Add exclusion to solve IAST weak randomness vulnerability false positives #8462

jandro996 · 2025-02-27T14:39:45Z

What Does This Do

Excluded by the iast instrumenter

com.azure.core.amqp.ExponentialAmqpRetryPolicy
com.azure.core.util.CoreUtils
com.azure.cosmos.implementation.directconnectivity.GoneAndRetryWithRetryPolicy$RetryWithRetryPolicy
com.azure.cosmos.implementation.directconnectivity.StoreReader
com.azure.cosmos.implementation.directconnectivity.addressEnumerator.AddressEnumeratorUsingPermutations
com.azure.cosmos.implementation.uuid.UUIDTimer
com.azure.messaging.eventhubs.EventProcessorClient
com.azure.messaging.eventhubs.PartitionBasedLoadBalancer
com.launchdarkly.shaded.com.launchdarkly.eventsource.EventSource
com.microsoft.sqlserver.jdbc.SQLServerConnection

Motivation

Solve weak randomness vulnerability false positives

Additional Notes

Contributor Checklist

Format the title according the contribution guidelines
Assign the type: and (comp: or inst:) labels in addition to any usefull labels
Don't use close, fix or any linking keywords when referencing an issue.
Use solves instead, and assign the PR milestone to the issue
Update the public documentation in case of new configuration flag or behavior

Jira ticket: APPSEC-56887

pr-commenter · 2025-02-27T15:15:00Z

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/weak-randomness-false-positives
git_commit_date	1740676228	1740729237
git_commit_sha	`ccc22c5`	`a8c6e1b`
release_version	1.47.0-SNAPSHOT~ccc22c5138	1.47.0-SNAPSHOT~a8c6e1b185

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1740731684	1740731684
ci_job_id	827218832	827218832
ci_pipeline_id	57304662	57304662
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-yyi4imu-project-304-concurrent-0-afdpiiwj 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-yyi4imu-project-304-concurrent-0-afdpiiwj 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
module	Agent	Agent
parent	None	None
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 58 metrics, 5 unstable metrics.

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.47.0-SNAPSHOT~a8c6e1b185, baseline=1.47.0-SNAPSHOT~ccc22c5138

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.048 s) : 0, 1048176
Total [baseline] (8.698 s) : 0, 8697590
Agent [candidate] (1.04 s) : 0, 1039671
Total [candidate] (8.656 s) : 0, 8656172
section iast
Agent [baseline] (1.178 s) : 0, 1177733
Total [baseline] (9.266 s) : 0, 9265549
Agent [candidate] (1.169 s) : 0, 1169353
Total [candidate] (9.223 s) : 0, 9222627
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.177 s) : 0, 1177301
Total [baseline] (9.24 s) : 0, 9239819
Agent [candidate] (1.178 s) : 0, 1178357
Total [candidate] (9.203 s) : 0, 9202651
section iast_TELEMETRY_OFF
Agent [baseline] (1.168 s) : 0, 1167753
Total [baseline] (9.254 s) : 0, 9254227
Agent [candidate] (1.179 s) : 0, 1179482
Total [candidate] (9.299 s) : 0, 9298867

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.048 s	-
Agent	iast	1.178 s	129.557 ms (12.4%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.177 s	129.125 ms (12.3%)
Agent	iast_TELEMETRY_OFF	1.168 s	119.577 ms (11.4%)
Total	tracing	8.698 s	-
Total	iast	9.266 s	567.959 ms (6.5%)
Total	iast_HARDCODED_SECRET_DISABLED	9.24 s	542.229 ms (6.2%)
Total	iast_TELEMETRY_OFF	9.254 s	556.638 ms (6.4%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.04 s	-
Agent	iast	1.169 s	129.682 ms (12.5%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.178 s	138.685 ms (13.3%)
Agent	iast_TELEMETRY_OFF	1.179 s	139.811 ms (13.4%)
Total	tracing	8.656 s	-
Total	iast	9.223 s	566.456 ms (6.5%)
Total	iast_HARDCODED_SECRET_DISABLED	9.203 s	546.479 ms (6.3%)
Total	iast_TELEMETRY_OFF	9.299 s	642.695 ms (7.4%)

gantt
    title insecure-bank - break down per module: candidate=1.47.0-SNAPSHOT~a8c6e1b185, baseline=1.47.0-SNAPSHOT~ccc22c5138

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (722.388 ms) : 0, 722388
BytebuddyAgent [candidate] (717.693 ms) : 0, 717693
GlobalTracer [baseline] (240.582 ms) : 0, 240582
GlobalTracer [candidate] (239.111 ms) : 0, 239111
AppSec [baseline] (55.709 ms) : 0, 55709
AppSec [candidate] (55.742 ms) : 0, 55742
Remote Config [baseline] (692.272 µs) : 0, 692
Remote Config [candidate] (692.752 µs) : 0, 693
Telemetry [baseline] (13.722 ms) : 0, 13722
Telemetry [candidate] (11.541 ms) : 0, 11541
section iast
BytebuddyAgent [baseline] (842.729 ms) : 0, 842729
BytebuddyAgent [candidate] (835.666 ms) : 0, 835666
GlobalTracer [baseline] (230.5 ms) : 0, 230500
GlobalTracer [candidate] (229.238 ms) : 0, 229238
IAST [baseline] (22.833 ms) : 0, 22833
IAST [candidate] (22.924 ms) : 0, 22924
AppSec [baseline] (57.358 ms) : 0, 57358
AppSec [candidate] (57.113 ms) : 0, 57113
Remote Config [baseline] (605.652 µs) : 0, 606
Remote Config [candidate] (629.49 µs) : 0, 629
Telemetry [baseline] (8.686 ms) : 0, 8686
Telemetry [candidate] (8.829 ms) : 0, 8829
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (841.876 ms) : 0, 841876
BytebuddyAgent [candidate] (842.956 ms) : 0, 842956
GlobalTracer [baseline] (230.962 ms) : 0, 230962
GlobalTracer [candidate] (230.957 ms) : 0, 230957
IAST [baseline] (23.06 ms) : 0, 23060
IAST [candidate] (23.12 ms) : 0, 23120
AppSec [baseline] (56.862 ms) : 0, 56862
AppSec [candidate] (57.018 ms) : 0, 57018
Remote Config [baseline] (617.67 µs) : 0, 618
Remote Config [candidate] (605.672 µs) : 0, 606
Telemetry [baseline] (8.804 ms) : 0, 8804
Telemetry [candidate] (8.667 ms) : 0, 8667
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (833.402 ms) : 0, 833402
BytebuddyAgent [candidate] (842.671 ms) : 0, 842671
GlobalTracer [baseline] (231.089 ms) : 0, 231089
GlobalTracer [candidate] (232.498 ms) : 0, 232498
IAST [baseline] (26.244 ms) : 0, 26244
IAST [candidate] (26.479 ms) : 0, 26479
AppSec [baseline] (52.919 ms) : 0, 52919
AppSec [candidate] (53.374 ms) : 0, 53374
Remote Config [baseline] (616.962 µs) : 0, 617
Remote Config [candidate] (620.41 µs) : 0, 620
Telemetry [baseline] (8.556 ms) : 0, 8556
Telemetry [candidate] (8.706 ms) : 0, 8706

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.47.0-SNAPSHOT~a8c6e1b185, baseline=1.47.0-SNAPSHOT~ccc22c5138

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.042 s) : 0, 1041720
Total [baseline] (10.352 s) : 0, 10351945
Agent [candidate] (1.047 s) : 0, 1046615
Total [candidate] (10.458 s) : 0, 10458474
section appsec
Agent [baseline] (1.185 s) : 0, 1185122
Total [baseline] (10.76 s) : 0, 10759597
Agent [candidate] (1.184 s) : 0, 1183582
Total [candidate] (10.704 s) : 0, 10704230
section iast
Agent [baseline] (1.17 s) : 0, 1170015
Total [baseline] (11.036 s) : 0, 11035733
Agent [candidate] (1.169 s) : 0, 1168873
Total [candidate] (11.012 s) : 0, 11011537
section profiling
Agent [baseline] (1.265 s) : 0, 1265335
Total [baseline] (10.908 s) : 0, 10908215
Agent [candidate] (1.262 s) : 0, 1261880
Total [candidate] (10.89 s) : 0, 10890448

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.042 s	-
Agent	appsec	1.185 s	143.402 ms (13.8%)
Agent	iast	1.17 s	128.295 ms (12.3%)
Agent	profiling	1.265 s	223.615 ms (21.5%)
Total	tracing	10.352 s	-
Total	appsec	10.76 s	407.652 ms (3.9%)
Total	iast	11.036 s	683.788 ms (6.6%)
Total	profiling	10.908 s	556.27 ms (5.4%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.047 s	-
Agent	appsec	1.184 s	136.967 ms (13.1%)
Agent	iast	1.169 s	122.258 ms (11.7%)
Agent	profiling	1.262 s	215.266 ms (20.6%)
Total	tracing	10.458 s	-
Total	appsec	10.704 s	245.755 ms (2.3%)
Total	iast	11.012 s	553.063 ms (5.3%)
Total	profiling	10.89 s	431.974 ms (4.1%)

gantt
    title petclinic - break down per module: candidate=1.47.0-SNAPSHOT~a8c6e1b185, baseline=1.47.0-SNAPSHOT~ccc22c5138

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (717.752 ms) : 0, 717752
BytebuddyAgent [candidate] (722.298 ms) : 0, 722298
GlobalTracer [baseline] (239.129 ms) : 0, 239129
GlobalTracer [candidate] (240.357 ms) : 0, 240357
AppSec [baseline] (55.589 ms) : 0, 55589
AppSec [candidate] (55.937 ms) : 0, 55937
Remote Config [baseline] (685.48 µs) : 0, 685
Remote Config [candidate] (696.969 µs) : 0, 697
Telemetry [baseline] (13.613 ms) : 0, 13613
Telemetry [candidate] (12.337 ms) : 0, 12337
section appsec
BytebuddyAgent [baseline] (736.825 ms) : 0, 736825
BytebuddyAgent [candidate] (735.233 ms) : 0, 735233
GlobalTracer [baseline] (236.588 ms) : 0, 236588
GlobalTracer [candidate] (236.458 ms) : 0, 236458
IAST [baseline] (21.77 ms) : 0, 21770
IAST [candidate] (21.713 ms) : 0, 21713
AppSec [baseline] (176.963 ms) : 0, 176963
AppSec [candidate] (177.156 ms) : 0, 177156
Remote Config [baseline] (653.699 µs) : 0, 654
Remote Config [candidate] (662.593 µs) : 0, 663
Telemetry [baseline] (8.308 ms) : 0, 8308
Telemetry [candidate] (8.278 ms) : 0, 8278
section iast
BytebuddyAgent [baseline] (836.076 ms) : 0, 836076
BytebuddyAgent [candidate] (835.312 ms) : 0, 835312
GlobalTracer [baseline] (229.883 ms) : 0, 229883
GlobalTracer [candidate] (229.944 ms) : 0, 229944
IAST [baseline] (22.73 ms) : 0, 22730
IAST [candidate] (22.708 ms) : 0, 22708
AppSec [baseline] (57.035 ms) : 0, 57035
AppSec [candidate] (56.801 ms) : 0, 56801
Remote Config [baseline] (609.892 µs) : 0, 610
Remote Config [candidate] (601.893 µs) : 0, 602
Telemetry [baseline] (8.74 ms) : 0, 8740
Telemetry [candidate] (8.601 ms) : 0, 8601
section profiling
BytebuddyAgent [baseline] (711.653 ms) : 0, 711653
BytebuddyAgent [candidate] (712.408 ms) : 0, 712408
GlobalTracer [baseline] (350.287 ms) : 0, 350287
GlobalTracer [candidate] (349.318 ms) : 0, 349318
AppSec [baseline] (55.65 ms) : 0, 55650
AppSec [candidate] (54.135 ms) : 0, 54135
Remote Config [baseline] (670.487 µs) : 0, 670
Remote Config [candidate] (662.154 µs) : 0, 662
Telemetry [baseline] (8.989 ms) : 0, 8989
Telemetry [candidate] (8.893 ms) : 0, 8893
ProfilingAgent [baseline] (97.679 ms) : 0, 97679
ProfilingAgent [candidate] (95.874 ms) : 0, 95874
Profiling [baseline] (97.704 ms) : 0, 97704
Profiling [candidate] (95.898 ms) : 0, 95898

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
end_time	2025-02-28T08:04:59	2025-02-28T08:12:43
git_branch	master	alejandro.gonzalez/weak-randomness-false-positives
git_commit_date	1740676228	1740729237
git_commit_sha	`ccc22c5`	`a8c6e1b`
release_version	1.47.0-SNAPSHOT~ccc22c5138	1.47.0-SNAPSHOT~a8c6e1b185
start_time	2025-02-28T08:04:46	2025-02-28T08:12:29

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1740730759	1740730759
ci_job_id	827218833	827218833
ci_pipeline_id	57304662	57304662
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-p8xzvopw-project-304-concurrent-0-k6q0yfs2 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-p8xzvopw-project-304-concurrent-0-k6q0yfs2 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 18 unstable metrics.

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.47.0-SNAPSHOT~a8c6e1b185, baseline=1.47.0-SNAPSHOT~ccc22c5138
    dateFormat X
    axisFormat %s
section baseline
no_agent (381.849 µs) : 362, 402
.   : milestone, 382,
iast (508.552 µs) : 486, 531
.   : milestone, 509,
iast_FULL (731.058 µs) : 708, 754
.   : milestone, 731,
iast_GLOBAL (559.633 µs) : 537, 582
.   : milestone, 560,
iast_HARDCODED_SECRET_DISABLED (505.353 µs) : 484, 527
.   : milestone, 505,
iast_INACTIVE (459.698 µs) : 438, 481
.   : milestone, 460,
iast_TELEMETRY_OFF (498.586 µs) : 475, 522
.   : milestone, 499,
tracing (458.673 µs) : 437, 480
.   : milestone, 459,
section candidate
no_agent (376.34 µs) : 357, 396
.   : milestone, 376,
iast (509.589 µs) : 487, 532
.   : milestone, 510,
iast_FULL (726.139 µs) : 704, 748
.   : milestone, 726,
iast_GLOBAL (561.832 µs) : 539, 585
.   : milestone, 562,
iast_HARDCODED_SECRET_DISABLED (507.007 µs) : 484, 530
.   : milestone, 507,
iast_INACTIVE (457.277 µs) : 436, 479
.   : milestone, 457,
iast_TELEMETRY_OFF (498.367 µs) : 475, 522
.   : milestone, 498,
tracing (454.664 µs) : 433, 476
.   : milestone, 455,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	381.849 µs [362.057 µs, 401.642 µs]	-
iast	508.552 µs [486.063 µs, 531.041 µs]	126.703 µs (33.2%)
iast_FULL	731.058 µs [707.665 µs, 754.452 µs]	349.209 µs (91.5%)
iast_GLOBAL	559.633 µs [536.961 µs, 582.306 µs]	177.784 µs (46.6%)
iast_HARDCODED_SECRET_DISABLED	505.353 µs [484.026 µs, 526.679 µs]	123.503 µs (32.3%)
iast_INACTIVE	459.698 µs [438.001 µs, 481.396 µs]	77.849 µs (20.4%)
iast_TELEMETRY_OFF	498.586 µs [475.193 µs, 521.98 µs]	116.737 µs (30.6%)
tracing	458.673 µs [437.456 µs, 479.891 µs]	76.824 µs (20.1%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	376.34 µs [356.792 µs, 395.888 µs]	-
iast	509.589 µs [486.837 µs, 532.341 µs]	133.249 µs (35.4%)
iast_FULL	726.139 µs [704.251 µs, 748.028 µs]	349.799 µs (92.9%)
iast_GLOBAL	561.832 µs [539.1 µs, 584.564 µs]	185.492 µs (49.3%)
iast_HARDCODED_SECRET_DISABLED	507.007 µs [484.013 µs, 530.001 µs]	130.667 µs (34.7%)
iast_INACTIVE	457.277 µs [435.881 µs, 478.672 µs]	80.936 µs (21.5%)
iast_TELEMETRY_OFF	498.367 µs [474.841 µs, 521.894 µs]	122.027 µs (32.4%)
tracing	454.664 µs [433.365 µs, 475.962 µs]	78.323 µs (20.8%)

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.47.0-SNAPSHOT~a8c6e1b185, baseline=1.47.0-SNAPSHOT~ccc22c5138
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.37 ms) : 1351, 1389
.   : milestone, 1370,
appsec (1.731 ms) : 1706, 1755
.   : milestone, 1731,
appsec_no_iast (1.738 ms) : 1714, 1762
.   : milestone, 1738,
code_origins (1.678 ms) : 1645, 1712
.   : milestone, 1678,
iast (1.502 ms) : 1478, 1526
.   : milestone, 1502,
profiling (1.526 ms) : 1501, 1551
.   : milestone, 1526,
tracing (1.487 ms) : 1463, 1512
.   : milestone, 1487,
section candidate
no_agent (1.343 ms) : 1323, 1363
.   : milestone, 1343,
appsec (1.712 ms) : 1689, 1736
.   : milestone, 1712,
appsec_no_iast (1.754 ms) : 1729, 1779
.   : milestone, 1754,
code_origins (1.687 ms) : 1654, 1720
.   : milestone, 1687,
iast (1.518 ms) : 1494, 1542
.   : milestone, 1518,
profiling (1.492 ms) : 1469, 1516
.   : milestone, 1492,
tracing (1.483 ms) : 1459, 1508
.   : milestone, 1483,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.37 ms [1.351 ms, 1.389 ms]	-
appsec	1.731 ms [1.706 ms, 1.755 ms]	361.248 µs (26.4%)
appsec_no_iast	1.738 ms [1.714 ms, 1.762 ms]	368.376 µs (26.9%)
code_origins	1.678 ms [1.645 ms, 1.712 ms]	308.599 µs (22.5%)
iast	1.502 ms [1.478 ms, 1.526 ms]	132.081 µs (9.6%)
profiling	1.526 ms [1.501 ms, 1.551 ms]	156.511 µs (11.4%)
tracing	1.487 ms [1.463 ms, 1.512 ms]	117.864 µs (8.6%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.343 ms [1.323 ms, 1.363 ms]	-
appsec	1.712 ms [1.689 ms, 1.736 ms]	369.403 µs (27.5%)
appsec_no_iast	1.754 ms [1.729 ms, 1.779 ms]	410.928 µs (30.6%)
code_origins	1.687 ms [1.654 ms, 1.72 ms]	343.831 µs (25.6%)
iast	1.518 ms [1.494 ms, 1.542 ms]	175.225 µs (13.0%)
profiling	1.492 ms [1.469 ms, 1.516 ms]	149.259 µs (11.1%)
tracing	1.483 ms [1.459 ms, 1.508 ms]	140.318 µs (10.4%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/weak-randomness-false-positives
git_commit_date	1740676228	1740729237
git_commit_sha	`ccc22c5`	`a8c6e1b`
release_version	1.47.0-SNAPSHOT~ccc22c5138	1.47.0-SNAPSHOT~a8c6e1b185

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1740731252	1740731252
ci_job_id	827218834	827218834
ci_pipeline_id	57304662	57304662
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-yyi4imu-project-304-concurrent-1-4npmpd9w 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-yyi4imu-project-304-concurrent-1-4npmpd9w 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
variant	appsec	appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.47.0-SNAPSHOT~a8c6e1b185, baseline=1.47.0-SNAPSHOT~ccc22c5138
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.473 ms) : 1461, 1485
.   : milestone, 1473,
appsec (2.323 ms) : 2280, 2366
.   : milestone, 2323,
iast (2.114 ms) : 2059, 2169
.   : milestone, 2114,
iast_GLOBAL (2.15 ms) : 2094, 2205
.   : milestone, 2150,
profiling (1.977 ms) : 1933, 2021
.   : milestone, 1977,
tracing (1.944 ms) : 1902, 1987
.   : milestone, 1944,
section candidate
no_agent (1.472 ms) : 1461, 1484
.   : milestone, 1472,
appsec (2.32 ms) : 2277, 2363
.   : milestone, 2320,
iast (2.103 ms) : 2049, 2158
.   : milestone, 2103,
iast_GLOBAL (2.147 ms) : 2091, 2202
.   : milestone, 2147,
profiling (1.96 ms) : 1916, 2003
.   : milestone, 1960,
tracing (1.943 ms) : 1901, 1985
.   : milestone, 1943,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.473 ms [1.461 ms, 1.485 ms]	-
appsec	2.323 ms [2.28 ms, 2.366 ms]	850.254 µs (57.7%)
iast	2.114 ms [2.059 ms, 2.169 ms]	640.902 µs (43.5%)
iast_GLOBAL	2.15 ms [2.094 ms, 2.205 ms]	676.761 µs (45.9%)
profiling	1.977 ms [1.933 ms, 2.021 ms]	504.222 µs (34.2%)
tracing	1.944 ms [1.902 ms, 1.987 ms]	471.459 µs (32.0%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.472 ms [1.461 ms, 1.484 ms]	-
appsec	2.32 ms [2.277 ms, 2.363 ms]	847.841 µs (57.6%)
iast	2.103 ms [2.049 ms, 2.158 ms]	630.985 µs (42.9%)
iast_GLOBAL	2.147 ms [2.091 ms, 2.202 ms]	674.224 µs (45.8%)
profiling	1.96 ms [1.916 ms, 2.003 ms]	487.339 µs (33.1%)
tracing	1.943 ms [1.901 ms, 1.985 ms]	470.794 µs (32.0%)

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.47.0-SNAPSHOT~a8c6e1b185, baseline=1.47.0-SNAPSHOT~ccc22c5138
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.282 s) : 15282000, 15282000
.   : milestone, 15282000,
appsec (15.107 s) : 15107000, 15107000
.   : milestone, 15107000,
iast (18.533 s) : 18533000, 18533000
.   : milestone, 18533000,
iast_GLOBAL (18.102 s) : 18102000, 18102000
.   : milestone, 18102000,
profiling (15.732 s) : 15732000, 15732000
.   : milestone, 15732000,
tracing (14.967 s) : 14967000, 14967000
.   : milestone, 14967000,
section candidate
no_agent (14.787 s) : 14787000, 14787000
.   : milestone, 14787000,
appsec (14.836 s) : 14836000, 14836000
.   : milestone, 14836000,
iast (18.366 s) : 18366000, 18366000
.   : milestone, 18366000,
iast_GLOBAL (17.989 s) : 17989000, 17989000
.   : milestone, 17989000,
profiling (14.855 s) : 14855000, 14855000
.   : milestone, 14855000,
tracing (14.939 s) : 14939000, 14939000
.   : milestone, 14939000,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.282 s [15.282 s, 15.282 s]	-
appsec	15.107 s [15.107 s, 15.107 s]	-175.0 ms (-1.1%)
iast	18.533 s [18.533 s, 18.533 s]	3.251 s (21.3%)
iast_GLOBAL	18.102 s [18.102 s, 18.102 s]	2.82 s (18.5%)
profiling	15.732 s [15.732 s, 15.732 s]	450.0 ms (2.9%)
tracing	14.967 s [14.967 s, 14.967 s]	-315.0 ms (-2.1%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	14.787 s [14.787 s, 14.787 s]	-
appsec	14.836 s [14.836 s, 14.836 s]	49.0 ms (0.3%)
iast	18.366 s [18.366 s, 18.366 s]	3.579 s (24.2%)
iast_GLOBAL	17.989 s [17.989 s, 17.989 s]	3.202 s (21.7%)
profiling	14.855 s [14.855 s, 14.855 s]	68.0 ms (0.5%)
tracing	14.939 s [14.939 s, 14.939 s]	152.0 ms (1.0%)

…ositives

| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.46.1` -> `1.47.0` | | [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.46.1` -> `1.47.0` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | | [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | --- ### Release Notes <details> <summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary> ### [`v1.47.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.47.0): 1.47.0 ##### Components ##### Application Security Management (IAST) - 🐛 Exclude com.stripe.net.HttpURLConnectionClient to solve IAST SSRF vulnerability false positives ([#8483](DataDog/dd-trace-java#8483) - [@jandro996](https://github.com/jandro996)) - 🐛 Add exclusion to solve IAST weak randomness vulnerability false positives ([#8462](DataDog/dd-trace-java#8462) - [@jandro996](https://github.com/jandro996)) - ✨ Fix weak randomness false positive in Kafka client ([#8408](DataDog/dd-trace-java#8408) - [@smola](https://github.com/smola)) - ✨ Fix location for SSRF with Kong Unirest ([#8407](DataDog/dd-trace-java#8407) - [@smola](https://github.com/smola)) - ✨ Exclude IBM Instana from IAST ([#8406](DataDog/dd-trace-java#8406) - [@smola](https://github.com/smola)) - 🐛 Fix org.json iast instrumentation test for latest dependency ([#8347](DataDog/dd-trace-java#8347) - [@jandro996](https://github.com/jandro996)) - ✨ Configuration to Disable APM Tracing ([#8219](DataDog/dd-trace-java#8219) - [@jandro996](https://github.com/jandro996)) - ✨ Address cookie vulnerability cardinality issues ([#8210](DataDog/dd-trace-java#8210) - [@jandro996](https://github.com/jandro996)) - ✨ Email HTML Injection detection in IAST ([#8205](DataDog/dd-trace-java#8205) - [@sezen-datadog](https://github.com/sezen-datadog)) ##### Application Security Management (WAF) - 🐛✨ Ensure usr.exists tag is not overridden when UsernameNotFoundException is thrown ([#8376](DataDog/dd-trace-java#8376) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - 🐛✨ Ensure usr.exists tag is not overridden by auto instrumentation ([#8374](DataDog/dd-trace-java#8374) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Update appsec metrics with event_rules_version tag ([#8354](DataDog/dd-trace-java#8354) - [@sezen-datadog](https://github.com/sezen-datadog)) - ✨ Update metrics: appsec.waf.requests ([#8353](DataDog/dd-trace-java#8353) - [@Mariovido](https://github.com/Mariovido)) - ✨ Improve ASM support in vert.x 5.0 ([#8285](DataDog/dd-trace-java#8285) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Update metrics: appsec.waf.updates and appsec.waf.init ([#8280](DataDog/dd-trace-java#8280) - [@Mariovido](https://github.com/Mariovido)) - ✨ Configuration to Disable APM Tracing ([#8219](DataDog/dd-trace-java#8219) - [@jandro996](https://github.com/jandro996)) ##### Build & Tooling - 🐛 Do not generate Muzzle references for primitive arrays in method body ([#8361](DataDog/dd-trace-java#8361) - [@amarziali](https://github.com/amarziali)) - 📖 Improve dev env setup documentation for Windows ([#8180](DataDog/dd-trace-java#8180) - [@lucaspimentel](https://github.com/lucaspimentel)) ##### Continuous Integration Visibility - ✨ Add support for skip-EFD tagging ([#8487](DataDog/dd-trace-java#8487) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - 🐛 Fix an NPE in Gradle Android instrumentation ([#8484](DataDog/dd-trace-java#8484) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Consider modified tests when applying fail-fast tests ordering ([#8474](DataDog/dd-trace-java#8474) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Implement tests reordering for TestNG ([#8467](DataDog/dd-trace-java#8467) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - 🐛 Fix Gradle Launcher instrumentation to not interfere with Gradle Test Kit ([#8465](DataDog/dd-trace-java#8465) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - 🧹 Use separate TestEventHandlers per framework in CI Vis instrumentations ([#8451](DataDog/dd-trace-java#8451) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Remove warning log when JUnit 4 test method cannot be retrieved ([#8445](DataDog/dd-trace-java#8445) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - 🐛 Fix Scalatest tracing for tests that are reported asynchronously ([#8444](DataDog/dd-trace-java#8444) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Implement attempt to fix tests ([#8393](DataDog/dd-trace-java#8393) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Implement test disabling ([#8377](DataDog/dd-trace-java#8377) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Update CODEOWNERS parser to not log errors on comments with leading whitespace ([#8349](DataDog/dd-trace-java#8349) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Request Test Management tests list ([#8345](DataDog/dd-trace-java#8345) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Receive test management settings from CIVis settings request ([#8331](DataDog/dd-trace-java#8331) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Implement quarantined tests tagging ([#8326](DataDog/dd-trace-java#8326) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Implement tests quarantining ([#8320](DataDog/dd-trace-java#8320) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Add tag to specify if the user is setting DD_SERVICE ([#8318](DataDog/dd-trace-java#8318) - [@daniel-mohedano](https://github.com/daniel-mohedano)) ##### Crash tracking - ✨ Only fork jps when required ([#8419](DataDog/dd-trace-java#8419) - [@mcculls](https://github.com/mcculls)) - 🐛 Use Java home of the crashed process to launch crash uploader ([#8348](DataDog/dd-trace-java#8348) - [@jbachorik](https://github.com/jbachorik)) ##### Data Streams Monitoring - 🐛 Fix error happening when sqs message attributes are readonly ([#8473](DataDog/dd-trace-java#8473) - [@vandonr](https://github.com/vandonr)) - 🐛 Fix bug on proto schema extraction ([#8403](DataDog/dd-trace-java#8403) - [@vandonr](https://github.com/vandonr)) - 🐛 Fix service name overrides in consumers ([#8387](DataDog/dd-trace-java#8387) - [@piochelepiotr](https://github.com/piochelepiotr)) ##### Database Monitoring - ✨ Add DBMTracePreparedStatements to tracer configuration log ([#8508](DataDog/dd-trace-java#8508) - [@cecile75](https://github.com/cecile75)) ##### Dynamic Instrumentation - ✨ Look in another location for grpc service methods ([#8468](DataDog/dd-trace-java#8468) - [@evanchooly](https://github.com/evanchooly)) - 🐛 Fix Exception Replay with Lambda proxy classes ([#8452](DataDog/dd-trace-java#8452) - [@jpbempel](https://github.com/jpbempel)) - ✨ Add code origin support for spring-webmvc ([#8416](DataDog/dd-trace-java#8416) - [@evanchooly](https://github.com/evanchooly)) - ✨ Add support for scanning jar from loaded class ([#8370](DataDog/dd-trace-java#8370) - [@jpbempel](https://github.com/jpbempel)) - 🐛 Disable capture of entry values ([#8369](DataDog/dd-trace-java#8369) - [@jpbempel](https://github.com/jpbempel)) - 🐛 Fix CodeOrigin for `@Trace` annotation ([#8344](DataDog/dd-trace-java#8344) - [@jpbempel](https://github.com/jpbempel)) - 🐛 Fix equals/hashCode for CodeOrigin probe ([#8319](DataDog/dd-trace-java#8319) - [@jpbempel](https://github.com/jpbempel)) - ✨ Add code origin support to kafka message listeners ([#8301](DataDog/dd-trace-java#8301) - [@evanchooly](https://github.com/evanchooly)) ##### Metrics - ✨ Create metric: appsec.waf.error ([#8381](DataDog/dd-trace-java#8381) - [@sezen-datadog](https://github.com/sezen-datadog)) - ✨ Create metric: appsec.rasp.error ([#8364](DataDog/dd-trace-java#8364) - [@sezen-datadog](https://github.com/sezen-datadog)) ##### Profiling - ✨ Bump ddprof library to 1.22.0 ([#8463](DataDog/dd-trace-java#8463) - [@jbachorik](https://github.com/jbachorik)) - IBM J9 8u361 corresponds to OpenJDK 8u362 by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#187 - Fix compatibility with musl libc 1.2.4 by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#189 - Modify version extraction by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#179 - Do not write null values to jvminfo event by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#184 - Productize VMStructs-based stack walker by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#177 - A few minor downport issues by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#180 - Enable ASGCT by default on fairly safe J9 JDK versions by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#181 - 🐛 Exclude OrderedThreadPoolExecutor from queue-time measurements ([#8456](DataDog/dd-trace-java#8456) - [@jbachorik](https://github.com/jbachorik)) - ✨ Record JVM info on JVMs without JFR ([#8431](DataDog/dd-trace-java#8431) - [@jbachorik](https://github.com/jbachorik)) - 🐛 Actually use CleanupTask in TempLocationManager ([#8420](DataDog/dd-trace-java#8420) - [@mcculls](https://github.com/mcculls)) - ✨ Only fork jps when required ([#8419](DataDog/dd-trace-java#8419) - [@mcculls](https://github.com/mcculls)) - 🐛 Adjust JFR checks for J9 ([#8405](DataDog/dd-trace-java#8405) - [@jbachorik](https://github.com/jbachorik)) - 🧹 Disable smap RSS parsing by default ([#8342](DataDog/dd-trace-java#8342) - [@MattAlp](https://github.com/MattAlp)) ##### Telemetry - 🐛 Add support for JBoss jar:file format to DependencyResolver ([#8428](DataDog/dd-trace-java#8428) - [@jandro996](https://github.com/jandro996)) - ✨ Update metrics: appsec.waf.requests ([#8353](DataDog/dd-trace-java#8353) - [@Mariovido](https://github.com/Mariovido)) ##### Trace context propagation - ✨ Introduce tracing propagator ([#8313](DataDog/dd-trace-java#8313) - [@PerfectSlayer](https://github.com/PerfectSlayer)) ##### Tracer core - 🐛 Fix Stable Config telemetry source names ([#8460](DataDog/dd-trace-java#8460) - [@BaptisteFoy](https://github.com/BaptisteFoy)) - ✨ Probe trace endpoints with a valid payload of empty arrays ([#8414](DataDog/dd-trace-java#8414) - [@mcculls](https://github.com/mcculls)) - ✨ Add 1 minute fail-safe to JUL/JMX class-loading callback ([#8399](DataDog/dd-trace-java#8399) - [@mcculls](https://github.com/mcculls)) - ✨ Migrate DSM injection calls to context-first APIs ([#8383](DataDog/dd-trace-java#8383) - [@PerfectSlayer](https://github.com/PerfectSlayer)) - 🧹 Move continuation capture methods from scope to tracer ([#8371](DataDog/dd-trace-java#8371) - [@mcculls](https://github.com/mcculls)) - ✨ Migrate context extraction calls to context-first APIs ([#8368](DataDog/dd-trace-java#8368) - [@PerfectSlayer](https://github.com/PerfectSlayer)) - 🧹 Migrate context injection calls to context-first APIs ([#8358](DataDog/dd-trace-java#8358) - [@PerfectSlayer](https://github.com/PerfectSlayer)) - 💡 Support reading configurations from files ([#8338](DataDog/dd-trace-java#8338) - [@mtoffl01](https://github.com/mtoffl01)) - 💡 Implementation of BaggagePropagator and BaggageContext ([#8330](DataDog/dd-trace-java#8330) - [@mhlidd](https://github.com/mhlidd)) - 🧹 Combine continuation implementations into one which supports multiple activations ([#8324](DataDog/dd-trace-java#8324) - [@mcculls](https://github.com/mcculls)) - ✨ Introduce tracing propagator ([#8313](DataDog/dd-trace-java#8313) - [@PerfectSlayer](https://github.com/PerfectSlayer)) - ✨ Remove old context propagation API ([#8271](DataDog/dd-trace-java#8271) - [@PerfectSlayer](https://github.com/PerfectSlayer)) ##### Instrumentations ##### AWS Lambda instrumentation - 🐛 Send error message and stack to Lambda extension ([#8417](DataDog/dd-trace-java#8417) - [@nhulston](https://github.com/nhulston)) ##### AWS SDK instrumentation - 🐛 Fix error happening when sqs message attributes are readonly ([#8473](DataDog/dd-trace-java#8473) - [@vandonr](https://github.com/vandonr)) - 💡 Inject trace context into AWS Step Functions input ([#7585](DataDog/dd-trace-java#7585) - [@DylanLovesCoffee](https://github.com/DylanLovesCoffee)) ##### Core Java language instrumentation - ✨ Look in another location for grpc service methods ([#8468](DataDog/dd-trace-java#8468) - [@evanchooly](https://github.com/evanchooly)) - ✨ Add code origin support for spring-webmvc ([#8416](DataDog/dd-trace-java#8416) - [@evanchooly](https://github.com/evanchooly)) - 💡 Implementation of BaggagePropagator and BaggageContext ([#8330](DataDog/dd-trace-java#8330) - [@mhlidd](https://github.com/mhlidd)) - ✨ Add code origin support to kafka message listeners ([#8301](DataDog/dd-trace-java#8301) - [@evanchooly](https://github.com/evanchooly)) ##### gRPC instrumentation - ✨ Look in another location for grpc service methods ([#8468](DataDog/dd-trace-java#8468) - [@evanchooly](https://github.com/evanchooly)) ##### Kafka instrumentation - ✨ Add messaging.destination.name tag to kafka integrations ([#8366](DataDog/dd-trace-java#8366) - [@rarguelloF](https://github.com/rarguelloF)) ##### Protocol Buffer instrumentation - 🐛 Fix bug on proto schema extraction ([#8403](DataDog/dd-trace-java#8403) - [@vandonr](https://github.com/vandonr)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: 108a0f86aa59ab4c938cbac0688dd4c19cb301fa

add exclusion for APPSEC-56887

8c9abd5

jandro996 added type: bug comp: asm iast Application Security Management (IAST) labels Feb 27, 2025

Merge branch 'master' into alejandro.gonzalez/weak-randomness-false-p…

a8c6e1b

…ositives

jandro996 marked this pull request as ready for review February 28, 2025 09:13

jandro996 requested a review from a team as a code owner February 28, 2025 09:13

jandro996 requested review from smola, sezen-datadog and manuel-alvarez-alvarez February 28, 2025 09:13

smola approved these changes Feb 28, 2025

View reviewed changes

manuel-alvarez-alvarez approved these changes Feb 28, 2025

View reviewed changes

jandro996 merged commit 6a2bd8d into master Feb 28, 2025
217 checks passed

jandro996 deleted the alejandro.gonzalez/weak-randomness-false-positives branch February 28, 2025 13:01

github-actions bot added this to the 1.47.0 milestone Feb 28, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add exclusion to solve IAST weak randomness vulnerability false positives #8462

Add exclusion to solve IAST weak randomness vulnerability false positives #8462

Uh oh!

jandro996 commented Feb 27, 2025 •

edited by jira bot

Loading

Uh oh!

pr-commenter bot commented Feb 27, 2025 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Add exclusion to solve IAST weak randomness vulnerability false positives #8462

Add exclusion to solve IAST weak randomness vulnerability false positives #8462

Uh oh!

Conversation

jandro996 commented Feb 27, 2025 • edited by jira bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What Does This Do

Motivation

Additional Notes

Contributor Checklist

Uh oh!

pr-commenter bot commented Feb 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Benchmarks

Startup

Parameters

Summary

Load

Parameters

Summary

Dacapo

Parameters

Summary

Uh oh!

Uh oh!

Uh oh!

jandro996 commented Feb 27, 2025 •

edited by jira bot

Loading

pr-commenter bot commented Feb 27, 2025 •

edited

Loading