Merge branch 'master' into codex/find-and-fix-critical-bug-in-dd-java-agent/agent-iast

Author: smola

.circleci/upload_ciapp.sh

@@ -20,6 +20,7 @@ java_prop() {
 # Upload test results to CI Visibility
 junit_upload() {
     # based on tracer implementation: https://github.com/DataDog/dd-trace-java/blob/master/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/TestDecorator.java#L55-L77
+    # Overwriting the tag with the GitHub repo URL instead of the GitLab one. Otherwise, some Test Optimization features won't work.
     DD_API_KEY=$1 \
         datadog-ci junit upload --service $SERVICE_NAME \
         --logs \
@@ -30,6 +31,7 @@ junit_upload() {
         --tags "os.architecture:$(java_prop os.arch)" \
         --tags "os.platform:$(java_prop os.name)" \
         --tags "os.version:$(java_prop os.version)" \
+        --tags "git.repository_url:https://github.com/DataDog/dd-trace-java" \
         ./results
 }
 

.github/workflows/README.md

@@ -115,16 +115,6 @@ _Action:_
 
 _Notes:_ Results are sent on both production and staging environments.
 
-### check-ci-pipelines [🔗](check-ci-pipelines.yaml)
-
-_Trigger:_ When opening or updating a PR.
-
-_Action:_ This action will check all other continuous integration jobs (Github action, Gitlab, CircleCi), and will fail if any of them fails.
-The purpose of this job is to be required for PR merges, achieving Green CI Policy.
-It got an `ignored` parameters to exclude some jobs if they are temprorary failing.
-
-_Recovery:_ Manually trigger the action on the desired branch.
-
 ### comment-on-submodule-update [🔗](comment-on-submodule-update.yaml)
 
 _Trigger:_ When creating a PR commits to `master` or a `release/*` branch with a Git Submodule update.

.github/workflows/analyze-changes.yaml

@@ -40,7 +40,7 @@ jobs:
             ${{ runner.os }}-gradle-
         
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
         with:
           languages: 'java'
           build-mode: 'manual'
@@ -57,7 +57,7 @@ jobs:
             --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Perform CodeQL Analysis and upload results to GitHub Security tab
-        uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
 
   trivy:
     name: Analyze changes with Trivy
@@ -122,7 +122,7 @@ jobs:
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/check-ci-pipelines.yml

@@ -62,3 +62,12 @@ jobs:
       scenarios_groups: tracer-release
       excluded_scenarios: CROSSED_TRACING_LIBRARIES,INTEGRATIONS_AWS,APM_TRACING_E2E_OTEL,APM_TRACING_E2E_SINGLE_SPAN,PROFILING  # require AWS and datadog credentials 
       skip_empty_scenarios: true
+
+  # Ensure the main job is run to completion
+  check:
+    name: Check system tests success
+    runs-on: ubuntu-latest
+    needs:
+    - main
+    steps:
+    - run: exit 0

.github/workflows/run-system-tests.yaml

@@ -1,7 +1,4 @@
 include:
-  - project: DataDog/apm-reliability/libdatadog-build
-    ref: 0f677257308e1c379af490b754febfb40fa2c06d
-    file: templates/ci_authenticated_job.yml
   - local: ".gitlab/one-pipeline.locked.yml"
   - local: ".gitlab/benchmarks.yml"
   - local: ".gitlab/macrobenchmarks.yml"
@@ -31,7 +28,7 @@ variables:
   GRADLE_VERSION: "8.5" # must match gradle-wrapper.properties
   MAVEN_REPOSITORY_PROXY: "http://artifactual.artifactual.all-clusters.local-dc.fabric.dog:8081/repository/maven-central/"
   GRADLE_PLUGIN_PROXY: "http://artifactual.artifactual.all-clusters.local-dc.fabric.dog:8081/repository/gradle-plugin-portal-proxy/"
-  BUILDER_IMAGE_VERSION_PREFIX: "" # use either an empty string (e.g. "") for latest images or a version followed by a hyphen (e.g. "v25.05-")
+  BUILDER_IMAGE_VERSION_PREFIX: "v25.06-" # use either an empty string (e.g. "") for latest images or a version followed by a hyphen (e.g. "v25.05-")
   REPO_NOTIFICATION_CHANNEL: "#apm-java-escalations"
   DEFAULT_TEST_JVMS: /^(8|11|17|21)$/
   PROFILE_TESTS:
@@ -136,6 +133,7 @@ default:
       policy: $BUILD_CACHE_POLICY
   before_script:
     - source .gitlab/gitlab-utils.sh
+    - mkdir -p .gradle
     - export GRADLE_USER_HOME=$(pwd)/.gradle
     - |
       # Don't put jvm args here as it will be picked up by child gradle processes used in tests
@@ -153,7 +151,6 @@ default:
     # with Gitlab caching, .gradle is always owned by root and thus gradle's chmod invocation fails
     # This dance is a hack to have .gradle owned by the Gitlab runner user
     - gitlab_section_start "gradle-dance" "Fix .gradle directory permissions"
-    - mkdir -p .gradle
     - cp -r .gradle .gradle-copy
     - rm -rf .gradle
     - mv .gradle-copy .gradle
@@ -799,37 +796,3 @@ create_key:
     expire_in: 13 mos
     paths:
       - pubkeys
-
-tracer-base-image-release:
-  extends: .ci_authenticated_job
-  stage: publish
-  needs: [ build ]
-  rules:
-    - if: '$POPULATE_CACHE'
-      when: never
-    - if: '$CI_COMMIT_TAG =~ /^v1\..*/'
-      when: on_success
-  dependencies:
-    - build
-  script:
-    - echo $GH_TOKEN|docker login ghcr.io/datadog -u uploader --password-stdin
-    - mkdir -p ./tooling/ci/binaries/ && cp workspace/dd-java-agent/build/libs/*.jar ./tooling/ci/binaries/dd-java-agent.jar
-    - docker buildx build -t ghcr.io/datadog/dd-trace-java/dd-trace-java:latest -f ./tooling/ci/Dockerfile .
-    - docker push ghcr.io/datadog/dd-trace-java/dd-trace-java:latest
-
-tracer-base-image-snapshot:
-  extends: .ci_authenticated_job
-  stage: publish
-  needs: [ build ]
-  rules:
-    - if: '$POPULATE_CACHE'
-      when: never
-    - if: '$CI_COMMIT_BRANCH == "master"'
-      when: on_success
-  dependencies:
-    - build
-  script:
-    - echo $GH_TOKEN|docker login ghcr.io/datadog -u uploader --password-stdin
-    - mkdir -p ./tooling/ci/binaries/ && cp workspace/dd-java-agent/build/libs/*.jar ./tooling/ci/binaries/dd-java-agent.jar
-    - docker buildx build -t ghcr.io/datadog/dd-trace-java/dd-trace-java:latest_snapshot -f ./tooling/ci/Dockerfile .
-    - docker push ghcr.io/datadog/dd-trace-java/dd-trace-java:latest_snapshot

.gitlab-ci.yml

@@ -15,7 +15,7 @@
   script:
     - export ARTIFACTS_DIR="$(pwd)/reports" && mkdir -p "${ARTIFACTS_DIR}"
     - git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/".insteadOf "https://github.com/DataDog/"
-    - git clone --branch dd-trace-java/tracer-benchmarks https://github.com/DataDog/benchmarking-platform.git /platform && cd /platform
+    - git clone --branch dd-trace-java/tracer-benchmarks-parallel https://github.com/DataDog/benchmarking-platform.git /platform && cd /platform
   artifacts:
     name: "reports"
     paths:

.gitlab/benchmarks.yml

@@ -33,10 +33,6 @@ if [[ ! -f "${TRACER}" ]]; then
   cd "${SCRIPT_DIR}"
 fi
 
-# Cleanup previous reports
-rm -rf "${REPORTS_DIR}"
-mkdir -p "${REPORTS_DIR}"
-
 if [[ "$#" == '0' ]]; then
   for type in 'startup' 'load' 'dacapo'; do
     run_benchmarks "$type"

benchmark/benchmarks.sh

@@ -1,18 +1,62 @@
 import http from 'k6/http';
 import {checkResponse, isOk, isRedirect} from "../../utils/k6.js";
 
-const baseUrl = 'http://localhost:8080';
+const variants = {
+  "no_agent": {
+    "APP_URL": 'http://localhost:8080',
+  },
+  "tracing": {
+    "APP_URL": 'http://localhost:8081',
+  },
+  "profiling": {
+    "APP_URL": 'http://localhost:8082',
+  },
+  "iast": {
+    "APP_URL": 'http://localhost:8083',
+  },
+  "iast_GLOBAL": {
+    "APP_URL": 'http://localhost:8084',
+  },
+  "iast_FULL": {
+    "APP_URL": 'http://localhost:8085',
+  },
+}
+
+export const options = function (variants) {
+  let scenarios = {};
+  for (const variant of Object.keys(variants)) {
+    scenarios[`load--insecure-bank--${variant}--warmup`] = {
+      executor: 'constant-vus',  // https://grafana.com/docs/k6/latest/using-k6/scenarios/executors/#all-executors
+      vus: 5,
+      duration: '20s',
+      gracefulStop: '2s',
+      env: {
+        "APP_URL": variants[variant]["APP_URL"]
+      }
+    };
+
+    scenarios[`load--insecure-bank--${variant}--high_load`] = {
+      executor: 'constant-vus',
+      vus: 5,
+      startTime: '22s',
+      duration: '15s',
+      gracefulStop: '2s',
+      env: {
+        "APP_URL": variants[variant]["APP_URL"]
+      }
+    };
+  }
 
-export const options = {
-  discardResponseBodies: true,
-  vus: 5,
-  iterations: 40000
-};
+  return {
+    discardResponseBodies: true,
+    scenarios,
+  }
+}(variants);
 
 export default function () {
 
   // login form
-  const loginResponse = http.post(`${baseUrl}/login`, {
+  const loginResponse = http.post(`${__ENV.APP_URL}/login`, {
     username: 'john',
     password: 'test'
   }, {
@@ -21,11 +65,11 @@ export default function () {
   checkResponse(loginResponse, isRedirect);
 
   // dashboard
-  const dashboard = http.get(`${baseUrl}/dashboard`);
+  const dashboard = http.get(`${__ENV.APP_URL}/dashboard`);
   checkResponse(dashboard, isOk);
 
   // logout
-  const logout = http.get(`${baseUrl}/j_spring_security_logout`, {
+  const logout = http.get(`${__ENV.APP_URL}/j_spring_security_logout`, {
     redirects: 0
   });
   checkResponse(logout, isRedirect);