[appsec] Stripe business logic events

[simon-id]

What does this PR do?

This PR adds instrumentation for the Stripe SDK, and sends payloads from a couple of methods to the AppSec WAF, that will in turn convert them into span tags for the backend to receive.

Motivation

These tags will be used by the WAF to detect endpoints that handle payments in the Endpoint Catalog, and will be useful for fraud detection and general security observability.

ST: DataDog/system-tests#6219

[github-actions]

Overall package size

Self size: 4.58 MB
Deduped: 5.42 MB
No deduping: 5.42 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | import-in-the-middle | 2.0.6 | 81.92 kB | 813.08 kB | | dc-polyfill | 0.1.10 | 26.73 kB | 26.73 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[codecov]

Codecov Report

❌ Patch coverage is 98.43750% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 80.38%. Comparing base (1630815) to head (465d6b8).

Files with missing lines	Patch %	Lines
packages/datadog-instrumentations/src/stripe.js	97.61%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #7138      +/-   ##
==========================================
+ Coverage   80.34%   80.38%   +0.03%     
==========================================
  Files         731      732       +1     
  Lines       31093    31157      +64     
==========================================
+ Hits        24981    25044      +63     
- Misses       6112     6113       +1     

Flag	Coverage Δ
aiguard-macos	39.07% <0.00%> (-0.11%)	⬇️
aiguard-ubuntu	39.11% <0.00%> (-0.11%)	⬇️
aiguard-windows	38.96% <0.00%> (-0.11%)	⬇️
apm-capabilities-tracing-macos	48.80% <0.00%> (-0.05%)	⬇️
apm-capabilities-tracing-ubuntu	48.80% <0.00%> (-0.05%)	⬇️
apm-capabilities-tracing-windows	48.53% <0.00%> (-0.05%)	⬇️
apm-integrations-child-process	38.57% <0.00%> (-0.11%)	⬇️
apm-integrations-couchbase-18	37.32% <0.00%> (-0.25%)	⬇️
apm-integrations-couchbase-eol	37.81% <0.00%> (-0.11%)	⬇️
apm-integrations-oracledb	37.92% <0.00%> (-0.18%)	⬇️
appsec-express	55.32% <27.27%> (-0.12%)	⬇️
appsec-fastify	51.95% <27.27%> (-0.11%)	⬇️
appsec-graphql	52.28% <27.27%> (-0.11%)	⬇️
appsec-kafka	44.63% <0.00%> (-0.09%)	⬇️
appsec-ldapjs	44.31% <0.00%> (-0.09%)	⬇️
appsec-lodash	43.99% <0.00%> (-0.09%)	⬇️
appsec-macos	58.43% <27.27%> (-0.12%)	⬇️
appsec-mongodb-core	49.19% <0.00%> (-0.09%)	⬇️
appsec-mongoose	49.88% <0.00%> (-0.08%)	⬇️
appsec-mysql	51.23% <27.27%> (-0.11%)	⬇️
appsec-node-serialize	43.50% <0.00%> (-0.09%)	⬇️
appsec-passport	48.06% <27.27%> (-0.13%)	⬇️
appsec-postgres	51.02% <27.27%> (-0.11%)	⬇️
appsec-sourcing	42.84% <0.00%> (-0.09%)	⬇️
appsec-template	43.67% <0.00%> (-0.09%)	⬇️
appsec-ubuntu	58.46% <27.27%> (-0.12%)	⬇️
appsec-windows	58.30% <27.27%> (-0.12%)	⬇️
instrumentations-instrumentation-bluebird	32.25% <0.00%> (-0.11%)	⬇️
instrumentations-instrumentation-body-parser	40.73% <0.00%> (-0.10%)	⬇️
instrumentations-instrumentation-child_process	37.88% <0.00%> (-0.11%)	⬇️
instrumentations-instrumentation-cookie-parser	34.51% <0.00%> (-0.10%)	⬇️
instrumentations-instrumentation-express	34.85% <0.00%> (-0.10%)	⬇️
instrumentations-instrumentation-express-mongo-sanitize	34.64% <0.00%> (-0.10%)	⬇️
instrumentations-instrumentation-express-session	40.41% <0.00%> (-0.10%)	⬇️
instrumentations-instrumentation-fs	31.85% <0.00%> (-0.11%)	⬇️
instrumentations-instrumentation-generic-pool	29.80% <0.00%> (-0.01%)	⬇️
instrumentations-instrumentation-http	39.62% <0.00%> (-0.11%)	⬇️
instrumentations-instrumentation-knex	32.25% <0.00%> (-0.11%)	⬇️
instrumentations-instrumentation-mongoose	33.61% <0.00%> (-0.10%)	⬇️
instrumentations-instrumentation-multer	40.47% <0.00%> (-0.10%)	⬇️
instrumentations-instrumentation-mysql2	38.26% <0.00%> (-0.11%)	⬇️
instrumentations-instrumentation-passport	40.77% <0.00%> (-0.10%)	⬇️
instrumentations-instrumentation-passport-http	40.74% <0.00%> (-0.10%)	⬇️
instrumentations-instrumentation-passport-local	40.74% <0.00%> (-0.10%)	⬇️
instrumentations-instrumentation-pg	37.78% <0.00%> (-0.11%)	⬇️
instrumentations-instrumentation-promise	32.17% <0.00%> (-0.11%)	⬇️
instrumentations-instrumentation-promise-js	32.18% <0.00%> (-0.11%)	⬇️
instrumentations-instrumentation-q	32.22% <0.00%> (-0.11%)	⬇️
instrumentations-instrumentation-url	32.14% <0.00%> (-0.11%)	⬇️
instrumentations-instrumentation-when	32.19% <0.00%> (-0.11%)	⬇️
llmobs-ai	41.41% <0.00%> (-0.10%)	⬇️
llmobs-anthropic	40.63% <0.00%> (-0.10%)	⬇️
llmobs-bedrock	39.51% <0.00%> (-0.09%)	⬇️
llmobs-google-genai	40.11% <0.00%> (-0.10%)	⬇️
llmobs-langchain	39.66% <0.00%> (-0.08%)	⬇️
llmobs-openai	44.48% <0.00%> (-0.10%)	⬇️
llmobs-vertex-ai	40.41% <0.00%> (-0.10%)	⬇️
platform-core	28.09% <ø> (ø)
platform-esbuild	31.49% <ø> (ø)
platform-instrumentations-misc	39.62% <ø> (ø)
platform-shimmer	34.83% <ø> (ø)
platform-unit-guardrails	30.37% <ø> (ø)
plugins-azure-event-hubs	22.64% <ø> (ø)
plugins-azure-service-bus	22.08% <ø> (ø)
plugins-bullmq	43.71% <0.00%> (-0.11%)	⬇️
plugins-cassandra	38.04% <0.00%> (-0.10%)	⬇️
plugins-cookie	23.69% <ø> (ø)
plugins-cookie-parser	23.50% <ø> (ø)
plugins-crypto	22.88% <ø> (ø)
plugins-dd-trace-api	38.42% <0.00%> (-0.11%)	⬇️
plugins-express-mongo-sanitize	23.67% <ø> (ø)
plugins-express-session	23.46% <ø> (ø)
plugins-fastify	42.53% <0.00%> (-0.10%)	⬇️
plugins-fetch	38.60% <0.00%> (-0.10%)	⬇️
plugins-fs	38.67% <0.00%> (-0.11%)	⬇️
plugins-generic-pool	22.68% <ø> (ø)
plugins-google-cloud-pubsub	45.70% <0.00%> (-0.12%)	⬇️
plugins-grpc	41.29% <0.00%> (-0.10%)	⬇️
plugins-handlebars	23.71% <ø> (ø)
plugins-hapi	40.43% <0.00%> (-0.11%)	⬇️
plugins-hono	40.63% <0.00%> (-0.10%)	⬇️
plugins-ioredis	38.47% <0.00%> (-0.11%)	⬇️
plugins-knex	23.51% <ø> (ø)
plugins-ldapjs	21.28% <ø> (ø)
plugins-light-my-request	23.15% <ø> (ø)
plugins-limitd-client	32.39% <0.00%> (-0.26%)	⬇️
plugins-lodash	22.74% <ø> (ø)
plugins-mariadb	39.60% <0.00%> (-0.11%)	⬇️
plugins-memcached	38.20% <0.00%> (-0.11%)	⬇️
plugins-microgateway-core	39.44% <0.00%> (-0.11%)	⬇️
plugins-moleculer	40.84% <0.00%> (-0.10%)	⬇️
plugins-mongodb	39.55% <0.00%> (-0.10%)	⬇️
plugins-mongodb-core	39.12% <0.00%> (-0.11%)	⬇️
plugins-mongoose	39.18% <0.00%> (-0.10%)	⬇️
plugins-multer	23.46% <ø> (ø)
plugins-mysql	39.25% <0.00%> (-0.11%)	⬇️
plugins-mysql2	39.30% <0.00%> (-0.11%)	⬇️
plugins-node-serialize	23.73% <ø> (ø)
plugins-opensearch	37.87% <0.00%> (-0.10%)	⬇️
plugins-passport-http	23.56% <ø> (ø)
plugins-postgres	35.71% <0.00%> (-0.09%)	⬇️
plugins-process	22.88% <ø> (ø)
plugins-pug	23.69% <ø> (ø)
plugins-redis	38.95% <0.00%> (-0.11%)	⬇️
plugins-router	43.24% <0.00%> (-0.10%)	⬇️
plugins-sequelize	22.27% <ø> (ø)
plugins-test-and-upstream-amqp10	38.54% <0.00%> (+0.04%)	⬆️
plugins-test-and-upstream-amqplib	43.89% <0.00%> (-0.11%)	⬇️
plugins-test-and-upstream-apollo	39.32% <0.00%> (-0.10%)	⬇️
plugins-test-and-upstream-avsc	38.81% <0.00%> (-0.11%)	⬇️
plugins-test-and-upstream-bunyan	33.86% <0.00%> (-0.11%)	⬇️
plugins-test-and-upstream-connect	41.04% <0.00%> (-0.11%)	⬇️
plugins-test-and-upstream-graphql	40.22% <0.00%> (-0.11%)	⬇️
plugins-test-and-upstream-koa	40.63% <0.00%> (-0.10%)	⬇️
plugins-test-and-upstream-protobufjs	39.04% <0.00%> (-0.11%)	⬇️
plugins-test-and-upstream-rhea	44.18% <0.00%> (-0.08%)	⬇️
plugins-undici	39.39% <0.00%> (-0.10%)	⬇️
plugins-url	22.88% <ø> (ø)
plugins-valkey	38.12% <0.00%> (-0.11%)	⬇️
plugins-vm	22.88% <ø> (ø)
plugins-winston	34.26% <0.00%> (-0.11%)	⬇️
plugins-ws	42.20% <0.00%> (-0.10%)	⬇️
profiling-macos	40.06% <0.00%> (-0.11%)	⬇️
profiling-ubuntu	40.11% <0.00%> (-0.11%)	⬇️
profiling-windows	41.46% <0.00%> (-0.10%)	⬇️
serverless-azure-functions-client	22.38% <ø> (ø)
serverless-azure-functions-eventhubs	22.38% <ø> (ø)
serverless-azure-functions-servicebus	22.38% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[pr-commenter]

Benchmarks

Benchmark execution time: 2026-02-06 11:06:32

Comparing candidate commit 465d6b8 in PR branch stripe_business_events with baseline commit 1630815 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 230 metrics, 30 unstable metrics.

[uurien]

Is this long list (instead of >=9) used here only for testing purpose? To force the the execution in the versions 9, 10...?

I think that we shold add a comment explainig why, or else we can set this as >=9 and in externals.json add these version in stripe section. I think that it is the main purpose of having an array for versions in externals.json:

  "stripe": [
    {
      "name": "express",
      "versions": ["^4"]
    },
    {
      "name": "body-parser",
      "versions": ["1.20.1"]
    },
    {
      "name": "stripe",
      "versions": ['9', '10', '11', '12', '13', '14', '15', '16', '17', '18', '19']
    }
  ],

[simon-id]

yes, it's to make sure we test all the majors, as it seems like stripe sdk loves majors. I don't think a comment is super useful here as this syntax is used in other instrumentations too. If you want a comment, please make a github suggestion, it's easy and handy!
And about externals.json I am not as sure as oyu this is why we have it. What's wrong with having it in the instrmentation anyway ?

[uurien]

What's wrong with having it in the instrumentation anyway ?

I am afraid that someone could see that and change it to <=9.