Add _dd.iast.enabled=1 metric out of request vulnerabilities tags (#3231

) * Add _dd.iast.enabled=1 in out of request vulnerabilities tags * Rename constants.js to tags.js
DataDog · Jun 23, 2023 · 1935b76 · 1935b76
1 parent 9f6551f
commit 1935b76
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 3 deletions.
diff --git a/packages/dd-trace/src/appsec/iast/index.js b/packages/dd-trace/src/appsec/iast/index.js
@@ -6,9 +6,9 @@ const overheadController = require('./overhead-controller')
 const dc = require('../../../../diagnostics_channel')
 const iastContextFunctions = require('./iast-context')
 const { enableTaintTracking, disableTaintTracking, createTransaction, removeTransaction } = require('./taint-tracking')
+const { IAST_ENABLED_TAG_KEY } = require('./tags')
 
 const telemetryLogs = require('./telemetry/logs')
-const IAST_ENABLED_TAG_KEY = '_dd.iast.enabled'
 
 // TODO Change to `apm:http:server:request:[start|close]` when the subscription
 //  order of the callbacks can be enforce

diff --git a/packages/dd-trace/src/appsec/iast/tags.js b/packages/dd-trace/src/appsec/iast/tags.js
@@ -0,0 +1,6 @@
+'use strict'
+
+module.exports = {
+  IAST_ENABLED_TAG_KEY: '_dd.iast.enabled',
+  IAST_JSON_TAG_KEY: '_dd.iast.json'
+}
diff --git a/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js b/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js
@@ -1,8 +1,11 @@
+'use strict'
+
 const { MANUAL_KEEP } = require('../../../../../ext/tags')
 const LRU = require('lru-cache')
 const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
+const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
+
 const VULNERABILITIES_KEY = 'vulnerabilities'
-const IAST_JSON_TAG_KEY = '_dd.iast.json'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
 const VULNERABILITY_HASHES = new LRU({ max: VULNERABILITY_HASHES_MAX_SIZE })
 const RESET_VULNERABILITY_CACHE_INTERVAL = 60 * 60 * 1000 // 1 hour
@@ -39,6 +42,9 @@ function sendVulnerabilities (vulnerabilities, rootSpan) {
       vulnerabilities.forEach((vulnerability) => {
         vulnerability.location.spanId = span.context().toSpanId()
       })
+      span.addTags({
+        [IAST_ENABLED_TAG_KEY]: 1
+      })
     }
 
     if (span && span.addTags) {

diff --git a/packages/dd-trace/test/appsec/iast/utils.js b/packages/dd-trace/test/appsec/iast/utils.js
@@ -85,6 +85,7 @@ function testOutsideRequestHasVulnerability (fnToTest, vulnerability) {
     agent
       .use(traces => {
         expect(traces[0][0].meta['_dd.iast.json']).to.include(`"${vulnerability}"`)
+        expect(traces[0][0].metrics['_dd.iast.enabled']).to.be.equal(1)
       })
       .then(done)
       .catch(done)
@@ -152,6 +153,7 @@ function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb,
   }
   agent
     .use(traces => {
+      expect(traces[0][0].metrics['_dd.iast.enabled']).to.be.equal(1)
       expect(traces[0][0].meta).to.have.property('_dd.iast.json')
       const vulnerabilitiesTrace = JSON.parse(traces[0][0].meta['_dd.iast.json'])
       expect(vulnerabilitiesTrace).to.not.be.null

diff --git a/packages/dd-trace/test/appsec/iast/vulnerability-reporter.spec.js b/packages/dd-trace/test/appsec/iast/vulnerability-reporter.spec.js
@@ -108,7 +108,10 @@ describe('vulnerability-reporter', () => {
             { path: 'filename.js', line: 73 })
         addVulnerability(undefined, vulnerability)
         expect(fakeTracer.startSpan).to.have.been.calledOnceWithExactly('vulnerability', { type: 'vulnerability' })
-        expect(onTheFlySpan.addTags).to.have.been.calledOnceWithExactly({
+        expect(onTheFlySpan.addTags.firstCall).to.have.been.calledWithExactly({
+          '_dd.iast.enabled': 1
+        })
+        expect(onTheFlySpan.addTags.secondCall).to.have.been.calledWithExactly({
           'manual.keep': 'true',
           '_dd.iast.json': '{"sources":[],"vulnerabilities":[{"type":"INSECURE_HASHING","hash":3410512655,' +
             '"evidence":{"value":"sha1"},"location":{"spanId":42,"path":"filename.js","line":73}}]}'