Merge branch 'DataDog:master' into master

.github/workflows/README.md

@@ -28,15 +28,6 @@ _Action:_ Check the pull request complies with [the contribution guidelines](htt
 
 _Recovery:_ Manually verify the guideline compliance.
 
-### create-next-milestone [🔗](create-next-milestone.yaml)
-
-_Trigger:_ When closing a milestone.
-
-_Action:_ Create a new milestone by incrementing minor version.
-
-_Comment:_ Disabled as also covered by increment-milestone-on-tag.
-This will be removed after some testing.  
-
 ### draft-release-notes-on-tag [🔗](draft-release-notes-on-tag.yaml)
 
 _Trigger:_ When creating a tag, or manually (providing a tag)
@@ -62,6 +53,16 @@ _Recovery:_ Manually [close the related milestone and create a new one](https://
 
 _Notes:_ This action will not apply to release candidate versions using `-RC` tags.
 
+### update-docker-build-image [🔗](update-docker-build-image.yaml)
+
+_Trigger:_ Quarterly released, loosely [a day after the new image tag is created](https://github.com/DataDog/dd-trace-java-docker-build/blob/master/.github/workflows/docker-tag.yml).
+
+_Action:_ Update the Docker build image used in CircleCI and GitLab CI with the latest tag.
+
+_Recovery:_ Download artifacts and upload them manually to the related _download release_.
+
+_Notes:_  Manually trigger the action again given the desired image tag as input.
+
 ### update-download-releases [🔗](update-download-releases.yaml)
 
 _Trigger:_ When a release is published.
@@ -103,7 +104,7 @@ _Recovery:_ Manually trigger the action again.
 
 ## Code Quality and Security
 
-### analyze-changes [🔗](analyze-changes-with-github-codeql.yaml)
+### analyze-changes [🔗](analyze-changes.yaml)
 
 _Trigger:_ When pushing commits to `master` or any pull request targeting `master`.
 
@@ -121,7 +122,7 @@ _Trigger:_ When creating a PR commits to `master` or a `release/*` branch with a
 
 _Action:_ Notify the PR author through comments that about the Git Submodule update.
 
-### update-gradle-dependencies [🔗](update-gradle-dependencies.yml)
+### update-gradle-dependencies [🔗](update-gradle-dependencies.yaml)
 
 _Trigger:_ Every week or manually.
 

.github/workflows/update-docker-build-image.yaml

@@ -0,0 +1,74 @@
+name: Update Docker Build Image
+
+on:
+  schedule:
+    # A day after creating the tag from https://github.com/DataDog/dd-trace-java-docker-build/blob/master/.github/workflows/docker-tag.yml
+    - cron: '0 0 1 2,5,8,11 *'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'The tag to use for the Docker build image'
+        required: true
+        default: 'vYY.MM-base'
+
+jobs:
+  update-docker-build-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # Required to commit and push changes to a new branch
+      pull-requests: write # Required to create a pull request
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v2
+      - name: Download ghcommit CLI
+        run: |
+          curl https://github.com/planetscale/ghcommit/releases/download/v0.1.48/ghcommit_linux_amd64 -o /usr/local/bin/ghcommit -L
+          chmod +x /usr/local/bin/ghcommit
+      - name: Pick a branch name
+        id: define-branch
+        run: echo "branch=ci/update-docker-build-image-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
+      - name: Create branch
+        run: |
+          git checkout -b ${{ steps.define-branch.outputs.branch }}
+          git push -u origin ${{ steps.define-branch.outputs.branch }} --force
+      - name: Define the Docker build image tage to use
+        id: define-tag
+        run: |
+          if [ -n "${{ github.event.inputs.tag }}" ]; then
+            TAG=${{ github.event.inputs.tag }}
+          else
+            CURRENT_MONTH=$(date +%m)
+            CURRENT_YEAR=$(date +%y)
+            case $CURRENT_MONTH in
+              01) TAG_DATE="$(($CURRENT_YEAR - 1)).10" ;;
+              02|03|04) TAG_DATE="${CURRENT_YEAR}.01" ;;
+              05|06|07) TAG_DATE="${CURRENT_YEAR}.04" ;;
+              08|09|10) TAG_DATE="${CURRENT_YEAR}.07" ;;
+              11|12) TAG_DATE="${CURRENT_YEAR}.10" ;;
+            esac
+            TAG="v${TAG_DATE}-base"
+          fi
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "::notice::Using Docker build image tag: ${TAG}"
+      - name: Update the Docker build image in CircleCI config
+        run: |
+          sed -i 's|DOCKER_IMAGE_VERSION=.*|DOCKER_IMAGE_VERSION="${{ steps.define-tag.outputs.tag }}"|' .circleci/render_config.py
+      - name: Update the Docker build image in GitLab CI config
+        run: |
+          sed -i 's|image: ghcr.io/datadog/dd-trace-java-docker-build:.*|image: ghcr.io/datadog/dd-trace-java-docker-build:${{ steps.define-tag.outputs.tag }}|' .gitlab-ci.yml
+      - name: Commit and push changes
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        run: |
+          ghcommit --repository ${{ github.repository }} --branch ${{ steps.define-branch.outputs.branch }} --add .circleci/render_config.py --add .gitlab-ci.yml --message "feat(ci): Update Docker build image"
+      - name: Create pull request
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh pr create --title "Update Docker build image" \
+            --base master \
+            --head ${{ steps.define-branch.outputs.branch }} \
+            --label "comp: tooling" \
+            --label "type: enhancement" \
+            --label "tag: no release notes" \
+            --body "This PR updates the Docker build image to ${{ steps.define-tag.outputs.tag }}."

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java

@@ -25,143 +25,143 @@
 
 public interface VulnerabilityType {
 
-  BitSet DB_EXCLUDED = new BitSet(SourceTypes.SQL_TABLE);
-
   VulnerabilityType WEAK_CIPHER =
-      type(VulnerabilityTypes.WEAK_CIPHER).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.WEAK_CIPHER).excludedSources(Builder.DB_EXCLUDED).build();
   VulnerabilityType WEAK_HASH =
-      type(VulnerabilityTypes.WEAK_HASH).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.WEAK_HASH).excludedSources(Builder.DB_EXCLUDED).build();
   VulnerabilityType INSECURE_COOKIE =
       type(VulnerabilityTypes.INSECURE_COOKIE)
           .hash(VulnerabilityType::evidenceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType NO_HTTPONLY_COOKIE =
       type(VulnerabilityTypes.NO_HTTPONLY_COOKIE)
           .hash(VulnerabilityType::evidenceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType HSTS_HEADER_MISSING =
       type(VulnerabilityTypes.HSTS_HEADER_MISSING)
           .hash(VulnerabilityType::serviceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType XCONTENTTYPE_HEADER_MISSING =
       type(VulnerabilityTypes.XCONTENTTYPE_HEADER_MISSING)
           .hash(VulnerabilityType::serviceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType NO_SAMESITE_COOKIE =
       type(VulnerabilityTypes.NO_SAMESITE_COOKIE)
           .hash(VulnerabilityType::evidenceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType SQL_INJECTION =
       type(VulnerabilityTypes.SQL_INJECTION).mark(SQL_INJECTION_MARK).build();
   VulnerabilityType COMMAND_INJECTION =
       type(VulnerabilityTypes.COMMAND_INJECTION)
           .mark(COMMAND_INJECTION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType PATH_TRAVERSAL =
       type(VulnerabilityTypes.PATH_TRAVERSAL)
           .separator(File.separatorChar)
           .mark(PATH_TRAVERSAL_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType LDAP_INJECTION =
       type(VulnerabilityTypes.LDAP_INJECTION)
           .mark(LDAP_INJECTION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType SSRF =
-      type(VulnerabilityTypes.SSRF).mark(SSRF_MARK).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.SSRF).mark(SSRF_MARK).excludedSources(Builder.DB_EXCLUDED).build();
   VulnerabilityType UNVALIDATED_REDIRECT =
       type(VulnerabilityTypes.UNVALIDATED_REDIRECT)
           .mark(UNVALIDATED_REDIRECT_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType WEAK_RANDOMNESS =
-      type(VulnerabilityTypes.WEAK_RANDOMNESS).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.WEAK_RANDOMNESS).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType XPATH_INJECTION =
       type(VulnerabilityTypes.XPATH_INJECTION)
           .mark(XPATH_INJECTION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType TRUST_BOUNDARY_VIOLATION =
       type(VulnerabilityTypes.TRUST_BOUNDARY_VIOLATION)
           .mark(TRUST_BOUNDARY_VIOLATION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType XSS = type(VulnerabilityTypes.XSS).mark(XSS_MARK).build();
 
   VulnerabilityType HEADER_INJECTION =
       type(VulnerabilityTypes.HEADER_INJECTION)
           .mark(HEADER_INJECTION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType STACKTRACE_LEAK =
-      type(VulnerabilityTypes.STACKTRACE_LEAK).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.STACKTRACE_LEAK).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType VERB_TAMPERING =
-      type(VulnerabilityTypes.VERB_TAMPERING).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.VERB_TAMPERING).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType ADMIN_CONSOLE_ACTIVE =
       type(VulnerabilityTypes.ADMIN_CONSOLE_ACTIVE)
           .deduplicable(false)
           .hash(VulnerabilityType::serviceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType DEFAULT_HTML_ESCAPE_INVALID =
-      type(VulnerabilityTypes.DEFAULT_HTML_ESCAPE_INVALID).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.DEFAULT_HTML_ESCAPE_INVALID)
+          .excludedSources(Builder.DB_EXCLUDED)
+          .build();
 
   VulnerabilityType SESSION_TIMEOUT =
-      type(VulnerabilityTypes.SESSION_TIMEOUT).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.SESSION_TIMEOUT).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType DIRECTORY_LISTING_LEAK =
-      type(VulnerabilityTypes.DIRECTORY_LISTING_LEAK).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.DIRECTORY_LISTING_LEAK).excludedSources(Builder.DB_EXCLUDED).build();
   VulnerabilityType INSECURE_JSP_LAYOUT =
-      type(VulnerabilityTypes.INSECURE_JSP_LAYOUT).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.INSECURE_JSP_LAYOUT).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType HARDCODED_SECRET =
-      type(VulnerabilityTypes.HARDCODED_SECRET).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.HARDCODED_SECRET).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType INSECURE_AUTH_PROTOCOL =
       type(VulnerabilityTypes.INSECURE_AUTH_PROTOCOL)
           .hash(VulnerabilityType::evidenceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType REFLECTION_INJECTION =
       type(VulnerabilityTypes.REFLECTION_INJECTION)
           .mark(REFLECTION_INJECTION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType SESSION_REWRITING =
       type(VulnerabilityTypes.SESSION_REWRITING)
           .deduplicable(false)
           .hash(VulnerabilityType::serviceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType DEFAULT_APP_DEPLOYED =
       type(VulnerabilityTypes.DEFAULT_APP_DEPLOYED)
           .deduplicable(false)
           .hash(VulnerabilityType::serviceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType UNTRUSTED_DESERIALIZATION =
       type(VulnerabilityTypes.UNTRUSTED_DESERIALIZATION)
           .mark(UNTRUSTED_DESERIALIZATION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   /* All vulnerability types that have a mark. Should be updated if new vulnerabilityType with mark is added */
@@ -271,6 +271,13 @@ public String getName() {
   }
 
   class Builder {
+    private static final BitSet DB_EXCLUDED;
+
+    static {
+      DB_EXCLUDED = new BitSet(SourceTypes.STRINGS.length + 1);
+      DB_EXCLUDED.set(SourceTypes.SQL_TABLE);
+    }
+
     private final byte type;
     private char separator = ' ';
     private int mark = NOT_MARKED;

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/taint/Ranges.java

@@ -438,7 +438,8 @@ public static Range[] excludeRangesBySource(Range[] ranges, BitSet source) {
     RangeBuilder newRanges = new RangeBuilder(ranges.length);
 
     for (Range range : ranges) {
-      if (!source.get(range.getSource().getOrigin())) {
+      if (range.getSource().getOrigin() == SourceTypes.NONE
+          || !source.get(range.getSource().getOrigin())) {
         newRanges.add(range);
       }
     }

dd-java-agent/instrumentation/vertx-web-4.0/build.gradle

@@ -2,7 +2,11 @@
 ext {
   // vertx-web doesn't support Java 17 until v4.2
   maxJavaVersionForTests = JavaVersion.VERSION_15
-  latestDepTestMaxJavaVersionForTests = JavaVersion.VERSION_17
+  // unbound it for latest
+  latestDepTestMinJavaVersionForTests = JavaVersion.VERSION_11
+  latestDepForkedTestMinJavaVersionForTests = JavaVersion.VERSION_11
+  latestDepTestMaxJavaVersionForTests = JavaVersion.VERSION_25
+  latestDepForkedTestMaxJavaVersionForTests = JavaVersion.VERSION_25
 }
 
 apply from: "$rootDir/gradle/java.gradle"
@@ -11,12 +15,13 @@ muzzle {
   pass {
     group = 'io.vertx'
     module = "vertx-web"
-    versions = "[4.0.0,5)"
+    versions = "[4.0.0,)"
     assertInverse = true
   }
 }
 
-addTestSuiteForDir('latestDepTest', 'test')
+addTestSuiteForDir('latestDepTest', 'latestDepTest')
+addTestSuiteExtendingForDir('latestDepForkedTest', 'latestDepTest', 'latestDepTest')
 
 configurations {
   testArtifacts
@@ -45,7 +50,13 @@ dependencies {
   testRuntimeOnly project(':dd-java-agent:instrumentation:jackson-core')
   testRuntimeOnly project(':dd-java-agent:instrumentation:netty-buffer-4')
 
-  // TODO support v>=4.5
-  latestDepTestImplementation group: 'io.vertx', name: 'vertx-web', version: '4.4.+'
-  latestDepTestImplementation group: 'io.vertx', name: 'vertx-web-client', version: '4.4.+'
+  latestDepTestImplementation group: 'io.vertx', name: 'vertx-web', version: '+'
+  latestDepTestImplementation group: 'io.vertx', name: 'vertx-web-client', version: '+'
+}
+
+[compileLatestDepTestJava, compileLatestDepForkedTestJava].each {
+  setJavaVersion(it, 11)
+}
+[compileLatestDepForkedTestGroovy, compileLatestDepTestGroovy].each {
+  it.javaLauncher = getJavaLauncherFor(11)
 }