Upgrade Notes
- ASM
-
With this upgrade, you can now control how the stack trace report are cropped when reported for exploit prevention or IAST.
DD_APPSEC_MAX_STACK_TRACE_DEPTH
allowed to control the maximum stack trace size reported (default 32)DD_APPSEC_MAX_STACK_TRACE_DEPTH_TOP_PERCENT
allows now to specify how the stack trace is cropped as a percentage.
For example, a value of 100 will report the top DD_APPSEC_MAX_STACK_TRACE_DEPTH frames from the stack, while a value of 0 will report the bottom DD_APPSEC_MAX_STACK_TRACE_DEPTH frames of the trace. A value of 50 will report half of DD_APPSEC_MAX_STACK_TRACE_DEPTH (rounded down) frames from the top of the stack and the rest from bottom. Default value is 75.
-
Upgrades
libddwaf
to 1.22.0 -
Upgrades
libddwaf
to 1.21.0 and security rule file to 1.13.3
-
Deprecation Notes
- Python 3.7 support is deprecated and will be removed in 3.0
New Features
-
CI Visibility
-
Beta release of the new version of the pytest plugin, introducing the following features:
- Auto Test Retries
- Early Flake Detection
- Improved coverage collection for Test Impact Analysis (formerly Intelligent Test Runner) now uses an internal collection method instead of coverage.py, with improved dependency discovery.
Set the
DD_PYTEST_USE_NEW_PLUGIN_BETA
environment variable totrue
to use this new version.NOTE: this new version of the plugin introduces breaking changes:
module
,suite
, andtest
names are now parsed from theitem.nodeid
attribute- test names now include the class for class-based tests
- Test skipping by Test Impact Analysis (formerly Intelligent Test Runner) is now done at the suite level, instead of at the test level
-
-
Adds support for Selenium and RUM integration
-
Code Security
-Introduces "Standalone Code Security", a feature that disables APM in the tracer but keeps Code Security (IAST) enabled. In order to enable it, set the environment variablesDD_IAST_ENABLED=1
andDD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED=1
. -
LLM Observability
- Adds support to automatically submit Vertex AI Python calls to LLM Observability.
vertexai
: Introduces tracing support for Google's Vertex AI SDK for Python'sgenerate_content
andsend_message
calls. See the docs for more information.
-
Profiling
- Profiler uses agent url configured via
tracer.configure()
- Profiler uses agent url configured via
Bug Fixes
-
ASM
- Rnsures that common patches for exploit prevention and sca are only loaded if required, and only loaded once.
- Resolves an issue where AppSec was using a patched JSON loads, creating telemetry errors.
- Resolves an issue where some root span where not appropriately tagged for ASM standalone.
-
CI Visibility
- Fixes an issue where the CIVisbility service would incorrectly default the tracer env to
None
in EVP proxy mode ifDD_ENV
was not specified but the agent had a default environment set to a value other thannone
(eg: usingDD_APM_ENV
in the agent's environment). - Updates the inferred base service name algorithm to ensure that arguments following
--ddtrace
are no longer skipped when executing tests with pytest. Previously, the algorithm misinterpreted these arguments as standard flags, overlooking possible test paths that may contribute to the inferred service name.
- Fixes an issue where the CIVisbility service would incorrectly default the tracer env to
-
Code Security
- Patches the module dir function so original pre-patch results are not changed.
- Resolves a patching issue with
psycopg3
. - This fix resolves an issue where the modulo (%) operator would not be replaced correctly for bytes and bytesarray if IAST is enabled.
- Ensures IAST SSRF vulnerability redacts the url query parameters correctly.
- Adds
umap
,numba
andpynndescent
to the Code Security denylist.
-
Crashtracking
- Resolves issue where the crashtracker receiver may leave a zombie process behind after a crash.
-
Lib-Injection
- Ensures any user defined
sitecustomize.py
are preserved when auto-injecting. - Supports Python 2.7+ for injection compatibility check.
- Resolves an issue where the default versions of
click
andjinja2
installed on 3.8 were outside of the allowed minimum versions for autoinstrumentation.
- Ensures any user defined
-
LLM Observability
- Ensures bedrock spans are finished even when streamed responses are not fully consumed.
langchain
: Resolves a JSON decoding issue resulting from tagging streamed outputs from chains ending with a PydanticOutputParser.- Fixes an issue where decorators were not tracing generator functions properly.
-
Profiling
- Updates setup.py to ignore int-ptr conversion warnings for the profiler stack.pyx file. This is important because gcc 14 makes these conversions an error, alpine 3.21.0 ships with gcc 14, and any patch version of a Python alpine image cut after December 5th, 2024, will have this issue.
- Fixes unbounded memory usage growth caused by keeping arbitrary user-generated strings (e.g. asyncio Task names) in an internal table and never removing them.
- Fixes an issue where
asyncio
task names are not properly propagated when using stack v2, i.e. whenDD_PROFILING_STACK_V2_ENABLED
is set. Fixes an issue whereasyncio
tasks are not associated with spans when using stack v2, i.e. whenDD_PROFILING_STACK_V2_ENABLED
is set.
-
Telemetry
-
Ensures that Telemetry heartbeats are not skipped for forked processes, as doing so could result in the dependency list being lost over time.
-
Tracing
botocore
: This fix resolves an issue in the Bedrock integration where not consuming the full response stream would prevent spans from finishing.botocore
: This fix resolves the issue where the span pointer for deserialized DynamoDB requests (through the resource-based API) were not being generated.botocore
: This fix resolves an issue where our span pointer calculation code added recently logged unactionable messages.celery
: This fix resolves two issues with context propagation in celery- Invalid span parentage when task A calls task B async and task A errors out, causing A's queuing of B, and B itself to not be parented under A.
- Invalid context propagation from client to workers, and across retries, causing multiple traces instead of a single trace
celery
: Changes celeryout.host
span tag to point towards broker host url instead of local celery process hostname. Fixes inferred service representation issues when using celery.grpcaio
: Resolves a concurrency bug where distributed tracing headers were overwritten resulting in spans being assigned to the wrong trace.kafka
: Fixes an issue with Kafka consumer spans not using the active trace context when distributed tracing was enabled and no valid distributed context found was found within a consumed message.
Other Changes
- Tracing
- Removed x-forwarded from headers used for client IP resolution (but not from collected headers). We lack evidence of actual usage, and whether this should follow RFC 7239 or regular XFF list format.