1.20.0

Breaking changes

• ⚠️🔐 Elasticsearch and Opensearch should omit params by default (#5749)
• 🐛⚠️ httpasyncclient4: fix url parsing and make host/port extraction happening (#5543)

Components

Application Security Management (IAST)

• ⚡ Use a NoOp tainted objects for vulnerabilities without context (#5786)
• ⚡ Improve performance while computing IAST metrics (#5784)
• ⚡ Check for overhead constraints in weak randomness module (#5783)
• 🐛 Fix NullPointerException in unvalidated redirect detection (#5755)
• 🐛 Set concrete types for the response instrumentation (#5714)
• 🐛 Prevent IAST from creating empty spans for duplicated vulnerabilities (#5780)
• Redact empty sensitive ranges (#5706)
• Add URLEncoder tainting support (#5656)
• Add JavaScriptUtils.javaScriptEscape tainting support (#5648)
• Add unbescape escape functions tainting support (#5647)
• Add freemarker.template.utility.StringUtil tainting support (#5645)
• Weak cipher detection in javax.crypto.KeyGenerator (#5634)
• Add more org.owasp.esapi.Encoder escape functions tainting support (#5624)
• X-Content-Type missing header vulnerability (#5571)
• HSTS missing header vulnerability detection (#5520)

Application Security Management (WAF)

• 🐛 Fix timing of appsec.blocked tag setting and double finishes (#5777)
• Enable user event tracking only when AppSec is enabled (#5756)
• 🐛 Fixed NPE in user events tracking (#5732)
• Response blocking in OpenLiberty (#5657)
• Response blocking in Netty (#5650)
• Reduce log level for WAF timeouts (#5733)

Continuous Integration Visibility

• Add basic Scala MUnit support (#5781)
• Update repo URL extraction logic for Bitbucket (#5766)
• 🐛 Make Maven test module names unique (#5762)
• 🧹 Refactor CI Visibility to better encapsulate internal APIs (#5747)
• Use DD Javac Plugin metadata to resolve method lines (#5746)
• 🐛 Exclude org.mockito package from CI Visibility code coverage by default (#5712)
• Add git command line client builder to GitInfoProvider (#5711)

Dynamic Instrumentation

• Merge span decoration and log instrumentation (#5809)
• Reports instrumentation failure (#5795)
• Enable ByteCode verification by default (#5774)
• 🐛 Fix instrumentation when bytecode generation fails (#5767)
• 🐛 Fix log template issue for duplicated line probes (#5620)

Metrics

• Preserve tracer's default metrics namespace as "datadog.tracer" in dd-trace-ot (#5810)

Profiling

• Do not attempt to use ddprof library on windows (#5793)
• Rework Queue time tracking to avoid unwrapping the task type unless the event will be recorded (#5785)
• Update ddprof to 0.71.0 (#5719)

Telemetry

• Report dd-trace-java and its dependencies to telemetry (#5698)

Tracer core

• ⚡ Type resolver's use of URL caches should be configurable (#5805)
• ⚡ Avoid creating new ContinuingScope if the top scope is already keeping the span alive (#5739)
• Add _dd.base_service to disambiguate service map (#5701)

Instrumentations

Apache Spark instrumentation

• Capture app, job and databricks parameters in spark streaming spans (#5796)
• Get databricks cluster name from spark conf, if absent in job properties (#5775)
• Unify spark metrics naming (#5723)

Eclipse Vert.x instrumentation

• 🐛 Fix for Vert.x 4.0 instrumentation to close span on timeout (#5772)

Elasticsearch instrumentation

• Separate config for Elasticsearch body and params (#5771)

JDBC instrumentation

• ✨ Add redshift support to JDBC URL parser (#5792)

Jetty instrumentation

• 🐛 Fix simultaneous jetty 10/11 instrumentation when jakarta/javax servlet are both present (#5787)
• ✨ Add tracing support for Jetty 12 (#5744)

OpenTelemetry instrumentation

• ✨ Add RxJava async result types support for OpenTelemetry annotations (#5801)
• ✨ Add Reactor async result types support for OpenTelemetry annotations (#5800)
• ✨ Add Guava async result type support for OpenTelemetry annotations (#5799)
• ✨ Add generic async result type support for OpenTelemetry annotations and its Reactive Streams extension (#5737)
• 🐛 Ensure OpenTelemetry spans are not modifiable when finished (#5722)
• ✨ Add OpenTelemetry annotations support (#5593)

RabbitMQ instrumentation

• 🐛 Fix exception in reactor-rabbit (#5707)

Reactor instrumentation

• 🐛 Fix exception in reactor-rabbit (#5707)

All other instrumentations

• Support java.util.Timer once scheduling (#5708)

1.19.3

Components

Application Security Management (IAST)

• 🐛 Fix NullPointerException in unvalidated redirect detection (#5755) (#5759)

Application Security Management (WAF)

• 🐛 Enable user event tracking only when AppSec is enabled (#5756) (#5765)
• 🐛 Fix NPE in user events tracking (#5732) (#5757)

Continuous Integration Visibility

• 🐛 Make Maven test module names unique (#5761)

1.19.2

Components

Profiling

• Upgrade to ddprof 0.70.1 (#5754)

1.19.1

Warning

Do not use this version for profiling, the excessive resource usage was introduced in 1.19.0 and fixed in v1.19.2

Components

Application Security Management (IAST)

• 🐛 Set concrete types for the response instrumentation (#5729)

Continuous Integration Visibility

• 🐛 Fix automatic Javac plugin configuration in Maven projects that use annotation processors (#5727)
• 🐛 Fix automatic tracer configuration for Maven projects that use Jacoco (#5726)

Instrumentations

OpenTelemetry instrumentation

• 🐛 Ensure OpenTelemetry spans are not modifiable when finished (#5728)

1.19.0

Warning

Do not use this version for profiling, the excessive resource usage was introduced in this version and fixed in v1.19.2

Components

Application Security Management (IAST)

• Extend apache commons StringEscapeUtils tainting support (#5638)
• Update IAST exclusions to not filter JSPs and hdiv related classes (#5625)
• 🐛 Fix HttpOnly cookie detection and add small refactorings (#5615)
• Implemented trust boundary violation vulnerability detection (#5612)
• Support escape functions used in OWASP Benchmark for Trust Boundary Violation (#5608)
• Add support for XSS vulnerability (#5589)
• Add String#split taint tracking (#5584)
• Add String#toCharArray taint tracking (#5576)
• Update IAST redaction algorithm (#5528)

Application Security Management (WAF)

• Upgrade to libddwaf 1.12.0/libsqreen 7.1.0 (#5658)
• 🐛 More accurately report whether the request was blocked (#5594)
• Add Fastly and CloudFlare headers to ASM attacks (#5579)
• Response substitution on undertow (#5536)
• Response header substitution in jetty (#5467)
• Automatic user events tracking (Spring Security) (#5350)

Continuous Integration Visibility

• 🐛 Close outstanding APM spans before finishing test span (#5689)
• Disable code coverage segments data gathering by default (#5627)
• Report test framework data from child processes instead of parsing project dependencies (#5613)
• Add Cucumber support to CI Visibility (#5611)
• ⚡ Replace reflection calls with method handle invocations in test utils (#5610)
• Send test session events when build system is not instrumented (#5603)
• Implement Intelligent Test Runner metadata tags (#5602)
• 🐛 Fix Maven instrumentation for parallel builds (#5598)
• 🐛 Fix TestNG instrumentation to use immutable ITestResult.getName() instead of mutable ITestResult.getTestName() (#5595)
• Pass skippable tests from parent to children with signal server (#5581)
• Support test framework version extraction for legacy TestNG (#5580)
• 🧹 Move ITR skipping logic to test events handler (#5575)
• Tag test spans with method description (#5564)
• 🧹 Split DDTestModuleImpl into parent process and child process implementations (#5549)
• Implement repository index sharing between processes (#5512)
• Update signal server and client with mechanism to send/receive signal responses (#5511)

Data Streams Monitoring

• Add DSM Context Propagation for SQS v2 (#5637)

Dynamic Instrumentation

• Fix sampling when log probe is evaluation at Exit (#5692)
• Add UDS support for the debugger by using OkHttpUtils.buildHttpClient (#5621)
• Add capture of inherited (static) fields (#5609)
• Add capture of static fields (#5588)

Metrics

• Enable/disable embedded JMXFetch with dynamic config (#5586)

Profiling

• Upgrade to ddprof 0.70.0 (#5676)
• Upgrade to ddprof 0.67.0 (#5639)
• Upgrade to ddprof 0.65.0 (#5590)
• Disable wallclock profiling during Socket.connect (#5587)
• Improve profiler config ergonomics (#5583)

Remote Configuration

• Add debug log when sending RC request (#5672)
• Enable/disable embedded JMXFetch with dynamic config (#5586)
• Avoid logging InterruptedIOExceptions from remote-config as parsing/processing failures (#5577)
• Change traceDebug with dynamic config (#5482)

Telemetry

• 🐛 Fix spans_created and spans_finished integration_name tags (#5681)
• ⚡ Fix #5640 Telemetry startup degradation (#5678)
• 🧹 Telemetry V2 preps (Serialization Refactoring) (#5640)
• 🐛 Fix span metric names for created and finished spans (#5600)

Tracer core

• Updated config parsing for integer ranges for grpc (#5683)
• Make partial flushing settings consistent with other tracer libraries (#5682)
• Only check CLIENT/SERVER_ERROR_STATUSES when we know we have a status to check (#5596)
• Support HTTP client header tagging (#5585)
• ✨ Add span links support (#5569)
• 🐛 Add config option to disable baggage as tag injection (#5563)

Instrumentations

Apache Spark instrumentation

• ✨ Capture more Spark parameters (#5630)
• ✨ Add support for spark structured streaming (#5629)
• Compute distribution of task metrics for each stage (#5542)
• Aggregate peak execution memory using the max of all stages (#5205)

AWS SDK instrumentation

• Avoid sending trace context twice when using JMS-over-SQS (#5626)

JDBC instrumentation

• 🐛 Add edb as supported postgres connection type (#5623)
• 💡 Add IBM Informix support to JDBC instrumentation (#5599)

JMS instrumentation

• Avoid sending trace context twice when using JMS-over-SQS (#5626)

Netty instrumentation

• ✨ Fix async propagation in some versions of undertow (#5649)

OpenTelemetry instrumentation

• ✨ Add support for OpenTelemetry Context.makeCurrent() (#5673)
• 🐛 Fix OpenTelemetry Context instrumentation activation (#5671)
• 🐛 Fix possible invalid parent span using OpenTelemetry API (#5644)
• 🐛 Fix empty string attribute value (#5574)

Spring instrumentation

• 💡 Add Spring Web Service error capture instrumentation (#5643)
• Instrument spring-messaging to reduce chance of disconnected traces (#5631)
• Disabling `spring-path-filter' integration should remove all path-related filters (#5578)
• Automatic user events tracking (Spring Security) (#5350)

1.18.3

Components

Application Security Management (IAST)

• 🐛 Fix missing HttpOnly cookie vulnerability detection (#5662)

Dynamic Instrumentation

• Add UDS support for the debugger by using OkHttpUtils.buildHttpClient (#5667)

Telemetry

• 🐛 Fix span metric names (#5665)

Instrumentations

OpenTelemetry instrumentation

• 🐛 Fix possible invalid parent span using OpenTelemetry API (#5666)

1.18.2

Components

Continuous Integration Visibility

• 🐛 Fix Maven instrumentation for parallel builds (#5607)
• 🐛 Fix TestNG instrumentation to use immutable ITestResult.getName() instead of mutable ITestResult.getTestName() (#5606)

1.18.1

Components

Continuous Integration Visibility

• 💡 Add support for tycho-surefire-plugin instrumentation in Maven builds (#5573)
• 🐛 Update TestNG instrumentation to differentiate between identical test cases executed concurrently (#5572)

1.18.0

Components

Application Security Management (IAST)

• Add support to XPath Injection vulnerability (#5459)
• Add missing IAST guards for response headers (#5537)
• Add required callsites for String.format (#5502)
• Update IAST exclusions (#5500)
• No SameSite Cookie vulnerability (#5438) (#5486)

Application Security Management (WAF)

• Remove warning about unknown grpc.server.request.metadata address (#5491)
• Support block on response on tomcat (#5393)

Continuous Integration Visibility

• 🐛 Fix maven dependency version parsing (#5547)
• 🐛 Fix incorrect current source root in RepoIndexSourcePathResolver (#5545)
• Implement ITR skippable tests request for Gradle (#5525)
• Implement ITR skippable tests request for Maven (#5524)
• 🧹 Encapsulate TestDecorator in agent-ci-visibility module (#5521)
• Implement tests skipping for TestNG (#5453)
• Implement tests skipping for JUnit 4 (#5452)
• Implement tests skipping for JUnit 5 (#5451)
• Implement passing module execution results from children processes to parent process (#5428)
• Implement a mechanism to report data from children processes to parent process (#5427)
• Implement Intelligent Test Runner skippable tests request (#5413)
• Implement remote settings fetching for CI Visibility (#5412)

Data Streams Monitoring

• ✨ calculate edge latency using message timestamp (#5507)

Dynamic Instrumentation

• Add support for distribution metrics (#5478)

GraalVM native-image

• Support native-image using latest GraalVM JDK (#5519)

Metrics

• JMXFetch 0.47.9 + DogStatsD 4.2.0 (#5522)

Profiling

• Upgrade ddprof to 0.63.0 (#5561)
• reduce direct allocation profiling rate limit (#5554)
• record time in netty SingleThreadEventExecutor queues (#5514)
• unwrapping tests and improvements (#5510)
• increase unwrapping depth, add new test (#5508)
• rework queue time profiling (#5504)

Remote Configuration

• Apply default tag name when setting header tags via dynamic-config (#5557)

Telemetry

• Telemetry app-heartbeat starts one interval after app-started (#5513)
• Provide instrumentation name context to span (#5492)
• Mitigate telemetry interval drift (#5476)

Trace context propagation

• 🔍 Add context propagation diagnostic information to debug logs (#5497)

Tracer core

• Add process health-check for Azure so we can re-use named-pipes… (#5541)
• Improve external agent process supervision on Azure (#5529)
• ⚡ Speed up HttpServerDecorator onRequest (#5523)

Instrumentations

Apache Spark instrumentation

• ✨ Instrument SparkSubmit to capture errors outside of SparkListener interface (#5505)

Netty instrumentation

• record time in netty SingleThreadEventExecutor queues (#5514)

OpenTelemetry instrumentation

• Provide instrumentation name context to span (#5492)

All other instrumentations

• opensearch: naming conventions for v1 (#5540)
• 🐛 avoid having duplicates in db.cassandra.contact.points (#5496)

1.17.0

Components

Application Security Management (IAST)

• Fix NoClassDefFoundError due to OSGI/servlet issues in IAST (#5446)
• Fix unvalidated redirect detection in Jetty (#5445)
• Unvalidated redirect not reported if Referer header is the source (#5424)
• Unvalidated redirect vulnerability detection in Vert.x 4 (#5381)

Application Security Management (WAF)

• 🐛 Added NPE checkers in Instrumentation Gateway (#5383)

Continuous Integration Visibility

• Implement Git repo unshallowing (#5434)
• 🐛 Do not send empty test suite spans (#5405)
• Implement auto-configuration for code-coverage in Gradle (#5399)
• Implement auto-configuration for code-coverage in Maven (#5398)
• Per test code coverage in CI Visibility (#5146)

Dynamic Instrumentation

• Add support for double values for metric probes (#5457)
• Fix inserting line probe before for-loops (#5450)
• Add special support for enum values (#5441)
• Add support for snapshot pruning (#5420)

Profiling

• upgrade ddprof to 0.57.0 (#5475)
• explicitly disable ddprof unsupported jdk versions (#5465)
• upgrade to ddprof 0.52.0 (#5455)
• track time in FJP shared queues (#5448)
• implement queue timing using Datadog profiler, remove JFR implementation (#5439)

Remote Configuration

• ✨ Support dynamic configuration of trace sampling rate (#5466)
• Bump default max remote config payload size limit to 5Mb (#5403)

Telemetry

• 🐛 Fix scanDependencies CLI (#5474)

Instrumentations

gRPC instrumentation

• ⚡ reduce number of scope activations in gRPC client instrumentation (#5470)

Spring instrumentation

• Avoid need to inject BeanDefinitionRepairer everywhere as a helper (#5365)

Other changes

• Allow trace flush interval to be configurable (#5435)
• expose cassandra contact points and use for peer.service (#5375)
• Add dynamic config support for log injection (#5221)