3.1.0-prerelease
Summary
This is the second pre-release of the next major version of the .NET APM SDK.
- [ASM] Changes to the collection of usr.id for authenticated clients
ASM’s Account TakeOver (ATO) detection is now automatically monitoring all compatible user authentication frameworks to detect attempted or leaked user credentials during an ATO campaign.
To do so, the monitoring of user activity is extended to collect all forms of user IDs, including non-numerical forms such as usernames or emails. This is configurable with 3 different working modes: identification, to send the user IDs in clear text; anonymization, to send anonymized user IDs; or disabled, to completely turn off any type of user ID collection (which leads to the disablement of the ATO detection).
The default collection mode is identification, and this is configurable in your remote service configuration settings in the service catalog (clicking on a service), or with the service environment variable DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE.
You can read more here
- [ASM] IAST Email HTML Injection vulnerability
- [Dynamic Instrumentation] Support nullable types in templates and string lexicographic comparison
- [Dynamic Instrumentation] SymDb readiness for Open Beta, matching symbols based on signature
- [Exception Replay] Normalized exception hashing for more fine-grained aggregation
In addition, the following are the high-level changes present in the 3.x.x release line compared to 2.x.x. These include breaking changes in public APIs, changes in artifacts, and changes to default settings.
For the full list of changes, including exactly what changed and how you should handle them, please see the MIGRATING document
Breaking changes
- Custom-only tracing (using the Datadog.Trace NuGet package), without any automatic tracing, is no longer supported. Custom instrumentation with the Datadog.Trace NuGet where you have also configured automatic-instrumentation is still supported as it was in v2.x.x.
- The public API surface has changed in the Datadog.Trace NuGet package. A number of previously obsolete APIs have been removed, and some other APIs have been marked obsolete. Most changes are related to how you create TracerSettings and Tracer instances.
- Changes to default settings. The default values of some settings have changed, and others have been removed. See below for more details.
- Changes in behavior. The semantic requirements and meaning of some settings have changed, as have some of the tags added to traces. See below for more details.
- The 32-bit MSI installer will no longer be available. The 64-bit MSI installer already includes support for tracing 32-bit processes, so you should use this installer instead.
- The client library will still be injected when DD_TRACE_ENABLED=0. In v2.x.x, setting DD_TRACE_ENABLED=0 would prevent the client library from being injected into the application completely. In v3.0.0+, the client library will still be injected, but tracing will be disabled.
- Referencing the Datadog.Trace.AspNet module is no longer supported. In v1.x.x and 2.x.x ASP.NET support allowed adding a reference to the Datadog.Trace.AspNet module in your web.config. This is no longer supported in v3.x.x.
Deprecation notices
- .NET Core 2.1 is marked EOL in v3.0.0+ of the tracer. That means versions 2.0, 2.1, 2.2 and 3.0 of .NET Core are now EOL. These versions may still work with v3.0.0+, but they will no longer receive significant testing and you will receive limited support for issues arising with EOL versions.
- Datadog.Trace.OpenTracing is now obsolete. OpenTracing is considered deprecated, and so Datadog.Trace.OpenTracing is considered deprecated. See the following details on future deprecation.
- macOS 11 is no longer supported for CI Visibility in v3.0.0+. Only macOS 12 and above are supported.
Major version policy and future deprecation
- Announcing a major version roadmap. We intend to make yearly major releases, starting from v3.0.0 in 2024, and v4.0.0 in 2025. We clearly will aim for minimal breaking changes, with the primary focus being on maintaining support for new versions of .NET and removal of EOL frameworks and operating systems.
- Planned removal of support for .NET Core 2.x and .NET Core 3.0 in version v4.0.0+. We intend to completely remove support for .NET Core 2.x and .NET Core 3.0 in v4.0.0. .NET Framework 4.6.1+ will continue to be supported.
- Planned removal of support for some Linux distributions. In version v4.0.0, we intend to drop support for CentOS 7, RHEL 7, and CentOS Stream 8.
- Planned removal of support for App Analytics. In version v4.0.0, we intend to drop support for App Analytics and associated settings.
For the full list of changes, including exactly what changed and how you should handle them, please see the MIGRATING document
Changes
Tracer
- Fix NullReferenceException in ASP.NET Core when RoutePattern.RawText is null (#5880)
- Fix NullReferenceException in HttpClientResponse.GetCharsetEncoding (#5881)
- Disable keep-alive in HttpClientRequestFactory (#5810)
- Fix error checking for CallTargetBubbleUpException (#5836)
- Ensure top-level entry points are wrapped with try-catch (#5838)
- Add an IsManualInstrumentationOnly flag to Datadog.Trace.Manual (#5866)
ASM
- [ASM] Changes to the collection of usr.id for authenticated clients (#5738)
- [ASM] IAST Email HTML Injection vulnerability (#5780)
- [ASM] Suspicious Attacker Blocking - Upgrade WAF to version 1.19.1 (#5820)
- [ASM] Add RASP timeout flag (#5827)
- [IAST] Safeguard Insert Before / After aspects with try/catch (#5839)
- [IAST] Safeguard Method Replace aspects with try/catch (#5841)
- [ASM] Detect enabled RASP rules (#5846)
- [ASM] Disable email Injection instrumented tests (#5875)
- [ASM] ensure struct is on the stack before passing to native code (#5882)
- [IAST] Broaden AspNet cookies filtering (#5830)
- [ASM] Refactor hardcoded secret analyzer (#5883)
Continuous Profiler
- [Profiler] LibrariesInfoCache: fix reload bug (#5837)
- [Profiler] Add Callstack::CopyFrom method (#5842)
- [Profiler] Fix null named thread (#5851)
Debugger
- [Dynamic Instrumentation] DEBUG-2489 Add default 3rd party detection includes\excludes (#5722)
- [Dynamic Instrumentation] DEBUG-2664 Remove this from static methods arguments upload (#5833)
- [Dynamic Instrumentation] DEBUG-2216 Getting value of field or property throws NotSupportedException (#5558)
- [Dynamic Instrumentation] DEBUG-2365 Support string lexicographic comparison (#5538)
- [Dynamic Instrumentation] DEBUG-2088 Support nullable types in templates (#5543)
- [Dynamic Instrumentation] DEBUG-2560 EL- Fix IsEmpty for string and collections (#5809)
- [Dynamic Instrumentation] DEBUG-2524 Fix EL numeric binary operations (#5815)
- [Dynamic Instrumentation] Improved instrumentation matching of symbols received through SymDb (#5829)
- [Exception Replay] Normalized exception hashing for more fine-grained aggregation (#5872)
Build / Test
- [Samples] Update IIS sample Dockerfile (#5805)
- Update config_norm_rules with old DI config (#5816)
- Simplify determining whether it's a debug run or not (#5817)
- Use unified Gitlab pipeline for APM SDKs for SSI artifacts (#5818)
- [Test Package Versions Bump] Updating package versions (#5819)
- Fix builds on release/2.x (#5826 -> master) (#5828)
- Add a scheduled job that sets the SSI variables in all tests (#5832)
- Add Callsite aspects analyzer to check for "safe" patterns (#5835)
- Catch exceptions when trying to shutdown IIS (#5840)
- [Test Package Versions Bump] Updating package versions (#5845)
- [Dynamic Instrumentation] Update debugger .slnf file (#5858)
- Skip the mass transit test to see if it solves flake issues (#5861)
- Add verification step to create_draft_release to check SSI one-pipeline succeeded (#5865)
- [build] change agent image source (#5874)
- Try fix smoke tests (#5889)
- [Dynamic Instrumentation] Fix broken debugger integration test (#5869)
Miscellaneous
- [IAST] Add a mark to the modified instructions in IL dumps (#5854)
- Update Datadog.Trace README to reference v3 migration guide (#5857)
- Config refactor - Add telemetry to otel config (#5717)
- Exclude an SSIS service from auto-tracing (#5813)
- [CrashTracking] Ensure crashtracking does not prevent coredump collection (#5852)