Ensure vulnerabilities are reported with taintable values #7801
Conversation
Three resolved review threads on dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/SinkModuleBase.java
Benchmarks

Startup
Found 0 performance improvements and 0 performance regressions! Performance is the same for 54 metrics, 9 unstable metrics.

Startup time reports for petclinic (candidate=1.42.0-SNAPSHOT~6e4a946642, baseline=1.42.0-SNAPSHOT~5ba267f941)

petclinic - global startup overhead

| section | Agent [baseline] | Agent [candidate] | Total [baseline] | Total [candidate] |
| --- | --- | --- | --- | --- |
| tracing | 1.074 s | 1.083 s | 10.393 s | 10.347 s |
| appsec | 1.207 s | 1.219 s | 10.567 s | 10.589 s |
| iast | 1.2 s | 1.201 s | 10.819 s | 10.815 s |
| profiling | 1.272 s | 1.27 s | 10.651 s | 10.653 s |

petclinic - break down per module

| section | module | baseline | candidate |
| --- | --- | --- | --- |
| tracing | BytebuddyAgent | 684.88 ms | 691.348 ms |
| tracing | GlobalTracer | 312.418 ms | 314.705 ms |
| tracing | AppSec | 54.055 ms | 54.341 ms |
| tracing | Remote Config | 662.763 µs | 674.35 µs |
| tracing | Telemetry | 8.154 ms | 8.147 ms |
| appsec | BytebuddyAgent | 701.168 ms | 708.387 ms |
| appsec | GlobalTracer | 309.094 ms | 312.013 ms |
| appsec | AppSec | 165.092 ms | 166.589 ms |
| appsec | Remote Config | 635.849 µs | 644.824 µs |
| appsec | Telemetry | 7.022 ms | 7.47 ms |
| appsec | IAST | 20.657 ms | 20.186 ms |
| iast | BytebuddyAgent | 799.527 ms | 801.074 ms |
| iast | GlobalTracer | 301.397 ms | 301.312 ms |
| iast | AppSec | 57.344 ms | 57.295 ms |
| iast | Remote Config | 590.348 µs | 595.242 µs |
| iast | Telemetry | 7.0 ms | 7.071 ms |
| iast | IAST | 20.121 ms | 20.252 ms |
| profiling | ProfilingAgent | 89.907 ms | 90.518 ms |
| profiling | BytebuddyAgent | 679.8 ms | 678.287 ms |
| profiling | GlobalTracer | 394.665 ms | 394.417 ms |
| profiling | AppSec | 54.615 ms | 54.618 ms |
| profiling | Remote Config | 663.674 µs | 647.969 µs |
| profiling | Telemetry | 13.527 ms | 13.147 ms |
| profiling | Profiling | 89.93 ms | 90.541 ms |

Startup time reports for insecure-bank (candidate=1.42.0-SNAPSHOT~6e4a946642, baseline=1.42.0-SNAPSHOT~5ba267f941)

insecure-bank - global startup overhead

| section | Agent [baseline] | Agent [candidate] | Total [baseline] | Total [candidate] |
| --- | --- | --- | --- | --- |
| tracing | 1.078 s | 1.076 s | 8.567 s | 8.552 s |
| iast | 1.21 s | 1.201 s | 9.146 s | 9.124 s |
| iast_HARDCODED_SECRET_DISABLED | 1.206 s | 1.202 s | 9.093 s | 9.091 s |
| iast_TELEMETRY_OFF | 1.196 s | 1.198 s | 9.064 s | 9.064 s |

insecure-bank - break down per module

| section | module | baseline | candidate |
| --- | --- | --- | --- |
| tracing | BytebuddyAgent | 686.565 ms | 685.435 ms |
| tracing | GlobalTracer | 314.092 ms | 312.193 ms |
| tracing | AppSec | 54.202 ms | 53.929 ms |
| tracing | Remote Config | 669.325 µs | 657.001 µs |
| tracing | Telemetry | 8.847 ms | 10.346 ms |
| iast | BytebuddyAgent | 806.169 ms | 800.44 ms |
| iast | GlobalTracer | 304.685 ms | 301.459 ms |
| iast | AppSec | 56.645 ms | 55.091 ms |
| iast | IAST | 21.508 ms | 22.883 ms |
| iast | Remote Config | 629.496 µs | 608.324 µs |
| iast | Telemetry | 7.106 ms | 7.012 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 804.287 ms | 800.163 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 302.549 ms | 301.543 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 56.197 ms | 58.071 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 21.92 ms | 20.669 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 597.93 µs | 623.665 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 7.013 ms | 7.196 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 796.206 ms | 796.719 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 300.988 ms | 302.552 ms |
| iast_TELEMETRY_OFF | AppSec | 56.675 ms | 57.434 ms |
| iast_TELEMETRY_OFF | IAST | 20.88 ms | 19.946 ms |
| iast_TELEMETRY_OFF | Remote Config | 606.551 µs | 594.241 µs |
| iast_TELEMETRY_OFF | Telemetry | 6.985 ms | 6.96 ms |

Load
Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

insecure-bank - request duration [CI 0.99] (candidate=1.42.0-SNAPSHOT~6e4a946642, baseline=1.42.0-SNAPSHOT~5ba267f941; CI bounds in µs)

| variant | baseline | candidate |
| --- | --- | --- |
| no_agent | 368.616 µs (348-389) | 376.587 µs (357-396) |
| iast | 484.639 µs (463-506) | 490.422 µs (469-512) |
| iast_FULL | 555.322 µs (534-577) | 558.242 µs (537-580) |
| iast_GLOBAL | 501.445 µs (480-523) | 507.476 µs (487-528) |
| iast_HARDCODED_SECRET_DISABLED | 491.238 µs (470-513) | 485.553 µs (464-507) |
| iast_INACTIVE | 450.487 µs (429-472) | 443.542 µs (423-464) |
| iast_TELEMETRY_OFF | 471.969 µs (451-493) | 475.97 µs (455-497) |
| tracing | 448.067 µs (427-469) | 438.868 µs (418-459) |

petclinic - request duration [CI 0.99] (candidate=1.42.0-SNAPSHOT~6e4a946642, baseline=1.42.0-SNAPSHOT~5ba267f941; CI bounds in µs)

| variant | baseline | candidate |
| --- | --- | --- |
| no_agent | 1.341 ms (1322-1360) | 1.318 ms (1299-1338) |
| appsec | 1.72 ms (1696-1743) | 1.724 ms (1700-1749) |
| appsec_no_iast | 1.723 ms (1698-1749) | 1.707 ms (1682-1732) |
| iast | 1.469 ms (1447-1492) | 1.477 ms (1454-1500) |
| profiling | 1.48 ms (1457-1503) | 1.473 ms (1450-1495) |
| tracing | 1.475 ms (1451-1499) | 1.461 ms (1437-1486) |

Dacapo
Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

biojava - execution time [CI 0.99] (candidate=1.42.0-SNAPSHOT~6e4a946642, baseline=1.42.0-SNAPSHOT~5ba267f941; no CI spread reported)

| variant | baseline | candidate |
| --- | --- | --- |
| no_agent | 15.064 s | 15.023 s |
| appsec | 15.06 s | 15.365 s |
| iast | 18.994 s | 18.721 s |
| iast_GLOBAL | 17.896 s | 18.052 s |
| profiling | 15.024 s | 15.749 s |
| tracing | 15.299 s | 15.053 s |

tomcat - execution time [CI 0.99] (candidate=1.42.0-SNAPSHOT~6e4a946642, baseline=1.42.0-SNAPSHOT~5ba267f941; CI bounds in µs)

| variant | baseline | candidate |
| --- | --- | --- |
| no_agent | 1.458 ms (1447-1469) | 1.455 ms (1444-1466) |
| appsec | 2.31 ms (2270-2351) | 2.307 ms (2266-2347) |
| iast | 2.058 ms (2007-2109) | 2.057 ms (2007-2108) |
| iast_GLOBAL | 2.105 ms (2053-2157) | 2.11 ms (2057-2162) |
| profiling | 1.917 ms (1877-1958) | 1.924 ms (1883-1966) |
| tracing | 1.905 ms (1866-1944) | 1.91 ms (1870-1950) |
LGTM
Head commit updated: 64d26f7 to 194b3cf
Head commit updated: 194b3cf to 6e4a946
What Does This Do
Makes sure that all sink modules are able to deal with datadog.trace.api.iast.Taintable references when reporting a vulnerability.
Motivation
Taintable references were never expected to reach sinks, as they are just propagation utilities to improve performance. We have detected that in some cases they might reach sinks, hiding vulnerabilities.
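To make the failure mode in the description concrete, here is an added Java example (not code from this PR or from dd-trace-java): a sink that consults only the per-request taint map misses a value that implements `Taintable` and carries its own source, so the finding is silently dropped, while a `Taintable`-aware resolution reports it. Every type and method name below (`Source`, `TaintedObjects`, `Carrier`, `taintSource`, `resolveSource`, `check`) and the sample source labels are assumptions made for this illustration; the nested `Taintable` interface is a simplified stand-in for `datadog.trace.api.iast.Taintable`, not its real signature.

```java
import java.util.IdentityHashMap;
import java.util.Map;

/**
 * Added illustration, not dd-trace-java code. Shows why a sink must resolve the
 * taint source of a value both from the per-request taint map and from the value
 * itself when it is a Taintable carrier. All names are simplified stand-ins.
 */
public class TaintableSinkExample {

  /** Stand-in for the origin information attached to a tainted value. */
  static final class Source {
    final String origin;
    final String name;

    Source(String origin, String name) {
      this.origin = origin;
      this.name = name;
    }
  }

  /** Simplified stand-in for datadog.trace.api.iast.Taintable: the value carries its own source. */
  interface Taintable {
    Source taintSource();
  }

  /** Stand-in for the per-request taint map, keyed by object identity. */
  static final class TaintedObjects {
    private final Map<Object, Source> tainted = new IdentityHashMap<>();

    void taint(Object value, Source source) {
      tainted.put(value, source);
    }

    Source get(Object value) {
      return tainted.get(value);
    }
  }

  /** A propagation carrier: implements Taintable and is never registered in the map. */
  static final class Carrier implements Taintable {
    private final Source source;

    Carrier(Source source) {
      this.source = source;
    }

    @Override
    public Source taintSource() {
      return source;
    }
  }

  /** Map-only lookup: a Taintable carrier resolves to null, so its finding is lost. */
  static Source resolveMapOnly(TaintedObjects tainted, Object value) {
    return tainted.get(value);
  }

  /** Taintable-aware lookup: ask the value itself first, then fall back to the map. */
  static Source resolveSource(TaintedObjects tainted, Object value) {
    if (value instanceof Taintable) {
      Source carried = ((Taintable) value).taintSource();
      if (carried != null) {
        return carried;
      }
    }
    return tainted.get(value);
  }

  /** Sink check: returns a report line when the value is tainted, null otherwise. */
  static String check(TaintedObjects tainted, Object value, String vulnerabilityType, boolean taintableAware) {
    Source source = taintableAware ? resolveSource(tainted, value) : resolveMapOnly(tainted, value);
    if (source == null) {
      return null;
    }
    return vulnerabilityType + " <- " + source.origin + " '" + source.name + "'";
  }

  public static void main(String[] args) {
    TaintedObjects tainted = new TaintedObjects();
    // Constructed sample input: a request parameter named "q" (origin label is assumed).
    Source source = new Source("http.request.parameter", "q");

    String plain = new String("user supplied value");
    tainted.taint(plain, source);
    Carrier carrier = new Carrier(source);

    for (Object value : new Object[] {plain, carrier}) {
      String mapOnly = check(tainted, value, "SQL_INJECTION", false);
      String aware = check(tainted, value, "SQL_INJECTION", true);
      System.out.println(value.getClass().getSimpleName()
          + ": map-only=" + mapOnly + ", taintable-aware=" + aware);
    }
  }
}
```

Running `main` shows the plain `String` reported by both lookups and the `Carrier` reported only by the `Taintable`-aware one; the map-only path returns null for it, which is the hidden vulnerability the PR description refers to. Checking the value itself before the map also keeps the common case (a plain tracked object) on the same path as before.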