chore(everything): merge main into v2 :salute_1:

.github/workflows/appsec.yml

@@ -42,6 +42,9 @@ concurrency:
  # Automatically cancel previous runs if a new one is triggered to conserve resources.
  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
 
+permissions:
+ contents: read
+
 jobs:
  # Prepare the cache of Go modules to share it will the other jobs.
  # This maximizes cache hits and minimizes the time spent downloading Go modules.

.github/workflows/datadog-static-analysis.yml

@@ -2,6 +2,10 @@ on: [push]
 
 name: Datadog Static Analysis
 
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
  static-analysis:
  runs-on: ubuntu-latest

.github/workflows/ecosystems-label-issue copy.yml → .github/workflows/ecosystems-label-issue.yml

@@ -5,6 +5,9 @@ on:
  - reopened
  - opened
  - edited
+permissions:
+ contents: read
+ issues: write
 jobs:
  label_issues:
  if: contains(github.event.issue.title, 'contrib')

.github/workflows/ecosystems-label-pr.yml

@@ -7,6 +7,9 @@ on:
  - opened
  - reopened
  - edited
+permissions:
+ contents: read
+ pull-requests: write
 jobs:
  label_issues:
  runs-on: ubuntu-latest

.github/workflows/govulncheck.yml

@@ -14,6 +14,9 @@ on:
  - cron: '00 00 * * *'
  workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
  govulncheck-tests:
  runs-on: ubuntu-latest

.github/workflows/multios-unit-tests.yml

@@ -29,6 +29,9 @@ on:
 env:
  DD_APPSEC_WAF_TIMEOUT: 1m # Increase time WAF time budget to reduce CI flakiness
 
+permissions:
+ contents: read
+
 jobs:
  test-multi-os:
  runs-on: "${{ inputs.runs-on }}"

.github/workflows/parametric-tests.yml

@@ -21,6 +21,9 @@ on:
  schedule:
  - cron: '00 04 * * 2-6'
 
+permissions:
+ contents: read
+
 jobs:
  parametric-tests:
  if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go')

.github/workflows/smoke-tests.yml

@@ -27,6 +27,9 @@ on:
 env:
  TEST_RESULTS: /tmp/test-results # path to where test results will be saved
 
+permissions:
+ contents: read
+
 jobs:
  go-get-u:
  # Run go get -u to upgrade dd-trace-go dependencies to their
@@ -90,7 +93,7 @@ jobs:
  ref: ${{ inputs.ref || github.ref }}
  - uses: actions/setup-go@v3
  with:
- go-version: "1.21"
+ go-version: "1.22"
  cache: true
  - name: go mod tidy
  run: |-
@@ -185,7 +188,7 @@ jobs:
  uses: docker/build-push-action@v5
  with:
  context: .
- file: ./internal/apps/setup-smoke-test/Dockerfile
+ file: ./internal/setup-smoke-test/Dockerfile
  push: false
  load: true
  tags: smoke-test

.github/workflows/stale.yml

@@ -4,6 +4,10 @@ on:
  schedule:
  - cron: '30 1 * * *'
 
+permissions:
+ contents: read
+ issues: write
+
 jobs:
  stale:
  runs-on: ubuntu-latest

.github/workflows/system-tests.yml

@@ -27,6 +27,9 @@ on:
  schedule:
  - cron: '00 04 * * 2-6'
 
+permissions:
+ contents: read
+
 jobs:
  system-tests:
  if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go')
@@ -43,6 +46,8 @@ jobs:
  - uds-echo
  scenario:
  - DEFAULT
+ - INTEGRATIONS
+ - CROSSED_TRACING_LIBRARIES
  - APPSEC_DISABLED
  - APPSEC_BLOCKING
  - APPSEC_BLOCKING_FULL_DENYLIST
@@ -103,6 +108,8 @@ jobs:
  DD_API_KEY: ${{ secrets.DD_API_KEY }}
  SYSTEM_TESTS_E2E_DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }}
  SYSTEM_TESTS_E2E_DD_APP_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }}
+ SYSTEM_TESTS_AWS_ACCESS_KEY_ID: ${{ secrets.SYSTEM_TESTS_IDM_AWS_ACCESS_KEY_ID }}
+ SYSTEM_TESTS_AWS_SECRET_ACCESS_KEY: ${{ secrets.SYSTEM_TESTS_IDM_AWS_SECRET_ACCESS_KEY }}
  name: Test (${{ matrix.weblog-variant }}, ${{ matrix.scenario }})
  steps:
  - name: Checkout system tests

.github/workflows/test-apps.cue

@@ -115,6 +115,10 @@ env: {
  DD_TAGS: "github_run_id:${{ github.run_id }} github_run_number:${{ github.run_number }} ${{ inputs['arg: tags'] }}",
 }
 
+permissions: {
+ contents: "read",
+}
+
 jobs: {
  for i, scenario in #scenarios {
  for j, env in #envs {

.github/workflows/test-apps.yml

@@ -64,6 +64,8 @@ name: Test Apps
 env:
  DD_ENV: github
  DD_TAGS: 'github_run_id:${{ github.run_id }} github_run_number:${{ github.run_number }} ${{ inputs[''arg: tags''] }}'
+permissions:
+ contents: read
 jobs:
  job-0-0:
  name: unit-of-work/v1 (prod)

.github/workflows/unit-integration-tests.yml

@@ -20,6 +20,9 @@ env:
  # without having to download a newer one.
  GOTOOLCHAIN: local
 
+permissions:
+ contents: read
+
 jobs:
  copyright:
  runs-on: ubuntu-latest
@@ -28,10 +31,14 @@ jobs:
  uses: actions/checkout@v3
  with:
  ref: ${{ inputs.ref || github.ref }}
- - name: Setup Go
+ - name: Setup Go 
  uses: ./.github/actions/setup-go
  with:
  go-version: ${{ inputs.go-version }}
+ - name: Setup go
+ uses: actions/setup-go@v5
+ with:
+ go-version: stable
  - name: Copyright
  run: |
  go run checkcopyright.go

appsec/appsec.go

@@ -33,7 +33,7 @@ var appsecDisabledLog sync.Once
 // Note that passing the raw bytes of the HTTP request body is not expected and would
 // result in inaccurate attack detection.
 // This function always returns nil when appsec is disabled.
-func MonitorParsedHTTPBody(ctx context.Context, body interface{}) error {
+func MonitorParsedHTTPBody(ctx context.Context, body any) error {
  if !appsec.Enabled() {
  appsecDisabledLog.Do(func() { log.Warn("appsec: not enabled. Body blocking checks won't be performed.") })
  return nil
@@ -60,7 +60,15 @@ func SetUser(ctx context.Context, id string, opts ...tracer.UserMonitoringOption
  appsecDisabledLog.Do(func() { log.Warn("appsec: not enabled. User blocking checks won't be performed.") })
  return nil
  }
- return sharedsec.MonitorUser(ctx, id)
+
+ op, errPtr := usersec.StartUserLoginOperation(ctx, usersec.UserLoginOperationArgs{})
+ op.Finish(usersec.UserLoginOperationRes{
+ UserID: id,
+ SessionID: getSessionID(opts...),
+ Success: true,
+ })
+
+ return *errPtr
 }
 
 // TrackUserLoginSuccessEvent sets a successful user login event, with the given
@@ -76,17 +84,7 @@ func SetUser(ctx context.Context, id string, opts ...tracer.UserMonitoringOption
 // Take-Over (ATO) monitoring, ultimately blocking the IP address and/or user id
 // associated to them.
 func TrackUserLoginSuccessEvent(ctx context.Context, uid string, md map[string]string, opts ...tracer.UserMonitoringOption) error {
- span := getRootSpan(ctx)
- if span == nil {
- return nil
- }
-
- const tagPrefix = "appsec.events.users.login.success."
- span.SetTag(tagPrefix+"track", true)
- for k, v := range md {
- span.SetTag(tagPrefix+k, v)
- }
- span.SetTag(ext.ManualKeep, true)
+ TrackCustomEvent(ctx, "users.login.success", md)
  return SetUser(ctx, uid, opts...)
 }
 
@@ -106,14 +104,15 @@ func TrackUserLoginFailureEvent(ctx context.Context, uid string, exists bool, md
  return
  }
 
- const tagPrefix = "appsec.events.users.login.failure."
- span.SetTag(tagPrefix+"track", true)
- span.SetTag(tagPrefix+"usr.id", uid)
- span.SetTag(tagPrefix+"usr.exists", exists)
- for k, v := range md {
- span.SetTag(tagPrefix+k, v)
- }
- span.SetTag(ext.ManualKeep, true)
+ // We need to do the first call to SetTag ourselves because the map taken by TrackCustomEvent is map[string]string
+ // and not map [string]any, so the `exists` boolean variable does not fit int
+ span.SetTag("appsec.events.users.login.failure.usr.exists", exists)
+ span.SetTag("appsec.events.users.login.failure.usr.id", uid)
+
+ TrackCustomEvent(ctx, "users.login.failure", md)
+
+ op, _ := usersec.StartUserLoginOperation(ctx, usersec.UserLoginOperationArgs{})
+ op.Finish(usersec.UserLoginOperationRes{UserID: uid, Success: false})
 }
 
 // TrackCustomEvent sets a custom event as service entry span tags. This span is
@@ -145,3 +144,13 @@ func getRootSpan(ctx context.Context) *tracer.Span {
  }
  return span.Root()
 }
+
+func getSessionID(opts ...tracer.UserMonitoringOption) string {
+ cfg := &tracer.UserMonitoringConfig{
+ Metadata: make(map[string]string),
+ }
+ for _, opt := range opts {
+ opt(cfg)
+ }
+ return cfg.SessionID
+}