IAST metrics

Author: iunanua

package.json

@@ -64,7 +64,7 @@
   "dependencies": {
     "@datadog/native-appsec": "2.0.0",
     "@datadog/native-iast-rewriter": "2.0.1",
-    "@datadog/native-iast-taint-tracking": "1.1.1",
+    "@datadog/native-iast-taint-tracking": "1.2.1",
     "@datadog/native-metrics": "^1.5.0",
     "@datadog/pprof": "^2.0.0",
     "@datadog/sketches-js": "^2.1.0",

packages/dd-trace/src/appsec/iast/analyzers/command-injection-analyzer.js

@@ -4,7 +4,13 @@ const InjectionAnalyzer = require('./injection-analyzer')
 class CommandInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
     super('COMMAND_INJECTION')
-    this.addSub('datadog:child_process:execution:start', ({ command }) => this.analyze(command))
+  }
+
+  onConfigure () {
+    this.addSub(
+      { channelName: 'datadog:child_process:execution:start' },
+      ({ command }, iastPluginContext) => this.analyze(command, iastPluginContext)
+    )
   }
 }
 

packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js

@@ -4,7 +4,12 @@ const InjectionAnalyzer = require('./injection-analyzer')
 class LdapInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
     super('LDAP_INJECTION')
-    this.addSub('datadog:ldapjs:client:search', ({ base, filter }) => this.analyzeAll(base, filter))
+  }
+
+  onConfigure () {
+    this.addSub(
+      { channelName: 'datadog:ldapjs:client:search' },
+      ({ base, filter }, iastPluginContext) => this.analyzeAll(iastPluginContext, base, filter))
   }
 }
 

packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js

@@ -1,12 +1,10 @@
 'use strict'
-const { getIastContext } = require('../iast-context')
-const { storage } = require('../../../../../datadog-core')
 const InjectionAnalyzer = require('./injection-analyzer')
 
 class PathTraversalAnalyzer extends InjectionAnalyzer {
   constructor () {
     super('PATH_TRAVERSAL')
-    this.addSub('apm:fs:operation:start', obj => {
+    this.addSub({ channelName: 'apm:fs:operation:start' }, (obj, iastPluginContext) => {
       const pathArguments = []
       if (obj.dest) {
         pathArguments.push(obj.dest)
@@ -35,12 +33,12 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
       if (obj.target) {
         pathArguments.push(obj.target)
       }
-      this.analyze(pathArguments)
+      this.analyze(pathArguments, iastPluginContext)
     })
   }
 
-  analyze (value) {
-    const iastContext = getIastContext(storage.getStore())
+  analyze (value, iastPluginContext) {
+    const iastContext = iastPluginContext.iastContext
     if (!iastContext) {
       return
     }

packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -4,9 +4,21 @@ const InjectionAnalyzer = require('./injection-analyzer')
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
     super('SQL_INJECTION')
-    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql))
-    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql))
-    this.addSub('apm:pg:query:start', ({ originalQuery }) => this.analyze(originalQuery))
+  }
+
+  onConfigure () {
+    this.addSub(
+      { channelName: 'apm:mysql:query:start' },
+      ({ sql }, iastPluginContext) => this.analyze(sql, iastPluginContext)
+    )
+    this.addSub(
+      { channelName: 'apm:mysql2:query:start' },
+      ({ sql }, iastPluginContext) => this.analyze(sql, iastPluginContext)
+    )
+    this.addSub(
+      { channelName: 'apm:pg:query:start' },
+      ({ originalQuery }, iastPluginContext) => this.analyze(originalQuery, iastPluginContext)
+    )
   }
 }
 

packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -1,33 +1,16 @@
 'use strict'
 
-const Plugin = require('../../../../src/plugins/plugin')
-const { storage } = require('../../../../../datadog-core')
-const iastLog = require('../iast-log')
 const { getFirstNonDDPathAndLine } = require('../path-line')
 const { createVulnerability, addVulnerability } = require('../vulnerability-reporter')
-const { getIastContext } = require('../iast-context')
 const overheadController = require('../overhead-controller')
+const { SinkIastPlugin } = require('../iast-plugin')
 
-class Analyzer extends Plugin {
+class Analyzer extends SinkIastPlugin {
   constructor (type) {
     super()
     this._type = type
   }
 
-  _wrapHandler (handler) {
-    return (message, name) => {
-      try {
-        handler(message, name)
-      } catch (e) {
-        iastLog.errorAndPublish(e)
-      }
-    }
-  }
-
-  addSub (channelName, handler) {
-    super.addSub(channelName, this._wrapHandler(handler))
-  }
-
   _isVulnerable (value, context) {
     return false
   }
@@ -56,17 +39,20 @@ class Analyzer extends Plugin {
     return getFirstNonDDPathAndLine()
   }
 
-  analyze (value) {
-    const store = storage.getStore()
-    const iastContext = getIastContext(store)
-    if (store && !iastContext) return
-    this._reportIfVulnerable(value, iastContext)
+  _invalidContext (iastPluginContext) {
+    return !iastPluginContext || (iastPluginContext.store && !iastPluginContext.iastContext)
   }
 
-  analyzeAll (...values) {
-    const store = storage.getStore()
-    const iastContext = getIastContext(store)
-    if (store && !iastContext) return
+  analyze (value, iastPluginContext) {
+    if (this._invalidContext(iastPluginContext)) return
+
+    this._reportIfVulnerable(value, iastPluginContext.iastContext)
+  }
+
+  analyzeAll (iastPluginContext, ...values) {
+    if (this._invalidContext(iastPluginContext)) return
+
+    const iastContext = iastPluginContext.iastContext
     for (let i = 0; i < values.length; i++) {
       const value = values[i]
       if (this._isVulnerable(value, iastContext)) {
@@ -81,6 +67,10 @@ class Analyzer extends Plugin {
   _checkOCE (context) {
     return overheadController.hasQuota(overheadController.OPERATIONS.REPORT_VULNERABILITY, context)
   }
+
+  addSub (iastSub, handler) {
+    super.addSub({ tag: this._type, ...iastSub }, handler)
+  }
 }
 
 module.exports = Analyzer

packages/dd-trace/src/appsec/iast/analyzers/weak-cipher-analyzer.js

@@ -13,7 +13,12 @@ const INSECURE_CIPHERS = new Set([
 class WeakCipherAnalyzer extends Analyzer {
   constructor () {
     super('WEAK_CIPHER')
-    this.addSub('datadog:crypto:cipher:start', ({ algorithm }) => this.analyze(algorithm))
+  }
+
+  onConfigure () {
+    this.addSub(
+      { channelName: 'datadog:crypto:cipher:start' },
+      ({ algorithm }, iastPluginContext) => this.analyze(algorithm, iastPluginContext))
   }
 
   _isVulnerable (algorithm) {

packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js

@@ -10,7 +10,13 @@ const INSECURE_HASH_ALGORITHMS = new Set([
 class WeakHashAnalyzer extends Analyzer {
   constructor () {
     super('WEAK_HASH')
-    this.addSub('datadog:crypto:hashing:start', ({ algorithm }) => this.analyze(algorithm))
+  }
+
+  onConfigure () {
+    this.addSub(
+      { channelName: 'datadog:crypto:hashing:start' },
+      ({ algorithm }, iastPluginContext) => this.analyze(algorithm, iastPluginContext)
+    )
   }
 
   _isVulnerable (algorithm) {

packages/dd-trace/src/appsec/iast/iast-log.js

@@ -1,7 +1,8 @@
 'use strict'
 
 const log = require('../../log')
-const telemetryLogs = require('./telemetry/logs')
+const telemetry = require('../telemetry')
+const telemetryLogs = require('../telemetry/api/logs-plugin')
 const { calculateDDBasePath } = require('../../util')
 
 const ddBasePath = calculateDDBasePath(__dirname)
@@ -11,19 +12,23 @@ const STACK_FRAME_LINE_REGEX = /^\s*at\s/gm
 function sanitize (logEntry, stack) {
   if (!stack) return logEntry
 
-  let stackLines = stack.split(EOL)
+  if (telemetry.isDebugEnabled()) {
+    logEntry.stack_trace = stack
+  } else {
+    let stackLines = stack.split(EOL)
 
-  const firstIndex = stackLines.findIndex(l => l.match(STACK_FRAME_LINE_REGEX))
+    const firstIndex = stackLines.findIndex(l => l.match(STACK_FRAME_LINE_REGEX))
 
-  const isDDCode = firstIndex > -1 && stackLines[firstIndex].includes(ddBasePath)
-  stackLines = stackLines
-    .filter((line, index) => (isDDCode && index < firstIndex) || line.includes(ddBasePath))
-    .map(line => line.replace(ddBasePath, ''))
+    const isDDCode = firstIndex > -1 && stackLines[firstIndex].includes(ddBasePath)
+    stackLines = stackLines
+      .filter((line, index) => (isDDCode && index < firstIndex) || line.includes(ddBasePath))
+      .map(line => line.replace(ddBasePath, ''))
 
-  logEntry.stack_trace = stackLines.join(EOL)
+    logEntry.stack_trace = stackLines.join(EOL)
 
-  if (!isDDCode) {
-    logEntry.message = 'omitted'
+    if (!isDDCode) {
+      logEntry.message = 'omitted'
+    }
   }
 
   return logEntry
@@ -81,7 +86,7 @@ const iastLog = {
 
   publish (data, level) {
     if (telemetryLogs.isLevelEnabled(level)) {
-      const telemetryLog = getTelemetryLog(data, level)
+      const telemetryLog = getTelemetryLog(data, level, telemetry.verbosity)
       telemetryLogs.publish(telemetryLog)
     }
     return this

packages/dd-trace/src/appsec/iast/iast-metric.js

@@ -0,0 +1,81 @@
+'use strict'
+
+const { Metric, Scope } = require('../telemetry/metric')
+
+const IAST_NAMESPACE = 'iast'
+
+const PropagationType = {
+  STRING: 'STRING',
+  JSON: 'JSON',
+  URL: 'URL'
+}
+
+const MetricTag = {
+  VULNERABILITY_TYPE: 'vulnerability_type',
+  SOURCE_TYPE: 'source_type',
+  PROPAGATION_TYPE: 'propagation_type'
+}
+
+function getExecutedMetric (metricTag) {
+  return metricTag === MetricTag.VULNERABILITY_TYPE ? EXECUTED_SINK : EXECUTED_SOURCE
+}
+
+function getInstrumentedMetric (metricTag) {
+  return metricTag === MetricTag.VULNERABILITY_TYPE ? INSTRUMENTED_SINK : INSTRUMENTED_SOURCE
+}
+
+const INSTRUMENTED_PROPAGATION =
+  new Metric('instrumented.propagation', Scope.GLOBAL, MetricTag.PROPAGATION_TYPE, IAST_NAMESPACE)
+const INSTRUMENTED_SOURCE = new Metric('instrumented.source', Scope.GLOBAL, MetricTag.SOURCE_TYPE, IAST_NAMESPACE)
+const INSTRUMENTED_SINK = new Metric('instrumented.sink', Scope.GLOBAL, MetricTag.VULNERABILITY_TYPE, IAST_NAMESPACE)
+
+const EXECUTED_SOURCE = new Metric('executed.source', Scope.REQUEST, MetricTag.SOURCE_TYPE, IAST_NAMESPACE)
+const EXECUTED_SINK = new Metric('executed.sink', Scope.REQUEST, MetricTag.VULNERABILITY_TYPE, IAST_NAMESPACE)
+
+const REQUEST_TAINTED = new Metric('request.tainted', Scope.REQUEST, null, IAST_NAMESPACE)
+
+// DEBUG using metrics
+const EXECUTED_PROPAGATION =
+  new Metric('executed.propagation', Scope.REQUEST, MetricTag.PROPAGATION_TYPE, IAST_NAMESPACE)
+const EXECUTED_TAINTED = new Metric('executed.tainted', Scope.REQUEST, null, IAST_NAMESPACE)
+
+// DEBUG using log endpoint
+// const SOURCE_DEBUG = new Metric('source.debug', Scope.GLOBAL, null, IAST_NAMESPACE)
+// const PROPAGATION_DEBUG = new Metric('propagation.debug', Scope.GLOBAL, null, IAST_NAMESPACE)
+// const SINK_DEBUG = new Metric('sink.debug', Scope.GLOBAL, null, IAST_NAMESPACE)
+// const TAINTED_DEBUG = new Metric('tainted.debug', Scope.GLOBAL, null, IAST_NAMESPACE)
+// const TAINTED_SINK_DEBUG = new Metric('tainted.sink.debug', Scope.GLOBAL, null, IAST_NAMESPACE)
+
+// DEBUG using distribution endpoint
+const INSTRUMENTATION_TIME = new Metric('instrumentation.time', Scope.GLOBAL, null, IAST_NAMESPACE)
+// const EXECUTION_TIME = new Metric('execution.time', Scope.GLOBAL, null, IAST_NAMESPACE)
+
+const IastMetric = {
+  INSTRUMENTED_PROPAGATION,
+  INSTRUMENTED_SOURCE,
+  INSTRUMENTED_SINK,
+
+  EXECUTED_PROPAGATION,
+  EXECUTED_SOURCE,
+  EXECUTED_SINK,
+  EXECUTED_TAINTED,
+
+  REQUEST_TAINTED,
+
+  INSTRUMENTATION_TIME
+}
+
+const metrics = new Map()
+for (const iastMetricName in IastMetric) {
+  const iastMetric = IastMetric[iastMetricName]
+  metrics.set(iastMetric.name, iastMetric)
+}
+
+module.exports = {
+  IastMetric,
+  PropagationType,
+  MetricTag,
+
+  getExecutedMetric,
+  getInstrumentedMetric
+}