspRule)
+  const result = wafContext.run(data, raspRule, req)
 
   if (result?.keep) {
     if (limiter.isAllowed()) {

package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js

@@ -22,7 +22,7 @@ class WAFContextWrapper {
     this.cachedUserIdResults = new Map()
   }
 
-  run ({ persistent, ephemeral }, raspRule) {
+  run ({ persistent, ephemeral }, raspRule, req) {
     if (this.ddwafContext.disposed) {
       log.warn('[ASM] Calling run on a disposed context')
       if (raspRule) {
@@ -141,10 +141,10 @@ class WAFContextWrapper {
       metrics.wafTimeout = result.timeout
 
       if (ruleTriggered) {
-        Reporter.reportAttack(result)
+        Reporter.reportAttack(result, req)
       }
 
-      Reporter.reportAttributes(result.attributes)
+      Reporter.reportAttributes(result.attributes, req)
 
       return result
     } catch (err) {
@@ -156,7 +156,7 @@ class WAFContextWrapper {
         wafRunFinished.publish({ payload })
       }
 
-      Reporter.reportMetrics(metrics, raspRule)
+      Reporter.reportMetrics(metrics, raspRule, req)
     }
   }
 

package/packages/dd-trace/src/ci-visibility/exporters/ci-visibility-exporter.js

@@ -234,6 +234,7 @@ class CiVisibilityExporter extends BufferingExporter {
         testManagementAttemptToFixRetries ?? this._config.testManagementAttemptToFixRetries,
       isImpactedTestsEnabled: isImpactedTestsEnabled && this._config.isImpactedTestsEnabled,
       isCoverageReportUploadEnabled,
+      isKeepingCoverageConfiguration: this._config.isKeepingCoverageConfiguration,
     }
   }
 

package/packages/dd-trace/src/config/index.js

@@ -352,6 +352,7 @@ class Config {
       DD_TELEMETRY_HEARTBEAT_INTERVAL,
       DD_TELEMETRY_LOG_COLLECTION_ENABLED,
       DD_TELEMETRY_METRICS_ENABLED,
+      DD_TEST_TIA_KEEP_COV_CONFIG,
       DD_TRACE_128_BIT_TRACEID_GENERATION_ENABLED,
       DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED,
       DD_TRACE_AGENT_PORT,
@@ -757,6 +758,7 @@ class Config {
     unprocessedTarget['telemetry.heartbeatInterval'] = DD_TELEMETRY_HEARTBEAT_INTERVAL
     setBoolean(target, 'telemetry.logCollection', DD_TELEMETRY_LOG_COLLECTION_ENABLED)
     setBoolean(target, 'telemetry.metrics', DD_TELEMETRY_METRICS_ENABLED)
+    setBoolean(target, 'isKeepingCoverageConfiguration', DD_TEST_TIA_KEEP_COV_CONFIG)
     setBoolean(target, 'traceId128BitGenerationEnabled', DD_TRACE_128_BIT_TRACEID_GENERATION_ENABLED)
     setBoolean(target, 'traceId128BitLoggingEnabled', DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED)
     warnIfPropagationStyleConflict(
@@ -1659,6 +1661,7 @@ function getAgentUrl (url, options) {
     !options.port &&
     !getEnv('DD_AGENT_HOST') &&
     !getEnv('DD_TRACE_AGENT_PORT') &&
+    !isTrue(getEnv('DD_CIVISIBILITY_AGENTLESS_ENABLED')) &&
     fs.existsSync('/var/run/datadog/apm.socket')
   ) {
     return new URL('unix:///var/run/datadog/apm.socket')

package/packages/dd-trace/src/config/supported-configurations.json

@@ -1770,6 +1770,16 @@
         ]
       }
     ],
+    "DD_TEST_TIA_KEEP_COV_CONFIG": [
+      {
+        "implementation": "A",
+        "type": "boolean",
+        "default": "false",
+        "configurationNames": [
+          "isKeepingCoverageConfiguration"
+        ]
+      }
+    ],
     "DD_TEST_SESSION_NAME": [
       {
         "implementation": "A",
@@ -2172,6 +2182,13 @@
         "default": "true"
       }
     ],
+    "DD_TRACE_AZURE_DURABLE_FUNCTIONS_ENABLED": [
+      {
+        "implementation": "B",
+        "type": "boolean",
+        "default": "true"
+      }
+    ],
     "DD_TRACE_AZURE_EVENTHUBS_BATCH_LINKS_ENABLED": [
       {
         "implementation": "A",

package/packages/dd-trace/src/constants.js

@@ -17,6 +17,7 @@ module.exports = {
   SAMPLING_MECHANISM_SPAN: 8,
   SAMPLING_MECHANISM_REMOTE_USER: 11,
   SAMPLING_MECHANISM_REMOTE_DYNAMIC: 12,
+  SAMPLING_MECHANISM_AI_GUARD: 13,
   SPAN_SAMPLING_MECHANISM: '_dd.span_sampling.mechanism',
   SPAN_SAMPLING_RULE_RATE: '_dd.span_sampling.rule_rate',
   SPAN_SAMPLING_MAX_PER_SECOND: '_dd.span_sampling.max_per_second',

package/packages/dd-trace/src/datastreams/checkpointer.js

@@ -60,6 +60,19 @@ class DataStreamsCheckpointer {
 
     return ctx
   }
+
+  /**
+   * Records a transaction ID at a named checkpoint without pathway propagation.
+   * Tags the active span (or the provided span) with the transaction ID and checkpoint name.
+   * @param {string} transactionId - The transaction identifier to track.
+   * @param {string} checkpointName - The logical checkpoint name.
+   * @param {object|null} [span=null] - Span to tag. Defaults to the currently active span.
+   */
+  trackTransaction (transactionId, checkpointName, span = null) {
+    if (!this.config.dsmEnabled) return
+    const activeSpan = span ?? this.tracer.scope().active()
+    this.dsmProcessor.trackTransaction(transactionId, checkpointName, activeSpan)
+  }
 }
 
 module.exports = {

package/packages/dd-trace/src/datastreams/index.js

@@ -71,6 +71,7 @@ const DsmPathwayCodec = lazyClass(() => require('./pathway').DsmPathwayCodec, []
 const DataStreamsCheckpointer = lazyClass(() => require('./checkpointer').DataStreamsCheckpointer, [
   'setProduceCheckpoint',
   'setConsumeCheckpoint',
+  'trackTransaction',
 ])
 
 /**
@@ -79,6 +80,7 @@ const DataStreamsCheckpointer = lazyClass(() => require('./checkpointer').DataSt
 const DataStreamsManager = lazyClass(() => require('./manager').DataStreamsManager, [
   'setCheckpoint',
   'decodeDataStreamsContext',
+  'trackTransaction',
 ])
 
 // TODO: Are all those methods actually public?
@@ -92,6 +94,7 @@ const DataStreamsProcessor = lazyClass(() => require('./processor').DataStreamsP
   'setCheckpoint',
   'recordOffset',
   'setOffset',
+  'trackTransaction',
   'setUrl',
   'trySampleSchema',
   'canSampleSchema',

package/packages/dd-trace/src/datastreams/manager.js

@@ -22,6 +22,15 @@ class DataStreamsManager {
     DataStreamsContext.setDataStreamsContext(ctx)
     return ctx
   }
+
+  /**
+   * @param {string} transactionId
+   * @param {string} checkpointName
+   * @param {object|null} [span=null]
+   */
+  trackTransaction (transactionId, checkpointName, span = null) {
+    this._dataStreamsProcessor.trackTransaction(transactionId, checkpointName, span)
+  }
 }
 
 module.exports = { DataStreamsManager }