Merge remote-tracking branch 'origin/master' into typo/evaluator-type-mismatch

Author: typotter

.github/dependabot.yml

@@ -1,36 +1,38 @@
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 version: 2
 updates:
-- package-ecosystem: github-actions
-  directory: /
-  schedule:
-    interval: weekly
-  labels:
-  - 'comp: tooling'
-  - 'tag: dependencies'
-  - 'tag: no release notes'
-  commit-message:
-    prefix: 'chore(ci): '
-  groups:
-    gh-actions-packages:
-      patterns:
-      - '*'
-  cooldown:
-    default-days: 14
-- package-ecosystem: gradle
-  directory: /
-  schedule:
-    interval: weekly
-  allow:
-  - dependency-name: gradle
-  ignore:
-  - dependency-name: gradle
-    update-types:
-    - version-update:semver-major
-  labels:
-  - 'comp: tooling'
-  - 'tag: dependencies'
-  - 'tag: no release notes'
-  commit-message:
-    prefix: 'chore(build): '
-  cooldown:
-    default-days: 14
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'comp: tooling'
+      - 'tag: dependencies'
+      - 'tag: no release notes'
+    commit-message:
+      prefix: 'chore(ci): '
+    groups:
+      gh-actions-packages:
+        patterns:
+          - '*'
+    cooldown:
+      default-days: 2
+
+  - package-ecosystem: gradle
+    directory: /
+    schedule:
+      interval: weekly
+    allow:
+      - dependency-name: gradle
+    ignore:
+      - dependency-name: gradle
+        update-types:
+          - version-update:semver-major
+    labels:
+      - 'comp: tooling'
+      - 'tag: dependencies'
+      - 'tag: no release notes'
+    commit-message:
+      prefix: 'chore(build): '
+    cooldown:
+      default-days: 2

.github/workflows/analyze-changes.yaml

@@ -20,7 +20,7 @@ jobs:
         with:
           submodules: 'recursive'
       - name: Cache Gradle dependencies
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ~/.gradle/caches
@@ -30,7 +30,7 @@ jobs:
             ${{ runner.os }}-gradle-
         
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           languages: 'java'
           build-mode: 'manual'
@@ -43,7 +43,7 @@ jobs:
           ./gradlew clean :dd-java-agent:shadowJar --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Perform CodeQL Analysis and upload results to GitHub Security tab
-        uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
 
   trivy:
     name: Analyze changes with Trivy
@@ -60,7 +60,7 @@ jobs:
           submodules: 'recursive'
 
       - name: Cache Gradle dependencies
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ~/.gradle/caches
@@ -102,7 +102,7 @@ jobs:
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/run-system-tests.yaml

@@ -30,7 +30,7 @@ jobs:
           fetch-depth: 0
 
       - name: Cache Gradle dependencies
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ~/.gradle/caches

communication/gradle.lockfile

@@ -36,7 +36,7 @@ com.thoughtworks.qdox:qdox:1.12.1=codenarc
 commons-fileupload:commons-fileupload:1.5=testCompileClasspath,testRuntimeClasspath
 commons-io:commons-io:2.11.0=testCompileClasspath,testRuntimeClasspath
 commons-io:commons-io:2.20.0=spotbugs
-de.thetaphi:forbiddenapis:3.10=compileClasspath
+de.thetaphi:forbiddenapis:3.10=compileClasspath,testCompileClasspath,testRuntimeClasspath
 io.leangen.geantyref:geantyref:1.3.16=testRuntimeClasspath
 jaxen:jaxen:2.0.0=spotbugs
 junit:junit:4.12=testCompileClasspath,testRuntimeClasspath

dd-java-agent/agent-aiguard/gradle.lockfile

@@ -36,7 +36,7 @@ com.vaadin.external.google:android-json:0.0.20131108.vaadin1=testCompileClasspat
 commons-fileupload:commons-fileupload:1.5=testCompileClasspath,testRuntimeClasspath
 commons-io:commons-io:2.11.0=testCompileClasspath,testRuntimeClasspath
 commons-io:commons-io:2.20.0=spotbugs
-de.thetaphi:forbiddenapis:3.10=compileClasspath
+de.thetaphi:forbiddenapis:3.10=compileClasspath,testCompileClasspath,testRuntimeClasspath
 io.leangen.geantyref:geantyref:1.3.16=testRuntimeClasspath
 jaxen:jaxen:2.0.0=spotbugs
 net.bytebuddy:byte-buddy-agent:1.18.3=testCompileClasspath,testRuntimeClasspath

dd-java-agent/agent-aiguard/src/main/java/com/datadog/aiguard/AIGuardInternal.java

@@ -73,6 +73,7 @@ public BadConfigurationException(final String message) {
   static final String META_STRUCT_MESSAGES = "messages";
   static final String META_STRUCT_CATEGORIES = "attack_categories";
   static final String META_STRUCT_SDS = "sds";
+  static final String META_STRUCT_TAG_PROBS = "tag_probs";
 
   public static void install() {
     final Config config = Config.get();
@@ -258,13 +259,18 @@ public Evaluation evaluate(final List<Message> messages, final Options options)
         final List<String> tags = (List<String>) result.get("tags");
         @SuppressWarnings("unchecked")
         final List<?> sdsFindings = (List<?>) result.get("sds_findings");
+        @SuppressWarnings("unchecked")
+        final Map<String, Number> tagProbs = (Map<String, Number>) result.get("tag_probs");
         span.setTag(ACTION_TAG, action);
         if (reason != null) {
           span.setTag(REASON_TAG, reason);
         }
         if (tags != null && !tags.isEmpty()) {
           metaStruct.put(META_STRUCT_CATEGORIES, tags);
         }
+        if (tagProbs != null && !tagProbs.isEmpty()) {
+          metaStruct.put(META_STRUCT_TAG_PROBS, tagProbs);
+        }
         if (sdsFindings != null && !sdsFindings.isEmpty()) {
           metaStruct.put(META_STRUCT_SDS, sdsFindings);
         }
@@ -273,9 +279,9 @@ public Evaluation evaluate(final List<Message> messages, final Options options)
         WafMetricCollector.get().aiGuardRequest(action, shouldBlock);
         if (shouldBlock) {
           span.setTag(BLOCKED_TAG, true);
-          throw new AIGuardAbortError(action, reason, tags, sdsFindings);
+          throw new AIGuardAbortError(action, reason, tags, tagProbs, sdsFindings);
         }
-        return new Evaluation(action, reason, tags, sdsFindings);
+        return new Evaluation(action, reason, tags, tagProbs, sdsFindings);
       }
     } catch (AIGuardAbortError e) {
       span.addThrowable(e);

dd-java-agent/agent-aiguard/src/test/groovy/com/datadog/aiguard/AIGuardInternalTests.groovy

@@ -168,7 +168,7 @@ class AIGuardInternalTests extends DDSpecification {
         return mockResponse(
           request,
           200,
-          [data: [attributes: [action: suite.action, reason: suite.reason, tags: suite.tags ?: [], is_blocking_enabled: suite.blocking]]]
+          [data: [attributes: [action: suite.action, reason: suite.reason, tags: suite.tags ?: [], tag_probs: suite.tagProbabilities ?: [:], is_blocking_enabled: suite.blocking]]]
           )
       }
     }
@@ -210,12 +210,14 @@ class AIGuardInternalTests extends DDSpecification {
       error.action == suite.action
       error.reason == suite.reason
       error.tags == suite.tags
+      error.tagProbabilities == suite.tagProbabilities
       error.sds == []
     } else {
       error == null
       eval.action == suite.action
       eval.reason == suite.reason
       eval.tags == suite.tags
+      eval.tagProbabilities == suite.tagProbabilities
       eval.sds == []
     }
     assertTelemetry('ai_guard.requests', "action:$suite.action", "block:$throwAbortError", 'error:false')
@@ -555,6 +557,9 @@ class AIGuardInternalTests extends DDSpecification {
     if (suite.tags) {
       assert meta.attack_categories == suite.tags
     }
+    if (suite.tagProbabilities)  {
+      assert meta.tag_probs == suite.tagProbabilities
+    }
     final receivedMessages = snakeCaseJson(meta.messages)
     final expectedMessages = snakeCaseJson(suite.messages)
     JSONAssert.assertEquals(expectedMessages, receivedMessages, JSONCompareMode.NON_EXTENSIBLE)
@@ -774,15 +779,17 @@ class AIGuardInternalTests extends DDSpecification {
     private final AIGuard.Action action
     private final String reason
     private final List<String> tags
+    private final Map<String, Double> tagProbabilities
     private final boolean blocking
     private final String description
     private final String target
     private final List<AIGuard.Message> messages
 
-    TestSuite(AIGuard.Action action, String reason, List<String> tags, boolean blocking, String description, String target, List<AIGuard.Message> messages) {
+    TestSuite(AIGuard.Action action, String reason, Map<String, Double> tagProbabilities, boolean blocking, String description, String target, List<AIGuard.Message> messages) {
       this.action = action
       this.reason = reason
-      this.tags = tags
+      this.tags = new ArrayList<>(tagProbabilities.keySet())
+      this.tagProbabilities = tagProbabilities
       this.blocking = blocking
       this.description = description
       this.target = target
@@ -791,9 +798,9 @@ class AIGuardInternalTests extends DDSpecification {
 
     static List<TestSuite> build() {
       def actionValues = [
-        [ALLOW, 'Go ahead', []],
-        [DENY, 'Nope', ['deny_everything', 'test_deny']],
-        [ABORT, 'Kill it with fire', ['alarm_tag', 'abort_everything']]
+        [ALLOW, 'Go ahead', [:]],
+        [DENY, 'Nope', ['deny_everything': 0.2D, 'test_deny': 0.8D]],
+        [ABORT, 'Kill it with fire', ['alarm_tag': 0.1D, 'abort_everything': 0.9D]]
       ]
       def blockingValues = [true, false]
       def suiteValues = [

dd-java-agent/agent-bootstrap/gradle.lockfile

@@ -39,7 +39,7 @@ com.thoughtworks.qdox:qdox:1.12.1=codenarc
 commons-fileupload:commons-fileupload:1.5=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-io:commons-io:2.11.0=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-io:commons-io:2.20.0=spotbugs
-de.thetaphi:forbiddenapis:3.10=compileClasspath,jmhCompileClasspath
+de.thetaphi:forbiddenapis:3.10=compileClasspath,jmhCompileClasspath,jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.leangen.geantyref:geantyref:1.3.16=jmhRuntimeClasspath,testRuntimeClasspath
 io.sqreen:libsqreen:17.3.0=jmhRuntimeClasspath,testRuntimeClasspath
 javax.servlet:javax.servlet-api:3.1.0=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -109,8 +109,8 @@ org.ow2.asm:asm-tree:9.9=jacocoAnt,spotbugs
 org.ow2.asm:asm-util:9.7.1=jmhRuntimeClasspath,testRuntimeClasspath
 org.ow2.asm:asm-util:9.9=spotbugs
 org.ow2.asm:asm:9.0=jmh,jmhCompileClasspath
-org.ow2.asm:asm:9.7.1=jmhRuntimeClasspath,testRuntimeClasspath
 org.ow2.asm:asm:9.9=jacocoAnt,spotbugs
+org.ow2.asm:asm:9.9.1=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.slf4j:jcl-over-slf4j:1.7.30=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.slf4j:jul-to-slf4j:1.7.30=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.slf4j:log4j-over-slf4j:1.7.30=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath

dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/BaseDecoratorTest.groovy

@@ -5,11 +5,16 @@ import datadog.trace.bootstrap.instrumentation.api.AgentSpan
 import datadog.trace.bootstrap.instrumentation.api.AgentSpanContext
 import datadog.trace.bootstrap.instrumentation.api.ErrorPriorities
 import datadog.trace.bootstrap.instrumentation.api.Tags
+import datadog.trace.config.inversion.ConfigHelper
 import datadog.trace.test.util.DDSpecification
 import spock.lang.Shared
 
 class BaseDecoratorTest extends DDSpecification {
 
+  def setupSpec() {
+    ConfigHelper.get().setConfigInversionStrict(ConfigHelper.StrictnessPolicy.TEST)
+  }
+
   @Shared
   def decorator = newDecorator()
 

dd-java-agent/agent-ci-visibility/civisibility-instrumentation-test-fixtures/gradle.lockfile

@@ -43,7 +43,7 @@ com.vaadin.external.google:android-json:0.0.20131108.vaadin1=compileClasspath,ru
 commons-fileupload:commons-fileupload:1.5=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-io:commons-io:2.11.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 commons-io:commons-io:2.20.0=spotbugs
-de.thetaphi:forbiddenapis:3.10=compileClasspath
+de.thetaphi:forbiddenapis:3.10=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 io.leangen.geantyref:geantyref:1.3.16=testRuntimeClasspath
 io.sqreen:libsqreen:17.3.0=runtimeClasspath,testRuntimeClasspath
 javax.servlet:javax.servlet-api:3.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
@@ -111,7 +111,7 @@ org.ow2.asm:asm-tree:9.9.1=runtimeClasspath,testRuntimeClasspath
 org.ow2.asm:asm-util:9.7.1=runtimeClasspath,testRuntimeClasspath
 org.ow2.asm:asm-util:9.9=spotbugs
 org.ow2.asm:asm:9.9=jacocoAnt,spotbugs
-org.ow2.asm:asm:9.9.1=runtimeClasspath,testRuntimeClasspath
+org.ow2.asm:asm:9.9.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.skyscreamer:jsonassert:1.5.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.slf4j:jcl-over-slf4j:1.7.30=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.slf4j:jul-to-slf4j:1.7.30=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath