Merge remote-tracking branch 'origin/master' into malvarez/api-10-redirect-support

Author: manuel-alvarez-alvarez

.github/workflows/analyze-changes.yaml

@@ -20,7 +20,7 @@ jobs:
         with:
           submodules: 'recursive'
       - name: Cache Gradle dependencies
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         with:
           path: |
             ~/.gradle/caches
@@ -30,7 +30,7 @@ jobs:
             ${{ runner.os }}-gradle-
         
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
+        uses: github/codeql-action/init@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
         with:
           languages: 'java'
           build-mode: 'manual'
@@ -49,7 +49,7 @@ jobs:
             --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Perform CodeQL Analysis and upload results to GitHub Security tab
-        uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
+        uses: github/codeql-action/analyze@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
 
   trivy:
     name: Analyze changes with Trivy
@@ -66,7 +66,7 @@ jobs:
           submodules: 'recursive'
 
       - name: Cache Gradle dependencies
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         with:
           path: |
             ~/.gradle/caches
@@ -114,7 +114,7 @@ jobs:
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
+        uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/run-system-tests.yaml

@@ -31,7 +31,7 @@ jobs:
           fetch-depth: 0
 
       - name: Cache Gradle dependencies
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         with:
           path: |
             ~/.gradle/caches
@@ -54,7 +54,7 @@ jobs:
             --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Upload artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: binaries
           path: workspace/dd-java-agent/build/libs/

…re/database/SharedDBCommenterTest.groovy …n/dbm/SharedDBCommenterForkedTest.groovydd-trace-core/src/test/groovy/datadog/trace/core/database/SharedDBCommenterTest.groovy renamed to dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/dbm/SharedDBCommenterForkedTest.groovy dd-trace-core/src/test/groovy/datadog/trace/core/database/SharedDBCommenterTest.groovy renamed to dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/dbm/SharedDBCommenterForkedTest.groovy

@@ -1,9 +1,8 @@
-package datadog.trace.core.database
+package datadog.trace.bootstrap.instrumentation.dbm
 
-import datadog.trace.bootstrap.instrumentation.dbm.SharedDBCommenter
 import spock.lang.Specification
 
-class SharedDBCommenterTest extends Specification {
+class SharedDBCommenterForkedTest extends Specification {
   def setup() {
     System.setProperty("dd.service.name", "test-service")
     System.setProperty("dd.env", "test-env")

dd-java-agent/instrumentation/jsp-2.3/src/main/java/datadog/trace/instrumentation/jsp/JSPDecorator.java

@@ -5,12 +5,9 @@
 import datadog.trace.bootstrap.instrumentation.api.UTF8BytesString;
 import datadog.trace.bootstrap.instrumentation.decorator.BaseDecorator;
 import java.net.URI;
-import java.net.URISyntaxException;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.jsp.HttpJspPage;
 import org.apache.jasper.JspCompilationContext;
-import org.slf4j.LoggerFactory;
 
 public class JSPDecorator extends BaseDecorator {
   public static final CharSequence JSP_COMPILE = UTF8BytesString.create("jsp.compile");
@@ -68,11 +65,14 @@ public void onRender(final AgentSpan span, final HttpServletRequest req) {
     // HttpServletRequest#getRequestURL(),
     // normalizing the URL should remove those symbols for readability and consistency
     try {
-      span.setTag(
-          "jsp.requestURL", (new URI(req.getRequestURL().toString())).normalize().toString());
-    } catch (final URISyntaxException uriSE) {
-      LoggerFactory.getLogger(HttpJspPage.class)
-          .debug("Failed to get and normalize request URL: {}", uriSE.getMessage());
+      // note: getRequestURL is supposed to always be nonnull - however servlet wrapping can happen
+      // and we never know if ever this can happen
+      final StringBuffer requestURL = req.getRequestURL();
+      if (requestURL != null && requestURL.length() > 0) {
+        span.setTag("jsp.requestURL", (new URI(requestURL.toString())).normalize().toString());
+      }
+    } catch (final Throwable ignored) {
+      // logging here will be too verbose
     }
   }
 }

dd-java-agent/instrumentation/spring/spring-messaging-4.0/src/main/java/datadog/trace/instrumentation/springmessaging/SpringMessageExtractAdapter.java

@@ -10,6 +10,7 @@
 import java.util.Map;
 import java.util.function.Function;
 import org.springframework.messaging.Message;
+import org.springframework.messaging.MessageHeaders;
 
 public final class SpringMessageExtractAdapter
     implements AgentPropagation.ContextVisitor<Message<?>> {
@@ -33,7 +34,12 @@ public String apply(String key) {
 
   @Override
   public void forEachKey(Message<?> carrier, AgentPropagation.KeyClassifier classifier) {
-    for (Map.Entry<String, ?> header : carrier.getHeaders().entrySet()) {
+    final MessageHeaders messageHeaders = carrier.getHeaders();
+    if (messageHeaders == null || messageHeaders.isEmpty()) {
+      return;
+    }
+
+    for (Map.Entry<String, ?> header : messageHeaders.entrySet()) {
       Object headerValue = header.getValue();
       if ("_datadog".equals(header.getKey())) {
         if (headerValue instanceof String) {

dd-java-agent/instrumentation/tomcat/tomcat-9.0/src/main/java/datadog/trace/instrumentation/tomcat9/WebappClassLoaderInstrumentation.java

@@ -41,7 +41,7 @@ public static void onContextAvailable(
         @Advice.This final WebappClassLoaderBase classLoader,
         @Advice.Argument(0) final WebResourceRoot webResourceRoot) {
       // at this moment we have the context set in this classloader, hence its name
-      final Context context = webResourceRoot.getContext();
+      final Context context = webResourceRoot != null ? webResourceRoot.getContext() : null;
       if (context == null) {
         return;
       }

remote-config/remote-config-core/src/main/java/datadog/remoteconfig/state/ProductState.java

@@ -58,8 +58,10 @@ public boolean apply(
     errors = null;
 
     List<ParsedConfigKey> configBeenUsedByProduct = new ArrayList<>();
+    List<ParsedConfigKey> changedKeys = new ArrayList<>();
     boolean changesDetected = false;
 
+    // Step 1: Detect all changes
     for (ParsedConfigKey configKey : relevantKeys) {
       try {
         RemoteConfigResponse.Targets.ConfigTarget target =
@@ -68,14 +70,28 @@ public boolean apply(
 
         if (isTargetChanged(configKey, target)) {
           changesDetected = true;
-          byte[] content = getTargetFileContent(fleetResponse, configKey);
-          callListenerApplyTarget(fleetResponse, hinter, configKey, content);
+          changedKeys.add(configKey);
         }
       } catch (ReportableException e) {
         recordError(e);
       }
     }
 
+    // Step 2: For products other than ASM_DD, apply changes immediately
+    if (product != Product.ASM_DD) {
+      for (ParsedConfigKey configKey : changedKeys) {
+        try {
+          byte[] content = getTargetFileContent(fleetResponse, configKey);
+          callListenerApplyTarget(fleetResponse, hinter, configKey, content);
+        } catch (ReportableException e) {
+          recordError(e);
+        }
+      }
+    }
+
+    // Step 3: Remove obsolete configurations (for all products)
+    // For ASM_DD, this is critical: removes MUST happen before applies to prevent
+    // duplicate rule warnings from the ddwaf rule parser and causing memory spikes.
     List<ParsedConfigKey> keysToRemove =
         cachedTargetFiles.keySet().stream()
             .filter(configKey -> !configBeenUsedByProduct.contains(configKey))
@@ -86,6 +102,22 @@ public boolean apply(
       callListenerRemoveTarget(hinter, configKey);
     }
 
+    // Step 4: For ASM_DD, apply changes AFTER removes
+    // TODO: This is a temporary solution. The proper fix requires better synchronization
+    // between remove and add/update operations. This should be discussed
+    // with the guild to determine the best long-term design approach.
+    if (product == Product.ASM_DD) {
+      for (ParsedConfigKey configKey : changedKeys) {
+        try {
+          byte[] content = getTargetFileContent(fleetResponse, configKey);
+          callListenerApplyTarget(fleetResponse, hinter, configKey, content);
+        } catch (ReportableException e) {
+          recordError(e);
+        }
+      }
+    }
+
+    // Step 5: Commit if there were changes
     if (changesDetected) {
       try {
         callListenerCommit(hinter);