Map JSP stack traces to file names #7005

Open. Wants to merge 17 commits into base: master from alejandro.gonzalez/xss_jsp_filename.
Conversation

@jandro996 (Member) commented May 8, 2024

What Does This Do

Add StratumManager to deal with SMAP Syntax from Jakarta Debugging Support for Other Languages

Replace the StackTraceElement used to create the vulnerability location with the original file and line info

Motivation

If we want to show proper filename for vulnerabilities in JSP, we’ll need to map JSP stack traces to file names.

Additional Notes

Jira ticket: APPSEC-4703

@pr-commenter bot commented May 8, 2024

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/xss_jsp_filename |
| git_commit_date | 1719381320 | 1719384559 |
| git_commit_sha | 04cda74 | 807f96a |
| release_version | 1.36.0-SNAPSHOT~04cda746be | 1.36.0-SNAPSHOT~807f96af15 |

Matching parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1719387292 | 1719387292 |
| ci_job_id | 553272678 | 553272678 |
| ci_pipeline_id | 37561310 | 37561310 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 1 performance improvement and 0 performance regressions! Performance is the same for 49 metrics, 13 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:startup:petclinic:tracing:Remote Config | better: [-37.104µs; -14.091µs] or [-5.401%; -2.051%] | 661.365µs | 686.963µs |
Startup time reports for petclinic
(Chart: petclinic - global startup overhead, candidate=1.36.0-SNAPSHOT~807f96af15, baseline=1.36.0-SNAPSHOT~04cda746be. The Agent and Total bars per variant plot the durations listed in the tables below.)
Baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.065 s | - |
| Agent | appsec | 1.182 s | 117.104 ms (11.0%) |
| Agent | iast | 1.178 s | 113.707 ms (10.7%) |
| Agent | profiling | 1.269 s | 204.44 ms (19.2%) |
| Total | tracing | 10.336 s | - |
| Total | appsec | 10.436 s | 99.208 ms (1.0%) |
| Total | iast | 10.769 s | 432.275 ms (4.2%) |
| Total | profiling | 10.622 s | 285.865 ms (2.8%) |

Candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.061 s | - |
| Agent | appsec | 1.18 s | 119.003 ms (11.2%) |
| Agent | iast | 1.168 s | 106.342 ms (10.0%) |
| Agent | profiling | 1.272 s | 210.405 ms (19.8%) |
| Total | tracing | 10.413 s | - |
| Total | appsec | 10.455 s | 41.864 ms (0.4%) |
| Total | iast | 10.679 s | 265.713 ms (2.6%) |
| Total | profiling | 10.687 s | 273.226 ms (2.6%) |
Break down per module (petclinic): candidate=1.36.0-SNAPSHOT~807f96af15, baseline=1.36.0-SNAPSHOT~04cda746be

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 666.95 ms | 664.722 ms |
| tracing | GlobalTracer | 304.643 ms | 303.77 ms |
| tracing | AppSec | 50.283 ms | 50.015 ms |
| tracing | Logs Intake | - | 415.999 µs |
| tracing | Remote Config | 686.963 µs | 661.365 µs |
| tracing | Telemetry | 7.573 ms | 7.462 ms |
| appsec | BytebuddyAgent | 675.106 ms | 675.151 ms |
| appsec | GlobalTracer | 296.949 ms | 297.389 ms |
| appsec | AppSec | 153.71 ms | 153.146 ms |
| appsec | Logs Intake | - | 333.552 µs |
| appsec | Remote Config | 635.845 µs | 646.991 µs |
| appsec | Telemetry | 9.374 ms | 8.493 ms |
| appsec | IAST | 22.995 ms | 21.662 ms |
| iast | BytebuddyAgent | 785.279 ms | 778.853 ms |
| iast | GlobalTracer | 296.0 ms | 293.171 ms |
| iast | AppSec | 47.478 ms | 46.966 ms |
| iast | Logs Intake | - | 301.262 µs |
| iast | Remote Config | 600.215 µs | 570.756 µs |
| iast | Telemetry | 7.018 ms | 8.457 ms |
| iast | IAST | 28.491 ms | 26.146 ms |
| profiling | BytebuddyAgent | 667.155 ms | 666.882 ms |
| profiling | GlobalTracer | 388.166 ms | 390.495 ms |
| profiling | AppSec | 51.486 ms | 51.583 ms |
| profiling | Logs Intake | - | 346.437 µs |
| profiling | Remote Config | 734.196 µs | 745.767 µs |
| profiling | Telemetry | 7.441 ms | 7.473 ms |
| profiling | ProfilingAgent | 96.575 ms | 97.071 ms |
| profiling | Profiling | 96.599 ms | 97.096 ms |

("-" means the module was not reported for that side.)
Startup time reports for insecure-bank
(Chart: insecure-bank - global startup overhead, candidate=1.36.0-SNAPSHOT~807f96af15, baseline=1.36.0-SNAPSHOT~04cda746be. The Agent and Total bars per variant plot the durations listed in the tables below.)
Baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.07 s | - |
| Agent | iast | 1.169 s | 99.167 ms (9.3%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.17 s | 99.696 ms (9.3%) |
| Agent | iast_TELEMETRY_OFF | 1.163 s | 93.051 ms (8.7%) |
| Total | tracing | 8.601 s | - |
| Total | iast | 8.974 s | 372.978 ms (4.3%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 8.995 s | 393.754 ms (4.6%) |
| Total | iast_TELEMETRY_OFF | 8.969 s | 367.579 ms (4.3%) |

Candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.062 s | - |
| Agent | iast | 1.177 s | 115.404 ms (10.9%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.175 s | 112.884 ms (10.6%) |
| Agent | iast_TELEMETRY_OFF | 1.166 s | 104.454 ms (9.8%) |
| Total | tracing | 8.528 s | - |
| Total | iast | 9.014 s | 486.1 ms (5.7%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.056 s | 528.337 ms (6.2%) |
| Total | iast_TELEMETRY_OFF | 8.998 s | 470.027 ms (5.5%) |
Break down per module (insecure-bank): candidate=1.36.0-SNAPSHOT~807f96af15, baseline=1.36.0-SNAPSHOT~04cda746be

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 670.289 ms | 664.788 ms |
| tracing | GlobalTracer | 306.033 ms | 303.801 ms |
| tracing | AppSec | 50.53 ms | 50.224 ms |
| tracing | Logs Intake | - | 373.914 µs |
| tracing | Remote Config | 696.075 µs | 681.462 µs |
| tracing | Telemetry | 7.592 ms | 7.593 ms |
| iast | BytebuddyAgent | 779.402 ms | 785.117 ms |
| iast | GlobalTracer | 293.222 ms | 295.611 ms |
| iast | AppSec | 47.053 ms | 47.192 ms |
| iast | Logs Intake | - | 296.993 µs |
| iast | Remote Config | 605.423 µs | 1.313 ms |
| iast | Telemetry | 7.607 ms | 7.715 ms |
| iast | IAST | 27.871 ms | 26.648 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 778.926 ms | 781.144 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 293.476 ms | 296.623 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 47.14 ms | 46.85 ms |
| iast_HARDCODED_SECRET_DISABLED | Logs Intake | - | 307.567 µs |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 622.521 µs | 574.11 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 7.753 ms | 7.717 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 28.328 ms | 28.133 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 775.038 ms | 777.22 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 292.93 ms | 293.828 ms |
| iast_TELEMETRY_OFF | AppSec | 46.968 ms | 46.212 ms |
| iast_TELEMETRY_OFF | Logs Intake | - | 300.154 µs |
| iast_TELEMETRY_OFF | Remote Config | 582.021 µs | 554.094 µs |
| iast_TELEMETRY_OFF | Telemetry | 7.573 ms | 8.315 ms |
| iast_TELEMETRY_OFF | IAST | 26.543 ms | 26.543 ms |

("-" means the module was not reported for that side.)

Load

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-06-26T07:05:43 | 2024-06-26T07:12:34 |
| git_branch | master | alejandro.gonzalez/xss_jsp_filename |
| git_commit_date | 1719381320 | 1719384559 |
| git_commit_sha | 04cda74 | 807f96a |
| release_version | 1.36.0-SNAPSHOT~04cda746be | 1.36.0-SNAPSHOT~807f96af15 |
| start_time | 2024-06-26T07:05:30 | 2024-06-26T07:12:21 |

Matching parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1719386301 | 1719386301 |
| ci_job_id | 553272679 | 553272679 |
| ci_pipeline_id | 37561310 | 37561310 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for insecure-bank
(Chart: insecure-bank - request duration [CI 0.99], candidate=1.36.0-SNAPSHOT~807f96af15, baseline=1.36.0-SNAPSHOT~04cda746be. The bars and milestones plot the means and confidence intervals listed in the tables below.)
Baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 372.52 µs [352.749 µs, 392.291 µs] | - |
| iast | 485.345 µs [464.13 µs, 506.561 µs] | 112.826 µs (30.3%) |
| iast_FULL | 555.571 µs [534.251 µs, 576.89 µs] | 183.051 µs (49.1%) |
| iast_GLOBAL | 514.963 µs [492.501 µs, 537.425 µs] | 142.443 µs (38.2%) |
| iast_HARDCODED_SECRET_DISABLED | 489.774 µs [468.102 µs, 511.446 µs] | 117.254 µs (31.5%) |
| iast_INACTIVE | 456.72 µs [435.746 µs, 477.694 µs] | 84.2 µs (22.6%) |
| iast_TELEMETRY_OFF | 474.673 µs [453.575 µs, 495.77 µs] | 102.153 µs (27.4%) |
| tracing | 446.769 µs [425.781 µs, 467.757 µs] | 74.249 µs (19.9%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 372.131 µs [351.468 µs, 392.794 µs] | - |
| iast | 488.372 µs [467.375 µs, 509.37 µs] | 116.241 µs (31.2%) |
| iast_FULL | 557.368 µs [536.179 µs, 578.557 µs] | 185.237 µs (49.8%) |
| iast_GLOBAL | 513.441 µs [491.478 µs, 535.404 µs] | 141.31 µs (38.0%) |
| iast_HARDCODED_SECRET_DISABLED | 489.203 µs [467.917 µs, 510.49 µs] | 117.072 µs (31.5%) |
| iast_INACTIVE | 462.528 µs [440.658 µs, 484.398 µs] | 90.397 µs (24.3%) |
| iast_TELEMETRY_OFF | 477.062 µs [456.128 µs, 497.995 µs] | 104.93 µs (28.2%) |
| tracing | 448.344 µs [427.56 µs, 469.128 µs] | 76.213 µs (20.5%) |
Request duration reports for petclinic
(Chart: petclinic - request duration [CI 0.99], candidate=1.36.0-SNAPSHOT~807f96af15, baseline=1.36.0-SNAPSHOT~04cda746be. The bars and milestones plot the means and confidence intervals listed in the tables below.)
Baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.338 ms [1.319 ms, 1.357 ms] | - |
| appsec | 1.736 ms [1.713 ms, 1.76 ms] | 398.422 µs (29.8%) |
| appsec_no_iast | 1.722 ms [1.697 ms, 1.747 ms] | 384.28 µs (28.7%) |
| iast | 1.481 ms [1.458 ms, 1.503 ms] | 143.055 µs (10.7%) |
| profiling | 1.529 ms [1.504 ms, 1.554 ms] | 190.954 µs (14.3%) |
| tracing | 1.478 ms [1.454 ms, 1.501 ms] | 139.754 µs (10.4%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.342 ms [1.323 ms, 1.362 ms] | - |
| appsec | 1.74 ms [1.715 ms, 1.764 ms] | 397.622 µs (29.6%) |
| appsec_no_iast | 1.723 ms [1.698 ms, 1.747 ms] | 380.407 µs (28.3%) |
| iast | 1.477 ms [1.455 ms, 1.5 ms] | 135.025 µs (10.1%) |
| profiling | 1.519 ms [1.493 ms, 1.546 ms] | 177.237 µs (13.2%) |
| tracing | 1.457 ms [1.432 ms, 1.482 ms] | 114.842 µs (8.6%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/xss_jsp_filename |
| git_commit_date | 1719381320 | 1719384559 |
| git_commit_sha | 04cda74 | 807f96a |
| release_version | 1.36.0-SNAPSHOT~04cda746be | 1.36.0-SNAPSHOT~807f96af15 |

Matching parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1719386809 | 1719386809 |
| ci_job_id | 553272680 | 553272680 |
| ci_pipeline_id | 37561310 | 37561310 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
(Chart: biojava - execution time [CI 0.99], candidate=1.36.0-SNAPSHOT~807f96af15, baseline=1.36.0-SNAPSHOT~04cda746be. The milestones plot the execution times listed in the tables below.)
Baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.256 s [15.256 s, 15.256 s] | - |
| appsec | 14.81 s [14.81 s, 14.81 s] | -446.0 ms (-2.9%) |
| iast | 18.909 s [18.909 s, 18.909 s] | 3.653 s (23.9%) |
| iast_GLOBAL | 17.98 s [17.98 s, 17.98 s] | 2.724 s (17.9%) |
| profiling | 15.342 s [15.342 s, 15.342 s] | 86.0 ms (0.6%) |
| tracing | 15.1 s [15.1 s, 15.1 s] | -156.0 ms (-1.0%) |

Candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.371 s [15.371 s, 15.371 s] | - |
| appsec | 14.904 s [14.904 s, 14.904 s] | -467.0 ms (-3.0%) |
| iast | 18.883 s [18.883 s, 18.883 s] | 3.512 s (22.8%) |
| iast_GLOBAL | 17.755 s [17.755 s, 17.755 s] | 2.384 s (15.5%) |
| profiling | 15.145 s [15.145 s, 15.145 s] | -226.0 ms (-1.5%) |
| tracing | 15.056 s [15.056 s, 15.056 s] | -315.0 ms (-2.0%) |
Execution time for tomcat
(Chart: tomcat - execution time [CI 0.99], candidate=1.36.0-SNAPSHOT~807f96af15, baseline=1.36.0-SNAPSHOT~04cda746be. The bars and milestones plot the means and confidence intervals listed in the tables below.)
Baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.456 ms [1.444 ms, 1.467 ms] | - |
| appsec | 2.201 ms [2.168 ms, 2.235 ms] | 745.556 µs (51.2%) |
| iast | 1.945 ms [1.904 ms, 1.985 ms] | 489.074 µs (33.6%) |
| iast_GLOBAL | 1.989 ms [1.948 ms, 2.029 ms] | 532.984 µs (36.6%) |
| profiling | 1.837 ms [1.803 ms, 1.871 ms] | 381.351 µs (26.2%) |
| tracing | 1.831 ms [1.799 ms, 1.863 ms] | 375.459 µs (25.8%) |

Candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.461 ms [1.45 ms, 1.473 ms] | - |
| appsec | 2.199 ms [2.165 ms, 2.233 ms] | 737.706 µs (50.5%) |
| iast | 1.962 ms [1.921 ms, 2.003 ms] | 500.87 µs (34.3%) |
| iast_GLOBAL | 2.002 ms [1.961 ms, 2.043 ms] | 540.56 µs (37.0%) |
| profiling | 1.842 ms [1.809 ms, 1.875 ms] | 380.868 µs (26.1%) |
| tracing | 1.813 ms [1.781 ms, 1.844 ms] | 351.339 µs (24.0%) |

@jandro996 force-pushed the alejandro.gonzalez/xss_jsp branch from 183a51c to ae313e3 on May 8, 2024 11:57
@jandro996 force-pushed the alejandro.gonzalez/xss_jsp_filename branch from eab21bd to 13aa99b on May 8, 2024 15:46
@smola added the "comp: asm iast" (Application Security Management (IAST)) label on May 13, 2024
Base automatically changed from alejandro.gonzalez/xss_jsp to master on May 13, 2024 11:18
@jandro996 force-pushed the alejandro.gonzalez/xss_jsp_filename branch from 4b6a319 to 8468f2e on June 12, 2024 07:46
@jandro996 marked this pull request as ready for review on June 17, 2024 06:05
@jandro996 requested review from a team as code owners on June 17, 2024 06:05
@smola (Member) left a comment
A few comments, but I still did not review all the parsing logic.

Snippet under review (StratumManagerImpl hook on the class-file constant pool):

```java
@Override
public void onConstantPool(
    @Nonnull TypeDescription type, @Nonnull ConstantPool pool, byte[] classFile) {
  if (StratumManagerImpl.shouldBeAnalyzed(type.getInternalName())) {
```
A Contributor commented on the snippet:
This is here just to get access to the class byte[] right?

I'm not sure about this approach as it will take a lot of wasted space, it's very likely that only a few jsps will need to have their metadata collected (the ones with vulnerabilities), and it will probably delay startup quite a bit. I think the best approach is to execute it only when computing the stack for a vulnerability.
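The two points raised above, the PR description's mapping of a generated-servlet stack frame back to the JSP file and line, and the reviewer's suggestion to do that work only when a vulnerability's stack is computed rather than for every loaded class, as one added example. This is not dd-trace-java's StratumManager or any code from this PR; it is a stand-alone Python sketch of the JSR-45 SMAP grammar (the `*S`, `*F`, `*L` and `*E` sections, and `*L` entries of the form `InputStartLine[#FileID][,Repeat]:OutputStart[,Increment]`) with a resolver that fetches and parses a class's SMAP lazily and caches the result, misses included. The loader callable, the `StackFrame` stand-in for `StackTraceElement`, the class names and the SMAP text are constructed for the example; in a real agent the text comes from the class's `SourceDebugExtension` attribute.

```python
"""Added example (not dd-trace-java code): JSR-45 SMAP parsing plus lazy JSP stack-frame mapping."""
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

class StackFrame(NamedTuple):  # stand-in for java.lang.StackTraceElement
    class_name: str
    method: str
    file_name: str
    line: int

class LineInfo(NamedTuple):  # one *L entry: InputStartLine[#FileID][,Repeat]:OutputStart[,Increment]
    input_start: int
    file_id: int
    repeat: int
    output_start: int
    increment: int

class Stratum(NamedTuple):
    files: Dict[int, str]  # file ID -> path (or bare name when the *F entry has no path line)
    lines: List[LineInfo]
LINE_RE = re.compile(r"(\d+)(?:#(\d+))?(?:,(\d+))?:(\d+)(?:,(\d+))?$")

def parse_smap(text: str) -> Tuple[str, Dict[str, Stratum]]:
    """Parse SourceDebugExtension text into (default stratum, strata by name); *O/*C and *V sections are skipped."""
    rows = text.splitlines()
    if len(rows) < 4 or rows[0].strip() != "SMAP":
        raise ValueError("not an SMAP")
    strata: Dict[str, Stratum] = {}
    cur = section = None
    file_id = 0  # an *L entry without #id reuses the previous id, 0 before any (Jasper relies on this)
    i = 3
    while i < len(rows):
        ln = rows[i].strip()
        i += 1
        if ln.startswith("*E"):
            break
        if ln.startswith("*S "):
            cur, section, file_id = strata.setdefault(ln[3:].strip(), Stratum({}, [])), None, 0
            continue
        if ln.startswith("*"):
            section = ln[:2]
            continue
        if cur is None or not ln:
            continue
        if section == "*F":
            fid, name = ln.lstrip("+ ").split(None, 1)
            if ln.startswith("+"):  # "+ id name" is followed by a line holding the path
                name = rows[i].strip()
                i += 1
            cur.files[int(fid)] = name
        elif section == "*L":
            m = LINE_RE.match(ln)
            if not m:
                raise ValueError(f"bad LineInfo: {ln}")
            file_id = int(m[2]) if m[2] else file_id
            cur.lines.append(LineInfo(int(m[1]), file_id, int(m[3] or 1), int(m[4]), int(m[5] or 1)))
    return rows[2].strip(), strata

def map_line(stratum: Stratum, output_line: int) -> Optional[Tuple[str, int]]:
    """Reverse the *L table: generated .java line -> (source file, source line)."""
    for li in stratum.lines:  # a zero-increment entry is treated as covering no generated line (assumption)
        if li.increment > 0 and li.output_start <= output_line < li.output_start + li.repeat * li.increment:
            offset = (output_line - li.output_start) // li.increment
            return stratum.files.get(li.file_id, f"<file {li.file_id}>"), li.input_start + offset
    return None

class StratumResolver:
    """Maps frames on demand: a class's SMAP is loaded and parsed at most once, only when a frame needs it."""
    def __init__(self, load_smap: Callable[[str], Optional[str]]):
        self._load = load_smap  # hypothetical loader: class name -> SourceDebugExtension text, or None
        self._cache: Dict[str, Optional[Tuple[str, Dict[str, Stratum]]]] = {}
        self.parses = 0

    def resolve(self, frame: StackFrame) -> StackFrame:
        if frame.class_name not in self._cache:  # negative results are cached too
            text = self._load(frame.class_name)
            self.parses += 1 if text else 0
            self._cache[frame.class_name] = parse_smap(text) if text else None
        sm = self._cache[frame.class_name]
        stratum = sm[1].get(sm[0]) if sm else None
        hit = map_line(stratum, frame.line) if stratum else None
        if hit is None:
            return frame  # no SMAP, or a line outside every *L entry: keep the Java location
        return StackFrame(frame.class_name, frame.method, hit[0], hit[1])

# Constructed SMAP in Jasper's style (not captured from a container): index.jsp includes WEB-INF/header.jspf.
SAMPLE_SMAPS = {
    "org.apache.jsp.index_jsp": "SMAP\nindex_jsp.java\nJSP\n*S JSP\n*F\n+ 0 index.jsp\n  index.jsp\n"
    "+ 1 header.jspf\n  WEB-INF/header.jspf\n*L\n1,5:116\n1#1,3:121,2\n6#0:127,4\n*E\n",
}

def demo() -> List[StackFrame]:
    resolver = StratumResolver(SAMPLE_SMAPS.get)
    frames = [StackFrame("org.apache.jsp.index_jsp", "_jspService", "index_jsp.java", n) for n in (118, 124, 129, 500)]
    frames.append(StackFrame("com.example.Controller", "render", "Controller.java", 42))
    return [resolver.resolve(f) for f in frames]

if __name__ == "__main__":
    for f in demo():
        print(f"{f.class_name}.{f.method}({f.file_name}:{f.line})")
```

In the constructed map each input line of `1#1,3:121,2` covers two generated lines, so `index_jsp.java:124` resolves to line 2 of the included `WEB-INF/header.jspf`, `index_jsp.java:118` to `index.jsp:3`, and a generated line outside every `*L` entry keeps its Java location. `parses` stays at 1 however many frames from the same class are resolved, and a class with no SMAP is remembered as a miss, which is the cost profile the reviewer asks for instead of parsing every JSP class at load time.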

jandro996 and others added 11 commits July 3, 2024 10:43
…tooling/iast/stratum/StratumManagerImpl.java

Co-authored-by: Manuel Álvarez Álvarez <[email protected]>
…tooling/iast/stratum/StratumManagerImpl.java

Co-authored-by: Manuel Álvarez Álvarez <[email protected]>
…t/tooling/iast/stratum/StratumManagerImplTest.groovy

Co-authored-by: Santiago M. Mola <[email protected]>
…t/tooling/iast/stratum/StratumManagerImplTest.groovy

Co-authored-by: Santiago M. Mola <[email protected]>
@jandro996 force-pushed the alejandro.gonzalez/xss_jsp_filename branch from 81b6989 to 3c8ca9e on July 3, 2024 08:44
Labels: comp: asm iast (Application Security Management (IAST))

3 participants