@Mariovido (Contributor) commented Dec 23, 2024

What Does This Do

This adds the instrumentation to propagate the taint values through the following methods of StringBuffer:

  • setLength(int)

Motivation

Increase propagation of StringBuffer methods.

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-55367
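The description names the method but not the bookkeeping that propagating through it requires. The following is an added example, not dd-trace-java code; it makes no claim about that project's internal data structures and assumes only the generic IAST scheme in which taint is recorded as half-open character ranges [start, start+length), each tagged with its source, attached to the buffer instance. It models what `setLength(int)` has to do to those ranges: a shrink drops the ranges that start at or beyond the new length and clips the one that straddles the cut, while a grow pads with `'\u0000'` characters that came from no untrusted source, so the ranges are left alone. The `main` method also contrasts propagated ranges with ranges left stale by an uninstrumented `setLength`, which would flag a trusted literal appended after the truncation.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Toy model of range-based taint propagation through StringBuffer.setLength(int).
 * Added example: not dd-trace-java code, and it assumes nothing about that project
 * beyond the generic "taint = ranges over the characters" model used by IAST engines.
 */
public final class SetLengthTaintDemo {

    /** One tainted range [start, start + length) of a buffer; the source name is free text here. */
    static final class Range {
        final int start;
        final int length;
        final String source;

        Range(int start, int length, String source) {
            this.start = start;
            this.length = length;
            this.source = source;
        }

        int end() {
            return start + length;
        }

        @Override
        public String toString() {
            return "[" + start + "," + end() + ")@" + source;
        }
    }

    /**
     * Recompute the ranges after buffer.setLength(newLength).
     * Shrinking discards every character at or beyond newLength, so ranges that start
     * there are dropped and a range that straddles the cut is clipped to the kept part.
     * Growing appends '\u0000' padding that came from no untrusted source, so every
     * existing range is returned unchanged (no range can start beyond the old length).
     */
    static List<Range> propagateSetLength(List<Range> ranges, int newLength) {
        List<Range> result = new ArrayList<>();
        for (Range r : ranges) {
            if (r.start >= newLength) {
                continue; // entirely truncated away
            }
            int clipped = Math.min(r.length, newLength - r.start);
            result.add(new Range(r.start, clipped, r.source));
        }
        return Collections.unmodifiableList(result);
    }

    /** True if any character in [from, to) of the buffer is covered by a range. */
    static boolean isTainted(List<Range> ranges, int from, int to) {
        for (Range r : ranges) {
            if (r.start < to && r.end() > from) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        StringBuffer sb = new StringBuffer("SELECT * FROM users WHERE name = '");
        int prefix = sb.length();
        String param = "bob' OR '1'='1"; // constructed sample: an untrusted request parameter
        sb.append(param);
        List<Range> ranges = List.of(new Range(prefix, param.length(), "http.request.parameter"));
        System.out.println("after append:                " + ranges);

        // Shrink so that only "bob" survives: the single range is clipped to 3 characters.
        sb.setLength(prefix + 3);
        List<Range> clipped = propagateSetLength(ranges, sb.length());
        System.out.println("after setLength(prefix + 3): " + clipped);

        // Shrink to the trusted prefix: no tainted character remains, so no range remains.
        sb.setLength(prefix);
        List<Range> none = propagateSetLength(clipped, sb.length());
        System.out.println("after setLength(prefix):     " + none);

        // Append a trusted literal after the truncation. Ranges that were not propagated
        // through setLength still cover [prefix, prefix + 14) and would flag the literal.
        sb.append("alice'");
        System.out.println("stale ranges flag the literal:      " + isTainted(ranges, prefix, sb.length()));
        System.out.println("propagated ranges flag the literal: " + isTainted(none, prefix, sb.length()));

        // Growing pads with '\u0000'; the padding is not tainted, so the ranges are unchanged.
        sb.setLength(sb.length() + 4);
        System.out.println("after growing:               " + propagateSetLength(none, sb.length()));
    }
}
```

Compile and run with `javac SetLengthTaintDemo.java && java SetLengthTaintDemo` (Java 9 or later for `List.of`). The two boolean lines print `true` and `false` respectively, which is the point of instrumenting `setLength`: a sink that consults stale ranges reports the wrong characters, and a sink that consults propagated ranges sees that the untrusted input was cut away.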

@Mariovido Mariovido added type: enhancement Enhancements and improvements comp: asm iast Application Security Management (IAST) labels Dec 23, 2024
@pr-commenter bot commented Dec 23, 2024

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | mario.vidal/taint_tracking_string_buffer_set_length |
| git_commit_date | 1736497810 | 1736500201 |
| git_commit_sha | f4139b0 | b3e8860 |
| release_version | 1.46.0-SNAPSHOT~f4139b0e7d | 1.46.0-SNAPSHOT~b3e8860a51 |

Matching parameters:

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1736502685 | 1736502685 |
| ci_job_id | 761461604 | 761461604 |
| ci_pipeline_id | 52639762 | 52639762 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 58 metrics, 5 unstable metrics.

Startup time reports for insecure-bank
(Chart: insecure-bank - global startup overhead, candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d; the Agent and Total values it plots are listed in the tables below.)
Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.055 s | - |
| Agent | iast | 1.177 s | 122.05 ms (11.6%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.186 s | 131.365 ms (12.5%) |
| Agent | iast_TELEMETRY_OFF | 1.176 s | 121.162 ms (11.5%) |
| Total | tracing | 8.619 s | - |
| Total | iast | 9.2 s | 580.106 ms (6.7%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.19 s | 570.108 ms (6.6%) |
| Total | iast_TELEMETRY_OFF | 9.168 s | 548.111 ms (6.4%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.062 s | - |
| Agent | iast | 1.179 s | 117.043 ms (11.0%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.182 s | 120.45 ms (11.3%) |
| Agent | iast_TELEMETRY_OFF | 1.176 s | 113.766 ms (10.7%) |
| Total | tracing | 8.629 s | - |
| Total | iast | 9.213 s | 584.427 ms (6.8%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.19 s | 560.673 ms (6.5%) |
| Total | iast_TELEMETRY_OFF | 9.198 s | 569.125 ms (6.6%) |
Breakdown per module (insecure-bank, candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d):

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 713.68 ms | 716.962 ms |
| tracing | GlobalTracer | 256.36 ms | 257.394 ms |
| tracing | AppSec | 55.316 ms | 56.182 ms |
| tracing | Remote Config | 709.253 µs | 725.868 µs |
| tracing | Telemetry | 13.649 ms | 15.671 ms |
| iast | BytebuddyAgent | 827.763 ms | 828.975 ms |
| iast | GlobalTracer | 245.656 ms | 246.266 ms |
| iast | AppSec | 57.959 ms | 57.944 ms |
| iast | Remote Config | 662.738 µs | 682.996 µs |
| iast | Telemetry | 8.671 ms | 8.719 ms |
| iast | IAST | 21.073 ms | 21.343 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 834.035 ms | 831.831 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 246.958 ms | 246.73 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 58.829 ms | 57.976 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 686.77 µs | 698.111 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 8.902 ms | 8.813 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 21.708 ms | 21.338 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 827.036 ms | 827.151 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 246.059 ms | 246.198 ms |
| iast_TELEMETRY_OFF | AppSec | 57.855 ms | 57.5 ms |
| iast_TELEMETRY_OFF | Remote Config | 648.924 µs | 645.493 µs |
| iast_TELEMETRY_OFF | Telemetry | 8.586 ms | 8.567 ms |
| iast_TELEMETRY_OFF | IAST | 20.757 ms | 20.59 ms |
Startup time reports for petclinic
(Chart: petclinic - global startup overhead, candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d; the Agent and Total values it plots are listed in the tables below.)
Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.06 s | - |
| Agent | appsec | 1.196 s | 135.575 ms (12.8%) |
| Agent | iast | 1.18 s | 119.29 ms (11.3%) |
| Agent | profiling | 1.285 s | 224.473 ms (21.2%) |
| Total | tracing | 10.541 s | - |
| Total | appsec | 10.719 s | 177.976 ms (1.7%) |
| Total | iast | 10.955 s | 414.219 ms (3.9%) |
| Total | profiling | 10.821 s | 280.126 ms (2.7%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.075 s | - |
| Agent | appsec | 1.193 s | 118.061 ms (11.0%) |
| Agent | iast | 1.181 s | 106.211 ms (9.9%) |
| Agent | profiling | 1.271 s | 196.27 ms (18.3%) |
| Total | tracing | 10.485 s | - |
| Total | appsec | 10.721 s | 235.927 ms (2.3%) |
| Total | iast | 10.965 s | 479.889 ms (4.6%) |
| Total | profiling | 10.88 s | 395.268 ms (3.8%) |
Breakdown per module (petclinic, candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d):

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 716.376 ms | 725.646 ms |
| tracing | GlobalTracer | 257.009 ms | 261.382 ms |
| tracing | AppSec | 55.409 ms | 58.582 ms |
| tracing | Remote Config | 740.693 µs | 738.169 µs |
| tracing | Telemetry | 15.726 ms | 13.226 ms |
| appsec | BytebuddyAgent | 736.585 ms | 733.819 ms |
| appsec | GlobalTracer | 254.238 ms | 254.24 ms |
| appsec | AppSec | 171.251 ms | 171.174 ms |
| appsec | Remote Config | 659.475 µs | 655.766 µs |
| appsec | Telemetry | 8.275 ms | 8.181 ms |
| appsec | IAST | 19.483 ms | 19.437 ms |
| iast | BytebuddyAgent | 829.881 ms | 830.59 ms |
| iast | GlobalTracer | 246.081 ms | 246.633 ms |
| iast | AppSec | 58.003 ms | 58.268 ms |
| iast | Remote Config | 677.331 µs | 682.794 µs |
| iast | Telemetry | 8.679 ms | 8.763 ms |
| iast | IAST | 21.268 ms | 21.051 ms |
| profiling | ProfilingAgent | 96.546 ms | 94.826 ms |
| profiling | BytebuddyAgent | 709.506 ms | 703.55 ms |
| profiling | GlobalTracer | 372.269 ms | 367.699 ms |
| profiling | AppSec | 54.579 ms | 53.605 ms |
| profiling | Remote Config | 695.362 µs | 697.018 µs |
| profiling | Telemetry | 8.9 ms | 8.834 ms |
| profiling | Profiling | 96.571 ms | 94.851 ms |

Load

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2025-01-10T09:21:23 | 2025-01-10T09:28:26 |
| git_branch | master | mario.vidal/taint_tracking_string_buffer_set_length |
| git_commit_date | 1736497810 | 1736500201 |
| git_commit_sha | f4139b0 | b3e8860 |
| release_version | 1.46.0-SNAPSHOT~f4139b0e7d | 1.46.0-SNAPSHOT~b3e8860a51 |
| start_time | 2025-01-10T09:21:09 | 2025-01-10T09:28:12 |

Matching parameters:

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1736501660 | 1736501660 |
| ci_job_id | 761461605 | 761461605 |
| ci_pipeline_id | 52639762 | 52639762 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 17 unstable metrics.

| Scenario | Δ mean http_req_duration | Δ mean throughput | Candidate mean http_req_duration | Candidate mean throughput | Baseline mean http_req_duration | Baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:petclinic:profiling | better: [-94.833µs; -43.143µs] or [-5.960%; -2.712%] | unstable: [-429.149op/s; +657.070op/s] or [-14.484%; +22.176%] | 1.522ms | 3076.923op/s | 1.591ms | 2962.963op/s |
Request duration reports for petclinic
(Chart: petclinic - request duration [CI 0.99], candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d; the means and confidence intervals it plots are listed in the tables below.)
Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.364 ms [1.344 ms, 1.384 ms] | - |
| appsec | 1.756 ms [1.732 ms, 1.78 ms] | 392.36 µs (28.8%) |
| appsec_no_iast | 1.766 ms [1.741 ms, 1.791 ms] | 401.951 µs (29.5%) |
| iast | 1.507 ms [1.484 ms, 1.53 ms] | 143.229 µs (10.5%) |
| profiling | 1.591 ms [1.566 ms, 1.616 ms] | 227.23 µs (16.7%) |
| tracing | 1.486 ms [1.46 ms, 1.511 ms] | 121.738 µs (8.9%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.374 ms [1.354 ms, 1.393 ms] | - |
| appsec | 1.747 ms [1.723 ms, 1.771 ms] | 373.158 µs (27.2%) |
| appsec_no_iast | 1.739 ms [1.715 ms, 1.763 ms] | 365.827 µs (26.6%) |
| iast | 1.519 ms [1.496 ms, 1.542 ms] | 145.291 µs (10.6%) |
| profiling | 1.522 ms [1.499 ms, 1.545 ms] | 148.518 µs (10.8%) |
| tracing | 1.492 ms [1.467 ms, 1.517 ms] | 118.653 µs (8.6%) |
Request duration reports for insecure-bank
(Chart: insecure-bank - request duration [CI 0.99], candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d; the means and confidence intervals it plots are listed in the tables below.)
Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 384.298 µs [363.005 µs, 405.591 µs] | - |
| iast | 507.567 µs [484.998 µs, 530.136 µs] | 123.269 µs (32.1%) |
| iast_FULL | 663.637 µs [642.252 µs, 685.022 µs] | 279.339 µs (72.7%) |
| iast_GLOBAL | 530.541 µs [508.28 µs, 552.802 µs] | 146.243 µs (38.1%) |
| iast_HARDCODED_SECRET_DISABLED | 498.844 µs [477.162 µs, 520.525 µs] | 114.546 µs (29.8%) |
| iast_INACTIVE | 452.107 µs [431.488 µs, 472.726 µs] | 67.809 µs (17.6%) |
| iast_TELEMETRY_OFF | 487.408 µs [465.543 µs, 509.273 µs] | 103.11 µs (26.8%) |
| tracing | 458.581 µs [437.158 µs, 480.005 µs] | 74.283 µs (19.3%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 383.08 µs [363.115 µs, 403.046 µs] | - |
| iast | 495.284 µs [473.824 µs, 516.745 µs] | 112.204 µs (29.3%) |
| iast_FULL | 665.305 µs [643.567 µs, 687.042 µs] | 282.224 µs (73.7%) |
| iast_GLOBAL | 525.711 µs [504.26 µs, 547.162 µs] | 142.631 µs (37.2%) |
| iast_HARDCODED_SECRET_DISABLED | 509.943 µs [487.681 µs, 532.204 µs] | 126.862 µs (33.1%) |
| iast_INACTIVE | 465.405 µs [443.495 µs, 487.315 µs] | 82.325 µs (21.5%) |
| iast_TELEMETRY_OFF | 493.525 µs [471.164 µs, 515.886 µs] | 110.445 µs (28.8%) |
| tracing | 458.447 µs [437.078 µs, 479.816 µs] | 75.367 µs (19.7%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | mario.vidal/taint_tracking_string_buffer_set_length |
| git_commit_date | 1736497810 | 1736500201 |
| git_commit_sha | f4139b0 | b3e8860 |
| release_version | 1.46.0-SNAPSHOT~f4139b0e7d | 1.46.0-SNAPSHOT~b3e8860a51 |

Matching parameters:

| Parameter | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1736502217 | 1736502217 |
| ci_job_id | 761461606 | 761461606 |
| ci_pipeline_id | 52639762 | 52639762 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
(Chart: biojava - execution time [CI 0.99], candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d; the values it plots are listed in the tables below.)
Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 14.938 s [14.938 s, 14.938 s] | - |
| appsec | 14.94 s [14.94 s, 14.94 s] | 2.0 ms (0.0%) |
| iast | 19.043 s [19.043 s, 19.043 s] | 4.105 s (27.5%) |
| iast_GLOBAL | 18.128 s [18.128 s, 18.128 s] | 3.19 s (21.4%) |
| profiling | 15.476 s [15.476 s, 15.476 s] | 538.0 ms (3.6%) |
| tracing | 15.201 s [15.201 s, 15.201 s] | 263.0 ms (1.8%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.481 s [15.481 s, 15.481 s] | - |
| appsec | 15.139 s [15.139 s, 15.139 s] | -342.0 ms (-2.2%) |
| iast | 18.729 s [18.729 s, 18.729 s] | 3.248 s (21.0%) |
| iast_GLOBAL | 17.923 s [17.923 s, 17.923 s] | 2.442 s (15.8%) |
| profiling | 14.871 s [14.871 s, 14.871 s] | -610.0 ms (-3.9%) |
| tracing | 14.76 s [14.76 s, 14.76 s] | -721.0 ms (-4.7%) |
Execution time for tomcat
(Chart: tomcat - execution time [CI 0.99], candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d; the means and confidence intervals it plots are listed in the tables below.)
Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.468 ms [1.456 ms, 1.479 ms] | - |
| appsec | 2.346 ms [2.304 ms, 2.388 ms] | 878.326 µs (59.8%) |
| iast | 2.101 ms [2.047 ms, 2.155 ms] | 633.316 µs (43.2%) |
| iast_GLOBAL | 2.143 ms [2.089 ms, 2.197 ms] | 675.114 µs (46.0%) |
| profiling | 1.955 ms [1.912 ms, 1.998 ms] | 487.483 µs (33.2%) |
| tracing | 1.931 ms [1.889 ms, 1.972 ms] | 463.028 µs (31.5%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.473 ms [1.461 ms, 1.485 ms] | - |
| appsec | 2.365 ms [2.323 ms, 2.408 ms] | 892.166 µs (60.6%) |
| iast | 2.102 ms [2.048 ms, 2.155 ms] | 628.586 µs (42.7%) |
| iast_GLOBAL | 2.143 ms [2.089 ms, 2.197 ms] | 670.197 µs (45.5%) |
| profiling | 1.965 ms [1.922 ms, 2.008 ms] | 491.674 µs (33.4%) |
| tracing | 1.945 ms [1.904 ms, 1.987 ms] | 472.308 µs (32.1%) |

@Mariovido Mariovido marked this pull request as ready for review December 23, 2024 11:33
@Mariovido Mariovido requested review from a team as code owners December 23, 2024 11:33
@jandro996 (Member) left a comment

LGTM if @manuel-alvarez-alvarez is fine with removing the weak reference inside the tainted object ;)

@Mariovido Mariovido added type: enhancement Enhancements and improvements and removed type: enhancement Enhancements and improvements labels Jan 10, 2025
@Mariovido Mariovido merged commit 22458b3 into master Jan 10, 2025
173 of 174 checks passed
@Mariovido Mariovido deleted the mario.vidal/taint_tracking_string_buffer_set_length branch January 10, 2025 10:03
@github-actions github-actions bot added this to the 1.46.0 milestone Jan 10, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Jan 31, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
|
[com.google.cloud:google-cloud-datastore](https://github.com/googleapis/java-datastore)
| dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`2.25.4` -> `2.26.0` |
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`1.45.2` -> `1.46.0` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`1.45.2` -> `1.46.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.9` -> `2.30.10` |
|
[software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava)
| dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.9` -> `2.30.10` |

---

### Release Notes

<details>
<summary>googleapis/java-datastore
(com.google.cloud:google-cloud-datastore)</summary>

###
[`v2.26.0`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2260-2025-01-29)

##### Features

- Add firestoreInDatastoreMode for datastore emulator
([#&#8203;1698](googleapis/java-datastore#1698))
([50f106d](googleapis/java-datastore@50f106d))

##### Dependencies

- Update dependency com.google.cloud:sdk-platform-java-config to v3.42.0
([#&#8203;1725](googleapis/java-datastore#1725))
([1cbaf22](googleapis/java-datastore@1cbaf22))

</details>

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

###
[`v1.46.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.46.0):
1.46.0

##### Breaking Changes

> \[!WARNING]
> jnr-unixsocket is now an external dependency of dd-trace-ot and must be included when deploying dd-trace-ot.

> \[!NOTE]
> The API `TracerScope.setAsync(boolean)`, used to manually control asynchronous span propagation, no longer applies to the scope instance but to the active span scope.

##### Components

##### Application Security Management (IAST)

- 🐛 Fix String.replace instrumentation for IAST
([#&#8203;8281](DataDog/dd-trace-java#8281) -
[@&#8203;Mariovido](https://github.com/Mariovido))
- ✨ Apply the standard nomenclature to the stacktrace configs
([#&#8203;8244](DataDog/dd-trace-java#8244) -
[@&#8203;jandro996](https://github.com/jandro996))
- 🐛 Exclude false positive weak randomness
([#&#8203;8232](DataDog/dd-trace-java#8232) -
[@&#8203;jandro996](https://github.com/jandro996))
- ✨ Propagation of translateEscapes of String class
([#&#8203;8186](DataDog/dd-trace-java#8186) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))
- ✨ Add security control metrics
([#&#8203;8175](DataDog/dd-trace-java#8175) -
[@&#8203;jandro996](https://github.com/jandro996))
- ✨ Increase IAST propagation to StringBuffer setLength
([#&#8203;8128](DataDog/dd-trace-java#8128) -
[@&#8203;Mariovido](https://github.com/Mariovido))
- ✨ Add IAST taint tracking for DB values
([#&#8203;8072](DataDog/dd-trace-java#8072) -
[@&#8203;Mariovido](https://github.com/Mariovido))

##### Application Security Management (WAF)

- 🐛 Prevents a NPE when there is no subscriber for user events
([#&#8203;8258](DataDog/dd-trace-java#8258) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Apply the standard nomenclature to the stacktrace configs
([#&#8203;8244](DataDog/dd-trace-java#8244) -
[@&#8203;jandro996](https://github.com/jandro996))
- 🐛 Ensure cached subscriptions are cleared on reconfiguration via
RC ([#&#8203;8229](DataDog/dd-trace-java#8229)
-
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Add support for session tracking in Vertx
([#&#8203;8167](DataDog/dd-trace-java#8167) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Create span tag: \_dd.appsec.rasp.timeout
([#&#8203;8269](DataDog/dd-trace-java#8269) -
[@&#8203;Mariovido](https://github.com/Mariovido))

##### Build & Tooling

- 🐛 Ensure shaded helpers have unique names when injected into
class-loaders
([#&#8203;8192](DataDog/dd-trace-java#8192) -
[@&#8203;mcculls](https://github.com/mcculls))

##### Configuration at Runtime

- 🐛 Remove filtering of `DD_SERVICE` and `DD_ENV` from the tracer
([#&#8203;8176](DataDog/dd-trace-java#8176) -
[@&#8203;mhlidd](https://github.com/mhlidd))

##### Continuous Integration Visibility

- 🧹 Generalize TestRetryPolicy to TestExecutionPolicy
([#&#8203;8302](DataDog/dd-trace-java#8302) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Parallelize CI Visibility settings requests
([#&#8203;8299](DataDog/dd-trace-java#8299) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Generalize test retry logic
([#&#8203;8289](DataDog/dd-trace-java#8289) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Generalize tests skipping logic
([#&#8203;8288](DataDog/dd-trace-java#8288) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Remove skip and shouldBeSkipped methods from TestEventsHandler
in favor of isSkippable
([#&#8203;8286](DataDog/dd-trace-java#8286) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨⚡ Optimize Git repository information computation
([#&#8203;8270](DataDog/dd-trace-java#8270) -
[@&#8203;dougqh](https://github.com/dougqh))
- ✨ Always request known tests from the backend
([#&#8203;8268](DataDog/dd-trace-java#8268) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Fix NPE when trying to get retry analyzer in Test NG
([#&#8203;8253](DataDog/dd-trace-java#8253) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Set test framework and test framework version tags atomically
([#&#8203;8252](DataDog/dd-trace-java#8252) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add debug logging to Android Gradle module layout logic
([#&#8203;8251](DataDog/dd-trace-java#8251) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix source and destination folders computation for Android
Gradle projects
([#&#8203;8190](DataDog/dd-trace-java#8190) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add basic Scala Weaver sbt support
([#&#8203;8189](DataDog/dd-trace-java#8189) -
[@&#8203;daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement impacted tests detection
([#&#8203;8188](DataDog/dd-trace-java#8188) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))

##### Data Streams Monitoring

- ✨ Change hash computation for protobuf to better represent
impacting changes + save proto number in schema
([#&#8203;8201](DataDog/dd-trace-java#8201) -
[@&#8203;vandonr](https://github.com/vandonr))

##### Database Monitoring

- Add peer service tag in dbm sql commenter
([#&#8203;7913](DataDog/dd-trace-java#7913) -
[@&#8203;jordan-wong](https://github.com/jordan-wong))

##### Dynamic Instrumentation

- ✨ Add support for SymDB to scan directories
([#&#8203;8306](DataDog/dd-trace-java#8306) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Add SymDB report for any jar scanning failures
([#&#8203;8300](DataDog/dd-trace-java#8300) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Use two budgets depending on type
([#&#8203;8283](DataDog/dd-trace-java#8283) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- ✨ Institute a 10 snapshot per probe per trace budget
([#&#8203;8277](DataDog/dd-trace-java#8277) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- 🐛 Avoid double snapshots for Exception Replay
([#&#8203;8273](DataDog/dd-trace-java#8273) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Simplify code origins. Separate out snapshot generation.
([#&#8203;8263](DataDog/dd-trace-java#8263) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- ✨ Add Exception probe custom instrumentation
([#&#8203;8230](DataDog/dd-trace-java#8230) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Enhance log probes to honor debug session tags
([#&#8203;8215](DataDog/dd-trace-java#8215) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- 🐛 Don't redact env tokens from debugger probe snapshots
([#&#8203;8211](DataDog/dd-trace-java#8211) -
[@&#8203;watson](https://github.com/watson))
- ✨⚡ Move Trace/SpanId capture at commit time
([#&#8203;8184](DataDog/dd-trace-java#8184) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- 🐛 Capture values at entry for method probe
([#&#8203;8169](DataDog/dd-trace-java#8169) -
[@&#8203;jpbempel](https://github.com/jpbempel))

##### JMX fetch

- 🐛 Mute JMXFetch Shutdown in progress error
([#&#8203;8068](DataDog/dd-trace-java#8068) -
[@&#8203;ygree](https://github.com/ygree))

##### OpenTracing

- ⚠️🧹 Make jnr-unixsocket an explicit dependency of
dd-trace-ot
([#&#8203;8307](DataDog/dd-trace-java#8307) -
[@&#8203;mcculls](https://github.com/mcculls))

##### Profiling

- 🐛 Avoid unsupported API call for creating folders on windows
([#&#8203;8304](DataDog/dd-trace-java#8304) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- ✨ Tag profiles for serverless
([#&#8203;8279](DataDog/dd-trace-java#8279) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- ✨ add queue type and length to queue events
([#&#8203;8242](DataDog/dd-trace-java#8242) -
[@&#8203;richardstartin](https://github.com/richardstartin))
- 🐛 TempLocationManager Fixes and Improvements
([#&#8203;8191](DataDog/dd-trace-java#8191) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- ✨ Bump ddprof to 1.18.0
([#&#8203;8173](DataDog/dd-trace-java#8173) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- ✨ Report profiler initialization and configuration errors to
telemetry
([#&#8203;8171](DataDog/dd-trace-java#8171) -
[@&#8203;jbachorik](https://github.com/jbachorik))

##### Telemetry

- ✨ Add pending traces report in tracer flares
([#&#8203;8053](DataDog/dd-trace-java#8053) -
[@&#8203;mhlidd](https://github.com/mhlidd))

##### Testing

- ✨ Test http server requests in parallel
([#&#8203;8222](DataDog/dd-trace-java#8222) -
[@&#8203;amarziali](https://github.com/amarziali))

##### Trace context propagation

- ✨ Add non default propagator registration
([#&#8203;8310](DataDog/dd-trace-java#8310) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))

##### Tracer core

- ✨ Probe for existence of IBMSASL or ACCP security providers
([#&#8203;8276](DataDog/dd-trace-java#8276) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨⚡ Overhead improvement to agent feedback based sampling
([#&#8203;8265](DataDog/dd-trace-java#8265) -
[@&#8203;dougqh](https://github.com/dougqh))
- 🧹 Move async propagation API from scope to tracer
([#&#8203;8231](DataDog/dd-trace-java#8231) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Introduce context propagation API
([#&#8203;8161](DataDog/dd-trace-java#8161) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- ✨🧪 Use env-entry to add tags per webapp deployment
([#&#8203;8138](DataDog/dd-trace-java#8138) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Introduce context helpers API
([#&#8203;8134](DataDog/dd-trace-java#8134) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Support IPv6 values for `DD_AGENT_HOST` and
`DD_TRACE_AGENT_URL`
([#&#8203;7984](DataDog/dd-trace-java#7984) -
[@&#8203;mhlidd](https://github.com/mhlidd))

##### Instrumentations

##### Apache HttpComponents

- 🐛 Properly finish spans and support latest apache httpclient5
([#&#8203;8272](DataDog/dd-trace-java#8272) -
[@&#8203;amarziali](https://github.com/amarziali))

##### AWS Lambda instrumentation

- 🐛 Properly capture lambda payloads for all handler types.
([#&#8203;8264](DataDog/dd-trace-java#8264) -
[@&#8203;purple4reina](https://github.com/purple4reina))

##### AWS S3 instrumentation

- 💡 Create S3 instrumentation + add span pointers
([#&#8203;8075](DataDog/dd-trace-java#8075) -
[@&#8203;nhulston](https://github.com/nhulston))

##### AWS SDK instrumentation

- 🐛 Revert "Add avoid double instrumenting lambda non-streaming
handlers."
([#&#8203;8247](DataDog/dd-trace-java#8247) -
[@&#8203;nhulston](https://github.com/nhulston))

##### Cassandra

- ✨ Allow extracting keyspace from statement result
([#&#8203;8239](DataDog/dd-trace-java#8239) -
[@&#8203;amarziali](https://github.com/amarziali))

##### Core Java language instrumentation

- ✨ Propagation of translateEscapes of String class
([#&#8203;8186](DataDog/dd-trace-java#8186) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))

##### Eclipse Vert.x instrumentation

- 🐛 Fix vertx worker propagation and error handling
([#&#8203;8237](DataDog/dd-trace-java#8237) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Support vertx 5
([#&#8203;8220](DataDog/dd-trace-java#8220) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Add support for session tracking in Vertx
([#&#8203;8167](DataDog/dd-trace-java#8167) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

##### Kafka instrumentation

- 🐛 Prevent possible NPE calculating Kafka record header size
([#&#8203;8292](DataDog/dd-trace-java#8292) -
[@&#8203;ygree](https://github.com/ygree))

##### Mule instrumentation

- 🐛 Fix crash using Mule with JPMS
([#&#8203;8187](DataDog/dd-trace-java#8187) -
[@&#8203;amarziali](https://github.com/amarziali))

##### Protocol Buffer instrumentation

- ✨ Change hash computation for protobuf to better represent
impacting changes + save proto number in schema
([#&#8203;8201](DataDog/dd-trace-java#8201) -
[@&#8203;vandonr](https://github.com/vandonr))

##### Spring instrumentation

- 🐛 Preserve getQualifier from spring scheduling runnables
([#&#8203;8293](DataDog/dd-trace-java#8293) -
[@&#8203;amarziali](https://github.com/amarziali))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday, before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: bb09d47e4eed77a003f630273b4d0a84003eb899