From 1935b76b3e76530d7bcad851ca16d191636c045d Mon Sep 17 00:00:00 2001
From: Ugaitz Urien
Date: Wed, 14 Jun 2023 11:39:46 +0200
Subject: [PATCH] Add _dd.iast.enabled=1 metric out of request vulnerabilities tags (#3231)

* Add _dd.iast.enabled=1 in out of request vulnerabilities tags

* Rename constants.js to tags.js
---
 packages/dd-trace/src/appsec/iast/index.js | 2 +-
 packages/dd-trace/src/appsec/iast/tags.js | 6 ++++++
 .../dd-trace/src/appsec/iast/vulnerability-reporter.js | 8 +++++++-
 packages/dd-trace/test/appsec/iast/utils.js | 2 ++
 .../test/appsec/iast/vulnerability-reporter.spec.js | 5 ++++-
 5 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 packages/dd-trace/src/appsec/iast/tags.js

diff --git a/packages/dd-trace/src/appsec/iast/index.js b/packages/dd-trace/src/appsec/iast/index.js
index 2b1c2725195..03d03097973 100644
--- a/packages/dd-trace/src/appsec/iast/index.js
+++ b/packages/dd-trace/src/appsec/iast/index.js
@@ -6,9 +6,9 @@ const overheadController = require('./overhead-controller')
 const dc = require('../../../../diagnostics_channel')
 const iastContextFunctions = require('./iast-context')
 const { enableTaintTracking, disableTaintTracking, createTransaction, removeTransaction } = require('./taint-tracking')
+const { IAST_ENABLED_TAG_KEY } = require('./tags')
 const telemetryLogs = require('./telemetry/logs')
 
-const IAST_ENABLED_TAG_KEY = '_dd.iast.enabled'
 
 // TODO Change to `apm:http:server:request:[start|close]` when the subscription
 // order of the callbacks can be enforce
diff --git a/packages/dd-trace/src/appsec/iast/tags.js b/packages/dd-trace/src/appsec/iast/tags.js
new file mode 100644
index 00000000000..d61d5727dc1
--- /dev/null
+++ b/packages/dd-trace/src/appsec/iast/tags.js
@@ -0,0 +1,6 @@
+'use strict'
+
+module.exports = {
+ IAST_ENABLED_TAG_KEY: '_dd.iast.enabled',
+ IAST_JSON_TAG_KEY: '_dd.iast.json'
+}
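Review bot: The two keys exported by tags.js are carried on different span maps — the test utils in this patch read `_dd.iast.enabled` from `metrics` (numeric 1) and `_dd.iast.json` from `meta` (a JSON string) — yet the module documents neither, so the next caller can easily set the wrong type and the tag silently disappears from one map. I would add a one-line comment above each key: `// numeric metric, set to 1 on spans that carry IAST data` and `// meta string holding the serialized vulnerabilities for the span`. As a style point, wrapping the export in `Object.freeze({ ... })` keeps these shared keys from being mutated by a consumer.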
diff --git a/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js b/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js
index 0cdce39fcbe..67a0f0855ed 100644
--- a/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js
+++ b/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js
@@ -1,8 +1,11 @@
+'use strict'
+
 const { MANUAL_KEEP } = require('../../../../../ext/tags')
 const LRU = require('lru-cache')
 const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
+const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
+
 const VULNERABILITIES_KEY = 'vulnerabilities'
-const IAST_JSON_TAG_KEY = '_dd.iast.json'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
 const VULNERABILITY_HASHES = new LRU({ max: VULNERABILITY_HASHES_MAX_SIZE })
 const RESET_VULNERABILITY_CACHE_INTERVAL = 60 * 60 * 1000 // 1 hour
@@ -39,6 +42,9 @@ function sendVulnerabilities (vulnerabilities, rootSpan) {
 vulnerabilities.forEach((vulnerability) => {
 vulnerability.location.spanId = span.context().toSpanId()
 })
+ span.addTags({
+ [IAST_ENABLED_TAG_KEY]: 1
+ })
 }
 
 if (span && span.addTags) {
diff --git a/packages/dd-trace/test/appsec/iast/utils.js b/packages/dd-trace/test/appsec/iast/utils.js
index c3f5b652e3a..3e2ce6f8737 100644
--- a/packages/dd-trace/test/appsec/iast/utils.js
+++ b/packages/dd-trace/test/appsec/iast/utils.js
@@ -85,6 +85,7 @@ function testOutsideRequestHasVulnerability (fnToTest, vulnerability) {
 agent
 .use(traces => {
 expect(traces[0][0].meta['_dd.iast.json']).to.include(`"${vulnerability}"`)
+ expect(traces[0][0].metrics['_dd.iast.enabled']).to.be.equal(1)
 })
 .then(done)
 .catch(done)
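Review bot: The new `span.addTags({ [IAST_ENABLED_TAG_KEY]: 1 })` in the second hunk of vulnerability-reporter.js is unguarded, while the existing call a few lines below is wrapped in `if (span && span.addTags)`; in this branch the span appears to be created by the tracer itself (the spec stubs `fakeTracer.startSpan`), so the guard below is presumably redundant rather than the new call unsafe, but the two styles side by side invite a reader to ask which one is right. Nothing explains why only this branch sets the tag; index.js now imports the same key, which suggests request spans get it there, so I would add above the call `// Spans started here have no request, so mark them IAST-enabled ourselves; request spans are tagged in index.js`. Folding the key into the guarded `addTags` call via a single tags object would also avoid the two-call sequence the spec now has to pin with firstCall/secondCall. sendVulnerabilities starts before and continues past this hunk.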
@@ -152,6 +153,7 @@ function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb,
 }
 agent
 .use(traces => {
+ expect(traces[0][0].metrics['_dd.iast.enabled']).to.be.equal(1)
 expect(traces[0][0].meta).to.have.property('_dd.iast.json')
 const vulnerabilitiesTrace = JSON.parse(traces[0][0].meta['_dd.iast.json'])
 expect(vulnerabilitiesTrace).to.not.be.null
diff --git a/packages/dd-trace/test/appsec/iast/vulnerability-reporter.spec.js b/packages/dd-trace/test/appsec/iast/vulnerability-reporter.spec.js
index 587801a8ec6..cdd1e37af31 100644
--- a/packages/dd-trace/test/appsec/iast/vulnerability-reporter.spec.js
+++ b/packages/dd-trace/test/appsec/iast/vulnerability-reporter.spec.js
@@ -108,7 +108,10 @@ describe('vulnerability-reporter', () => {
 { path: 'filename.js', line: 73 })
 addVulnerability(undefined, vulnerability)
 expect(fakeTracer.startSpan).to.have.been.calledOnceWithExactly('vulnerability', { type: 'vulnerability' })
- expect(onTheFlySpan.addTags).to.have.been.calledOnceWithExactly({
+ expect(onTheFlySpan.addTags.firstCall).to.have.been.calledWithExactly({
+ '_dd.iast.enabled': 1
+ })
+ expect(onTheFlySpan.addTags.secondCall).to.have.been.calledWithExactly({
 'manual.keep': 'true',
 '_dd.iast.json': '{"sources":[],"vulnerabilities":[{"type":"INSECURE_HASHING","hash":3410512655,' +
 '"evidence":{"value":"sha1"},"location":{"spanId":42,"path":"filename.js","line":73}}]}'
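Review bot: The rewritten assertions in vulnerability-reporter.spec.js no longer check how many times `addTags` was called: the removed `calledOnceWithExactly` pinned the count, whereas `firstCall`/`secondCall` still pass if a third call with unexpected tags is added later. I would add `expect(onTheFlySpan.addTags).to.have.been.calledTwice` before the two per-call checks. The `firstCall`/`secondCall` form also couples the test to the order of two independent `addTags` calls; asserting `calledWithExactly` on the spy itself for each tag object, together with the `calledTwice` check, would be equally strict and less brittle. The enclosing `describe` and `it` blocks start and end outside this hunk.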