Propagate AppSec blocking exceptions from bytebuddy suppressions #7516
Benchmarks
Startup
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 54 metrics, 9 unstable metrics.
[Gantt charts: startup time reports for petclinic and insecure-bank (global startup overhead; break down per module), candidate=1.42.0-SNAPSHOT~521e392227, baseline=1.42.0-SNAPSHOT~b2332408b0]
Load
Summary: Found 0 performance improvements and 1 performance regressions! Performance is the same for 6 metrics, 21 unstable metrics.
[Gantt charts: request duration reports for insecure-bank and petclinic (request duration, CI 0.99), candidate=1.42.0-SNAPSHOT~521e392227, baseline=1.42.0-SNAPSHOT~b2332408b0]
Dacapo
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
[Gantt charts: execution time for biojava and tomcat (execution time, CI 0.99), candidate=1.42.0-SNAPSHOT~521e392227, baseline=1.42.0-SNAPSHOT~b2332408b0]
nice work!
What Does This Do
Updates our exception handler so datadog.appsec.api.blocking.BlockingException can be propagated in our advices in order to effectively block attacks.

Motivation
AppSec protection relies on the usage of exceptions in order to block possible attacks; this PR ensures that the exceptions are not swallowed by our error handling mechanism.

Additional Notes
Contributor Checklist
type: and (comp: or inst:) labels in addition to any useful labels
close, fix or any linking keywords when referencing an issue. Use solves instead, and assign the PR milestone to the issue
Jira ticket: APPSEC-55498
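
The failure mode the description refers to, as an added example that is not code from this PR or from the project: a catch-all suppression around advice code swallows the blocking exception, so the application method still runs, while a handler that rethrows it lets the block take effect. The nested BlockingException is a stand-in for datadog.appsec.api.blocking.BlockingException (assumed here to be unchecked); SuppressionDemo, suppressAll, suppressExceptBlocking and handle are hypothetical names.

```java
import java.util.function.Consumer;

public class SuppressionDemo {
    // Stand-in for datadog.appsec.api.blocking.BlockingException (assumption: unchecked).
    static class BlockingException extends RuntimeException {
        BlockingException(String msg) { super(msg); }
    }

    // Before: every Throwable raised by instrumentation code is swallowed,
    // so the application method still runs after AppSec decided to block.
    static void suppressAll(Runnable advice) {
        try {
            advice.run();
        } catch (Throwable t) {
            System.err.println("suppressed: " + t);
        }
    }

    // After: instrumentation bugs stay suppressed, but a blocking decision propagates.
    static void suppressExceptBlocking(Runnable advice) {
        try {
            advice.run();
        } catch (BlockingException e) {
            throw e;
        } catch (Throwable t) {
            System.err.println("suppressed: " + t);
        }
    }

    // Hypothetical instrumented method: advice runs first, then the application body.
    static String handle(Consumer<Runnable> handler, Runnable advice) {
        try {
            handler.accept(advice);
            return "application code executed";
        } catch (BlockingException e) {
            return "request blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one advice that blocks, one that fails with an ordinary bug.
        Runnable attackDetected = () -> { throw new BlockingException("constructed rule match"); };
        Runnable adviceBug = () -> { throw new IllegalStateException("constructed advice bug"); };

        System.out.println(handle(SuppressionDemo::suppressAll, attackDetected));
        System.out.println(handle(SuppressionDemo::suppressExceptBlocking, attackDetected));
        System.out.println(handle(SuppressionDemo::suppressExceptBlocking, adviceBug));
    }
}
```

When reviewing instrumentation that uses catch-all suppression, a regression test of this shape (blocking exception in, request must not reach the application body) catches the case where protection silently degrades to detection only.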