# This is the 1st commit message:
Extend vulnerability location data with class

re-enable aws integrations tests (#3733)

feat(tests/test_data_integrity): update test_datadog_external_env for Go v1.72.0 and forward (#3961)

Activate ruff rules on tests/ folder (#3999)

[python] Avoid passing global tracer to pin in weblog apps (#4004)

All classes must declare feature ids (#4003)

Extend mypy scope (#4002)

Onboarding: bug marker profiling (#4005)

Docker SSI: fix scenario (#4006)

[ruby] Enable IP blocking tests for Ruby (#3937)

Activate ruff rules on tests/ folder (#4007)

[nodejs] remove auto login event skip (#3998)

Email HTML Injection detection in IAST Java (#3906)

Co-authored-by: Mario Vidal Domínguez <[email protected]>

Add test to check absence of client computed stats (#3812)

[java] Skip payara/CROSSED_TRACING_LIBRARIES/prod (#4009)

Add GraphQL error extension tests (#3986)

Co-authored-by: William Conti <[email protected]>

Use prod agent, dev agent broke a lot of tracers (#4011)

update xpassing baggage tests for unimplemented languages (#3773)

[NodeJS] skip failing baggage tests (#4015)

[python] fix 500 errors in sql queries (#3997)

Activate ruff rules on tests/ folder (#4010)

Hotfix

Fix fuzzer

[Nodejs] Enable untrusted deserialization stack trace test for Node.js (#3995)

[python] use main again for dev branch (#4008)

Co-authored-by: erikayasuda <[email protected]>
Co-authored-by: Charles de Beauchesne <[email protected]>

Revert agent dev fix (#4013)

[PHP] Enable rasp telemetry tests for PHP (#3972)

[skipci] Update CODEOWNERS for static files (#4012)

[Java] Enable more easy wins (#4018)

[java] Bump GraalVM system test to JDK 22 (#4001)

[NodeJS] skip more failing baggage tests (#4021)

[Debugger] Update dotnet Exception Replay tests (#3974)

Test multiple rasp during one request (#3989)

Add test for location extended data (#3978)

Fix APPSEC_NO_STATS scenario name (#4019)

Avoid false XPASS on APPSEC_WAF_TELEMETRY (#4029)

[java] Enable Test_Blocking_strip_response_headers in some variants (#4033)

[java] Remove some outdated manifest entries (#4039)

[java] Fix xpass for Test_SecurityEvents_Appsec_Metastruct_Disabled (#4038)

Consolidate remote config tests into same directory/file (#4031)

[python] use last patch version of python for django weblogs (#4025)

crashtracking: assert si_signo is set to 11 (#4023)

# This is the commit message #2:

[nodejs] Fix get_target_branch - "quotes, parens and # (#3952)"" (#3953)

Co-authored-by: Charles de Beauchesne <[email protected]>
# This is the commit message #3:

Fix Standalone Billing values (#3965)

# This is the commit message #4:

Add success to valid WAF telemetry tags (#3966)

# This is the commit message #5:

Ensure tracer release coherence (#3967)

[Nodejs] Code injection telemetry metric (#3959)

Do not use special chars in "redacted" string used in scrubber (#3977)

fix Context Propagation: Extraction feature_id (#3970)

[dotnet] Enable Custom Blocking Response tests (#3971)

[python] update flask base image (#3979)

[ruby] Skip failing test for APMAPI-1141 (#3980)

update weblog sampling_test use sampling rules instead of deprecated envvar (#3984)

[python] enable Python IAST+SSRF tests (#2512)

Signed-off-by: Juanjo Alvarez <[email protected]>

[python] IAST Header source in werkzeug 3.1 (#3991)

[python] switch flaky decorator for bug (#3990)

[python] update versions for major release (#3993)

[test optimization] Update config shape sent as telemetry (#3992)

Add profiling scenarios to Python onboarding tests (#3002)

Update changelog

re-enable aws integrations tests (#3733)

feat(tests/test_data_integrity): update test_datadog_external_env for Go v1.72.0 and forward (#3961)

[python] Avoid passing global tracer to pin in weblog apps (#4004)

All classes must declare feature ids (#4003)

Extend mypy scope (#4002)

Onboarding: bug marker profiling (#4005)

Docker SSI: fix scenario (#4006)

[ruby] Enable IP blocking tests for Ruby (#3937)

[nodejs] remove auto login event skip (#3998)

[NodeJS] skip failing baggage tests (#4015)

[python] fix 500 errors in sql queries (#3997)

Hotfix

Fix fuzzer

[python] use main again for dev branch (#4008)

Co-authored-by: erikayasuda <[email protected]>
Co-authored-by: Charles de Beauchesne <[email protected]>

Revert agent dev fix (#4013)

[skipci] Update CODEOWNERS for static files (#4012)

[Java] Enable more easy wins (#4018)

[java] Bump GraalVM system test to JDK 22 (#4001)

[NodeJS] skip more failing baggage tests (#4021)

[Debugger] Update dotnet Exception Replay tests (#3974)

Test multiple rasp during one request (#3989)

Add test for location extended data (#3978)

Fix APPSEC_NO_STATS scenario name (#4019)

Avoid false XPASS on APPSEC_WAF_TELEMETRY (#4029)

[java] Enable Test_Blocking_strip_response_headers in some variants (#4033)

[java] Remove some outdated manifest entries (#4039)

[java] Fix xpass for Test_SecurityEvents_Appsec_Metastruct_Disabled (#4038)

Consolidate remote config tests into same directory/file (#4031)

[python] use last patch version of python for django weblogs (#4025)

crashtracking: assert si_signo is set to 11 (#4023)

class vs path
sezen-datadog committed Feb 10, 2025
1 parent 00cae7e commit d4259f6
Showing 2 changed files with 39 additions and 12 deletions.
2 changes: 1 addition & 1 deletion tests/appsec/iast/sink/test_hardcoded_secrets.py
@@ -44,7 +44,7 @@ def test_hardcoded_secrets_exec(self):
hardcode_secrets = [v for v in hardcode_secrets if v["evidence"]["value"] == "aws-access-token"]
assert len(hardcode_secrets) == 1
vuln = hardcode_secrets[0]
assert vuln["location"]["path"] == get_expectation(self.location_map)
assert vuln["location"]["class"] == get_expectation(self.location_map)


@features.iast_sink_hardcoded_secrets
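Review bot: the assertion `assert vuln["location"]["class"] == get_expectation(self.location_map)` switches from `path` to `class` unconditionally, while `assert_iast_vulnerability` in tests/appsec/iast/utils.py in this same commit still accepts `path` for `[email protected]` and older. A weblog that still reports only `location.path` will raise KeyError here instead of a readable assertion failure. Either gate this line on the same version condition (`context.library < "[email protected]"`), or read `vuln["location"].get("class")` with a fallback to `.get("path")` so the failure message says which key was missing.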
49 changes: 38 additions & 11 deletions tests/appsec/iast/utils.py
@@ -34,14 +34,20 @@ def get_iast_event(request):
def assert_iast_vulnerability(
request, vulnerability_count=None, vulnerability_type=None, expected_location=None, expected_evidence=None
):
oldVersion = context.library < "[email protected]"
iast = get_iast_event(request=request)
assert iast["vulnerabilities"], "Expected at least one vulnerability"
vulns = iast["vulnerabilities"]
if vulnerability_type:
vulns = [v for v in vulns if v["type"] == vulnerability_type]
assert vulns, f"No vulnerability of type {vulnerability_type}"
if expected_location:
vulns = [v for v in vulns if v.get("location", {}).get("path", "") == expected_location]
vulns = [
v
for v in vulns
if (oldVersion and v.get("location", {}).get("path", "") == expected_location)
or (v.get("location", {}).get("class", "") == expected_location)
]
assert vulns, f"No vulnerability with location {expected_location}"
if expected_evidence:
vulns = [v for v in vulns if v.get("evidence", {}).get("value", "") == expected_evidence]
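Review bot: `oldVersion` is camelCase while the rest of this file, including `old_version` added to `validate_stack_traces` in this same commit, uses snake_case; rename it to `old_version`. More importantly, the `path` fallback in the `expected_location` filter is only taken when `oldVersion` is true; whenever it is false the filter requires `location.class`, yet the Python and Node.js branches of `validate_stack_traces` below still match on `location["path"]`, so a non-Java weblog calling `assert_iast_vulnerability(expected_location=...)` would only pass if it also emits `class`. A library-independent fallback such as `v.get("location", {}).get("class") or v.get("location", {}).get("path")` compared against `expected_location` keeps the existing behaviour for those tracers.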
@@ -234,24 +240,45 @@ def validate_stack_traces(request):
assert "frames" in stack_trace, "'frames' not found in stack trace"
assert len(stack_trace["frames"]) <= 32, "stack trace above size limit (32 frames)"

# Vulns without location path are not expected to have a stack trace
# Vulns without location path/class are not expected to have a stack trace
old_version = context.library < "[email protected]"
location = vuln["location"]
assert location is not None and "path" in location, "This vulnerability is not expected to have a stack trace"
if old_version:
assert (
location is not None and "path" in location
), "This vulnerability was expected to have a path in its location data, it is not possible to validate the stack trace"
else:
assert (
location is not None and "class" in location
), "This vulnerability was expected to have a class in its location data, it is not possible to validate the stack trace"

locationFrame = None

for frame in stack_trace["frames"]:
# We are looking for the frame that corresponds to the location of the vulnerability, we will need to update this to cover all tracers
# currently support: Java, Python, Node.js
if (
stack_trace["language"] == "java"
and (
location["path"] in frame["class_name"]
and location["method"] in frame["function"]
and location["line"] == frame["line"]
(
stack_trace["language"] == "java"
and old_version
and (
location["path"] in frame["class_name"]
and location["method"] in frame["function"]
and location["line"] == frame["line"]
)
)
or (
stack_trace["language"] == "java"
and (
location["class"] in frame["class_name"]
and location["method"] in frame["function"]
and location["line"] == frame["line"]
)
)
or (
stack_trace["language"] in ("python", "nodejs")
and (frame.get("file", "").endswith(location["path"]) and location["line"] == frame["line"])
)
) or (
stack_trace["language"] in ("python", "nodejs")
and (frame.get("file", "").endswith(location["path"]) and location["line"] == frame["line"])
):
locationFrame = frame
assert locationFrame is not None, "location not found in stack trace"
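Review bot: the second Java branch is still evaluated for old versions and will raise KeyError. With `old_version` true, for every frame that is not the location frame the first clause `stack_trace["language"] == "java" and old_version and (location["path"] in frame["class_name"] ...)` is false, so the `or` falls through to `stack_trace["language"] == "java" and (location["class"] in frame["class_name"] ...)`, and `location["class"]` fails because the assertion above only guarantees `path` for old versions. Add `and not old_version` to the second branch, mirroring the `and old_version` in the first, or use `location.get("class", "")` there. The comment `# currently support: Java, Python, Node.js` should also mention the 1.48.0 split now that Java has two cases.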