dd-trace
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): opentracing is the canonical OpenTracing API package; directly relevant to dd-trace's stated purpose. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Used in pkg.js for package metadata loading; standard pattern for APM instrumentation across all versions. | ai | |
| semgrep | semgrep:dll-injection-apis | AI (semgrep): LD_PRELOAD appears in an allowlist/denylist for child_process command scrubbing — defensive use, not injection. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decoding AWS Kinesis payloads and similar instrumentation data; expected in an APM tracing library. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): APM config library explicitly reads all env vars for configuration reporting — documented and expected. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): GraphQL transform tooling; legitimate instrumentation use. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP appears only in a comment/example string (127.0.0.1), not an actual outbound request. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function used as a data object constructor for pprof profiling, not for dynamic code execution. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Used in guardrails/telemetry for spawning subprocesses; standard for an APM agent. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): Long-standing preinstall script for dd-trace; runs node scripts/preinstall.js, not arbitrary remote code. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 5.104.0 | 3 / 53 | |
| 5.101.0 | 2 / 53 | |
| 5.100.0 | 2 / 53 | |
| 5.99.1 | 2 / 53 | |
| 5.98.0 | 2 / 50 | |
| 5.94.0 | 2 / 50 | |
| 5.85.0 | 2 / 47 | |
| 5.80.0 | 37 / 47 | |
| 5.76.0 | 37 / 46 | |
v5.104.0
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.101.0
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.100.0
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.99.1
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.98.0
3 findings.
Script: node scripts/preinstall.js
DLL injection API detected — potential process injection attack. Source: https://github.com/DataDog/dd-trace-js/blob/63aea5c3d707a425ada0d7ff59e0d945010d1dca/packages/datadog-plugin-child_process/src/scrub-cmd-params.js#L5 (flagged line marked with `>`):

```text
  3 | const shellParser = require('../../../vendor/dist/shell-quote').parse
  4 |
> 5 | const ALLOWED_ENV_VARIABLES = new Set(['LD_PRELOAD', 'LD_LIBRARY_PATH', 'PATH'])
  6 | const PROCESS_DENYLIST = new Set(['md5'])
  7 |
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.94.0
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.85.0
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.80.0
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.76.0
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.