Merge branch 'master' into mhlidd/httpserverdecorator_cleanup

Author: mhlidd

.gitlab-ci.yml

@@ -25,7 +25,7 @@ variables:
   BUILD_JOB_NAME: "build"
   DEPENDENCY_CACHE_POLICY: pull
   BUILD_CACHE_POLICY: pull
-  GRADLE_VERSION: "8.5" # must match gradle-wrapper.properties
+  GRADLE_VERSION: "8.14.3" # must match gradle-wrapper.properties
   MAVEN_REPOSITORY_PROXY: "http://artifactual.artifactual.all-clusters.local-dc.fabric.dog:8081/repository/maven-central/"
   GRADLE_PLUGIN_PROXY: "http://artifactual.artifactual.all-clusters.local-dc.fabric.dog:8081/repository/gradle-plugin-portal-proxy/"
   BUILDER_IMAGE_VERSION_PREFIX: "v25.06-" # use either an empty string (e.g. "") for latest images or a version followed by a hyphen (e.g. "v25.05-")

.gitlab/upload_ciapp.sh

@@ -35,5 +35,20 @@ junit_upload() {
         ./results
 }
 
+# Upload code coverage results to Datadog
+coverage_upload() {
+    DD_API_KEY=$1 \
+    [email protected]:DataDog/dd-trace-java.git \
+        datadog-ci coverage upload --ignored-paths=./test-published-dependencies .
+}
+
 # Upload test results to production environment like all other CI jobs
 junit_upload "$DATADOG_API_KEY_PROD"
+junit_upload_status=$?
+
+coverage_upload "$DATADOG_API_KEY_PROD"
+coverage_upload_status=$?
+
+if [[ $junit_upload_status -ne 0 || $coverage_upload_status -ne 0 ]]; then
+  exit 1
+fi

buildSrc/build.gradle.kts

@@ -46,7 +46,7 @@ dependencies {
   implementation("org.ow2.asm", "asm", "9.8")
   implementation("org.ow2.asm", "asm-tree", "9.8")
 
-  testImplementation("org.spockframework", "spock-core", "2.2-groovy-3.0")
+  testImplementation("org.spockframework", "spock-core", "2.3-groovy-3.0")
   testImplementation("org.codehaus.groovy", "groovy-all", "3.0.17")
 }
 

buildSrc/call-site-instrumentation-plugin/build.gradle.kts

@@ -37,7 +37,7 @@ dependencies {
   implementation("com.github.javaparser", "javaparser-symbol-solver-core", "3.24.4")
 
   testImplementation("net.bytebuddy", "byte-buddy", "1.17.5")
-  testImplementation("org.spockframework", "spock-core", "2.0-groovy-3.0")
+  testImplementation("org.spockframework", "spock-core", "2.3-groovy-3.0")
   testImplementation("org.objenesis", "objenesis", "3.0.1")
   testImplementation("org.codehaus.groovy", "groovy-all", "3.0.17")
   testImplementation("javax.servlet", "javax.servlet-api", "3.0.1")
@@ -68,7 +68,7 @@ val copyCallSiteSources = tasks.register<Copy>("copyCallSiteSources") {
 }
 
 tasks {
-  withType<AbstractCompile>() {
+  withType<AbstractCompile> {
     dependsOn(copyCallSiteSources)
   }
 }

communication/src/main/java/datadog/communication/ddagent/SharedCommunicationObjects.java

@@ -30,7 +30,7 @@ public class SharedCommunicationObjects {
   public OkHttpClient okHttpClient;
   public HttpUrl agentUrl;
   public Monitoring monitoring;
-  private DDAgentFeaturesDiscovery featuresDiscovery;
+  private volatile DDAgentFeaturesDiscovery featuresDiscovery;
   private ConfigurationPoller configurationPoller;
 
   public SharedCommunicationObjects() {
@@ -139,28 +139,34 @@ public void setFeaturesDiscovery(DDAgentFeaturesDiscovery featuresDiscovery) {
   }
 
   public DDAgentFeaturesDiscovery featuresDiscovery(Config config) {
-    if (featuresDiscovery == null) {
-      createRemaining(config);
-      featuresDiscovery =
-          new DDAgentFeaturesDiscovery(
-              okHttpClient,
-              monitoring,
-              agentUrl,
-              config.isTraceAgentV05Enabled(),
-              config.isTracerMetricsEnabled());
-
-      if (paused) {
-        // defer remote discovery until remote I/O is allowed
-      } else {
-        if (AGENT_THREAD_GROUP.equals(Thread.currentThread().getThreadGroup())) {
-          featuresDiscovery.discover(); // safe to run on same thread
-        } else {
-          // avoid performing blocking I/O operation on application thread
-          AgentTaskScheduler.INSTANCE.execute(featuresDiscovery::discover);
+    DDAgentFeaturesDiscovery ret = featuresDiscovery;
+    if (ret == null) {
+      synchronized (this) {
+        if (featuresDiscovery == null) {
+          createRemaining(config);
+          ret =
+              new DDAgentFeaturesDiscovery(
+                  okHttpClient,
+                  monitoring,
+                  agentUrl,
+                  config.isTraceAgentV05Enabled(),
+                  config.isTracerMetricsEnabled());
+
+          if (paused) {
+            // defer remote discovery until remote I/O is allowed
+          } else {
+            if (AGENT_THREAD_GROUP.equals(Thread.currentThread().getThreadGroup())) {
+              ret.discover(); // safe to run on same thread
+            } else {
+              // avoid performing blocking I/O operation on application thread
+              AgentTaskScheduler.INSTANCE.execute(ret::discover);
+            }
+          }
+          featuresDiscovery = ret;
         }
       }
     }
-    return featuresDiscovery;
+    return ret;
   }
 
   private static final class FixedConfigUrlSupplier implements Supplier<String> {

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/HttpRouteHandler.java

@@ -0,0 +1,16 @@
+package com.datadog.iast;
+
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import java.util.function.BiConsumer;
+
+public class HttpRouteHandler implements BiConsumer<RequestContext, String> {
+
+  @Override
+  public void accept(final RequestContext ctx, final String route) {
+    final IastRequestContext iastCtx = ctx.getData(RequestContextSlot.IAST);
+    if (iastCtx != null) {
+      iastCtx.setRoute(route);
+    }
+  }
+}

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/IastRequestContext.java

@@ -36,6 +36,7 @@ public class IastRequestContext implements IastContext, HasMetricCollector {
   @Nullable private volatile String xForwardedProto;
   @Nullable private volatile String contentType;
   @Nullable private volatile String authorization;
+  @Nullable private volatile String route;
 
   /**
    * Use {@link IastRequestContext#IastRequestContext(TaintedObjects)} instead as we require more
@@ -121,6 +122,15 @@ public void setAuthorization(final String authorization) {
     this.authorization = authorization;
   }
 
+  @Nullable
+  public String getRoute() {
+    return route;
+  }
+
+  public void setRoute(final String route) {
+    this.route = route;
+  }
+
   public OverheadContext getOverheadContext() {
     return overheadContext;
   }

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/IastSystem.java

@@ -122,6 +122,7 @@ public static void start(
     registerRequestStartedCallback(ss, addTelemetry, dependencies);
     registerRequestEndedCallback(ss, addTelemetry, dependencies);
     registerHeadersCallback(ss);
+    registerHttpRouteCallback(ss);
     registerGrpcServerRequestMessageCallback(ss);
     maybeApplySecurityControls(instrumentation);
     LOGGER.debug("IAST started");
@@ -246,6 +247,10 @@ private static void registerHeadersCallback(final SubscriptionService ss) {
     ss.registerCallback(event, handler);
   }
 
+  private static void registerHttpRouteCallback(final SubscriptionService ss) {
+    ss.registerCallback(Events.get().httpRoute(), new HttpRouteHandler());
+  }
+
   private static void registerGrpcServerRequestMessageCallback(final SubscriptionService ss) {
     ss.registerCallback(Events.get().grpcServerRequestMessage(), new GrpcRequestMessageHandler());
   }

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/overhead/OverheadController.java

@@ -233,7 +233,7 @@ public boolean consumeQuota(
           Object methodTag = rootSpan.getTag(Tags.HTTP_METHOD);
           method = (methodTag == null) ? "" : methodTag.toString();
           Object routeTag = rootSpan.getTag(Tags.HTTP_ROUTE);
-          path = (routeTag == null) ? "" : routeTag.toString();
+          path = (routeTag == null) ? getHttpRouteFromRequestContext(span) : routeTag.toString();
         }
         if (!maybeSkipVulnerability(ctx, type, method, path)) {
           return operation.consumeQuota(ctx);
@@ -316,6 +316,19 @@ public OverheadContext getContext(@Nullable final AgentSpan span) {
       return globalContext;
     }
 
+    @Nullable
+    public String getHttpRouteFromRequestContext(@Nullable final AgentSpan span) {
+      String httpRoute = null;
+      final RequestContext requestContext = span != null ? span.getRequestContext() : null;
+      if (requestContext != null) {
+        IastRequestContext iastRequestContext = requestContext.getData(RequestContextSlot.IAST);
+        if (iastRequestContext != null) {
+          httpRoute = iastRequestContext.getRoute();
+        }
+      }
+      return httpRoute == null ? "" : httpRoute;
+    }
+
     static int computeSamplingParameter(final float pct) {
       if (pct >= 100) {
         return 100;

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/HttpRouteHandlerTest.groovy

@@ -0,0 +1,39 @@
+package com.datadog.iast
+
+import datadog.trace.api.gateway.RequestContext
+import datadog.trace.api.gateway.RequestContextSlot
+import datadog.trace.test.util.DDSpecification
+import groovy.transform.CompileDynamic
+
+@CompileDynamic
+class HttpRouteHandlerTest extends DDSpecification {
+  void 'route is set'() {
+    given:
+    final handler = new HttpRouteHandler()
+    final iastCtx = Mock(IastRequestContext)
+    final ctx = Mock(RequestContext)
+    ctx.getData(RequestContextSlot.IAST) >> iastCtx
+
+    when:
+    handler.accept(ctx, '/foo')
+
+    then:
+    1 * ctx.getData(RequestContextSlot.IAST) >> iastCtx
+    1 * iastCtx.setRoute('/foo')
+    0 * _
+  }
+
+  void 'does nothing when context missing'() {
+    given:
+    final handler = new HttpRouteHandler()
+    final ctx = Mock(RequestContext)
+    ctx.getData(RequestContextSlot.IAST) >> null
+
+    when:
+    handler.accept(ctx, '/foo')
+
+    then:
+    1 * ctx.getData(RequestContextSlot.IAST) >> null
+    0 * _
+  }
+}