DataDog
diff --git a/‎.github/workflows/analyze-changes.yaml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/analyze-changes.yaml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.gitlab/find-gh-base-ref.sh‎
Lines changed: 6 additions & 0 deletions b/‎.gitlab/find-gh-base-ref.sh‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎buildSrc/src/main/kotlin/datadog/gradle/plugin/dump/DumpHangedTestPlugin.kt‎
Lines changed: 33 additions & 47 deletions b/‎buildSrc/src/main/kotlin/datadog/gradle/plugin/dump/DumpHangedTestPlugin.kt‎
Lines changed: 33 additions & 47 deletions
diff --git a/‎dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/ServerDecorator.java‎
Lines changed: 8 additions & 2 deletions b/‎dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/ServerDecorator.java‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/BaseDecoratorTest.groovy‎
Lines changed: 2 additions & 0 deletions b/‎dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/BaseDecoratorTest.groovy‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/ServerDecoratorTest.groovy‎
Lines changed: 2 additions & 2 deletions b/‎dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/ServerDecoratorTest.groovy‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎dd-java-agent/agent-debugger/src/main/java/com/datadog/debugger/symbol/JarScanner.java‎
Lines changed: 9 additions & 1 deletion b/‎dd-java-agent/agent-debugger/src/main/java/com/datadog/debugger/symbol/JarScanner.java‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎dd-java-agent/agent-debugger/src/test/java/com/datadog/debugger/symbol/JarScannerTest.java‎
Lines changed: 27 additions & 0 deletions b/‎dd-java-agent/agent-debugger/src/test/java/com/datadog/debugger/symbol/JarScannerTest.java‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎dd-java-agent/agent-profiling/build.gradle‎
Lines changed: 9 additions & 1 deletion b/‎dd-java-agent/agent-profiling/build.gradle‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎dd-java-agent/agent-profiling/profiling-ddprof/src/main/java/com/datadog/profiling/ddprof/DatadogProfilerRecordingData.java‎
Lines changed: 7 additions & 0 deletions b/‎dd-java-agent/agent-profiling/profiling-ddprof/src/main/java/com/datadog/profiling/ddprof/DatadogProfilerRecordingData.java‎
Lines changed: 7 additions & 0 deletions
@@ -30,7 +30,7 @@ jobs:
             ${{ runner.os }}-gradle-
         
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         with:
           languages: 'java'
           build-mode: 'manual'
@@ -49,7 +49,7 @@ jobs:
             --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Perform CodeQL Analysis and upload results to GitHub Security tab
-        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
 
   trivy:
     name: Analyze changes with Trivy
@@ -101,7 +101,7 @@ jobs:
           ls -laR "./workspace/.trivy"
 
       - name: Run Trivy security scanner
-        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
+        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
         with:
           scan-type: rootfs
           scan-ref: './workspace/.trivy/'
@@ -114,7 +114,7 @@ jobs:
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'
 
@@ -14,6 +14,12 @@ if [[ $CI_COMMIT_BRANCH =~ ^(master|release/.*)$ ]]; then
   exit 1
 fi
 
+# See .test_job declaration
+if [[ $CI_COMMIT_BRANCH =~ ^(mq-working-branch-|gh-readonly-queue/) ]]; then
+  echo "CI_COMMIT_BRANCH is a merge queue branch, skipping base ref detection" >&2
+  exit 1
+fi
+
 CURRENT_HEAD_SHA="$(git rev-parse HEAD)"
 if [[ -z "${CURRENT_HEAD_SHA:-}" ]]; then
   echo "Failed to determine current HEAD SHA" >&2
 
@@ -20,6 +20,7 @@ import java.util.concurrent.ScheduledExecutorService
 import java.util.concurrent.ScheduledFuture
 import java.util.concurrent.TimeUnit
 import javax.inject.Inject
+import kotlin.jvm.optionals.getOrElse
 
 /**
  * Plugin to collect thread and heap dumps for hanged tests.
@@ -120,43 +121,27 @@ class DumpHangedTestPlugin : Plugin<Project> {
 
       dumpsDir.mkdirs()
 
-      fun file(name: String, ext: String = "log") =
-        File(dumpsDir, "$name-${System.currentTimeMillis()}.$ext")
+      ProcessHandle.current().children()
+        .filter { it.info().commandLine().getOrElse { "" }.contains("Gradle Test Executor") }
+        .forEach { process ->
+          collectDump(dumpsDir, process)
 
-      // Collect all JVMs pids.
-      val allJavaProcessesFile = file("all-java-processes")
-      runCmd(Redirect.to(allJavaProcessesFile), "jcmd", "-l")
-
-      // On IBM JDK thread dump can be collected by signaling the matching `Gradle Test Executor` process with `kill -3`.
-      // It will be writen into `/tmp/javacore.YYYYMMDD.HHMMSS.PID.SEQ.txt
-      if (isIbm8(allJavaProcessesFile)) {
-        val allProcessesFile = file("all-processes")
-        runCmd(Redirect.to(allProcessesFile), "ps", "-ef")
-        extractPidsIbm8(allProcessesFile).forEach { ibm8Pid ->
-          runCmd(Redirect.INHERIT, "kill", "-3", ibm8Pid)
-        }
-      } else {
-        val pids = extractPids(allJavaProcessesFile)
-
-        pids.forEach { pid ->
-          // Collect heap dump by pid.
-          val heapDumpPath = file("${pid}-heap-dump", "hprof").absolutePath
-          runCmd(Redirect.INHERIT, "jcmd", pid, "GC.heap_dump", heapDumpPath)
-
-          // Collect thread dump by pid.
-          val threadDumpFile = file("${pid}-thread-dump")
-          runCmd(Redirect.to(threadDumpFile), "jcmd", pid, "Thread.print", "-l")
+          process.children().forEach { child ->
+            collectDump(dumpsDir, child)
+          }
         }
 
-        // Just in case collect all thread dumps by using special PID `0`.
-        val allThreadsFile = file("all-thread-dumps")
-        runCmd(Redirect.to(allThreadsFile), "jcmd", "0", "Thread.print", "-l")
-      }
+      // Just in case collect all thread dumps by using special PID `0`.
+      val allThreadsFile = file(dumpsDir, "all-thread-dumps")
+      runCmd(Redirect.to(allThreadsFile), "jcmd", "0", "Thread.print", "-l")
     } catch (e: Throwable) {
       t.logger.warn("Taking dumps failed with error: ${e.message ?: e.javaClass.name}, for ${t.path}")
     }
   }
 
+  private fun file(baseDir: File, name: String, ext: String = "log") =
+    File(baseDir, "$name-${System.currentTimeMillis()}.$ext")
+
   private fun cleanup(t: Task) {
     val future = t.extra
       .takeIf { it.has(DUMP_FUTURE_KEY) }
@@ -183,23 +168,24 @@ class DumpHangedTestPlugin : Plugin<Project> {
     }
   }
 
-  private fun isIbm8(file: File): Boolean =
-    file.readLines().any { it.contains("-PtestJvm=ibm8") }
-
-  private fun extractPids(file: File): List<String> =
-    file.readLines()
-      .filter { it.contains("Gradle Test Executor") }
-      .map { it.substringBefore(' ') }
-
-  private fun extractPidsIbm8(file: File): List<String> =
-    file.readLines()
-      .filter { it.contains("Gradle Test Executor") }
-      .filter { it.contains("ibm", ignoreCase = true) }
-      .mapNotNull(::extractPid)
-
-  private val whitespaceRegex = Regex("\\s+")
+  private fun collectDump(
+    baseDir: File,
+    process: ProcessHandle
+  ) {
+    val pid = process.pid().toString()
 
-  // ps -ef format produce output like: UID PID PPID ...
-  private fun extractPid(line: String): String? =
-    line.trimStart().split(whitespaceRegex, limit = 3).getOrNull(1)
+    if (process.info().command().getOrElse { "" }.contains("/ibm8")) {
+      // On IBM JDK thread dump can be collected by signaling process with `kill -3`.
+      // It will be writen into `/tmp/javacore.YYYYMMDD.HHMMSS.PID.SEQ.txt
+      runCmd(Redirect.INHERIT, "kill", "-3", pid)
+    } else {
+      // Collect heap dump by pid.
+      val heapDumpPath = file(baseDir, "$pid-heap-dump", "hprof").absolutePath
+      runCmd(Redirect.INHERIT, "jcmd", pid, "GC.heap_dump", heapDumpPath)
+
+      // Collect thread dump by pid.
+      val threadDumpFile = file(baseDir, "$pid-thread-dump", "log")
+      runCmd(Redirect.to(threadDumpFile), "jcmd", pid, "Thread.print", "-l")
+    }
+  }
 }
@@ -1,15 +1,21 @@
 package datadog.trace.bootstrap.instrumentation.decorator;
 
 import datadog.trace.api.DDTags;
+import datadog.trace.api.TagMap;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.Tags;
 
 public abstract class ServerDecorator extends BaseDecorator {
+  private static final TagMap.Entry SPAN_KIND_ENTRY =
+      TagMap.Entry.create(Tags.SPAN_KIND, Tags.SPAN_KIND_SERVER);
+  private static final TagMap.Entry LANG_ENTRY =
+      TagMap.Entry.create(DDTags.LANGUAGE_TAG_KEY, DDTags.LANGUAGE_TAG_VALUE);
 
   @Override
   public AgentSpan afterStart(final AgentSpan span) {
-    span.setTag(Tags.SPAN_KIND, Tags.SPAN_KIND_SERVER);
-    span.setTag(DDTags.LANGUAGE_TAG_KEY, DDTags.LANGUAGE_TAG_VALUE);
+    span.setTag(SPAN_KIND_ENTRY);
+    span.setTag(LANG_ENTRY);
+
     return super.afterStart(span);
   }
 }
@@ -30,9 +30,11 @@ class BaseDecoratorTest extends DDSpecification {
     1 * spanContext.setIntegrationName("test-component")
     _ * span.setTag(_)
     _ * span.setTag(_, _) // Want to allow other calls from child implementations.
+    _ * span.setTag(_)
     _ * span.setMeasured(true)
     _ * span.setMetric(_)
     _ * span.setMetric(_, _)
+    _ * span.setMetric(_)
     _ * span.setServiceName(_, _)
     _ * span.setOperationName(_)
     _ * span.setSamplingPriority(_)
 
@@ -22,11 +22,11 @@ class ServerDecoratorTest extends BaseDecoratorTest {
     decorator.afterStart(span)
 
     then:
-    1 * span.setTag(LANGUAGE_TAG_KEY, LANGUAGE_TAG_VALUE)
+    1 * span.setTag(TagMap.Entry.create(LANGUAGE_TAG_KEY, LANGUAGE_TAG_VALUE))
     1 * span.setTag(TagMap.Entry.create(COMPONENT, "test-component"))
     1 * span.context() >> spanContext
     1 * spanContext.setIntegrationName("test-component")
-    1 * span.setTag(SPAN_KIND, "server")
+    1 * span.setTag(TagMap.Entry.create(SPAN_KIND, "server"))
     1 * span.setSpanType(decorator.spanType())
     if (decorator.traceAnalyticsEnabled) {
       1 * span.setMetric(TagMap.Entry.create(ANALYTICS_SAMPLE_RATE, 1.0))
 
@@ -1,5 +1,6 @@
 package com.datadog.debugger.symbol;
 
+import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.file.Path;
@@ -65,6 +66,13 @@ public static String trimPrefixes(String classFilePath) {
   private static Path getPathFromPrefixedFileName(String locationStr, String prefix, int endIdx) {
     String fileName = locationStr.substring(prefix.length(), endIdx);
     LOGGER.debug("jar filename={}", fileName);
-    return Paths.get(fileName);
+    try {
+      // Reconstruct a file URI and use Paths.get(URI) to correctly handle
+      // platform-specific paths, including Windows drive letters (e.g. /C:/...)
+      return Paths.get(new URI("file:" + fileName));
+    } catch (URISyntaxException e) {
+      LOGGER.debug("Failed to parse as URI: {}, falling back to direct path", fileName, e);
+      return Paths.get(fileName);
+    }
   }
 }
@@ -8,10 +8,13 @@
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.nio.file.Path;
 import java.security.CodeSource;
 import java.security.ProtectionDomain;
 import java.security.cert.Certificate;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.EnabledOnOs;
+import org.junit.jupiter.api.condition.OS;
 
 class JarScannerTest {
   @Test
@@ -50,4 +53,28 @@ public void extractJarPathFromNestedJar() throws URISyntaxException {
     assertEquals(
         jarFileUrl.getFile(), JarScanner.extractJarPath(protectionDomain, null).toString());
   }
+
+  @Test
+  @EnabledOnOs(OS.WINDOWS)
+  public void extractJarPathFromFileOnWindows() throws URISyntaxException {
+    URL mockLocation = mock(URL.class);
+    when(mockLocation.toString()).thenReturn("file:/C:/apps/server/classes/");
+    CodeSource codeSource = new CodeSource(mockLocation, (Certificate[]) null);
+    ProtectionDomain protectionDomain = new ProtectionDomain(codeSource, null);
+    Path result = JarScanner.extractJarPath(protectionDomain, SymDBReport.NO_OP);
+    assertNotNull(result);
+    assertTrue(result.toString().contains("server"));
+  }
+
+  @Test
+  @EnabledOnOs(OS.WINDOWS)
+  public void extractJarPathFromJarOnWindows() throws URISyntaxException {
+    URL mockLocation = mock(URL.class);
+    when(mockLocation.toString()).thenReturn("jar:file:/C:/libs/app.jar!/com/example/");
+    CodeSource codeSource = new CodeSource(mockLocation, (Certificate[]) null);
+    ProtectionDomain protectionDomain = new ProtectionDomain(codeSource, null);
+    Path result = JarScanner.extractJarPath(protectionDomain, SymDBReport.NO_OP);
+    assertNotNull(result);
+    assertTrue(result.toString().contains("app.jar"));
+  }
 }
@@ -13,7 +13,9 @@ excludedClassesCoverage += [
   'com.datadog.profiling.agent.ProfilingAgent',
   'com.datadog.profiling.agent.ProfilingAgent.ShutdownHook',
   'com.datadog.profiling.agent.ProfilingAgent.DataDumper',
-  'com.datadog.profiling.agent.ProfilerFlare'
+  'com.datadog.profiling.agent.ProfilerFlare',
+  'com.datadog.profiling.agent.ScrubRecordingDataListener',
+  'com.datadog.profiling.agent.ScrubRecordingDataListener.ScrubbedRecordingData'
 ]
 
 dependencies {
@@ -23,6 +25,7 @@ dependencies {
   api project(':dd-java-agent:agent-profiling:profiling-ddprof')
   api project(':dd-java-agent:agent-profiling:profiling-uploader')
   api project(':dd-java-agent:agent-profiling:profiling-controller')
+  implementation project(':dd-java-agent:agent-profiling:profiling-scrubber')
   api project(':dd-java-agent:agent-profiling:profiling-controller-jfr')
   api project(':dd-java-agent:agent-profiling:profiling-controller-jfr:implementation')
   api project(':dd-java-agent:agent-profiling:profiling-controller-ddprof')
@@ -42,6 +45,11 @@ configurations {
 
 tasks.named("shadowJar", ShadowJar) {
   dependencies deps.excludeShared
+
+  // Exclude multi-release versioned classes from jafar-parser.
+  // These are duplicates of base classes for newer Java APIs and confuse
+  // the GraalVM native-image builder when the profiling jar is embedded in the agent.
+  exclude 'META-INF/versions/**'
 }
 
 tasks.named("jar", Jar) {
 
@@ -7,6 +7,7 @@
 import java.nio.file.Path;
 import java.time.Instant;
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 
 final class DatadogProfilerRecordingData extends RecordingData {
   private final Path recordingFile;
@@ -36,4 +37,10 @@ public void release() {
   public String getName() {
     return "ddprof";
   }
+
+  @Nullable
+  @Override
+  public Path getPath() {
+    return recordingFile;
+  }
 }