Limit the collections that the iast visitor can handle #7764

Merged

Conversation

@manuel-alvarez-alvarez (Member) commented Oct 14, 2024

What Does This Do

Limits the types of collections that the IAST object visitor can handle to:

  • Java collections
  • Apache commons collections
  • Guava collections
  • Protobuf collections

Motivation

When a Hibernate persistent collection is added to the session scope, we will try to visit the different elements in order to detect trust boundary violation vulnerabilities, and we might trigger issues further down the line due to lazy loading in ORMs.

Additional Notes

Contributor Checklist

Jira ticket: SCRS-1113
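To make the allow-list in the description concrete, here is an added example that is not dd-trace-java's own ObjectVisitor: a visitor that recurses only into Map and Collection classes from the four named families and skips any other container without touching it, run against a constructed stand-in for an ORM persistent collection that throws on any read. The package prefixes and every class name below are assumptions made for this example.

```java
import java.util.AbstractList;
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.BiConsumer;

// Added example, not dd-trace-java code: an object visitor that only walks
// containers whose class lives in an allow-listed package. The prefixes and
// the lazy-loading stand-in below are assumptions made for this example.
public final class AllowListedCollectionVisitor {
  // Collection families the PR keeps (JDK, Commons Collections, Guava,
  // Protobuf); Hibernate's persistent collection types are deliberately absent.
  private static final List<String> ALLOWED_PREFIXES = List.of(
      "java.util.", "org.apache.commons.collections",
      "com.google.common.collect.", "com.google.protobuf.");

  static boolean isAllowedContainer(Object value) {
    String name = value.getClass().getName();
    return ALLOWED_PREFIXES.stream().anyMatch(name::startsWith);
  }

  // Descends into allow-listed maps and collections and hands every leaf to
  // the visitor; any other Map/Collection is skipped before it is iterated.
  public static void visit(String path, Object value, BiConsumer<String, Object> visitor) {
    if (value == null) {
      return;
    }
    boolean container = value instanceof Map || value instanceof Collection;
    if (container && !isAllowedContainer(value)) {
      return; // unknown container type (e.g. an ORM proxy): never touched
    }
    if (value instanceof Map) {
      for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
        visit(path + "." + e.getKey(), e.getValue(), visitor);
      }
    } else if (value instanceof Collection) {
      int i = 0;
      for (Object element : (Collection<?>) value) {
        visit(path + "[" + (i++) + "]", element, visitor);
      }
    } else {
      visitor.accept(path, value); // leaf: a trust-boundary check would run here
    }
  }

  // Constructed stand-in for an ORM persistent collection: any read would hit
  // the database, so it throws to make an accidental access loud.
  static final class LazyPersistentList extends AbstractList<String> {
    @Override public String get(int i) { throw new IllegalStateException("lazy load triggered"); }
    @Override public int size() { throw new IllegalStateException("lazy load triggered"); }
  }

  public static void main(String[] args) {
    List<String> seen = new ArrayList<>();
    Map<String, Object> session = new LinkedHashMap<>();
    session.put("roles", List.of("admin", "user")); // java.util list: visited
    session.put("orders", new LazyPersistentList()); // ORM proxy: skipped, no throw
    visit("session", session, (path, v) -> seen.add(path + "=" + v));
    System.out.println(seen);
  }
}
```

Running main visits only the two role entries; the stand-in's get and size are never called, which is the behaviour the PR wants for Hibernate collections.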

@@ -66,7 +66,6 @@ class GrpcRequestMessageHandlerTest extends IastModuleImplTestBase {
given:
final visitor = Mock(ObjectVisitor.Visitor) {
visit(_ as String, _ as Object) >> {
println 'feo'
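Review bot: the header `@@ -66,7 +66,6 @@` records one line removed and none added, so `println 'feo'` inside the `visit(_ as String, _ as Object) >> { ... }` stub is the deleted line; its `-` marker was lost in rendering. Dropping it is the right call: a debug print inside a mock's stub closure gives the test nothing to assert on and only adds noise to the test output.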
@manuel-alvarez-alvarez (Member, Author) commented:

Unrelated print of ferrous oxide 😄

@Mariovido (Contributor) left a comment:

LGTM

pr-commenter bot commented Oct 14, 2024

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | malvarez/iast-fix-visitor-collections |
| git_commit_date | 1728902480 | 1728911946 |
| git_commit_sha | 79648fa | ab66ad0 |
| release_version | 1.41.0-SNAPSHOT~79648faf82 | 1.41.0-SNAPSHOT~ab66ad0c5b |

Matching parameters:

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| application | insecure-bank | insecure-bank |
| ci_job_date | 1728914474 | 1728914474 |
| ci_job_id | 671423412 | 671423412 |
| ci_pipeline_id | 46542894 | 46542894 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 53 metrics, 10 unstable metrics.

Startup time reports for petclinic
Chart: petclinic - global startup overhead (candidate=1.41.0-SNAPSHOT~ab66ad0c5b, baseline=1.41.0-SNAPSHOT~79648faf82); values are in the tables below.

Baseline results:

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.066 s | - |
| Agent | appsec | 1.205 s | 138.712 ms (13.0%) |
| Agent | iast | 1.207 s | 140.935 ms (13.2%) |
| Agent | profiling | 1.272 s | 205.819 ms (19.3%) |
| Total | tracing | 10.474 s | - |
| Total | appsec | 10.574 s | 100.571 ms (1.0%) |
| Total | iast | 10.928 s | 454.149 ms (4.3%) |
| Total | profiling | 10.607 s | 133.549 ms (1.3%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.066 s | - |
| Agent | appsec | 1.209 s | 142.916 ms (13.4%) |
| Agent | iast | 1.196 s | 130.537 ms (12.2%) |
| Agent | profiling | 1.265 s | 199.037 ms (18.7%) |
| Total | tracing | 10.414 s | - |
| Total | appsec | 10.581 s | 167.008 ms (1.6%) |
| Total | iast | 10.905 s | 491.648 ms (4.7%) |
| Total | profiling | 10.671 s | 257.12 ms (2.5%) |
petclinic - break down per module (candidate=1.41.0-SNAPSHOT~ab66ad0c5b, baseline=1.41.0-SNAPSHOT~79648faf82):

| Variant | Module | Baseline | Candidate |
| --- | --- | --- | --- |
| tracing | BytebuddyAgent | 680.864 ms | 680.594 ms |
| tracing | GlobalTracer | 310.122 ms | 309.685 ms |
| tracing | AppSec | 53.72 ms | 53.723 ms |
| tracing | Remote Config | 663.935 µs | 668.758 µs |
| tracing | Telemetry | 7.496 ms | 7.557 ms |
| appsec | BytebuddyAgent | 702.292 ms | 702.929 ms |
| appsec | GlobalTracer | 307.339 ms | 308.756 ms |
| appsec | AppSec | 161.618 ms | 163.546 ms |
| appsec | Remote Config | 638.543 µs | 634.068 µs |
| appsec | Telemetry | 8.728 ms | 8.089 ms |
| appsec | IAST | 21.743 ms | 22.183 ms |
| iast | BytebuddyAgent | 806.688 ms | 797.707 ms |
| iast | GlobalTracer | 300.563 ms | 299.154 ms |
| iast | AppSec | 54.895 ms | 56.223 ms |
| iast | Remote Config | 619.851 µs | 612.094 µs |
| iast | Telemetry | 7.172 ms | 7.088 ms |
| iast | IAST | 23.694 ms | 21.939 ms |
| profiling | BytebuddyAgent | 679.173 ms | 674.879 ms |
| profiling | GlobalTracer | 394.433 ms | 392.393 ms |
| profiling | AppSec | 55.0 ms | 54.596 ms |
| profiling | Remote Config | 658.434 µs | 658.849 µs |
| profiling | Telemetry | 7.484 ms | 7.416 ms |
| profiling | ProfilingAgent | 96.765 ms | 96.37 ms |
| profiling | Profiling | 96.789 ms | 96.393 ms |
Startup time reports for insecure-bank
Chart: insecure-bank - global startup overhead (candidate=1.41.0-SNAPSHOT~ab66ad0c5b, baseline=1.41.0-SNAPSHOT~79648faf82); values are in the tables below.

Baseline results:

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.067 s | - |
| Agent | iast | 1.193 s | 126.24 ms (11.8%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.195 s | 128.533 ms (12.0%) |
| Agent | iast_TELEMETRY_OFF | 1.201 s | 133.891 ms (12.6%) |
| Total | tracing | 8.563 s | - |
| Total | iast | 9.116 s | 552.981 ms (6.5%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.089 s | 525.455 ms (6.1%) |
| Total | iast_TELEMETRY_OFF | 9.119 s | 555.645 ms (6.5%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.072 s | - |
| Agent | iast | 1.195 s | 122.325 ms (11.4%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.203 s | 130.863 ms (12.2%) |
| Agent | iast_TELEMETRY_OFF | 1.208 s | 135.428 ms (12.6%) |
| Total | tracing | 8.568 s | - |
| Total | iast | 9.119 s | 551.121 ms (6.4%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.106 s | 538.033 ms (6.3%) |
| Total | iast_TELEMETRY_OFF | 9.069 s | 500.787 ms (5.8%) |
insecure-bank - break down per module (candidate=1.41.0-SNAPSHOT~ab66ad0c5b, baseline=1.41.0-SNAPSHOT~79648faf82):

| Variant | Module | Baseline | Candidate |
| --- | --- | --- | --- |
| tracing | BytebuddyAgent | 680.891 ms | 685.439 ms |
| tracing | GlobalTracer | 310.266 ms | 311.077 ms |
| tracing | AppSec | 53.912 ms | 53.984 ms |
| tracing | Remote Config | 663.766 µs | 669.333 µs |
| tracing | Telemetry | 7.534 ms | 7.57 ms |
| iast | BytebuddyAgent | 795.66 ms | 797.628 ms |
| iast | GlobalTracer | 297.825 ms | 298.333 ms |
| iast | AppSec | 54.933 ms | 54.634 ms |
| iast | IAST | 23.427 ms | 22.846 ms |
| iast | Remote Config | 600.748 µs | 606.177 µs |
| iast | Telemetry | 7.016 ms | 7.042 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 797.004 ms | 801.808 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 298.962 ms | 300.916 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 54.705 ms | 53.724 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 23.414 ms | 25.351 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 606.071 µs | 612.236 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 7.036 ms | 7.152 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 799.013 ms | 805.285 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 301.24 ms | 302.275 ms |
| iast_TELEMETRY_OFF | AppSec | 55.301 ms | 53.162 ms |
| iast_TELEMETRY_OFF | IAST | 23.708 ms | 25.74 ms |
| iast_TELEMETRY_OFF | Remote Config | 640.041 µs | 618.258 µs |
| iast_TELEMETRY_OFF | Telemetry | 7.079 ms | 6.943 ms |

Load

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-10-14T13:31:41 | 2024-10-14T13:38:31 |
| git_branch | master | malvarez/iast-fix-visitor-collections |
| git_commit_date | 1728902480 | 1728911946 |
| git_commit_sha | 79648fa | ab66ad0 |
| release_version | 1.41.0-SNAPSHOT~79648faf82 | 1.41.0-SNAPSHOT~ab66ad0c5b |
| start_time | 2024-10-14T13:31:27 | 2024-10-14T13:38:18 |

Matching parameters:

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| application | insecure-bank | insecure-bank |
| ci_job_date | 1728913457 | 1728913457 |
| ci_job_id | 671423413 | 671423413 |
| ci_pipeline_id | 46542894 | 46542894 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics.

Request duration reports for insecure-bank
Chart: insecure-bank - request duration [CI 0.99] (candidate=1.41.0-SNAPSHOT~ab66ad0c5b, baseline=1.41.0-SNAPSHOT~79648faf82); values are in the tables below.

Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 373.178 µs [353.205 µs, 393.151 µs] | - |
| iast | 490.007 µs [468.354 µs, 511.66 µs] | 116.829 µs (31.3%) |
| iast_FULL | 548.247 µs [527.027 µs, 569.467 µs] | 175.069 µs (46.9%) |
| iast_GLOBAL | 505.32 µs [483.672 µs, 526.969 µs] | 132.143 µs (35.4%) |
| iast_HARDCODED_SECRET_DISABLED | 479.604 µs [458.63 µs, 500.578 µs] | 106.426 µs (28.5%) |
| iast_INACTIVE | 449.69 µs [428.683 µs, 470.697 µs] | 76.512 µs (20.5%) |
| iast_TELEMETRY_OFF | 473.367 µs [452.255 µs, 494.479 µs] | 100.189 µs (26.8%) |
| tracing | 439.036 µs [418.661 µs, 459.411 µs] | 65.858 µs (17.6%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 373.804 µs [354.329 µs, 393.278 µs] | - |
| iast | 477.598 µs [456.537 µs, 498.658 µs] | 103.794 µs (27.8%) |
| iast_FULL | 555.12 µs [533.835 µs, 576.404 µs] | 181.316 µs (48.5%) |
| iast_GLOBAL | 508.97 µs [486.752 µs, 531.188 µs] | 135.167 µs (36.2%) |
| iast_HARDCODED_SECRET_DISABLED | 490.681 µs [469.344 µs, 512.018 µs] | 116.878 µs (31.3%) |
| iast_INACTIVE | 445.029 µs [424.66 µs, 465.399 µs] | 71.226 µs (19.1%) |
| iast_TELEMETRY_OFF | 472.936 µs [451.719 µs, 494.152 µs] | 99.132 µs (26.5%) |
| tracing | 440.493 µs [419.977 µs, 461.008 µs] | 66.689 µs (17.8%) |
Request duration reports for petclinic
Chart: petclinic - request duration [CI 0.99] (candidate=1.41.0-SNAPSHOT~ab66ad0c5b, baseline=1.41.0-SNAPSHOT~79648faf82); values are in the tables below.

Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.337 ms [1.318 ms, 1.356 ms] | - |
| appsec | 1.719 ms [1.694 ms, 1.743 ms] | 381.55 µs (28.5%) |
| appsec_no_iast | 1.702 ms [1.678 ms, 1.727 ms] | 365.405 µs (27.3%) |
| iast | 1.472 ms [1.449 ms, 1.495 ms] | 135.323 µs (10.1%) |
| profiling | 1.523 ms [1.498 ms, 1.548 ms] | 185.761 µs (13.9%) |
| tracing | 1.468 ms [1.443 ms, 1.492 ms] | 130.656 µs (9.8%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.34 ms [1.32 ms, 1.36 ms] | - |
| appsec | 1.719 ms [1.695 ms, 1.744 ms] | 379.521 µs (28.3%) |
| appsec_no_iast | 1.741 ms [1.717 ms, 1.764 ms] | 401.026 µs (29.9%) |
| iast | 1.466 ms [1.443 ms, 1.489 ms] | 126.267 µs (9.4%) |
| profiling | 1.469 ms [1.444 ms, 1.494 ms] | 129.255 µs (9.6%) |
| tracing | 1.464 ms [1.44 ms, 1.489 ms] | 124.635 µs (9.3%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | malvarez/iast-fix-visitor-collections |
| git_commit_date | 1728902480 | 1728911946 |
| git_commit_sha | 79648fa | ab66ad0 |
| release_version | 1.41.0-SNAPSHOT~79648faf82 | 1.41.0-SNAPSHOT~ab66ad0c5b |

Matching parameters:

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| application | biojava | biojava |
| ci_job_date | 1728914026 | 1728914026 |
| ci_job_id | 671423414 | 671423414 |
| ci_pipeline_id | 46542894 | 46542894 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat
Chart: tomcat - execution time [CI 0.99] (candidate=1.41.0-SNAPSHOT~ab66ad0c5b, baseline=1.41.0-SNAPSHOT~79648faf82); values are in the tables below.

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.465 ms [1.454 ms, 1.477 ms] | - |
| appsec | 2.317 ms [2.276 ms, 2.358 ms] | 851.79 µs (58.1%) |
| iast | 2.072 ms [2.02 ms, 2.125 ms] | 607.286 µs (41.4%) |
| iast_GLOBAL | 2.108 ms [2.056 ms, 2.16 ms] | 642.875 µs (43.9%) |
| profiling | 1.939 ms [1.896 ms, 1.982 ms] | 473.955 µs (32.3%) |
| tracing | 1.907 ms [1.868 ms, 1.947 ms] | 442.158 µs (30.2%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.458 ms [1.447 ms, 1.47 ms] | - |
| appsec | 2.323 ms [2.281 ms, 2.364 ms] | 864.225 µs (59.3%) |
| iast | 2.069 ms [2.017 ms, 2.121 ms] | 610.584 µs (41.9%) |
| iast_GLOBAL | 2.095 ms [2.043 ms, 2.148 ms] | 637.156 µs (43.7%) |
| profiling | 1.936 ms [1.894 ms, 1.978 ms] | 477.745 µs (32.8%) |
| tracing | 1.913 ms [1.872 ms, 1.953 ms] | 454.245 µs (31.1%) |
Execution time for biojava
Chart: biojava - execution time [CI 0.99] (candidate=1.41.0-SNAPSHOT~ab66ad0c5b, baseline=1.41.0-SNAPSHOT~79648faf82); values are in the tables below.

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 15.465 s [15.465 s, 15.465 s] | - |
| appsec | 15.251 s [15.251 s, 15.251 s] | -214.0 ms (-1.4%) |
| iast | 19.097 s [19.097 s, 19.097 s] | 3.632 s (23.5%) |
| iast_GLOBAL | 18.167 s [18.167 s, 18.167 s] | 2.702 s (17.5%) |
| profiling | 15.32 s [15.32 s, 15.32 s] | -145.0 ms (-0.9%) |
| tracing | 15.055 s [15.055 s, 15.055 s] | -410.0 ms (-2.7%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 15.088 s [15.088 s, 15.088 s] | - |
| appsec | 15.259 s [15.259 s, 15.259 s] | 171.0 ms (1.1%) |
| iast | 18.749 s [18.749 s, 18.749 s] | 3.661 s (24.3%) |
| iast_GLOBAL | 17.975 s [17.975 s, 17.975 s] | 2.887 s (19.1%) |
| profiling | 14.914 s [14.914 s, 14.914 s] | -174.0 ms (-1.2%) |
| tracing | 15.498 s [15.498 s, 15.498 s] | 410.0 ms (2.7%) |

@@ -74,6 +70,29 @@ class ObjectVisitorTest extends Specification {
0 * _
}

void 'test visiting ignored collection'() {
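Review bot: the 23 added lines of `'test visiting ignored collection'` are cut off right after the method header, so the expectation this test relies on is not visible here; the feature method just above closes with `0 * _`, and the new one should end with the same zero-cardinality interaction check so that any visit of the ignored collection fails the test instead of passing because the collection was silently skipped. Backing the ignored collection with a stand-in whose accessors throw would additionally make an unintended access fail loudly, even if a later edit loosened the interaction assertion.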
Contributor commented:

It's not clear to me what we're asserting in this test... I understand that we're not supposed to access the list, so shouldn't we throw an exception in the get, for instance? Or count accesses and make sure it's ==0?

@manuel-alvarez-alvarez (Member, Author) commented:

Yes, we could throw an exception but in the end we are asserting that there are no mock invocations of the visitor with 0 * _ which is equivalent.

Contributor commented:

OK thanks, I wasn't familiar with that notation.

@manuel-alvarez-alvarez manuel-alvarez-alvarez merged commit 703af33 into master Oct 15, 2024
104 checks passed
@manuel-alvarez-alvarez manuel-alvarez-alvarez deleted the malvarez/iast-fix-visitor-collections branch October 15, 2024 07:14
@github-actions github-actions bot added this to the 1.41.0 milestone Oct 15, 2024
Labels
comp: asm iast Application Security Management (IAST) type: bug
6 participants