Extend vulnerability location data with class

re-enable aws integrations tests (#3733)

feat(tests/test_data_integrity): update test_datadog_external_env for Go v1.72.0 and forward (#3961)

Activate ruff rules on tests/ folder (#3999)

[python] Avoid passing global tracer to pin in weblog apps (#4004)

All classes must declare feature ids (#4003)

Extend mypy scope (#4002)

Onboarding: bug marker profiling (#4005)

Docker SSI: fix scenario (#4006)

[ruby] Enable IP blocking tests for Ruby (#3937)

Activate ruff rules on tests/ folder (#4007)

[nodejs] remove auto login event skip (#3998)

Email HTML Injection detection in IAST Java (#3906)

Co-authored-by: Mario Vidal Domínguez <[email protected]>

Add test to check absence of client computed stats (#3812)

[java] Skip payara/CROSSED_TRACING_LIBRARIES/prod (#4009)

Add GraphQL error extension tests (#3986)

Co-authored-by: William Conti <[email protected]>

Use prod agent, dev agent broke lot  of tracers (#4011)

update xpassing baggage tests for unimplemented languages (#3773)

[NodeJS] skip failing baggage tests (#4015)

[python] fix 500 errors in sql queries (#3997)

Activate ruff rules on tests/ folder (#4010)

Hotfix

Fix fuzzer

[Nodejs] Enable untrusted deserialization stack trace test for Node.js (#3995)

[python] use main again for dev branch (#4008)

Co-authored-by: erikayasuda <[email protected]>
Co-authored-by: Charles de Beauchesne <[email protected]>

Revert agent dev fix (#4013)

[PHP] Enable rasp telemetry tests for PHP (#3972)

[skipci] Update CODEOWNERS for static files (#4012)

[Java] Enable more easy wins (#4018)

[java] Bump GraalVM system test to JDK 22 (#4001)

[NodeJS] skip more failing baggage tests (#4021)

[Debugger] Update dotnet Exception Replay tests (#3974)

Test multiple rasp during one request (#3989)

Add test for location extended data (#3978)

Fix APPSEC_NO_STATS scenario name (#4019)

Avoid false XPASS on APPSEC_WAF_TELEMETRY (#4029)

[java] Enable Test_Blocking_strip_response_headers in some variants (#4033)

[java] Remove some outdated manifest entries (#4039)

[java] Fix xpass for Test_SecurityEvents_Appsec_Metastruct_Disabled (#4038)

Consolidate remote config tests into same directory/file (#4031)

[python] use last patch version of python for django weblogs (#4025)

crashtracking: assert si_signo is set to 11 (#4023)

.github/CODEOWNERS

@@ -30,4 +30,4 @@
 /manifests/ruby.yml @DataDog/ruby-guild @DataDog/asm-ruby
 
 # Allows everyone to easily make changes
-/tests/telemetry_intake/static/ @DataDog/apm-ecosystems
+/tests/telemetry_intake/static/ @DataDog/apm-sdk

.github/actions/get_target_branch/action.yaml

@@ -16,6 +16,10 @@ runs:
       id: extract
       shell: bash
       run: |
-        branch=$(echo "${{ inputs.text }}" | grep -ioP '\[(?:java|dotnet|python|ruby|php|golang|cpp|agent|nodejs)@[^]]+(?=\])' | tr -d '[:space:]' || true)
+        branch=$(echo "${INPUTS_TEXT}" | grep -ioP '\[(?:java|dotnet|python|ruby|php|golang|cpp|agent|nodejs)@[^]]+(?=\])' | tr -d '[:space:]' || true)
 
         echo "target-branch=${branch#*@}" >> $GITHUB_OUTPUT
+
+      # the preferred approach to handling untrusted input is to set the value of the expression to an intermediate environment variable
+      env:
+          INPUTS_TEXT: ${{ inputs.text }}

.github/workflows/ci.yml

@@ -74,8 +74,10 @@ jobs:
         run: ./utils/scripts/load-binary.sh ${{ matrix.library }}
         env:
           TARGET_BRANCH: "${{ steps.get-target-branch.outputs.target-branch }}"
+
       - name: Get agent artifact
         run: ./utils/scripts/load-binary.sh agent
+
       # ### appsec-event-rules is now a private repo. The GH_TOKEN provided can't read private repos.
       # ### skipping this, waiting for a proper solution
       # - name: Load WAF rules

.github/workflows/run-end-to-end.yml

@@ -113,6 +113,9 @@ jobs:
     - name: Run APPSEC_STANDALONE_V2 scenario
       if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_STANDALONE_V2"')
       run: ./run.sh APPSEC_STANDALONE_V2
+    - name: Run APPSEC_NO_STATS scenario
+      if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_NO_STATS"')
+      run: ./run.sh APPSEC_NO_STATS
     - name: Run IAST_STANDALONE scenario
       if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"IAST_STANDALONE"')
       run: ./run.sh IAST_STANDALONE
@@ -135,7 +138,7 @@ jobs:
       if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"IPV6"') && inputs.library != 'ruby'
       run: ./run.sh IPV6
     - name: Run CROSSED_TRACING_LIBRARIES scenario
-      if: always() && steps.build.outcome == 'success' && matrix.weblog != 'python3.12' && matrix.weblog != 'django-py3.13' && contains(inputs.scenarios, '"CROSSED_TRACING_LIBRARIES"')
+      if: always() && steps.build.outcome == 'success' && matrix.weblog != 'python3.12' && matrix.weblog != 'django-py3.13' && matrix.weblog != 'spring-boot-payara' && contains(inputs.scenarios, '"CROSSED_TRACING_LIBRARIES"')
       # python 3.13 issue : APMAPI-1096
       run: ./run.sh CROSSED_TRACING_LIBRARIES
       env:
@@ -203,7 +206,7 @@ jobs:
       if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD_NOCACHE"')
       run: ./run.sh REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD_NOCACHE
     - name: Run AGENT_NOT_SUPPORTING_SPAN_EVENTS scenario
-      if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, 'AGENT_NOT_SUPPORTING_SPAN_EVENTS') && (inputs.library != 'ruby' || matrix.weblog == 'rack')
+      if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, 'AGENT_NOT_SUPPORTING_SPAN_EVENTS')
       run: ./run.sh AGENT_NOT_SUPPORTING_SPAN_EVENTS
     - name: Run APPSEC_MISSING_RULES scenario
       # C++ 1.2.0 freeze when the rules file is missing
@@ -269,6 +272,9 @@ jobs:
     - name: Run APPSEC_RASP scenario
       if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_RASP"')
       run: ./run.sh APPSEC_RASP
+    - name: Run APPSEC_RASP_NON_BLOCKING scenario
+      if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_RASP_NON_BLOCKING"')
+      run: ./run.sh APPSEC_RASP_NON_BLOCKING
     - name: Run APPSEC_META_STRUCT_DISABLED scenario
       if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_META_STRUCT_DISABLED"')
       run: ./run.sh APPSEC_META_STRUCT_DISABLED

.gitlab-ci.yml

@@ -295,15 +295,15 @@ x_compute_python_aws_scenarios:
   parallel:
       matrix:
         - ONBOARDING_FILTER_WEBLOG: [test-app-python]
-          SCENARIO: [HOST_AUTO_INJECTION_INSTALL_SCRIPT]
+          SCENARIO: [HOST_AUTO_INJECTION_INSTALL_SCRIPT, HOST_AUTO_INJECTION_INSTALL_SCRIPT_PROFILING]
         - ONBOARDING_FILTER_WEBLOG: [test-app-python-container,test-app-python-alpine]
-          SCENARIO: [ CONTAINER_AUTO_INJECTION_INSTALL_SCRIPT]
+          SCENARIO: [CONTAINER_AUTO_INJECTION_INSTALL_SCRIPT, CONTAINER_AUTO_INJECTION_INSTALL_SCRIPT_PROFILING]
         - ONBOARDING_FILTER_WEBLOG: [
             test-app-python,
             test-app-python-container,
             test-app-python-alpine
           ]
-          SCENARIO: [INSTALLER_AUTO_INJECTION]
+          SCENARIO: [INSTALLER_AUTO_INJECTION, SIMPLE_AUTO_INJECTION_PROFILING]
         - ONBOARDING_FILTER_WEBLOG: [test-app-python]
           SCENARIO: [CHAOS_INSTALLER_AUTO_INJECTION]
         - ONBOARDING_FILTER_WEBLOG: [test-app-python-multicontainer,test-app-python-multialpine]

.vscode/launch.json

@@ -164,6 +164,16 @@
             "justMyCode": true,
             "python": "${workspaceFolder}/venv/bin/python"
         },
+        {
+            "name": "Replay APPSEC_STANDALONE scenario",
+            "type": "debugpy",
+            "request": "launch",
+            "module": "pytest",
+            "args": ["-S", "APPSEC_STANDALONE", "-p", "no:warnings", "--replay"],
+            "console": "integratedTerminal",
+            "justMyCode": true,
+            "python": "${workspaceFolder}/venv/bin/python"
+        },
         {
             "name": "Python: Current File",
             "type": "python",

CHANGELOG.md

@@ -2,6 +2,15 @@
 
 All notable changes to this project will be documented in this file.
 
+### 2025-01 (179 PR merged)
+
+* 2025-01-20 [Deserialize JSON in multipart](https://github.com/DataDog/system-tests/pull/3854) by @cbeauchesne
+* 2025-01-14 [[python] add new python weblog: django-py3.13](https://github.com/DataDog/system-tests/pull/3798) by @christophe-papazian
+* 2025-01-09 [Removes CircleCI job](https://github.com/DataDog/system-tests/pull/3792) by @cbeauchesne
+* 2025-01-03 [Add an option that skip all tests if scenario contains only xfail/skip](https://github.com/DataDog/system-tests/pull/3768) by @cbeauchesne
+* 2025-01-27 [Try to get TARGET_BRANCH from PR's title](https://github.com/DataDog/system-tests/pull/3675) by @iunanua
+* 2025-01-30 [[golang] new orchestrion go weblog](https://github.com/DataDog/system-tests/pull/3555) by @eliottness
+* 2025-01-16 [Add tests for Service Extension (Envoy External Processing)](https://github.com/DataDog/system-tests/pull/3377) by @e-n-0
 
 ### 2024-12 (138 PR merged)
 

conftest.py

@@ -15,7 +15,7 @@
 
 from manifests.parser.core import load as load_manifests
 from utils import context
-from utils._context._scenarios import scenarios
+from utils._context._scenarios import scenarios, Scenario
 from utils.tools import logger
 from utils.scripts.junit_report import junit_modifyreport
 from utils._context.library_version import LibraryVersion
@@ -150,16 +150,20 @@ def pytest_configure(config) -> None:
         config.option.skip_empty_scenario = True
 
     # First of all, we must get the current scenario
+
+    current_scenario: Scenario | None = None
+
     for name in dir(scenarios):
         if name.upper() == config.option.scenario:
-            context.scenario = getattr(scenarios, name)
+            current_scenario = getattr(scenarios, name)
             break
 
-    if context.scenario is None:
+    if current_scenario is not None:
+        current_scenario.pytest_configure(config)
+        context.scenario = current_scenario
+    else:
         pytest.exit(f"Scenario {config.option.scenario} does not exist", 1)
 
-    context.scenario.pytest_configure(config)
-
     if not config.option.replay and not config.option.collectonly:
         config.option.json_report_file = f"{context.scenario.host_log_folder}/report.json"
         config.option.xmlpath = f"{context.scenario.host_log_folder}/reportJunit.xml"
@@ -184,11 +188,8 @@ def pytest_sessionstart(session) -> None:
 
 # called when each test item is collected
 def _collect_item_metadata(item):
-    result = {
-        "details": None,
-        "testDeclaration": None,
-        "features": [marker.kwargs["feature_id"] for marker in item.iter_markers("features")],
-    }
+    details: str | None = None
+    test_declaration: str | None = None
 
     # get the reason form skip before xfail
     markers = [*item.iter_markers("skip"), *item.iter_markers("skipif"), *item.iter_markers("xfail")]
@@ -197,32 +198,36 @@ def _collect_item_metadata(item):
 
         if skip_reason is not None:
             # if any irrelevant declaration exists, it is the one we need to expose
-            if skip_reason.startswith("irrelevant") or result["details"] is None:
-                result["details"] = skip_reason
-
-    if result["details"]:
-        logger.debug(f"{item.nodeid} => {result['details']} => skipped")
-
-        if result["details"].startswith("irrelevant"):
-            result["testDeclaration"] = "irrelevant"
-        elif result["details"].startswith("flaky"):
-            result["testDeclaration"] = "flaky"
-        elif result["details"].startswith("bug"):
-            result["testDeclaration"] = "bug"
-        elif result["details"].startswith("incomplete_test_app"):
-            result["testDeclaration"] = "incompleteTestApp"
-        elif result["details"].startswith("missing_feature"):
-            result["testDeclaration"] = "notImplemented"
-        elif "got empty parameter set" in result["details"]:
+            if skip_reason.startswith("irrelevant") or details is None:
+                details = skip_reason
+
+    if details is not None:
+        logger.debug(f"{item.nodeid} => {details} => skipped")
+
+        if details.startswith("irrelevant"):
+            test_declaration = "irrelevant"
+        elif details.startswith("flaky"):
+            test_declaration = "flaky"
+        elif details.startswith("bug"):
+            test_declaration = "bug"
+        elif details.startswith("incomplete_test_app"):
+            test_declaration = "incompleteTestApp"
+        elif details.startswith("missing_feature"):
+            test_declaration = "notImplemented"
+        elif "got empty parameter set" in details:
             # Case of a test with no parameters. Onboarding: we removed the parameter/machine with excludedBranches
             logger.info(f"No parameters found for ${item.nodeid}")
         else:
-            raise ValueError(f"Unexpected test declaration for {item.nodeid} : {result['details']}")
+            raise ValueError(f"Unexpected test declaration for {item.nodeid} : {details}")
 
-    return result
+    return {
+        "details": details,
+        "testDeclaration": test_declaration,
+        "features": [marker.kwargs["feature_id"] for marker in item.iter_markers("features")],
+    }
 
 
-def _get_skip_reason_from_marker(marker):
+def _get_skip_reason_from_marker(marker) -> str | None:
     if marker.name == "skipif":
         if all(marker.args):
             return marker.kwargs.get("reason", "")
@@ -443,7 +448,7 @@ def pytest_runtest_call(item) -> None:
 
 
 @pytest.hookimpl(optionalhook=True)
-def pytest_json_runtest_metadata(item, call) -> None:
+def pytest_json_runtest_metadata(item, call) -> None | dict:
     if call.when != "setup":
         return {}
 
@@ -521,7 +526,7 @@ def export_feature_parity_dashboard(session, data) -> None:
         json.dump(result, f, indent=2)
 
 
-def convert_test_to_feature_parity_model(test) -> dict:
+def convert_test_to_feature_parity_model(test) -> dict | None:
     result = {
         "path": test["nodeid"],
         "lineNumber": test["lineno"],

docs/weblog/README.md

@@ -768,6 +768,17 @@ Examples:
 - `GET`: `/rasp/ssrf?user_id="' OR 1 = 1 --"`
 - `POST`: `{"user_id": "' OR 1 = 1 --"}`
 
+### \[GET\] /rasp/multiple
+The idea of this endpoint is to have an endpoint where multiple rasp operation take place. All of them will generate a MATCH on the WAF but none of them will block. The goal of this endpoint is to verify that the `rasp.rule.match` telemetry entry is updated properly. While this seems easy, the WAF requires that data given on `call` is passed as ephemeral and not as persistent.
+
+In order to make the test easier, the operation used here need to generate LFI matches. The request will have two get parameters(`file1`, `file2`) which will contain a path that needs to be used as the parameters of the choosen lfi function. Then there will be another call to the lfi function with a harcoded parameter `'../etc/passwd'`. This will make `rasp.rule.match` to be equal to 3. A code example look like:
+
+```
+lfi_operation($request->get('file1'))
+lfi_operation($request->get('file2'))
+lfi_operation('../etc/passwd') //This one is harcoded
+```
+
 ### GET /dsm/inject
 This endpoint is used to validate DSM context injection injects the correct encoding to a headers carrier.
 

manifests/cpp.yml

@@ -160,6 +160,7 @@ tests/:
       Test_Config_TraceEnabled: v1.0.1.dev
       Test_Config_TraceLogDirectory: missing_feature
       Test_Config_UnifiedServiceTagging: v1.0.1.dev
+      Test_Stable_Config_Default: missing_feature
     test_crashtracking.py: missing_feature
     test_dynamic_configuration.py:
       TestDynamicConfigV1_EmptyServiceTargets: missing_feature