
Fixed closing WAF context #7681

Merged
merged 10 commits into from
Sep 30, 2024

Contributor

@ValentinZakharov ValentinZakharov commented Sep 24, 2024

What Does This Do

Added extra checks to prevent exceptions from occurring in case the WAF context was closed earlier during the race condition.

Motivation

Reported exception from customers' service

io.sqreen.powerwaf.exception.UnclassifiedPowerwafException: Error calling WAF
io.sqreen.powerwaf.exception.UnclassifiedPowerwafException
  at (redacted: 2 frames)
  at com.datadog.appsec.powerwaf.PowerWAFModule.runPowerwafTransient(PowerWAFModule.java:634)
  at com.datadog.appsec.powerwaf.PowerWAFModule.access$700(PowerWAFModule.java:74)
  at com.datadog.appsec.powerwaf.PowerWAFModule$PowerWAFDataCallback.doRunPowerwaf(PowerWAFModule.java:617)
  at com.datadog.appsec.powerwaf.PowerWAFModule$PowerWAFDataCallback.onDataAvailable(PowerWAFModule.java:439)
  at com.datadog.appsec.event.EventDispatcher.publishDataEvent(EventDispatcher.java:148)
  at com.datadog.appsec.event.ReplaceableEventProducerService.publishDataEvent(ReplaceableEventProducerService.java:29)
  at com.datadog.appsec.gateway.GatewayBridge.onDatabaseSqlQuery(GatewayBridge.java:184)
  at datadog.trace.api.gateway.InstrumentationGateway$14.apply(InstrumentationGateway.java:389)
  at datadog.trace.api.gateway.InstrumentationGateway$14.apply(InstrumentationGateway.java:384)
  at datadog.trace.bootstrap.instrumentation.decorator.DatabaseClientDecorator.onRawStatement(DatabaseClientDecorator.java:130)
  at datadog.trace.instrumentation.jdbc.JDBCDecorator.onStatement(JDBCDecorator.java:216)
  at (redacted: 13 frames)
  at datadog.trace.instrumentation.springscheduling.SpannedMethodInvocation.invokeWithSpan(SpannedMethodInvocation.java:50)
  at datadog.trace.instrumentation.springscheduling.SpannedMethodInvocation.invokeWithContinuation(SpannedMethodInvocation.java:42)
  at datadog.trace.instrumentation.springscheduling.SpannedMethodInvocation.proceed(SpannedMethodInvocation.java:36)
  at (redacted)
  at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
  at java.base/java.lang.Thread.run(Thread.java:833)

Additional Notes

Occasional exceptions were observed when the root span and SQL query span executed concurrently. This created a risk of a race condition, where the WAF context could be prematurely closed and finalized before all parallel spans completed. Upon further investigation, the following issues were identified:

  1. An attempt to use the WAF context after the root span had already closed (since the WAF context was tied to the root span).
  2. Due to the premature closure of the WAF context, a new context was re-created but never released.

Contributor Checklist

Jira ticket: APPSEC-55391
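
The two issues listed under Additional Notes (use of the context after the root span closed it, and a re-created context that is never released), sketched as an added example that is not code from this pull request. `NativeCtx`, `RequestCtx` and `runIfOpen` are hypothetical names, and holding one lock around the whole call is a simplifying assumption.

```java
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical stand-in for a native WAF context (not the project's class).
final class NativeCtx implements AutoCloseable {
  static final AtomicInteger OPEN = new AtomicInteger(); // live native handles
  private boolean closed;

  NativeCtx() { OPEN.incrementAndGet(); }

  synchronized String run(String data) {
    if (closed) throw new IllegalStateException("context already closed");
    return "checked:" + data;
  }

  @Override public synchronized void close() {
    if (!closed) { closed = true; OPEN.decrementAndGet(); }
  }
}

// Hypothetical request-scoped holder whose lifetime is tied to the root span.
final class RequestCtx {
  private NativeCtx additive;
  private boolean additiveClosed;

  // Issue 2: once closed, return null instead of creating a fresh context
  // that nothing will ever release.
  synchronized NativeCtx getOrCreateAdditive() {
    if (additiveClosed) return null;
    if (additive == null) additive = new NativeCtx();
    return additive;
  }

  // The flag is set before close(), so no caller can observe
  // "closed handle, flag still false", even if close() throws.
  synchronized void closeAdditive() {
    additiveClosed = true;
    if (additive != null) {
      try { additive.close(); } finally { additive = null; }
    }
  }

  // Issue 1: check and use happen under the same lock as closeAdditive(),
  // so a late span gets a skipped check (null) rather than an exception.
  synchronized String runIfOpen(String data) {
    NativeCtx ctx = getOrCreateAdditive();
    return ctx == null ? null : ctx.run(data);
  }
}

public class WafContextRaceDemo {
  public static void main(String[] args) throws Exception {
    RequestCtx req = new RequestCtx();
    // Constructed workload: a "SQL span" thread racing the root-span close.
    Thread sqlSpan = new Thread(() -> {
      for (int i = 0; i < 100_000; i++) req.runIfOpen("SELECT 1");
    });
    sqlSpan.start();
    Thread.sleep(5);
    req.closeAdditive(); // root span finishes while the SQL span still runs
    sqlSpan.join();
    System.out.println("late call result: " + req.runIfOpen("SELECT 2"));
    System.out.println("open native contexts: " + NativeCtx.OPEN.get());
  }
}
```

Removing the `additiveClosed` check from `getOrCreateAdditive()` reproduces the leak: the late call builds a second `NativeCtx` and the open-handle counter ends above zero.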

@ValentinZakharov ValentinZakharov added type: bug comp: asm waf Application Security Management (WAF) labels Sep 24, 2024
@ValentinZakharov ValentinZakharov self-assigned this Sep 24, 2024
@ValentinZakharov ValentinZakharov force-pushed the vzakharov/unclassified_waf_exception branch from 7ad360b to 0a8eeb8 Compare September 24, 2024 22:25

pr-commenter bot commented Sep 24, 2024

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master vzakharov/unclassified_waf_exception
git_commit_date 1727627513 1727648853
git_commit_sha 59ce38a cc6603d
release_version 1.40.0-SNAPSHOT~59ce38a456 1.40.0-SNAPSHOT~cc6603d80f
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1727651279 1727651279
ci_job_id 655003320 655003320
ci_pipeline_id 45382395 45382395
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 48 metrics, 15 unstable metrics.

Startup time reports for petclinic
gantt
    title petclinic - global startup overhead: candidate=1.40.0-SNAPSHOT~cc6603d80f, baseline=1.40.0-SNAPSHOT~59ce38a456

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.078 s) : 0, 1077663
Total [baseline] (10.36 s) : 0, 10360346
Agent [candidate] (1.066 s) : 0, 1066011
Total [candidate] (10.337 s) : 0, 10336570
section appsec
Agent [baseline] (1.196 s) : 0, 1195715
Total [baseline] (10.56 s) : 0, 10560183
Agent [candidate] (1.21 s) : 0, 1209515
Total [candidate] (10.658 s) : 0, 10657854
section iast
Agent [baseline] (1.2 s) : 0, 1200309
Total [baseline] (10.839 s) : 0, 10838626
Agent [candidate] (1.209 s) : 0, 1208514
Total [candidate] (10.797 s) : 0, 10797214
section profiling
Agent [baseline] (1.267 s) : 0, 1267128
Total [baseline] (10.67 s) : 0, 10670065
Agent [candidate] (1.27 s) : 0, 1270229
Total [candidate] (10.544 s) : 0, 10543705
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.078 s -
Agent appsec 1.196 s 118.053 ms (11.0%)
Agent iast 1.2 s 122.646 ms (11.4%)
Agent profiling 1.267 s 189.466 ms (17.6%)
Total tracing 10.36 s -
Total appsec 10.56 s 199.838 ms (1.9%)
Total iast 10.839 s 478.281 ms (4.6%)
Total profiling 10.67 s 309.72 ms (3.0%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.066 s -
Agent appsec 1.21 s 143.504 ms (13.5%)
Agent iast 1.209 s 142.502 ms (13.4%)
Agent profiling 1.27 s 204.218 ms (19.2%)
Total tracing 10.337 s -
Total appsec 10.658 s 321.284 ms (3.1%)
Total iast 10.797 s 460.644 ms (4.5%)
Total profiling 10.544 s 207.135 ms (2.0%)
gantt
    title petclinic - break down per module: candidate=1.40.0-SNAPSHOT~cc6603d80f, baseline=1.40.0-SNAPSHOT~59ce38a456

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (687.436 ms) : 0, 687436
BytebuddyAgent [candidate] (679.938 ms) : 0, 679938
GlobalTracer [baseline] (313.735 ms) : 0, 313735
GlobalTracer [candidate] (310.474 ms) : 0, 310474
AppSec [baseline] (54.26 ms) : 0, 54260
AppSec [candidate] (53.773 ms) : 0, 53773
Remote Config [baseline] (670.985 µs) : 0, 671
Remote Config [candidate] (657.859 µs) : 0, 658
Telemetry [baseline] (7.76 ms) : 0, 7760
Telemetry [candidate] (7.585 ms) : 0, 7585
section appsec
BytebuddyAgent [baseline] (695.364 ms) : 0, 695364
BytebuddyAgent [candidate] (707.363 ms) : 0, 707363
GlobalTracer [baseline] (306.403 ms) : 0, 306403
GlobalTracer [candidate] (305.268 ms) : 0, 305268
AppSec [baseline] (161.983 ms) : 0, 161983
AppSec [candidate] (162.871 ms) : 0, 162871
Remote Config [baseline] (648.318 µs) : 0, 648
Remote Config [candidate] (652.073 µs) : 0, 652
Telemetry [baseline] (7.865 ms) : 0, 7865
Telemetry [candidate] (9.261 ms) : 0, 9261
IAST [baseline] (19.753 ms) : 0, 19753
IAST [candidate] (20.735 ms) : 0, 20735
section iast
BytebuddyAgent [baseline] (799.043 ms) : 0, 799043
BytebuddyAgent [candidate] (804.657 ms) : 0, 804657
GlobalTracer [baseline] (301.416 ms) : 0, 301416
GlobalTracer [candidate] (303.191 ms) : 0, 303191
AppSec [baseline] (54.617 ms) : 0, 54617
AppSec [candidate] (55.874 ms) : 0, 55874
Remote Config [baseline] (637.347 µs) : 0, 637
Remote Config [candidate] (605.464 µs) : 0, 605
Telemetry [baseline] (7.91 ms) : 0, 7910
Telemetry [candidate] (7.19 ms) : 0, 7190
IAST [baseline] (22.937 ms) : 0, 22937
IAST [candidate] (23.145 ms) : 0, 23145
section profiling
ProfilingAgent [baseline] (97.105 ms) : 0, 97105
ProfilingAgent [candidate] (96.928 ms) : 0, 96928
BytebuddyAgent [baseline] (673.516 ms) : 0, 673516
BytebuddyAgent [candidate] (676.098 ms) : 0, 676098
GlobalTracer [baseline] (394.932 ms) : 0, 394932
GlobalTracer [candidate] (395.786 ms) : 0, 395786
AppSec [baseline] (54.796 ms) : 0, 54796
AppSec [candidate] (54.634 ms) : 0, 54634
Remote Config [baseline] (658.48 µs) : 0, 658
Remote Config [candidate] (654.393 µs) : 0, 654
Telemetry [baseline] (7.538 ms) : 0, 7538
Telemetry [candidate] (7.492 ms) : 0, 7492
Profiling [baseline] (97.129 ms) : 0, 97129
Profiling [candidate] (96.952 ms) : 0, 96952
Startup time reports for insecure-bank
gantt
    title insecure-bank - global startup overhead: candidate=1.40.0-SNAPSHOT~cc6603d80f, baseline=1.40.0-SNAPSHOT~59ce38a456

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.073 s) : 0, 1072921
Total [baseline] (8.572 s) : 0, 8571799
Agent [candidate] (1.069 s) : 0, 1068514
Total [candidate] (8.533 s) : 0, 8533395
section iast
Agent [baseline] (1.186 s) : 0, 1185713
Total [baseline] (9.032 s) : 0, 9032449
Agent [candidate] (1.186 s) : 0, 1185818
Total [candidate] (8.998 s) : 0, 8998241
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.192 s) : 0, 1192241
Total [baseline] (8.978 s) : 0, 8978306
Agent [candidate] (1.207 s) : 0, 1206557
Total [candidate] (8.999 s) : 0, 8998510
section iast_TELEMETRY_OFF
Agent [baseline] (1.195 s) : 0, 1195277
Total [baseline] (9.047 s) : 0, 9046891
Agent [candidate] (1.187 s) : 0, 1187047
Total [candidate] (9.025 s) : 0, 9024926
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.073 s -
Agent iast 1.186 s 112.792 ms (10.5%)
Agent iast_HARDCODED_SECRET_DISABLED 1.192 s 119.32 ms (11.1%)
Agent iast_TELEMETRY_OFF 1.195 s 122.356 ms (11.4%)
Total tracing 8.572 s -
Total iast 9.032 s 460.65 ms (5.4%)
Total iast_HARDCODED_SECRET_DISABLED 8.978 s 406.506 ms (4.7%)
Total iast_TELEMETRY_OFF 9.047 s 475.092 ms (5.5%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.069 s -
Agent iast 1.186 s 117.305 ms (11.0%)
Agent iast_HARDCODED_SECRET_DISABLED 1.207 s 138.043 ms (12.9%)
Agent iast_TELEMETRY_OFF 1.187 s 118.534 ms (11.1%)
Total tracing 8.533 s -
Total iast 8.998 s 464.846 ms (5.4%)
Total iast_HARDCODED_SECRET_DISABLED 8.999 s 465.115 ms (5.5%)
Total iast_TELEMETRY_OFF 9.025 s 491.531 ms (5.8%)
gantt
    title insecure-bank - break down per module: candidate=1.40.0-SNAPSHOT~cc6603d80f, baseline=1.40.0-SNAPSHOT~59ce38a456

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (684.853 ms) : 0, 684853
BytebuddyAgent [candidate] (683.608 ms) : 0, 683608
GlobalTracer [baseline] (312.062 ms) : 0, 312062
GlobalTracer [candidate] (309.686 ms) : 0, 309686
AppSec [baseline] (53.94 ms) : 0, 53940
AppSec [candidate] (53.329 ms) : 0, 53329
Remote Config [baseline] (659.12 µs) : 0, 659
Remote Config [candidate] (662.143 µs) : 0, 662
Telemetry [baseline] (7.647 ms) : 0, 7647
Telemetry [candidate] (7.55 ms) : 0, 7550
section iast
BytebuddyAgent [baseline] (788.919 ms) : 0, 788919
BytebuddyAgent [candidate] (788.959 ms) : 0, 788959
GlobalTracer [baseline] (298.019 ms) : 0, 298019
GlobalTracer [candidate] (298.581 ms) : 0, 298581
AppSec [baseline] (52.965 ms) : 0, 52965
AppSec [candidate] (55.063 ms) : 0, 55063
IAST [baseline] (23.665 ms) : 0, 23665
IAST [candidate] (21.937 ms) : 0, 21937
Remote Config [baseline] (632.165 µs) : 0, 632
Remote Config [candidate] (642.234 µs) : 0, 642
Telemetry [baseline] (7.89 ms) : 0, 7890
Telemetry [candidate] (7.048 ms) : 0, 7048
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (792.978 ms) : 0, 792978
BytebuddyAgent [candidate] (802.813 ms) : 0, 802813
GlobalTracer [baseline] (299.85 ms) : 0, 299850
GlobalTracer [candidate] (302.925 ms) : 0, 302925
AppSec [baseline] (55.336 ms) : 0, 55336
AppSec [candidate] (55.595 ms) : 0, 55595
IAST [baseline] (22.749 ms) : 0, 22749
IAST [candidate] (23.629 ms) : 0, 23629
Remote Config [baseline] (604.103 µs) : 0, 604
Remote Config [candidate] (611.015 µs) : 0, 611
Telemetry [baseline] (7.073 ms) : 0, 7073
Telemetry [candidate] (7.156 ms) : 0, 7156
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (794.386 ms) : 0, 794386
BytebuddyAgent [candidate] (788.556 ms) : 0, 788556
GlobalTracer [baseline] (301.139 ms) : 0, 301139
GlobalTracer [candidate] (299.179 ms) : 0, 299179
AppSec [baseline] (53.482 ms) : 0, 53482
AppSec [candidate] (57.147 ms) : 0, 57147
IAST [baseline] (25.052 ms) : 0, 25052
IAST [candidate] (20.942 ms) : 0, 20942
Remote Config [baseline] (617.956 µs) : 0, 618
Remote Config [candidate] (613.38 µs) : 0, 613
Telemetry [baseline] (6.859 ms) : 0, 6859
Telemetry [candidate] (6.964 ms) : 0, 6964

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2024-09-29T22:38:46 2024-09-29T22:45:37
git_branch master vzakharov/unclassified_waf_exception
git_commit_date 1727627513 1727648853
git_commit_sha 59ce38a cc6603d
release_version 1.40.0-SNAPSHOT~59ce38a456 1.40.0-SNAPSHOT~cc6603d80f
start_time 2024-09-29T22:38:33 2024-09-29T22:45:23
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1727650284 1727650284
ci_job_id 655003321 655003321
ci_pipeline_id 45382395 45382395
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for insecure-bank
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.40.0-SNAPSHOT~cc6603d80f, baseline=1.40.0-SNAPSHOT~59ce38a456
    dateFormat X
    axisFormat %s
section baseline
no_agent (377.045 µs) : 357, 397
.   : milestone, 377,
iast (490.837 µs) : 469, 512
.   : milestone, 491,
iast_FULL (560.323 µs) : 539, 582
.   : milestone, 560,
iast_GLOBAL (509.77 µs) : 489, 531
.   : milestone, 510,
iast_HARDCODED_SECRET_DISABLED (486.092 µs) : 465, 507
.   : milestone, 486,
iast_INACTIVE (449.854 µs) : 429, 471
.   : milestone, 450,
iast_TELEMETRY_OFF (484.299 µs) : 461, 508
.   : milestone, 484,
tracing (452.582 µs) : 432, 474
.   : milestone, 453,
section candidate
no_agent (373.571 µs) : 354, 393
.   : milestone, 374,
iast (489.844 µs) : 469, 511
.   : milestone, 490,
iast_FULL (559.231 µs) : 538, 580
.   : milestone, 559,
iast_GLOBAL (509.462 µs) : 489, 530
.   : milestone, 509,
iast_HARDCODED_SECRET_DISABLED (484.751 µs) : 464, 506
.   : milestone, 485,
iast_INACTIVE (457.252 µs) : 436, 479
.   : milestone, 457,
iast_TELEMETRY_OFF (484.444 µs) : 461, 507
.   : milestone, 484,
tracing (446.591 µs) : 426, 467
.   : milestone, 447,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 377.045 µs [356.636 µs, 397.453 µs] -
iast 490.837 µs [469.334 µs, 512.34 µs] 113.792 µs (30.2%)
iast_FULL 560.323 µs [538.846 µs, 581.8 µs] 183.278 µs (48.6%)
iast_GLOBAL 509.77 µs [488.691 µs, 530.849 µs] 132.726 µs (35.2%)
iast_HARDCODED_SECRET_DISABLED 486.092 µs [465.171 µs, 507.014 µs] 109.048 µs (28.9%)
iast_INACTIVE 449.854 µs [428.56 µs, 471.148 µs] 72.809 µs (19.3%)
iast_TELEMETRY_OFF 484.299 µs [460.675 µs, 507.923 µs] 107.255 µs (28.4%)
tracing 452.582 µs [431.659 µs, 473.505 µs] 75.537 µs (20.0%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 373.571 µs [354.037 µs, 393.105 µs] -
iast 489.844 µs [468.602 µs, 511.087 µs] 116.273 µs (31.1%)
iast_FULL 559.231 µs [537.991 µs, 580.47 µs] 185.66 µs (49.7%)
iast_GLOBAL 509.462 µs [488.574 µs, 530.349 µs] 135.891 µs (36.4%)
iast_HARDCODED_SECRET_DISABLED 484.751 µs [463.899 µs, 505.603 µs] 111.18 µs (29.8%)
iast_INACTIVE 457.252 µs [435.51 µs, 478.994 µs] 83.681 µs (22.4%)
iast_TELEMETRY_OFF 484.444 µs [461.494 µs, 507.394 µs] 110.873 µs (29.7%)
tracing 446.591 µs [426.464 µs, 466.718 µs] 73.02 µs (19.5%)
Request duration reports for petclinic
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.40.0-SNAPSHOT~cc6603d80f, baseline=1.40.0-SNAPSHOT~59ce38a456
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.343 ms) : 1323, 1362
.   : milestone, 1343,
appsec (1.701 ms) : 1676, 1726
.   : milestone, 1701,
appsec_no_iast (1.721 ms) : 1697, 1745
.   : milestone, 1721,
iast (1.485 ms) : 1461, 1508
.   : milestone, 1485,
profiling (1.48 ms) : 1455, 1504
.   : milestone, 1480,
tracing (1.45 ms) : 1424, 1475
.   : milestone, 1450,
section candidate
no_agent (1.357 ms) : 1338, 1376
.   : milestone, 1357,
appsec (1.715 ms) : 1689, 1740
.   : milestone, 1715,
appsec_no_iast (1.702 ms) : 1677, 1726
.   : milestone, 1702,
iast (1.474 ms) : 1451, 1497
.   : milestone, 1474,
profiling (1.524 ms) : 1499, 1549
.   : milestone, 1524,
tracing (1.476 ms) : 1452, 1501
.   : milestone, 1476,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.343 ms [1.323 ms, 1.362 ms] -
appsec 1.701 ms [1.676 ms, 1.726 ms] 358.208 µs (26.7%)
appsec_no_iast 1.721 ms [1.697 ms, 1.745 ms] 378.397 µs (28.2%)
iast 1.485 ms [1.461 ms, 1.508 ms] 141.993 µs (10.6%)
profiling 1.48 ms [1.455 ms, 1.504 ms] 137.094 µs (10.2%)
tracing 1.45 ms [1.424 ms, 1.475 ms] 106.903 µs (8.0%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.357 ms [1.338 ms, 1.376 ms] -
appsec 1.715 ms [1.689 ms, 1.74 ms] 357.455 µs (26.3%)
appsec_no_iast 1.702 ms [1.677 ms, 1.726 ms] 344.639 µs (25.4%)
iast 1.474 ms [1.451 ms, 1.497 ms] 116.907 µs (8.6%)
profiling 1.524 ms [1.499 ms, 1.549 ms] 166.869 µs (12.3%)
tracing 1.476 ms [1.452 ms, 1.501 ms] 119.03 µs (8.8%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master vzakharov/unclassified_waf_exception
git_commit_date 1727627513 1727648853
git_commit_sha 59ce38a cc6603d
release_version 1.40.0-SNAPSHOT~59ce38a456 1.40.0-SNAPSHOT~cc6603d80f
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1727650797 1727650797
ci_job_id 655003322 655003322
ci_pipeline_id 45382395 45382395
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava
gantt
    title biojava - execution time [CI 0.99] : candidate=1.40.0-SNAPSHOT~cc6603d80f, baseline=1.40.0-SNAPSHOT~59ce38a456
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.19 s) : 15190000, 15190000
.   : milestone, 15190000,
appsec (15.348 s) : 15348000, 15348000
.   : milestone, 15348000,
iast (18.645 s) : 18645000, 18645000
.   : milestone, 18645000,
iast_GLOBAL (18.05 s) : 18050000, 18050000
.   : milestone, 18050000,
profiling (15.209 s) : 15209000, 15209000
.   : milestone, 15209000,
tracing (15.265 s) : 15265000, 15265000
.   : milestone, 15265000,
section candidate
no_agent (15.124 s) : 15124000, 15124000
.   : milestone, 15124000,
appsec (15.096 s) : 15096000, 15096000
.   : milestone, 15096000,
iast (18.942 s) : 18942000, 18942000
.   : milestone, 18942000,
iast_GLOBAL (17.793 s) : 17793000, 17793000
.   : milestone, 17793000,
profiling (15.939 s) : 15939000, 15939000
.   : milestone, 15939000,
tracing (14.74 s) : 14740000, 14740000
.   : milestone, 14740000,
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.19 s [15.19 s, 15.19 s] -
appsec 15.348 s [15.348 s, 15.348 s] 158.0 ms (1.0%)
iast 18.645 s [18.645 s, 18.645 s] 3.455 s (22.7%)
iast_GLOBAL 18.05 s [18.05 s, 18.05 s] 2.86 s (18.8%)
profiling 15.209 s [15.209 s, 15.209 s] 19.0 ms (0.1%)
tracing 15.265 s [15.265 s, 15.265 s] 75.0 ms (0.5%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.124 s [15.124 s, 15.124 s] -
appsec 15.096 s [15.096 s, 15.096 s] -28.0 ms (-0.2%)
iast 18.942 s [18.942 s, 18.942 s] 3.818 s (25.2%)
iast_GLOBAL 17.793 s [17.793 s, 17.793 s] 2.669 s (17.6%)
profiling 15.939 s [15.939 s, 15.939 s] 815.0 ms (5.4%)
tracing 14.74 s [14.74 s, 14.74 s] -384.0 ms (-2.5%)
Execution time for tomcat
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.40.0-SNAPSHOT~cc6603d80f, baseline=1.40.0-SNAPSHOT~59ce38a456
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.465 ms) : 1453, 1476
.   : milestone, 1465,
appsec (2.295 ms) : 2256, 2335
.   : milestone, 2295,
iast (2.039 ms) : 1989, 2089
.   : milestone, 2039,
iast_GLOBAL (2.095 ms) : 2044, 2146
.   : milestone, 2095,
profiling (2.379 ms) : 2200, 2559
.   : milestone, 2379,
tracing (1.893 ms) : 1855, 1932
.   : milestone, 1893,
section candidate
no_agent (1.461 ms) : 1450, 1473
.   : milestone, 1461,
appsec (2.281 ms) : 2242, 2321
.   : milestone, 2281,
iast (2.047 ms) : 1997, 2097
.   : milestone, 2047,
iast_GLOBAL (2.083 ms) : 2034, 2133
.   : milestone, 2083,
profiling (1.916 ms) : 1877, 1956
.   : milestone, 1916,
tracing (1.887 ms) : 1849, 1925
.   : milestone, 1887,
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.465 ms [1.453 ms, 1.476 ms] -
appsec 2.295 ms [2.256 ms, 2.335 ms] 830.368 µs (56.7%)
iast 2.039 ms [1.989 ms, 2.089 ms] 573.993 µs (39.2%)
iast_GLOBAL 2.095 ms [2.044 ms, 2.146 ms] 630.167 µs (43.0%)
profiling 2.379 ms [2.2 ms, 2.559 ms] 914.499 µs (62.4%)
tracing 1.893 ms [1.855 ms, 1.932 ms] 428.589 µs (29.3%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.461 ms [1.45 ms, 1.473 ms] -
appsec 2.281 ms [2.242 ms, 2.321 ms] 820.166 µs (56.1%)
iast 2.047 ms [1.997 ms, 2.097 ms] 585.856 µs (40.1%)
iast_GLOBAL 2.083 ms [2.034 ms, 2.133 ms] 622.015 µs (42.6%)
profiling 1.916 ms [1.877 ms, 1.956 ms] 454.973 µs (31.1%)
tracing 1.887 ms [1.849 ms, 1.925 ms] 425.328 µs (29.1%)

@ValentinZakharov ValentinZakharov marked this pull request as ready for review September 25, 2024 15:08
@ValentinZakharov ValentinZakharov changed the title from "Improved WAF Context closing logic" to "Fixed closing WAF context" Sep 25, 2024
@@ -204,6 +205,7 @@ public void closeAdditive() {
if (additive != null) {
try {
additive.close();
additiveClosed = true;
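Review bot: In closeAdditive(), `additiveClosed = true` sits inside the try after `additive.close()`, so the flag is never set when close() throws, and a later caller will still treat the context as open. Set the flag in a finally block, or assign it before calling close(), so the closed state is recorded on every path.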
Member

Could be in the finally block, to make sure it's marked as closed if additive.close throws?

Contributor Author

Thanks, Done

@@ -205,6 +206,7 @@ public void closeAdditive() {
try {
additive.close();
} finally {
additiveClosed = true;
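Review bot: Assigning `additiveClosed = true` in the finally block, after `additive.close()`, leaves a window in which another thread still reads the flag as false while the context is being closed or is already closed. Assign the flag before calling close(), or run this close and the readers' check under the same lock, since a flag alone does not make a reader's check-then-use atomic. The field declarations are outside the lines shown, so also confirm the flag is volatile or lock-protected.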

There is a small chance of a race condition here after the additive is closed. One thing you can do is to set additiveClosed before closing the additive; since both variables are volatile, it should work.

Member

@jandro996 jandro996 left a comment

LGTM

@ValentinZakharov ValentinZakharov force-pushed the vzakharov/unclassified_waf_exception branch from cc6603d to a4ade47 Compare September 29, 2024 22:27
@ValentinZakharov ValentinZakharov merged commit 716ecbd into master Sep 30, 2024
101 of 102 checks passed
@ValentinZakharov ValentinZakharov deleted the vzakharov/unclassified_waf_exception branch September 30, 2024 09:05
@github-actions github-actions bot added this to the 1.40.0 milestone Sep 30, 2024