test(appsec): read lambda inferred-span AppSec data from the service-entry span#7176
test(appsec): read lambda inferred-span AppSec data from the service-entry span#7176zarirhamza wants to merge 1 commit into
Conversation
…y span The AppSec report is carried by the service-entry (top-level) span. With serverless service representation, the inferred API Gateway span shares the function's service and becomes the service-entry span, so the AppSec report moves there from the aws.lambda span. Accept the AppSec reference data from either span so the test holds across layer versions.
|
|
🎉 All green!🧪 All tests passed 🔗 Commit SHA: dd23604 | Docs | Datadog PR Page | Give us feedback! |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dd236049b5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| for _, _, span, appsec_data in interfaces.library.get_appsec_events(self.r): | ||
| if span.get("name") == "aws.lambda": | ||
| lambda_span_appsec_data = appsec_data | ||
| if span.get("name") == "aws.lambda" or span.get("name") in INFERRED_SPAN_NAMES: |
There was a problem hiding this comment.
When AppSec moves onto the inferred API Gateway span, adding the inferred names here is not enough because get_appsec_events(self.r) still uses full_trace=False; utils/interfaces/_library/core.py::get_spans then yields only spans whose extracted request id matches the response. In Lambda traces where the request id remains on aws.lambda but the AppSec payload is only on aws.apigateway/aws.httpapi, this loop never sees the new service-entry span and the assertion below still fails, so this should read events with full_trace=True like the inferred-span validation does.
Useful? React with 👍 / 👎.
1 participant
Motivation
Test_Lambda_Inferred_Span_Tags::test_lambda_inferred_spanasserts the AppSec report is on theaws.lambdaspan. With the Serverless Service Representation (SSR) work, the inferred API Gateway span now usesDD_SERVICE(the same service as the function span). Because_dd.top_level/ service-entry is computed by comparing a span's service to its parent's, the inferred span becomes the service-entry span and AppSec attaches its report there instead of on the downstreamaws.lambdaspan.This makes the test fail (
UnboundLocalError— no AppSec data found on theaws.lambdaspan) for the Python lambda layer once the inferred-span service change ships (see DataDog/datadog-lambda-python#834).Change
Capture the reference AppSec payload from whichever span is the service-entry span: the
aws.lambdaspan (older behavior / other tracers) or the inferred span (new SSR behavior). The inferred-span validation is unchanged.This keeps the test green for:
aws.lambda, mirrored to the inferred span)Note: this test is
missing_featurefor nodejs/java lambda, so only Python is affected.Test plan