
Fix session rewriting false positives #7323

Merged: 8 commits merged into master from alejandro.gonzalez/session-rewriting-fix on Jul 24, 2024

Conversation

@jandro996 jandro996 (Member) commented Jul 12, 2024

What Does This Do

  • Remove Session Tracking Modes check calls from servlet instrumentation
  • Add IAST instrumentation to HttpSession#getSession with calls to Session Tracking Modes check

Solved for javax and jakarta implementations

Motivation

The current implementation for detecting Session Rewriting is causing false positives because it only considers the servlet configuration. This may be insecure, but if the session is not being used, a Session Rewriting should not be reported.

Additional Notes

Jira ticket: APPSEC-53722
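As an added illustration of the rule this PR describes (report Session Rewriting only when the application actually uses the session, not merely because the servlet configuration permits URL rewriting), here is a hypothetical servlet `Filter` written for this page; it is not the project's instrumentation. It assumes only the Servlet 3.x API (`javax.servlet`) and reports through `ServletContext.log`; the `SessionObservingRequest` and `shouldReport` names are invented.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (added example, not the project's code) mirroring the PR's
 * decision rule: a Session Rewriting finding is raised only when the effective
 * tracking modes allow URL rewriting AND the handler actually touched the session.
 * A config-only check would fire on every request of an app that never calls getSession().
 */
public class SessionRewritingDetectorFilter implements Filter {

  /** Wrapper that records whether the handler asked for a session during this request. */
  static final class SessionObservingRequest extends HttpServletRequestWrapper {
    boolean sessionUsed;

    SessionObservingRequest(HttpServletRequest request) { super(request); }

    @Override public HttpSession getSession() {
      sessionUsed = true;                 // the point of the fix: usage, not configuration
      return super.getSession();
    }

    @Override public HttpSession getSession(boolean create) {
      HttpSession s = super.getSession(create);
      if (s != null) sessionUsed = true;  // assumption: reading an existing session counts as use
      return s;
    }
  }

  /** Pure decision rule, kept separate so it can be unit-tested without a container. */
  static boolean shouldReport(Set<SessionTrackingMode> effectiveModes, boolean sessionUsed) {
    return sessionUsed && effectiveModes.contains(SessionTrackingMode.URL);
  }

  @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    SessionObservingRequest wrapped = new SessionObservingRequest((HttpServletRequest) req);
    chain.doFilter(wrapped, res);       // let the application run, then decide
    Set<SessionTrackingMode> modes = req.getServletContext().getEffectiveSessionTrackingModes();
    if (shouldReport(modes, wrapped.sessionUsed)) {
      // Any reporter can go here; a container log line keeps the example self-contained.
      req.getServletContext().log("SESSION_REWRITING: URL tracking mode enabled and session used on "
          + wrapped.getRequestURI());
    }
  }

  @Override public void init(FilterConfig cfg) {}
  @Override public void destroy() {}
}
```

With `SessionTrackingMode.URL` enabled but no handler calling `getSession()`, the filter stays silent, which is exactly the false positive the PR removes.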

@jandro996 jandro996 added type: bug comp: asm iast Application Security Management (IAST) labels Jul 12, 2024
@pr-commenter pr-commenter bot commented Jul 12, 2024

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/session-rewriting-fix |
| git_commit_date | 1721730161 | 1721754159 |
| git_commit_sha | e146e2f | 3727c44 |
| release_version | 1.38.0-SNAPSHOT~e146e2f28a | 1.38.0-SNAPSHOT~3727c44e6a |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
|---|---|
| application | insecure-bank |
| ci_job_date | 1721756720 |
| ci_job_id | 582001325 |
| ci_pipeline_id | 39915351 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent |
| parent | None |
| variant | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 50 metrics, 13 unstable metrics.

Startup time reports for insecure-bank
[Chart: insecure-bank - global startup overhead: candidate=1.38.0-SNAPSHOT~3727c44e6a, baseline=1.38.0-SNAPSHOT~e146e2f28a]

Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.044 s | - |
| Agent | iast | 1.179 s | 135.129 ms (12.9%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.17 s | 126.412 ms (12.1%) |
| Agent | iast_TELEMETRY_OFF | 1.17 s | 125.942 ms (12.1%) |
| Total | tracing | 8.461 s | - |
| Total | iast | 8.996 s | 535.215 ms (6.3%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 8.946 s | 484.761 ms (5.7%) |
| Total | iast_TELEMETRY_OFF | 8.989 s | 527.649 ms (6.2%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.044 s | - |
| Agent | iast | 1.174 s | 129.769 ms (12.4%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.171 s | 127.451 ms (12.2%) |
| Agent | iast_TELEMETRY_OFF | 1.187 s | 143.267 ms (13.7%) |
| Total | tracing | 8.482 s | - |
| Total | iast | 8.973 s | 491.069 ms (5.8%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 8.938 s | 456.413 ms (5.4%) |
| Total | iast_TELEMETRY_OFF | 8.979 s | 497.35 ms (5.9%) |
Break down per module (insecure-bank; candidate=1.38.0-SNAPSHOT~3727c44e6a, baseline=1.38.0-SNAPSHOT~e146e2f28a):

| Section | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 667.103 ms | 666.823 ms |
| tracing | GlobalTracer | 305.099 ms | 305.395 ms |
| tracing | AppSec | 50.195 ms | 50.043 ms |
| tracing | Remote Config | 675.803 µs | 677.568 µs |
| tracing | Telemetry | 7.602 ms | 7.62 ms |
| iast | BytebuddyAgent | 787.367 ms | 782.27 ms |
| iast | GlobalTracer | 296.158 ms | 295.247 ms |
| iast | AppSec | 48.17 ms | 50.876 ms |
| iast | IAST | 26.414 ms | 24.194 ms |
| iast | Remote Config | 589.579 µs | 595.122 µs |
| iast | Telemetry | 6.966 ms | 7.106 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 779.042 ms | 780.604 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 294.953 ms | 296.052 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 51.945 ms | 49.078 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 22.728 ms | 24.489 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 581.521 µs | 596.459 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 7.785 ms | 7.148 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 779.489 ms | 791.96 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 295.667 ms | 299.864 ms |
| iast_TELEMETRY_OFF | AppSec | 47.365 ms | 48.141 ms |
| iast_TELEMETRY_OFF | IAST | 25.7 ms | 25.92 ms |
| iast_TELEMETRY_OFF | Remote Config | 578.902 µs | 624.414 µs |
| iast_TELEMETRY_OFF | Telemetry | 7.722 ms | 7.081 ms |
Startup time reports for petclinic
[Chart: petclinic - global startup overhead: candidate=1.38.0-SNAPSHOT~3727c44e6a, baseline=1.38.0-SNAPSHOT~e146e2f28a]

Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.042 s | - |
| Agent | appsec | 1.163 s | 120.582 ms (11.6%) |
| Agent | iast | 1.172 s | 129.342 ms (12.4%) |
| Agent | profiling | 1.24 s | 197.221 ms (18.9%) |
| Total | tracing | 10.36 s | - |
| Total | appsec | 10.495 s | 135.172 ms (1.3%) |
| Total | iast | 10.705 s | 345.059 ms (3.3%) |
| Total | profiling | 10.556 s | 196.59 ms (1.9%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.042 s | - |
| Agent | appsec | 1.169 s | 126.559 ms (12.1%) |
| Agent | iast | 1.174 s | 131.363 ms (12.6%) |
| Agent | profiling | 1.244 s | 201.331 ms (19.3%) |
| Total | tracing | 10.337 s | - |
| Total | appsec | 10.512 s | 174.791 ms (1.7%) |
| Total | iast | 10.827 s | 490.012 ms (4.7%) |
| Total | profiling | 10.618 s | 280.935 ms (2.7%) |
Break down per module (petclinic; candidate=1.38.0-SNAPSHOT~3727c44e6a, baseline=1.38.0-SNAPSHOT~e146e2f28a):

| Section | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 665.893 ms | 665.74 ms |
| tracing | GlobalTracer | 304.801 ms | 304.984 ms |
| tracing | AppSec | 50.099 ms | 49.91 ms |
| tracing | Remote Config | 664.7 µs | 657.924 µs |
| tracing | Telemetry | 7.584 ms | 7.559 ms |
| appsec | BytebuddyAgent | 676.646 ms | 679.922 ms |
| appsec | GlobalTracer | 299.413 ms | 300.392 ms |
| appsec | AppSec | 154.068 ms | 154.41 ms |
| appsec | Remote Config | 624.093 µs | 631.773 µs |
| appsec | Telemetry | 7.929 ms | 8.344 ms |
| appsec | IAST | 21.797 ms | 23.261 ms |
| iast | BytebuddyAgent | 782.17 ms | 781.635 ms |
| iast | GlobalTracer | 295.827 ms | 295.459 ms |
| iast | AppSec | 47.479 ms | 50.438 ms |
| iast | Remote Config | 601.156 µs | 590.315 µs |
| iast | Telemetry | 7.062 ms | 7.966 ms |
| iast | IAST | 25.202 ms | 24.053 ms |
| profiling | BytebuddyAgent | 661.929 ms | 664.127 ms |
| profiling | GlobalTracer | 387.997 ms | 388.358 ms |
| profiling | AppSec | 51.577 ms | 51.517 ms |
| profiling | Remote Config | 664.741 µs | 647.946 µs |
| profiling | Telemetry | 7.367 ms | 7.345 ms |
| profiling | ProfilingAgent | 94.121 ms | 95.476 ms |
| profiling | Profiling | 94.145 ms | 95.5 ms |

Load

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-07-23T17:16:02 | 2024-07-23T17:22:50 |
| git_branch | master | alejandro.gonzalez/session-rewriting-fix |
| git_commit_date | 1721730161 | 1721754159 |
| git_commit_sha | e146e2f | 3727c44 |
| release_version | 1.38.0-SNAPSHOT~e146e2f28a | 1.38.0-SNAPSHOT~3727c44e6a |
| start_time | 2024-07-23T17:15:49 | 2024-07-23T17:22:37 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
|---|---|
| application | insecure-bank |
| ci_job_date | 1721755713 |
| ci_job_id | 582001326 |
| ci_pipeline_id | 39915351 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for insecure-bank
[Chart: insecure-bank - request duration [CI 0.99]: candidate=1.38.0-SNAPSHOT~3727c44e6a, baseline=1.38.0-SNAPSHOT~e146e2f28a]

Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 364.504 µs [344.304 µs, 384.704 µs] | - |
| iast | 472.821 µs [451.731 µs, 493.911 µs] | 108.317 µs (29.7%) |
| iast_FULL | 542.221 µs [521.078 µs, 563.363 µs] | 177.717 µs (48.8%) |
| iast_GLOBAL | 497.262 µs [476.347 µs, 518.176 µs] | 132.758 µs (36.4%) |
| iast_HARDCODED_SECRET_DISABLED | 476.776 µs [455.799 µs, 497.753 µs] | 112.272 µs (30.8%) |
| iast_INACTIVE | 448.253 µs [427.236 µs, 469.271 µs] | 83.749 µs (23.0%) |
| iast_TELEMETRY_OFF | 461.749 µs [441.032 µs, 482.467 µs] | 97.245 µs (26.7%) |
| tracing | 433.974 µs [413.162 µs, 454.786 µs] | 69.47 µs (19.1%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 359.781 µs [340.121 µs, 379.441 µs] | - |
| iast | 481.249 µs [459.437 µs, 503.062 µs] | 121.468 µs (33.8%) |
| iast_FULL | 541.771 µs [520.726 µs, 562.817 µs] | 181.99 µs (50.6%) |
| iast_GLOBAL | 495.316 µs [474.239 µs, 516.392 µs] | 135.535 µs (37.7%) |
| iast_HARDCODED_SECRET_DISABLED | 475.057 µs [453.99 µs, 496.125 µs] | 115.276 µs (32.0%) |
| iast_INACTIVE | 448.233 µs [426.462 µs, 470.005 µs] | 88.452 µs (24.6%) |
| iast_TELEMETRY_OFF | 462.094 µs [441.008 µs, 483.18 µs] | 102.313 µs (28.4%) |
| tracing | 433.799 µs [413.407 µs, 454.191 µs] | 74.018 µs (20.6%) |
Request duration reports for petclinic
[Chart: petclinic - request duration [CI 0.99]: candidate=1.38.0-SNAPSHOT~3727c44e6a, baseline=1.38.0-SNAPSHOT~e146e2f28a]

Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.334 ms [1.314 ms, 1.354 ms] | - |
| appsec | 1.709 ms [1.685 ms, 1.733 ms] | 374.871 µs (28.1%) |
| appsec_no_iast | 1.715 ms [1.69 ms, 1.739 ms] | 380.94 µs (28.6%) |
| iast | 1.482 ms [1.46 ms, 1.505 ms] | 148.688 µs (11.1%) |
| profiling | 1.522 ms [1.496 ms, 1.547 ms] | 187.883 µs (14.1%) |
| tracing | 1.474 ms [1.45 ms, 1.498 ms] | 140.454 µs (10.5%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.334 ms [1.315 ms, 1.353 ms] | - |
| appsec | 1.697 ms [1.673 ms, 1.721 ms] | 362.525 µs (27.2%) |
| appsec_no_iast | 1.716 ms [1.693 ms, 1.74 ms] | 382.111 µs (28.6%) |
| iast | 1.473 ms [1.451 ms, 1.496 ms] | 139.056 µs (10.4%) |
| profiling | 1.472 ms [1.448 ms, 1.497 ms] | 138.058 µs (10.3%) |
| tracing | 1.467 ms [1.442 ms, 1.492 ms] | 132.841 µs (10.0%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/session-rewriting-fix |
| git_commit_date | 1721730161 | 1721754159 |
| git_commit_sha | e146e2f | 3727c44 |
| release_version | 1.38.0-SNAPSHOT~e146e2f28a | 1.38.0-SNAPSHOT~3727c44e6a |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
|---|---|
| application | biojava |
| ci_job_date | 1721756227 |
| ci_job_id | 582001328 |
| ci_pipeline_id | 39915351 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat
[Chart: tomcat - execution time [CI 0.99]: candidate=1.38.0-SNAPSHOT~3727c44e6a, baseline=1.38.0-SNAPSHOT~e146e2f28a]

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.458 ms [1.447 ms, 1.47 ms] | - |
| appsec | 2.224 ms [2.189 ms, 2.259 ms] | 766.069 µs (52.5%) |
| iast | 1.961 ms [1.919 ms, 2.002 ms] | 502.493 µs (34.5%) |
| iast_GLOBAL | 2.002 ms [1.96 ms, 2.045 ms] | 543.968 µs (37.3%) |
| profiling | 1.862 ms [1.826 ms, 1.897 ms] | 403.571 µs (27.7%) |
| tracing | 1.843 ms [1.81 ms, 1.876 ms] | 384.685 µs (26.4%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.459 ms [1.447 ms, 1.47 ms] | - |
| appsec | 2.228 ms [2.193 ms, 2.263 ms] | 769.663 µs (52.8%) |
| iast | 1.959 ms [1.918 ms, 2.0 ms] | 500.352 µs (34.3%) |
| iast_GLOBAL | 2.021 ms [1.978 ms, 2.063 ms] | 562.103 µs (38.5%) |
| profiling | 1.865 ms [1.831 ms, 1.9 ms] | 406.495 µs (27.9%) |
| tracing | 1.836 ms [1.803 ms, 1.869 ms] | 377.081 µs (25.8%) |
Execution time for biojava
[Chart: biojava - execution time [CI 0.99]: candidate=1.38.0-SNAPSHOT~3727c44e6a, baseline=1.38.0-SNAPSHOT~e146e2f28a]

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.418 s [15.418 s, 15.418 s] | - |
| appsec | 14.972 s [14.972 s, 14.972 s] | -446.0 ms (-2.9%) |
| iast | 18.762 s [18.762 s, 18.762 s] | 3.344 s (21.7%) |
| iast_GLOBAL | 18.106 s [18.106 s, 18.106 s] | 2.688 s (17.4%) |
| profiling | 15.286 s [15.286 s, 15.286 s] | -132.0 ms (-0.9%) |
| tracing | 15.278 s [15.278 s, 15.278 s] | -140.0 ms (-0.9%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.357 s [15.357 s, 15.357 s] | - |
| appsec | 15.098 s [15.098 s, 15.098 s] | -259.0 ms (-1.7%) |
| iast | 18.75 s [18.75 s, 18.75 s] | 3.393 s (22.1%) |
| iast_GLOBAL | 17.959 s [17.959 s, 17.959 s] | 2.602 s (16.9%) |
| profiling | 16.012 s [16.012 s, 16.012 s] | 655.0 ms (4.3%) |
| tracing | 15.016 s [15.016 s, 15.016 s] | -341.0 ms (-2.2%) |

}

@Override
protected boolean isOptOutEnabled() {
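Review bot: the `isOptOutEnabled()` override shown here carries no comment explaining why a second instrumentation exists next to the existing JakartaHttpServletRequestInstrumentation; the reason given in the thread (session rewriting is an opt-out IAST feature, so its hooks need their own opt-out-aware instrumentation class) belongs in a Javadoc on the class or on this method so it survives without the PR discussion.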
Member Author

@jandro996 jandro996 Jul 15, 2024


Although we already have a JakartaHttpServletRequestInstrumentation for IAST, we need another one because session rewriting is an opt-out feature.

@jandro996 jandro996 marked this pull request as ready for review July 15, 2024 06:24
@jandro996 jandro996 requested review from a team as code owners July 15, 2024 06:24
@jandro996 jandro996 merged commit 598bb20 into master Jul 24, 2024
80 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/session-rewriting-fix branch July 24, 2024 13:24
@github-actions github-actions bot added this to the 1.38.0 milestone Jul 24, 2024