Summary

This release adds the http.url tag to the list of collected security tags (documentation). This tag will now hold the full http request's URL for server requests instead of the http request's path, so be sure to check that it doesn't break anything on your side when switching over to this version.

Additionally, some more changes were made to a few contribs:

• echo.v4: it is now possible to skip tracing for some endpoints using the WithIgnoreRequest option.
• gocql: errors can now be selectively ignored using the WithErrorCheck option.
• kafka-go: tracing of the FetchMessage() reader method is now possible.

A couple of improvements and fixes can also be found in the list of changes below.

Changes

General

• go.mod: update github.com/gin-gonic/gin to v1.7.7 (#1341)
• go.mod: bump several dependency versions to avoid vulnerabilities (#1338)

Tracer

• contrib/gocql/gocql: add WithErrorCheck option (#1316)
• contrib/labstack/echo.v4: add WithIgnoreRequest option (#1356), thanks @chrusty
• contrib/segmentio/kafka-go: add tracing of FetchMessage() calls (#1283), thanks @roccoblues
• contrib/net/http: copy request in RoundTrip (#1254)
• ddtrace/tracer: fix race in SetOperationName (#1376)

ASM

• contrib: store the http request's URL in span tags (#1350)

Full Changelog: v1.39.1...v1.40.0

Summary

This release fixes a bug in the profiler library which caused the service tag to sometimes be missing from uploaded profiles. This resulted in profiles appearing on Datadog with the service name unnamed-service.

Changes

Profiler

• profiler: don't clobber tags when uploading profiles or metrics by @nsrip-dd in #1377

Full Changelog: v1.39.0...v1.39.1

Summary

With this release, the Go tracer now starts reporting a set of security monitoring tags for each server request without the need to enable ASM. Currently, the collected tags are http.client_ip, http.useragent, http.status_code and http.method, and more will come with future releases. More information about this can be found in the Datadog documentation.
Other additions include a new integration for the logrus logging package, and overriding the sampling decision of a trace
in downstream services is now possible. Additionally, a new tag aws.request_id was added to spans for the aws-sdk-go
integration. On top of this the tracer has a new option, WithUniversalVersion, which removes the limitation of having the service name
match the name defined when starting the tracer for version tracking.
Some more fixes and improvements were made which you can find in the changelog below.

Changes

Repo

• ci: rename branch v1 into main (#1313)
• go.mod: update DataDog/sketches-go to 1.2.1 (#1051)
• go.mod: update several modules to avoid security flaws (#1330)

APM

• contrib/gorm.io/gorm.v1: add context example (#1221)
• ddtrace/tracer: fixed precedence ordering of configuration options (#1232)
• ddtrace/tracer: allow changes of priority even when the root is non-local (#1241)
• contrib/net/http: add dynamic resource naming (#1142)
• aws: add request id to trace (#1266)
• ddtrace/tracer: add WithUniversalVersion option (#1272)
• contrib/sirupsen/logrus: Add context logging hook (#1240)
• ddtrace/tracer: add sample_rate_limit field to startup log. (#1230)
• ddtrace/tracer: handle parent-id header of 0 for synthetics (#1285)
• contrib/internal/httptrace: set http.host tag on request Host not URL.host (#1327)
• contrib/database/sql: sql comment tag injection experimental feature (#1226)
• internal/telemetry: add missing fields to match spec (#1354)

ASM

• contrib: store http.route in span tags (#1342)
• contrib/internal/httptrace: store IP related request headers in span tags (#1346)
• contrib/internal/httptrace: store client ip in span tags (#1328)
• contrib: refactor http request span tags and store user agent in span tags (#1286)

Profiler

• profiler: collect profiles concurrently (#1282)
• profiler: rename pid tag to process_id (#1296)

Full Changelog: v1.38.1...v1.39.0

This release contains a set of small fixes for Application Security Monitoring (ASM) and Profiler.

• ASM: fix compilation errors when CGO is disabled or when using MacOS 12.3.1 (#1261)
• Profiler: get the correct profile for the experimental goroutine wait profile (#1262)

Full Changelog: v1.38.0...v1.38.1

This release comes with new Application Security Monitoring capabilities including sensitive data obfuscation for security events, a new set of metrics to monitor the WAF execution and security rules processing, as well as the latest version of the security rules which includes NoSQL-injection monitoring.
On a side note, AppSec has been renamed to ASM (Application Security Monitoring) and will be referred to as such in the future.

On the Tracer side, the service.name tag was removed from the spans for kubernetes and the resource.name tag is now set using the context's route for gofiber/fiber.

The Profiler introduces a new CPUProfileRate option to allow users to use a specific CPU profiling rate.

Features

Tracer

• contrib/k8s.io/client-go/kubernetes: remove the tracer service tag (#1211) (thanks @meowfaceman)
• contrib/gofiber/fiber.v2: resource name should use route instead of path (#1215) (thanks @AsgerNoer)

Application Security Monitoring

• internal/appsec: security events obfuscation (#1237)
• internal/appsec/waf: add WAF and security rules monitoring metrics (#1225)
• internal/appsec: update security rules to v1.3.1 including NoSQL-injection monitoring (#1244)

Profiler

• profiler: add CPUProfileRate option (#1243)

Fixes

Tracer

• contrib/go-chi: remove the chi.v4 package in favor of chi.v5 (#1233)
• contrib/net/http: fix status reporting for empty replies (#1140)
• contrib/gin-gonic/gin: fix incomplete examples (#1212) (thanks @ajones)

Profiler

• ddtrace/tracer: update profile endpoint label when SetTag updates resource name for a span (#1203)

Full Changelog: v1.37.1...v1.38.0

This release contains fixes to the AppSec security rules where a Local-File Injection rule has been improved in order to avoid some false positives, and the monitoring of HTTP request cookies has been temporarily disabled until the AppSec obfuscator is added in the near future to the library.

Full Changelog: v1.37.0...v1.37.1

This release comes with the new AppSec capability to monitor the parsed HTTP body thanks to a new public appsec package. This package provides a function - appsec.MonitorParsedHTTPBody() - that should be called from within your http request handlers with the parsed http body payload, such as returned by json.Unmarshal(), proto.Unmarshal() or any other parser.
It also introduces support for the web framework gin, as well as the latest AppSec security rules which include the new OGNL & Cassandra injection detections.

Additionally, this update provides a new user monitoring tracing function - tracer.SetUser() - allowing to associate user attributes to a trace. This allows to add user context to traces which can then be leveraged by Datadog's monitoring, for example by identifying the user of an AppSec attack.

The profiler's code hotspots and endpoints is now enabled by default in order to connect APM traces and profiles.

Note that dd-trace-go's go.mod file has been updated to now include every dependency required by dd-trace-go and its integrations. It now lists the minimum secure versions required, according to the Go module registry of vulnerabilities.

Features

• all: commit full go.mod and go.sum files (#1188)

APM

• contrib/database/sql: fix support for drivers using deprecated interfaces (#1167)
• contrib/database/sql: trace connection time (#1154)
• contrib/gorilla/mux: provide a new function wrapper for gorilla router (#1175)
• contrib/segmentio/kafka-go: add tracing for kafka writer and reader (#1152)
• ddtrace/tracer: overall CPU & memory performance improvements (#1184, #1160, #1186, #1134, #1183)
• ddtrace/tracer: Add B3 flag to PropagatorConfig (#1148)
• ddtrace/tracer: provide a new user monitoring tracing function to associate a user to a trace (#1196)
• ddtrace/tracer: disable Datadog internal tag propagation (#1182)
• ddtrace/tracer: fix a bug with the x-datadog-tags header parser (#1155)
• ddtrace/tracer: fix top_level computation with DD_SERVICE_MAPPING (#1150)

AppSec

• contrib/gin-gonic: add AppSec monitoring of http requests and responses (#1165)
• contrib/google.golang.org/grpc: monitor grpc metadata headers (#1190)
• contrib/labstack/echo.v4: fix http response monitoring (#1177)
• appsec: provide a new function to monitor the parsed http body (#1178)
• internal/appsec/waf: fix the parsing of AppSec security rules (#1189)
• internal/appsec: update the security rules to v1.2.6, including new OGNL & Cassandra injections and various improvements (#1191)

Profiler

• profiler, ddtrace/tracer: enable code hotspots & endpoints by default with 100% CPU profiling (#1169)
• profiler: don't upload full profiles if delta profiling is enabled (#1187)
• profiler: Inc DefaultBlockRate from 10µs to 100ms (#1192)

This release contains a small patch that disables service propagation in the Tracer.

ddtrace/tracer: disable Datadog internal tag propagation (#1182)

To view the changes check out the list of commits

This version comes with the Application Security (AppSec) public beta which includes a broader security coverage of HTTP servers, now also extended to gRPC servers. It is powered by new security rules that allow monitoring the OWASP Top 10 attack attempts, such as SQL injections, Log4Shell and Server-Side Request Forgeries.

It also includes many APM tracing improvements, along with a fix for a regression introduced in v1.35.0.

Features

AppSec

• contrib/go-chi: integrate AppSec monitoring of http requests and responses (#1130)
• contrib/google.golang.org/grpc: monitor received RPC messages (#1105)
• internal/appsec: monitor HTTP response status codes (#1096)
• internal/appsec: enhanced monitoring of HTTP cookies (#1108)
• internal/appsec: monitor URL parameters of HTTP requests (#1106)
• internal/appsec: log http response headers into request spans on security events (#1107)
• internal/appsec: rate-limit AppSec traces to 100 per second (#1131)

APM Tracer

• contrib/gocql/gocql: support Scanner and Batch (#1117) (Thanks @jack-at-circle)
• contrib/go-chi option to ignore requests. (#1124) (Thanks @Anvay-Rajhansa)
• contrib/net/http: use ignoreRequest in WrapHandler (#1049)
• contrib/labstack/{echo, echo.v4}: add support for noDebugStack (#1097)
• contrib/google.golang.org/grpc: Fallback to GlobalConfig serviceName if missing (#1027) (Thanks @vasyharan)
• contrib/net/http: Add TraceAndServe and TraceConfig from contrib/internal/httputil (#1063) (Thanks @soh335)
• ddtrace/tracer: Use DD_AGENT_HOST to set trace agent hostname before querying the trace-agent for its features (#1126) (Thanks @carflo)
• ddtrace/tracer: fix tracer.StartSpanFromContext race condition on opts arg (#1127)
• ddtrace/tracer: propagate _dd.p.upstream_services tags (#1082)

Profiler

• profiler: log configuration at profiling start (#1114)

Fixes

• ddtrace/tracer: only drop P0s when client-side stats are enabled (#1139)

To view all changes check out the list of commits and the 1.36.0 milestone.

Features

• profiler: Code Hotspots and Endpoint Filtering (#966)
• profiler: Add WithDeltaProfiles() option (#1038)
• ddtrace/tracer: add support for DD_SERVICE_MAPPING (#1077)
• ddtrace/tracer: obfuscate stats (#1069)
• ddtrace/tracer: use UDS connection when relevant socket paths are available (#1048)
• ddtrace/tracer: support for DD_TRACE_ENABLED environment variable (#991)
• contrib/go-redis/redis.v8: add WithSkipRawCommand option and fix resource (#1091)
• contrib/labstack/echo.v4: add appsec integration (#1042)
• contrib/gin-gonic: add option to ignore request (#1061)
• contrib/elastic/go-elasticsearch: Add support for github.com/elastic/go-elasticsearch (#1017)
• contrib/database/sql: add Option to prevent starting new traces (#1013)
• contrib/net/http: add method RTWithSpanOptions (#1005)

Fixes

• internal/appsec: update the recommended security rules to v1.2.4 (#1098)
• contrib/internal/httputil: return correct wrapped response writer (#1078)
• internal/appsec/waf: strip libddwaf.a (#1056)

To view all changes check out new commits and the 1.35.0 milestone.