fix(instrumentation-aws-sdk): remove un-sanitised db.statement span attribute from DynamoDB spans

[ramesius]

Which problem is this PR solving?

DynamoDB spans include the db.statement span attribute which can include un-sanitised sensitive data.

Short description of the changes

Remove the db.statement attribute from DynamoDB spans due to not being sanitised of sensitive data.

According to the semantic conventions spec:

(db.statement) Should be collected by default only if there is sanitisation that excludes sensitive information.

I have updated the tests to explicitly assert that db.statement remains undefined.

Contributes to #1552

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: ramesius / name: Matthew Turner (a5acebf, 52d09b7, c198332, a37da4a, 55ce8d5, 648c034, 449d159)
• ✅ login: blumamir / name: Amir Blum (a61251c)

[andymac4182]

@carolabadeer @blumamir Are you able to review please? This is impacting on our services. It is pushing private database values to traces.

[srprash]

It is indeed not a good practice to record raw query as db.statement span attribute, and thanks for raising this PR.
I propose that we follow a similar approach as the redis instrumentation, where a custom function can be provided to serialize the db.statement value.

By default, this instrumentation should either not record db.statement at all, or record only the unsensitive part of the queries.

@ramesius Would you be able to add the feature in this PR?

[ramesius]

@srprash Yeah I can take care of that in this PR.
The naming of the configuration will match.

I will raise the change with a default implementation that redacts the whole db.statement for now.

[ramesius]

This now adds the configuration dynamoDBStatementSerializer to customise the statement serialization.

[ramesius]

@srprash Good for another review when you are ready.

[ramesius]

@srprash Do you know when you will be able to review this again?

[blumamir]

Overall LGTM.
Added few minor comments.

Sorry for taking long time to review 🙏

[blumamir]

Should we record this attribute if config.dynamoDBStatementSerializer is undefined or if the config function returned undefined?

[blumamir]

Since this function is supplied by the user, the instrumentation should protect. itself from any exception thrown from this function and prevent the patch code from crashing in this case.

You can see many examples in other instrumentations

[ramesius]

Most definitely, I will add this in 👍🏻

[blumamir]

I suggest that we also assert it's expected value and not only it's present.

[ramesius]

Something missed, thanks for picking it up, will sort that out.

[ramesius]

In fact, since this is testing default behaviour and the upcoming change to not set the property if the serializer is not configured this can probably stay as is?

[blumamir]

I suggest adding a test where this serializer throw an exception to verify the instrumentation do not crash in this case

[blumamir]

What is the gain from testing this feature with few operations? is there anything in the code that should behave differently based on the operation that determines how to serializer is executed?

[ramesius]

Probably a little excessive in hindsight.

Thinking about https://github.com/open-telemetry/opentelemetry-js-contrib/pull/1748/files/52d09b71cc206a6a40a77cfcf7ab69f7809805d2#r1384667968 multiple tests that assert the operation would probably be the correct direction.

[blumamir]

I wonder if the serializer should also get the operation to be able to properly sanitize. I guess the sanitization logic can probably work differently for different operations?

This can also be added in the future if someone brings up the need.

[ramesius]

I like the suggestion. As pointed out elsewhere, the sanitize function is supplied as part of the public API so I think including operation now just avoids breaking changes later 👍🏻

[codecov]

Codecov Report

Merging #1748 (a61251c) into main (86a21d7) will increase coverage by 0.00%.
The diff coverage is 100.00%.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1748   +/-   ##
=======================================
  Coverage   91.44%   91.45%           
=======================================
  Files         144      144           
  Lines        7400     7406    +6     
  Branches     1481     1483    +2     
=======================================
+ Hits         6767     6773    +6     
  Misses        633      633           

Files	Coverage Δ
...entelemetry-instrumentation-aws-sdk/src/aws-sdk.ts	97.48% <100.00%> (ø)
...ntation-aws-sdk/src/services/ServicesExtensions.ts	100.00% <100.00%> (ø)
...y-instrumentation-aws-sdk/src/services/dynamodb.ts	100.00% <100.00%> (ø)
...try-instrumentation-aws-sdk/src/services/lambda.ts	97.77% <100.00%> (ø)
...emetry-instrumentation-aws-sdk/src/services/sns.ts	94.11% <100.00%> (ø)
...emetry-instrumentation-aws-sdk/src/services/sqs.ts	100.00% <100.00%> (ø)

[ramesius]

I think I have addressed all the feedback, ready for another round 👍🏻

[ramesius]

@srprash @blumamir Would you mind reviewing this again to hopefully get this merged soon? 🤞🏻