chore(telemetry): telemetry log messages must be constant (#14642)

Last PR in a list of 3 PRs to achieved requirements listed
[here](https://docs.google.com/document/d/16SFeOp7yxzT6dM1O0TKtWkgDsiq6SeV8P_MAYboCdOI/edit?tab=t.gho5ikpq9hed).

See: #14639.
See: #14641 

# Constant log message enforcement

Every log.error() messages are by default reported to telemetry. Message
reported to telemetry must be constant.

A check was added in CI (you can test it by running `hatch run
lint:error-log-check`): you will not be able to merge a PR that sends a
non constant message to telemetry.
You are two ways to still doing that:
- `log.error("my message", extra={"send_to_telemetry"=False})`: this
will only log the message and not sending it to telemetry.
- add an exception in `check_constant_log_message.py`. The reason should
be added in a comment and is only valid if you are 100% that the message
is constant or the log.error will not send telemetry. For instance in a
file of the debugger, log.error will eventually call log.debug.

Note that `log.error("my message with: %s", "something")` is valid but
only "my messag with %s", will be sent to telemetry.

## Checklist
- [X] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Author: dubloom

ddtrace/appsec/_iast/_taint_tracking/_taint_objects_base.py

@@ -72,7 +72,7 @@ def get_tainted_ranges(pyobject: Any) -> Tuple:
     try:
         return get_ranges(pyobject)
     except ValueError as e:
-        iast_propagation_error_log(f"get_tainted_ranges error (pyobject type {type(pyobject)}): {e}")
+        iast_propagation_error_log(f"get_tainted_ranges error (pyobject type {type(pyobject)})", exc=e)
     return tuple()
 
 
@@ -83,5 +83,5 @@ def is_pyobject_tainted(pyobject: Any) -> bool:
     try:
         return is_in_taint_map(pyobject)
     except ValueError as e:
-        iast_propagation_error_log(f"Checking tainted object error: {e}")
+        iast_propagation_error_log("Checking tainted object error", exc=e)
     return False

ddtrace/contrib/internal/botocore/services/bedrock_agents.py

@@ -38,8 +38,8 @@ def __iter__(self):
             response = _process_streamed_response_chunks(chunks)
             try:
                 self._dd_integration.translate_bedrock_traces(traces, self._dd_span)
-            except Exception as e:
-                log.error("Error translating Bedrock traces: %s", e, exc_info=True)
+            except Exception:
+                log.error("Error translating Bedrock traces", exc_info=True)
             self._dd_integration.llmobs_set_tags(self._dd_span, self._args, self._kwargs, response, operation="agent")
             self._dd_span.finish()
 

ddtrace/debugging/_debugger.py

@@ -366,7 +366,7 @@ def _probe_injection_hook(self, module: ModuleType) -> None:
                         f"Cannot install probe {probe.probe_id}: "
                         f"no functions at line {line} within source file {module_origin} found"
                     )
-                log.error(message)
+                log.error(message, extra={"send_to_telemetry": False})
                 self._probe_registry.set_error(probe, "NoFunctionsAtLine", message)
                 continue
             for function in (cast(FullyNamedContextWrappedFunction, _) for _ in functions):
@@ -487,7 +487,7 @@ def _probe_wrapping_hook(self, module: ModuleType) -> None:
                     "found (note: if the function exists, it might be decorated with an unsupported decorator)"
                 )
                 self._probe_registry.set_error(probe, "NoFunctionInModule", message)
-                log.error(message)
+                log.error(message, extra={"send_to_telemetry": False})
                 continue
 
             if DebuggerWrappingContext.is_wrapped(function):

ddtrace/internal/telemetry/logging.py

@@ -14,4 +14,5 @@ def emit(self, record: logging.LogRecord) -> None:
         - Log all records with a level of ERROR or higher with telemetry
         """
         if record.levelno >= logging.ERROR:
-            self.telemetry_writer.add_error_log(record.msg, record.exc_info)
+            if getattr(record, "send_to_telemetry", None) in (None, True):
+                self.telemetry_writer.add_error_log(record.msg, record.exc_info)

ddtrace/internal/telemetry/writer.py

@@ -743,7 +743,8 @@ def _telemetry_excepthook(self, tp, value, root_traceback):
             lineno = traceback.tb_frame.f_code.co_firstlineno
             filename = traceback.tb_frame.f_code.co_filename
 
-            self.add_error_log("Unhandled exception from ddtrace code", (tp, None, root_traceback))
+            if "ddtrace/" in filename:
+                self.add_error_log("Unhandled exception from ddtrace code", (tp, None, root_traceback))
 
             dir_parts = filename.split(os.path.sep)
             # Check if exception was raised in the  `ddtrace.contrib` package

ddtrace/internal/writer/writer.py

@@ -330,7 +330,7 @@ def _send_payload(self, payload: bytes, count: int, client: WriterClientBase) ->
                 else:
                     log_args += (payload,)
 
-            log.error(msg, *log_args)
+            log.error(msg, *log_args, extra={"send_to_telemetry": False})
             self._metrics_dist("http.dropped.bytes", len(payload))
             self._metrics_dist("http.dropped.traces", count)
         return response
@@ -1052,7 +1052,7 @@ def _flush_single_payload(
                 msg += ", payload %s"
                 log_args += (binascii.hexlify(encoded).decode(),)  # type: ignore
 
-            log.error(msg, *log_args)
+            log.error(msg, *log_args, extra={"send_to_telemetry": False})
 
     def periodic(self):
         self.flush_queue(raise_exc=False)

ddtrace/vendor/ply/yacc.py

@@ -3177,7 +3177,7 @@ def validate_pfunctions(self):
                     for g in parsed_g:
                         grammar.append((name, g))
                 except SyntaxError as e:
-                    self.log.error(str(e))
+                    self.log.error(str(e), extra={"send_to_telemetry": False})
                     self.error = True
 
                 # Looks like a valid grammar rule
@@ -3351,7 +3351,7 @@ def yacc(method='LALR', debug=yaccdebug, module=None, tabmodule=tab_module, star
         else:
             grammar.set_start(start)
     except GrammarError as e:
-        errorlog.error(str(e))
+        errorlog.error(str(e), extra={"send_to_telemetry": False})
         errors = True
 
     if errors:

hatch.toml

@@ -56,6 +56,7 @@ checks = [
     "security",
     "test",
     "suitespec-check",
+    "error-log-check",
     "sg",
     "sg-test",
 ]
@@ -77,6 +78,9 @@ riot = [
 suitespec-check = [
     "python scripts/check_suitespec_coverage.py"
 ]
+error-log-check = [
+    "python scripts/check_constant_log_message.py"
+]
 sg = [
     "ast-grep scan {args:.}",
 ]

scripts/check_constant_log_message.py

@@ -0,0 +1,123 @@
+"""
+Check that log.error() and add_error_log calls use constant string literals as first argument.
+This script scans all Python files in ddtrace/ and reports violations.
+Exceptions can be specified in the EXCEPTIONS set using:
+- "filepath:line" to exclude a specific line in a file
+"""
+
+import ast
+import pathlib
+import sys
+from typing import List
+from typing import Tuple
+
+
+# Line-specific exceptions to exclude from checking
+# Format: "filepath:line" to exclude a specific line in a file
+EXCEPTIONS = {
+    # only constant message can be log.error()
+    "ddtrace/internal/telemetry/logging.py:18",
+    # log.exception calls use constant messages
+    "ddtrace/contrib/internal/aws_lambda/patch.py:36",
+    # log.error in _probe/registry.py ends up with a log.debug()
+    "ddtrace/debugging/_probe/registry.py:137",
+    "ddtrace/debugging/_probe/registry.py:146",
+    # we added a constant check for the wrapping method of add_error_log
+    "ddtrace/appsec/_iast/_metrics.py:53",
+    # we added a constant check for the wrapping method of iast_error
+    "ddtrace/appsec/_iast/_logs.py:41",
+    "ddtrace/appsec/_iast/_logs.py:45",
+    # the non constant part is an object type
+    "ddtrace/appsec/_iast/_taint_tracking/_taint_objects_base.py:75",
+}
+
+
+class LogMessageChecker(ast.NodeVisitor):
+    def __init__(self, filepath: str):
+        self.filepath = filepath
+        self.errors: List[Tuple[int, int]] = []
+
+    def _has_send_to_telemetry_false(self, node: ast.Call) -> bool:
+        """Check if the call has extra={'send_to_telemetry': False}."""
+        for keyword in node.keywords:
+            if keyword.arg == "extra" and isinstance(keyword.value, ast.Dict):
+                for key, value in zip(keyword.value.keys, keyword.value.values):
+                    if (
+                        isinstance(key, ast.Constant)
+                        and key.value == "send_to_telemetry"
+                        and isinstance(value, ast.Constant)
+                        and value.value is False
+                    ):
+                        return True
+        return False
+
+    def visit_Call(self, node: ast.Call) -> None:
+        """Check if this is a log.error(), add_error_log, or iast_error call with non-constant first arg."""
+        fn = node.func
+
+        # Check for add_error_log calls
+        is_add_integration_error = isinstance(fn, ast.Attribute) and fn.attr == "add_error_log"
+        # Check for log.error() calls (simple check for .error() on any variable)
+        is_log_error = isinstance(fn, ast.Attribute) and (fn.attr == "error" or fn.attr == "exception")
+        # Check for iast_error calls
+        is_iast_log = isinstance(fn, ast.Name) and (
+            fn.id == "iast_error"
+            or fn.id == "iast_instrumentation_ast_patching_errorr_log"
+            or fn.id == "iast_propagation_error_log"
+        )
+        is_target = is_add_integration_error or is_log_error or is_iast_log
+
+        if is_target and node.args:
+            msg = node.args[0]
+            is_constant_string = isinstance(msg, ast.Constant) and isinstance(msg.value, str)
+
+            # Skip constant string check if send_to_telemetry is False for log.error/exception calls
+            if not is_constant_string and is_log_error and self._has_send_to_telemetry_false(node):
+                pass
+            elif not is_constant_string and not self._is_line_exception(node.lineno):
+                self.errors.append((node.lineno, node.col_offset))
+
+        self.generic_visit(node)
+
+    def _is_line_exception(self, line_no: int) -> bool:
+        """Check if this specific line is in the exceptions list."""
+        return f"{str(self.filepath)}:{line_no}" in EXCEPTIONS
+
+
+def check_file(filepath: pathlib.Path) -> List[Tuple[int, int]]:
+    try:
+        source = filepath.read_text(encoding="utf-8")
+        tree = ast.parse(source, filename=str(filepath))
+        checker = LogMessageChecker(str(filepath))
+        checker.visit(tree)
+        return checker.errors
+    except (OSError, UnicodeDecodeError) as e:
+        print(f"Error reading {filepath}: {e}", file=sys.stderr)
+        return []
+    except SyntaxError as e:
+        print(f"Syntax error in {filepath}:{e.lineno}:{e.offset}: {e.msg}", file=sys.stderr)
+        return []
+
+
+def main() -> int:
+    contrib_path = pathlib.Path("ddtrace")
+    python_files = list(contrib_path.rglob("*.py"))
+
+    total_errors = 0
+
+    for filepath in python_files:
+        errors = check_file(filepath)
+        for line_no, col_no in errors:
+            print(f"{filepath}:{line_no}:{col_no}: " "LOG001 first argument to logging call must be a constant string")
+            total_errors += 1
+
+    if total_errors > 0:
+        print(f"\nFound {total_errors} violation(s)", file=sys.stderr)
+        return 1
+
+    print("All logging calls use constant strings ✓")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

scripts/gen_gitlab_config.py

@@ -265,6 +265,11 @@ def check(name: str, command: str, paths: t.Set[str]) -> None:
         command="hatch run lint:suitespec-check",
         paths={"*"},
     )
+    check(
+        name="Check integration error logs",
+        command="hatch run lint:error-log-check",
+        paths={"ddtrace/contrib/**/*.py"},
+    )
     if not checks:
         return