Support spring-boot-devtools reloadable classloader #7320

Open · wants to merge 2 commits into master from andrea.marziali/spring-devtools

Conversation

@amarziali (Collaborator) commented Jul 12, 2024

What Does This Do

This PR adds support for the Spring reloadable classloader. This kind of classloader is used by spring-boot-devtools; supporting it allows instrumentation to be re-applied to hot-reloaded classes, which normally would not be possible because of the tracer's internal memoizers.

The simple strategy used here is that we record each creation of this kind of classloader and reset the memoizer state once, on the first class lookup.

Motivation

Additional Notes

Jira ticket: AIDM-152
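As an added illustration of the strategy described above (a hypothetical sketch, not the PR's implementation and not any dd-trace-java API; all class and method names are assumptions), a memoizer that records every restart classloader it is told about in a weak set and clears its cached decisions once, on the first lookup that arrives from such a loader:

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;

/**
 * Hypothetical sketch (not dd-trace-java code). Instrumentation decisions are memoized
 * per class name; without a reset, a class hot-reloaded by a fresh devtools restart
 * classloader would simply reuse the stale answer.
 */
final class ReloadAwareMemoizer {

    // Memoized "should this class be instrumented?" answers.
    private final Map<String, Boolean> decisions = new ConcurrentHashMap<>();

    // Restart classloaders recorded but not yet consulted. Weak keys: devtools creates a new
    // restart loader on every reload, so a strong reference would pin the old ones in memory.
    private final Set<ClassLoader> pendingReset =
        Collections.synchronizedSet(Collections.newSetFromMap(new WeakHashMap<>()));

    private final Predicate<String> matcher;

    ReloadAwareMemoizer(Predicate<String> matcher) {
        this.matcher = matcher;
    }

    /** Called whenever a reloadable classloader is created (e.g. from a constructor advice). */
    void onReloadableClassLoaderCreated(ClassLoader loader) {
        pendingReset.add(loader);
    }

    /** Called on each class lookup; resets the memoized state once per recorded loader. */
    boolean shouldInstrument(ClassLoader loader, String className) {
        // remove() on the synchronized set is atomic, so only the first lookup from this loader resets.
        if (loader != null && pendingReset.remove(loader)) {
            decisions.clear();
        }
        return decisions.computeIfAbsent(className, matcher::test);
    }

    int memoizedCount() {
        return decisions.size();
    }

    public static void main(String[] args) {
        ReloadAwareMemoizer memo = new ReloadAwareMemoizer(n -> n.startsWith("com.example."));
        ClassLoader app = ReloadAwareMemoizer.class.getClassLoader();
        memo.shouldInstrument(app, "com.example.Service"); // memoized: true
        memo.shouldInstrument(app, "org.other.Util");      // memoized: false

        // Simulate a devtools restart: a new loader is created, then performs its first lookup.
        ClassLoader restart = new ClassLoader(app) { };
        memo.onReloadableClassLoaderCreated(restart);
        System.out.println("before reset: " + memo.memoizedCount());
        memo.shouldInstrument(restart, "com.example.Service");
        System.out.println("after first lookup from the restart loader: " + memo.memoizedCount());
    }
}
```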

@amarziali amarziali requested review from a team as code owners July 12, 2024 13:09
@amarziali amarziali changed the title Support spring-boot-devtoools reloadable classlaoder Support spring-boot-devtools reloadable classloader Jul 12, 2024
@amarziali amarziali added inst: spring Spring instrumentation type: enhancement labels Jul 12, 2024
@amarziali amarziali marked this pull request as draft July 12, 2024 13:26
@amarziali amarziali added the tag: do not merge Do not merge changes label Jul 12, 2024
@pr-commenter bot commented Jul 12, 2024

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | andrea.marziali/spring-devtools |
| git_commit_date | 1722960232 | 1723019852 |
| git_commit_sha | 42eee08 | f7a7134 |
| release_version | 1.39.0-SNAPSHOT~42eee0817d | 1.39.0-SNAPSHOT~f7a71344de |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1723022308 | 1723022308 |
| ci_job_id | 597016647 | 597016647 |
| ci_pipeline_id | 41081827 | 41081827 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 49 metrics, 13 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:startup:insecure-bank:iast_TELEMETRY_OFF:Remote Config | better: [-63.917µs; -28.795µs] or [-10.155%; -4.575%] | 583.060µs | 629.416µs |
Startup time reports for insecure-bank
[Gantt chart: insecure-bank - global startup overhead, candidate=1.39.0-SNAPSHOT~f7a71344de vs baseline=1.39.0-SNAPSHOT~42eee0817d; the Agent/Total durations it plots are tabulated below]
baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.046 s | - |
| Agent | iast | 1.173 s | 127.624 ms (12.2%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.173 s | 126.776 ms (12.1%) |
| Agent | iast_TELEMETRY_OFF | 1.17 s | 124.346 ms (11.9%) |
| Total | tracing | 8.503 s | - |
| Total | iast | 9.022 s | 519.195 ms (6.1%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 8.971 s | 468.704 ms (5.5%) |
| Total | iast_TELEMETRY_OFF | 8.993 s | 490.3 ms (5.8%) |

candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.047 s | - |
| Agent | iast | 1.194 s | 147.613 ms (14.1%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.175 s | 128.697 ms (12.3%) |
| Agent | iast_TELEMETRY_OFF | 1.17 s | 123.391 ms (11.8%) |
| Total | tracing | 8.506 s | - |
| Total | iast | 9.054 s | 548.148 ms (6.4%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 8.946 s | 440.084 ms (5.2%) |
| Total | iast_TELEMETRY_OFF | 8.991 s | 485.139 ms (5.7%) |
insecure-bank - break down per module (candidate=1.39.0-SNAPSHOT~f7a71344de, baseline=1.39.0-SNAPSHOT~42eee0817d)

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 668.23 ms | 669.132 ms |
| tracing | GlobalTracer | 305.66 ms | 305.38 ms |
| tracing | AppSec | 50.493 ms | 50.516 ms |
| tracing | Remote Config | 684.769 µs | 672.778 µs |
| tracing | Telemetry | 7.348 ms | 7.405 ms |
| iast | BytebuddyAgent | 782.377 ms | 796.199 ms |
| iast | GlobalTracer | 294.699 ms | 299.613 ms |
| iast | AppSec | 52.796 ms | 52.417 ms |
| iast | IAST | 22.414 ms | 23.012 ms |
| iast | Remote Config | 602.58 µs | 591.827 µs |
| iast | Telemetry | 7.101 ms | 8.635 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 782.055 ms | 785.112 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 295.699 ms | 295.901 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 51.513 ms | 47.846 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 22.29 ms | 25.197 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 569.301 µs | 591.512 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 6.972 ms | 7.049 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 779.517 ms | 779.137 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 295.315 ms | 295.372 ms |
| iast_TELEMETRY_OFF | AppSec | 47.052 ms | 48.542 ms |
| iast_TELEMETRY_OFF | IAST | 26.334 ms | 25.971 ms |
| iast_TELEMETRY_OFF | Remote Config | 629.416 µs | 583.06 µs |
| iast_TELEMETRY_OFF | Telemetry | 7.808 ms | 6.868 ms |
Startup time reports for petclinic
[Gantt chart: petclinic - global startup overhead, candidate=1.39.0-SNAPSHOT~f7a71344de vs baseline=1.39.0-SNAPSHOT~42eee0817d; the Agent/Total durations it plots are tabulated below]
baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.046 s | - |
| Agent | appsec | 1.165 s | 119.114 ms (11.4%) |
| Agent | iast | 1.171 s | 125.848 ms (12.0%) |
| Agent | profiling | 1.248 s | 202.111 ms (19.3%) |
| Total | tracing | 10.281 s | - |
| Total | appsec | 10.496 s | 215.5 ms (2.1%) |
| Total | iast | 10.778 s | 497.702 ms (4.8%) |
| Total | profiling | 10.625 s | 343.837 ms (3.3%) |

candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.055 s | - |
| Agent | appsec | 1.171 s | 116.11 ms (11.0%) |
| Agent | iast | 1.173 s | 117.916 ms (11.2%) |
| Agent | profiling | 1.246 s | 191.057 ms (18.1%) |
| Total | tracing | 10.307 s | - |
| Total | appsec | 10.538 s | 231.361 ms (2.2%) |
| Total | iast | 10.764 s | 457.693 ms (4.4%) |
| Total | profiling | 10.612 s | 305.601 ms (3.0%) |
petclinic - break down per module (candidate=1.39.0-SNAPSHOT~f7a71344de, baseline=1.39.0-SNAPSHOT~42eee0817d)

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 668.4 ms | 673.077 ms |
| tracing | GlobalTracer | 305.251 ms | 309.22 ms |
| tracing | AppSec | 50.334 ms | 50.821 ms |
| tracing | Remote Config | 687.289 µs | 676.107 µs |
| tracing | Telemetry | 7.411 ms | 7.383 ms |
| appsec | BytebuddyAgent | 677.758 ms | 681.887 ms |
| appsec | GlobalTracer | 298.361 ms | 299.936 ms |
| appsec | AppSec | 154.934 ms | 155.198 ms |
| appsec | Remote Config | 599.353 µs | 598.232 µs |
| appsec | Telemetry | 8.46 ms | 9.2 ms |
| appsec | IAST | 22.114 ms | 20.796 ms |
| iast | BytebuddyAgent | 781.886 ms | 782.429 ms |
| iast | GlobalTracer | 294.536 ms | 295.498 ms |
| iast | AppSec | 52.056 ms | 48.245 ms |
| iast | Remote Config | 1.316 ms | 629.007 µs |
| iast | Telemetry | 7.03 ms | 7.066 ms |
| iast | IAST | 21.081 ms | 25.174 ms |
| profiling | BytebuddyAgent | 666.65 ms | 665.077 ms |
| profiling | GlobalTracer | 389.169 ms | 388.952 ms |
| profiling | AppSec | 51.686 ms | 51.489 ms |
| profiling | Remote Config | 694.479 µs | 690.752 µs |
| profiling | Telemetry | 7.244 ms | 7.237 ms |
| profiling | ProfilingAgent | 94.833 ms | 95.078 ms |
| profiling | Profiling | 94.858 ms | 95.103 ms |

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-08-07T08:49:33 | 2024-08-07T08:58:32 |
| git_branch | master | andrea.marziali/spring-devtools |
| git_commit_date | 1722960232 | 1723019852 |
| git_commit_sha | 42eee08 | f7a7134 |
| release_version | 1.39.0-SNAPSHOT~42eee0817d | 1.39.0-SNAPSHOT~f7a71344de |
| start_time | 2024-08-07T08:49:17 | 2024-08-07T08:58:15 |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1723021566 | 1723021566 |
| ci_job_id | 597016648 | 597016648 |
| ci_pipeline_id | 41081827 | 41081827 |
| cpu_model | Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 6 metrics, 22 unstable metrics.

Request duration reports for insecure-bank
[Gantt chart: insecure-bank - request duration [CI 0.99], candidate=1.39.0-SNAPSHOT~f7a71344de vs baseline=1.39.0-SNAPSHOT~42eee0817d; the per-variant durations it plots are tabulated below]
baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 452.388 µs [423.914 µs, 480.862 µs] | - |
| iast | 586.074 µs [553.952 µs, 618.195 µs] | 133.685 µs (29.6%) |
| iast_FULL | 684.146 µs [651.674 µs, 716.618 µs] | 231.758 µs (51.2%) |
| iast_GLOBAL | 610.97 µs [578.45 µs, 643.491 µs] | 158.582 µs (35.1%) |
| iast_HARDCODED_SECRET_DISABLED | 581.932 µs [549.958 µs, 613.906 µs] | 129.544 µs (28.6%) |
| iast_INACTIVE | 551.631 µs [518.752 µs, 584.51 µs] | 99.243 µs (21.9%) |
| iast_TELEMETRY_OFF | 566.486 µs [535.082 µs, 597.889 µs] | 114.097 µs (25.2%) |
| tracing | 536.096 µs [506.122 µs, 566.07 µs] | 83.708 µs (18.5%) |

candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 459.168 µs [429.078 µs, 489.257 µs] | - |
| iast | 588.102 µs [556.749 µs, 619.456 µs] | 128.935 µs (28.1%) |
| iast_FULL | 679.113 µs [647.73 µs, 710.497 µs] | 219.945 µs (47.9%) |
| iast_GLOBAL | 618.779 µs [586.303 µs, 651.254 µs] | 159.611 µs (34.8%) |
| iast_HARDCODED_SECRET_DISABLED | 585.468 µs [553.67 µs, 617.266 µs] | 126.301 µs (27.5%) |
| iast_INACTIVE | 551.221 µs [519.504 µs, 582.937 µs] | 92.053 µs (20.0%) |
| iast_TELEMETRY_OFF | 575.503 µs [543.519 µs, 607.487 µs] | 116.335 µs (25.3%) |
| tracing | 533.469 µs [503.696 µs, 563.241 µs] | 74.301 µs (16.2%) |
Request duration reports for petclinic
[Gantt chart: petclinic - request duration [CI 0.99], candidate=1.39.0-SNAPSHOT~f7a71344de vs baseline=1.39.0-SNAPSHOT~42eee0817d; the per-variant durations it plots are tabulated below]
baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.713 ms [1.688 ms, 1.737 ms] | - |
| appsec | 2.166 ms [2.135 ms, 2.198 ms] | 453.779 µs (26.5%) |
| appsec_no_iast | 2.182 ms [2.149 ms, 2.215 ms] | 469.635 µs (27.4%) |
| iast | 1.86 ms [1.83 ms, 1.89 ms] | 147.32 µs (8.6%) |
| profiling | 1.904 ms [1.872 ms, 1.936 ms] | 191.26 µs (11.2%) |
| tracing | 1.849 ms [1.818 ms, 1.881 ms] | 136.666 µs (8.0%) |

candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.713 ms [1.688 ms, 1.738 ms] | - |
| appsec | 2.185 ms [2.155 ms, 2.216 ms] | 472.601 µs (27.6%) |
| appsec_no_iast | 2.186 ms [2.155 ms, 2.217 ms] | 472.861 µs (27.6%) |
| iast | 1.849 ms [1.819 ms, 1.879 ms] | 136.043 µs (7.9%) |
| profiling | 1.896 ms [1.86 ms, 1.932 ms] | 183.127 µs (10.7%) |
| tracing | 1.877 ms [1.845 ms, 1.91 ms] | 164.502 µs (9.6%) |

Dacapo

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | andrea.marziali/spring-devtools |
| git_commit_date | 1722960232 | 1723019852 |
| git_commit_sha | 42eee08 | f7a7134 |
| release_version | 1.39.0-SNAPSHOT~42eee0817d | 1.39.0-SNAPSHOT~f7a71344de |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1723021750 | 1723021750 |
| ci_job_id | 597016649 | 597016649 |
| ci_pipeline_id | 41081827 | 41081827 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat
[Gantt chart: tomcat - execution time [CI 0.99], candidate=1.39.0-SNAPSHOT~f7a71344de vs baseline=1.39.0-SNAPSHOT~42eee0817d; the per-variant times it plots are tabulated below]
baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.462 ms [1.451 ms, 1.474 ms] | - |
| appsec | 2.222 ms [2.187 ms, 2.257 ms] | 759.829 µs (52.0%) |
| iast | 1.974 ms [1.932 ms, 2.016 ms] | 511.933 µs (35.0%) |
| iast_GLOBAL | 2.022 ms [1.98 ms, 2.065 ms] | 559.874 µs (38.3%) |
| profiling | 1.878 ms [1.843 ms, 1.913 ms] | 415.243 µs (28.4%) |
| tracing | 1.838 ms [1.805 ms, 1.871 ms] | 375.646 µs (25.7%) |

candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.462 ms [1.451 ms, 1.474 ms] | - |
| appsec | 2.22 ms [2.185 ms, 2.255 ms] | 757.634 µs (51.8%) |
| iast | 1.961 ms [1.92 ms, 2.002 ms] | 498.762 µs (34.1%) |
| iast_GLOBAL | 2.01 ms [1.967 ms, 2.052 ms] | 547.497 µs (37.4%) |
| profiling | 2.35 ms [2.167 ms, 2.534 ms] | 888.091 µs (60.7%) |
| tracing | 1.845 ms [1.812 ms, 1.878 ms] | 382.489 µs (26.2%) |
Execution time for biojava
[Gantt chart: biojava - execution time [CI 0.99], candidate=1.39.0-SNAPSHOT~f7a71344de vs baseline=1.39.0-SNAPSHOT~42eee0817d; the per-variant times it plots are tabulated below]
baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.429 s [15.429 s, 15.429 s] | - |
| appsec | 14.887 s [14.887 s, 14.887 s] | -542.0 ms (-3.5%) |
| iast | 18.678 s [18.678 s, 18.678 s] | 3.249 s (21.1%) |
| iast_GLOBAL | 17.717 s [17.717 s, 17.717 s] | 2.288 s (14.8%) |
| profiling | 15.21 s [15.21 s, 15.21 s] | -219.0 ms (-1.4%) |
| tracing | 15.223 s [15.223 s, 15.223 s] | -206.0 ms (-1.3%) |

candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.444 s [15.444 s, 15.444 s] | - |
| appsec | 14.969 s [14.969 s, 14.969 s] | -475.0 ms (-3.1%) |
| iast | 18.959 s [18.959 s, 18.959 s] | 3.515 s (22.8%) |
| iast_GLOBAL | 17.728 s [17.728 s, 17.728 s] | 2.284 s (14.8%) |
| profiling | 15.285 s [15.285 s, 15.285 s] | -159.0 ms (-1.0%) |
| tracing | 15.046 s [15.046 s, 15.046 s] | -398.0 ms (-2.6%) |

@amarziali amarziali force-pushed the andrea.marziali/spring-devtools branch from 7e51450 to cce2b0d Compare August 6, 2024 14:52
@amarziali amarziali removed the tag: do not merge Do not merge changes label Aug 6, 2024
@amarziali amarziali marked this pull request as ready for review August 6, 2024 14:53
@amarziali amarziali force-pushed the andrea.marziali/spring-devtools branch from cce2b0d to ba0bcaf Compare August 6, 2024 15:29
```groovy
testImplementation group: 'org.springframework.boot', name: 'spring-boot', version: '1.3.0.RELEASE'
testImplementation group: 'org.springframework.boot', name: 'spring-boot-devtools', version: '1.3.0.RELEASE'
```


🔴 Library Vulnerability

org.springframework.boot:spring-boot → 1.3.0.RELEASE

Temporary Directory Hijacking to Local Privilege Escalation Vulnerability in org.springframework.boot:spring-boot

spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method.

The vulnerable method is used to create a work directory for embedded web servers such as Tomcat and Jetty. The directory contains configuration files, JSP/class files, etc. If a local attacker got permission to write in this directory, they could completely take over the application (i.e. local privilege escalation).

Impact Location

This vulnerability impacted the following source location:

```java
	/**
	 * Return the absolute temp dir for given web server.
	 * @param prefix server name
	 * @return the temp dir for given server.
	 */
	protected final File createTempDir(String prefix) {
		try {
			File tempDir = File.createTempFile(prefix + ".", "." + getPort());
			tempDir.delete();
			tempDir.mkdir(); // return value (false on failure) is never checked
			tempDir.deleteOnExit();
			return tempDir;
		}
		catch (IOException ex) {
			// closing catch block as in the upstream source
			throw new WebServerException("Unable to create tempDir. java.io.tmpdir is set to "
					+ System.getProperty("java.io.tmpdir"), ex);
		}
	}
```

- https://github.com/spring-projects/spring-boot/blob/ce70e7d768977242a8ea6f93188388f273be5851/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/server/AbstractConfigurableWebServerFactory.java#L165-L177

This vulnerability exists because File.mkdir returns false when it fails to create a directory, it does not throw an exception. As such, the following race condition exists:

```java
File tmpDir = File.createTempFile(prefix + ".", "." + getPort()); // Attacker knows the full path of the file that will be generated
// delete the file that was created
tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty.
// and make a directory of the same name
// SECURITY VULNERABILITY: Race Condition! - Attacker beats java code and now owns this directory
tmpDir.mkdirs(); // This method returns 'false' because it was unable to create the directory. No exception is thrown.
// Attacker can write any new files to this directory that they wish.
// Attacker can read any files created by this process.
```

Prerequisites

This vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.

Patches

This vulnerability was inadvertently fixed as a part of this patch: spring-projects/spring-boot@667ccda

This vulnerability is patched in versions v2.2.11.RELEASE or later.

Workarounds

Setting the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems.

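As an added example (not the spring-boot patch and not dd-trace-java code; class and method names are assumptions), the racy create-delete-mkdir pattern quoted in the advisory next to a hardened form that uses Files.createTempDirectory, plus a startup check backing the java.io.tmpdir workaround the advisory recommends:

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

/** Added example (not spring-boot or dd-trace-java code): the racy pattern beside a hardened one. */
public final class TempDirExample {

    /** Same shape as the pre-2.2.11 createTempDir: the boolean from mkdir() is silently dropped. */
    static File racyCreateTempDir(String prefix, int port) throws IOException {
        File tempDir = File.createTempFile(prefix + ".", "." + port);
        tempDir.delete();   // the name is now free; another local user can claim it before the next line
        tempDir.mkdir();    // returns false (no exception) if someone else already owns that directory
        tempDir.deleteOnExit();
        return tempDir;     // the caller cannot tell whether it actually owns this directory
    }

    /** Hardened: Files.createTempDirectory creates a fresh, uniquely named directory in one call. */
    static Path hardenedCreateTempDir(String prefix, int port) throws IOException {
        Path dir = Files.createTempDirectory(prefix + "." + port + ".");
        try {
            // On POSIX the JDK already creates it owner-only; enforce 0700 explicitly anyway.
            Files.setPosixFilePermissions(dir, EnumSet.of(PosixFilePermission.OWNER_READ,
                PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem (e.g. Windows): permissions are ACL-based, nothing to tighten here.
        }
        return dir;
    }

    /**
     * Startup check for the java.io.tmpdir workaround: true only when the directory exists, is
     * owned by the current user and is not writable by group or others. Returns true on
     * filesystems without POSIX attributes, where the check cannot be made.
     */
    static boolean tmpDirIsPrivate(Path tmpDir) throws IOException {
        if (!Files.isDirectory(tmpDir)) {
            return false;
        }
        try {
            boolean ownedByMe = Files.getOwner(tmpDir).getName().equals(System.getProperty("user.name"));
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(tmpDir);
            boolean othersCanWrite = perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE);
            return ownedByMe && !othersCanWrite;
        } catch (UnsupportedOperationException e) {
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        // On a stock Linux box /tmp is root-owned and mode 1777, so this prints false;
        // a per-user directory passed with -Djava.io.tmpdir=... prints true.
        System.out.println(tmp + " private=" + tmpDirIsPrivate(tmp));
        Path dir = hardenedCreateTempDir("tomcat", 8080);
        System.out.println("created " + dir);
        Files.delete(dir);
    }
}
```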

@amarziali (Collaborator, Author) commented:

For testing. This message can be ignored
