APMSP-1241 Directly import trace-agent stats code for client-side stats

[ajgajg1134]

WIP: This PR should be updated to point to the released v0.58 version of the trace-agent when it is available and then should be ready for merge. However this code is very unlikely to change other than changing the go.mod version so it should be safe to review now with minimal disruption.

What does this PR do?

Begin using the trace-agent's Concentrator instead of our own (mostly copied) implementation from the trace-agent.

Unfortunately there's some additional changes here needed like updating to go 1.22 as that's the minimum supported version of the trace-agent (but this is aligned with dd-trace-go's published version support policy). Additionally the google.golang.org/api contrib needed to be updated to support the more recent versions required by the trace-agent. I believe these imports / upgrades are ok but if we need to target a smaller import and modularize some more of the trace-agent to reduce impact here just let me know!

Motivation

Some new features introduced in the trace-agent concentrator have been missed here over time and this brings back feature parity when using client side stats (e.g. peer tags aggregation, marking trace root spans). We will eventually be enabling client stats by default (as it's more efficient!) and this is a required step to ensure that we don't break important stats features.

Reviewer's Checklist

• Changed code has unit tests for its functionality at or near 100% coverage.
• System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
• There is a benchmark for any new code, or changes to existing code.
• If this interacts with the agent in a new way, a system test has been added.
• Add an appropriate team label so this PR gets put in the right place for the release notes.
• Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.

Unsure? Have a question? Request a review!

[datadog-datadog-prod-us1]

🟡 Library Vulnerability

google.golang.org/grpc → 1.64.0

Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go (...read more)

Impact

This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.

    

[datadog-datadog-prod-us1]

🟡 Library Vulnerability

google.golang.org/grpc → 1.64.0

Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go (...read more)

Impact

This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.

    

[pr-commenter]

Benchmarks

Benchmark execution time: 2024-10-31 09:31:26

Comparing candidate commit 9c2328e in PR branch andrew.glaude/spanConcentrator2 with baseline commit 0bd0a8c in branch main.

Found 4 performance improvements and 1 performance regressions! Performance is the same for 53 metrics, 1 unstable metrics.

scenario:BenchmarkOTelApiWithCustomTags/datadog_otel_api-24

• 🟩 execution_time [-197.789ns; -162.611ns] or [-4.095%; -3.367%]

scenario:BenchmarkOTelApiWithCustomTags/otel_api-24

• 🟩 allocations [-1; -1] or [-2.273%; -2.273%]
• 🟩 execution_time [-407.377ns; -351.423ns] or [-5.529%; -4.770%]

scenario:BenchmarkSetTagStringer-24

• 🟥 execution_time [+4.686ns; +8.854ns] or [+3.371%; +6.370%]

scenario:BenchmarkStartSpanConcurrent-24

• 🟩 execution_time [-2.405µs; -2.256µs] or [-31.744%; -29.774%]

[datadog-datadog-prod-us1]

🟡 Library Vulnerability

google.golang.org/grpc → 1.64.0

Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go (...read more)

Impact

This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.

    

[datadog-datadog-prod-us1]

🟡 Library Vulnerability

google.golang.org/grpc → 1.64.0

Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go (...read more)

Impact

This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.

    

[eliottness]

Approving on behalf of appsec only for appsec code. Thanks for starting out the migration to rolling out go 1.21 👍

[github-actions]

This PR is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 10 days.

[darccio]

@ajgajg1134 Was the agent released? When will this able to be merged?

[ajgajg1134]

@ajgajg1134 Was the agent released? When will this able to be merged?

The current ETA for agent release is TOMORROW! 🎉