
Increase IAST propagation to StringBuffer setLength #8128

Merged 7 commits into master from mario.vidal/taint_tracking_string_buffer_set_length on Jan 10, 2025

Conversation

Mariovido (Contributor) commented Dec 23, 2024

What Does This Do

This adds the instrumentation to propagate the taint values through the following methods of StringBuffer:

  • setLength(int)

Motivation

Increase propagation of StringBuffer methods.

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-55367
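For a reader who wants to see what "propagating taint through setLength" has to do in practice, here is an added example that is not code from dd-trace-java or from this PR. It models the rule with a hypothetical TaintedRange class and a hypothetical propagateSetLength helper: a tainted range survives setLength(n) only where it still overlaps [0, n), a range straddling the cut is clipped, and the '\0' characters setLength pads with when growing the buffer are never tainted. The sinkSeesTaint check is a stand-in for a SQL sink, not IAST's real sink logic.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Model of how taint ranges attached to a StringBuffer must be adjusted when
 * setLength(int) is called. Hypothetical helper, not dd-trace-java's own code.
 */
public class SetLengthTaintModel {

    /** A tainted span [start, start+length) and the name of the input it came from. */
    static final class TaintedRange {
        final int start;
        final int length;
        final String source;

        TaintedRange(int start, int length, String source) {
            this.start = start;
            this.length = length;
            this.source = source;
        }

        @Override
        public String toString() {
            return source + "[" + start + "," + (start + length) + ")";
        }
    }

    /**
     * Returns the ranges that survive buf.setLength(newLength):
     * - newLength == 0 empties the buffer, so no range survives;
     * - a range starting at or beyond newLength is dropped (those chars are gone);
     * - a range that straddles newLength is clipped to end at newLength;
     * - a larger newLength pads with '\0', which is untainted, so ranges are unchanged.
     */
    static List<TaintedRange> propagateSetLength(List<TaintedRange> ranges, int newLength) {
        List<TaintedRange> kept = new ArrayList<>();
        if (newLength <= 0) {
            return kept;
        }
        for (TaintedRange r : ranges) {
            if (r.start >= newLength) {
                continue; // entirely beyond the cut
            }
            int end = Math.min(r.start + r.length, newLength);
            kept.add(new TaintedRange(r.start, end - r.start, r.source));
        }
        return kept;
    }

    /** Stand-in for a SQL sink: is any attacker-controlled character still in the buffer? */
    static boolean sinkSeesTaint(List<TaintedRange> ranges) {
        return !ranges.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed input: a query built from a constant prefix and a user-controlled value.
        String prefix = "SELECT * FROM users WHERE name = '";
        String userInput = "bob' OR '1'='1"; // pretend this arrived in an HTTP parameter

        StringBuffer buf = new StringBuffer(prefix).append(userInput);
        List<TaintedRange> ranges = new ArrayList<>();
        ranges.add(new TaintedRange(prefix.length(), userInput.length(), "http.request.parameter"));
        System.out.println("before: " + buf + "  ranges=" + ranges);

        // 1. Truncate inside the tainted region: the range must be clipped, not lost.
        int cut = prefix.length() + 4; // keeps "bob'"
        buf.setLength(cut);
        ranges = propagateSetLength(ranges, cut);
        System.out.println("cut   : " + buf + "  ranges=" + ranges
                + "  sink sees taint=" + sinkSeesTaint(ranges));

        // 2. Grow the buffer: the '\0' padding is not attacker data, ranges stay as they are.
        buf.setLength(cut + 3);
        ranges = propagateSetLength(ranges, cut + 3);
        System.out.println("grown : length=" + buf.length() + "  ranges=" + ranges);

        // 3. Truncate before the tainted region: nothing attacker-controlled is left.
        buf.setLength(prefix.length());
        ranges = propagateSetLength(ranges, prefix.length());
        System.out.println("prefix: " + buf + "  ranges=" + ranges
                + "  sink sees taint=" + sinkSeesTaint(ranges));
    }
}
```

The two failure modes the model guards against are the ones worth checking in any such instrumentation: dropping all ranges on truncation would turn an injection through a later sink into a false negative, while keeping ranges unchanged would leave them pointing past the end of the buffer once it has been shortened.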

@Mariovido Mariovido added type: enhancement comp: asm iast Application Security Management (IAST) labels Dec 23, 2024
pr-commenter bot commented Dec 23, 2024

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master mario.vidal/taint_tracking_string_buffer_set_length
git_commit_date 1736497810 1736500201
git_commit_sha f4139b0 b3e8860
release_version 1.46.0-SNAPSHOT~f4139b0e7d 1.46.0-SNAPSHOT~b3e8860a51
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1736502685 1736502685
ci_job_id 761461604 761461604
ci_pipeline_id 52639762 52639762
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 58 metrics, 5 unstable metrics.

Startup time reports for insecure-bank
[Gantt chart: insecure-bank - global startup overhead, candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d; the Agent and Total durations it plots are listed in the tables below]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.055 s -
Agent iast 1.177 s 122.05 ms (11.6%)
Agent iast_HARDCODED_SECRET_DISABLED 1.186 s 131.365 ms (12.5%)
Agent iast_TELEMETRY_OFF 1.176 s 121.162 ms (11.5%)
Total tracing 8.619 s -
Total iast 9.2 s 580.106 ms (6.7%)
Total iast_HARDCODED_SECRET_DISABLED 9.19 s 570.108 ms (6.6%)
Total iast_TELEMETRY_OFF 9.168 s 548.111 ms (6.4%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.062 s -
Agent iast 1.179 s 117.043 ms (11.0%)
Agent iast_HARDCODED_SECRET_DISABLED 1.182 s 120.45 ms (11.3%)
Agent iast_TELEMETRY_OFF 1.176 s 113.766 ms (10.7%)
Total tracing 8.629 s -
Total iast 9.213 s 584.427 ms (6.8%)
Total iast_HARDCODED_SECRET_DISABLED 9.19 s 560.673 ms (6.5%)
Total iast_TELEMETRY_OFF 9.198 s 569.125 ms (6.6%)
insecure-bank - break down per module: candidate=1.46.0-SNAPSHOT~b3e8860a51, baseline=1.46.0-SNAPSHOT~f4139b0e7d

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 713.68 ms | 716.962 ms |
| tracing | GlobalTracer | 256.36 ms | 257.394 ms |
| tracing | AppSec | 55.316 ms | 56.182 ms |
| tracing | Remote Config | 709.253 µs | 725.868 µs |
| tracing | Telemetry | 13.649 ms | 15.671 ms |
| iast | BytebuddyAgent | 827.763 ms | 828.975 ms |
| iast | GlobalTracer | 245.656 ms | 246.266 ms |
| iast | AppSec | 57.959 ms | 57.944 ms |
| iast | Remote Config | 662.738 µs | 682.996 µs |
| iast | Telemetry | 8.671 ms | 8.719 ms |
| iast | IAST | 21.073 ms | 21.343 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 834.035 ms | 831.831 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 246.958 ms | 246.73 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 58.829 ms | 57.976 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 686.77 µs | 698.111 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 8.902 ms | 8.813 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 21.708 ms | 21.338 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 827.036 ms | 827.151 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 246.059 ms | 246.198 ms |
| iast_TELEMETRY_OFF | AppSec | 57.855 ms | 57.5 ms |
| iast_TELEMETRY_OFF | Remote Config | 648.924 µs | 645.493 µs |
| iast_TELEMETRY_OFF | Telemetry | 8.586 ms | 8.567 ms |
| iast_TELEMETRY_OFF | IAST | 20.757 ms | 20.59 ms |
Startup time reports for petclinic
[Gantt chart: petclinic - global startup overhead, candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d; the Agent and Total durations it plots are listed in the tables below]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.06 s -
Agent appsec 1.196 s 135.575 ms (12.8%)
Agent iast 1.18 s 119.29 ms (11.3%)
Agent profiling 1.285 s 224.473 ms (21.2%)
Total tracing 10.541 s -
Total appsec 10.719 s 177.976 ms (1.7%)
Total iast 10.955 s 414.219 ms (3.9%)
Total profiling 10.821 s 280.126 ms (2.7%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.075 s -
Agent appsec 1.193 s 118.061 ms (11.0%)
Agent iast 1.181 s 106.211 ms (9.9%)
Agent profiling 1.271 s 196.27 ms (18.3%)
Total tracing 10.485 s -
Total appsec 10.721 s 235.927 ms (2.3%)
Total iast 10.965 s 479.889 ms (4.6%)
Total profiling 10.88 s 395.268 ms (3.8%)
petclinic - break down per module: candidate=1.46.0-SNAPSHOT~b3e8860a51, baseline=1.46.0-SNAPSHOT~f4139b0e7d

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 716.376 ms | 725.646 ms |
| tracing | GlobalTracer | 257.009 ms | 261.382 ms |
| tracing | AppSec | 55.409 ms | 58.582 ms |
| tracing | Remote Config | 740.693 µs | 738.169 µs |
| tracing | Telemetry | 15.726 ms | 13.226 ms |
| appsec | BytebuddyAgent | 736.585 ms | 733.819 ms |
| appsec | GlobalTracer | 254.238 ms | 254.24 ms |
| appsec | AppSec | 171.251 ms | 171.174 ms |
| appsec | Remote Config | 659.475 µs | 655.766 µs |
| appsec | Telemetry | 8.275 ms | 8.181 ms |
| appsec | IAST | 19.483 ms | 19.437 ms |
| iast | BytebuddyAgent | 829.881 ms | 830.59 ms |
| iast | GlobalTracer | 246.081 ms | 246.633 ms |
| iast | AppSec | 58.003 ms | 58.268 ms |
| iast | Remote Config | 677.331 µs | 682.794 µs |
| iast | Telemetry | 8.679 ms | 8.763 ms |
| iast | IAST | 21.268 ms | 21.051 ms |
| profiling | ProfilingAgent | 96.546 ms | 94.826 ms |
| profiling | BytebuddyAgent | 709.506 ms | 703.55 ms |
| profiling | GlobalTracer | 372.269 ms | 367.699 ms |
| profiling | AppSec | 54.579 ms | 53.605 ms |
| profiling | Remote Config | 695.362 µs | 697.018 µs |
| profiling | Telemetry | 8.9 ms | 8.834 ms |
| profiling | Profiling | 96.571 ms | 94.851 ms |

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2025-01-10T09:21:23 2025-01-10T09:28:26
git_branch master mario.vidal/taint_tracking_string_buffer_set_length
git_commit_date 1736497810 1736500201
git_commit_sha f4139b0 b3e8860
release_version 1.46.0-SNAPSHOT~f4139b0e7d 1.46.0-SNAPSHOT~b3e8860a51
start_time 2025-01-10T09:21:09 2025-01-10T09:28:12
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1736501660 1736501660
ci_job_id 761461605 761461605
ci_pipeline_id 52639762 52639762
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant iast iast

Summary

Found 1 performance improvement and 0 performance regressions! Performance is the same for 10 metrics, 17 unstable metrics.

scenario:load:petclinic:profiling
Δ mean http_req_duration: better, [-94.833µs; -43.143µs] or [-5.960%; -2.712%]
Δ mean throughput: unstable, [-429.149op/s; +657.070op/s] or [-14.484%; +22.176%]
candidate mean http_req_duration 1.522ms, candidate mean throughput 3076.923op/s
baseline mean http_req_duration 1.591ms, baseline mean throughput 2962.963op/s
Request duration reports for petclinic
[Gantt chart: petclinic - request duration [CI 0.99], candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d; the per-variant durations and confidence intervals it plots are listed in the tables below]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.364 ms [1.344 ms, 1.384 ms] -
appsec 1.756 ms [1.732 ms, 1.78 ms] 392.36 µs (28.8%)
appsec_no_iast 1.766 ms [1.741 ms, 1.791 ms] 401.951 µs (29.5%)
iast 1.507 ms [1.484 ms, 1.53 ms] 143.229 µs (10.5%)
profiling 1.591 ms [1.566 ms, 1.616 ms] 227.23 µs (16.7%)
tracing 1.486 ms [1.46 ms, 1.511 ms] 121.738 µs (8.9%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.374 ms [1.354 ms, 1.393 ms] -
appsec 1.747 ms [1.723 ms, 1.771 ms] 373.158 µs (27.2%)
appsec_no_iast 1.739 ms [1.715 ms, 1.763 ms] 365.827 µs (26.6%)
iast 1.519 ms [1.496 ms, 1.542 ms] 145.291 µs (10.6%)
profiling 1.522 ms [1.499 ms, 1.545 ms] 148.518 µs (10.8%)
tracing 1.492 ms [1.467 ms, 1.517 ms] 118.653 µs (8.6%)
Request duration reports for insecure-bank
[Gantt chart: insecure-bank - request duration [CI 0.99], candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d; the per-variant durations and confidence intervals it plots are listed in the tables below]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 384.298 µs [363.005 µs, 405.591 µs] -
iast 507.567 µs [484.998 µs, 530.136 µs] 123.269 µs (32.1%)
iast_FULL 663.637 µs [642.252 µs, 685.022 µs] 279.339 µs (72.7%)
iast_GLOBAL 530.541 µs [508.28 µs, 552.802 µs] 146.243 µs (38.1%)
iast_HARDCODED_SECRET_DISABLED 498.844 µs [477.162 µs, 520.525 µs] 114.546 µs (29.8%)
iast_INACTIVE 452.107 µs [431.488 µs, 472.726 µs] 67.809 µs (17.6%)
iast_TELEMETRY_OFF 487.408 µs [465.543 µs, 509.273 µs] 103.11 µs (26.8%)
tracing 458.581 µs [437.158 µs, 480.005 µs] 74.283 µs (19.3%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 383.08 µs [363.115 µs, 403.046 µs] -
iast 495.284 µs [473.824 µs, 516.745 µs] 112.204 µs (29.3%)
iast_FULL 665.305 µs [643.567 µs, 687.042 µs] 282.224 µs (73.7%)
iast_GLOBAL 525.711 µs [504.26 µs, 547.162 µs] 142.631 µs (37.2%)
iast_HARDCODED_SECRET_DISABLED 509.943 µs [487.681 µs, 532.204 µs] 126.862 µs (33.1%)
iast_INACTIVE 465.405 µs [443.495 µs, 487.315 µs] 82.325 µs (21.5%)
iast_TELEMETRY_OFF 493.525 µs [471.164 µs, 515.886 µs] 110.445 µs (28.8%)
tracing 458.447 µs [437.078 µs, 479.816 µs] 75.367 µs (19.7%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master mario.vidal/taint_tracking_string_buffer_set_length
git_commit_date 1736497810 1736500201
git_commit_sha f4139b0 b3e8860
release_version 1.46.0-SNAPSHOT~f4139b0e7d 1.46.0-SNAPSHOT~b3e8860a51
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1736502217 1736502217
ci_job_id 761461606 761461606
ci_pipeline_id 52639762 52639762
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
[Gantt chart: biojava - execution time [CI 0.99], candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d; the per-variant execution times it plots are listed in the tables below]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.938 s [14.938 s, 14.938 s] -
appsec 14.94 s [14.94 s, 14.94 s] 2.0 ms (0.0%)
iast 19.043 s [19.043 s, 19.043 s] 4.105 s (27.5%)
iast_GLOBAL 18.128 s [18.128 s, 18.128 s] 3.19 s (21.4%)
profiling 15.476 s [15.476 s, 15.476 s] 538.0 ms (3.6%)
tracing 15.201 s [15.201 s, 15.201 s] 263.0 ms (1.8%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.481 s [15.481 s, 15.481 s] -
appsec 15.139 s [15.139 s, 15.139 s] -342.0 ms (-2.2%)
iast 18.729 s [18.729 s, 18.729 s] 3.248 s (21.0%)
iast_GLOBAL 17.923 s [17.923 s, 17.923 s] 2.442 s (15.8%)
profiling 14.871 s [14.871 s, 14.871 s] -610.0 ms (-3.9%)
tracing 14.76 s [14.76 s, 14.76 s] -721.0 ms (-4.7%)
Execution time for tomcat
[Gantt chart: tomcat - execution time [CI 0.99], candidate=1.46.0-SNAPSHOT~b3e8860a51 vs baseline=1.46.0-SNAPSHOT~f4139b0e7d; the per-variant execution times and confidence intervals it plots are listed in the tables below]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.468 ms [1.456 ms, 1.479 ms] -
appsec 2.346 ms [2.304 ms, 2.388 ms] 878.326 µs (59.8%)
iast 2.101 ms [2.047 ms, 2.155 ms] 633.316 µs (43.2%)
iast_GLOBAL 2.143 ms [2.089 ms, 2.197 ms] 675.114 µs (46.0%)
profiling 1.955 ms [1.912 ms, 1.998 ms] 487.483 µs (33.2%)
tracing 1.931 ms [1.889 ms, 1.972 ms] 463.028 µs (31.5%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.473 ms [1.461 ms, 1.485 ms] -
appsec 2.365 ms [2.323 ms, 2.408 ms] 892.166 µs (60.6%)
iast 2.102 ms [2.048 ms, 2.155 ms] 628.586 µs (42.7%)
iast_GLOBAL 2.143 ms [2.089 ms, 2.197 ms] 670.197 µs (45.5%)
profiling 1.965 ms [1.922 ms, 2.008 ms] 491.674 µs (33.4%)
tracing 1.945 ms [1.904 ms, 1.987 ms] 472.308 µs (32.1%)

@Mariovido Mariovido marked this pull request as ready for review December 23, 2024 11:33
@Mariovido Mariovido requested review from a team as code owners December 23, 2024 11:33
jandro996 (Member) left a comment

LGTM if @manuel-alvarez-alvarez is fine with removing the weak reference inside the tainted object ;)

@Mariovido Mariovido merged commit 22458b3 into master Jan 10, 2025
173 of 174 checks passed
@Mariovido Mariovido deleted the mario.vidal/taint_tracking_string_buffer_set_length branch January 10, 2025 10:03
@github-actions github-actions bot added this to the 1.46.0 milestone Jan 10, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Jan 31, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.google.cloud:google-cloud-datastore](https://github.com/googleapis/java-datastore) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.25.4` -> `2.26.0` |
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.45.2` -> `1.46.0` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.45.2` -> `1.46.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |

---

### Release Notes

<details>
<summary>googleapis/java-datastore
(com.google.cloud:google-cloud-datastore)</summary>

### [`v2.26.0`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2260-2025-01-29)

##### Features

- Add firestoreInDatastoreMode for datastore emulator
([#&#8203;1698](googleapis/java-datastore#1698))
([50f106d](googleapis/java-datastore@50f106d))

##### Dependencies

- Update dependency com.google.cloud:sdk-platform-java-config to v3.42.0
([#&#8203;1725](googleapis/java-datastore#1725))
([1cbaf22](googleapis/java-datastore@1cbaf22))

</details>

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.46.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.46.0): 1.46.0

##### Breaking Changes

> \[!WARNING]
> jnr-unixsocket is now an external dependency of dd-trace-ot and must
be included when deploying dd-trace-ot.

> \[!NOTE]
> The API `TracerScope.setAsync(boolean)`, used to manually control
asynchronous span propagation, does no more apply to the scope instance
but to the active span scope.

##### Components

##### Application Security Management (IAST)

- 🐛 Fix String.replace instrumentation for IAST
([#&#8203;8281](DataDog/dd-trace-java#8281) -
[@&#8203;Mariovido](https://github.com/Mariovido))
- ✨ Apply the standard nomenclature to the stacktrace configs
([#&#8203;8244](DataDog/dd-trace-java#8244) -
[@&#8203;jandro996](https://github.com/jandro996))
- 🐛 Exclude false positive weak randomness
([#&#8203;8232](DataDog/dd-trace-java#8232) -
[@&#8203;jandro996](https://github.com/jandro996))
- ✨ Propagation of translateEscapes of String class
([#&#8203;8186](DataDog/dd-trace-java#8186) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))
- ✨ Add security control metrics
([#&#8203;8175](DataDog/dd-trace-java#8175) -
[@&#8203;jandro996](https://github.com/jandro996))
- ✨ Increase IAST propagation to StringBuffer setLength
([#&#8203;8128](DataDog/dd-trace-java#8128) -
[@&#8203;Mariovido](https://github.com/Mariovido))
- ✨ Add IAST taint tracking for DB values
([#&#8203;8072](DataDog/dd-trace-java#8072) -
[@&#8203;Mariovido](https://github.com/Mariovido))

##### Application Security Management (WAF)

- 🐛 Prevents a NPE when there is no subscriber for user events
([#&#8203;8258](DataDog/dd-trace-java#8258) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Apply the standard nomenclature to the stacktrace configs
([#&#8203;8244](DataDog/dd-trace-java#8244) -
[@&#8203;jandro996](https://github.com/jandro996))
- 🐛 Ensure cached subscriptions are cleared on reconfiguration via
RC ([#&#8203;8229](DataDog/dd-trace-java#8229)
-
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Add support for session tracking in Vertx
([#&#8203;8167](DataDog/dd-trace-java#8167) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Create span tag: \_dd.appsec.rasp.timeout
([#&#8203;8269](DataDog/dd-trace-java#8269) -
[@&#8203;Mariovido](https://github.com/Mariovido))

##### Build & Tooling

- 🐛 Ensure shaded helpers have unique names when injected into
class-loaders
([#&#8203;8192](DataDog/dd-trace-java#8192) -
[@&#8203;mcculls](https://github.com/mcculls))

##### Configuration at Runtime

- 🐛 Remove filtering of `DD_SERVICE` and `DD_ENV` from the tracer
([#&#8203;8176](DataDog/dd-trace-java#8176) -
[@&#8203;mhlidd](https://github.com/mhlidd))

##### Continuous Integration Visibility

- 🧹 Generalize TestRetryPolicy to TestExecutionPolicy
([#&#8203;8302](DataDog/dd-trace-java#8302) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Parallelize CI Visibility settings requests
([#&#8203;8299](DataDog/dd-trace-java#8299) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Generalize test retry logic
([#&#8203;8289](DataDog/dd-trace-java#8289) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Generalize tests skipping logic
([#&#8203;8288](DataDog/dd-trace-java#8288) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Remove skip and shouldBeSkipped methods from TestEventsHandler
in favor of isSkippable
([#&#8203;8286](DataDog/dd-trace-java#8286) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨⚡ Optimize Git repository information computation
([#&#8203;8270](DataDog/dd-trace-java#8270) -
[@&#8203;dougqh](https://github.com/dougqh))
- ✨ Always request known tests from the backend
([#&#8203;8268](DataDog/dd-trace-java#8268) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Fix NPE when trying to get retry analyzer in Test NG
([#&#8203;8253](DataDog/dd-trace-java#8253) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Set test framework and test framework version tags atomically
([#&#8203;8252](DataDog/dd-trace-java#8252) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add debug logging to Android Gradle module layout logic
([#&#8203;8251](DataDog/dd-trace-java#8251) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix source and destination folders computation for Android
Gradle projects
([#&#8203;8190](DataDog/dd-trace-java#8190) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add basic Scala Weaver sbt support
([#&#8203;8189](DataDog/dd-trace-java#8189) -
[@&#8203;daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement impacted tests detection
([#&#8203;8188](DataDog/dd-trace-java#8188) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))

##### Data Streams Monitoring

- ✨ Change hash computation for protobuf to better represent
impacting changes + save proto number in schema
([#&#8203;8201](DataDog/dd-trace-java#8201) -
[@&#8203;vandonr](https://github.com/vandonr))

##### Database Monitoring

- Add peer service tag in dbm sql commenter
([#&#8203;7913](DataDog/dd-trace-java#7913) -
[@&#8203;jordan-wong](https://github.com/jordan-wong))

##### Dynamic Instrumentation

- ✨ Add support for SymDB to scan directories
([#&#8203;8306](DataDog/dd-trace-java#8306) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Add SymDB report for any jar scanning failures
([#&#8203;8300](DataDog/dd-trace-java#8300) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Use two budgets depending on type
([#&#8203;8283](DataDog/dd-trace-java#8283) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- ✨ Institute a 10 snapshot per probe per trace budget
([#&#8203;8277](DataDog/dd-trace-java#8277) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- 🐛 Avoid double snapshots for Exception Replay
([#&#8203;8273](DataDog/dd-trace-java#8273) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Simplify code origins. Separate out snapshot generation.
([#&#8203;8263](DataDog/dd-trace-java#8263) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- ✨ Add Exception probe custom instrumentation
([#&#8203;8230](DataDog/dd-trace-java#8230) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Enhance log probes to honor debug session tags
([#&#8203;8215](DataDog/dd-trace-java#8215) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- 🐛 Don't redact env tokens from debugger probe snapshots
([#&#8203;8211](DataDog/dd-trace-java#8211) -
[@&#8203;watson](https://github.com/watson))
- ✨⚡ Move Trace/SpanId capture at commit time
([#&#8203;8184](DataDog/dd-trace-java#8184) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- 🐛 Capture values at entry for method probe
([#&#8203;8169](DataDog/dd-trace-java#8169) -
[@&#8203;jpbempel](https://github.com/jpbempel))

##### JMX fetch

- 🐛 Mute JMXFetch Shutdown in progress error
([#&#8203;8068](DataDog/dd-trace-java#8068) -
[@&#8203;ygree](https://github.com/ygree))

##### OpenTracing

- ⚠️🧹 Make jnr-unixsocket an explicit dependency of
dd-trace-ot
([#&#8203;8307](DataDog/dd-trace-java#8307) -
[@&#8203;mcculls](https://github.com/mcculls))

##### Profiling

- 🐛 Avoid unsupported API call for creating folders on windows
([#&#8203;8304](DataDog/dd-trace-java#8304) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- ✨ Tag profiles for serverless
([#&#8203;8279](DataDog/dd-trace-java#8279) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- ✨ add queue type and length to queue events
([#&#8203;8242](DataDog/dd-trace-java#8242) -
[@&#8203;richardstartin](https://github.com/richardstartin))
- 🐛 TempLocationManager Fixes and Improvements
([#&#8203;8191](DataDog/dd-trace-java#8191) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- ✨ Bump ddprof to 1.18.0
([#&#8203;8173](DataDog/dd-trace-java#8173) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- ✨ Report profiler initialization and configuration errors to
telemetry
([#&#8203;8171](DataDog/dd-trace-java#8171) -
[@&#8203;jbachorik](https://github.com/jbachorik))

##### Telemetry

- ✨ Add pending traces report in tracer flares
([#&#8203;8053](DataDog/dd-trace-java#8053) -
[@&#8203;mhlidd](https://github.com/mhlidd))

##### Testing

- ✨ Test http server requests in parallel
([#&#8203;8222](DataDog/dd-trace-java#8222) -
[@&#8203;amarziali](https://github.com/amarziali))

##### Trace context propagation

- ✨ Add non default propagator registration
([#&#8203;8310](DataDog/dd-trace-java#8310) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))

##### Tracer core

- ✨ Probe for existence of IBMSASL or ACCP security providers
([#&#8203;8276](DataDog/dd-trace-java#8276) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨⚡ Overhead improvement to agent feedback based sampling
([#&#8203;8265](DataDog/dd-trace-java#8265) -
[@&#8203;dougqh](https://github.com/dougqh))
- 🧹 Move async propagation API from scope to tracer
([#&#8203;8231](DataDog/dd-trace-java#8231) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Introduce context propagation API
([#&#8203;8161](DataDog/dd-trace-java#8161) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- ✨🧪 Use env-entry to add tags per webapp deployment
([#&#8203;8138](DataDog/dd-trace-java#8138) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Introduce context helpers API
([#&#8203;8134](DataDog/dd-trace-java#8134) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Support IPv6 values for `DD_AGENT_HOST` and
`DD_TRACE_AGENT_URL`
([#&#8203;7984](DataDog/dd-trace-java#7984) -
[@&#8203;mhlidd](https://github.com/mhlidd))

##### Instrumentations

##### Apache HttpComponents

- 🐛 Properly finish spans and support latest apache httpclient5
([#&#8203;8272](DataDog/dd-trace-java#8272) -
[@&#8203;amarziali](https://github.com/amarziali))

##### AWS Lambda instrumentation

- 🐛 Properly capture lambda payloads for all handler types.
([#&#8203;8264](DataDog/dd-trace-java#8264) -
[@&#8203;purple4reina](https://github.com/purple4reina))

##### AWS S3 instrumentation

- 💡 Create S3 instrumentation + add span pointers
([#&#8203;8075](DataDog/dd-trace-java#8075) -
[@&#8203;nhulston](https://github.com/nhulston))

##### AWS SDK instrumentation

- 🐛 Revert "Add avoid double instrumenting lambda non-streaming
handlers."
([#&#8203;8247](DataDog/dd-trace-java#8247) -
[@&#8203;nhulston](https://github.com/nhulston))

##### Cassandra

- ✨ Allow extracting keyspace from statement result
([#&#8203;8239](DataDog/dd-trace-java#8239) -
[@&#8203;amarziali](https://github.com/amarziali))

##### Core Java language instrumentation

- ✨ Propagation of translateEscapes of String class
([#&#8203;8186](DataDog/dd-trace-java#8186) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))

##### Eclipse Vert.x instrumentation

- 🐛 Fix vertx worker propagation and error handling
([#&#8203;8237](DataDog/dd-trace-java#8237) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Support vertx 5
([#&#8203;8220](DataDog/dd-trace-java#8220) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Add support for session tracking in Vertx
([#&#8203;8167](DataDog/dd-trace-java#8167) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

##### Kafka instrumentation

- 🐛 Prevent possible NPE calculating Kafka record header size
([#&#8203;8292](DataDog/dd-trace-java#8292) -
[@&#8203;ygree](https://github.com/ygree))

##### Mule instrumentation

- 🐛 Fix crash using Mule with JPMS
([#&#8203;8187](DataDog/dd-trace-java#8187) -
[@&#8203;amarziali](https://github.com/amarziali))

##### Protocol Buffer instrumentation

- ✨ Change hash computation for protobuf to better represent
impacting changes + save proto number in schema
([#&#8203;8201](DataDog/dd-trace-java#8201) -
[@&#8203;vandonr](https://github.com/vandonr))

##### Spring instrumentation

- 🐛 Preserve getQualifier from spring scheduling runnables
([#&#8203;8293](DataDog/dd-trace-java#8293) -
[@&#8203;amarziali](https://github.com/amarziali))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: bb09d47e4eed77a003f630273b4d0a84003eb899
Labels
comp: asm iast Application Security Management (IAST) type: enhancement
3 participants