v1.70.0

@darccio darccio released this 21 Nov 15:33
· 3 commits to release-v1.70.x since this release
cb45e9b

This release includes ASM Exploit Prevention's General Availability and offers multiple fixes in contribs, improved client-side stats implementation, and multiple environment variables for configuration:

  • DD_PROFILING_FLUSH_ON_EXIT: if set to 1, the profiler will upload the profiles in progress when profiler.Stop is called. Be mindful of using this setting for short-lived programs (e.g. lambdas, which we do not currently support for Go) as it may lead to inflated host counts. Also note that stopping the CPU profiler takes 200ms. See https://go.dev/issue/63043.
  • DD_PROFILING_ENABLED: if set to false, then calling profiler.Start will not enable profiling. Note that setting this to true is not sufficient to enable profiling; you still need to call profiler.Start.
  • DD_TRACE_LOG_DIRECTORY: specifies a log directory for tracer logs.
  • DD_APPSEC_RASP_ENABLED: if set to false, disables ASM Exploit Prevention (defaults to true).

What's Changed

Application Performance Monitoring (APM)

  • contrib/segmentio/kafka.go.v0: refactor tracing code by @rarguelloF in #2885
  • contrib/slog: clone record before calling Add by @felixge in #2929
  • contrib/confluentinc/confluent-kafka-go: fix goroutine leak in Produce by @rarguelloF in #2924
  • contrib/jackc/pgx.v5: wrap previous tracer by @rarguelloF in #2932
  • contrib/net/http: refactor tracing by @rarguelloF in #2921
  • contrib/confluentinc/confluent-kafka-go: split tracing code by @rarguelloF in #2907
  • [godfathering] contrib/dimfeld/httptreemux.v5: failing tests for path variable replacement by @darccio in #2938
  • [serverless] Inject trace context into SQS/SNS/EventBridge by @nhulston in #2917
  • contrib/log/slog: fix WithAttrs and WithGroup implementation by @rarguelloF in #2857
  • [SVLS-5560] Inject DD trace context into AWS Step Functions input by @DylanLovesCoffee in #2942
  • APMSP-1241 Directly import trace-agent stats code for client-side stats by @ajgajg1134 in #2817
  • [fix][internal/httptrace]: integration-level error codes override global by @mtoffl01 in #2946
  • contrib/valyala/fasthttp.v1: fix memory leak of spanOpts by @0angelic0 in #2962
  • contrib/go-chi: Apply DD_TRACE_HTTP_SERVER_ERROR_STATUSES by @mtoffl01 in #2960
  • [fix][tracer] DD_TRACE_HEADER_TAGS treats trailing colon as invalid input by @mtoffl01 in #2913
  • Fix: Support custom propagators in startup log by @mtoffl01 in #2925
  • fix(options): Don't override c.httpClient if it is set via the options by @BaptisteFoy in #2970

Application Security Management (ASM)

We’re pleased to release Exploit Prevention (aka Run-time Application Self-Protection (RASP)) to protect your Go services against exploits of SQL injections (SQLi), Server-Side Request Forgeries (SSRF) and Local File Inclusion (LFI) vulnerabilities.
We recommend using orchestrion, our new automatic Go instrumentation tool, to benefit from this new type of application security monitoring automatically. Note that some of these features are exclusive to orchestrion, such as LFI or Command Injection (CMDi), which is coming later this quarter.
Please refer to the documentation or our blog post for more information.

  • appsec: enable SQLi and SSRF exploit preventions by default in monitoring-only mode by @eliottness in #2952
  • appsec: add tracer start option for appsec enablement by @RomainMuller in #2966
  • appsec: differentiate user login and user set event by @eliottness in #2956

CI Visibility

  • internal/civisibility: add early flake detection feature by @tonyredondo in #2916
  • internal/civisibility: adds git tree upload feature by @tonyredondo in #2927
  • internal/civisibility: add handshake linkname to orchestrion api to address linkname lock down by @tonyredondo in #2934
  • internal/civisibility: add more nil checks to increase resilience by @tonyredondo in #2944
  • internal/civisibility: auto test retries max retries fix by @tonyredondo in #2947
  • internal/civisibility: intelligent test runner support by @tonyredondo in #2943
  • internal/civisibility: test with efd enabled disable atr for that test by @tonyredondo in #2958
  • internal/civisibility: add support for unskippable tests and suites by @tonyredondo in #2957
  • internal/civisibility: api refactor and support for telemetry metrics by @tonyredondo in #2963
  • Add CI Visibility data to client stats (APMSP-1241) by @ajgajg1134 in #2969

Profiling

  • profiler: add enable flag to control profiler activation by @korECM in #2840
  • profiler: add DD_PROFILING_FLUSH_ON_EXIT to upload current profiles before exiting by @jinroh in #2926

Full Changelog: v1.69.1...v1.70.0