Short circuit for WAF/RASP calls #7630
Benchmarks
candidate=1.40.0-SNAPSHOT~ea350f0b9c, baseline=1.40.0-SNAPSHOT~f6810002f7

Startup
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 50 metrics, 13 unstable metrics.
[Gantt charts: insecure-bank and petclinic, global startup overhead and break down per module]

Load
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.
[Gantt charts: petclinic and insecure-bank, request duration [CI 0.99]]

Dacapo
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
[Gantt charts: tomcat and biojava, execution time [CI 0.99]]
Not sure if it already exists (I don't have deep knowledge of this topic), but it would be nice to have some test cases to test what is explained in the JIRA ticket:
If you think it's not necessary, feel free to continue with the merge! :)
As discussed offline, we should add the tests. I can see us regressing here without a test.
* Removed hardcoded WAF addresses
* Missing test
What Does This Do
Removed hardcoded addresses for WAF/RASP calls, to increase overall performance.
Motivation
To avoid redundant calls and decrease overhead, call WAF/RASP only when the rules contain specific addresses.
If an address is absent or disabled in the rules, then we should avoid WAF/RASP calls.
Also, no RASP metric should be generated in this case.
Additional Notes
Contributor Checklist
type: and (comp: or inst:) labels in addition to any useful labels
close, fix or any linking keywords when referencing an issue. Use solves instead, and assign the PR milestone to the issue
Jira ticket: APPSEC-54878
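
The short circuit described under Motivation, as an added Java sketch that is not code from this PR or from the project: the class, its methods and the stand-in WAF function are hypothetical, and the address strings are constructed sample values. It shows the two properties the description asks for: a hook whose address no enabled rule consumes makes no WAF call and produces no RASP metric, and a rules update changes that decision.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Function;

/** Hypothetical gate: skips WAF/RASP evaluation for addresses no enabled rule consumes. */
public class ShortCircuitDemo {
  // Replaced as a whole on every rules update, so readers never see a partial set.
  private volatile Set<String> activeAddresses = Set.of();
  private final AtomicLong raspEvals = new AtomicLong(); // stands in for the RASP metric
  private final Function<Map<String, Object>, Boolean> waf; // stand-in for the WAF call

  ShortCircuitDemo(Function<Map<String, Object>, Boolean> waf) {
    this.waf = waf;
  }

  /** Call whenever rules are (re)loaded; disabled rules must not contribute addresses. */
  void onRulesUpdated(Set<String> addressesUsedByEnabledRules) {
    activeAddresses = Set.copyOf(addressesUsedByEnabledRules);
  }

  /** Returns true if the operation should be blocked. */
  boolean checkRasp(String address, Object value) {
    if (!activeAddresses.contains(address)) {
      return false; // short circuit: no WAF call and no metric
    }
    raspEvals.incrementAndGet();
    return waf.apply(Map.of(address, value));
  }

  long raspEvals() {
    return raspEvals.get();
  }

  public static void main(String[] args) {
    long[] wafCalls = {0};
    ShortCircuitDemo gate = new ShortCircuitDemo(data -> { wafCalls[0]++; return false; });

    // Constructed rule set: only a rule on the outbound-URL address is enabled.
    gate.onRulesUpdated(Set.of("server.io.net.url"));
    gate.checkRasp("server.io.net.url", "http://example.test/"); // evaluated
    gate.checkRasp("server.db.statement", "SELECT 1");           // skipped
    System.out.println("waf calls=" + wafCalls[0] + ", rasp metric=" + gate.raspEvals());

    // A rules update that removes the last rule: every hook is now skipped.
    gate.onRulesUpdated(Set.of());
    gate.checkRasp("server.io.net.url", "http://example.test/");
    System.out.println("waf calls=" + wafCalls[0] + ", rasp metric=" + gate.raspEvals());
  }
}
```

A regression test of the kind requested in the review comments would assert that both counters stay unchanged for the skipped calls and increase again once a rule using the address is reloaded.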