Merge branch 'master' into smola/enable-api-security-by-default

Author: smola

benchmark/Dockerfile

@@ -1,14 +1,20 @@
 # Petclinic download and compilation stage
 FROM eclipse-temurin:17-jammy as petclinic
 
+ARG SPRING_PETCLINIC_COMMIT=cefaf55dd124d0635abfe857c3c99a3d3ea62017
+
 RUN apt-get update \
   && apt-get -y install git  \
   && apt-get -y clean \
   && rm -rf /var/lib/apt/lists/*
 
-RUN git clone --depth 1 --branch main --single-branch https://github.com/spring-projects/spring-petclinic.git \
-  && cd spring-petclinic \
-  && ./mvnw dependency:go-offline
+RUN set -eux;\
+  git init spring-petclinic;\
+  cd spring-petclinic;\
+  git remote add origin https://github.com/spring-projects/spring-petclinic.git;\
+  git fetch --depth 1 origin ${SPRING_PETCLINIC_COMMIT};\
+  git checkout ${SPRING_PETCLINIC_COMMIT};\
+  ./mvnw dependency:go-offline
 
 RUN cd spring-petclinic \
   && ./mvnw package -Dmaven.test.skip=true \

benchmark/load/petclinic/benchmark.json

@@ -30,12 +30,6 @@
         "JAVA_OPTS": "-javaagent:${TRACER} -Ddd.appsec.enabled=true"
       }
     },
-    "appsec_no_iast": {
-      "env": {
-        "VARIANT": "appsec_no_iast",
-        "JAVA_OPTS": "-javaagent:${TRACER} -Ddd.appsec.enabled=true -Ddd.iast.enabled=false"
-      }
-    },
     "iast": {
       "env": {
         "VARIANT": "iast",

benchmark/startup/petclinic/benchmark.json

@@ -24,12 +24,6 @@
         "JAVA_OPTS": "-Ddd.appsec.enabled=true"
       }
     },
-    "appsec_no_iast": {
-      "env": {
-        "VARIANT": "appsec",
-        "JAVA_OPTS": "-Ddd.appsec.enabled=true -Ddd.iast.enabled=false"
-      }
-    },
     "iast": {
       "env": {
         "VARIANT": "iast",

dd-java-agent/src/main/java/datadog/trace/bootstrap/AgentBootstrap.java

@@ -46,6 +46,7 @@
 public final class AgentBootstrap {
   static final String LIB_INJECTION_ENABLED_ENV_VAR = "DD_INJECTION_ENABLED";
   static final String LIB_INJECTION_FORCE_SYS_PROP = "dd.inject.force";
+  static final String LIB_INSTRUMENTATION_SOURCE_SYS_PROP = "dd.instrumentation.source";
 
   private static final Class<?> thisClass = AgentBootstrap.class;
   private static final int MAX_EXCEPTION_CHAIN_LENGTH = 99;
@@ -134,6 +135,12 @@ private static void agentmainImpl(
       return;
     }
 
+    if (getConfig(LIB_INJECTION_ENABLED_ENV_VAR)) {
+      recordInstrumentationSource("ssi");
+    } else {
+      recordInstrumentationSource("cmd_line");
+    }
+
     final URL agentJarURL = installAgentJar(inst);
     final Class<?> agentClass;
     try {
@@ -164,6 +171,10 @@ static boolean getConfig(String configName) {
     }
   }
 
+  private static void recordInstrumentationSource(String source) {
+    SystemUtils.trySetProperty(LIB_INSTRUMENTATION_SOURCE_SYS_PROP, source);
+  }
+
   static boolean exceptionCauseChainContains(Throwable ex, String exClassName) {
     Set<Throwable> stack = Collections.newSetFromMap(new IdentityHashMap<>());
     Throwable t = ex;

dd-java-agent/src/main/java/datadog/trace/bootstrap/SystemUtils.java

@@ -23,6 +23,14 @@ public static String tryGetProperty(String property) {
     }
   }
 
+  public static String trySetProperty(String property, String value) {
+    try {
+      return System.setProperty(property, value);
+    } catch (SecurityException e) {
+      return null;
+    }
+  }
+
   public static String getPropertyOrDefault(String property, String defaultValue) {
     try {
       return System.getProperty(property, defaultValue);

dd-java-agent/src/test/groovy/datadog/trace/agent/InstrumenterUnloadTest.groovy

@@ -26,16 +26,26 @@ class InstrumenterUnloadTest extends Specification {
       , ["DD_API_KEY": API_KEY]
       , new PrintStream(testOutput))
 
-    int unloadCount = 0
+    boolean canaryUnloaded = false
+    int unloadedInstrumentationCount = 0
     new ByteArrayInputStream((testOutput.toByteArray())).eachLine {
       System.out.println(it)
+      if (it =~ /(?i)unload.*Canary/) {
+        canaryUnloaded = true
+      }
       if (it =~ /(?i)unload.* datadog.trace.instrumentation./) {
-        unloadCount++
+        unloadedInstrumentationCount++
       }
     }
 
+    if (!canaryUnloaded) {
+      System.out.println("WARNING: Canary class was not unloaded!")
+    }
+
     then:
     returnCode == 0
-    unloadCount > 0
+    // skip check if we couldn't even unload our Canary class, as that
+    // indicates full GC didn't happen enough to trigger any unloading
+    !canaryUnloaded || unloadedInstrumentationCount > 0
   }
 }

dd-java-agent/src/test/java/jvmbootstraptest/UnloadingChecker.java

@@ -1,13 +1,32 @@
 package jvmbootstraptest;
 
+import static java.util.concurrent.TimeUnit.MINUTES;
+
 import datadog.trace.test.util.GCUtils;
+import java.lang.management.ClassLoadingMXBean;
+import java.lang.management.ManagementFactory;
 
 public class UnloadingChecker {
-  public static void main(final String[] args) {
-    try {
-      GCUtils.awaitGC();
-    } catch (InterruptedException e) {
-      e.printStackTrace();
+  static class Canary {}
+
+  public static void main(final String[] args) throws Exception {
+    ClassLoadingMXBean classLoadingMXBean = ManagementFactory.getClassLoadingMXBean();
+    long initialUnloadCount = classLoadingMXBean.getUnloadedClassCount();
+
+    // load an isolated class which we know can be unloaded after a full GC
+    new IsolatingClassLoader().loadClass("jvmbootstraptest.UnloadingChecker$Canary");
+
+    long waitNanos = MINUTES.toNanos(2);
+    long startNanos = System.nanoTime();
+
+    while (System.nanoTime() - startNanos < waitNanos) {
+      try {
+        GCUtils.awaitGC();
+      } catch (Throwable ignore) {
+      }
+      if (initialUnloadCount < classLoadingMXBean.getUnloadedClassCount()) {
+        break; // some class unloading has taken place, stop and check results
+      }
     }
   }
 }

dd-smoke-tests/jboss-modules/build.gradle

@@ -1,4 +1,9 @@
 
+ext {
+  // see https://datadoghq.atlassian.net/wiki/x/H4S2NQE
+  excludeJdk = ['IBM8']
+}
+
 apply from: "$rootDir/gradle/java.gradle"
 description = 'JBoss Modules Smoke Tests.'
 

dd-trace-api/src/main/java/datadog/trace/api/ConfigDefaults.java

@@ -240,6 +240,9 @@ public final class ConfigDefaults {
   static final boolean DEFAULT_TELEMETRY_LOG_COLLECTION_ENABLED = true;
   static final int DEFAULT_TELEMETRY_DEPENDENCY_RESOLUTION_QUEUE_SIZE = 100000;
 
+  static final boolean DEFAULT_SSI_INJECTION_FORCE = false;
+  static final String DEFAULT_INSTRUMENTATION_SOURCE = "manual";
+
   static final Set<String> DEFAULT_TRACE_EXPERIMENTAL_FEATURES_ENABLED =
       new HashSet<>(
           asList("DD_TAGS", "DD_LOGS_INJECTION", "DD_EXPERIMENTAL_PROPAGATE_PROCESS_TAGS_ENABLED"));

dd-trace-api/src/main/java/datadog/trace/api/config/GeneralConfig.java

@@ -103,5 +103,9 @@ public final class GeneralConfig {
 
   public static final String STACK_TRACE_LENGTH_LIMIT = "stack.trace.length.limit";
 
+  public static final String SSI_INJECTION_ENABLED = "injection.enabled";
+  public static final String SSI_INJECTION_FORCE = "inject.force";
+  public static final String INSTRUMENTATION_SOURCE = "instrumentation.source";
+
   private GeneralConfig() {}
 }