Conversation

@Mariovido Mariovido commented Dec 23, 2024

What Does This Do

This adds the instrumentation to propagate the taint values through the following methods of StringBuffer:

  • setLength(int)

Motivation

Increase propagation of StringBuffer methods.

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-55367
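To make concrete what propagating taint through `setLength(int)` involves, here is an added illustrative model (not dd-trace-java's own code, which is not shown on this page): a buffer keeps a list of tainted character ranges next to the real `StringBuffer`, and the `setLength` wrapper clips or drops ranges that fall past the new length while leaving padding characters untainted, so the metadata never points at characters that no longer exist. `TaintRange`, `TaintedBuffer` and the `request.parameter` source label are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;

// Illustrative taint-range model (an assumption for this example, not the
// project's classes): the characters [start, start + length) of a buffer
// came from the untrusted source named by `source`.
final class TaintRange {
    final int start;
    final int length;
    final String source;

    TaintRange(int start, int length, String source) {
        this.start = start;
        this.length = length;
        this.source = source;
    }

    @Override
    public String toString() {
        return source + "[" + start + "," + (start + length) + ")";
    }
}

// Pairs a real java.lang.StringBuffer with the ranges of it that are tainted.
final class TaintedBuffer {
    final StringBuffer buffer = new StringBuffer();
    private List<TaintRange> ranges = new ArrayList<>();

    // Trusted text: appended without recording a range.
    void appendSafe(String value) {
        buffer.append(value);
    }

    // Untrusted text (e.g. a request parameter): record where it lands.
    void appendTainted(String value, String source) {
        ranges.add(new TaintRange(buffer.length(), value.length(), source));
        buffer.append(value);
    }

    // Mirrors StringBuffer.setLength(int) and keeps the taint metadata in sync:
    //  * newLength < length(): characters are cut off, so ranges lying entirely
    //    past newLength are dropped and a range straddling it is clipped;
    //  * newLength >= length(): the JDK pads with '\u0000', which no untrusted
    //    source produced, so the ranges stay exactly as they were.
    // The JDK call runs first so that an invalid (negative) length throws
    // before any metadata is touched.
    void setLength(int newLength) {
        buffer.setLength(newLength);
        List<TaintRange> kept = new ArrayList<>();
        for (TaintRange r : ranges) {
            if (r.start >= newLength) {
                continue; // removed entirely
            }
            int end = Math.min(r.start + r.length, newLength);
            kept.add(new TaintRange(r.start, end - r.start, r.source));
        }
        ranges = kept;
    }

    boolean isTainted() {
        return !ranges.isEmpty();
    }

    List<TaintRange> ranges() {
        return ranges;
    }
}

public class SetLengthPropagation {
    public static void main(String[] args) {
        TaintedBuffer tb = new TaintedBuffer();
        tb.appendSafe("user=");                          // [0,5)   trusted
        tb.appendTainted("alice", "request.parameter");  // [5,10)  tainted
        tb.appendSafe("&role=");                         // [10,16) trusted
        tb.appendTainted("admin", "request.parameter");  // [16,21) tainted
        show("initial", tb);

        tb.setLength(18); // cuts inside "admin": second range clipped to [16,18)
        show("setLength(18)", tb);

        tb.setLength(8);  // "admin" gone, "alice" clipped to [5,8)
        show("setLength(8)", tb);

        tb.setLength(12); // grows with '\u0000' padding: no new taint
        show("setLength(12)", tb);

        tb.setLength(3);  // nothing untrusted survives
        show("setLength(3)", tb);
    }

    // Prints the buffer (padding shown as '.') with its current taint ranges.
    private static void show(String step, TaintedBuffer tb) {
        String text = tb.buffer.toString().replace('\u0000', '.');
        System.out.println(step + ": \"" + text + "\" tainted=" + tb.isTainted()
            + " ranges=" + tb.ranges());
    }
}
```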

@Mariovido Mariovido added type: enhancement Enhancements and improvements comp: asm iast Application Security Management (IAST) labels Dec 23, 2024

pr-commenter bot commented Dec 23, 2024

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | mario.vidal/taint_tracking_string_buffer_set_length |
| git_commit_date | 1736497810 | 1736500201 |
| git_commit_sha | f4139b0 | b3e8860 |
| release_version | 1.46.0-SNAPSHOT~f4139b0e7d | 1.46.0-SNAPSHOT~b3e8860a51 |

See matching parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1736502685 | 1736502685 |
| ci_job_id | 761461604 | 761461604 |
| ci_pipeline_id | 52639762 | 52639762 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 58 metrics, 5 unstable metrics.

Startup time reports for insecure-bank
[Chart: insecure-bank - global startup overhead: candidate=1.46.0-SNAPSHOT~b3e8860a51, baseline=1.46.0-SNAPSHOT~f4139b0e7d (values tabulated below)]
baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.055 s | - |
| Agent | iast | 1.177 s | 122.05 ms (11.6%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.186 s | 131.365 ms (12.5%) |
| Agent | iast_TELEMETRY_OFF | 1.176 s | 121.162 ms (11.5%) |
| Total | tracing | 8.619 s | - |
| Total | iast | 9.2 s | 580.106 ms (6.7%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.19 s | 570.108 ms (6.6%) |
| Total | iast_TELEMETRY_OFF | 9.168 s | 548.111 ms (6.4%) |

candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.062 s | - |
| Agent | iast | 1.179 s | 117.043 ms (11.0%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.182 s | 120.45 ms (11.3%) |
| Agent | iast_TELEMETRY_OFF | 1.176 s | 113.766 ms (10.7%) |
| Total | tracing | 8.629 s | - |
| Total | iast | 9.213 s | 584.427 ms (6.8%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.19 s | 560.673 ms (6.5%) |
| Total | iast_TELEMETRY_OFF | 9.198 s | 569.125 ms (6.6%) |
insecure-bank - break down per module: candidate=1.46.0-SNAPSHOT~b3e8860a51, baseline=1.46.0-SNAPSHOT~f4139b0e7d

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 713.68 ms | 716.962 ms |
| tracing | GlobalTracer | 256.36 ms | 257.394 ms |
| tracing | AppSec | 55.316 ms | 56.182 ms |
| tracing | Remote Config | 709.253 µs | 725.868 µs |
| tracing | Telemetry | 13.649 ms | 15.671 ms |
| iast | BytebuddyAgent | 827.763 ms | 828.975 ms |
| iast | GlobalTracer | 245.656 ms | 246.266 ms |
| iast | AppSec | 57.959 ms | 57.944 ms |
| iast | Remote Config | 662.738 µs | 682.996 µs |
| iast | Telemetry | 8.671 ms | 8.719 ms |
| iast | IAST | 21.073 ms | 21.343 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 834.035 ms | 831.831 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 246.958 ms | 246.73 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 58.829 ms | 57.976 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 686.77 µs | 698.111 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 8.902 ms | 8.813 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 21.708 ms | 21.338 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 827.036 ms | 827.151 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 246.059 ms | 246.198 ms |
| iast_TELEMETRY_OFF | AppSec | 57.855 ms | 57.5 ms |
| iast_TELEMETRY_OFF | Remote Config | 648.924 µs | 645.493 µs |
| iast_TELEMETRY_OFF | Telemetry | 8.586 ms | 8.567 ms |
| iast_TELEMETRY_OFF | IAST | 20.757 ms | 20.59 ms |
Startup time reports for petclinic
[Chart: petclinic - global startup overhead: candidate=1.46.0-SNAPSHOT~b3e8860a51, baseline=1.46.0-SNAPSHOT~f4139b0e7d (values tabulated below)]
baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.06 s | - |
| Agent | appsec | 1.196 s | 135.575 ms (12.8%) |
| Agent | iast | 1.18 s | 119.29 ms (11.3%) |
| Agent | profiling | 1.285 s | 224.473 ms (21.2%) |
| Total | tracing | 10.541 s | - |
| Total | appsec | 10.719 s | 177.976 ms (1.7%) |
| Total | iast | 10.955 s | 414.219 ms (3.9%) |
| Total | profiling | 10.821 s | 280.126 ms (2.7%) |

candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.075 s | - |
| Agent | appsec | 1.193 s | 118.061 ms (11.0%) |
| Agent | iast | 1.181 s | 106.211 ms (9.9%) |
| Agent | profiling | 1.271 s | 196.27 ms (18.3%) |
| Total | tracing | 10.485 s | - |
| Total | appsec | 10.721 s | 235.927 ms (2.3%) |
| Total | iast | 10.965 s | 479.889 ms (4.6%) |
| Total | profiling | 10.88 s | 395.268 ms (3.8%) |
petclinic - break down per module: candidate=1.46.0-SNAPSHOT~b3e8860a51, baseline=1.46.0-SNAPSHOT~f4139b0e7d

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 716.376 ms | 725.646 ms |
| tracing | GlobalTracer | 257.009 ms | 261.382 ms |
| tracing | AppSec | 55.409 ms | 58.582 ms |
| tracing | Remote Config | 740.693 µs | 738.169 µs |
| tracing | Telemetry | 15.726 ms | 13.226 ms |
| appsec | BytebuddyAgent | 736.585 ms | 733.819 ms |
| appsec | GlobalTracer | 254.238 ms | 254.24 ms |
| appsec | AppSec | 171.251 ms | 171.174 ms |
| appsec | Remote Config | 659.475 µs | 655.766 µs |
| appsec | Telemetry | 8.275 ms | 8.181 ms |
| appsec | IAST | 19.483 ms | 19.437 ms |
| iast | BytebuddyAgent | 829.881 ms | 830.59 ms |
| iast | GlobalTracer | 246.081 ms | 246.633 ms |
| iast | AppSec | 58.003 ms | 58.268 ms |
| iast | Remote Config | 677.331 µs | 682.794 µs |
| iast | Telemetry | 8.679 ms | 8.763 ms |
| iast | IAST | 21.268 ms | 21.051 ms |
| profiling | ProfilingAgent | 96.546 ms | 94.826 ms |
| profiling | BytebuddyAgent | 709.506 ms | 703.55 ms |
| profiling | GlobalTracer | 372.269 ms | 367.699 ms |
| profiling | AppSec | 54.579 ms | 53.605 ms |
| profiling | Remote Config | 695.362 µs | 697.018 µs |
| profiling | Telemetry | 8.9 ms | 8.834 ms |
| profiling | Profiling | 96.571 ms | 94.851 ms |

Load

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2025-01-10T09:21:23 | 2025-01-10T09:28:26 |
| git_branch | master | mario.vidal/taint_tracking_string_buffer_set_length |
| git_commit_date | 1736497810 | 1736500201 |
| git_commit_sha | f4139b0 | b3e8860 |
| release_version | 1.46.0-SNAPSHOT~f4139b0e7d | 1.46.0-SNAPSHOT~b3e8860a51 |
| start_time | 2025-01-10T09:21:09 | 2025-01-10T09:28:12 |

See matching parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1736501660 | 1736501660 |
| ci_job_id | 761461605 | 761461605 |
| ci_pipeline_id | 52639762 | 52639762 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 17 unstable metrics.

| scenario | Δ mean http_req_duration | Δ mean throughput | candidate mean http_req_duration | candidate mean throughput | baseline mean http_req_duration | baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:petclinic:profiling | better: [-94.833µs; -43.143µs] or [-5.960%; -2.712%] | unstable: [-429.149op/s; +657.070op/s] or [-14.484%; +22.176%] | 1.522ms | 3076.923op/s | 1.591ms | 2962.963op/s |
Request duration reports for petclinic
[Chart: petclinic - request duration [CI 0.99]: candidate=1.46.0-SNAPSHOT~b3e8860a51, baseline=1.46.0-SNAPSHOT~f4139b0e7d (values tabulated below)]
baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.364 ms [1.344 ms, 1.384 ms] | - |
| appsec | 1.756 ms [1.732 ms, 1.78 ms] | 392.36 µs (28.8%) |
| appsec_no_iast | 1.766 ms [1.741 ms, 1.791 ms] | 401.951 µs (29.5%) |
| iast | 1.507 ms [1.484 ms, 1.53 ms] | 143.229 µs (10.5%) |
| profiling | 1.591 ms [1.566 ms, 1.616 ms] | 227.23 µs (16.7%) |
| tracing | 1.486 ms [1.46 ms, 1.511 ms] | 121.738 µs (8.9%) |

candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.374 ms [1.354 ms, 1.393 ms] | - |
| appsec | 1.747 ms [1.723 ms, 1.771 ms] | 373.158 µs (27.2%) |
| appsec_no_iast | 1.739 ms [1.715 ms, 1.763 ms] | 365.827 µs (26.6%) |
| iast | 1.519 ms [1.496 ms, 1.542 ms] | 145.291 µs (10.6%) |
| profiling | 1.522 ms [1.499 ms, 1.545 ms] | 148.518 µs (10.8%) |
| tracing | 1.492 ms [1.467 ms, 1.517 ms] | 118.653 µs (8.6%) |
Request duration reports for insecure-bank
[Chart: insecure-bank - request duration [CI 0.99]: candidate=1.46.0-SNAPSHOT~b3e8860a51, baseline=1.46.0-SNAPSHOT~f4139b0e7d (values tabulated below)]
baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 384.298 µs [363.005 µs, 405.591 µs] | - |
| iast | 507.567 µs [484.998 µs, 530.136 µs] | 123.269 µs (32.1%) |
| iast_FULL | 663.637 µs [642.252 µs, 685.022 µs] | 279.339 µs (72.7%) |
| iast_GLOBAL | 530.541 µs [508.28 µs, 552.802 µs] | 146.243 µs (38.1%) |
| iast_HARDCODED_SECRET_DISABLED | 498.844 µs [477.162 µs, 520.525 µs] | 114.546 µs (29.8%) |
| iast_INACTIVE | 452.107 µs [431.488 µs, 472.726 µs] | 67.809 µs (17.6%) |
| iast_TELEMETRY_OFF | 487.408 µs [465.543 µs, 509.273 µs] | 103.11 µs (26.8%) |
| tracing | 458.581 µs [437.158 µs, 480.005 µs] | 74.283 µs (19.3%) |

candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 383.08 µs [363.115 µs, 403.046 µs] | - |
| iast | 495.284 µs [473.824 µs, 516.745 µs] | 112.204 µs (29.3%) |
| iast_FULL | 665.305 µs [643.567 µs, 687.042 µs] | 282.224 µs (73.7%) |
| iast_GLOBAL | 525.711 µs [504.26 µs, 547.162 µs] | 142.631 µs (37.2%) |
| iast_HARDCODED_SECRET_DISABLED | 509.943 µs [487.681 µs, 532.204 µs] | 126.862 µs (33.1%) |
| iast_INACTIVE | 465.405 µs [443.495 µs, 487.315 µs] | 82.325 µs (21.5%) |
| iast_TELEMETRY_OFF | 493.525 µs [471.164 µs, 515.886 µs] | 110.445 µs (28.8%) |
| tracing | 458.447 µs [437.078 µs, 479.816 µs] | 75.367 µs (19.7%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | mario.vidal/taint_tracking_string_buffer_set_length |
| git_commit_date | 1736497810 | 1736500201 |
| git_commit_sha | f4139b0 | b3e8860 |
| release_version | 1.46.0-SNAPSHOT~f4139b0e7d | 1.46.0-SNAPSHOT~b3e8860a51 |

See matching parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1736502217 | 1736502217 |
| ci_job_id | 761461606 | 761461606 |
| ci_pipeline_id | 52639762 | 52639762 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
[Chart: biojava - execution time [CI 0.99]: candidate=1.46.0-SNAPSHOT~b3e8860a51, baseline=1.46.0-SNAPSHOT~f4139b0e7d (values tabulated below)]
baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 14.938 s [14.938 s, 14.938 s] | - |
| appsec | 14.94 s [14.94 s, 14.94 s] | 2.0 ms (0.0%) |
| iast | 19.043 s [19.043 s, 19.043 s] | 4.105 s (27.5%) |
| iast_GLOBAL | 18.128 s [18.128 s, 18.128 s] | 3.19 s (21.4%) |
| profiling | 15.476 s [15.476 s, 15.476 s] | 538.0 ms (3.6%) |
| tracing | 15.201 s [15.201 s, 15.201 s] | 263.0 ms (1.8%) |

candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.481 s [15.481 s, 15.481 s] | - |
| appsec | 15.139 s [15.139 s, 15.139 s] | -342.0 ms (-2.2%) |
| iast | 18.729 s [18.729 s, 18.729 s] | 3.248 s (21.0%) |
| iast_GLOBAL | 17.923 s [17.923 s, 17.923 s] | 2.442 s (15.8%) |
| profiling | 14.871 s [14.871 s, 14.871 s] | -610.0 ms (-3.9%) |
| tracing | 14.76 s [14.76 s, 14.76 s] | -721.0 ms (-4.7%) |
Execution time for tomcat
[Chart: tomcat - execution time [CI 0.99]: candidate=1.46.0-SNAPSHOT~b3e8860a51, baseline=1.46.0-SNAPSHOT~f4139b0e7d (values tabulated below)]
baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.468 ms [1.456 ms, 1.479 ms] | - |
| appsec | 2.346 ms [2.304 ms, 2.388 ms] | 878.326 µs (59.8%) |
| iast | 2.101 ms [2.047 ms, 2.155 ms] | 633.316 µs (43.2%) |
| iast_GLOBAL | 2.143 ms [2.089 ms, 2.197 ms] | 675.114 µs (46.0%) |
| profiling | 1.955 ms [1.912 ms, 1.998 ms] | 487.483 µs (33.2%) |
| tracing | 1.931 ms [1.889 ms, 1.972 ms] | 463.028 µs (31.5%) |

candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.473 ms [1.461 ms, 1.485 ms] | - |
| appsec | 2.365 ms [2.323 ms, 2.408 ms] | 892.166 µs (60.6%) |
| iast | 2.102 ms [2.048 ms, 2.155 ms] | 628.586 µs (42.7%) |
| iast_GLOBAL | 2.143 ms [2.089 ms, 2.197 ms] | 670.197 µs (45.5%) |
| profiling | 1.965 ms [1.922 ms, 2.008 ms] | 491.674 µs (33.4%) |
| tracing | 1.945 ms [1.904 ms, 1.987 ms] | 472.308 µs (32.1%) |
@Mariovido Mariovido marked this pull request as ready for review December 23, 2024 11:33
@Mariovido Mariovido requested review from a team as code owners December 23, 2024 11:33

@jandro996 jandro996 left a comment

LGTM if @manuel-alvarez-alvarez is fine with removing the weak reference inside the tainted object ;)

@Mariovido Mariovido added type: enhancement Enhancements and improvements and removed type: enhancement Enhancements and improvements labels Jan 10, 2025
@Mariovido Mariovido merged commit 22458b3 into master Jan 10, 2025
173 of 174 checks passed
@Mariovido Mariovido deleted the mario.vidal/taint_tracking_string_buffer_set_length branch January 10, 2025 10:03
@github-actions github-actions bot added this to the 1.46.0 milestone Jan 10, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Jan 31, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.google.cloud:google-cloud-datastore](https://github.com/googleapis/java-datastore) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.25.4` -> `2.26.0` |
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.45.2` -> `1.46.0` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.45.2` -> `1.46.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |

---

### Release Notes

<details>
<summary>googleapis/java-datastore (com.google.cloud:google-cloud-datastore)</summary>

### [`v2.26.0`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2260-2025-01-29)

##### Features

- Add firestoreInDatastoreMode for datastore emulator ([#1698](googleapis/java-datastore#1698)) ([50f106d](googleapis/java-datastore@50f106d))

##### Dependencies

- Update dependency com.google.cloud:sdk-platform-java-config to v3.42.0 ([#1725](googleapis/java-datastore#1725)) ([1cbaf22](googleapis/java-datastore@1cbaf22))

</details>

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.46.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.46.0): 1.46.0

##### Breaking Changes

> \[!WARNING]
> jnr-unixsocket is now an external dependency of dd-trace-ot and must be included when deploying dd-trace-ot.

> \[!NOTE]
> The API `TracerScope.setAsync(boolean)`, used to manually control asynchronous span propagation, does no more apply to the scope instance but to the active span scope.

##### Components

##### Application Security Management (IAST)

- 🐛 Fix String.replace instrumentation for IAST ([#8281](DataDog/dd-trace-java#8281) - [@Mariovido](https://github.com/Mariovido))
- ✨ Apply the standard nomenclature to the stacktrace configs ([#8244](DataDog/dd-trace-java#8244) - [@jandro996](https://github.com/jandro996))
- 🐛 Exclude false positive weak randomness ([#8232](DataDog/dd-trace-java#8232) - [@jandro996](https://github.com/jandro996))
- ✨ Propagation of translateEscapes of String class ([#8186](DataDog/dd-trace-java#8186) - [@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Add security control metrics ([#8175](DataDog/dd-trace-java#8175) - [@jandro996](https://github.com/jandro996))
- ✨ Increase IAST propagation to StringBuffer setLength ([#8128](DataDog/dd-trace-java#8128) - [@Mariovido](https://github.com/Mariovido))
- ✨ Add IAST taint tracking for DB values ([#8072](DataDog/dd-trace-java#8072) - [@Mariovido](https://github.com/Mariovido))

##### Application Security Management (WAF)

- 🐛 Prevents a NPE when there is no subscriber for user events ([#8258](DataDog/dd-trace-java#8258) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Apply the standard nomenclature to the stacktrace configs ([#8244](DataDog/dd-trace-java#8244) - [@jandro996](https://github.com/jandro996))
- 🐛 Ensure cached subscriptions are cleared on reconfiguration via RC ([#8229](DataDog/dd-trace-java#8229) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Add support for session tracking in Vertx ([#8167](DataDog/dd-trace-java#8167) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Create span tag: \_dd.appsec.rasp.timeout ([#8269](DataDog/dd-trace-java#8269) - [@Mariovido](https://github.com/Mariovido))

##### Build & Tooling

- 🐛 Ensure shaded helpers have unique names when injected into class-loaders ([#8192](DataDog/dd-trace-java#8192) - [@mcculls](https://github.com/mcculls))

##### Configuration at Runtime

- 🐛 Remove filtering of `DD_SERVICE` and `DD_ENV` from the tracer ([#8176](DataDog/dd-trace-java#8176) - [@mhlidd](https://github.com/mhlidd))

##### Continuous Integration Visibility

- 🧹 Generalize TestRetryPolicy to TestExecutionPolicy ([#8302](DataDog/dd-trace-java#8302) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Parallelize CI Visibility settings requests ([#8299](DataDog/dd-trace-java#8299) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Generalize test retry logic ([#8289](DataDog/dd-trace-java#8289) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Generalize tests skipping logic ([#8288](DataDog/dd-trace-java#8288) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Remove skip and shouldBeSkipped methods from TestEventsHandler in favor of isSkippable ([#8286](DataDog/dd-trace-java#8286) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨⚡ Optimize Git repository information computation ([#8270](DataDog/dd-trace-java#8270) - [@dougqh](https://github.com/dougqh))
- ✨ Always request known tests from the backend ([#8268](DataDog/dd-trace-java#8268) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Fix NPE when trying to get retry analyzer in Test NG ([#8253](DataDog/dd-trace-java#8253) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Set test framework and test framework version tags atomically ([#8252](DataDog/dd-trace-java#8252) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add debug logging to Android Gradle module layout logic ([#8251](DataDog/dd-trace-java#8251) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix source and destination folders computation for Android Gradle projects ([#8190](DataDog/dd-trace-java#8190) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add basic Scala Weaver sbt support ([#8189](DataDog/dd-trace-java#8189) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement impacted tests detection ([#8188](DataDog/dd-trace-java#8188) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))

##### Data Streams Monitoring

- ✨ Change hash computation for protobuf to better represent impacting changes + save proto number in schema ([#8201](DataDog/dd-trace-java#8201) - [@vandonr](https://github.com/vandonr))

##### Database Monitoring

- Add peer service tag in dbm sql commenter ([#7913](DataDog/dd-trace-java#7913) - [@jordan-wong](https://github.com/jordan-wong))

##### Dynamic Instrumentation

- ✨ Add support for SymDB to scan directories ([#8306](DataDog/dd-trace-java#8306) - [@jpbempel](https://github.com/jpbempel))
- ✨ Add SymDB report for any jar scanning failures ([#8300](DataDog/dd-trace-java#8300) - [@jpbempel](https://github.com/jpbempel))
- ✨ Use two budgets depending on type ([#8283](DataDog/dd-trace-java#8283) - [@evanchooly](https://github.com/evanchooly))
- ✨ Institute a 10 snapshot per probe per trace budget ([#8277](DataDog/dd-trace-java#8277) - [@evanchooly](https://github.com/evanchooly))
- 🐛 Avoid double snapshots for Exception Replay ([#8273](DataDog/dd-trace-java#8273) - [@jpbempel](https://github.com/jpbempel))
- ✨ Simplify code origins. Separate out snapshot generation. ([#8263](DataDog/dd-trace-java#8263) - [@evanchooly](https://github.com/evanchooly))
- ✨ Add Exception probe custom instrumentation ([#8230](DataDog/dd-trace-java#8230) - [@jpbempel](https://github.com/jpbempel))
- ✨ Enhance log probes to honor debug session tags ([#8215](DataDog/dd-trace-java#8215) - [@evanchooly](https://github.com/evanchooly))
- 🐛 Don't redact env tokens from debugger probe snapshots ([#8211](DataDog/dd-trace-java#8211) - [@watson](https://github.com/watson))
- ✨⚡ Move Trace/SpanId capture at commit time ([#8184](DataDog/dd-trace-java#8184) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Capture values at entry for method probe ([#8169](DataDog/dd-trace-java#8169) - [@jpbempel](https://github.com/jpbempel))

##### JMX fetch

- 🐛 Mute JMXFetch Shutdown in progress error ([#8068](DataDog/dd-trace-java#8068) - [@ygree](https://github.com/ygree))

##### OpenTracing

- ⚠️🧹 Make jnr-unixsocket an explicit dependency of dd-trace-ot ([#8307](DataDog/dd-trace-java#8307) - [@mcculls](https://github.com/mcculls))

##### Profiling

- 🐛 Avoid unsupported API call for creating folders on windows ([#8304](DataDog/dd-trace-java#8304) - [@jbachorik](https://github.com/jbachorik))
- ✨ Tag profiles for serverless ([#8279](DataDog/dd-trace-java#8279) - [@jbachorik](https://github.com/jbachorik))
- ✨ add queue type and length to queue events ([#8242](DataDog/dd-trace-java#8242) - [@richardstartin](https://github.com/richardstartin))
- 🐛 TempLocationManager Fixes and Improvements ([#8191](DataDog/dd-trace-java#8191) - [@jbachorik](https://github.com/jbachorik))
- ✨ Bump ddprof to 1.18.0 ([#8173](DataDog/dd-trace-java#8173) - [@jbachorik](https://github.com/jbachorik))
- ✨ Report profiler initialization and configuration errors to telemetry ([#8171](DataDog/dd-trace-java#8171) - [@jbachorik](https://github.com/jbachorik))

##### Telemetry

- ✨ Add pending traces report in tracer flares ([#8053](DataDog/dd-trace-java#8053) - [@mhlidd](https://github.com/mhlidd))

##### Testing

- ✨ Test http server requests in parallel ([#8222](DataDog/dd-trace-java#8222) - [@amarziali](https://github.com/amarziali))

##### Trace context propagation

- ✨ Add non default propagator registration ([#8310](DataDog/dd-trace-java#8310) - [@PerfectSlayer](https://github.com/PerfectSlayer))

##### Tracer core

- ✨ Probe for existence of IBMSASL or ACCP security providers ([#8276](DataDog/dd-trace-java#8276) - [@mcculls](https://github.com/mcculls))
- ✨⚡ Overhead improvement to agent feedback based sampling ([#8265](DataDog/dd-trace-java#8265) - [@dougqh](https://github.com/dougqh))
- 🧹 Move async propagation API from scope to tracer ([#8231](DataDog/dd-trace-java#8231) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Introduce context propagation API ([#8161](DataDog/dd-trace-java#8161) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨🧪 Use env-entry to add tags per webapp deployment ([#8138](DataDog/dd-trace-java#8138) - [@amarziali](https://github.com/amarziali))
- ✨ Introduce context helpers API ([#8134](DataDog/dd-trace-java#8134) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Support IPv6 values for `DD_AGENT_HOST` and `DD_TRACE_AGENT_URL` ([#7984](DataDog/dd-trace-java#7984) - [@mhlidd](https://github.com/mhlidd))

##### Instrumentations

##### Apache HttpComponents

- 🐛 Properly finish spans and support latest apache httpclient5 ([#8272](DataDog/dd-trace-java#8272) - [@amarziali](https://github.com/amarziali))

##### AWS Lambda instrumentation

- 🐛 Properly capture lambda payloads for all handler types. ([#8264](DataDog/dd-trace-java#8264) - [@purple4reina](https://github.com/purple4reina))

##### AWS S3 instrumentation

- 💡 Create S3 instrumentation + add span pointers ([#8075](DataDog/dd-trace-java#8075) - [@nhulston](https://github.com/nhulston))

##### AWS SDK instrumentation

- 🐛 Revert "Add avoid double instrumenting lambda non-streaming handlers." ([#8247](DataDog/dd-trace-java#8247) - [@nhulston](https://github.com/nhulston))

##### Cassandra

- ✨ Allow extracting keyspace from statement result ([#8239](DataDog/dd-trace-java#8239) - [@amarziali](https://github.com/amarziali))

##### Core Java language instrumentation

- ✨ Propagation of translateEscapes of String class ([#8186](DataDog/dd-trace-java#8186) - [@sezen-datadog](https://github.com/sezen-datadog))

##### Eclipse Vert.x instrumentation

- 🐛 Fix vertx worker propagation and error handling ([#8237](DataDog/dd-trace-java#8237) - [@amarziali](https://github.com/amarziali))
- ✨ Support vertx 5 ([#8220](DataDog/dd-trace-java#8220) - [@amarziali](https://github.com/amarziali))
- ✨ Add support for session tracking in Vertx ([#8167](DataDog/dd-trace-java#8167) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

##### Kafka instrumentation

- 🐛 Prevent possible NPE calculating Kafka record header size ([#8292](DataDog/dd-trace-java#8292) - [@ygree](https://github.com/ygree))

##### Mule instrumentation

- 🐛 Fix crash using Mule with JPMS ([#8187](DataDog/dd-trace-java#8187) - [@amarziali](https://github.com/amarziali))

##### Protocol Buffer instrumentation

- ✨ Change hash computation for protobuf to better represent impacting changes + save proto number in schema ([#8201](DataDog/dd-trace-java#8201) - [@vandonr](https://github.com/vandonr))

##### Spring instrumentation

- 🐛 Preserve getQualifier from spring scheduling runnables ([#8293](DataDog/dd-trace-java#8293) - [@amarziali](https://github.com/amarziali))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: bb09d47e4eed77a003f630273b4d0a84003eb899