dd-trace 5.89.0 → 5.91.0

package/packages/datadog-plugin-langgraph/src/stream.js

@@ -0,0 +1,41 @@
+'use strict'
+
+const TracingPlugin = require('../../dd-trace/src/plugins/tracing')
+const { spanHasError } = require('../../dd-trace/src/llmobs/util')
+
+// We are only tracing Pregel.stream because Pregel.invoke calls stream internally resulting in
+// a graph with spans that look redundant.
+class PregelStreamPlugin extends TracingPlugin {
+  static id = 'langgraph_pregel_stream'
+  static prefix = 'tracing:orchestrion:@langchain/langgraph:Pregel_stream'
+
+  bindStart (ctx) {
+    this.startSpan('LangGraph', {
+      service: this.config.service,
+      kind: 'internal',
+      component: 'langgraph',
+    }, ctx)
+    return ctx.currentStore
+  }
+}
+class NextStreamPlugin extends TracingPlugin {
+  static id = 'langgraph_stream_next'
+  static prefix = 'tracing:orchestrion:@langchain/langgraph:Pregel_stream_next'
+
+  bindStart (ctx) {
+    return ctx.currentStore
+  }
+
+  asyncEnd (ctx) {
+    const span = ctx.currentStore?.span
+    if (!span) return
+    if (ctx.result.done === true || spanHasError(span)) {
+      span.finish()
+    }
+  }
+}
+
+module.exports = [
+  PregelStreamPlugin,
+  NextStreamPlugin,
+]

package/packages/datadog-plugin-playwright/src/index.js

@@ -114,11 +114,14 @@ class PlaywrightPlugin extends CiPlugin {
     })
 
     this.addBind('ci:playwright:test-suite:start', (ctx) => {
-      const { testSuiteAbsolutePath } = ctx
+      const { testSuiteAbsolutePath, testSourceFileAbsolutePath } = ctx
 
       const store = storage('legacy').getStore()
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.rootDir)
-      const testSourceFile = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
+      const testSourceFile = getTestSuitePath(
+        testSourceFileAbsolutePath || testSuiteAbsolutePath,
+        this.repositoryRoot
+      )
 
       const testSuiteMetadata = {
         ...getTestSuiteCommonTags(
@@ -238,12 +241,15 @@ class PlaywrightPlugin extends CiPlugin {
             // test_suite_absolute_path is just a hack because in the worker we don't have rootDir and repositoryRoot
             // but if we pass those the same way we pass `DD_PLAYWRIGHT_WORKER` this is not necessary
             const testSuitePath = getTestSuitePath(formattedSpan.meta.test_suite_absolute_path, this.rootDir)
-            const testSourceFile = getTestSuitePath(formattedSpan.meta.test_suite_absolute_path, this.repositoryRoot)
+            const testSourceAbsolutePath = formattedSpan.meta.test_source_absolute_path ||
+              formattedSpan.meta.test_suite_absolute_path
+            const testSourceFile = getTestSuitePath(testSourceAbsolutePath, this.repositoryRoot)
             // we need to rewrite this because this.rootDir and this.repositoryRoot are not available in the worker
             formattedSpan.meta[TEST_SUITE] = testSuitePath
             formattedSpan.meta[TEST_SOURCE_FILE] = testSourceFile
             formattedSpan.resource = `${testSuitePath}.${formattedSpan.meta[TEST_NAME]}`
             delete formattedSpan.meta.test_suite_absolute_path
+            delete formattedSpan.meta.test_source_absolute_path
           }
           formattedTrace.push(formattedSpan)
         }
@@ -259,20 +265,25 @@ class PlaywrightPlugin extends CiPlugin {
       const {
         testName,
         testSuiteAbsolutePath,
+        testSourceFileAbsolutePath,
         testSourceLine,
         browserName,
         isDisabled,
       } = ctx
       const store = storage('legacy').getStore()
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.rootDir)
-      const testSourceFile = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
+      const testSourceFile = getTestSuitePath(
+        testSourceFileAbsolutePath || testSuiteAbsolutePath,
+        this.repositoryRoot
+      )
       const span = this.startTestSpan(
         testName,
         testSuiteAbsolutePath,
         testSuite,
         testSourceFile,
         testSourceLine,
-        browserName
+        browserName,
+        testSourceFileAbsolutePath
       )
 
       if (isDisabled) {
@@ -408,6 +419,7 @@ class PlaywrightPlugin extends CiPlugin {
     this.addSub('ci:playwright:test:skip', ({
       testName,
       testSuiteAbsolutePath,
+      testSourceFileAbsolutePath,
       testSourceLine,
       browserName,
       isNew,
@@ -416,14 +428,18 @@ class PlaywrightPlugin extends CiPlugin {
       isQuarantined,
     }) => {
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.rootDir)
-      const testSourceFile = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
+      const testSourceFile = getTestSuitePath(
+        testSourceFileAbsolutePath || testSuiteAbsolutePath,
+        this.repositoryRoot
+      )
       const span = this.startTestSpan(
         testName,
         testSuiteAbsolutePath,
         testSuite,
         testSourceFile,
         testSourceLine,
-        browserName
+        browserName,
+        testSourceFileAbsolutePath
       )
 
       span.setTag(TEST_STATUS, 'skip')
@@ -446,7 +462,15 @@ class PlaywrightPlugin extends CiPlugin {
   }
 
   // TODO: this runs both in worker and main process (main process: skipped tests that do not go through _runTest)
-  startTestSpan (testName, testSuiteAbsolutePath, testSuite, testSourceFile, testSourceLine, browserName) {
+  startTestSpan (
+    testName,
+    testSuiteAbsolutePath,
+    testSuite,
+    testSourceFile,
+    testSourceLine,
+    browserName,
+    testSourceFileAbsolutePath
+  ) {
     const testSuiteSpan = this._testSuiteSpansByTestSuiteAbsolutePath.get(testSuiteAbsolutePath)
 
     const extraTags = {
@@ -462,6 +486,9 @@ class PlaywrightPlugin extends CiPlugin {
     }
 
     extraTags.test_suite_absolute_path = testSuiteAbsolutePath
+    if (testSourceFileAbsolutePath) {
+      extraTags.test_source_absolute_path = testSourceFileAbsolutePath
+    }
 
     return super.startTestSpan(testName, testSuite, testSuiteSpan, extraTags)
   }

package/packages/dd-trace/src/aiguard/noop.js

@@ -2,7 +2,7 @@
 
 class NoopAIGuard {
   evaluate (messages, opts) {
-    return Promise.resolve({ action: 'ALLOW', reason: 'AI Guard is not enabled' })
+    return Promise.resolve({ action: 'ALLOW', reason: 'AI Guard is not enabled', tags: [], sds: [] })
   }
 }
 

package/packages/dd-trace/src/aiguard/sdk.js

@@ -4,6 +4,8 @@ const rfdc = require('../../../../vendor/dist/rfdc')({ proto: false, circles: fa
 const log = require('../log')
 const telemetryMetrics = require('../telemetry/metrics')
 const tracerVersion = require('../../../../package.json').version
+const { keepTrace } = require('../priority_sampler')
+const { AI_GUARD } = require('../standalone/product')
 const NoopAIGuard = require('./noop')
 const executeRequest = require('./client')
 const {
@@ -23,11 +25,12 @@ const appsecMetrics = telemetryMetrics.manager.namespace('appsec')
 const ALLOW = 'ALLOW'
 
 class AIGuardAbortError extends Error {
-  constructor (reason, tags) {
+  constructor (reason, tags, sds) {
     super(reason)
     this.name = 'AIGuardAbortError'
     this.reason = reason
     this.tags = tags
+    this.sds = sds || []
   }
 }
 
@@ -135,7 +138,7 @@ class AIGuard extends NoopAIGuard {
     if (!this.#initialized) {
       return super.evaluate(messages, opts)
     }
-    const { block = false } = opts ?? {}
+    const { block = true } = opts ?? {}
     return this.#tracer.trace(AI_GUARD_RESOURCE, {}, async (span) => {
       const last = messages[messages.length - 1]
       const target = this.#isToolCall(last) ? 'tool' : 'prompt'
@@ -152,6 +155,12 @@ class AIGuard extends NoopAIGuard {
       span.meta_struct = {
         [AI_GUARD_META_STRUCT_KEY]: metaStruct,
       }
+      const rootSpan = span.context()?._trace?.started?.[0]
+      if (rootSpan) {
+        // keepTrace must be called before executeRequest so the sampling decision
+        // is propagated correctly to outgoing HTTP client calls.
+        keepTrace(rootSpan, AI_GUARD)
+      }
       let response
       try {
         const payload = {
@@ -184,7 +193,7 @@ class AIGuard extends NoopAIGuard {
         action = attr.action
         reason = attr.reason
         tags = attr.tags
-        sdsFindings = attr.sds_findings
+        sdsFindings = attr.sds_findings || []
         blockingEnabled = attr.is_blocking_enabled ?? false
       } catch (e) {
         appsecMetrics.count(AI_GUARD_TELEMETRY_REQUESTS, { error: true }).inc(1)
@@ -204,9 +213,9 @@ class AIGuard extends NoopAIGuard {
       }
       if (shouldBlock) {
         span.setTag(AI_GUARD_BLOCKED_TAG_KEY, 'true')
-        throw new AIGuardAbortError(reason, tags)
+        throw new AIGuardAbortError(reason, tags, sdsFindings)
       }
-      return { action, reason, tags }
+      return { action, reason, tags, sds: sdsFindings }
     })
   }
 }

package/packages/dd-trace/src/appsec/api_security_sampler.js

@@ -70,8 +70,25 @@ function isSampled (key) {
   return sampledRequests.has(key)
 }
 
+function getRouteOrEndpoint (context, statusCode) {
+  // First try to get the route from the context paths
+  const route = context?.paths?.join('') || ''
+  if (route) {
+    return route
+  }
+
+  // If route is not available, fallback to http.endpoint
+  if (statusCode !== 404) {
+    const endpoint = context?.span?.context()?._tags?.['http.endpoint']
+    if (endpoint) {
+      return endpoint
+    }
+  }
+
+  return ''
+}
+
 function computeKey (req, res) {
-  const route = web.getContext(req)?.paths?.join('') || ''
   const method = req.method
   const status = res.statusCode
 
@@ -79,6 +96,10 @@ function computeKey (req, res) {
     log.warn('[ASM] Unsupported groupkey for API security')
     return null
   }
+
+  const context = web.getContext(req)
+  const route = getRouteOrEndpoint(context, status)
+
   return method + route + status
 }
 

package/packages/dd-trace/src/appsec/index.js

@@ -68,7 +68,7 @@ function enable (_config) {
 
     appsecRemoteConfig.enableWafUpdate(_config.appsec)
 
-    Reporter.init(_config.appsec)
+    Reporter.init(_config.appsec, _config.inferredProxyServicesEnabled)
 
     apiSecuritySampler.configure(_config)
 
@@ -174,6 +174,13 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
     [HTTP_CLIENT_IP]: clientIp,
   })
 
+  if (config.inferredProxyServicesEnabled) {
+    const context = web.getContext(req)
+    if (context?.inferredProxySpan) {
+      context.inferredProxySpan.setTag('_dd.appsec.enabled', 1)
+    }
+  }
+
   const requestHeaders = { ...req.headers }
   delete requestHeaders.cookie
 
@@ -226,6 +233,9 @@ function incomingHttpEndTranslator ({ req, res }) {
     persistent[addresses.HTTP_INCOMING_QUERY] = query
   }
 
+  // This hook runs before span finish, so ensure route/endpoint tags are available before API Security sampling runs.
+  web.setRouteOrEndpointTag(req)
+
   if (apiSecuritySampler.sampleRequest(req, res, true)) {
     persistent[addresses.WAF_CONTEXT_PROCESSOR] = { 'extract-schema': true }
   }

package/packages/dd-trace/src/appsec/reporter.js

@@ -34,6 +34,7 @@ const config = {
   maxHeadersCollected: 0,
   headersRedaction: false,
   raspBodyCollection: false,
+  inferredProxyServicesEnabled: false,
 }
 
 const metricsQueue = new Map()
@@ -103,11 +104,12 @@ const NON_EXTENDED_REQUEST_HEADERS = new Set([...requestHeadersList, ...eventHea
 const NON_EXTENDED_RESPONSE_HEADERS = new Set(responseHeaderList)
 const REDACTED_HEADERS = new Set(redactedHeadersList)
 
-function init (_config) {
+function init (_config, inferredProxyServicesEnabled) {
   config.headersExtendedCollectionEnabled = _config.extendedHeadersCollection.enabled
   config.maxHeadersCollected = _config.extendedHeadersCollection.maxHeaders
   config.headersRedaction = _config.extendedHeadersCollection.redaction
   config.raspBodyCollection = _config.rasp.bodyCollection
+  config.inferredProxyServicesEnabled = inferredProxyServicesEnabled
 }
 
 function formatHeaderName (name) {
@@ -298,9 +300,11 @@ function reportWafConfigUpdate (product, rcConfigId, diagnostics, wafVersion) {
   }
 }
 
-function reportMetrics (metrics, raspRule) {
-  const store = storage('legacy').getStore()
-  const rootSpan = store?.req && web.root(store.req)
+function reportMetrics (metrics, raspRule, req) {
+  if (!req) {
+    req = storage('legacy').getStore()?.req
+  }
+  const rootSpan = req && web.root(req)
 
   if (!rootSpan) return
 
@@ -309,9 +313,9 @@ function reportMetrics (metrics, raspRule) {
   }
 
   if (raspRule) {
-    updateRaspRequestsMetricTags(metrics, store.req, raspRule)
+    updateRaspRequestsMetricTags(metrics, req, raspRule)
   } else {
-    updateWafRequestsMetricTags(metrics, store.req)
+    updateWafRequestsMetricTags(metrics, req)
   }
 
   reportTruncationMetrics(rootSpan, metrics)
@@ -331,9 +335,11 @@ function reportTruncationMetrics (rootSpan, metrics) {
   }
 }
 
-function reportAttack ({ events: attackData, actions }) {
-  const store = storage('legacy').getStore()
-  const req = store?.req
+function reportAttack ({ events: attackData, actions }, req) {
+  if (!req) {
+    req = storage('legacy').getStore()?.req
+  }
+
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
@@ -362,6 +368,14 @@ function reportAttack ({ events: attackData, actions }) {
 
   rootSpan.addTags(newTags)
 
+  // Add _dd.appsec.json tag to inferred proxy span
+  if (config.inferredProxyServicesEnabled) {
+    const context = web.getContext(req)
+    if (context?.inferredProxySpan) {
+      context.inferredProxySpan.setTag('_dd.appsec.json', newTags['_dd.appsec.json'])
+    }
+  }
+
   // TODO this should be deleted in a major
   if (config.raspBodyCollection && isRaspAttack(attackData)) {
     reportRequestBody(rootSpan, req.body, true)
@@ -463,10 +477,13 @@ function isSchemaAttribute (attribute) {
   return attribute.startsWith('_dd.appsec.s.')
 }
 
-function reportAttributes (attributes) {
+function reportAttributes (attributes, req) {
   if (!attributes) return
 
-  const req = storage('legacy').getStore()?.req
+  if (!req) {
+    req = storage('legacy').getStore()?.req
+  }
+
   const rootSpan = web.root(req)
 
   if (!rootSpan) return

package/packages/dd-trace/src/appsec/waf/index.js

@@ -122,7 +122,7 @@ function run (data, req, raspRule) {
   }
 
   const wafContext = waf.wafManager.getWAFContext(req)
-  const result = wafContext.run(data, raspRule)
+  const result = wafContext.run(data, raspRule, req)
 
   if (result?.keep) {
     if (limiter.isAllowed()) {

package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js

@@ -22,7 +22,7 @@ class WAFContextWrapper {
     this.cachedUserIdResults = new Map()
   }
 
-  run ({ persistent, ephemeral }, raspRule) {
+  run ({ persistent, ephemeral }, raspRule, req) {
     if (this.ddwafContext.disposed) {
       log.warn('[ASM] Calling run on a disposed context')
       if (raspRule) {
@@ -141,10 +141,10 @@ class WAFContextWrapper {
       metrics.wafTimeout = result.timeout
 
       if (ruleTriggered) {
-        Reporter.reportAttack(result)
+        Reporter.reportAttack(result, req)
       }
 
-      Reporter.reportAttributes(result.attributes)
+      Reporter.reportAttributes(result.attributes, req)
 
       return result
     } catch (err) {
@@ -156,7 +156,7 @@ class WAFContextWrapper {
         wafRunFinished.publish({ payload })
       }
 
-      Reporter.reportMetrics(metrics, raspRule)
+      Reporter.reportMetrics(metrics, raspRule, req)
     }
   }
 

package/packages/dd-trace/src/config/defaults.js

@@ -106,6 +106,7 @@ const defaultsWithoutSupportedConfigurationEntry = {
   isGCPFunction: false,
   instrumentationSource: 'manual',
   isServiceUserProvided: false,
+  isServiceNameInferred: true,
   lookup: undefined,
   plugins: true,
 }

package/packages/dd-trace/src/config/index.js

@@ -722,8 +722,10 @@ class Config {
     // Priority:
     // DD_SERVICE > tags.service > OTEL_SERVICE_NAME > NX_TASK_TARGET_PROJECT (if DD_ENABLE_NX_SERVICE_NAME) > default
     let serviceName = DD_SERVICE || tags.service || OTEL_SERVICE_NAME
+    let isServiceNameInferred
     if (!serviceName && NX_TASK_TARGET_PROJECT) {
       if (isTrue(DD_ENABLE_NX_SERVICE_NAME)) {
+        isServiceNameInferred = true
         serviceName = NX_TASK_TARGET_PROJECT
       } else if (DD_MAJOR < 6) {
         // Warn about v6 behavior change for Nx projects
@@ -734,6 +736,7 @@ class Config {
       }
     }
     setString(target, 'service', serviceName)
+    if (serviceName) setBoolean(target, 'isServiceNameInferred', isServiceNameInferred ?? false)
     if (DD_SERVICE_MAPPING) {
       target.serviceMapping = Object.fromEntries(
         DD_SERVICE_MAPPING.split(',').map(x => x.trim().split(':'))
@@ -1004,7 +1007,11 @@ class Config {
     setUnit(opts, 'sampleRate', options.sampleRate ?? options.ingestion.sampleRate)
     opts['sampler.rateLimit'] = maybeInt(options.rateLimit ?? options.ingestion.rateLimit)
     setSamplingRule(opts, 'sampler.rules', options.samplingRules)
-    setString(opts, 'service', options.service || tags.service)
+    const optService = options.service || tags.service
+    setString(opts, 'service', optService)
+    if (optService) {
+      setBoolean(opts, 'isServiceNameInferred', false)
+    }
     opts.serviceMapping = options.serviceMapping
     setString(opts, 'site', options.site)
     if (options.spanAttributeSchema) {
@@ -1661,6 +1668,7 @@ function getAgentUrl (url, options) {
     !options.port &&
     !getEnv('DD_AGENT_HOST') &&
     !getEnv('DD_TRACE_AGENT_PORT') &&
+    !isTrue(getEnv('DD_CIVISIBILITY_AGENTLESS_ENABLED')) &&
     fs.existsSync('/var/run/datadog/apm.socket')
   ) {
     return new URL('unix:///var/run/datadog/apm.socket')

package/packages/dd-trace/src/config/supported-configurations.json

@@ -2182,6 +2182,13 @@
         "default": "true"
       }
     ],
+    "DD_TRACE_AZURE_DURABLE_FUNCTIONS_ENABLED": [
+      {
+        "implementation": "B",
+        "type": "boolean",
+        "default": "true"
+      }
+    ],
     "DD_TRACE_AZURE_EVENTHUBS_BATCH_LINKS_ENABLED": [
       {
         "implementation": "A",
@@ -2988,6 +2995,13 @@
         "default": "true"
       }
     ],
+    "DD_TRACE_LANGGRAPH_ENABLED": [
+      {
+        "implementation": "C",
+        "type": "boolean",
+        "default": "true"
+      }
+    ],
     "DD_TRACE_LDAPJS_ENABLED": [
       {
         "implementation": "A",

package/packages/dd-trace/src/constants.js

@@ -17,11 +17,13 @@ module.exports = {
   SAMPLING_MECHANISM_SPAN: 8,
   SAMPLING_MECHANISM_REMOTE_USER: 11,
   SAMPLING_MECHANISM_REMOTE_DYNAMIC: 12,
+  SAMPLING_MECHANISM_AI_GUARD: 13,
   SPAN_SAMPLING_MECHANISM: '_dd.span_sampling.mechanism',
   SPAN_SAMPLING_RULE_RATE: '_dd.span_sampling.rule_rate',
   SPAN_SAMPLING_MAX_PER_SECOND: '_dd.span_sampling.max_per_second',
   DATADOG_LAMBDA_EXTENSION_PATH: '/opt/extensions/datadog-agent',
   DECISION_MAKER_KEY: '_dd.p.dm',
+  SAMPLING_KNUTH_RATE: '_dd.p.ksr',
   PROCESS_ID: 'process_id',
   ERROR_TYPE: 'error.type',
   ERROR_MESSAGE: 'error.message',

package/packages/dd-trace/src/crashtracking/crashtracker.js

@@ -74,7 +74,7 @@ class Crashtracker {
         timeout_ms: 3000,
       },
       timeout: { secs: 5, nanos: 0 },
-      demangle_names: false,
+      demangle_names: true,
       signals: [],
       resolve_frames: resolveMode,
     }

package/packages/dd-trace/src/debugger/devtools_client/config.js

@@ -2,8 +2,11 @@
 
 const { workerData: { config: parentConfig, parentThreadId, configPort } } = require('node:worker_threads')
 const { getAgentUrl } = require('../../agent/url')
+const processTags = require('../../process-tags')
 const log = require('./log')
 
+processTags.initialize()
+
 const config = module.exports = {
   ...parentConfig,
   parentThreadId,

package/packages/dd-trace/src/dogstatsd.js

@@ -26,6 +26,7 @@ class DogStatsDClient {
   constructor (options = {}) {
     if (options.metricsProxyUrl) {
       this._httpOptions = {
+        method: 'POST',
         url: options.metricsProxyUrl.toString(),
         path: '/dogstatsd/v2/proxy',
       }

package/packages/dd-trace/src/encode/agentless-ci-visibility.js

@@ -265,14 +265,7 @@ class AgentlessCiVisibilityEncoder extends AgentEncoder {
     }
     const startTime = Date.now()
 
-    const rawEvents = trace.map(formatSpan)
-
-    const testSessionEvents = rawEvents.filter(
-      event => event.type === 'test_session_end' || event.type === 'test_suite_end' || event.type === 'test_module_end'
-    )
-
-    const isTestSessionTrace = !!testSessionEvents.length
-    const events = isTestSessionTrace ? testSessionEvents : rawEvents
+    const events = trace.map(formatSpan)
 
     this._eventCount += events.length