feat(iast): check secure marks in ranges before reporting vulnerabilities #13044

Merged: avara1986 merged 58 commits into main from avara1986/APPSEC-56946_cmdi_secure_mark_check on Apr 8, 2025
Conversation
Benchmarks: Benchmark execution time: 2025-04-08 10:27:41. Comparing candidate commit 1f4c41b in PR branch. Found 1 performance improvement and 1 performance regression! Performance is the same for 494 metrics, 2 unstable metrics.
- scenario:iast_aspects-ospathdirname_aspect
- scenario:iast_aspects-ospathsplitdrive_aspect
chojomok pushed a commit that referenced this pull request on Apr 7, 2025:
This PR reorganizes the SQL injection detection logic by moving it to the IAST folder structure. The changes include:
- Relocated SQL injection detection code from contrib to ddtrace/appsec/_iast/
- Consolidated SQL injection related functionality in a dedicated location
- Improved code organization and maintainability
- Maintained existing functionality while improving code structure
- Updated imports and references to reflect new file locations

This refactoring aligns with our ongoing efforts to better organize IAST-related code and makes the codebase more maintainable by grouping related security features together. No functional changes are included in this PR; it's purely organizational.

Related to: #13044 and APPSEC-56946

- [x] PR author has checked that all the criteria below are met
  - The PR description includes an overview of the change
  - The PR description articulates the motivation for the change
  - The change includes tests OR the PR description describes a testing strategy
  - The PR description notes risks associated with the change, if any
  - Newly-added code is easy to change
  - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
  - The change includes or references documentation updates if necessary
  - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [x] Reviewer has checked that all the criteria below are met
  - Title is accurate
  - All changes are related to the pull request's stated goal
  - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes
  - Testing strategy adequately addresses listed risks
  - Newly-added code is easy to change
  - Release note makes sense to a user of the library
  - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
christophe-papazian approved these changes on Apr 8, 2025
Labels: ASM (Application Security Monitoring); changelog/no-changelog (A changelog entry is not required for this PR.)
This PR enhances IAST vulnerability detection by implementing secure mark validation before reporting vulnerabilities. The changes include:
These changes improve the accuracy of vulnerability detection by ensuring that properly sanitized inputs (marked as secure) are not reported as vulnerabilities, reducing false positives in the IAST system.
Related to: APPSEC-56946 & APPSEC-57144
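As an added illustration of the check the PR describes (this is a toy model written for this page, not ddtrace's own taint-tracking code), the following models taint ranges that carry per-vulnerability secure marks: a sanitizer wrapper marks the ranges it neutralises, and a command-injection sink reports only when some tainted range still lacks the matching mark. The `SecureMark`, `TaintRange`, `Tainted` and `cmdi_sink` names are assumptions of this example.

```python
"""Toy model (assumed names, not ddtrace's API) of secure-mark checks at a sink."""
from dataclasses import dataclass, field
from enum import IntFlag
import shlex


class SecureMark(IntFlag):
    """One bit per vulnerability type a sanitizer can neutralise."""
    NONE = 0
    CMDI = 1
    SQLI = 2


@dataclass
class TaintRange:
    start: int
    length: int
    source: str
    marks: SecureMark = SecureMark.NONE


@dataclass
class Tainted:
    """A string plus its taint ranges (stand-in for the taint map)."""
    value: str
    ranges: list = field(default_factory=list)


def concat(a: Tainted, b: Tainted) -> Tainted:
    """String propagation: ranges of b are shifted past the length of a."""
    shifted = [TaintRange(r.start + len(a.value), r.length, r.source, r.marks) for r in b.ranges]
    return Tainted(a.value + b.value, a.ranges + shifted)


def quote_for_shell(t: Tainted) -> Tainted:
    """Sanitizer wrapper: the escaped value stays tainted but gains the CMDI mark."""
    out = shlex.quote(t.value)
    return Tainted(out, [TaintRange(0, len(out), r.source, r.marks | SecureMark.CMDI) for r in t.ranges])


def unmarked_ranges(t: Tainted, mark: SecureMark) -> list:
    """Ranges that were not sanitized for this vulnerability type."""
    return [r for r in t.ranges if not r.marks & mark]


def cmdi_sink(cmd: Tainted) -> bool:
    """True when the sink would report a command-injection vulnerability."""
    return bool(unmarked_ranges(cmd, SecureMark.CMDI))


if __name__ == "__main__":
    user = Tainted("x; id", [TaintRange(0, 5, "http.request.parameter")])  # constructed input
    print(cmdi_sink(concat(Tainted("ls "), user)), cmdi_sink(concat(Tainted("ls "), quote_for_shell(user))))  # True False
```

A range marked only for another vulnerability type (for example SQLI) is still reported at the CMDi sink, which is why marks are kept per vulnerability rather than as a single "safe" flag.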