Merge branch 'master' into bdu/remove-groovy-from-buildSrc

Author: bric3

dd-java-agent/agent-aiguard/src/main/java/com/datadog/aiguard/AIGuardInternal.java

@@ -273,9 +273,9 @@ public Evaluation evaluate(final List<Message> messages, final Options options)
         WafMetricCollector.get().aiGuardRequest(action, shouldBlock);
         if (shouldBlock) {
           span.setTag(BLOCKED_TAG, true);
-          throw new AIGuardAbortError(action, reason, tags);
+          throw new AIGuardAbortError(action, reason, tags, sdsFindings);
         }
-        return new Evaluation(action, reason, tags);
+        return new Evaluation(action, reason, tags, sdsFindings);
       }
     } catch (AIGuardAbortError e) {
       span.addThrowable(e);

dd-java-agent/agent-aiguard/src/test/groovy/com/datadog/aiguard/AIGuardInternalTests.groovy

@@ -210,11 +210,13 @@ class AIGuardInternalTests extends DDSpecification {
       error.action == suite.action
       error.reason == suite.reason
       error.tags == suite.tags
+      error.sds == []
     } else {
       error == null
       eval.action == suite.action
       eval.reason == suite.reason
       eval.tags == suite.tags
+      eval.sds == []
     }
     assertTelemetry('ai_guard.requests', "action:$suite.action", "block:$throwAbortError", 'error:false')
 
@@ -411,14 +413,15 @@ class AIGuardInternalTests extends DDSpecification {
     Map<String, Object> receivedMeta
 
     when:
-    aiguard.evaluate(PROMPT, AIGuard.Options.DEFAULT)
+    final result = aiguard.evaluate(PROMPT, AIGuard.Options.DEFAULT)
 
     then:
     1 * span.setMetaStruct(AIGuardInternal.META_STRUCT_TAG, _) >> {
       receivedMeta = it[1] as Map<String, Object>
       return span
     }
     receivedMeta.sds == sdsFindings
+    result.sds == sdsFindings
   }
 
   void 'test evaluate with empty sds findings'() {
@@ -427,19 +430,41 @@ class AIGuardInternalTests extends DDSpecification {
     Map<String, Object> receivedMeta
 
     when:
-    aiguard.evaluate(PROMPT, AIGuard.Options.DEFAULT)
+    final result = aiguard.evaluate(PROMPT, AIGuard.Options.DEFAULT)
 
     then:
     1 * span.setMetaStruct(AIGuardInternal.META_STRUCT_TAG, _) >> {
       receivedMeta = it[1] as Map<String, Object>
       return span
     }
     !receivedMeta.containsKey('sds')
+    result.sds == (sdsFindings ?: [])
 
     where:
     sdsFindings << [null, []]
   }
 
+  void 'test evaluate with sds findings in abort error'() {
+    given:
+    final sdsFindings = [
+      [
+        rule_display_name: 'Credit Card Number',
+        rule_tag: 'credit_card',
+        category: 'pii',
+        matched_text: '4111111111111111',
+        location: [start_index: 10, end_index_exclusive: 26, path: 'messages[0].content[0].text']
+      ]
+    ]
+    final aiguard = mockClient(200, [data: [attributes: [action: 'ABORT', reason: 'PII detected', tags: ['pii'], sds_findings: sdsFindings, is_blocking_enabled: true]]])
+
+    when:
+    aiguard.evaluate(PROMPT, new AIGuard.Options().block(true))
+
+    then:
+    final error = thrown(AIGuard.AIGuardAbortError)
+    error.sds == sdsFindings
+  }
+
   void 'test missing tool name'() {
     given:
     final aiguard = mockClient(200, [data: [attributes: [action: 'ALLOW', reason: 'Just do it']]])

dd-java-agent/agent-ci-visibility/src/main/java/datadog/trace/civisibility/CiVisibilitySystem.java

@@ -18,6 +18,7 @@
 import datadog.trace.api.git.GitInfoProvider;
 import datadog.trace.bootstrap.ContextStore;
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
+import datadog.trace.civisibility.compiler.CompilerModuleExporter;
 import datadog.trace.civisibility.config.ExecutionSettings;
 import datadog.trace.civisibility.config.JvmInfo;
 import datadog.trace.civisibility.coverage.file.instrumentation.CoverageClassTransformer;
@@ -75,6 +76,10 @@ public static void start(Instrumentation inst, SharedCommunicationObjects sco) {
 
     sco.createRemaining(config);
 
+    if (config.isCiVisibilityCompilerPluginAutoConfigurationEnabled()) {
+      inst.addTransformer(new CompilerModuleExporter(inst));
+    }
+
     CiVisibilityMetricCollector metricCollector =
         config.isCiVisibilityTelemetryEnabled()
             ? new CiVisibilityMetricCollectorImpl()

dd-java-agent/agent-ci-visibility/src/main/java/datadog/trace/civisibility/compiler/CompilerModuleExporter.java

@@ -0,0 +1,65 @@
+package datadog.trace.civisibility.compiler;
+
+import datadog.trace.util.JDK9ModuleAccess;
+import java.lang.instrument.ClassFileTransformer;
+import java.lang.instrument.Instrumentation;
+import java.security.ProtectionDomain;
+import java.util.concurrent.ConcurrentHashMap;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Exports jdk.compiler internal packages to the classloader that loads dd-javac-plugin.
+ *
+ * <p>On JDK 16+ (strong encapsulation), dd-javac-plugin's CompilerModuleOpener uses burningwave to
+ * export these packages. On JDK 26+, burningwave fails due to Unsafe restrictions (JEP 471/498).
+ * This transformer intercepts dd-javac-plugin class loading and does the export using
+ * Instrumentation.redefineModule() instead.
+ *
+ * <p>Each Maven compilation step (compile, testCompile) may use a different classloader, so we
+ * track which classloaders have already been exported to and re-export for new ones.
+ */
+public class CompilerModuleExporter implements ClassFileTransformer {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(CompilerModuleExporter.class);
+
+  private static final String COMPILER_PLUGIN_CLASS_PREFIX = "datadog/compiler/";
+  private static final String[] COMPILER_PACKAGES = {
+    "com.sun.tools.javac.api",
+    "com.sun.tools.javac.code",
+    "com.sun.tools.javac.comp",
+    "com.sun.tools.javac.tree",
+    "com.sun.tools.javac.util"
+  };
+
+  private final Instrumentation inst;
+  private final ConcurrentHashMap<ClassLoader, Boolean> exportedClassLoaders =
+      new ConcurrentHashMap<>();
+
+  public CompilerModuleExporter(Instrumentation inst) {
+    this.inst = inst;
+  }
+
+  @Override
+  public byte[] transform(
+      ClassLoader loader,
+      String className,
+      Class<?> classBeingRedefined,
+      ProtectionDomain protectionDomain,
+      byte[] classfileBuffer) {
+    if (loader != null && className != null && className.startsWith(COMPILER_PLUGIN_CLASS_PREFIX)) {
+      exportedClassLoaders.computeIfAbsent(loader, this::exportJdkCompilerModule);
+    }
+    return null; // no bytecode modification
+  }
+
+  private Boolean exportJdkCompilerModule(ClassLoader loader) {
+    try {
+      JDK9ModuleAccess.exportModuleToUnnamedModule(inst, "jdk.compiler", COMPILER_PACKAGES, loader);
+      LOGGER.debug("Exported jdk.compiler to classloader {}", loader);
+    } catch (Throwable e) {
+      LOGGER.debug("Could not export jdk.compiler packages for compiler plugin", e);
+    }
+    return Boolean.TRUE;
+  }
+}

dd-java-agent/instrumentation/websocket/jakarta-websocket-2.0/build.gradle

@@ -22,7 +22,10 @@ dependencies {
 
   testRuntimeOnly project(":dd-java-agent:instrumentation:websocket:javax-websocket-1.0")
   testImplementation group: 'org.glassfish.tyrus', name: 'tyrus-container-inmemory', version: '2.0.0'
-  latestDepTestImplementation group: 'org.glassfish.tyrus', name: 'tyrus-container-inmemory', version: '+'
+  // `tyrus 2.3.0-M1` pulls `grizzly 5.0.0`, whose POM imports a missing `grizzly-bom 5.0.0-SNAPSHOT`.
+  // See issue: https://github.com/eclipse-ee4j/glassfish-grizzly/issues/2278
+  // This fix must be revisited once correct version of `grizzly-bom` will be released.
+  latestDepTestImplementation group: 'org.glassfish.tyrus', name: 'tyrus-container-inmemory', version: '2.2.+'
 }
 
 tasks.named('latestDepTest', Test) {

dd-smoke-tests/gradle/src/test/groovy/datadog/smoketest/GradleDaemonSmokeTest.groovy

@@ -20,9 +20,6 @@ import spock.lang.IgnoreIf
 import spock.lang.Shared
 import spock.lang.TempDir
 
-@IgnoreIf(reason = "TODO: Fix for Java 26. Javac plugin fails to populate source tags correctly.", value = {
-  JavaVirtualMachine.isJavaVersionAtLeast(26)
-})
 class GradleDaemonSmokeTest extends AbstractGradleTest {
 
   private static final String TEST_SERVICE_NAME = "test-gradle-service"

dd-smoke-tests/maven/src/test/groovy/datadog/smoketest/MavenSmokeTest.groovy

@@ -25,9 +25,6 @@ import java.util.concurrent.TimeoutException
 
 import static org.junit.jupiter.api.Assumptions.assumeTrue
 
-@IgnoreIf(reason = "TODO: Fix for Java 26. Maven compiler fails to compile the tests for Java 26-ea.", value = {
-  JavaVirtualMachine.isJavaVersionAtLeast(26)
-})
 @IgnoreIf(reason = "IBM8 has flaky AES-GCM TLS failures when downloading Maven artifacts", value = {
   JavaVirtualMachine.isIbm8()
 })

dd-smoke-tests/maven/src/test/resources/test_successful_maven_run_junit_platform_runner/pom.xml

@@ -57,7 +57,7 @@
       <dependency>
         <groupId>org.apache.groovy</groupId>
         <artifactId>groovy-bom</artifactId>
-        <version>4.0.28</version>
+        <version>4.0.30</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>

dd-trace-api/src/main/java/datadog/trace/api/aiguard/AIGuard.java

@@ -69,12 +69,15 @@ public static class AIGuardAbortError extends RuntimeException {
     private final Action action;
     private final String reason;
     private final List<String> tags;
+    private final List<?> sds;
 
-    public AIGuardAbortError(final Action action, final String reason, final List<String> tags) {
+    public AIGuardAbortError(
+        final Action action, final String reason, final List<String> tags, final List<?> sds) {
       super(reason);
       this.action = action;
       this.reason = reason;
       this.tags = tags;
+      this.sds = sds != null ? sds : Collections.emptyList();
     }
 
     public Action getAction() {
@@ -88,6 +91,10 @@ public String getReason() {
     public List<String> getTags() {
       return tags;
     }
+
+    public List<?> getSds() {
+      return sds;
+    }
   }
 
   /**
@@ -149,18 +156,22 @@ public static class Evaluation {
     final Action action;
     final String reason;
     final List<String> tags;
+    final List<?> sds;
 
     /**
      * Creates a new evaluation result.
      *
      * @param action the recommended action for the evaluated content
      * @param reason human-readable explanation for the decision
      * @param tags list of tags associated with the evaluation (e.g. indirect-prompt-injection)
+     * @param sds list of Sensitive Data Scanner findings
      */
-    public Evaluation(final Action action, final String reason, final List<String> tags) {
+    public Evaluation(
+        final Action action, final String reason, final List<String> tags, final List<?> sds) {
       this.action = action;
       this.reason = reason;
       this.tags = tags;
+      this.sds = sds != null ? sds : Collections.emptyList();
     }
 
     /**
@@ -189,6 +200,15 @@ public String getReason() {
     public List<String> getTags() {
       return tags;
     }
+
+    /**
+     * Returns the list of Sensitive Data Scanner findings.
+     *
+     * @return list of SDS findings.
+     */
+    public List<?> getSds() {
+      return sds;
+    }
   }
 
   /**

dd-trace-api/src/main/java/datadog/trace/api/aiguard/noop/NoOpEvaluator.java

@@ -13,6 +13,6 @@ public final class NoOpEvaluator implements Evaluator {
 
   @Override
   public Evaluation evaluate(final List<Message> messages, final Options options) {
-    return new Evaluation(ALLOW, "AI Guard is not enabled", emptyList());
+    return new Evaluation(ALLOW, "AI Guard is not enabled", emptyList(), emptyList());
   }
 }