Create new ranges for vulns to prevent GC issues #7309

Merged

Conversation

manuel-alvarez-alvarez
Contributor

What Does This Do

Creates new ranges without weak references for evidence in vulnerabilities

Motivation

Before the vulnerability is written to the span at the end of the request, there's still the chance that the original value is GCed, causing flaky tests in our pipelines.

Additional Notes

Jira ticket: [PROJ-IDENT]
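The race the motivation describes, as an added illustration that is not dd-trace-java's own code (WeakRange, EvidenceRange, snapshot and resolveLate are hypothetical names): a taint range that only weakly references its source value resolves to nothing if the value is collected before the vulnerability is written to the span, whereas a copy into ranges without weak references, taken when the vulnerability is detected, still resolves at request end.

```java
import java.lang.ref.WeakReference;
import java.util.ArrayList;
import java.util.List;
// Added illustration; class and method names are hypothetical, not dd-trace-java's.
public class EvidenceRangeDemo {
    // Taint-tracking range: refers to the tainted value weakly so that tracking
    // never extends the lifetime of request data.
    static final class WeakRange {
        final int start, length; final WeakReference<String> value;
        WeakRange(int s, int l, String v) { start = s; length = l; value = new WeakReference<>(v); }
    }

    // Evidence range: a strong copy taken when the vulnerability is detected, so
    // the value is still reachable when the evidence is written to the span.
    static final class EvidenceRange {
        final int start, length; final String value;
        EvidenceRange(int s, int l, String v) { start = s; length = l; value = v; }
        String text() { return value.substring(start, start + length); }
    }

    // "Before": evidence keeps the weak ranges and resolves them at request end,
    // so a source value collected in between is lost (the flaky-test case).
    static String resolveLate(List<WeakRange> ranges) {
        StringBuilder sb = new StringBuilder();
        for (WeakRange r : ranges) {
            String v = r.value.get();
            sb.append(v == null ? "<collected>" : v.substring(r.start, r.start + r.length));
        }
        return sb.toString();
    }

    // "After": copy into ranges without weak references while the value is reachable.
    static List<EvidenceRange> snapshot(List<WeakRange> ranges) {
        List<EvidenceRange> out = new ArrayList<>();
        for (WeakRange r : ranges) {
            String v = r.value.get();
            if (v != null) out.add(new EvidenceRange(r.start, r.length, v));
        }
        return out;
    }

    public static void main(String[] args) {
        String tainted = new String("user@example.com");            // constructed sample
        List<WeakRange> ranges = List.of(new WeakRange(0, 4, tainted));
        List<EvidenceRange> evidence = snapshot(ranges);           // taken at detection time
        ranges.get(0).value.clear();    // stands in for a GC cycle clearing the weak ref
        System.out.println("resolved late: " + resolveLate(ranges));   // weak ref already gone
        System.out.println("from snapshot: " + evidence.get(0).text()); // strong copy survives
    }
}
```

Clearing the reference by hand stands in for a collection cycle because a real `System.gc()` is only a hint and would make the demonstration as flaky as the tests the change fixes.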

@manuel-alvarez-alvarez manuel-alvarez-alvarez added the comp: asm iast Application Security Management (IAST) label Jul 11, 2024
@manuel-alvarez-alvarez manuel-alvarez-alvarez requested a review from a team as a code owner July 11, 2024 15:47

pr-commenter bot commented Jul 11, 2024

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master malvarez/iast-prevent-flaky-weak-refs
git_commit_date 1721038044 1721056555
git_commit_sha f88def8 5de479f
release_version 1.38.0-SNAPSHOT~f88def8618 1.38.0-SNAPSHOT~5de479f3cc
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1721059083 1721059083
ci_job_id 572532679 572532679
ci_pipeline_id 39166925 39166925
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 54 metrics, 9 unstable metrics.

Startup time reports for insecure-bank
[Chart: insecure-bank - global startup overhead: candidate=1.38.0-SNAPSHOT~5de479f3cc, baseline=1.38.0-SNAPSHOT~f88def8618]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.064 s -
Agent iast 1.182 s 118.014 ms (11.1%)
Agent iast_HARDCODED_SECRET_DISABLED 1.172 s 108.413 ms (10.2%)
Agent iast_TELEMETRY_OFF 1.171 s 107.0 ms (10.1%)
Total tracing 8.527 s -
Total iast 8.967 s 440.875 ms (5.2%)
Total iast_HARDCODED_SECRET_DISABLED 8.938 s 411.839 ms (4.8%)
Total iast_TELEMETRY_OFF 8.964 s 437.075 ms (5.1%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.078 s -
Agent iast 1.188 s 109.531 ms (10.2%)
Agent iast_HARDCODED_SECRET_DISABLED 1.173 s 94.734 ms (8.8%)
Agent iast_TELEMETRY_OFF 1.171 s 92.559 ms (8.6%)
Total tracing 8.583 s -
Total iast 9.007 s 423.668 ms (4.9%)
Total iast_HARDCODED_SECRET_DISABLED 8.908 s 324.059 ms (3.8%)
Total iast_TELEMETRY_OFF 8.948 s 364.537 ms (4.2%)
[Chart: insecure-bank - break down per module: candidate=1.38.0-SNAPSHOT~5de479f3cc, baseline=1.38.0-SNAPSHOT~f88def8618]
Startup time reports for petclinic
[Chart: petclinic - global startup overhead: candidate=1.38.0-SNAPSHOT~5de479f3cc, baseline=1.38.0-SNAPSHOT~f88def8618]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.064 s -
Agent appsec 1.184 s 119.676 ms (11.2%)
Agent iast 1.183 s 118.979 ms (11.2%)
Agent profiling 1.266 s 202.005 ms (19.0%)
Total tracing 10.281 s -
Total appsec 10.541 s 259.704 ms (2.5%)
Total iast 10.774 s 493.465 ms (4.8%)
Total profiling 10.62 s 339.229 ms (3.3%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.066 s -
Agent appsec 1.188 s 121.894 ms (11.4%)
Agent iast 1.173 s 107.607 ms (10.1%)
Agent profiling 1.264 s 198.588 ms (18.6%)
Total tracing 10.356 s -
Total appsec 10.571 s 215.419 ms (2.1%)
Total iast 10.668 s 312.012 ms (3.0%)
Total profiling 10.578 s 222.324 ms (2.1%)
[Chart: petclinic - break down per module: candidate=1.38.0-SNAPSHOT~5de479f3cc, baseline=1.38.0-SNAPSHOT~f88def8618]

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2024-07-15T15:28:49 2024-07-15T15:35:41
git_branch master malvarez/iast-prevent-flaky-weak-refs
git_commit_date 1721038044 1721056555
git_commit_sha f88def8 5de479f
release_version 1.38.0-SNAPSHOT~f88def8618 1.38.0-SNAPSHOT~5de479f3cc
start_time 2024-07-15T15:28:36 2024-07-15T15:35:27
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1721058089 1721058089
ci_job_id 572532680 572532680
ci_pipeline_id 39166925 39166925
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics.

Request duration reports for petclinic
[Chart: petclinic - request duration [CI 0.99]: candidate=1.38.0-SNAPSHOT~5de479f3cc, baseline=1.38.0-SNAPSHOT~f88def8618]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.368 ms [1.349 ms, 1.388 ms] -
appsec 1.737 ms [1.714 ms, 1.76 ms] 368.693 µs (26.9%)
appsec_no_iast 1.745 ms [1.721 ms, 1.768 ms] 376.268 µs (27.5%)
iast 1.493 ms [1.471 ms, 1.516 ms] 124.979 µs (9.1%)
profiling 1.504 ms [1.479 ms, 1.529 ms] 135.332 µs (9.9%)
tracing 1.473 ms [1.449 ms, 1.497 ms] 104.68 µs (7.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.351 ms [1.331 ms, 1.371 ms] -
appsec 1.743 ms [1.719 ms, 1.767 ms] 391.946 µs (29.0%)
appsec_no_iast 1.715 ms [1.69 ms, 1.741 ms] 363.92 µs (26.9%)
iast 1.475 ms [1.452 ms, 1.498 ms] 123.573 µs (9.1%)
profiling 1.531 ms [1.505 ms, 1.556 ms] 179.393 µs (13.3%)
tracing 1.476 ms [1.452 ms, 1.499 ms] 124.411 µs (9.2%)
Request duration reports for insecure-bank
[Chart: insecure-bank - request duration [CI 0.99]: candidate=1.38.0-SNAPSHOT~5de479f3cc, baseline=1.38.0-SNAPSHOT~f88def8618]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 376.165 µs [356.03 µs, 396.301 µs] -
iast 490.67 µs [469.517 µs, 511.823 µs] 114.505 µs (30.4%)
iast_FULL 562.365 µs [541.315 µs, 583.415 µs] 186.2 µs (49.5%)
iast_GLOBAL 524.656 µs [503.174 µs, 546.139 µs] 148.491 µs (39.5%)
iast_HARDCODED_SECRET_DISABLED 490.992 µs [469.996 µs, 511.988 µs] 114.827 µs (30.5%)
iast_INACTIVE 455.346 µs [434.328 µs, 476.363 µs] 79.181 µs (21.0%)
iast_TELEMETRY_OFF 476.644 µs [455.326 µs, 497.963 µs] 100.479 µs (26.7%)
tracing 447.429 µs [427.107 µs, 467.75 µs] 71.263 µs (18.9%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 370.519 µs [350.287 µs, 390.752 µs] -
iast 493.132 µs [471.111 µs, 515.152 µs] 122.612 µs (33.1%)
iast_FULL 566.007 µs [544.925 µs, 587.089 µs] 195.488 µs (52.8%)
iast_GLOBAL 526.085 µs [503.112 µs, 549.059 µs] 155.566 µs (42.0%)
iast_HARDCODED_SECRET_DISABLED 485.396 µs [464.386 µs, 506.406 µs] 114.877 µs (31.0%)
iast_INACTIVE 460.144 µs [438.313 µs, 481.974 µs] 89.624 µs (24.2%)
iast_TELEMETRY_OFF 475.4 µs [454.354 µs, 496.446 µs] 104.881 µs (28.3%)
tracing 441.828 µs [420.676 µs, 462.979 µs] 71.308 µs (19.2%)

Dacapo

@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-prevent-flaky-weak-refs branch 2 times, most recently from 787f6ca to 2abf7ca Compare July 15, 2024 08:43
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-prevent-flaky-weak-refs branch from 2abf7ca to 5de479f Compare July 15, 2024 15:16
@manuel-alvarez-alvarez manuel-alvarez-alvarez merged commit b417127 into master Jul 15, 2024
82 checks passed
@manuel-alvarez-alvarez manuel-alvarez-alvarez deleted the malvarez/iast-prevent-flaky-weak-refs branch July 15, 2024 17:09
@github-actions github-actions bot added this to the 1.38.0 milestone Jul 15, 2024