1.39.0

Components

Application Security Management (IAST)

• 🐛 Do not skip ErrorReportValve.report in any case (#7489 - @smola)
• ✨ Suppress internal exceptions in tomcat stacktrace leak detection (#7488 - @smola)
• 🐛 Add exclusions for openid4java and seasar frameworks (#7417 - @manuel-alvarez-alvarez)
• Add detection of untrusted deserialization in snakeyaml library (#7406 - @Mariovido)
• ✨ Fix progagation for Untrusted Deserialization vulnerability (#7374 - @Mariovido)
• Map JSP stack traces to file names (#7005 - @jandro996)

Application Security Management (WAF)

• Free AppSecRequestContext resources when the request ends (#7535 - @manuel-alvarez-alvarez)
• 🐛 Make RASP addresses ephemeral (#7529 - @manuel-alvarez-alvarez)
• ✨ Set DD_APPSEC_RASP_ENABLED to true by default (#7528 - @smola)
• 🐛 Fix call depth counter for sqli blocking (#7522 - @ValentinZakharov)
• Enable WAF generate_stack action by default (#7518 - @smola)
• ✨ Remove warning whenever we receive an unknown WAF address (#7482 - @smola)
• Add fingerprint support to the WAF (#7436 - @manuel-alvarez-alvarez)
• Upgrade to AppSec rules v1.13.0 (#7424 - @manuel-alvarez-alvarez)
• Add support for suspicious attacker blocking to appsec (#7401 - @manuel-alvarez-alvarez)
• Exploit prevention for SSRF (in java.net.URL) (#7373 - @manuel-alvarez-alvarez)

Cloud Workload Security (CWS)

• Make cws-tls use the same JNA dependency as instrumentations (#7412 - @bantonsson)

Continuous Integration Visibility

• 🐛 Fix Gradle Daemon process detection (#7524 - @nikita-tkachenko-datadog)
• 🧹 Split Gradle instrumentations into different modules (#7523 - @nikita-tkachenko-datadog)
• 🐛 Implement a fallback method for getting effective JVM for Maven Surefire executions (#7493 - @nikita-tkachenko-datadog)
• 🐛 Fix Cucumber JUnit 4 instrumentation to support empty scenario names (#7470 - @nikita-tkachenko-datadog)
• Implement telemetry and global per-JVM limit for auto test retries (#7458 - @nikita-tkachenko-datadog)
• 🐛 Fix Cucumber JUnit 4 instrumentation to correctly handle feature and scenario names with brackets (#7446 - @nikita-tkachenko-datadog)
• 🐛 Fix Gradle instrumentation to support v8.10 (#7443 - @nikita-tkachenko-datadog)
• 🐛 Fix Maven instrumentation to support command-line plugin goals invocation (#7430 - @nikita-tkachenko-datadog)

Crash tracking

• Make the warning in ScriptInitializer less scary (#7514 - @jbachorik)
• 🧹 Improving crash tracking script initialization error handling (#7427 - @PerfectSlayer)
• 🐛 Fix crash-tracking uploader script overwrite warning (#7386 - @jbachorik)

Data Streams Monitoring

• ⚡ Don't recompute DSM pathway hash for known tags (#7307 - @vandonr)

Database Monitoring

• Full mode for SQL Server (#7186 - @nenadnoveljic)

Dynamic Instrumentation

• 🐛 Fix concurrent modification (#7469 - @jpbempel)
• 🐛 Fix considering directory as jar file (#7459 - @jpbempel)
• ✨ Add exclusion predefined redaction keywords (#7457 - @jpbempel)
• 🐛 fix freeze context only for capturing line probe (#7456 - @jpbempel)
• 🐛 Fix SymDB upload dropped requests (#7442 - @jpbempel)
• ✨ Add protobuf collections as safe ones (#7438 - @jpbempel)
• 🐛 Fix Fingerprinter thread safety (#7429 - @jpbempel)
• 🐛 Add modifiers for extracting symbols (#7420 - @jpbempel)
• ✨ Add support for enum value comparison (#7418 - @jpbempel)

GraalVM native-image

• Avoid RemoteHostnameAdder.config resolution error when building Quarkus native images (#7480 - @mcculls)
• Fix ClassNotFoundException: net.jpountz.lz4.LZ4JavaSafeCompressor when instrumenting Kafka 3.7 with Quarkus native (#7404 - @mcculls)
• Fix unresolved field error when instrumenting Kafka 3.7 with Quarkus native (#7403 - @mcculls)

JMX fetch

• Bump JmxFetch to 0.49.4 (#7501 - @amarziali)

Metrics

• Bump integrations-core submodule to 7.55.3 (#7416 - @mcculls)

Profiling

• Log a warning when profiling enablement is misconfigured. (#7511 - @jbachorik)
• Emit recording setting events for SSI details (#7507 - @jbachorik)
• 🐛 Update ddprof to 1.13.0 (#7471 - @r1viollet)
• Allow subsampling the liveheap profiling data (#7380 - @jbachorik)

Telemetry

• 🔍 Enable telemetry logs for services using AppSec (#7534 - @smola)
• 🔍 Enable telemetry logs for a subset of Java versions (#7475 - @PerfectSlayer)
• Tag span metrics with 'otel.library' when we know it was created by an OTel extension (#7463 - @mcculls)
• ✨ Reduce telemetry log messages per minute to 10 (#7410 - @smola)
• ✨ Add Otel env var telemetry (#7391 - @cecile75)
• ✨ Add telemetry app product change message (#7348 - @jandro996)
• Adding InitializationTelemetry - e.g. guard rails reporting (#7287 - @dougqh)

Trace context propagation

• ✨ Use W3C Trace Context trace ID as parent ID regardless of propagation style order (#7355 - @mtoffl01)

Tracer core

• 🐛 Avoid using stdout to report bootstrapping errors (#7432 - @PerfectSlayer)
• Add _dd.tracer_host to local root spans (#7388 - @amarziali)

Instrumentations

Apache Spark instrumentation

• Allow instrumented Spark trace linked to Openlineage originated context (#7450 - @yiliangzhou)

Armeria Instrumentation

• OpenTelemetry drop-in fixes for Armeria HTTP (#7498 - @mcculls)

AWS SDK instrumentation

• Avoid NullPointerException when publishing SNS messages to phone numbers (#7448 - @mcculls)

gRPC instrumentation

• 🐛 Fix grpc server error mark (#7505 - @amarziali)

JDBC instrumentation

• 🐛 Don't leak calldepth threadlocal on statements (#7472 - @amarziali)
• 🐛 Do not leak call depth threadlocal in jdbc instrumentation (#7468 - @amarziali)
• 🐛 Fix exception handling for SQL Server full mode (#7405 - @nenadnoveljic)
• Full mode for SQL Server (#7186 - @nenadnoveljic)

OpenTelemetry instrumentation

• OpenTelemetry drop-in fixes for Apache Pulsar (#7500 - @mcculls)
• OpenTelemetry drop-in fixes for Apache Dubbo (#7499 - @mcculls)
• OpenTelemetry drop-in fixes for Armeria HTTP (#7498 - @mcculls)
• Tag span metrics with 'otel.library' when we know it was created by an OTel extension (#7463 - @mcculls)
• OpenTelemetry drop-in fixes for r2dbc (#7444 - @mcculls)

All other instrumentations

• OpenTelemetry drop-in fixes for Apache Pulsar (#7500 - @mcculls)
• OpenTelemetry drop-in fixes for Apache Dubbo (#7499 - @mcculls)
• 🐛 Apache http client 4: do not copy all request headers on redirect (#7483 - @amarziali)
• 🐛 Avoid finishing twice a servlet 3 async dispatch span (#7395 - @amarziali)

Other changes

• Bump byte-buddy to 1.14.18 (#7415 - @mcculls)