opentracing
The opentracing npm package provides a standard, vendor-neutral API for distributed tracing. It allows developers to add instrumentation to their applications, which is essential for understanding the performance and behavior of complex distributed systems. The package enables the tracking of request flows across various services and systems, making it easier to diagnose and optimize performance issues.
Starting a new trace
This code demonstrates how to start a new trace with a span named 'my_span' and then finish the span. This is the basic building block of distributed tracing.
const opentracing = require('opentracing');
const tracer = opentracing.globalTracer();
const span = tracer.startSpan('my_span');
span.finish();
Injecting and extracting span context
This code snippet shows how to inject a span context into a carrier (e.g., HTTP headers) and then extract it. This is crucial for propagating trace context across process boundaries.
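const opentracing = require('opentracing');
const tracer = opentracing.globalTracer();
// Start a span so there is a context to propagate.
const span = tracer.startSpan('my_span');
const spanContext = span.context();
const carrier = {};
// Sender: serialize the span context into the carrier (e.g. outgoing HTTP headers).
tracer.inject(spanContext, opentracing.FORMAT_HTTP_HEADERS, carrier);
// Receiver: rebuild a span context from the carrier.
const extractedContext = tracer.extract(opentracing.FORMAT_HTTP_HEADERS, carrier);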
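The round trip described above, as an added example that is not part of the opentracing package or its README: a stand-alone model of what a tracer's inject and extract do for the HTTP-headers format, with the receiving side treating the carrier as untrusted input. The header names, the 16-hex-digit ID format and the helper names are assumptions chosen for illustration.

```javascript
// Added example: stand-alone model of HTTP-header trace propagation.
// Header names and the ID format are assumptions, not the opentracing package's.
const crypto = require('crypto');

const TRACE_HEADER = 'x-example-trace-id'; // hypothetical header name
const SPAN_HEADER = 'x-example-span-id';   // hypothetical header name
const ID_PATTERN = /^[0-9a-f]{16}$/;       // assumed format: 64-bit ID, lowercase hex

function newId() {
  return crypto.randomBytes(8).toString('hex');
}

// Sender side: write the span context into an outgoing header carrier.
function inject(spanContext, carrier) {
  carrier[TRACE_HEADER] = spanContext.traceId;
  carrier[SPAN_HEADER] = spanContext.spanId;
  return carrier;
}

// Receiver side: the carrier was filled in by another process, so it is
// untrusted input. Returns a span context, or null when nothing usable arrived.
function extract(carrier) {
  const found = new Map();
  for (const [name, value] of Object.entries(carrier || {})) {
    found.set(name.toLowerCase(), value); // header names are case-insensitive
  }
  const traceId = found.get(TRACE_HEADER);
  const spanId = found.get(SPAN_HEADER);
  // Reject missing, non-string (e.g. repeated header parsed as an array),
  // overlong or non-hex values instead of copying them into spans and logs.
  if (typeof traceId !== 'string' || typeof spanId !== 'string') return null;
  if (!ID_PATTERN.test(traceId) || !ID_PATTERN.test(spanId)) return null;
  return { traceId, spanId };
}

// Continue the caller's trace when the context is valid, else start a new one.
function startServerSpan(name, headers) {
  const parent = extract(headers);
  return {
    name,
    traceId: parent ? parent.traceId : newId(),
    parentSpanId: parent ? parent.spanId : null,
    spanId: newId(),
  };
}
```

A malformed or missing context starts a fresh trace rather than failing the request, so a bad header from a caller costs only the link to the upstream trace.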
Setting tags and logs
This example illustrates how to set tags and logs on a span. Tags are key-value pairs that provide additional context, such as HTTP method, while logs record timed events within a span.
const opentracing = require('opentracing');
const span = opentracing.globalTracer().startSpan('my_span');
span.setTag(opentracing.Tags.HTTP_METHOD, 'GET');
span.log({ event: 'request_sent' });
span.finish();
Jaeger Client is an open-source, end-to-end distributed tracing system that works with the OpenTracing API. It is similar to opentracing but is specifically designed to work with the Jaeger backend. It provides more specific implementations for trace collection and reporting.
Zipkin is another distributed tracing system that captures timing data needed to troubleshoot latency problems in service architectures. It has a different API compared to opentracing but serves a similar purpose in tracing requests through distributed systems.
LightStep Tracer is a distributed tracing library that implements the OpenTracing API, similar to opentracing. It is designed to integrate with LightStep's real-time analysis platform, providing more advanced features and integrations for monitoring and diagnosing distributed systems.
This library is a JavaScript implementation of the OpenTracing API. It is intended for use both on the server and in the browser.
To fully understand this platform API, it's helpful to be familiar with the OpenTracing project and terminology more specifically.
Install the package using npm:
npm install --save opentracing
The package contains an example using a naive MockTracer implementation. To run the example:
npm run example
The output should look something like:
Spans:
    parent_span - 1521ms
        tag 'custom':'tag value'
        tag 'alpha':'1000'
    child_span - 503ms
        tag 'alpha':'200'
        tag 'beta':'50'
In your JavaScript code, add instrumentation to the operations to be tracked. This is composed primarily of using "spans" around operations of interest and adding log statements to capture useful data relevant to those operations.
const http = require('http');
const opentracing = require('opentracing');

// NOTE: the default OpenTracing tracer does not record any tracing information.
// Replace this line with the tracer implementation of your choice.
const tracer = new opentracing.Tracer();

const span = tracer.startSpan('http_request');
const opts = {
    host : 'example.com',
    method: 'GET',
    port : '80',
    path: '/',
};
http.request(opts, res => {
    res.setEncoding('utf8');
    res.on('error', err => {
        // assuming no retries, mark the span as failed
        span.setTag(opentracing.Tags.ERROR, true);
        span.log({'event': 'error', 'error.object': err, 'message': err.message, 'stack': err.stack});
        span.finish();
    });
    res.on('data', chunk => {
        span.log({'event': 'data_received', 'chunk_length': chunk.length});
    });
    res.on('end', () => {
        span.log({'event': 'request_end'});
        span.finish();
    });
}).end();
As noted in the source snippet, the default behavior of the opentracing package is to act as a "no op" implementation. To capture and make the tracing data actionable, the tracer object should be initialized with the OpenTracing implementation of your choice as in the pseudo-code below:
const CustomTracer = require('tracing-implementation-of-your-choice');
const tracer = new CustomTracer();
The package contains two bundles built with webpack that can be included using a standard <script> tag. The library will be exposed under the global opentracing namespace:
dist/opentracing-browser.min.js - minified, no runtime checks
dist/opentracing-browser.js - debug version with runtime checks
Since the source is written in TypeScript, if you are using TypeScript, you can just npm install the package and it will work out of the box.
This is especially useful for implementors who want to type check their implementation with the base interface.
The library also provides a global singleton tracer for convenience. This can be set and accessed via the following:
opentracing.initGlobalTracer(new CustomTracer());
const tracer = opentracing.globalTracer();
Note: globalTracer() returns a wrapper on the actual tracer object. This is done for the convenience of use as it ensures that the function will always return a non-null object. This can be helpful in cases where it is difficult or impossible to know precisely when initGlobalTracer is called (for example, when writing a utility library that does not control the initialization process). For more precise control, individual Tracer objects can be used instead of the global tracer.
There is a hosted copy of the current generated ESDoc API Documentation here.
See the OpenTracing website for general information on contributing to OpenTracing.
The project is written in TypeScript and built using npm scripts. Run:
npm run build - creates the compiled, distributable JavaScript code in ./lib
npm run watch - incrementally compiles on file changes
npm run webpack - creates the bundles for the browser in ./dist
npm test - runs the tests
npm run typedoc - generates the documentation in ./typedoc
Note: The minimum supported Node version for development is >=6. Tests can however be run on any version that this project supports (>=0.10).
This section is intended for developers wishing to implement their own tracers. Developers who simply wish to use OpenTracing can safely ignore this information.
Implementations can subclass opentracing.Tracer, opentracing.Span, and the other API classes to build an OpenTracing tracer and implement the underscore prefixed methods such as _addTag to pick up a bit of common code implemented in the base classes.
If mocha is being used for unit testing, test/api_compatibility can be used to test the custom tracer. The file exports a single function that expects as an argument a function that will return a new instance of the tracer.
const apiCompatibilityChecks = require('opentracing/lib/test/api_compatibility.js').default;
apiCompatibilityChecks(() => new CustomTracer());
Apache License 2.0
A minimal example tracer is provided in the src/mock_tracer directory of the source code.
FAQs
We found that opentracing demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.