This version comes with the Application Security (AppSec) public beta, which includes broader security coverage of HTTP servers, now also extended to gRPC servers. It is powered by new security rules that allow monitoring OWASP Top 10 attack attempts, such as SQL injections, Log4Shell and Server-Side Request Forgeries.
It also includes many APM tracing improvements, along with a fix for a regression introduced in v1.35.0.
Features
AppSec
- contrib/go-chi: integrate AppSec monitoring of HTTP requests and responses (#1130)
- contrib/google.golang.org/grpc: monitor received RPC messages (#1105)
- internal/appsec: monitor HTTP response status codes (#1096)
- internal/appsec: enhanced monitoring of HTTP cookies (#1108)
- internal/appsec: monitor URL parameters of HTTP requests (#1106)
- internal/appsec: log HTTP response headers into request spans on security events (#1107)
- internal/appsec: rate-limit AppSec traces to 100 per second (#1131)
APM Tracer
- contrib/gocql/gocql: support Scanner and Batch (#1117) (Thanks @jack-at-circle)
- contrib/go-chi: option to ignore requests (#1124) (Thanks @Anvay-Rajhansa)
- contrib/net/http: use ignoreRequest in WrapHandler (#1049)
- contrib/labstack/{echo, echo.v4}: add support for noDebugStack (#1097)
- contrib/google.golang.org/grpc: Fallback to GlobalConfig serviceName if missing (#1027) (Thanks @vasyharan)
- contrib/net/http: Add TraceAndServe and TraceConfig from contrib/internal/httputil (#1063) (Thanks @soh335)
- ddtrace/tracer: Use DD_AGENT_HOST to set trace agent hostname before querying the trace-agent for its features (#1126) (Thanks @carflo)
- ddtrace/tracer: fix tracer.StartSpanFromContext race condition on opts arg (#1127)
- ddtrace/tracer: propagate _dd.p.upstream_services tags (#1082)
Profiler
- profiler: log configuration at profiling start (#1114)
Fixes
- ddtrace/tracer: only drop P0s when client-side stats are enabled (#1139)
To view all changes, check out the list of commits and the 1.36.0 milestone.