@Mariovido Mariovido commented Dec 10, 2024

What Does This Do

This PR introduces a solution to taint database values. The goal is to detect potential security vulnerabilities, specifically SQL Injection and XSS as a first step. Key changes include:

  • A new source has been created to differentiate tainted values that come from the database: `sql.row.value`
  • Instrumentation of the ResultSet methods that return a String
    • The maximum number of rows tainted per ResultSet is given by this environment variable: `DD_IAST_DB_ROWS_TO_TAINT` (default 1)
  • Detection of SQL Injection and XSS vulnerabilities from tainted values that carry the previous source

Motivation

This will increase the number of detections for the first two types of vulnerabilities (SQL Injection and XSS). Apart from that, this will improve our taint propagation tracking.

Additional Notes

See the RFC where this change is documented: RFC

Contributor Checklist

Jira ticket: APPSEC-55328
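The mechanism the PR describes, as a runnable model added here for illustration; it is not code from dd-trace-java, which implements this with bytecode instrumentation of the JDBC `ResultSet`. The model uses plain Python objects: values returned by a result set carry the `sql.row.value` source, only the first `DD_IAST_DB_ROWS_TO_TAINT` rows (default 1) are tainted, taint survives string concatenation, and a SQL-injection or XSS sink reports when tainted text reaches it. `FakeResultSet`, `TaintedString`, `check_sink`, `execute_query`, `execute_prepared`, `render_html` and `second_order_lookup` are hypothetical names, and the rows are constructed sample data.

```python
"""Toy model of IAST taint tracking for database values (added example,
not dd-trace-java code). FakeResultSet, TaintedString and the sink
functions are hypothetical; the rows are constructed sample data."""
import os
from dataclasses import dataclass
from typing import Optional, Union

SQL_ROW_VALUE = "sql.row.value"            # source name introduced by the PR
ROWS_TO_TAINT_ENV = "DD_IAST_DB_ROWS_TO_TAINT"


def rows_to_taint(env=None, default: int = 1) -> int:
    """Per-ResultSet cap on tainted rows, read from the environment (default 1)."""
    raw = (os.environ if env is None else env).get(ROWS_TO_TAINT_ENV)
    return int(raw) if raw and raw.isdigit() else default


@dataclass(frozen=True)
class TaintRange:
    start: int
    length: int
    source: str


class TaintedString:
    """A string plus the ranges that came from a taint source.

    Concatenation propagates the ranges (shifting the right-hand side's
    offsets), so taint survives building a query or HTML by string appends.
    """

    def __init__(self, value: str, ranges=()):
        self.value = value
        self.ranges = tuple(ranges)

    def __add__(self, other: Union[str, "TaintedString"]) -> "TaintedString":
        other_value, other_ranges = _unwrap(other)
        shift = len(self.value)
        shifted = tuple(TaintRange(r.start + shift, r.length, r.source)
                        for r in other_ranges)
        return TaintedString(self.value + other_value, self.ranges + shifted)

    def __radd__(self, other: str) -> "TaintedString":
        return TaintedString(other) + self

    def __str__(self) -> str:
        return self.value


def _unwrap(text):
    """Split any string-like value into (plain value, taint ranges)."""
    if isinstance(text, TaintedString):
        return text.value, text.ranges
    return text, ()


class FakeResultSet:
    """Stand-in for java.sql.ResultSet with an instrumented getString()."""

    def __init__(self, rows, limit: Optional[int] = None):
        self._rows = rows                  # list of dicts, one per row
        self._index = -1
        self._limit = rows_to_taint() if limit is None else limit

    def next(self) -> bool:
        self._index += 1
        return self._index < len(self._rows)

    def get_string(self, column: str):
        raw = self._rows[self._index][column]
        if self._index < self._limit:      # within the cap: taint the whole value
            return TaintedString(raw, [TaintRange(0, len(raw), SQL_ROW_VALUE)])
        return raw                         # beyond the cap: plain, untracked str


def check_sink(vuln_type: str, text) -> Optional[dict]:
    """Sink check: a finding whenever any tainted range reaches the sink."""
    value, ranges = _unwrap(text)
    if not ranges:
        return None
    return {"type": vuln_type,
            "sources": sorted({r.source for r in ranges}),
            "evidence": value}


def execute_query(sql) -> Optional[dict]:
    """SQL sink: the statement text itself is inspected."""
    return check_sink("SQL_INJECTION", sql)


def execute_prepared(sql, params) -> Optional[dict]:
    """Hardened form: bind parameters travel separately and never become SQL text."""
    return check_sink("SQL_INJECTION", sql)


def render_html(fragment) -> Optional[dict]:
    """XSS sink: text written into the response body."""
    return check_sink("XSS", fragment)


def second_order_lookup(rs: FakeResultSet) -> list:
    """Vulnerable pattern: a stored value is read and concatenated into a query."""
    findings = []
    while rs.next():
        name = rs.get_string("display_name")
        findings.append(execute_query(
            "SELECT * FROM orders WHERE customer = '" + name + "'"))
    return findings


if __name__ == "__main__":
    rows = [{"display_name": "alice"}, {"display_name": "bob"}]  # constructed
    for limit in (1, 2):
        print(limit, second_order_lookup(FakeResultSet(rows, limit=limit)))
```

With the default cap of 1, only the value from the first row is tainted, so the second row's identical dataflow goes unreported; raising `DD_IAST_DB_ROWS_TO_TAINT` trades overhead for coverage. The finding fires on the dataflow, not on the stored value looking malicious, which is what makes second-order injection and stored XSS visible at all.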

@Mariovido Mariovido added type: enhancement Enhancements and improvements comp: asm iast Application Security Management (IAST) labels Dec 10, 2024
pr-commenter bot commented Dec 10, 2024

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | mario.vidal/taint_db_values_iast |
| git_commit_date | 1736947494 | 1736947212 |
| git_commit_sha | 692835e | 8c5291e |
| release_version | 1.46.0-SNAPSHOT~692835e608 | 1.46.0-SNAPSHOT~8c5291ee75 |

Matching parameters:

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1736949726 | 1736949726 |
| ci_job_id | 767203052 | 767203052 |
| ci_pipeline_id | 53066902 | 53066902 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 4 unstable metrics.

Startup time reports for petclinic

(Gantt chart "petclinic - global startup overhead: candidate=1.46.0-SNAPSHOT~8c5291ee75, baseline=1.46.0-SNAPSHOT~692835e608"; its Agent/Total durations are the ones tabulated below.)

  • baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.056 s | - |
| Agent | appsec | 1.189 s | 132.591 ms (12.6%) |
| Agent | iast | 1.188 s | 132.087 ms (12.5%) |
| Agent | profiling | 1.255 s | 198.414 ms (18.8%) |
| Total | tracing | 10.467 s | - |
| Total | appsec | 10.717 s | 249.344 ms (2.4%) |
| Total | iast | 10.957 s | 489.434 ms (4.7%) |
| Total | profiling | 10.859 s | 391.746 ms (3.7%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.054 s | - |
| Agent | appsec | 1.2 s | 145.869 ms (13.8%) |
| Agent | iast | 1.192 s | 138.028 ms (13.1%) |
| Agent | profiling | 1.258 s | 203.751 ms (19.3%) |
| Total | tracing | 10.468 s | - |
| Total | appsec | 10.734 s | 266.496 ms (2.5%) |
| Total | iast | 10.999 s | 531.752 ms (5.1%) |
| Total | profiling | 10.927 s | 459.822 ms (4.4%) |
petclinic - break down per module (candidate=1.46.0-SNAPSHOT~8c5291ee75, baseline=1.46.0-SNAPSHOT~692835e608):

| Variant | Component | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 713.846 ms | 714.659 ms |
| tracing | GlobalTracer | 255.76 ms | 256.188 ms |
| tracing | AppSec | 56.669 ms | 55.086 ms |
| tracing | Remote Config | 719.515 µs | 750.728 µs |
| tracing | Telemetry | 14.244 ms | 12.203 ms |
| appsec | BytebuddyAgent | 731.24 ms | 738.928 ms |
| appsec | GlobalTracer | 253.35 ms | 255.184 ms |
| appsec | AppSec | 170.776 ms | 171.678 ms |
| appsec | Remote Config | 676.504 µs | 688.234 µs |
| appsec | Telemetry | 8.177 ms | 8.263 ms |
| appsec | IAST | 19.25 ms | 19.759 ms |
| iast | BytebuddyAgent | 835.416 ms | 838.765 ms |
| iast | GlobalTracer | 248.759 ms | 248.599 ms |
| iast | AppSec | 58.003 ms | 58.477 ms |
| iast | Remote Config | 691.559 µs | 688.059 µs |
| iast | Telemetry | 8.9 ms | 8.845 ms |
| iast | IAST | 21.577 ms | 21.519 ms |
| profiling | ProfilingAgent | 95.275 ms | 95.944 ms |
| profiling | BytebuddyAgent | 703.084 ms | 704.707 ms |
| profiling | GlobalTracer | 350.442 ms | 351.69 ms |
| profiling | AppSec | 54.467 ms | 53.725 ms |
| profiling | Remote Config | 656.122 µs | 664.076 µs |
| profiling | Telemetry | 8.849 ms | 8.859 ms |
| profiling | Profiling | 95.299 ms | 95.967 ms |
Startup time reports for insecure-bank

(Gantt chart "insecure-bank - global startup overhead: candidate=1.46.0-SNAPSHOT~8c5291ee75, baseline=1.46.0-SNAPSHOT~692835e608"; its Agent/Total durations are the ones tabulated below.)

  • baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.056 s | - |
| Agent | iast | 1.184 s | 127.774 ms (12.1%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.182 s | 125.613 ms (11.9%) |
| Agent | iast_TELEMETRY_OFF | 1.185 s | 128.446 ms (12.2%) |
| Total | tracing | 8.648 s | - |
| Total | iast | 9.203 s | 555.239 ms (6.4%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.209 s | 561.042 ms (6.5%) |
| Total | iast_TELEMETRY_OFF | 9.231 s | 582.465 ms (6.7%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.06 s | - |
| Agent | iast | 1.186 s | 125.718 ms (11.9%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.183 s | 123.321 ms (11.6%) |
| Agent | iast_TELEMETRY_OFF | 1.185 s | 125.167 ms (11.8%) |
| Total | tracing | 8.665 s | - |
| Total | iast | 9.215 s | 550.169 ms (6.3%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.17 s | 505.041 ms (5.8%) |
| Total | iast_TELEMETRY_OFF | 9.252 s | 587.044 ms (6.8%) |
insecure-bank - break down per module (candidate=1.46.0-SNAPSHOT~8c5291ee75, baseline=1.46.0-SNAPSHOT~692835e608):

| Variant | Component | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 714.551 ms | 715.863 ms |
| tracing | GlobalTracer | 256.292 ms | 257.978 ms |
| tracing | AppSec | 55.163 ms | 55.851 ms |
| tracing | Remote Config | 726.027 µs | 723.257 µs |
| tracing | Telemetry | 14.447 ms | 14.658 ms |
| iast | BytebuddyAgent | 832.654 ms | 833.915 ms |
| iast | GlobalTracer | 247.273 ms | 247.828 ms |
| iast | AppSec | 57.888 ms | 57.988 ms |
| iast | IAST | 21.63 ms | 21.465 ms |
| iast | Remote Config | 668.634 µs | 669.299 µs |
| iast | Telemetry | 8.793 ms | 8.842 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 831.446 ms | 832.549 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 246.526 ms | 246.954 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 57.996 ms | 58.007 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 21.421 ms | 21.374 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 675.894 µs | 685.498 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 8.746 ms | 8.73 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 832.875 ms | 834.066 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 248.088 ms | 247.74 ms |
| iast_TELEMETRY_OFF | AppSec | 58.146 ms | 57.978 ms |
| iast_TELEMETRY_OFF | IAST | 20.942 ms | 20.987 ms |
| iast_TELEMETRY_OFF | Remote Config | 665.98 µs | 682.105 µs |
| iast_TELEMETRY_OFF | Telemetry | 8.727 ms | 8.622 ms |

Load

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2025-01-15T13:32:08 | 2025-01-15T13:39:08 |
| git_branch | master | mario.vidal/taint_db_values_iast |
| git_commit_date | 1736947494 | 1736947212 |
| git_commit_sha | 692835e | 8c5291e |
| release_version | 1.46.0-SNAPSHOT~692835e608 | 1.46.0-SNAPSHOT~8c5291ee75 |
| start_time | 2025-01-15T13:31:54 | 2025-01-15T13:38:54 |

Matching parameters:

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1736948704 | 1736948704 |
| ci_job_id | 767203053 | 767203053 |
| ci_pipeline_id | 53066902 | 53066902 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 1 performance regressions! Performance is the same for 10 metrics, 17 unstable metrics.

| scenario | Δ mean http_req_duration | Δ mean throughput | candidate mean http_req_duration | candidate mean throughput | baseline mean http_req_duration | baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:insecure-bank:iast_FULL | worse: [+61.683µs; +108.640µs] or [+9.437%; +16.622%] | unstable: [-1727.666op/s; +1096.087op/s] or [-27.355%; +17.355%] | 738.764µs | 6000.000op/s | 653.602µs | 6315.789op/s |
Request duration reports for petclinic

(Gantt chart "petclinic - request duration [CI 0.99]: candidate=1.46.0-SNAPSHOT~8c5291ee75, baseline=1.46.0-SNAPSHOT~692835e608"; its means and confidence intervals are the ones tabulated below.)

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.353 ms [1.333 ms, 1.374 ms] | - |
| appsec | 1.738 ms [1.714 ms, 1.761 ms] | 384.297 µs (28.4%) |
| appsec_no_iast | 1.764 ms [1.741 ms, 1.786 ms] | 410.057 µs (30.3%) |
| iast | 1.495 ms [1.473 ms, 1.518 ms] | 141.957 µs (10.5%) |
| profiling | 1.495 ms [1.471 ms, 1.519 ms] | 141.593 µs (10.5%) |
| tracing | 1.491 ms [1.466 ms, 1.516 ms] | 137.662 µs (10.2%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.372 ms [1.352 ms, 1.392 ms] | - |
| appsec | 1.753 ms [1.729 ms, 1.776 ms] | 380.5 µs (27.7%) |
| appsec_no_iast | 1.753 ms [1.728 ms, 1.778 ms] | 381.05 µs (27.8%) |
| iast | 1.494 ms [1.469 ms, 1.518 ms] | 121.576 µs (8.9%) |
| profiling | 1.498 ms [1.475 ms, 1.521 ms] | 126.158 µs (9.2%) |
| tracing | 1.461 ms [1.436 ms, 1.486 ms] | 88.775 µs (6.5%) |
Request duration reports for insecure-bank

(Gantt chart "insecure-bank - request duration [CI 0.99]: candidate=1.46.0-SNAPSHOT~8c5291ee75, baseline=1.46.0-SNAPSHOT~692835e608"; its means and confidence intervals are the ones tabulated below.)

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 373.531 µs [353.999 µs, 393.063 µs] | - |
| iast | 494.303 µs [472.155 µs, 516.451 µs] | 120.772 µs (32.3%) |
| iast_FULL | 653.602 µs [631.847 µs, 675.357 µs] | 280.071 µs (75.0%) |
| iast_GLOBAL | 527.917 µs [505.145 µs, 550.689 µs] | 154.386 µs (41.3%) |
| iast_HARDCODED_SECRET_DISABLED | 491.177 µs [469.583 µs, 512.77 µs] | 117.646 µs (31.5%) |
| iast_INACTIVE | 456.085 µs [434.514 µs, 477.656 µs] | 82.555 µs (22.1%) |
| iast_TELEMETRY_OFF | 484.391 µs [462.327 µs, 506.455 µs] | 110.86 µs (29.7%) |
| tracing | 440.413 µs [419.757 µs, 461.068 µs] | 66.882 µs (17.9%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 369.885 µs [350.346 µs, 389.424 µs] | - |
| iast | 511.704 µs [489.37 µs, 534.039 µs] | 141.819 µs (38.3%) |
| iast_FULL | 738.764 µs [716.882 µs, 760.645 µs] | 368.879 µs (99.7%) |
| iast_GLOBAL | 555.711 µs [533.419 µs, 578.002 µs] | 185.825 µs (50.2%) |
| iast_HARDCODED_SECRET_DISABLED | 502.221 µs [480.526 µs, 523.915 µs] | 132.336 µs (35.8%) |
| iast_INACTIVE | 453.498 µs [432.287 µs, 474.71 µs] | 83.613 µs (22.6%) |
| iast_TELEMETRY_OFF | 492.632 µs [470.895 µs, 514.369 µs] | 122.747 µs (33.2%) |
| tracing | 448.696 µs [427.475 µs, 469.916 µs] | 78.81 µs (21.3%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | mario.vidal/taint_db_values_iast |
| git_commit_date | 1736947494 | 1736947212 |
| git_commit_sha | 692835e | 8c5291e |
| release_version | 1.46.0-SNAPSHOT~692835e608 | 1.46.0-SNAPSHOT~8c5291ee75 |

Matching parameters:

| Parameter | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1736949260 | 1736949260 |
| ci_job_id | 767203054 | 767203054 |
| ci_pipeline_id | 53066902 | 53066902 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat

(Gantt chart "tomcat - execution time [CI 0.99]: candidate=1.46.0-SNAPSHOT~8c5291ee75, baseline=1.46.0-SNAPSHOT~692835e608"; its means and confidence intervals are the ones tabulated below.)

  • baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.462 ms [1.451 ms, 1.474 ms] | - |
| appsec | 2.348 ms [2.305 ms, 2.39 ms] | 885.345 µs (60.5%) |
| iast | 2.095 ms [2.04 ms, 2.149 ms] | 632.478 µs (43.3%) |
| iast_GLOBAL | 2.134 ms [2.08 ms, 2.189 ms] | 672.185 µs (46.0%) |
| profiling | 1.962 ms [1.918 ms, 2.006 ms] | 499.986 µs (34.2%) |
| tracing | 1.928 ms [1.887 ms, 1.97 ms] | 465.97 µs (31.9%) |

  • candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.464 ms [1.452 ms, 1.475 ms] | - |
| appsec | 2.349 ms [2.307 ms, 2.392 ms] | 885.874 µs (60.5%) |
| iast | 2.099 ms [2.045 ms, 2.154 ms] | 635.591 µs (43.4%) |
| iast_GLOBAL | 2.134 ms [2.08 ms, 2.188 ms] | 670.311 µs (45.8%) |
| profiling | 1.961 ms [1.918 ms, 2.004 ms] | 497.235 µs (34.0%) |
| tracing | 1.932 ms [1.89 ms, 1.974 ms] | 468.53 µs (32.0%) |
Execution time for biojava

(Gantt chart "biojava - execution time [CI 0.99]: candidate=1.46.0-SNAPSHOT~8c5291ee75, baseline=1.46.0-SNAPSHOT~692835e608"; its values are the ones tabulated below, each from a single run, so the intervals collapse to the point estimate.)

  • baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.008 s [15.008 s, 15.008 s] | - |
| appsec | 14.753 s [14.753 s, 14.753 s] | -255.0 ms (-1.7%) |
| iast | 18.656 s [18.656 s, 18.656 s] | 3.648 s (24.3%) |
| iast_GLOBAL | 18.103 s [18.103 s, 18.103 s] | 3.095 s (20.6%) |
| profiling | 15.64 s [15.64 s, 15.64 s] | 632.0 ms (4.2%) |
| tracing | 14.758 s [14.758 s, 14.758 s] | -250.0 ms (-1.7%) |

  • candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.405 s [15.405 s, 15.405 s] | - |
| appsec | 15.242 s [15.242 s, 15.242 s] | -163.0 ms (-1.1%) |
| iast | 18.91 s [18.91 s, 18.91 s] | 3.505 s (22.8%) |
| iast_GLOBAL | 18.116 s [18.116 s, 18.116 s] | 2.711 s (17.6%) |
| profiling | 15.0 s [15.0 s, 15.0 s] | -405.0 ms (-2.6%) |
| tracing | 14.882 s [14.882 s, 14.882 s] | -523.0 ms (-3.4%) |

@Mariovido Mariovido changed the title [DRAFT] Taint DB values Add IAST taint tracking for DB values Dec 12, 2024
@Mariovido Mariovido marked this pull request as ready for review December 12, 2024 15:09
@Mariovido Mariovido requested review from a team as code owners December 12, 2024 15:09
@Mariovido Mariovido requested review from jandro996 and smola December 16, 2024 14:43
@jandro996
Member

@Mariovido rebase the branch and resolve the conflicts in internal-api/src/main/java/datadog/trace/api/Config.java :)
Thanks!!!

@Mariovido
Contributor Author

> @Mariovido rebase the branch and resolve the conflicts in internal-api/src/main/java/datadog/trace/api/Config.java :) Thanks!!!

@jandro996 Solved the conflicts :)

@Mariovido Mariovido merged commit 0b1e6ff into master Jan 15, 2025
173 checks passed
@Mariovido Mariovido deleted the mario.vidal/taint_db_values_iast branch January 15, 2025 14:44
@github-actions github-actions bot added this to the 1.46.0 milestone Jan 15, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Jan 31, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.google.cloud:google-cloud-datastore](https://github.com/googleapis/java-datastore) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.25.4` -> `2.26.0` |
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.45.2` -> `1.46.0` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.45.2` -> `1.46.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |

---

### Release Notes

<details>
<summary>googleapis/java-datastore (com.google.cloud:google-cloud-datastore)</summary>

### [`v2.26.0`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2260-2025-01-29)

##### Features

- Add firestoreInDatastoreMode for datastore emulator ([#1698](googleapis/java-datastore#1698)) ([50f106d](googleapis/java-datastore@50f106d))

##### Dependencies

- Update dependency com.google.cloud:sdk-platform-java-config to v3.42.0 ([#1725](googleapis/java-datastore#1725)) ([1cbaf22](googleapis/java-datastore@1cbaf22))

</details>

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.46.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.46.0): 1.46.0

##### Breaking Changes

> [!WARNING]
> jnr-unixsocket is now an external dependency of dd-trace-ot and must be included when deploying dd-trace-ot.

> [!NOTE]
> The API `TracerScope.setAsync(boolean)`, used to manually control asynchronous span propagation, no longer applies to the scope instance but to the active span scope.

##### Components

##### Application Security Management (IAST)

- 🐛 Fix String.replace instrumentation for IAST ([#8281](DataDog/dd-trace-java#8281) - [@Mariovido](https://github.com/Mariovido))
- ✨ Apply the standard nomenclature to the stacktrace configs ([#8244](DataDog/dd-trace-java#8244) - [@jandro996](https://github.com/jandro996))
- 🐛 Exclude false positive weak randomness ([#8232](DataDog/dd-trace-java#8232) - [@jandro996](https://github.com/jandro996))
- ✨ Propagation of translateEscapes of String class ([#8186](DataDog/dd-trace-java#8186) - [@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Add security control metrics ([#8175](DataDog/dd-trace-java#8175) - [@jandro996](https://github.com/jandro996))
- ✨ Increase IAST propagation to StringBuffer setLength ([#8128](DataDog/dd-trace-java#8128) - [@Mariovido](https://github.com/Mariovido))
- ✨ Add IAST taint tracking for DB values ([#8072](DataDog/dd-trace-java#8072) - [@Mariovido](https://github.com/Mariovido))

##### Application Security Management (WAF)

- 🐛 Prevents a NPE when there is no subscriber for user events ([#8258](DataDog/dd-trace-java#8258) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Apply the standard nomenclature to the stacktrace configs ([#8244](DataDog/dd-trace-java#8244) - [@jandro996](https://github.com/jandro996))
- 🐛 Ensure cached subscriptions are cleared on reconfiguration via RC ([#8229](DataDog/dd-trace-java#8229) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Add support for session tracking in Vertx ([#8167](DataDog/dd-trace-java#8167) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Create span tag: \_dd.appsec.rasp.timeout ([#8269](DataDog/dd-trace-java#8269) - [@Mariovido](https://github.com/Mariovido))

##### Build & Tooling

- 🐛 Ensure shaded helpers have unique names when injected into class-loaders ([#8192](DataDog/dd-trace-java#8192) - [@mcculls](https://github.com/mcculls))

##### Configuration at Runtime

- 🐛 Remove filtering of `DD_SERVICE` and `DD_ENV` from the tracer ([#8176](DataDog/dd-trace-java#8176) - [@mhlidd](https://github.com/mhlidd))

##### Continuous Integration Visibility

- 🧹 Generalize TestRetryPolicy to TestExecutionPolicy ([#8302](DataDog/dd-trace-java#8302) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Parallelize CI Visibility settings requests ([#8299](DataDog/dd-trace-java#8299) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Generalize test retry logic ([#8289](DataDog/dd-trace-java#8289) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Generalize tests skipping logic ([#8288](DataDog/dd-trace-java#8288) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Remove skip and shouldBeSkipped methods from TestEventsHandler in favor of isSkippable ([#8286](DataDog/dd-trace-java#8286) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨⚡ Optimize Git repository information computation ([#8270](DataDog/dd-trace-java#8270) - [@dougqh](https://github.com/dougqh))
- ✨ Always request known tests from the backend ([#8268](DataDog/dd-trace-java#8268) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Fix NPE when trying to get retry analyzer in Test NG ([#8253](DataDog/dd-trace-java#8253) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Set test framework and test framework version tags atomically ([#8252](DataDog/dd-trace-java#8252) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add debug logging to Android Gradle module layout logic ([#8251](DataDog/dd-trace-java#8251) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix source and destination folders computation for Android Gradle projects ([#8190](DataDog/dd-trace-java#8190) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add basic Scala Weaver sbt support ([#8189](DataDog/dd-trace-java#8189) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement impacted tests detection ([#8188](DataDog/dd-trace-java#8188) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))

##### Data Streams Monitoring

- ✨ Change hash computation for protobuf to better represent impacting changes + save proto number in schema ([#8201](DataDog/dd-trace-java#8201) - [@vandonr](https://github.com/vandonr))

##### Database Monitoring

- Add peer service tag in dbm sql commenter ([#7913](DataDog/dd-trace-java#7913) - [@jordan-wong](https://github.com/jordan-wong))

##### Dynamic Instrumentation

- ✨ Add support for SymDB to scan directories ([#8306](DataDog/dd-trace-java#8306) - [@jpbempel](https://github.com/jpbempel))
- ✨ Add SymDB report for any jar scanning failures ([#8300](DataDog/dd-trace-java#8300) - [@jpbempel](https://github.com/jpbempel))
- ✨ Use two budgets depending on type ([#8283](DataDog/dd-trace-java#8283) - [@evanchooly](https://github.com/evanchooly))
- ✨ Institute a 10 snapshot per probe per trace budget ([#8277](DataDog/dd-trace-java#8277) - [@evanchooly](https://github.com/evanchooly))
- 🐛 Avoid double snapshots for Exception Replay ([#8273](DataDog/dd-trace-java#8273) - [@jpbempel](https://github.com/jpbempel))
- ✨ Simplify code origins. Separate out snapshot generation. ([#8263](DataDog/dd-trace-java#8263) - [@evanchooly](https://github.com/evanchooly))
- ✨ Add Exception probe custom instrumentation ([#8230](DataDog/dd-trace-java#8230) - [@jpbempel](https://github.com/jpbempel))
- ✨ Enhance log probes to honor debug session tags ([#8215](DataDog/dd-trace-java#8215) - [@evanchooly](https://github.com/evanchooly))
- 🐛 Don't redact env tokens from debugger probe snapshots ([#8211](DataDog/dd-trace-java#8211) - [@watson](https://github.com/watson))
- ✨⚡ Move Trace/SpanId capture at commit time ([#8184](DataDog/dd-trace-java#8184) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Capture values at entry for method probe ([#8169](DataDog/dd-trace-java#8169) - [@jpbempel](https://github.com/jpbempel))

##### JMX fetch

- 🐛 Mute JMXFetch Shutdown in progress error ([#8068](DataDog/dd-trace-java#8068) - [@ygree](https://github.com/ygree))

##### OpenTracing

- ⚠️🧹 Make jnr-unixsocket an explicit dependency of dd-trace-ot ([#8307](DataDog/dd-trace-java#8307) - [@mcculls](https://github.com/mcculls))

##### Profiling

- 🐛 Avoid unsupported API call for creating folders on windows ([#8304](DataDog/dd-trace-java#8304) - [@jbachorik](https://github.com/jbachorik))
- ✨ Tag profiles for serverless ([#8279](DataDog/dd-trace-java#8279) - [@jbachorik](https://github.com/jbachorik))
- ✨ add queue type and length to queue events ([#8242](DataDog/dd-trace-java#8242) - [@richardstartin](https://github.com/richardstartin))
- 🐛 TempLocationManager Fixes and Improvements ([#8191](DataDog/dd-trace-java#8191) - [@jbachorik](https://github.com/jbachorik))
- ✨ Bump ddprof to 1.18.0 ([#8173](DataDog/dd-trace-java#8173) - [@jbachorik](https://github.com/jbachorik))
- ✨ Report profiler initialization and configuration errors to telemetry ([#8171](DataDog/dd-trace-java#8171) - [@jbachorik](https://github.com/jbachorik))

##### Telemetry

- ✨ Add pending traces report in tracer flares ([#8053](DataDog/dd-trace-java#8053) - [@mhlidd](https://github.com/mhlidd))

##### Testing

- ✨ Test http server requests in parallel ([#8222](DataDog/dd-trace-java#8222) - [@amarziali](https://github.com/amarziali))

##### Trace context propagation

- ✨ Add non default propagator registration ([#8310](DataDog/dd-trace-java#8310) - [@PerfectSlayer](https://github.com/PerfectSlayer))

##### Tracer core

- ✨ Probe for existence of IBMSASL or ACCP security providers ([#8276](DataDog/dd-trace-java#8276) - [@mcculls](https://github.com/mcculls))
- ✨⚡ Overhead improvement to agent feedback based sampling ([#8265](DataDog/dd-trace-java#8265) - [@dougqh](https://github.com/dougqh))
- 🧹 Move async propagation API from scope to tracer ([#8231](DataDog/dd-trace-java#8231) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Introduce context propagation API ([#8161](DataDog/dd-trace-java#8161) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨🧪 Use env-entry to add tags per webapp deployment ([#8138](DataDog/dd-trace-java#8138) - [@amarziali](https://github.com/amarziali))
- ✨ Introduce context helpers API ([#8134](DataDog/dd-trace-java#8134) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Support IPv6 values for `DD_AGENT_HOST` and `DD_TRACE_AGENT_URL` ([#7984](DataDog/dd-trace-java#7984) - [@mhlidd](https://github.com/mhlidd))

##### Instrumentations

##### Apache HttpComponents

- 🐛 Properly finish spans and support latest apache httpclient5 ([#8272](DataDog/dd-trace-java#8272) - [@amarziali](https://github.com/amarziali))

##### AWS Lambda instrumentation

- 🐛 Properly capture lambda payloads for all handler types. ([#8264](DataDog/dd-trace-java#8264) - [@purple4reina](https://github.com/purple4reina))

##### AWS S3 instrumentation

- 💡 Create S3 instrumentation + add span pointers ([#8075](DataDog/dd-trace-java#8075) - [@nhulston](https://github.com/nhulston))

##### AWS SDK instrumentation

- 🐛 Revert "Add avoid double instrumenting lambda non-streaming handlers." ([#8247](DataDog/dd-trace-java#8247) - [@nhulston](https://github.com/nhulston))

##### Cassandra

- ✨ Allow extracting keyspace from statement result ([#8239](DataDog/dd-trace-java#8239) - [@amarziali](https://github.com/amarziali))

##### Core Java language instrumentation

- ✨ Propagation of translateEscapes of String class ([#8186](DataDog/dd-trace-java#8186) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))

##### Eclipse Vert.x instrumentation

- 🐛 Fix vertx worker propagation and error handling
([#&#8203;8237](DataDog/dd-trace-java#8237) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Support vertx 5
([#&#8203;8220](DataDog/dd-trace-java#8220) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Add support for session tracking in Vertx
([#&#8203;8167](DataDog/dd-trace-java#8167) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

##### Kafka instrumentation

- 🐛 Prevent possible NPE calculating Kafka record header size
([#&#8203;8292](DataDog/dd-trace-java#8292) -
[@&#8203;ygree](https://github.com/ygree))

##### Mule instrumentation

- 🐛 Fix crash using Mule with JPMS
([#&#8203;8187](DataDog/dd-trace-java#8187) -
[@&#8203;amarziali](https://github.com/amarziali))

##### Protocol Buffer instrumentation

- ✨ Change hash computation for protobuf to better represent
impacting changes + save proto number in schema
([#&#8203;8201](DataDog/dd-trace-java#8201) -
[@&#8203;vandonr](https://github.com/vandonr))

##### Spring instrumentation

- 🐛 Preserve getQualifier from spring scheduling runnables
([#&#8203;8293](DataDog/dd-trace-java#8293) -
[@&#8203;amarziali](https://github.com/amarziali))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: bb09d47e4eed77a003f630273b4d0a84003eb899