Merge branch 'main' into mtoff/header-tags

.github/workflows/appsec.yml

@@ -90,12 +90,12 @@ jobs:
 
   macos:
     name: ${{ matrix.runs-on }} go${{ matrix.go-version }}
-    runs-on: macos-11 # oldest macos runner available - the full macOS matrix is in go-libddwaf
+    runs-on: ${{ matrix.runs-on }}
     needs: go-mod-caching
     strategy:
       matrix:
-        runs-on: [ macos-11, macos-14 ] # oldest and newest macos runners available - macos-14 mainly is here to cover the fact it is an ARM machine
-        go-version: [ "1.22", "1.21", "1.20" ]
+        runs-on: [ macos-12, macos-14 ] # oldest and newest macos runners available - macos-14 mainly is here to cover the fact it is an ARM machine
+        go-version: [ "1.22", "1.21" ]
       fail-fast: true # saving some CI time - macos runners too long to get
     steps:
       - uses: actions/checkout@v4
@@ -124,9 +124,6 @@ jobs:
         run: |
           set -euxo pipefail
           cgocheck="GOEXPERIMENT=cgocheck2"
-          if [[ "$(go version)" =~ go1.20 ]]; then
-            cgocheck="GODEBUG=cgocheck=2"
-          fi
           for cgo in "0" "1"; do
             for appsec_enabled_env in "" "DD_APPSEC_ENABLED=true" "DD_APPSEC_ENABLED=false"; do
                 for cgocheck_env in "" "$cgocheck"; do
@@ -190,14 +187,9 @@ jobs:
     needs: go-mod-caching
     strategy:
       matrix:
-        go-version: [ "1.22", "1.21", "1.20" ]
-        distribution: [ bookworm, bullseye, buster, alpine ]
+        go-version: [ "1.22", "1.21" ]
+        distribution: [ bookworm, bullseye, alpine ]
         platform: [ linux/amd64, linux/arm64 ]
-        exclude:
-          - go-version: "1.21"
-            distribution: buster
-          - go-version: "1.22"
-            distribution: buster
 
       fail-fast: false
     steps:
@@ -266,6 +258,7 @@ jobs:
 
   test-app-smoke-tests:
     name: Smoke Tests
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner == 'DataDog'
     uses: DataDog/appsec-go-test-app/.github/workflows/smoke-tests.yml@main
     with:
       dd-trace-go-version: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}

.github/workflows/datadog-static-analysis.yml

@@ -0,0 +1,21 @@
+on: [push]
+
+name: Datadog Static Analysis
+
+jobs:
+  static-analysis:
+    runs-on: ubuntu-latest
+    name: Datadog Static Analyzer
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Check code meets quality and security standards
+      id: datadog-static-analysis
+      uses: DataDog/datadog-static-analyzer-github-action@v1
+      with:
+        dd_api_key: ${{ secrets.STATIC_ANALYZER_API_KEY }}
+        dd_app_key: ${{ secrets.STATIC_ANALYZER_APP_KEY }}
+        dd_service: dd-trace-go
+        dd_env: ci
+        dd_site: datadoghq.com
+        cpu_count: 2

.github/workflows/main-branch-tests.yml

@@ -22,7 +22,7 @@ jobs:
   unit-integration-tests:
     strategy:
       matrix:
-        go-version: ["1.20", "1.21", "1.22"]
+        go-version: [ "1.21", "1.22" ]
       fail-fast: false
     uses: ./.github/workflows/unit-integration-tests.yml
     with:
@@ -33,7 +33,7 @@ jobs:
     strategy:
       matrix:
         runs-on: [ macos-latest, windows-latest, ubuntu-latest ]
-        go-version: ["1.20", "1.21", "1.22"]
+        go-version: [ "1.21", "1.22" ]
       fail-fast: false
     uses: ./.github/workflows/multios-unit-tests.yml
     with:

.github/workflows/multios-unit-tests.yml

@@ -31,7 +31,7 @@ env:
 
 jobs:
   test-multi-os:
-    runs-on: "${{ (inputs.go-version == '1.20' && inputs.runs-on == 'windows-latest') && 'windows-2019' || inputs.runs-on }}"
+    runs-on: "${{ inputs.runs-on }}"
     env:
       REPORT: gotestsum-report.xml # path to where test results will be saved
       DD_APPSEC_WAF_TIMEOUT: 1h

.github/workflows/parametric-tests.yml

@@ -43,7 +43,7 @@ jobs:
 
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.20"
+          go-version: "oldstable"
 
       - name: Build runner
         uses: ./.github/actions/install_runner

.github/workflows/pull-request.yml

@@ -18,6 +18,6 @@ jobs:
     name: PR Unit and Integration Tests
     uses: ./.github/workflows/unit-integration-tests.yml
     with:
-      go-version: "1.20"
+      go-version: "1.21"
       ref: ${{ github.ref }}
     secrets: inherit

.github/workflows/smoke-tests.yml

@@ -76,7 +76,7 @@ jobs:
           ref: ${{ inputs.ref || github.ref }}
       - uses: actions/setup-go@v3
         with:
-          go-version: "stable"
+          go-version: "1.21"
           cache: true
       - name: go mod tidy
         run: |-
@@ -99,7 +99,7 @@ jobs:
       matrix:
         # TODO: cross-compilation from/to different hardware architectures once
         #       github provides native ARM runners.
-        go: [ "1.20", "1.21", "1.22" ]
+        go: [ "1.21", "1.22", "1.23-rc" ]
         build-env: [ alpine, bookworm, bullseye ]
         build-with-cgo: [ 0, 1 ]
         deployment-env: [ alpine, debian11, debian12, al2, al2023, busybox, scratch ]

.github/workflows/system-tests.yml

@@ -48,6 +48,7 @@ jobs:
           - APPSEC_BLOCKING_FULL_DENYLIST
           - APPSEC_REQUEST_BLOCKING
           - APPSEC_API_SECURITY
+          - APPSEC_RASP
           - APM_TRACING_E2E
           - APM_TRACING_E2E_SINGLE_SPAN
           - APM_TRACING_E2E_OTEL

.github/workflows/unit-integration-tests.yml

@@ -39,8 +39,9 @@ jobs:
       - name: golangci-lint
         uses: reviewdog/action-golangci-lint@v2
         with:
+          golangci_lint_flags: "--timeout 10m" # We are hitting timeout when there is no cache
           go_version: ${{ inputs.go-version }}
-          golangci_lint_version: v1.52.2
+          golangci_lint_version: v1.59.1
           fail_on_error: true
           reporter: github-pr-review
 
@@ -81,7 +82,7 @@ jobs:
           DD_POOL_TRACE_CHECK_FAILURES: true
           DD_DISABLE_ERROR_RESPONSES: true
       cassandra:
-        image: cassandra:3.7
+        image: cassandra:3.11
         env:
           JVM_OPTS: "-Xms750m -Xmx750m"
         ports:

.gitlab-ci.yml

@@ -4,8 +4,8 @@ stages:
   - test-apps
 
 variables:
-  # This base image is created here: https://gitlab.ddbuild.io/DataDog/apm-reliability/benchmarking-platform/-/pipelines/30723596
-  BASE_CI_IMAGE: 486234852809.dkr.ecr.us-east-1.amazonaws.com/ci/benchmarking-platform:dd-trace-go-30723596
+  # This base image is created here: https://gitlab.ddbuild.io/DataDog/apm-reliability/benchmarking-platform/-/pipelines/38806487
+  BASE_CI_IMAGE: 486234852809.dkr.ecr.us-east-1.amazonaws.com/ci/benchmarking-platform:dd-trace-go-38806487
   INDEX_FILE: index.txt
   KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: dd-trace-go
   FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY: "true"

.gitlab/macrobenchmarks.yml

@@ -30,11 +30,14 @@ variables:
     GO_PROF_APP_BUILD_VARIANT: "candidate"
     DD_TRACE_GO_VERSION: "latest"
 
+    LOAD_TESTS: io-bound,cpu-bound,cgo-cpu-bound,cpu-bound-x-client-ip-enabled
+    PARALLELIZE: "true"
 
   # Workaround: Currently we're not running the benchmarks on every PR, but GitHub still shows them as pending.
   # By marking the benchmarks as allow_failure, this should go away. (This workaround should be removed once the
   # benchmarks get changed to run on every PR)
   allow_failure: true
+
 go122-baseline:
   extends: .benchmarks
   variables:
@@ -44,8 +47,7 @@ go122-baseline:
     ENABLE_APPSEC: "false"
     DD_PROFILING_EXECUTION_TRACE_ENABLED: "false"
     GO_VERSION: "1.22.1"
-    LOAD_TESTS: normal_operation_io-bound,high_load_io-bound|normal_operation_cpu-bound,high_load_cpu-bound|normal_operation_cgo-cpu-bound,high_load_cgo-cpu-bound|normal_operation_cpu-bound-x-client-ip-enabled,high_load_cpu-bound-x-client-ip-enabled
-    PARALLELIZE: "true"
+
 go122-only-trace:
   extends: .benchmarks
   variables:
@@ -55,8 +57,7 @@ go122-only-trace:
     ENABLE_APPSEC: "false"
     DD_PROFILING_EXECUTION_TRACE_ENABLED: "false"
     GO_VERSION: "1.22.1"
-    LOAD_TESTS: normal_operation_io-bound,high_load_io-bound|normal_operation_cpu-bound,high_load_cpu-bound|normal_operation_cgo-cpu-bound,high_load_cgo-cpu-bound|normal_operation_cpu-bound-x-client-ip-enabled,high_load_cpu-bound-x-client-ip-enabled
-    PARALLELIZE: "true"
+
 go122-only-profile:
   extends: .benchmarks
   variables:
@@ -66,8 +67,7 @@ go122-only-profile:
     ENABLE_APPSEC: "false"
     DD_PROFILING_EXECUTION_TRACE_ENABLED: "false"
     GO_VERSION: "1.22.1"
-    LOAD_TESTS: normal_operation_io-bound,high_load_io-bound|normal_operation_cpu-bound,high_load_cpu-bound|normal_operation_cgo-cpu-bound,high_load_cgo-cpu-bound|normal_operation_cpu-bound-x-client-ip-enabled,high_load_cpu-bound-x-client-ip-enabled
-    PARALLELIZE: "true"
+
 go122-profile-trace:
   extends: .benchmarks
   variables:
@@ -77,8 +77,7 @@ go122-profile-trace:
     ENABLE_APPSEC: "false"
     DD_PROFILING_EXECUTION_TRACE_ENABLED: "false"
     GO_VERSION: "1.22.1"
-    LOAD_TESTS: normal_operation_io-bound,high_load_io-bound|normal_operation_cpu-bound,high_load_cpu-bound|normal_operation_cgo-cpu-bound,high_load_cgo-cpu-bound|normal_operation_cpu-bound-x-client-ip-enabled,high_load_cpu-bound-x-client-ip-enabled
-    PARALLELIZE: "true"
+
 go122-trace-asm:
   extends: .benchmarks
   variables:
@@ -88,8 +87,7 @@ go122-trace-asm:
     ENABLE_APPSEC: "true"
     DD_PROFILING_EXECUTION_TRACE_ENABLED: "false"
     GO_VERSION: "1.22.1"
-    LOAD_TESTS: normal_operation_io-bound,high_load_io-bound|normal_operation_cpu-bound,high_load_cpu-bound|normal_operation_cgo-cpu-bound,high_load_cgo-cpu-bound|normal_operation_cpu-bound-x-client-ip-enabled,high_load_cpu-bound-x-client-ip-enabled
-    PARALLELIZE: "true"
+
 go122-profile-trace-asm:
   extends: .benchmarks
   variables:
@@ -99,8 +97,7 @@ go122-profile-trace-asm:
     ENABLE_APPSEC: "true"
     DD_PROFILING_EXECUTION_TRACE_ENABLED: "false"
     GO_VERSION: "1.22.1"
-    LOAD_TESTS: normal_operation_io-bound,high_load_io-bound|normal_operation_cpu-bound,high_load_cpu-bound|normal_operation_cgo-cpu-bound,high_load_cgo-cpu-bound|normal_operation_cpu-bound-x-client-ip-enabled,high_load_cpu-bound-x-client-ip-enabled
-    PARALLELIZE: "true"
+
 go120-baseline:
   extends: .benchmarks
   variables:
@@ -110,8 +107,7 @@ go120-baseline:
     ENABLE_APPSEC: "false"
     DD_PROFILING_EXECUTION_TRACE_ENABLED: "false"
     GO_VERSION: "1.20.14"
-    LOAD_TESTS: normal_operation_io-bound,high_load_io-bound|normal_operation_cpu-bound,high_load_cpu-bound|normal_operation_cgo-cpu-bound,high_load_cgo-cpu-bound|normal_operation_cpu-bound-x-client-ip-enabled,high_load_cpu-bound-x-client-ip-enabled
-    PARALLELIZE: "true"
+
 go120-only-trace:
   extends: .benchmarks
   variables:
@@ -121,8 +117,7 @@ go120-only-trace:
     ENABLE_APPSEC: "false"
     DD_PROFILING_EXECUTION_TRACE_ENABLED: "false"
     GO_VERSION: "1.20.14"
-    LOAD_TESTS: normal_operation_io-bound,high_load_io-bound|normal_operation_cpu-bound,high_load_cpu-bound|normal_operation_cgo-cpu-bound,high_load_cgo-cpu-bound|normal_operation_cpu-bound-x-client-ip-enabled,high_load_cpu-bound-x-client-ip-enabled
-    PARALLELIZE: "true"
+
 go120-only-profile:
   extends: .benchmarks
   variables:
@@ -132,8 +127,7 @@ go120-only-profile:
     ENABLE_APPSEC: "false"
     DD_PROFILING_EXECUTION_TRACE_ENABLED: "false"
     GO_VERSION: "1.20.14"
-    LOAD_TESTS: normal_operation_io-bound,high_load_io-bound|normal_operation_cpu-bound,high_load_cpu-bound|normal_operation_cgo-cpu-bound,high_load_cgo-cpu-bound|normal_operation_cpu-bound-x-client-ip-enabled,high_load_cpu-bound-x-client-ip-enabled
-    PARALLELIZE: "true"
+
 go120-profile-trace:
   extends: .benchmarks
   variables:
@@ -143,8 +137,7 @@ go120-profile-trace:
     ENABLE_APPSEC: "false"
     DD_PROFILING_EXECUTION_TRACE_ENABLED: "false"
     GO_VERSION: "1.20.14"
-    LOAD_TESTS: normal_operation_io-bound,high_load_io-bound|normal_operation_cpu-bound,high_load_cpu-bound|normal_operation_cgo-cpu-bound,high_load_cgo-cpu-bound|normal_operation_cpu-bound-x-client-ip-enabled,high_load_cpu-bound-x-client-ip-enabled
-    PARALLELIZE: "true"
+
 go120-trace-asm:
   extends: .benchmarks
   variables:
@@ -154,8 +147,7 @@ go120-trace-asm:
     ENABLE_APPSEC: "true"
     DD_PROFILING_EXECUTION_TRACE_ENABLED: "false"
     GO_VERSION: "1.20.14"
-    LOAD_TESTS: normal_operation_io-bound,high_load_io-bound|normal_operation_cpu-bound,high_load_cpu-bound|normal_operation_cgo-cpu-bound,high_load_cgo-cpu-bound|normal_operation_cpu-bound-x-client-ip-enabled,high_load_cpu-bound-x-client-ip-enabled
-    PARALLELIZE: "true"
+
 go120-profile-trace-asm:
   extends: .benchmarks
   variables:
@@ -165,5 +157,3 @@ go120-profile-trace-asm:
     ENABLE_APPSEC: "true"
     DD_PROFILING_EXECUTION_TRACE_ENABLED: "false"
     GO_VERSION: "1.20.14"
-    LOAD_TESTS: normal_operation_io-bound,high_load_io-bound|normal_operation_cpu-bound,high_load_cpu-bound|normal_operation_cgo-cpu-bound,high_load_cgo-cpu-bound|normal_operation_cpu-bound-x-client-ip-enabled,high_load_cpu-bound-x-client-ip-enabled
-    PARALLELIZE: "true"

CODEOWNERS

@@ -28,6 +28,9 @@ go.sum
 /datastreams                    @Datadog/data-streams-monitoring
 /internal/datastreams           @Datadog/data-streams-monitoring
 
+# civisibility
+/internal/civisibility          @DataDog/ci-app-libraries
+
 # Gitlab configuration
 .gitlab-ci.yml                  @DataDog/dd-trace-go-guild @DataDog/apm-core-reliability-and-performance
 /.gitlab-ci                     @DataDog/dd-trace-go-guild @DataDog/apm-core-reliability-and-performance

README.md

@@ -43,48 +43,9 @@ If you installed more packages than you intended, you can use `go mod tidy` to r
  - [Application Security Monitoring](https://docs.datadoghq.com/security_platform/application_security/setup_and_configure/?code-lang=go)
  - If you are migrating from an older version of the tracer (e.g. 0.6.x) you may also find the [migration document](MIGRATING.md) we've put together helpful.
 
-### Support Policy
+### Go Support Policy
 
-Datadog APM for Go is built upon dependencies defined in specific versions of the host operating system, Go releases, and the Datadog Agent/API. For Go the two latest releases are [GA](#support-ga) supported and the version before that is in [Maintenance](#support-maintenance). We do make efforts to support older releases, but generally these releases are considered [Legacy](#support-legacy). This library only officially supports [first class ports](https://github.com/golang/go/wiki/PortingPolicy#first-class-ports) of Go.
-
-| **Level**                                              | **Support provided**                                                                                                                                                         |
-|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| <span id="support-ga">General Availability (GA)</span> | Full implementation of all features. Full support for new features, bug & security fixes.                                                                                    |
-| <span id="support-maintenance">Maintenance</span>      | Full implementation of existing features. May receive new features. Support for bug & security fixes only.                                                                   |
-| <span id="support-legacy">Legacy</span>                | Legacy implementation. May have limited function, but no maintenance provided. Not guaranteed to compile the latest version of dd-trace-go. [Contact our customer support team for special requests.](https://www.datadoghq.com/support/) |
-
-### Supported Versions
-<!-- NOTE: When updating the below section ensure you update the minimum supported version listed in the public docs here: https://docs.datadoghq.com/tracing/setup_overview/setup/go/?tab=containers#compatibility-requirements -->
-| **Go Version** | **Support level**                   |
-|----------------|-------------------------------------|
-| 1.22           | [GA](#support-ga)                   |
-| 1.21           | [GA](#support-ga)                   |
-| 1.20           | [Maintenance](#support-maintenance) |
-| 1.19           | [Legacy](#support-legacy)           |
-
-* Datadog's Trace Agent >= 5.21.1
-
-
-#### Package Versioning
-
-A **Minor** version change will be released whenever a new version of Go is released. At that time the newest version of Go is added to [GA](#support-ga), the second oldest supported version moved to [Maintenance](#support-maintenance) and the oldest previously supported version dropped to [Legacy](#support-legacy).
-**For example**:
-For a dd-trace-go version 1.37.*
-
-| Go Version | Support                             |
-|------------|-------------------------------------|
-| 1.18       | [GA](#support-ga)                   |
-| 1.17       | [GA](#support-ga)                   |
-| 1.16       | [Maintenance](#support-maintenance) |
-
-Then after Go 1.19 is released there will be a new dd-trace-go version 1.38.0 with support:
-
-| Go Version | Support                             |
-|------------|-------------------------------------|
-| 1.19       | [GA](#support-ga)                   |
-| 1.18       | [GA](#support-ga)                   |
-| 1.17       | [Maintenance](#support-maintenance) |
-| 1.16       | [Legacy](#support-legacy)           |
+Datadog APM for Go is built upon dependencies defined in specific versions of the host operating system, Go releases, and the Datadog Agent/API. dd-trace-go supports the two latest releases of Go, matching the [official Go policy](https://go.dev/doc/devel/release#policy). This library only officially supports [first class ports](https://go.dev/wiki/PortingPolicy) of Go.
 
 ### Contributing
 
@@ -105,4 +66,4 @@ If you're only interested in the tests for a specific integration it can be usef
 For example if you're running tests that need the `mysql` database container to be up:
 ```shell
 docker compose -f docker-compose.yaml -p dd-trace-go up -d mysql
-```
+```

appsec/events/block.go

@@ -11,8 +11,6 @@ import "errors"
 
 var _ error = (*BlockingSecurityEvent)(nil)
 
-var securityError = &BlockingSecurityEvent{}
-
 // BlockingSecurityEvent is the error type returned by function calls blocked by appsec.
 // Even though appsec takes care of responding automatically to the blocked requests, it
 // is your duty to abort the request handlers that are calling functions blocked by appsec.
@@ -29,5 +27,6 @@ func (*BlockingSecurityEvent) Error() string {
 
 // IsSecurityError returns true if the error is a security event.
 func IsSecurityError(err error) bool {
-	return errors.Is(err, securityError)
+	var secErr *BlockingSecurityEvent
+	return errors.As(err, &secErr)
 }