APMSP-1241 Directly import trace-agent stats code for client-side stats #2817
go.mod
google.golang.org/grpc v1.57.1 | ||
google.golang.org/protobuf v1.33.0 | ||
google.golang.org/api v0.169.0 | ||
google.golang.org/grpc v1.64.0 |
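Review bot: the last line pins google.golang.org/grpc at v1.64.0, the one release the advisory on this thread lists as affected by gRPC metadata appearing in logged contexts. Moving the pin to v1.64.1, which is listed as patched and stays on the same minor release, clears the finding; the same v1.64.0 pin recurs in internal/apps/go.mod and internal/exectracetest/go.mod.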
🟡 Library Vulnerability
google.golang.org/grpc → 1.64.0
Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go
Impact
This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.
Patches
The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0
Workarounds
If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.
Benchmarks
Benchmark execution time: 2024-10-31 09:31:26
Comparing candidate commit 9c2328e in PR branch
Found 4 performance improvements and 1 performance regressions! Performance is the same for 53 metrics, 1 unstable metrics.
scenario:BenchmarkOTelApiWithCustomTags/datadog_otel_api-24
scenario:BenchmarkOTelApiWithCustomTags/otel_api-24
scenario:BenchmarkSetTagStringer-24
scenario:BenchmarkStartSpanConcurrent-24
internal/apps/go.mod
golang.org/x/text v0.16.0 // indirect | ||
golang.org/x/tools v0.23.0 // indirect | ||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 // indirect | ||
google.golang.org/grpc v1.64.0 // indirect |
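Review bot: google.golang.org/grpc v1.64.0 on the last line is marked // indirect, so the version is set by another requirement rather than by an import in this module. Raising this line to v1.64.1, listed as patched in the advisory on this thread, still takes effect, because an indirect require sets a minimum version like any other.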
🟡 Library Vulnerability
google.golang.org/grpc → 1.64.0
Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go
Impact
This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.
Patches
The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0
Workarounds
If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.
internal/exectracetest/go.mod
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect | ||
google.golang.org/protobuf v1.33.0 // indirect | ||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 // indirect | ||
google.golang.org/grpc v1.64.0 // indirect |
🟡 Library Vulnerability
google.golang.org/grpc → 1.64.0
Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go
Impact
This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.
Patches
The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0
Workarounds
If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.
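An added example, not part of this PR or of dd-trace-go: a Go check that flags a go.mod requiring google.golang.org/grpc at v1.64.0, the release the advisory comments above name as affected, in both single-line and block require forms. The names ScanGoMod and Finding and the sample go.mod are assumptions made up for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Per the advisory above, only 1.64.0 is affected (patched in 1.64.1 and 1.65.0).
const grpcModule, affected = "google.golang.org/grpc", "v1.64.0"

// Finding is a require line that pins grpc at the affected release.
type Finding struct {
	Line     int
	Indirect bool
}

// ScanGoMod checks single-line and block require directives in a go.mod
// body; replace directives are not resolved here.
func ScanGoMod(body string) []Finding {
	var out []Finding
	inBlock := false
	for i, raw := range strings.Split(body, "\n") {
		line, comment, _ := strings.Cut(strings.TrimSpace(raw), "//")
		line = strings.TrimSpace(line)
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
			fallthrough
		case inBlock:
			f := strings.Fields(line)
			if len(f) == 2 && f[0] == grpcModule && f[1] == affected {
				out = append(out, Finding{i + 1, strings.Contains(comment, "indirect")})
			}
		}
	}
	return out
}

// sample is a go.mod constructed for this example from lines shown on the page.
const sample = "module example.test/app\n\nrequire google.golang.org/api v0.169.0\n\n" +
	"require (\n\tgolang.org/x/text v0.16.0 // indirect\n\tgoogle.golang.org/grpc v1.64.0 // indirect\n)\n"

func main() {
	fmt.Printf("%+v\n", ScanGoMod(sample))
}
```

A require line is only a minimum; `go list -m google.golang.org/grpc` run inside the module reports the version the build actually selects.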
ed5d824 to cfe668d
…agent The dd-agent and google.golang.org/api both rely on google.golang.org/grpc, the old version of the api package forces a downgrade of the datadog-agent which breaks the build.
Approving on behalf of appsec only for appsec code. Thanks for starting out the migration to rolling out go 1.21 👍
This PR is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 10 days.
@ajgajg1134 Was the agent released? When will this be able to be merged?
The current ETA for agent release is TOMORROW! 🎉
WIP: This PR should be updated to point to the released v0.58 version of the trace-agent when it is available and then should be ready for merge. However this code is very unlikely to change other than changing the go.mod version so it should be safe to review now with minimal disruption.
What does this PR do?
Begin using the trace-agent's Concentrator instead of our own (mostly copied) implementation from the trace-agent.
Unfortunately there are some additional changes needed here, like updating to go 1.22, as that's the minimum supported version of the trace-agent (but this is aligned with dd-trace-go's published version support policy). Additionally the google.golang.org/api contrib needed to be updated to support the more recent versions required by the trace-agent. I believe these imports / upgrades are ok but if we need to target a smaller import and modularize some more of the trace-agent to reduce impact here just let me know!
Motivation
Some new features introduced in the trace-agent concentrator have been missed here over time and this brings back feature parity when using client side stats (e.g. peer tags aggregation, marking trace root spans). We will eventually be enabling client stats by default (as it's more efficient!) and this is a required step to ensure that we don't break important stats features.