DataDog
diff --git a/‎communication/src/main/java/datadog/communication/serialization/Codec.java‎
Lines changed: 15 additions & 1 deletion b/‎communication/src/main/java/datadog/communication/serialization/Codec.java‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎communication/src/main/java/datadog/communication/serialization/custom/stacktrace/StackTraceEventFrameWriter.java‎
Lines changed: 58 additions & 0 deletions b/‎communication/src/main/java/datadog/communication/serialization/custom/stacktrace/StackTraceEventFrameWriter.java‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎communication/src/main/java/datadog/communication/serialization/custom/stacktrace/StackTraceEventWriter.java‎
Lines changed: 42 additions & 0 deletions b/‎communication/src/main/java/datadog/communication/serialization/custom/stacktrace/StackTraceEventWriter.java‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎communication/src/test/java/datadog/communication/serialization/msgpack/MsgPackWriterTest.java‎
Lines changed: 176 additions & 0 deletions b/‎communication/src/test/java/datadog/communication/serialization/msgpack/MsgPackWriterTest.java‎
Lines changed: 176 additions & 0 deletions
diff --git a/‎dd-java-agent/agent-iast/src/main/java/com/datadog/iast/Reporter.java‎
Lines changed: 27 additions & 0 deletions b/‎dd-java-agent/agent-iast/src/main/java/com/datadog/iast/Reporter.java‎
Lines changed: 27 additions & 0 deletions
@@ -1,14 +1,28 @@
 package datadog.communication.serialization;
 
+import datadog.communication.serialization.custom.stacktrace.StackTraceEventFrameWriter;
+import datadog.communication.serialization.custom.stacktrace.StackTraceEventWriter;
+import datadog.trace.util.stacktrace.StackTraceEvent;
+import datadog.trace.util.stacktrace.StackTraceFrame;
 import java.nio.ByteBuffer;
 import java.nio.CharBuffer;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 public final class Codec extends ClassValue<ValueWriter<?>> {
 
-  public static final Codec INSTANCE = new Codec();
+  private static final Map<Class<?>, ValueWriter<?>> defaultConfig =
+      Stream.of(
+              new Object[][] {
+                {StackTraceEvent.class, new StackTraceEventWriter()},
+                {StackTraceFrame.class, new StackTraceEventFrameWriter()},
+              })
+          .collect(Collectors.toMap(data -> (Class<?>) data[0], data -> (ValueWriter<?>) data[1]));
+
+  public static final Codec INSTANCE = new Codec(defaultConfig);
 
   private final Map<Class<?>, ValueWriter<?>> config;
 
 
@@ -0,0 +1,58 @@
+package datadog.communication.serialization.custom.stacktrace;
+
+import datadog.communication.serialization.EncodingCache;
+import datadog.communication.serialization.ValueWriter;
+import datadog.communication.serialization.Writable;
+import datadog.trace.util.Strings;
+import datadog.trace.util.stacktrace.StackTraceFrame;
+
+public class StackTraceEventFrameWriter implements ValueWriter<StackTraceFrame> {
+
+  @Override
+  public void write(StackTraceFrame value, Writable writable, EncodingCache encodingCache) {
+    int mapSize = 1; // id always present
+    boolean hasText = Strings.isNotBlank(value.getText());
+    boolean hasFile = Strings.isNotBlank(value.getFile());
+    boolean hasLine = value.getLine() != null;
+    boolean hasClass = Strings.isNotBlank(value.getClass_name());
+    boolean hasFunction = Strings.isNotBlank(value.getFunction());
+    if (hasText) {
+      mapSize++;
+    }
+    if (hasFile) {
+      mapSize++;
+    }
+    if (hasLine) {
+      mapSize++;
+    }
+    if (hasClass) {
+      mapSize++;
+    }
+    if (hasFunction) {
+      mapSize++;
+    }
+    writable.startMap(mapSize);
+    writable.writeString("id", encodingCache);
+    writable.writeInt(value.getId());
+    if (hasText) {
+      writable.writeString("text", encodingCache);
+      writable.writeString(value.getText(), encodingCache);
+    }
+    if (hasFile) {
+      writable.writeString("file", encodingCache);
+      writable.writeString(value.getFile(), encodingCache);
+    }
+    if (hasLine) {
+      writable.writeString("line", encodingCache);
+      writable.writeInt(value.getLine());
+    }
+    if (hasClass) {
+      writable.writeString("class_name", encodingCache);
+      writable.writeString(value.getClass_name(), encodingCache);
+    }
+    if (hasFunction) {
+      writable.writeString("function", encodingCache);
+      writable.writeString(value.getFunction(), encodingCache);
+    }
+  }
+}
@@ -0,0 +1,42 @@
+package datadog.communication.serialization.custom.stacktrace;
+
+import datadog.communication.serialization.EncodingCache;
+import datadog.communication.serialization.ValueWriter;
+import datadog.communication.serialization.Writable;
+import datadog.trace.util.Strings;
+import datadog.trace.util.stacktrace.StackTraceEvent;
+
+public class StackTraceEventWriter implements ValueWriter<StackTraceEvent> {
+
+  @Override
+  public void write(StackTraceEvent value, Writable writable, EncodingCache encodingCache) {
+    int mapSize = 1; // frames always present
+    boolean hasId = Strings.isNotBlank(value.getId());
+    boolean hasLanguage = Strings.isNotBlank(value.getLanguage());
+    boolean hasMessage = Strings.isNotBlank(value.getMessage());
+    if (hasId) {
+      mapSize++;
+    }
+    if (hasLanguage) {
+      mapSize++;
+    }
+    if (hasMessage) {
+      mapSize++;
+    }
+    writable.startMap(mapSize);
+    if (hasId) {
+      writable.writeString("id", encodingCache);
+      writable.writeString(value.getId(), encodingCache);
+    }
+    if (hasLanguage) {
+      writable.writeString("language", encodingCache);
+      writable.writeString(value.getLanguage(), encodingCache);
+    }
+    if (hasMessage) {
+      writable.writeString("message", encodingCache);
+      writable.writeString(value.getMessage(), encodingCache);
+    }
+    writable.writeString("frames", encodingCache);
+    writable.writeObject(value.getFrames(), encodingCache);
+  }
+}
@@ -1,5 +1,6 @@
 package datadog.communication.serialization.msgpack;
 
+import static datadog.trace.util.stacktrace.StackTraceEvent.DEFAULT_LANGUAGE;
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
@@ -12,12 +13,16 @@
 import datadog.communication.serialization.MessageFormatter;
 import datadog.communication.serialization.StreamingBuffer;
 import datadog.trace.bootstrap.instrumentation.api.UTF8BytesString;
+import datadog.trace.util.stacktrace.StackTraceEvent;
+import datadog.trace.util.stacktrace.StackTraceFrame;
 import java.io.IOException;
 import java.math.BigDecimal;
 import java.nio.ByteBuffer;
 import java.nio.CharBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -786,6 +791,177 @@ public void testStartStringHeader() {
     writer.writeStringHeader(0x10000);
   }
 
+  @Test
+  public void testStackTraceBatch() {
+    Map<String, List<StackTraceEvent>> batch = new HashMap<>();
+    batch.put("product_key", buildStacktraceEvents());
+    testStackTraceBatch(batch);
+  }
+
+  @Test
+  public void tesEmptyContentInStackTraceBatch() {
+    Map<String, List<StackTraceEvent>> batch = new HashMap<>();
+    testStackTraceBatch(batch);
+  }
+
+  @Test
+  public void testSimpleStackTraceEvent() {
+    final StackTraceFrame frame =
+        new StackTraceFrame(1, new StackTraceElement("class1", "method1", "file1", 1));
+    StackTraceEvent data = new StackTraceEvent(Collections.singletonList(frame), null, null, null);
+    MessageFormatter messageFormatter =
+        new MsgPackWriter(
+            newBuffer(
+                1000,
+                (messageCount, buffer) -> {
+                  MessageUnpacker unpacker = MessagePack.newDefaultUnpacker(buffer);
+                  try {
+                    checkStackTraceEvent(data, unpacker);
+                  } catch (IOException e) {
+                    Assertions.fail(e.getMessage());
+                  }
+                }));
+    messageFormatter.format(data, (x, w) -> w.writeObject(x, null));
+    messageFormatter.flush();
+  }
+
+  @Test
+  public void testSimpleStackTraceFrame() {
+    final StackTraceFrame frame = new StackTraceFrame(1, null, "null", -1, null, null);
+    MessageFormatter messageFormatter =
+        new MsgPackWriter(
+            newBuffer(
+                1000,
+                (messageCount, buffer) -> {
+                  MessageUnpacker unpacker = MessagePack.newDefaultUnpacker(buffer);
+                  try {
+                    checkStackTraceFrame(frame, unpacker);
+                  } catch (IOException e) {
+                    Assertions.fail(e.getMessage());
+                  }
+                }));
+    messageFormatter.format(frame, (x, w) -> w.writeObject(x, null));
+    messageFormatter.flush();
+  }
+
+  private void testStackTraceBatch(final Map<String, List<StackTraceEvent>> batch) {
+    MessageFormatter messageFormatter =
+        new MsgPackWriter(
+            newBuffer(
+                100000,
+                (messageCount, buffer) -> {
+                  MessageUnpacker unpacker = MessagePack.newDefaultUnpacker(buffer);
+                  try {
+                    checkStackTraceBatch(batch, unpacker);
+                  } catch (IOException e) {
+                    Assertions.fail(e.getMessage());
+                  }
+                }));
+    messageFormatter.format(batch, (x, w) -> w.writeObject(x, null));
+    messageFormatter.flush();
+  }
+
+  private void checkStackTraceBatch(
+      Map<String, List<StackTraceEvent>> batch, MessageUnpacker unpacker) throws IOException {
+
+    assertEquals(batch.size(), unpacker.unpackMapHeader());
+    if (batch.isEmpty()) {
+      return;
+    }
+    assertEquals("product_key", unpacker.unpackString());
+    List<StackTraceEvent> events = batch.get("product_key");
+    assertEquals(events.size(), unpacker.unpackArrayHeader());
+    for (StackTraceEvent event : events) {
+      checkStackTraceEvent(event, unpacker);
+    }
+  }
+
+  private void checkStackTraceEvent(StackTraceEvent event, MessageUnpacker unpacker)
+      throws IOException {
+    boolean hasId = event.getId() != null && !event.getId().isEmpty();
+    boolean hasLanguage = event.getLanguage() != null && !event.getLanguage().isEmpty();
+    boolean hasMessage = event.getMessage() != null && !event.getMessage().isEmpty();
+    int mapSize = 1 + (hasId ? 1 : 0) + (hasLanguage ? 1 : 0) + (hasMessage ? 1 : 0);
+    assertEquals(mapSize, unpacker.unpackMapHeader());
+    if (hasId) {
+      assertEquals("id", unpacker.unpackString());
+      assertEquals(event.getId(), unpacker.unpackString());
+    }
+    if (hasLanguage) {
+      assertEquals("language", unpacker.unpackString());
+      assertEquals(event.getLanguage(), unpacker.unpackString());
+    }
+    if (hasMessage) {
+      assertEquals("message", unpacker.unpackString());
+      assertEquals(event.getMessage(), unpacker.unpackString());
+    }
+    assertEquals("frames", unpacker.unpackString());
+    assertEquals(event.getFrames().size(), unpacker.unpackArrayHeader());
+    for (StackTraceFrame frame : event.getFrames()) {
+      checkStackTraceFrame(frame, unpacker);
+    }
+  }
+
+  private void checkStackTraceFrame(StackTraceFrame frame, MessageUnpacker unpacker)
+      throws IOException {
+    boolean hasText = frame.getText() != null && !frame.getText().isEmpty();
+    boolean hasFile = frame.getFile() != null && !frame.getFile().isEmpty();
+    boolean hasLine = frame.getLine() != null;
+    boolean hasClass = frame.getClass_name() != null && !frame.getClass_name().isEmpty();
+    boolean hasFunction = frame.getFunction() != null && !frame.getFunction().isEmpty();
+
+    int mapSize = 1; // id is always present
+    if (hasText) {
+      mapSize++;
+    }
+    if (hasFile) {
+      mapSize++;
+    }
+    if (hasLine) {
+      mapSize++;
+    }
+    if (hasClass) {
+      mapSize++;
+    }
+    if (hasFunction) {
+      mapSize++;
+    }
+    assertEquals(mapSize, unpacker.unpackMapHeader());
+    assertEquals("id", unpacker.unpackString());
+    assertEquals(frame.getId(), unpacker.unpackInt());
+    if (hasText) {
+      assertEquals("text", unpacker.unpackString());
+      assertEquals(frame.getText(), unpacker.unpackString());
+    }
+    if (hasFile) {
+      assertEquals("file", unpacker.unpackString());
+      assertEquals(frame.getFile(), unpacker.unpackString());
+    }
+    if (hasLine) {
+      assertEquals("line", unpacker.unpackString());
+      assertEquals(frame.getLine(), unpacker.unpackInt());
+    }
+    if (hasClass) {
+      assertEquals("class_name", unpacker.unpackString());
+      assertEquals(frame.getClass_name(), unpacker.unpackString());
+    }
+    if (hasFunction) {
+      assertEquals("function", unpacker.unpackString());
+      assertEquals(frame.getFunction(), unpacker.unpackString());
+    }
+  }
+
+  private List<StackTraceEvent> buildStacktraceEvents() {
+    final StackTraceFrame frame1 =
+        new StackTraceFrame(1, new StackTraceElement("class1", "method1", "file1", 1));
+    final StackTraceFrame frame2 =
+        new StackTraceFrame(2, new StackTraceElement("class2", "method2", "file2", 2));
+
+    return Arrays.asList(
+        new StackTraceEvent(Arrays.asList(frame1, frame2), DEFAULT_LANGUAGE, "id1", "event1"),
+        new StackTraceEvent(Arrays.asList(frame1, frame2), DEFAULT_LANGUAGE, "id2", "event2"));
+  }
+
   private StreamingBuffer newBuffer(int capacity, ByteBufferConsumer consumer) {
     return new FlushingBuffer(capacity, consumer);
   }
 
@@ -2,6 +2,7 @@
 
 import static com.datadog.iast.IastTag.Enabled.ANALYZED;
 import static datadog.trace.api.telemetry.LogCollector.SEND_TELEMETRY;
+import static datadog.trace.util.stacktrace.StackTraceEvent.DEFAULT_LANGUAGE;
 
 import com.datadog.iast.model.Vulnerability;
 import com.datadog.iast.model.VulnerabilityBatch;
@@ -12,6 +13,11 @@
 import datadog.trace.api.internal.TraceSegment;
 import datadog.trace.bootstrap.instrumentation.api.*;
 import datadog.trace.util.AgentTaskScheduler;
+import datadog.trace.util.stacktrace.StackTraceEvent;
+import datadog.trace.util.stacktrace.StackTraceFrame;
+import datadog.trace.util.stacktrace.StackUtils;
+import java.util.Collections;
+import java.util.List;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.TimeUnit;
@@ -29,6 +35,7 @@ public class Reporter {
   private static final String IAST_TAG = "iast";
 
   private static final String VULNERABILITY_SPAN_NAME = "vulnerability";
+  public static final String METASTRUCT_VULNERABILITY = "vulnerability";
 
   private final Predicate<Vulnerability> duplicated;
 
@@ -69,7 +76,27 @@ private void reportVulnerability(
     final VulnerabilityBatch batch = getOrCreateVulnerabilityBatch(span);
     if (batch != null) {
       batch.add(vulnerability);
+      if (Config.get().isIastStackTraceEnabled() && batch.getVulnerabilities() != null) {
+        String stackId =
+            addVulnerabilityStackTrace(span, String.valueOf(batch.getVulnerabilities().size()));
+        if (stackId != null) {
+          vulnerability.setStackId(stackId);
+        }
+      }
+    }
+  }
+
+  @Nullable
+  private static String addVulnerabilityStackTrace(@Nonnull AgentSpan span, String index) {
+    final RequestContext reqCtx = span.getRequestContext();
+    if (reqCtx == null) {
+      return null;
     }
+    List<StackTraceFrame> frames = StackUtils.generateUserCodeStackTrace();
+    StackTraceEvent stackTraceEvent = new StackTraceEvent(frames, DEFAULT_LANGUAGE, index, null);
+    StackUtils.addStacktraceEventsToMetaStruct(
+        reqCtx, METASTRUCT_VULNERABILITY, Collections.singletonList(stackTraceEvent));
+    return stackTraceEvent.getId();
   }
 
   @Nullable