v5.26.0 proposal #4888
…" (#4867) - this reverts commit 1d2543c. - reverts a change that would automatically inject tracing headers into AWS requests - this appears to break S3 requests (and DynamoDB?) when using AWS SDK v2 - we don't have any reports of other services or of AWS SDK v3 breaking - for follow up work we need to make this a configurable environment variable instead of just an init setting - this is because folks using the lambda layer need to configure the tracer via env vars - alternatively we only block s3 and dynamo? however there could be other services that fail... - alternatively we only block aws sdk v2? however it seems that a bunch of the services are fine... - internal stuff: APMS-13694, APMS-13713 - more discussion in #4717
* Add exclusions for header injection vulnerability * Rewrite fn to get a partial value from accept-encoding header to reflect it in transfer/content-encoding * Fix linting problems
* Fix integration by preventing unsafe access to properties. --------- Co-authored-by: William Conti <william.conti@datadoghq.com> Co-authored-by: William Conti <58711692+wconti27@users.noreply.github.com>
* Add support for inferred spans to be created for proxies. Initially supports AWS API Gateway and creates a span when the required headers are attached on the received request. --------- Co-authored-by: wantsui <wan.tsui@datadoghq.com>
* add tracer version to top-level payload * fix dd-trace.version to be ddtrace.version tag
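The "exclusions for header injection" commit above describes a false-positive case in a taint-based header injection check: a response `Content-Encoding` or `Transfer-Encoding` that echoes a coding taken from the request's `Accept-Encoding` is ordinary content negotiation, not an injection. The block below is an added example, not dd-trace-js code and not part of that commit: a simplified model in which a response header is reported when its value is a full or partial copy of a request header value, with that one reflection excluded. The function names, the `MIN_TAINT_LENGTH` threshold and the sample request/response headers are assumptions made for the example.

```javascript
'use strict'

// Added example, not code from dd-trace-js. Models an IAST-style header
// injection check: a response header is reported when its value carries a
// value copied (fully or partially) from a request header, except for the
// Accept-Encoding -> Content-Encoding / Transfer-Encoding reflection.

// Response header -> request header whose reflection is expected and excluded.
const EXCLUDED_REFLECTIONS = {
  'content-encoding': 'accept-encoding',
  'transfer-encoding': 'accept-encoding'
}

// Ignore very short values ("1", "gz") that would match almost anything.
// Assumed threshold for this example.
const MIN_TAINT_LENGTH = 4

// Split "gzip, deflate;q=0.5, br" into its coding tokens, dropping q-values.
function codingTokens (value) {
  return String(value)
    .split(',')
    .map(part => part.split(';')[0].trim().toLowerCase())
    .filter(Boolean)
}

// True when every coding in the response header was offered by the request's
// Accept-Encoding, i.e. the server reflected a partial value the client sent
// rather than attacker-chosen content.
function isExcludedReflection (resName, resValue, reqHeaders) {
  const source = EXCLUDED_REFLECTIONS[resName.toLowerCase()]
  if (!source) return false
  const offered = codingTokens(reqHeaders[source] || '')
  const reflected = codingTokens(resValue)
  return reflected.length > 0 && reflected.every(t => offered.includes(t))
}

// Return the (lower-cased) request header whose value was copied into the
// response value: either the whole input appears inside the header value, or
// the header value is a slice of the input (a partial copy). Null if none.
function taintSource (resValue, reqHeaders) {
  if (resValue.length < MIN_TAINT_LENGTH) return null
  for (const [reqName, reqValue] of Object.entries(reqHeaders)) {
    const input = String(reqValue)
    if (input.length < MIN_TAINT_LENGTH) continue
    if (resValue.includes(input) || input.includes(resValue)) {
      return reqName.toLowerCase()
    }
  }
  return null
}

// Report every response header that is tainted and not an excluded reflection.
function findHeaderInjections (reqHeaders, resHeaders) {
  const findings = []
  for (const [resName, rawValue] of Object.entries(resHeaders)) {
    const resValue = String(rawValue)
    if (isExcludedReflection(resName, resValue, reqHeaders)) continue
    const source = taintSource(resValue, reqHeaders)
    if (source) findings.push({ header: resName.toLowerCase(), source })
  }
  return findings
}

// Constructed sample exchange: the server echoes the client's chosen encoding
// (excluded) and also copies User-Agent into a custom header (reported).
const sampleRequest = {
  'accept-encoding': 'gzip, deflate;q=0.5, br',
  'user-agent': 'curl/8.4.0'
}
const sampleResponse = {
  'content-encoding': 'gzip',
  'x-debug-agent': 'curl/8.4.0'
}

const sampleFindings = findHeaderInjections(sampleRequest, sampleResponse)
console.log(JSON.stringify(sampleFindings))
```

Without the exclusion, `taintSource('gzip', sampleRequest)` resolves to `accept-encoding` (the value is a slice of the request header), which is exactly the noise the commit removes; the exclusion is deliberately narrow, so a `Content-Encoding` naming a coding the client never offered is not excluded.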
      env:
        DD_INJECTION_ENABLED: 'true'
      steps:
        - uses: actions/checkout@v4
Overall package size

Self size: 8.03 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| @datadog/libdatadog | 0.2.2 | 29.27 MB | 29.27 MB |
| @datadog/native-appsec | 8.3.0 | 19.37 MB | 19.38 MB |
| @datadog/native-iast-taint-tracking | 3.2.0 | 13.9 MB | 13.91 MB |
| @datadog/pprof | 5.4.1 | 9.76 MB | 10.13 MB |
| protobufjs | 7.2.5 | 2.77 MB | 5.16 MB |
| @datadog/native-iast-rewriter | 2.5.0 | 2.51 MB | 2.65 MB |
| @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB |
| @datadog/native-metrics | 3.0.1 | 1.06 MB | 1.46 MB |
| @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB |
| import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB |
| msgpack-lite | 0.1.26 | 201.16 kB | 281.59 kB |
| opentracing | 0.14.7 | 194.81 kB | 194.81 kB |
| lru-cache | 7.18.3 | 133.92 kB | 133.92 kB |
| pprof-format | 2.1.0 | 111.69 kB | 111.69 kB |
| @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB |
| semver | 7.6.3 | 95.82 kB | 95.82 kB |
| lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB |
| ignore | 5.3.1 | 51.46 kB | 51.46 kB |
| int64-buffer | 0.1.10 | 49.18 kB | 49.18 kB |
| shell-quote | 1.8.1 | 44.96 kB | 44.96 kB |
| istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB |
| rfdc | 1.3.1 | 25.21 kB | 25.21 kB |
| @isaacs/ttlcache | 1.4.1 | 25.2 kB | 25.2 kB |
| tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB |
| limiter | 1.1.5 | 23.17 kB | 23.17 kB |
| dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB |
| retry | 0.13.1 | 18.85 kB | 18.85 kB |
| jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB |
| crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB |
| koalas | 1.0.2 | 6.47 kB | 6.47 kB |
| path-to-regexp | 0.1.10 | 6.38 kB | 6.38 kB |
| module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe
Could you include #4863? It fixes a customer issue.
force-pushed 2a6b953 to 228f4ae
        DD_INJECTION_ENABLED: 'true'
      steps:
        - uses: actions/checkout@v4
        - uses: actions/setup-node@v3
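Review bot: `actions/checkout@v4` and `actions/setup-node@v3` in this step list are referenced by mutable major-version tags, so whatever those tags resolve to on a given day executes with `DD_INJECTION_ENABLED: 'true'` in the job environment. Pin each action to a full commit SHA and keep the version as a trailing comment (e.g. `uses: actions/checkout@<full-sha> # v4`), and note that `setup-node@v3` is also a major behind the current `v4`.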
* Template injection vulnerability detection in handlebars
* template injection vulnerability detection in pug
* fix lint and naming issues
* create separate job for template injection
* add support to registerPartial function
* add tests for pug render function

force-pushed 228f4ae to 1fc0e28
…rvice is instrumented and fix typo (#4851)
* [DSM] Set checkpoints for DSM with SQS & Kinesis for consumers even when the producer did not have DSM enabled
* [DSM] Send checkpoints to DSM if it's enabled even if there is no streamName

force-pushed f0a2515 to 34a9335

* Update dd native-appsec waf bindings to v8.3.0
* Update WAF recommended rules to v1.13.3

* add support to api security sampling
* fix express plugin schema extraction
* use priority simpler to get span priority
* use lru cache package
* use route path instead of url
* use route.path or url to generate the key
* use ttlcache
* Fix standalone integration test
* Increase test timeout
* simplify force sample
* avoid checking is sampled twice
* use route.path or url to generate the key
* remove unnecessary tests of sample delay
* fix non experimental options test
* remove unused isSampled
* always sample request if delay is 0
---------
Co-authored-by: Igor Unanua <igor.unanua@datadoghq.com>
Co-authored-by: simon-id <simon.id@datadoghq.com>

…ith invalid traces (#4874)
* initial commit
* updating _links and when links are created
* logging
* add link to instrumentation
* updating integrations to include span links
* fixing syntax error
* fixing ci tests
* updating unit test
* fix ci
* fixing moleculer tests
* safe checking all contexts before getting links

* Add span pointer info on S3 `putObject`, `copyObject`, and `completeMultipartUpload` requests.
* Unit tests
* small improvement
* Create `addSpanPointer()` so we don't have to export a context with 0s for trace+span id; add debug logs
* Add integration test for completeMultipartUpload; update unit test
* Rename to `addSpanPointers()`
* Update comments and make getting eTag more reliable
* Validate parameters before calling `generateS3PointerHash`
* add unit tests
* Rename var to `SPAN_LINK_POINTER_KIND`; standardize the hashing function.
* Set the span link kind in the `addSpanPointer()` functions so that downstream callers don't have to worry about passing it.
* Move constants to constants.js; move `generatePointerHash` to util.js

* log.error accepting multiple arguments
* clean up
* warn, info, debug methods
* Update packages/dd-trace/src/log/writer.js
  Co-authored-by: Attila Szegedi <szegedi@users.noreply.github.com>
* attila suggestion
* include error type in the telemetry log
* remove optional chaining to work in node 12
* remove optional chaining and ?? to work in node 12
---------
Co-authored-by: Attila Szegedi <szegedi@users.noreply.github.com>

force-pushed 34a9335 to a73247a
Codecov Report

Attention: Patch coverage is

Additional details and impacted files

Coverage Diff (v5.x vs #4888):

    Coverage   ?   80.34%
    Files      ?   292
    Lines      ?   13606
    Branches   ?   0
    Hits       ?   10932
    Misses     ?   2674
    Partials   ?   0

☔ View full report in Codecov by Sentry.
…oot, not the project's root dir or working directory (#4903)
force-pushed a73247a to 331dd73
* [add2338291] - (SEMVER-PATCH) Increase timeout on RASP integration test for windows (Carles Capell) #4907
* [920d2a2768] - (SEMVER-PATCH) [test optimization] Report code coverage relative to the repository root, not the project's root dir or working directory (Juan Antonio Fernández de Alba) #4903
* [a41951c2c6] - (SEMVER-MINOR) log template messages and errors (Igor Unanua) #4856
* [9c081c81d2] - (SEMVER-PATCH) disable merge queue (Bryan English) #4905
* [6392a2e12b] - (SEMVER-MINOR) [serverless] Add S3 Span Pointers (Nicholas Hulston) #4875
* [2072a1f0e7] - (SEMVER-PATCH) improve output for release proposal script (Roch Devost) #4897
* [9de411aa0c] - (SEMVER-PATCH) automate release notes from github actions (Roch Devost) #4893
* [f0df061a4b] - (SEMVER-MINOR) Adding Span Link support for distributed tracing header extractions with invalid traces (mhlidd) #4874
* [61c5a3218e] - (SEMVER-PATCH) Upgrade cross-spawn to v7.0.5 - patched ReDoS (Carles Capell) #4899
* [bdbeb024b0] - (SEMVER-MINOR) add support to api security sampling (ishabi) #4755
* [1670ef921d] - (SEMVER-PATCH) Adding new ST scenarios for rasp (Ugaitz Urien) #4883
* [170a97cc95] - (SEMVER-MINOR) Update WAF rules and bindings (Carles Capell) #4891
* [51bea5452e] - (SEMVER-PATCH) [DSM] Set checkpoints for DSM even when there is no context if the service is instrumented and fix typo (Eric Firth) #4851
* [a8896ee676] - (SEMVER-PATCH) update release script to also create pr (Roch Devost) #4880
* [25ae8e737e] - (SEMVER-PATCH) Ignore elasticsearch 8.16.0 from esm tests (Ugaitz Urien) #4892
* [985cb1db96] - (SEMVER-MINOR) Template injection vulnerability detection in handlebars and pug (ishabi) #4827
* [59e9a2a75f] - (SEMVER-PATCH) [test optimization] Fix active span being null in cypress (Juan Antonio Fernández de Alba) #4863
* [9146f26c93] - (SEMVER-PATCH) Remove `x-forwarded` from ipHeaderList (simon-id) #4882
* [83e11a3e13] - (SEMVER-PATCH) add namespace support for async storage (Roch Devost) #4775
* [1ce47d2ba0] - (SEMVER-PATCH) chore(llmobs): tracer version tagging (Sam Brenner) #4885
* [7addced607] - (SEMVER-MINOR) add crashtracking with libdatadog native binding (Roch Devost) #4692
* [36903cc982] - (SEMVER-PATCH) skip warning if propagator is baggage (Ida Liu) #4866
* [9794630aa0] - (SEMVER-PATCH) add more node version test to unsupported guardrails matrix (Roch Devost) #4879
* [1e1a2a1014] - (SEMVER-PATCH) add guardrail to completely bail out in very old versions (Roch Devost) #4878
* [29ff735a64] - (SEMVER-MINOR) feat(tracing): AWS API Gateway Inferred Span Support (William Conti) #4837
* [b81d9d84bf] - (SEMVER-MINOR) Prevent errors in Express 5.x applications (wantsui) #4872
* [0a44e6e4dc] - (SEMVER-PATCH) Have one version tag in metrics (Attila Szegedi) #4857
* [0a411ee6e1] - (SEMVER-PATCH) add release proposal script for use locally (Roch Devost) #4853
* [70e99bd56b] - (SEMVER-MINOR) Add exclusions for header injection vulnerability (Carles Capell) #4841
* [367bd2d65c] - (SEMVER-PATCH) Discard non-web traces when searching for a vulnerability not being present (Carles Capell) #4871
* [1ee8000111] - (SEMVER-PATCH) Revert "always enable tracing header injection for AWS requests (always enable tracing header injection for AWS requests #4717)" (Thomas Hunter II) #4867