Disable APM tracing (standalone billing)

index.d.ts

@@ -345,6 +345,12 @@ declare namespace tracer {
    * List of options available to the tracer.
    */
   export interface TracerOptions {
+    /**
+     * Whether to disable APM Tracing
+     * @default true
+     */
+    apmTracingEnabled?: boolean
+
     /**
      * Whether to enable trace ID injection in log records to be able to correlate
      * traces with logs.
@@ -528,6 +534,10 @@ declare namespace tracer {
       appsec?: {
         /**
          * Configuration of Standalone ASM mode
+         * Deprecated in favor of `apmTracingEnabled`.
+         *
+         * @deprecated
+         * @hidden
          */
         standalone?: {
           /**

integration-tests/standalone-asm.spec.js

@@ -47,7 +47,7 @@ describe('Standalone ASM', () => {
     function assertKeep (payload) {
       const { meta, metrics } = payload
 
-      assert.propertyVal(meta, '_dd.p.appsec', '1')
+      assert.propertyVal(meta, '_dd.p.ts', '02')
 
       assert.propertyVal(metrics, '_sampling_priority_v1', USER_KEEP)
       assert.propertyVal(metrics, '_dd.apm.enabled', 0)
@@ -57,7 +57,7 @@ describe('Standalone ASM', () => {
       const { metrics } = payload
       assert.propertyVal(metrics, '_sampling_priority_v1', AUTO_REJECT)
       assert.propertyVal(metrics, '_dd.apm.enabled', 0)
-      assert.notProperty(metrics, '_dd.p.appsec')
+      assert.notProperty(metrics, '_dd.p.ts')
     }
 
     async function doWarmupRequests (procOrUrl, number = 3) {
@@ -99,7 +99,7 @@ describe('Standalone ASM', () => {
 
           const { meta, metrics } = fifthReq[0]
           assert.notProperty(meta, 'manual.keep')
-          assert.notProperty(meta, '_dd.p.appsec')
+          assert.notProperty(meta, '_dd.p.ts')
 
           assert.propertyVal(metrics, '_sampling_priority_v1', AUTO_KEEP)
           assert.propertyVal(metrics, '_dd.apm.enabled', 0)
@@ -207,7 +207,7 @@ describe('Standalone ASM', () => {
       })
 
       // proc/propagation-with-event triggers an appsec event and calls downstream proc2/down with no event
-      it('should keep if parent trace is (prio:2, _dd.p.appsec:1) but there is no event in the local trace',
+      it('should keep if parent trace is (prio:2, _dd.p.ts:02) but there is no event in the local trace',
         async () => {
           await doWarmupRequests(proc)
           await doWarmupRequests(proc2)
@@ -284,7 +284,7 @@ describe('Standalone ASM', () => {
         const { meta, metrics } = payload[0][0]
         assert.property(meta, '_dd.iast.json') // WEAK_HASH and XCONTENTTYPE_HEADER_MISSING reported
 
-        assert.notProperty(meta, '_dd.p.appsec')
+        assert.notProperty(meta, '_dd.p.ts')
         assert.notProperty(metrics, '_dd.apm.enabled')
       })
     })
@@ -304,7 +304,7 @@ describe('Standalone ASM', () => {
         const { meta, metrics } = payload[0][0]
         assert.property(meta, '_dd.appsec.json') // crs-942-100 triggered
 
-        assert.notProperty(meta, '_dd.p.appsec')
+        assert.notProperty(meta, '_dd.p.ts')
         assert.notProperty(metrics, '_dd.apm.enabled')
       })
     })

package.json

@@ -23,7 +23,7 @@
     "test:appsec:plugins:ci": "yarn services && nyc --no-clean --include \"packages/dd-trace/src/appsec/**/*.js\" -- npm run test:appsec:plugins",
     "test:debugger": "mocha -r 'packages/dd-trace/test/setup/mocha.js' 'packages/dd-trace/test/debugger/**/*.spec.js'",
     "test:debugger:ci": "nyc --no-clean --include 'packages/dd-trace/src/debugger/**/*.js' -- npm run test:debugger",
-    "test:trace:core": "tap packages/dd-trace/test/*.spec.js \"packages/dd-trace/test/{ci-visibility,datastreams,encode,exporters,opentelemetry,opentracing,plugins,service-naming,telemetry}/**/*.spec.js\"",
+    "test:trace:core": "tap packages/dd-trace/test/*.spec.js \"packages/dd-trace/test/{ci-visibility,datastreams,encode,exporters,opentelemetry,opentracing,plugins,service-naming,standalone,telemetry}/**/*.spec.js\"",
     "test:trace:core:ci": "npm run test:trace:core -- --coverage --nyc-arg=--include=\"packages/dd-trace/src/**/*.js\"",
     "test:instrumentations": "mocha -r 'packages/dd-trace/test/setup/mocha.js' 'packages/datadog-instrumentations/test/**/*.spec.js'",
     "test:instrumentations:ci": "nyc --no-clean --include 'packages/datadog-instrumentations/src/**/*.js' -- npm run test:instrumentations",

packages/dd-trace/src/appsec/iast/index.js

@@ -21,7 +21,6 @@ const { enable: enableFsPlugin, disable: disableFsPlugin, IAST_MODULE } = requir
 const requestStart = dc.channel('dd-trace:incomingHttpRequestStart')
 const requestClose = dc.channel('dd-trace:incomingHttpRequestEnd')
 const iastResponseEnd = dc.channel('datadog:iast:response-end')
-
 let isEnabled = false
 
 function enable (config, _tracer) {

packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -3,11 +3,10 @@
 const LRU = require('lru-cache')
 const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
 const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
-const standalone = require('../standalone')
-const { SAMPLING_MECHANISM_APPSEC } = require('../../constants')
 const { keepTrace } = require('../../priority_sampler')
 const { reportStackTrace, getCallsiteFrames, canReportStackTrace, STACK_TRACE_NAMESPACES } = require('../stack_trace')
 const { getOriginalPathAndLineFromSourceMap } = require('./taint-tracking/rewriter')
+const { ASM } = require('../../standalone/product')
 
 const VULNERABILITIES_KEY = 'vulnerabilities'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
@@ -51,8 +50,7 @@ function addVulnerability (iastContext, vulnerability, callSiteFrames) {
 
   if (!span) return
 
-  keepTrace(span, SAMPLING_MECHANISM_APPSEC)
-  standalone.sample(span)
+  keepTrace(span, ASM)
 
   if (stackTraceEnabled && canReportStackTrace(span, maxStackTraces, STACK_TRACE_NAMESPACES.IAST)) {
     const originalCallSiteList = callSiteFrames.map(callsite => replaceCallSiteFromSourceMap(callsite))

packages/dd-trace/src/appsec/reporter.js

@@ -13,9 +13,8 @@ const {
   getRequestMetrics
 } = require('./telemetry')
 const zlib = require('zlib')
-const standalone = require('./standalone')
-const { SAMPLING_MECHANISM_APPSEC } = require('../constants')
 const { keepTrace } = require('../priority_sampler')
+const { ASM } = require('../standalone/product')
 
 // default limiter, configurable with setRateLimit()
 let limiter = new Limiter(100)
@@ -129,9 +128,7 @@ function reportAttack (attackData) {
   }
 
   if (limiter.isAllowed()) {
-    keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
-
-    standalone.sample(rootSpan)
+    keepTrace(rootSpan, ASM)
   }
 
   // TODO: maybe add this to format.js later (to take decision as late as possible)
@@ -186,9 +183,7 @@ function finishRequest (req, res) {
   if (metricsQueue.size) {
     rootSpan.addTags(Object.fromEntries(metricsQueue))
 
-    keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
-
-    standalone.sample(rootSpan)
+    keepTrace(rootSpan, ASM)
 
     metricsQueue.clear()
   }

packages/dd-trace/src/appsec/sdk/track_event.js

@@ -3,11 +3,10 @@
 const log = require('../../log')
 const { getRootSpan } = require('./utils')
 const { setUserTags } = require('./set_user')
-const standalone = require('../standalone')
 const waf = require('../waf')
-const { SAMPLING_MECHANISM_APPSEC } = require('../../constants')
 const { keepTrace } = require('../../priority_sampler')
 const addresses = require('../addresses')
+const { ASM } = require('../../standalone/product')
 
 function trackUserLoginSuccessEvent (tracer, user, metadata) {
   // TODO: better user check here and in _setUser() ?
@@ -79,8 +78,7 @@ function trackEvent (eventName, fields, sdkMethodName, rootSpan) {
 
   rootSpan.addTags(tags)
 
-  keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
-  standalone.sample(rootSpan)
+  keepTrace(rootSpan, ASM)
 }
 
 function runWaf (eventName, user) {

packages/dd-trace/src/appsec/user_tracking.js

@@ -5,9 +5,8 @@ const log = require('../log')
 const telemetry = require('./telemetry')
 const addresses = require('./addresses')
 const { keepTrace } = require('../priority_sampler')
-const { SAMPLING_MECHANISM_APPSEC } = require('../constants')
-const standalone = require('./standalone')
 const waf = require('./waf')
+const { ASM } = require('../standalone/product')
 
 // the RFC doesn't include '_id', but it's common in MongoDB
 const USER_ID_FIELDS = ['id', '_id', 'email', 'username', 'login', 'user']
@@ -151,8 +150,7 @@ function trackLogin (framework, login, user, success, rootSpan) {
     persistent[addresses.LOGIN_FAILURE] = null
   }
 
-  keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
-  standalone.sample(rootSpan)
+  keepTrace(rootSpan, ASM)
 
   rootSpan.addTags(newTags)
 

packages/dd-trace/src/config.js

@@ -443,6 +443,7 @@ class Config {
 
     const defaults = setHiddenProperty(this, '_defaults', {})
 
+    this._setBoolean(defaults, 'apmTracingEnabled', true)
     this._setValue(defaults, 'appsec.apiSecurity.enabled', true)
     this._setValue(defaults, 'appsec.apiSecurity.sampleDelay', 30)
     this._setValue(defaults, 'appsec.blockedTemplateGraphql', undefined)
@@ -456,7 +457,6 @@ class Config {
     this._setValue(defaults, 'appsec.rateLimit', 100)
     this._setValue(defaults, 'appsec.rules', undefined)
     this._setValue(defaults, 'appsec.sca.enabled', null)
-    this._setValue(defaults, 'appsec.standalone.enabled', undefined)
     this._setValue(defaults, 'appsec.stackTrace.enabled', true)
     this._setValue(defaults, 'appsec.stackTrace.maxDepth', 32)
     this._setValue(defaults, 'appsec.stackTrace.maxStackTraces', 2)
@@ -581,6 +581,7 @@ class Config {
       DD_AGENT_HOST,
       DD_API_SECURITY_ENABLED,
       DD_API_SECURITY_SAMPLE_DELAY,
+      DD_APM_TRACING_ENABLED,
       DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE,
       DD_APPSEC_AUTOMATED_USER_EVENTS_TRACKING,
       DD_APPSEC_ENABLED,
@@ -716,6 +717,10 @@ class Config {
     tagger.add(tags, DD_TRACE_TAGS)
     tagger.add(tags, DD_TRACE_GLOBAL_TAGS)
 
+    this._setBoolean(env, 'apmTracingEnabled', coalesce(
+      DD_APM_TRACING_ENABLED,
+      DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED && isFalse(DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED)
+    ))
     this._setBoolean(env, 'appsec.apiSecurity.enabled', coalesce(
       DD_API_SECURITY_ENABLED && isTrue(DD_API_SECURITY_ENABLED),
       DD_EXPERIMENTAL_API_SECURITY_ENABLED && isTrue(DD_EXPERIMENTAL_API_SECURITY_ENABLED)
@@ -739,7 +744,6 @@ class Config {
     this._setString(env, 'appsec.rules', DD_APPSEC_RULES)
     // DD_APPSEC_SCA_ENABLED is never used locally, but only sent to the backend
     this._setBoolean(env, 'appsec.sca.enabled', DD_APPSEC_SCA_ENABLED)
-    this._setBoolean(env, 'appsec.standalone.enabled', DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED)
     this._setBoolean(env, 'appsec.stackTrace.enabled', DD_APPSEC_STACK_TRACE_ENABLED)
     this._setValue(env, 'appsec.stackTrace.maxDepth', maybeInt(DD_APPSEC_MAX_STACK_TRACE_DEPTH))
     this._envUnprocessed['appsec.stackTrace.maxDepth'] = DD_APPSEC_MAX_STACK_TRACE_DEPTH
@@ -913,6 +917,10 @@ class Config {
 
     tagger.add(tags, options.tags)
 
+    this._setBoolean(opts, 'apmTracingEnabled', coalesce(
+      options.apmTracingEnabled,
+      options.experimental?.appsec?.standalone && !options.experimental.appsec.standalone.enabled
+    ))
     this._setBoolean(opts, 'appsec.apiSecurity.enabled', options.appsec.apiSecurity?.enabled)
     this._setValue(opts, 'appsec.blockedTemplateGraphql', maybeFile(options.appsec.blockedTemplateGraphql))
     this._setValue(opts, 'appsec.blockedTemplateHtml', maybeFile(options.appsec.blockedTemplateHtml))
@@ -927,7 +935,6 @@ class Config {
     this._setValue(opts, 'appsec.rateLimit', maybeInt(options.appsec.rateLimit))
     this._optsUnprocessed['appsec.rateLimit'] = options.appsec.rateLimit
     this._setString(opts, 'appsec.rules', options.appsec.rules)
-    this._setBoolean(opts, 'appsec.standalone.enabled', options.experimental?.appsec?.standalone?.enabled)
     this._setBoolean(opts, 'appsec.stackTrace.enabled', options.appsec.stackTrace?.enabled)
     this._setValue(opts, 'appsec.stackTrace.maxDepth', maybeInt(options.appsec.stackTrace?.maxDepth))
     this._optsUnprocessed['appsec.stackTrace.maxDepth'] = options.appsec.stackTrace?.maxDepth

packages/dd-trace/src/constants.js

@@ -34,7 +34,7 @@ module.exports = {
   SCI_REPOSITORY_URL: '_dd.git.repository_url',
   SCI_COMMIT_SHA: '_dd.git.commit.sha',
   APM_TRACING_ENABLED_KEY: '_dd.apm.enabled',
-  APPSEC_PROPAGATION_KEY: '_dd.p.appsec',
+  TRACE_SOURCE_PROPAGATION_KEY: '_dd.p.ts',
   PAYLOAD_TAG_REQUEST_PREFIX: 'aws.request.body',
   PAYLOAD_TAG_RESPONSE_PREFIX: 'aws.response.body',
   PAYLOAD_TAGGING_MAX_TAGS: 758,