Add safe extraction for malformed base64 kafka headers

[amarziali]

What does this do

When DD_KAFKA_CLIENT_BASE64_DECODING_ENABLED=true, the Kafka producer instrumentation calls extractContextAndGetSpanContext on the outgoing ProducerRecord headers. If any header value is not valid Base64 (e.g. a header produced by a non-DD service, a URL-safe encoded value, or a plain string), Base64.getDecoder().decode() throws IllegalArgumentException. That exception escapes @OnMethodEnter, ByteBuddy's suppress = Throwable.class silently swallows it and returns a null AgentScope, which then causes an NPE in BaseDecorator.beforeFinish at scope.context()

The fix moves the Base64 decode into a safe Function<byte[], String> (Functions.base64Decode) that catches any Exception and returns null. TextMapExtractAdapter.forEachKey checks for null, logs the failing header key with EXCLUDE_TELEMETRY (since it's not actionable) , and skips that header. Valid headers continue to be processed normally.

Depends to #11466

Motivation

Additional Notes

Contributor Checklist

• Format the title according to the contribution guidelines
• Assign the type: and (comp: or inst:) labels in addition to any other useful labels
• Avoid using close, fix, or any linking keywords when referencing an issue
  Use solves instead, and assign the PR milestone to the issue
• Update the CODEOWNERS file on source file addition, migration, or deletion
• Update public documentation with any new configuration flags or behaviors
• Add your completed PR to the merge queue by commenting /merge. You can also:
  • Customize the commit message associated with the merge with /merge --commit-message "..."
  • Remove your PR from the merge queue with /merge -c
  • Skip all merge queue checks with /merge -f --reason "reason"; please use this judiciously, as some checks do not run at the PR-level
  • Get more information in this doc

Jira ticket: [PROJ-IDENT]

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1435039fe3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[datadog-prod-us1-3]

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 2 Pipeline jobs failed

Run system tests | main / End-to-end #8 / spring-boot-wildfly 8     

🔄 Retry job. This looks flaky and may succeed on retry.

Connection to Docker registry timed out while fetching image due to network issues, leading to repeated fetch failures.

Run system tests | Check system tests success     

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 46edb6e | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite	Status
Startup	🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results

Scenario	Candidate	master	Δ (95% CI of mean)
startup:insecure-bank:iast:Agent	14.04 s	13.95 s	[-0.2%; +1.4%] (no difference)
startup:insecure-bank:tracing:Agent	12.85 s	12.90 s	[-1.4%; +0.5%] (no difference)
startup:petclinic:appsec:Agent	16.69 s	16.45 s	[+0.2%; +2.8%] (maybe worse)
startup:petclinic:iast:Agent	16.64 s	16.56 s	[-0.4%; +1.4%] (no difference)
startup:petclinic:profiling:Agent	16.46 s	16.63 s	[-2.6%; +0.6%] (no difference)
startup:petclinic:tracing:Agent	15.96 s	15.87 s	[-0.6%; +1.7%] (no difference)

Commit: 46edb6e1 · CI Pipeline · Benchmarking Platform UI

---

Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

[pr-commenter]

Kafka / producer-benchmark

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	andrea.marziali/kafkaheaders
git_commit_date	1780305900	1780318689
git_commit_sha	7b18b2e	46edb6e

See matching parameters

	Baseline	Candidate
ci_job_date	1780319713	1780319713
ci_job_id	1729092713	1729092713
ci_pipeline_id	116226261	116226261
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
jdkVersion	11.0.25	11.0.25
jmhVersion	1.36	1.36
jvm	/usr/lib/jvm/java-11-openjdk-amd64/bin/java	/usr/lib/jvm/java-11-openjdk-amd64/bin/java
jvmArgs	-Dfile.encoding=UTF-8 -Djava.io.tmpdir=/go/src/github.com/DataDog/apm-reliability/dd-trace-java/platform/src/producer-benchmark/build/tmp/jmh -Duser.country=US -Duser.language=en -Duser.variant	-Dfile.encoding=UTF-8 -Djava.io.tmpdir=/go/src/github.com/DataDog/apm-reliability/dd-trace-java/platform/src/producer-benchmark/build/tmp/jmh -Duser.country=US -Duser.language=en -Duser.variant
vmName	OpenJDK 64-Bit Server VM	OpenJDK 64-Bit Server VM
vmVersion	11.0.25+9-post-Ubuntu-1ubuntu122.04	11.0.25+9-post-Ubuntu-1ubuntu122.04

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 3 metrics, 0 unstable metrics.

See unchanged results

scenario	Δ mean throughput
scenario:not-instrumented/KafkaProduceBenchmark.benchProduce	same
scenario:only-tracing-dsm-disabled-benchmarks/KafkaProduceBenchmark.benchProduce	same
scenario:only-tracing-dsm-enabled-benchmarks/KafkaProduceBenchmark.benchProduce	same

[pr-commenter]

Kafka / consumer-benchmark

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	andrea.marziali/kafkaheaders
git_commit_date	1780305900	1780318689
git_commit_sha	7b18b2e	46edb6e

See matching parameters

	Baseline	Candidate
ci_job_date	1780319755	1780319755
ci_job_id	1729092715	1729092715
ci_pipeline_id	116226261	116226261
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
jdkVersion	11.0.25	11.0.25
jmhVersion	1.36	1.36
jvm	/usr/lib/jvm/java-11-openjdk-amd64/bin/java	/usr/lib/jvm/java-11-openjdk-amd64/bin/java
jvmArgs	-Dfile.encoding=UTF-8 -Djava.io.tmpdir=/go/src/github.com/DataDog/apm-reliability/dd-trace-java/platform/src/consumer-benchmark/build/tmp/jmh -Duser.country=US -Duser.language=en -Duser.variant	-Dfile.encoding=UTF-8 -Djava.io.tmpdir=/go/src/github.com/DataDog/apm-reliability/dd-trace-java/platform/src/consumer-benchmark/build/tmp/jmh -Duser.country=US -Duser.language=en -Duser.variant
vmName	OpenJDK 64-Bit Server VM	OpenJDK 64-Bit Server VM
vmVersion	11.0.25+9-post-Ubuntu-1ubuntu122.04	11.0.25+9-post-Ubuntu-1ubuntu122.04

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 3 metrics, 0 unstable metrics.

See unchanged results

scenario	Δ mean throughput
scenario:not-instrumented/KafkaConsumerBenchmark.benchConsume	same
scenario:only-tracing-dsm-disabled-benchmarks/KafkaConsumerBenchmark.benchConsume	same
scenario:only-tracing-dsm-enabled-benchmarks/KafkaConsumerBenchmark.benchConsume	same