.github/workflows/appsec.yml

@@ -26,7 +26,7 @@ jobs:
   native:
     strategy:
       matrix:
-        runs-on: [ macos-12, macos-11, macos-10.15, ubuntu-22.04, ubuntu-20.04, windows-latest ]
+        runs-on: [ macos-13, macos-12, macos-11, ubuntu-22.04, ubuntu-20.04, windows-latest ]
         go-version: [ "1.20", "1.19", "1.18" ]
         cgo_enabled: # test it compiles with and without cgo
           - 0

.github/workflows/smoke-tests.yml

@@ -27,7 +27,9 @@ jobs:
           go-version: 1.18
           cache: true
       - name: go get -u
-        run: go get -u $PACKAGES
+        run: |
+          go get -u $PACKAGES
+          go mod tidy
       - name: Compile dd-trace-go
         run: go build -tags appsec $PACKAGES
       - name: Test dd-trace-go

.github/workflows/system-tests.yml

@@ -11,7 +11,13 @@ on:
     branches:
       - "**"
   merge_group:
-  workflow_dispatch: {}
+  workflow_dispatch:
+      inputs:
+          ref:
+              description: 'System Tests ref/tag/branch'
+              required: true
+              default: main
+              type: string
   schedule:
     - cron:  '00 04 * * 2-6'
 
@@ -21,22 +27,59 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
+        weblog-variant:
+          - net-http
+          - echo
+          - chi
+          - gin
+        scenario:
+          - DEFAULT
+          - APPSEC_DISABLED
+          - APPSEC_BLOCKING
+          - APPSEC_IP_BLOCKING
+          - APPSEC_REQUEST_BLOCKING
+          - APM_TRACING_E2E
+          - APM_TRACING_E2E_SINGLE_SPAN
         include:
-          - library: golang
-            weblog-variant: net-http
-          - library: golang
-            weblog-variant: gorilla
-          - library: golang
-            weblog-variant: echo
-          - library: golang
-            weblog-variant: chi
-          - library: golang
-            weblog-variant: gin
+          - weblog-variant: net-http
+            scenario: REMOTE_CONFIG_MOCKED_BACKEND_ASM_FEATURES
+          - weblog-variant: net-http
+            scenario: REMOTE_CONFIG_MOCKED_BACKEND_ASM_FEATURES
+          - weblog-variant: net-http
+            scenario: REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD
+          # AppSec scenarios that don't depend on the integrations, so we just run on the net/http variant
+          - weblog-variant: net-http
+            scenario: APPSEC_RATE_LIMITER
+          - weblog-variant: net-http
+            scenario: APPSEC_CUSTOM_RULES
+          - weblog-variant: net-http
+            scenario: APPSEC_MISSING_RULES
+          - weblog-variant: net-http
+            scenario: APPSEC_CORRUPTED_RULES
+          - weblog-variant: net-http
+            scenario: APPSEC_LOW_WAF_TIMEOUT
+          - weblog-variant: net-http
+            scenario: APPSEC_CUSTOM_OBFUSCATION
+          # APM scenarios requiring specific environment settings
+          - scenario: APM_TRACING_E2E
+            env:
+              DD_API_KEY=$SYSTEM_TESTS_E2E_DD_API_KEY
+              DD_APPLICATION_KEY=$SYSTEM_TESTS_E2E_DD_APP_KEY
+              DD_SITE="datadoghq.com"
+          - scenario: APM_TRACING_E2E_SINGLE_SPAN
+            env:
+              DD_API_KEY=$SYSTEM_TESTS_E2E_DD_API_KEY
+              DD_APPLICATION_KEY=$SYSTEM_TESTS_E2E_DD_APP_KEY
+              DD_SITE="datadoghq.com"
+
       fail-fast: false
     env:
       TEST_LIBRARY: golang
       WEBLOG_VARIANT: ${{ matrix.weblog-variant }}
       DD_API_KEY: ${{ secrets.DD_API_KEY }}
+      SYSTEM_TESTS_E2E_DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }}
+      SYSTEM_TESTS_E2E_DD_APP_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }}
+    name: Test (${{ matrix.weblog-variant }}, ${{ matrix.scenario }})
     steps:
       - name: Setup python 3.9
         uses: actions/setup-python@v4
@@ -47,6 +90,7 @@ jobs:
         uses: actions/checkout@v2
         with:
           repository: 'DataDog/system-tests'
+          ref: ${{ inputs.ref }}
 
       - name: Checkout dd-trace-go
         uses: actions/checkout@v2
@@ -57,49 +101,7 @@ jobs:
         run: ./build.sh
 
       - name: Run
-        run: ./run.sh
-
-      - name: Run APM E2E default tests
-        env:
-          DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }}
-          DD_APPLICATION_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }}
-          DD_SITE: "datadoghq.com"
-        run: ./run.sh APM_TRACING_E2E
-
-      - name: Run APM E2E Single Span tests
-        env:
-          DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }}
-          DD_APPLICATION_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }}
-          DD_SITE: "datadoghq.com"
-        run: ./run.sh APM_TRACING_E2E_SINGLE_SPAN
-
-      - name: Run ASM blocking scenario
-        env:
-          DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }}
-          DD_APPLICATION_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }}
-          DD_SITE: "datadoghq.com"
-        run: ./run.sh APPSEC_BLOCKING
-
-      - name: Run ASM request blocking scenario
-        env:
-          DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }}
-          DD_APPLICATION_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }}
-          DD_SITE: "datadoghq.com"
-        run: ./run.sh APPSEC_REQUEST_BLOCKING
-
-      - name: Run ASM_FEATURES remote configuration test
-        env:
-          DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }}
-          DD_APPLICATION_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }}
-          DD_SITE: "datadoghq.com"
-        run: ./run.sh REMOTE_CONFIG_MOCKED_BACKEND_ASM_FEATURES
-
-      - name: Run ASM_DD remote configuration test
-        env:
-          DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }}
-          DD_APPLICATION_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }}
-          DD_SITE: "datadoghq.com"
-        run: ./run.sh REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD
+        run: env ${{ matrix.env }} ./run.sh ${{ matrix.scenario }}
 
       - name: Compress artifact
         if: ${{ always() }}
@@ -109,5 +111,5 @@ jobs:
         uses: actions/upload-artifact@v2
         if: ${{ always() }}
         with:
-          name: logs_${{ matrix.weblog-variant }}
+          name: logs_${{ matrix.weblog-variant }}_${{ matrix.scenario }}
           path: artifact.tar.gz

.github/workflows/unit-integration-tests.yml

@@ -19,38 +19,7 @@ jobs:
         run: |
           go run checkcopyright.go
 
-  # Deprecated
-  # TODO remove this once the golangci-lint job is stable.
   lint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          repository: 'DataDog/dd-trace-go'
-      - name: gofmt
-        run: |
-          if [ "$(gofmt -e -l . | wc -l)" -gt 0 ]; then
-            gofmt -e -l .
-            exit 1
-          fi
-
-      - name: goimports
-        run: |
-          go install golang.org/x/tools/cmd/goimports
-          if [ "$(~/go/bin/goimports -e -l -local gopkg.in/DataDog/dd-trace-go.v1 . | wc -l)" -gt 0 ]; then
-            echo "Run 'goimports -w -local gopkg.in/DataDog/dd-trace-go.v1 .' to format code."
-            ~/go/bin/goimports -d -local gopkg.in/DataDog/dd-trace-go.v1 .
-            exit 1
-          fi
-
-      - name: lint
-        run: |
-          go install golang.org/x/lint/golint@latest
-          curl https://raw.githubusercontent.com/alecthomas/gometalinter/master/scripts/install.sh | sh # https://github.com/alecthomas/gometalinter#binary-releases
-          ./bin/gometalinter --disable-all --vendor --deadline=120s --enable=golint ./...
-
-  golangci-lint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-go@v4
@@ -233,6 +202,10 @@ jobs:
           KAFKA_BROKER_ID: 1
         ports:
           - 9092:9092
+      localstack:
+        image: localstack/localstack:latest
+        ports:
+          - 4566:4566
     steps:
       - name: Checkout
         uses: actions/checkout@v2

.golangci.yml

@@ -9,3 +9,4 @@ linters:
   - gofmt
   - goimports
   - revive
+  - bodyclose

CODEOWNERS

@@ -19,3 +19,6 @@
 
 # telemetry
 /internal/telemetry             @DataDog/apm-go
+
+# linter rules
+.golangci.yml                   @DataDog/tracing-go @DataDog/profiling-go @DataDog/appsec-go

appsec/appsec.go

@@ -13,6 +13,7 @@ package appsec
 
 import (
 	"context"
+	"sync"
 
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/ext"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
@@ -22,17 +23,22 @@ import (
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/log"
 )
 
+var appsecDisabledLog sync.Once
+
 // MonitorParsedHTTPBody runs the security monitoring rules on the given *parsed*
-// HTTP request body. The given context must be the HTTP request context as returned
+// HTTP request body and returns if the HTTP request is suspicious and configured to be blocked.
+// The given context must be the HTTP request context as returned
 // by the Context() method of an HTTP request. Calls to this function are ignored if
 // AppSec is disabled or the given context is incorrect.
 // Note that passing the raw bytes of the HTTP request body is not expected and would
 // result in inaccurate attack detection.
-func MonitorParsedHTTPBody(ctx context.Context, body interface{}) {
-	if appsec.Enabled() {
-		httpsec.MonitorParsedBody(ctx, body)
+// This function always returns nil when appsec is disabled.
+func MonitorParsedHTTPBody(ctx context.Context, body interface{}) error {
+	if !appsec.Enabled() {
+		appsecDisabledLog.Do(func() { log.Warn("appsec: not enabled. Body blocking checks won't be performed.") })
+		return nil
 	}
-	// bonus: use sync.Once to log a debug message once if AppSec is disabled
+	return httpsec.MonitorParsedBody(ctx, body)
 }
 
 // SetUser wraps tracer.SetUser() and extends it with user blocking.
@@ -51,7 +57,7 @@ func SetUser(ctx context.Context, id string, opts ...tracer.UserMonitoringOption
 	}
 	tracer.SetUser(s, id, opts...)
 	if !appsec.Enabled() {
-		log.Debug("appsec: not enabled. User blocking checks won't be performed.")
+		appsecDisabledLog.Do(func() { log.Warn("appsec: not enabled. User blocking checks won't be performed.") })
 		return nil
 	}
 	return sharedsec.MonitorUser(ctx, id)

contrib/99designs/gqlgen/option.go

@@ -9,6 +9,7 @@ import (
 	"math"
 
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/globalconfig"
+	"gopkg.in/DataDog/dd-trace-go.v1/internal/namingschema"
 )
 
 const defaultServiceName = "graphql"
@@ -22,7 +23,11 @@ type config struct {
 type Option func(t *config)
 
 func defaults(t *config) {
-	t.serviceName = defaultServiceName
+	t.serviceName = namingschema.NewServiceNameSchema(
+		"",
+		defaultServiceName,
+		namingschema.WithVersionOverride(namingschema.SchemaV0, defaultServiceName),
+	).GetName()
 	t.analyticsRate = globalconfig.AnalyticsRate()
 }
 

contrib/99designs/gqlgen/tracer.go

@@ -47,13 +47,14 @@ import (
 	"strings"
 	"time"
 
-	"github.com/99designs/gqlgen/graphql"
-	"github.com/vektah/gqlparser/v2/ast"
-
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/ext"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
+	"gopkg.in/DataDog/dd-trace-go.v1/internal/namingschema"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/telemetry"
+
+	"github.com/99designs/gqlgen/graphql"
+	"github.com/vektah/gqlparser/v2/ast"
 )
 
 const componentName = "99designs/gqlgen"
@@ -63,8 +64,6 @@ func init() {
 }
 
 const (
-	defaultGraphqlOperation = "graphql.request"
-
 	readOp       = "graphql.read"
 	parsingOp    = "graphql.parse"
 	validationOp = "graphql.validate"
@@ -106,7 +105,6 @@ func (t *gqlTracer) InterceptResponse(ctx context.Context, next graphql.Response
 	var (
 		octx *graphql.OperationContext
 	)
-	name := defaultGraphqlOperation
 	if graphql.HasOperationContext(ctx) {
 		// Variables in the operation will be left out of the tags
 		// until obfuscation is implemented in the agent.
@@ -118,15 +116,14 @@ func (t *gqlTracer) InterceptResponse(ctx context.Context, next graphql.Response
 				// Return early and do not create these spans.
 				return next(ctx)
 			}
-			name = fmt.Sprintf("%s.%s", ext.SpanTypeGraphQL, octx.Operation.Operation)
 		}
 		if octx.RawQuery != "" {
 			opts = append(opts, tracer.ResourceName(octx.RawQuery))
 		}
 		opts = append(opts, tracer.StartTime(octx.Stats.OperationStart))
 	}
 	var span ddtrace.Span
-	span, ctx = tracer.StartSpanFromContext(ctx, name, opts...)
+	span, ctx = tracer.StartSpanFromContext(ctx, serverSpanName(octx), opts...)
 	defer func() {
 		var errs []string
 		for _, err := range graphql.GetErrors(ctx) {
@@ -157,6 +154,16 @@ func (t *gqlTracer) InterceptResponse(ctx context.Context, next graphql.Response
 	return next(ctx)
 }
 
+func serverSpanName(octx *graphql.OperationContext) string {
+	nameV0 := "graphql.request"
+	if octx != nil && octx.Operation != nil {
+		nameV0 = fmt.Sprintf("%s.%s", ext.SpanTypeGraphQL, octx.Operation.Operation)
+	}
+	return namingschema.NewGraphqlServerOp(
+		namingschema.WithVersionOverride(namingschema.SchemaV0, nameV0),
+	).GetName()
+}
+
 // Ensure all of these interfaces are implemented.
 var _ interface {
 	graphql.HandlerExtension