Optimize IAST Vulnerability Detection (#8885)

What Does This Do
Implements the new algorithm for detecting IAST vulnerabilities, where vulnerabilities that were already explored in previous runs for a given endpoint are skipped, ensuring that all remaining ones are eventually explored.

This addresses the current limitation where only the first matching vulnerabilities are consistently reported, causing others to remain hidden.

Changes to OverheadContext
The OverheadContext class has been extended to support three separate tracking maps:

globalMap
Used to track vulnerability detection counts per endpoint across all requests.
Keys are strings combining the request method and route (GET /login, POST /submit, etc.).
Values are maps from vulnerabilityType → int (count of occurrences).
Capped at 4,096 entries using a clear‐on‐overflow strategy, to ensure bounded memory usage.
Oldest entries are cleared once the limit is reached.
copyMap
Created per request to copy the global counts at the start of the request, ensuring a consistent baseline to compare against throughout the lifecycle of the request.
requestMap
Tracks vulnerability type counts within the request.
An additional field, isGlobal, has been added to indicate whether the context is global or request-scoped. If isGlobal is true, the maps are not used, and quota checks proceed using the global strategy only.

A new method, resetMaps(), has been added to update globalMap when the request ends and vulnerability data has been reported. Two scenarios are supported:

Case 1: Budget not fully used → The entry for the endpoint in globalMap is cleared, since the request stayed within budget.
Case 2: Budget fully used → The counts from requestMap are compared to those in copyMap. For each vulnerability type, if the value in requestMap is greater, it is used to update the corresponding entry in globalMap.
Changes to OverheadController
The method consumeQuota() has been extended to receive a vulnerabilityType and modified to support the new logic:

If an OverheadContext is present and not global, and there is remaining quota and a valid span, the controller now invokes a new method maybeSkipVulnerability() to determine whether quota should actually be consumed or not, based on endpoint-specific history.

It's better to check the Algorithm execution example flow diagram to understand how this should work

Changes to IastRequestContext
In releaseRequestContext(), the request now calls resetMaps() on the associated OverheadContext, ensuring globalMap is updated at the end of each request.

Motivation
[RFC-1029] Optimizing IAST Vulnerability Detection implementation

Additional Notes
java tracer needs to implement also [RFC-1029-A1] Solution for dynamic http routes

Author: jandro996

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/IastRequestContext.java

@@ -48,8 +48,27 @@ public IastRequestContext() {
   }
 
   public IastRequestContext(final TaintedObjects taintedObjects) {
+    this(taintedObjects, false);
+  }
+
+  public IastRequestContext(final TaintedObjects taintedObjects, boolean isGlobal) {
+    this.vulnerabilityBatch = new VulnerabilityBatch();
+    this.overheadContext =
+        new OverheadContext(Config.get().getIastVulnerabilitiesPerRequest(), isGlobal);
+    this.taintedObjects = taintedObjects;
+  }
+
+  /**
+   * Use this constructor only when you want to create a new context with a fresh overhead context
+   * (e.g. for testing purposes).
+   *
+   * @param taintedObjects the tainted objects to use
+   * @param overheadContext the overhead context to use
+   */
+  public IastRequestContext(
+      final TaintedObjects taintedObjects, final OverheadContext overheadContext) {
     this.vulnerabilityBatch = new VulnerabilityBatch();
-    this.overheadContext = new OverheadContext(Config.get().getIastVulnerabilitiesPerRequest());
+    this.overheadContext = overheadContext;
     this.taintedObjects = taintedObjects;
   }
 
@@ -188,6 +207,7 @@ public void releaseRequestContext(@Nonnull final IastContext context) {
         pool.offer(unwrapped);
         iastCtx.setTaintedObjects(TaintedObjects.NoOp.INSTANCE);
       }
+      iastCtx.overheadContext.resetMaps();
     }
   }
 }

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/Reporter.java

@@ -140,7 +140,7 @@ private VulnerabilityBatch getOrCreateVulnerabilityBatch(final AgentSpan span) {
   private AgentSpan startNewSpan() {
     final AgentSpanContext tagContext =
         new TagContext()
-            .withRequestContextDataIast(new IastRequestContext(TaintedObjects.NoOp.INSTANCE));
+            .withRequestContextDataIast(new IastRequestContext(TaintedObjects.NoOp.INSTANCE, true));
     final AgentSpan span =
         tracer()
             .startSpan("iast", VULNERABILITY_SPAN_NAME, tagContext)

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/overhead/OverheadContext.java

@@ -3,16 +3,60 @@
 import static datadog.trace.api.iast.IastDetectionMode.UNLIMITED;
 
 import com.datadog.iast.util.NonBlockingSemaphore;
+import datadog.trace.api.iast.VulnerabilityTypes;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import java.util.concurrent.atomic.AtomicIntegerArray;
+import java.util.function.Function;
+import javax.annotation.Nullable;
+import org.jetbrains.annotations.NotNull;
 
 public class OverheadContext {
 
+  /** Maximum number of distinct endpoints to remember in the global cache. */
+  private static final int GLOBAL_MAP_MAX_SIZE = 4096;
+
+  /**
+   * Global concurrent cache mapping each “method + path” key to its historical vulnerabilityCounts
+   * map. As soon as size() > GLOBAL_MAP_MAX_SIZE, we clear() the whole map.
+   */
+  static final ConcurrentMap<String, AtomicIntegerArray> globalMap =
+      new ConcurrentHashMap<String, AtomicIntegerArray>() {
+
+        @Override
+        public AtomicIntegerArray computeIfAbsent(
+            String key,
+            @NotNull Function<? super String, ? extends AtomicIntegerArray> mappingFunction) {
+          if (this.size() >= GLOBAL_MAP_MAX_SIZE) {
+            super.clear();
+          }
+          return super.computeIfAbsent(key, mappingFunction);
+        }
+      };
+
+  // Snapshot of the globalMap for the current request
+  private @Nullable final Map<String, int[]> copyMap;
+  // Map of vulnerabilities per endpoint for the current request, needs to use AtomicIntegerArray
+  // because it's possible to have concurrent updates in the same request
+  private @Nullable final Map<String, AtomicIntegerArray> requestMap;
+
   private final NonBlockingSemaphore availableVulnerabilities;
+  private final boolean isGlobal;
 
   public OverheadContext(final int vulnerabilitiesPerRequest) {
+    this(vulnerabilitiesPerRequest, false);
+  }
+
+  public OverheadContext(final int vulnerabilitiesPerRequest, final boolean isGlobal) {
     availableVulnerabilities =
         vulnerabilitiesPerRequest == UNLIMITED
             ? NonBlockingSemaphore.unlimited()
             : NonBlockingSemaphore.withPermitCount(vulnerabilitiesPerRequest);
+    this.isGlobal = isGlobal;
+    this.requestMap = isGlobal ? null : new ConcurrentHashMap<>();
+    this.copyMap = isGlobal ? null : new ConcurrentHashMap<>();
   }
 
   public int getAvailableQuota() {
@@ -26,4 +70,52 @@ public boolean consumeQuota(final int delta) {
   public void reset() {
     availableVulnerabilities.reset();
   }
+
+  public void resetMaps() {
+    // If this is a global context, we do not reset the maps
+    if (isGlobal || requestMap == null || copyMap == null) {
+      return;
+    }
+    Set<String> endpoints = requestMap.keySet();
+    // If the budget is not consumed, we can reset the maps
+    if (getAvailableQuota() > 0) {
+      // clean endpoints from globalMap
+      endpoints.forEach(globalMap::remove);
+      return;
+    }
+    // If the budget is consumed, we need to merge the requestMap into the globalMap
+    endpoints.forEach(
+        endpoint -> {
+          AtomicIntegerArray countMap = requestMap.get(endpoint);
+          // should not happen, but just in case
+          if (countMap == null) {
+            globalMap.remove(endpoint);
+            return;
+          }
+          // Iterate over the vulnerabilities and update the globalMap
+          int numberOfVulnerabilities = VulnerabilityTypes.STRINGS.length;
+          for (int i = 0; i < numberOfVulnerabilities; i++) {
+            int counter = countMap.get(i);
+            if (counter > 0) {
+              AtomicIntegerArray globalCountMap =
+                  globalMap.computeIfAbsent(
+                      endpoint, value -> new AtomicIntegerArray(numberOfVulnerabilities));
+
+              globalCountMap.accumulateAndGet(i, counter, Math::max);
+            }
+          }
+        });
+  }
+
+  public boolean isGlobal() {
+    return isGlobal;
+  }
+
+  public @Nullable Map<String, int[]> getCopyMap() {
+    return copyMap;
+  }
+
+  public @Nullable Map<String, AtomicIntegerArray> getRequestMap() {
+    return requestMap;
+  }
 }

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/overhead/OverheadController.java

@@ -1,19 +1,24 @@
 package com.datadog.iast.overhead;
 
+import static com.datadog.iast.overhead.OverheadContext.globalMap;
 import static datadog.trace.api.iast.IastDetectionMode.UNLIMITED;
 
 import com.datadog.iast.IastRequestContext;
 import com.datadog.iast.IastSystem;
+import com.datadog.iast.model.VulnerabilityType;
 import com.datadog.iast.util.NonBlockingSemaphore;
 import datadog.trace.api.Config;
 import datadog.trace.api.gateway.RequestContext;
 import datadog.trace.api.gateway.RequestContextSlot;
 import datadog.trace.api.iast.IastContext;
+import datadog.trace.api.iast.VulnerabilityTypes;
 import datadog.trace.api.telemetry.LogCollector;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
+import datadog.trace.bootstrap.instrumentation.api.Tags;
 import datadog.trace.util.AgentTaskScheduler;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicIntegerArray;
 import java.util.concurrent.atomic.AtomicLong;
 import javax.annotation.Nullable;
 import org.slf4j.Logger;
@@ -27,9 +32,12 @@ public interface OverheadController {
 
   int releaseRequest();
 
-  boolean hasQuota(final Operation operation, @Nullable final AgentSpan span);
+  boolean hasQuota(Operation operation, @Nullable AgentSpan span);
 
-  boolean consumeQuota(final Operation operation, @Nullable final AgentSpan span);
+  boolean consumeQuota(Operation operation, @Nullable AgentSpan span);
+
+  boolean consumeQuota(
+      Operation operation, @Nullable AgentSpan span, @Nullable VulnerabilityType type);
 
   static OverheadController build(final Config config, final AgentTaskScheduler scheduler) {
     return build(
@@ -100,14 +108,23 @@ public boolean hasQuota(final Operation operation, @Nullable final AgentSpan spa
 
     @Override
     public boolean consumeQuota(final Operation operation, @Nullable final AgentSpan span) {
-      final boolean result = delegate.consumeQuota(operation, span);
+      return consumeQuota(operation, span, null);
+    }
+
+    @Override
+    public boolean consumeQuota(
+        final Operation operation,
+        @Nullable final AgentSpan span,
+        @Nullable final VulnerabilityType type) {
+      final boolean result = delegate.consumeQuota(operation, span, type);
       if (LOGGER.isDebugEnabled()) {
         LOGGER.debug(
-            "consumeQuota: operation={}, result={}, availableQuota={}, span={}",
+            "consumeQuota: operation={}, result={}, availableQuota={}, span={}, type={}",
             operation,
             result,
             getAvailableQuote(span),
-            span);
+            span,
+            type);
       }
       return result;
     }
@@ -147,7 +164,7 @@ class OverheadControllerImpl implements OverheadController {
     private volatile long lastAcquiredTimestamp = Long.MAX_VALUE;
 
     final OverheadContext globalContext =
-        new OverheadContext(Config.get().getIastVulnerabilitiesPerRequest());
+        new OverheadContext(Config.get().getIastVulnerabilitiesPerRequest(), true);
 
     public OverheadControllerImpl(
         final float requestSampling,
@@ -192,7 +209,96 @@ public boolean hasQuota(final Operation operation, @Nullable final AgentSpan spa
 
     @Override
     public boolean consumeQuota(final Operation operation, @Nullable final AgentSpan span) {
-      return operation.consumeQuota(getContext(span));
+      return consumeQuota(operation, span, null);
+    }
+
+    @Override
+    public boolean consumeQuota(
+        final Operation operation,
+        @Nullable final AgentSpan span,
+        @Nullable final VulnerabilityType type) {
+
+      OverheadContext ctx = getContext(span);
+      if (ctx == null) {
+        return false;
+      }
+      if (ctx.isGlobal()) {
+        return operation.consumeQuota(ctx);
+      }
+      if (operation.hasQuota(ctx)) {
+        String method = null;
+        String path = null;
+        if (span != null) {
+          AgentSpan rootSpan = span.getLocalRootSpan();
+          Object methodTag = rootSpan.getTag(Tags.HTTP_METHOD);
+          method = (methodTag == null) ? "" : methodTag.toString();
+          Object routeTag = rootSpan.getTag(Tags.HTTP_ROUTE);
+          path = (routeTag == null) ? "" : routeTag.toString();
+        }
+        if (!maybeSkipVulnerability(ctx, type, method, path)) {
+          return operation.consumeQuota(ctx);
+        }
+      }
+      return false;
+    }
+
+    /**
+     * Method to be called when a vulnerability of a certain type is detected. Implements the
+     * RFC-1029 algorithm.
+     *
+     * @param ctx the overhead context for the current request
+     * @param type the type of vulnerability detected
+     * @param httpMethod the HTTP method of the request (e.g., GET, POST)
+     * @param httpPath the HTTP path of the request
+     * @return true if the vulnerability should be skipped, false otherwise
+     */
+    private boolean maybeSkipVulnerability(
+        @Nullable final OverheadContext ctx,
+        @Nullable final VulnerabilityType type,
+        @Nullable final String httpMethod,
+        @Nullable final String httpPath) {
+
+      if (ctx == null || type == null || ctx.getRequestMap() == null || ctx.getCopyMap() == null) {
+        return false;
+      }
+
+      int numberOfVulnerabilities = VulnerabilityTypes.STRINGS.length;
+
+      String currentEndpoint = httpMethod + " " + httpPath;
+
+      AtomicIntegerArray requestArray = ctx.getRequestMap().get(currentEndpoint);
+      int[] copyArray;
+
+      if (requestArray == null) {
+        AtomicIntegerArray globalArray =
+            globalMap.computeIfAbsent(
+                currentEndpoint, k -> new AtomicIntegerArray(numberOfVulnerabilities));
+        copyArray = toIntArray(globalArray);
+        ctx.getCopyMap().put(currentEndpoint, copyArray);
+        requestArray =
+            ctx.getRequestMap()
+                .computeIfAbsent(
+                    currentEndpoint, k -> new AtomicIntegerArray(numberOfVulnerabilities));
+      } else {
+        copyArray = ctx.getCopyMap().get(currentEndpoint);
+      }
+
+      int counter = requestArray.getAndIncrement(type.type());
+      int storedCounter = 0;
+      if (copyArray != null) {
+        storedCounter = copyArray[type.type()];
+      }
+
+      return counter < storedCounter;
+    }
+
+    private static int[] toIntArray(AtomicIntegerArray atomic) {
+      int length = atomic.length();
+      int[] result = new int[length];
+      for (int i = 0; i < length; i++) {
+        result[i] = atomic.get(i);
+      }
+      return result;
     }
 
     @Nullable

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/HttpResponseHeaderModuleImpl.java

@@ -1,5 +1,6 @@
 package com.datadog.iast.sink;
 
+import static com.datadog.iast.model.VulnerabilityType.INSECURE_COOKIE;
 import static com.datadog.iast.util.HttpHeader.SET_COOKIE;
 import static com.datadog.iast.util.HttpHeader.SET_COOKIE2;
 import static java.util.Collections.singletonList;
@@ -65,7 +66,9 @@ private void onCookies(final List<Cookie> cookies) {
       return;
     }
     final AgentSpan span = AgentTracer.activeSpan();
-    if (!overheadController.consumeQuota(Operations.REPORT_VULNERABILITY, span)) {
+    if (!overheadController.consumeQuota(
+        Operations.REPORT_VULNERABILITY, span, INSECURE_COOKIE // we need a type to check quota
+        )) {
       return;
     }
     final Location location = Location.forSpanAndStack(span, getCurrentStackTrace());

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/SinkModuleBase.java

@@ -58,7 +58,8 @@ protected void report(final Vulnerability vulnerability) {
   }
 
   protected void report(@Nullable final AgentSpan span, final Vulnerability vulnerability) {
-    if (!overheadController.consumeQuota(Operations.REPORT_VULNERABILITY, span)) {
+    if (!overheadController.consumeQuota(
+        Operations.REPORT_VULNERABILITY, span, vulnerability.getType())) {
       return;
     }
     reporter.report(span, vulnerability);
@@ -70,7 +71,7 @@ protected void report(final VulnerabilityType type, final Evidence evidence) {
 
   protected void report(
       @Nullable final AgentSpan span, final VulnerabilityType type, final Evidence evidence) {
-    if (!overheadController.consumeQuota(Operations.REPORT_VULNERABILITY, span)) {
+    if (!overheadController.consumeQuota(Operations.REPORT_VULNERABILITY, span, type)) {
       return;
     }
     final Vulnerability vulnerability =
@@ -170,7 +171,7 @@ protected final Evidence checkInjection(
     }
 
     final AgentSpan span = AgentTracer.activeSpan();
-    if (!overheadController.consumeQuota(Operations.REPORT_VULNERABILITY, span)) {
+    if (!overheadController.consumeQuota(Operations.REPORT_VULNERABILITY, span, type)) {
       return null;
     }
 
@@ -251,7 +252,7 @@ protected final Evidence checkInjection(
       if (!spanFetched && valueRanges != null && valueRanges.length > 0) {
         span = AgentTracer.activeSpan();
         spanFetched = true;
-        if (!overheadController.consumeQuota(Operations.REPORT_VULNERABILITY, span)) {
+        if (!overheadController.consumeQuota(Operations.REPORT_VULNERABILITY, span, type)) {
           return null;
         }
       }

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/IastModuleImplTestBase.groovy

@@ -114,6 +114,7 @@ class IastModuleImplTestBase extends DDSpecification {
     return Stub(OverheadController) {
       acquireRequest() >> true
       consumeQuota(_ as Operation, _) >> true
+      consumeQuota(_ as Operation, _, _) >> true
     }
   }
 }