Update URI and URL call sites for precise taint tracking #7299

Merged
merged 4 commits into from
Jul 16, 2024

Conversation

manuel-alvarez-alvarez
Contributor

@manuel-alvarez-alvarez manuel-alvarez-alvarez commented Jul 9, 2024

What Does This Do

Updates the URL and URI call sites to ensure that we keep track of the different ranges on a best-effort basis.

Motivation

The SSRF vulnerability has different scores depending on the part of the URL that is coming from an external source (e.g. the host is the most important part to track, as it gives big room for attacks).

Additional Notes

Jira ticket: APPSEC-53838

@manuel-alvarez-alvarez manuel-alvarez-alvarez added the comp: asm iast Application Security Management (IAST) label Jul 9, 2024
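To illustrate why per-range tracking matters for SSRF findings, the following added example (not code from this pull request or from the project) maps tainted character ranges of a URL string onto the URL parts they overlap, so a finding can tell a tainted host apart from a tainted query value. The class `UrlTaintParts`, the `Part` enum, the `Range` record and `taintedParts` are hypothetical names, and the sample URLs are constructed.

```java
import java.net.URI;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

// Added illustration (Java 16+); class, enum and method names are hypothetical.
public class UrlTaintParts {
  enum Part { SCHEME, USER_INFO, HOST, PORT, PATH, QUERY, FRAGMENT }

  /** Characters [start, start + length) of the URL string that came from an external source. */
  record Range(int start, int length) {
    boolean overlaps(int from, int to) {
      return start < to && from < start + length;
    }
  }

  /** Best effort: returns the URL parts that contain at least one tainted character. */
  static Set<Part> taintedParts(String url, List<Range> tainted) {
    URI uri = URI.create(url); // throws IllegalArgumentException on malformed input
    String port = uri.getPort() >= 0 ? Integer.toString(uri.getPort()) : null;
    // Raw (still encoded) values, in the order they appear in the string.
    String[] values = {
      uri.getScheme(), uri.getRawUserInfo(), uri.getHost(), port,
      uri.getRawPath(), uri.getRawQuery(), uri.getRawFragment()
    };
    Part[] parts = Part.values();
    Set<Part> result = EnumSet.noneOf(Part.class);
    int cursor = 0;
    for (int i = 0; i < parts.length; i++) {
      String value = values[i];
      if (value == null || value.isEmpty()) {
        continue; // part not present in this URL
      }
      int from = url.indexOf(value, cursor);
      if (from < 0) {
        continue; // could not locate the part, skip it rather than guess
      }
      int to = from + value.length();
      for (Range range : tainted) {
        if (range.overlaps(from, to)) {
          result.add(parts[i]);
        }
      }
      cursor = to;
    }
    return result;
  }

  public static void main(String[] args) {
    // Constructed sample: only the query value is externally controlled.
    String fixed = "https://api.example.com/v1/users?id=";
    String id = "42";
    System.out.println(taintedParts(fixed + id, List.of(new Range(fixed.length(), id.length()))));

    // Constructed sample: the host is externally controlled.
    String scheme = "https://";
    String host = "files.example.org";
    System.out.println(
        taintedParts(scheme + host + "/v1/users", List.of(new Range(scheme.length(), host.length()))));
  }
}
```

The first sample reports only the query as tainted and the second only the host, which is the distinction the motivation above relies on when scoring SSRF.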
@pr-commenter

pr-commenter bot commented Jul 10, 2024

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master malvarez/iast-precise-uri-tainting
git_commit_date 1721063355 1721063372
git_commit_sha b417127 b3dfd5a
release_version 1.38.0-SNAPSHOT~b417127f61 1.38.0-SNAPSHOT~b3dfd5a977
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1721065795 1721065795
ci_job_id 572729149 572729149
ci_pipeline_id 39183974 39183974
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 1 performance regressions! Performance is the same for 50 metrics, 12 unstable metrics.

scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time
scenario:startup:insecure-bank:iast:Remote Config | worse [+21.478µs; +52.336µs] or [+3.781%; +9.214%] | 604.915µs | 568.008µs
Startup time reports for insecure-bank
[Gantt chart: insecure-bank - global startup overhead: candidate=1.38.0-SNAPSHOT~b3dfd5a977, baseline=1.38.0-SNAPSHOT~b417127f61; values are listed in the tables below]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.072 s -
Agent iast 1.17 s 97.528 ms (9.1%)
Agent iast_HARDCODED_SECRET_DISABLED 1.171 s 98.739 ms (9.2%)
Agent iast_TELEMETRY_OFF 1.168 s 96.243 ms (9.0%)
Total tracing 8.597 s -
Total iast 8.942 s 345.225 ms (4.0%)
Total iast_HARDCODED_SECRET_DISABLED 8.938 s 340.809 ms (4.0%)
Total iast_TELEMETRY_OFF 8.935 s 337.965 ms (3.9%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.062 s -
Agent iast 1.17 s 108.264 ms (10.2%)
Agent iast_HARDCODED_SECRET_DISABLED 1.181 s 119.384 ms (11.2%)
Agent iast_TELEMETRY_OFF 1.174 s 112.27 ms (10.6%)
Total tracing 8.564 s -
Total iast 8.979 s 414.729 ms (4.8%)
Total iast_HARDCODED_SECRET_DISABLED 8.926 s 361.246 ms (4.2%)
Total iast_TELEMETRY_OFF 8.958 s 393.387 ms (4.6%)
gantt
    title insecure-bank - break down per module: candidate=1.38.0-SNAPSHOT~b3dfd5a977, baseline=1.38.0-SNAPSHOT~b417127f61

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (672.726 ms) : 0, 672726
BytebuddyAgent [candidate] (664.345 ms) : 0, 664345
GlobalTracer [baseline] (306.09 ms) : 0, 306090
GlobalTracer [candidate] (304.763 ms) : 0, 304763
AppSec [baseline] (50.295 ms) : 0, 50295
AppSec [candidate] (50.0 ms) : 0, 50000
Remote Config [baseline] (670.487 µs) : 0, 670
Remote Config [candidate] (667.756 µs) : 0, 668
Telemetry [baseline] (7.585 ms) : 0, 7585
Telemetry [candidate] (7.618 ms) : 0, 7618
section iast
BytebuddyAgent [baseline] (778.71 ms) : 0, 778710
BytebuddyAgent [candidate] (780.093 ms) : 0, 780093
GlobalTracer [baseline] (295.187 ms) : 0, 295187
GlobalTracer [candidate] (295.854 ms) : 0, 295854
AppSec [baseline] (48.157 ms) : 0, 48157
AppSec [candidate] (47.298 ms) : 0, 47298
IAST [baseline] (26.836 ms) : 0, 26836
IAST [candidate] (24.976 ms) : 0, 24976
Remote Config [baseline] (568.008 µs) : 0, 568
Remote Config [candidate] (604.915 µs) : 0, 605
Telemetry [baseline] (6.884 ms) : 0, 6884
Telemetry [candidate] (7.818 ms) : 0, 7818
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (779.437 ms) : 0, 779437
BytebuddyAgent [candidate] (786.026 ms) : 0, 786026
GlobalTracer [baseline] (295.288 ms) : 0, 295288
GlobalTracer [candidate] (297.885 ms) : 0, 297885
AppSec [baseline] (50.311 ms) : 0, 50311
AppSec [candidate] (48.698 ms) : 0, 48698
IAST [baseline] (24.766 ms) : 0, 24766
IAST [candidate] (27.408 ms) : 0, 27408
Remote Config [baseline] (584.776 µs) : 0, 585
Remote Config [candidate] (572.892 µs) : 0, 573
Telemetry [baseline] (7.05 ms) : 0, 7050
Telemetry [candidate] (7.017 ms) : 0, 7017
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (776.956 ms) : 0, 776956
BytebuddyAgent [candidate] (782.825 ms) : 0, 782825
GlobalTracer [baseline] (295.031 ms) : 0, 295031
GlobalTracer [candidate] (296.678 ms) : 0, 296678
AppSec [baseline] (47.277 ms) : 0, 47277
AppSec [candidate] (47.413 ms) : 0, 47413
IAST [baseline] (26.986 ms) : 0, 26986
IAST [candidate] (26.147 ms) : 0, 26147
Remote Config [baseline] (586.774 µs) : 0, 587
Remote Config [candidate] (577.954 µs) : 0, 578
Telemetry [baseline] (8.126 ms) : 0, 8126
Telemetry [candidate] (6.876 ms) : 0, 6876
Startup time reports for petclinic
[Gantt chart: petclinic - global startup overhead: candidate=1.38.0-SNAPSHOT~b3dfd5a977, baseline=1.38.0-SNAPSHOT~b417127f61; values are listed in the tables below]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.062 s -
Agent appsec 1.186 s 124.055 ms (11.7%)
Agent iast 1.179 s 116.532 ms (11.0%)
Agent profiling 1.262 s 199.993 ms (18.8%)
Total tracing 10.298 s -
Total appsec 10.537 s 238.443 ms (2.3%)
Total iast 10.674 s 375.328 ms (3.6%)
Total profiling 10.538 s 240.075 ms (2.3%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.07 s -
Agent appsec 1.181 s 111.504 ms (10.4%)
Agent iast 1.173 s 103.685 ms (9.7%)
Agent profiling 1.269 s 199.662 ms (18.7%)
Total tracing 10.46 s -
Total appsec 10.46 s -56.341 µs (-0.0%)
Total iast 10.806 s 346.842 ms (3.3%)
Total profiling 10.634 s 173.951 ms (1.7%)
gantt
    title petclinic - break down per module: candidate=1.38.0-SNAPSHOT~b3dfd5a977, baseline=1.38.0-SNAPSHOT~b417127f61

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (664.745 ms) : 0, 664745
BytebuddyAgent [candidate] (669.259 ms) : 0, 669259
GlobalTracer [baseline] (304.723 ms) : 0, 304723
GlobalTracer [candidate] (307.114 ms) : 0, 307114
AppSec [baseline] (50.055 ms) : 0, 50055
AppSec [candidate] (50.163 ms) : 0, 50163
Remote Config [baseline] (664.014 µs) : 0, 664
Remote Config [candidate] (670.43 µs) : 0, 670
Telemetry [baseline] (7.572 ms) : 0, 7572
Telemetry [candidate] (7.634 ms) : 0, 7634
section appsec
BytebuddyAgent [baseline] (678.042 ms) : 0, 678042
BytebuddyAgent [candidate] (674.837 ms) : 0, 674837
GlobalTracer [baseline] (299.972 ms) : 0, 299972
GlobalTracer [candidate] (298.734 ms) : 0, 298734
AppSec [baseline] (153.833 ms) : 0, 153833
AppSec [candidate] (153.603 ms) : 0, 153603
IAST [baseline] (22.669 ms) : 0, 22669
IAST [candidate] (20.978 ms) : 0, 20978
Remote Config [baseline] (619.969 µs) : 0, 620
Remote Config [candidate] (614.923 µs) : 0, 615
Telemetry [baseline] (7.882 ms) : 0, 7882
Telemetry [candidate] (8.23 ms) : 0, 8230
section iast
BytebuddyAgent [baseline] (784.741 ms) : 0, 784741
BytebuddyAgent [candidate] (780.624 ms) : 0, 780624
GlobalTracer [baseline] (297.248 ms) : 0, 297248
GlobalTracer [candidate] (295.427 ms) : 0, 295427
AppSec [baseline] (48.399 ms) : 0, 48399
AppSec [candidate] (48.839 ms) : 0, 48839
IAST [baseline] (27.369 ms) : 0, 27369
IAST [candidate] (26.462 ms) : 0, 26462
Remote Config [baseline] (585.368 µs) : 0, 585
Remote Config [candidate] (584.887 µs) : 0, 585
Telemetry [baseline] (6.92 ms) : 0, 6920
Telemetry [candidate] (7.794 ms) : 0, 7794
section profiling
BytebuddyAgent [baseline] (661.902 ms) : 0, 661902
BytebuddyAgent [candidate] (663.59 ms) : 0, 663590
GlobalTracer [baseline] (387.753 ms) : 0, 387753
GlobalTracer [candidate] (390.869 ms) : 0, 390869
AppSec [baseline] (51.427 ms) : 0, 51427
AppSec [candidate] (52.226 ms) : 0, 52226
Remote Config [baseline] (659.549 µs) : 0, 660
Remote Config [candidate] (667.564 µs) : 0, 668
Telemetry [baseline] (7.307 ms) : 0, 7307
Telemetry [candidate] (7.355 ms) : 0, 7355
ProfilingAgent [baseline] (96.157 ms) : 0, 96157
ProfilingAgent [candidate] (97.346 ms) : 0, 97346
Profiling [baseline] (96.182 ms) : 0, 96182
Profiling [candidate] (97.371 ms) : 0, 97371

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2024-07-15T17:20:49 2024-07-15T17:27:41
git_branch master malvarez/iast-precise-uri-tainting
git_commit_date 1721063355 1721063372
git_commit_sha b417127 b3dfd5a
release_version 1.38.0-SNAPSHOT~b417127f61 1.38.0-SNAPSHOT~b3dfd5a977
start_time 2024-07-15T17:20:35 2024-07-15T17:27:27
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1721064807 1721064807
ci_job_id 572729151 572729151
ci_pipeline_id 39183974 39183974
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for petclinic
[Gantt chart: petclinic - request duration [CI 0.99]: candidate=1.38.0-SNAPSHOT~b3dfd5a977, baseline=1.38.0-SNAPSHOT~b417127f61; values are listed in the tables below]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.354 ms [1.334 ms, 1.374 ms] -
appsec 1.73 ms [1.707 ms, 1.753 ms] 375.991 µs (27.8%)
appsec_no_iast 1.708 ms [1.683 ms, 1.733 ms] 354.037 µs (26.1%)
iast 1.486 ms [1.463 ms, 1.509 ms] 131.604 µs (9.7%)
profiling 1.499 ms [1.475 ms, 1.524 ms] 145.307 µs (10.7%)
tracing 1.484 ms [1.461 ms, 1.508 ms] 130.403 µs (9.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.354 ms [1.335 ms, 1.373 ms] -
appsec 1.714 ms [1.689 ms, 1.738 ms] 359.943 µs (26.6%)
appsec_no_iast 1.722 ms [1.697 ms, 1.747 ms] 367.803 µs (27.2%)
iast 1.486 ms [1.463 ms, 1.509 ms] 132.149 µs (9.8%)
profiling 1.507 ms [1.483 ms, 1.532 ms] 153.145 µs (11.3%)
tracing 1.475 ms [1.45 ms, 1.5 ms] 120.959 µs (8.9%)
Request duration reports for insecure-bank
[Gantt chart: insecure-bank - request duration [CI 0.99]: candidate=1.38.0-SNAPSHOT~b3dfd5a977, baseline=1.38.0-SNAPSHOT~b417127f61; values are listed in the tables below]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 370.299 µs [349.623 µs, 390.975 µs] -
iast 484.722 µs [463.618 µs, 505.825 µs] 114.423 µs (30.9%)
iast_FULL 556.792 µs [535.723 µs, 577.862 µs] 186.494 µs (50.4%)
iast_GLOBAL 512.913 µs [491.134 µs, 534.693 µs] 142.615 µs (38.5%)
iast_HARDCODED_SECRET_DISABLED 492.335 µs [470.357 µs, 514.313 µs] 122.036 µs (33.0%)
iast_INACTIVE 458.472 µs [437.581 µs, 479.362 µs] 88.173 µs (23.8%)
iast_TELEMETRY_OFF 473.669 µs [452.556 µs, 494.781 µs] 103.37 µs (27.9%)
tracing 448.929 µs [428.154 µs, 469.704 µs] 78.63 µs (21.2%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 380.817 µs [361.236 µs, 400.398 µs] -
iast 490.843 µs [469.333 µs, 512.353 µs] 110.026 µs (28.9%)
iast_FULL 558.76 µs [537.542 µs, 579.978 µs] 177.943 µs (46.7%)
iast_GLOBAL 513.131 µs [490.861 µs, 535.4 µs] 132.314 µs (34.7%)
iast_HARDCODED_SECRET_DISABLED 489.577 µs [467.932 µs, 511.223 µs] 108.76 µs (28.6%)
iast_INACTIVE 461.892 µs [439.729 µs, 484.055 µs] 81.075 µs (21.3%)
iast_TELEMETRY_OFF 474.886 µs [453.946 µs, 495.827 µs] 94.069 µs (24.7%)
tracing 447.378 µs [426.396 µs, 468.361 µs] 66.561 µs (17.5%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master malvarez/iast-precise-uri-tainting
git_commit_date 1721063355 1721063372
git_commit_sha b417127 b3dfd5a
release_version 1.38.0-SNAPSHOT~b417127f61 1.38.0-SNAPSHOT~b3dfd5a977
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1721065414 1721065414
ci_job_id 572729153 572729153
ci_pipeline_id 39183974 39183974
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat
[Gantt chart: tomcat - execution time [CI 0.99]: candidate=1.38.0-SNAPSHOT~b3dfd5a977, baseline=1.38.0-SNAPSHOT~b417127f61; values are listed in the tables below]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.449 ms [1.438 ms, 1.46 ms] -
appsec 2.202 ms [2.168 ms, 2.237 ms] 753.311 µs (52.0%)
iast 1.956 ms [1.915 ms, 1.997 ms] 506.788 µs (35.0%)
iast_GLOBAL 1.993 ms [1.951 ms, 2.036 ms] 544.229 µs (37.6%)
profiling 1.845 ms [1.812 ms, 1.879 ms] 396.351 µs (27.4%)
tracing 1.835 ms [1.802 ms, 1.869 ms] 386.241 µs (26.7%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.447 ms [1.436 ms, 1.458 ms] -
appsec 2.22 ms [2.185 ms, 2.255 ms] 772.939 µs (53.4%)
iast 1.951 ms [1.91 ms, 1.992 ms] 504.122 µs (34.8%)
iast_GLOBAL 1.993 ms [1.952 ms, 2.034 ms] 545.912 µs (37.7%)
profiling 1.843 ms [1.81 ms, 1.877 ms] 396.488 µs (27.4%)
tracing 1.829 ms [1.796 ms, 1.862 ms] 381.933 µs (26.4%)
Execution time for biojava
[Gantt chart: biojava - execution time [CI 0.99]: candidate=1.38.0-SNAPSHOT~b3dfd5a977, baseline=1.38.0-SNAPSHOT~b417127f61; values are listed in the tables below]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.373 s [15.373 s, 15.373 s] -
appsec 15.301 s [15.301 s, 15.301 s] -72.0 ms (-0.5%)
iast 18.676 s [18.676 s, 18.676 s] 3.303 s (21.5%)
iast_GLOBAL 17.779 s [17.779 s, 17.779 s] 2.406 s (15.7%)
profiling 16.066 s [16.066 s, 16.066 s] 693.0 ms (4.5%)
tracing 15.135 s [15.135 s, 15.135 s] -238.0 ms (-1.5%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.404 s [15.404 s, 15.404 s] -
appsec 15.212 s [15.212 s, 15.212 s] -192.0 ms (-1.2%)
iast 18.613 s [18.613 s, 18.613 s] 3.209 s (20.8%)
iast_GLOBAL 17.881 s [17.881 s, 17.881 s] 2.477 s (16.1%)
profiling 15.106 s [15.106 s, 15.106 s] -298.0 ms (-1.9%)
tracing 15.011 s [15.011 s, 15.011 s] -393.0 ms (-2.6%)

@manuel-alvarez-alvarez manuel-alvarez-alvarez marked this pull request as ready for review July 10, 2024 10:57
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the title Update URI and URL constructors for precise tainting Update URI and URL call sites for precise tainting Jul 10, 2024
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the title Update URI and URL call sites for precise tainting Update URI and URL call sites for precise taint tracking Jul 10, 2024
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the base branch from master to malvarez/iast-refactor-codec-module July 10, 2024 11:13
Base automatically changed from malvarez/iast-refactor-codec-module to master July 11, 2024 07:37
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-precise-uri-tainting branch 2 times, most recently from 16328b6 to 49ed213 Compare July 11, 2024 08:31
@amarziali amarziali removed the request for review from a team July 11, 2024 08:32
@amarziali
Collaborator

Removed IDM from the reviewers since it only impacts ASM

@manuel-alvarez-alvarez manuel-alvarez-alvarez merged commit c31955f into master Jul 16, 2024
82 checks passed
@manuel-alvarez-alvarez manuel-alvarez-alvarez deleted the malvarez/iast-precise-uri-tainting branch July 16, 2024 07:17
@github-actions github-actions bot added this to the 1.38.0 milestone Jul 16, 2024
Labels
comp: asm iast Application Security Management (IAST)
4 participants