Standalone ASM configuration and span tags

[iunanua]

What does this PR do?

• Add DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED env var and experimental.appsec.standalone.enabled config option
• Add calculated apmTracingEnabled config property.
• if apmTracingEnabled is false, the _dd.apm.enabled:0 tag is included in root spans.
• if appsec.standalone.enabled is true, the _dd.p.appsec span tag is included whether an appsec or iast event occurs.

Motivation

This is the first part to support Standalone ASM billing. We have divided the feature into two PRs in order to facilitate the review.

Note for APM reviewers:

opentracing/tracer.js modified to pass apmTracingEnabled flag
opentracing/span.js modified to include _dd.apm.enabled tag,
Practically the same as for traceId128BitGenerationEnabled

Plugin Checklist

• Unit tests.
• TypeScript definitions.
• TypeScript tests.
• API documentation.
• CircleCI jobs/workflows.
• Plugin is exported.

Additional Notes

[github-actions]

Overall package size

Self size: 6.51 MB
Deduped: 60.65 MB
No deduping: 60.93 MB

Dependency sizes

name	version	self size	total size
@datadog/native-iast-taint-tracking	2.1.0	14.91 MB	14.92 MB
@datadog/native-appsec	7.1.1	14.39 MB	14.4 MB
@datadog/pprof	5.3.0	9.85 MB	10.22 MB
protobufjs	7.2.5	2.77 MB	6.56 MB
@datadog/native-iast-rewriter	2.3.1	2.15 MB	2.24 MB
@opentelemetry/core	1.14.0	872.87 kB	1.47 MB
@datadog/native-metrics	2.0.0	898.77 kB	1.3 MB
@opentelemetry/api	1.8.0	1.21 MB	1.21 MB
import-in-the-middle	1.7.4	70.19 kB	739.86 kB
msgpack-lite	0.1.26	201.16 kB	281.59 kB
opentracing	0.14.7	194.81 kB	194.81 kB
semver	7.5.4	93.4 kB	123.8 kB
pprof-format	2.1.0	111.69 kB	111.69 kB
@datadog/sketches-js	2.1.0	109.9 kB	109.9 kB
lodash.sortby	4.7.0	75.76 kB	75.76 kB
lru-cache	7.14.0	74.95 kB	74.95 kB
ipaddr.js	2.1.0	60.23 kB	60.23 kB
ignore	5.2.4	51.22 kB	51.22 kB
int64-buffer	0.1.10	49.18 kB	49.18 kB
shell-quote	1.8.1	44.96 kB	44.96 kB
istanbul-lib-coverage	3.2.0	29.34 kB	29.34 kB
tlhunter-sorted-set	0.1.0	24.94 kB	24.94 kB
limiter	1.1.5	23.17 kB	23.17 kB
dc-polyfill	0.1.4	23.1 kB	23.1 kB
retry	0.13.1	18.85 kB	18.85 kB
node-abort-controller	3.1.1	16.89 kB	16.89 kB
jest-docblock	29.7.0	8.99 kB	12.76 kB
crypto-randomuuid	1.0.0	11.18 kB	11.18 kB
path-to-regexp	0.1.7	6.78 kB	6.78 kB
koalas	1.0.2	6.47 kB	6.47 kB
methods	1.1.2	5.29 kB	5.29 kB
module-details-from-path	1.0.3	4.47 kB	4.47 kB

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[iunanua]

I was tempted to name it apmTracing because of the tracing property but as it is a bool i think it's better to add the Enabled suffix

[simon-id]

agreed, but let's sync with APM on that

[pr-commenter]

Benchmarks

Benchmark execution time: 2024-05-21 14:10:28

Comparing candidate commit cb73c58 in PR branch igor/standalone-asm-config-and-tags with baseline commit f4adddc in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 262 metrics, 4 unstable metrics.

[codecov]

Codecov Report

Attention: Patch coverage is 61.11111% with 14 lines in your changes are missing coverage. Please review.

Project coverage is 63.82%. Comparing base (8f9e558) to head (626bbfa).
Report is 14 commits behind head on master.

❗ Current head 626bbfa differs from pull request most recent head 4518d52

Please upload reports for the commit 4518d52 to get more accurate results.

Files	Patch %	Lines
packages/dd-trace/src/appsec/reporter.js	27.27%	8 Missing ⚠️
...dd-trace/src/appsec/iast/vulnerability-reporter.js	40.00%	3 Missing ⚠️
packages/dd-trace/src/appsec/sdk/track_event.js	50.00%	2 Missing ⚠️
packages/dd-trace/src/appsec/standalone.js	75.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #4291       +/-   ##
===========================================
- Coverage   85.23%   63.82%   -21.41%     
===========================================
  Files         252      244        -8     
  Lines       11042    10315      -727     
  Branches       33       33               
===========================================
- Hits         9412     6584     -2828     
- Misses       1630     3731     +2101     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[CarlesDD]

Missing type for experimental.appsec.standalone.enabled in index.d.ts and test.ts

[simon-id]

why don't we just check for the singleton here too ? instead of having a whole different variable ?

[iunanua]

al the moment, apm tracing is disabled when appsec standalone is true but in the future there might be other products with the need to disable apm tracing, thats why it is a different variable.
And also if we check here the standalone singleton, opentracing span would have a dependency with appsec...

[simon-id]

naming is horrible tho, the tracing is obviously enabled, it's just changing a tag.
Also I'm not sure how useful it is to futur-proof this right now when we're still in a very experimental phase. Feels a tiny bit over-engineered no ?
And the singleton isn't really appsec, you could literally put it in config.js and it would still work the exact same. The Appsec part is just from an arbitrary path you choose

[iunanua]

I think they are two different things:

• standalone ASM is configured by DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED. It "disables" apm tracing, adds a tag when appsec events occurs and also interferes in the priority sampler to change traces priority based on span tags (appsec specific tags). So these requirements are specific to appsec, they are not generic and that's why appsec/standalone singleton is in the appsec namespace.

• Other aspect is to disable apm tracing. I know, we only include a tag in the trace root span to indicate or pretend it is disabled (but that's what RFC says). So I see this as something generic and that's why I created apmTracingEnabled config property to isolate the span context creation with appsec configuration.

I should have included an explanation like this in the PR description.

[simon-id]

• 
• 

you say the same thing twice xD

[simon-id]

let's see what APM thinks about this

[iunanua]

actually, the change would be in tracer.js as pointed out by ugaitz to continue using fields argument.

replacing tracer.js, line 37
this._apmTracingEnabled = config.apmTracingEnabled
by
this._apmTracingEnabled = config.appsec.standalone.enabled

[iunanua]

And apmTracingEnabled name is derived from the env var name proposed at the beginning in the RFC.
I'm open to suggestions if you don't like it

[simon-id]

I think overall APM should be the one to decide how they want to do this @rochdev

[iunanua]

or @Qard (as I believe you were talking about this in the guild)