.github/workflows/main-branch-tests.yml

@@ -25,7 +25,7 @@ jobs:
   multios-unit-tests:
     strategy:
       matrix:
-        runs-on: [ macos-latest, windows-latest, ubuntu-latest ]
+        runs-on: [ macos-latest, windows-2019, ubuntu-latest ]
         go-version: ["1.19", "1.20", "1.21"]
       fail-fast: false
     uses: ./.github/workflows/multios-unit-tests.yml

.github/workflows/multios-unit-tests.yml

@@ -20,7 +20,7 @@ on:
 
 jobs:
   test-multi-os:
-    runs-on: ${{ inputs.runs-on }}
+    runs-on: "${{ (inputs.go-version == '1.19' && inputs.runs-on == 'windows-latest') && 'windows-2019' || inputs.runs-on }}"
     env:
       REPORT: gotestsum-report.xml # path to where test results will be saved
     steps:

.github/workflows/pull-request.yml

@@ -5,6 +5,9 @@ on:
     branches:
       - "**"
   merge_group:
+  push:
+    branches:
+      - 'mq-working-branch-**'
 
 concurrency: 
   group: ${{ github.ref }}

.github/workflows/unit-integration-tests.yml

@@ -51,6 +51,8 @@ jobs:
           DD_APM_ENABLED: true
           DD_BIND_HOST: "0.0.0.0"
           DD_API_KEY: "invalid_key_but_this_is_fine"
+          DD_TEST_AGENT_HOST: "localhost"
+          DD_TEST_AGENT_PORT: 9126
         # We need to specify a custom health-check. By default, this container will remain "unhealthy" since
         # we don't fully configure it with a valid API key (and possibly other reasons)
         # This command just checks for our ability to connect to port 8126
@@ -59,6 +61,18 @@ jobs:
         ports:
           - 8125:8125/udp
           - 8126:8126
+      testagent:
+        image: ghcr.io/datadog/dd-apm-test-agent/ddapm-test-agent:v1.11.0
+        ports:
+          - 9126:9126
+        env:
+          LOG_LEVEL: DEBUG
+          TRACE_LANGUAGE: golang
+          ENABLED_CHECKS: trace_stall,trace_count_header,trace_peer_service,trace_dd_service
+          PORT: 9126
+          DD_SUPPRESS_TRACE_PARSE_ERRORS: true
+          DD_POOL_TRACE_CHECK_FAILURES: true
+          DD_DISABLE_ERROR_RESPONSES: true
       cassandra:
         image: cassandra:3.7
         env:
@@ -188,6 +202,34 @@ jobs:
         shell: bash
         run: bash <(curl -s https://codecov.io/bash)
 
+      - name: Get Datadog APM Test Agent Logs
+        if: always()
+        shell: bash
+        run: docker logs ${{ job.services.testagent.id }}
+
+      - name: Get Datadog APM Test Agent Trace Check Summary Results
+        if: always()
+        shell: bash
+        run: |
+              RESPONSE=$(curl -s -w "\n%{http_code}" -o response.txt "http://127.0.0.1:9126/test/trace_check/failures?return_all=true")
+              RESPONSE_CODE=$(echo "$RESPONSE" | awk 'END {print $NF}')
+              SUMMARY_RESPONSE=$(curl -s -w "\n%{http_code}" -o summary_response.txt "http://127.0.0.1:9126/test/trace_check/summary?return_all=true")
+              SUMMARY_RESPONSE_CODE=$(echo "$SUMMARY_RESPONSE" | awk 'END {print $NF}')
+              if [[ $RESPONSE_CODE -eq 200 ]]; then
+                  echo " "
+                  cat response.txt
+                  echo " - All APM Test Agent Check Traces returned successful!"
+                  echo "APM Test Agent Check Traces Summary Results:"
+                  cat summary_response.txt | jq "."
+              else
+                  echo "APM Test Agent Check Traces failed with response code: $RESPONSE_CODE"
+                  echo "Failures:"
+                  cat response.txt
+                  echo "APM Test Agent Check Traces Summary Results:"
+                  cat summary_response.txt | jq "."
+                  exit 1
+              fi
+
       - name: Testing outlier google.golang.org/api
         run: |
               go get google.golang.org/api@v0.121.0 # version used to generate code

SECURITY.md

@@ -15,4 +15,15 @@ However, these scanners can report false positives if the vulnerabilities affect
 
 Given this information, please file an issue if you feel that golang.org/x/vuln/vulncheck has given a false negative and that our code is using a vulnerable function such that users of our code could be affected.
 
-If you have found a security issue in our code directly, please contact the security team at security@datadoghq.com, rather than filing a public issue.
+If you have found a security issue in our code directly, please contact the security team at security@datadoghq.com, rather than filing a public issue.
+
+## Vulnerabilities in Contrib Dependencies
+
+If you are using a vulnerability checker other than `golang.org/x/vuln/vulncheck` you may detect vulnerabilities in our contrib dependencies.
+In general we like to specify non-vulnerable minimum versions of dependencies when we can do so in a non-breaking way. To avoid breaking users of this library
+there may be contrib libraries that are deprecated/vulnerable but still appear in our go.mod file. If you are not using these contrib packages you are not vulnerable (i.e. if they do not appear in your go.sum file).
+At the next major version we will drop support for these packages. (e.g. as of dd-trace-go@v1 labstack/echo v3 is considered deprecated and users should migrate to labstack/echo.v4)
+
+Note that since library go.mod files only specify minimum version requirements you are welcome to specify a newer version of any dependencies to satisfy your tooling.
+For example, if you would like to require a library like `github.com/labstack/echo/v4` use version v4.10.0 you can do so by running `go get github.com/labstack/echo/v4@v4.10.0`.
+Additional documentation and details can be found [here](https://go.dev/ref/mod#go-get).

contrib/google.golang.org/grpc/appsec_test.go

@@ -30,15 +30,21 @@ func TestAppSec(t *testing.T) {
 		t.Skip("appsec disabled")
 	}
 
-	rig, err := newRig(false)
-	require.NoError(t, err)
-	defer rig.Close()
+	setup := func() (FixtureClient, mocktracer.Tracer, func()) {
+		rig, err := newRig(false)
+		require.NoError(t, err)
+
+		mt := mocktracer.Start()
 
-	client := rig.client
+		return rig.client, mt, func() {
+			rig.Close()
+			mt.Stop()
+		}
+	}
 
 	t.Run("unary", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
+		client, mt, cleanup := setup()
+		defer cleanup()
 
 		// Send a XSS attack in the payload along with the canary value in the RPC metadata
 		ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("dd-canary", "dd-test-scanner-log"))
@@ -58,8 +64,8 @@ func TestAppSec(t *testing.T) {
 	})
 
 	t.Run("stream", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
+		client, mt, cleanup := setup()
+		defer cleanup()
 
 		// Send a XSS attack in the payload along with the canary value in the RPC metadata
 		ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("dd-canary", "dd-test-scanner-log"))
@@ -110,15 +116,21 @@ func TestBlocking(t *testing.T) {
 		t.Skip("appsec disabled")
 	}
 
-	rig, err := newRig(false)
-	require.NoError(t, err)
-	defer rig.Close()
+	setup := func() (FixtureClient, mocktracer.Tracer, func()) {
+		rig, err := newRig(false)
+		require.NoError(t, err)
 
-	client := rig.client
+		mt := mocktracer.Start()
+
+		return rig.client, mt, func() {
+			rig.Close()
+			mt.Stop()
+		}
+	}
 
 	t.Run("unary-block", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
+		client, mt, cleanup := setup()
+		defer cleanup()
 
 		// Send a XSS attack in the payload along with the canary value in the RPC metadata
 		ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("dd-canary", "dd-test-scanner-log", "x-client-ip", "1.2.3.4"))
@@ -136,8 +148,8 @@ func TestBlocking(t *testing.T) {
 	})
 
 	t.Run("unary-no-block", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
+		client, _, cleanup := setup()
+		defer cleanup()
 
 		// Send a XSS attack in the payload along with the canary value in the RPC metadata
 		ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("dd-canary", "dd-test-scanner-log", "x-client-ip", "1.2.3.5"))
@@ -148,8 +160,8 @@ func TestBlocking(t *testing.T) {
 	})
 
 	t.Run("stream-block", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
+		client, mt, cleanup := setup()
+		defer cleanup()
 
 		ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("dd-canary", "dd-test-scanner-log", "x-client-ip", "1.2.3.4"))
 		stream, err := client.StreamPing(ctx)
@@ -168,8 +180,8 @@ func TestBlocking(t *testing.T) {
 	})
 
 	t.Run("stream-no-block", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
+		client, _, cleanup := setup()
+		defer cleanup()
 
 		ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("dd-canary", "dd-test-scanner-log", "x-client-ip", "1.2.3.5"))
 		stream, err := client.StreamPing(ctx)
@@ -197,14 +209,21 @@ func TestUserBlocking(t *testing.T) {
 		t.Skip("appsec disabled")
 	}
 
-	rig, err := newAppsecRig(false)
-	require.NoError(t, err)
-	defer rig.Close()
-	client := rig.client
+	setup := func() (FixtureClient, mocktracer.Tracer, func()) {
+		rig, err := newAppsecRig(false)
+		require.NoError(t, err)
 
-	t.Run("unary-block", func(t *testing.T) {
 		mt := mocktracer.Start()
-		defer mt.Stop()
+
+		return rig.client, mt, func() {
+			rig.Close()
+			mt.Stop()
+		}
+	}
+
+	t.Run("unary-block", func(t *testing.T) {
+		client, mt, cleanup := setup()
+		defer cleanup()
 
 		// Send a XSS attack in the payload along with the canary value in the RPC metadata
 		ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("user-id", "blocked-user-1"))
@@ -223,8 +242,8 @@ func TestUserBlocking(t *testing.T) {
 	})
 
 	t.Run("unary-no-block", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
+		client, _, cleanup := setup()
+		defer cleanup()
 
 		ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("user-id", "legit user"))
 		reply, err := client.Ping(ctx, &FixtureRequest{Name: "<script>alert('xss');</script>"})
@@ -236,8 +255,8 @@ func TestUserBlocking(t *testing.T) {
 	// This test checks that IP blocking happens BEFORE user blocking, since user blocking needs the request handler
 	// to be invoked while IP blocking doesn't
 	t.Run("unary-mixed-block", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
+		client, mt, cleanup := setup()
+		defer cleanup()
 
 		ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("user-id", "blocked-user-1", "x-forwarded-for", "1.2.3.4"))
 		reply, err := client.Ping(ctx, &FixtureRequest{})
@@ -253,8 +272,8 @@ func TestUserBlocking(t *testing.T) {
 	})
 
 	t.Run("stream-block", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
+		client, mt, cleanup := setup()
+		defer cleanup()
 
 		ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("user-id", "blocked-user-1"))
 		stream, err := client.StreamPing(ctx)
@@ -273,8 +292,8 @@ func TestUserBlocking(t *testing.T) {
 	})
 
 	t.Run("stream-no-block", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
+		client, _, cleanup := setup()
+		defer cleanup()
 
 		ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("user-id", "legit user"))
 		stream, err := client.StreamPing(ctx)
@@ -293,8 +312,8 @@ func TestUserBlocking(t *testing.T) {
 	// This test checks that IP blocking happens BEFORE user blocking, since user blocking needs the request handler
 	// to be invoked while IP blocking doesn't
 	t.Run("stream-mixed-block", func(t *testing.T) {
-		mt := mocktracer.Start()
-		defer mt.Stop()
+		client, mt, cleanup := setup()
+		defer cleanup()
 
 		ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("user-id", "blocked-user-1", "x-forwarded-for", "1.2.3.4"))
 		stream, err := client.StreamPing(ctx)

contrib/google.golang.org/grpc/grpc_test.go

@@ -39,11 +39,6 @@ import (
 func TestUnary(t *testing.T) {
 	assert := assert.New(t)
 
-	rig, err := newRig(true, WithServiceName("grpc"), WithRequestTags())
-	require.NoError(t, err, "error setting up rig")
-	defer rig.Close()
-	client := rig.client
-
 	for name, tt := range map[string]struct {
 		message     string
 		error       bool
@@ -67,6 +62,11 @@ func TestUnary(t *testing.T) {
 		},
 	} {
 		t.Run(name, func(t *testing.T) {
+			rig, err := newRig(true, WithServiceName("grpc"), WithRequestTags())
+			require.NoError(t, err, "error setting up rig")
+			defer rig.Close()
+			client := rig.client
+
 			mt := mocktracer.Start()
 			defer mt.Stop()
 

contrib/internal/fasthttptrace/fasthttpheaderscarrier.go

@@ -0,0 +1,41 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016 Datadog, Inc.
+
+package fasthttptrace
+
+import (
+	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
+
+	"github.com/valyala/fasthttp"
+)
+
+// FastHTTPHeadersCarrier implements tracer.TextMapWriter and tracer.TextMapReader on top
+// of fasthttp's RequestHeader object, allowing it to be used as a span context carrier for
+// distributed tracing.
+type FastHTTPHeadersCarrier struct {
+	ReqHeader *fasthttp.RequestHeader
+}
+
+var _ tracer.TextMapWriter = (*FastHTTPHeadersCarrier)(nil)
+var _ tracer.TextMapReader = (*FastHTTPHeadersCarrier)(nil)
+
+// ForeachKey iterates over fasthttp request header keys and values
+func (f *FastHTTPHeadersCarrier) ForeachKey(handler func(key, val string) error) error {
+	keys := f.ReqHeader.PeekKeys()
+	for _, key := range keys {
+		sKey := string(key)
+		v := f.ReqHeader.Peek(sKey)
+		if err := handler(sKey, string(v)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Set adds the given value to request header for key. Key will be lowercased to match
+// the metadata implementation.
+func (f *FastHTTPHeadersCarrier) Set(key, val string) {
+	f.ReqHeader.Set(key, val)
+}