Fix stack trace inconsistency between excluded frames in vulnerability location and metastruct stack trace #7865
… location and vulnerability stacktrace reported in metastruct
I'm not sure if we need more tests to validate this change; keep in mind that it would also be tested in system tests, as right now it would fail because the vulnerability location is filtered from the reported stack trace as the location is in a
Benchmarks

Startup
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 52 metrics, 11 unstable metrics.
[Gantt charts omitted: startup time reports for petclinic and insecure-bank (global startup overhead and breakdown per module), candidate=1.43.0-SNAPSHOT~1d9c6df96f, baseline=1.43.0-SNAPSHOT~21c0b2df63]

Load
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics.
[Gantt charts omitted: request duration reports [CI 0.99] for insecure-bank and petclinic, candidate=1.43.0-SNAPSHOT~1d9c6df96f, baseline=1.43.0-SNAPSHOT~21c0b2df63]

Dacapo
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
[Gantt charts omitted: execution time [CI 0.99] for biojava and tomcat, candidate=1.43.0-SNAPSHOT~1d9c6df96f, baseline=1.43.0-SNAPSHOT~21c0b2df63]

Debugger benchmarks
Summary: Found 4 performance improvements and 0 performance regressions! Performance is the same for 3 metrics, 8 unstable metrics.
[Gantt chart omitted: request duration reports [CI 0.99] for reports (noprobe, basic, loop), candidate=None, baseline=None]
Looks good to me for RASP and IAST, but needs a review by the DI team.
Also note the performance regression in debugger benchmarks.
internal-api/src/main/java/datadog/trace/util/stacktrace/AbstractStackWalker.java
dd-java-agent/agent-debugger/src/test/java/foo/bar/debugger/origin/CodeOriginTest.java
internal-api/src/main/java/datadog/trace/util/stacktrace/AbstractStackWalker.java
@Test | ||
public void test_generateUserCodeStackTrace() { | ||
List<StackTraceFrame> userCodeStack = StackUtils.generateUserCodeStackTrace(); | ||
private static Stream<Arguments> test_generateUserCodeStackTrace_Params() { |
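Review bot: the cases returned by `test_generateUserCodeStackTrace_Params()` (last line of this fragment) should include one that exercises the default filter and one that passes an explicit predicate, each asserting which frames remain in the result. That way a later change to either path that reintroduces a mismatch between the vulnerability location and the reported stack trace fails in this test instead of only in system tests.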
this test only seems to care about the junit frames being 0 or not so I'm not sure the filtering change is even necessary.
My intention with this test is to cover the StackUtils#generateUserCodeStackTrace parametrization, more than the AbstractStackWalker#isNotDatadogTraceStackElement that is covered by other tests. But I can try to add more specific if you feel that is necessary.
Looks good now, broader impact is gone.
…y location and metastruct stack trace (#7865)

What Does This Do
- Parametrize StackUtils#generateUserCodeStackTrace with a predicate
- Add AbstractStackWalker#isNotDatadogTraceStackElement as default filter
- Update isNotDatadogTraceStackElement to also filter com.datadog.appsec

Motivation
We are filtering different stack frames according to their class to calculate the vulnerability location and the vulnerability stack trace that is reported via meta struct
What Does This Do
- Parametrize StackUtils#generateUserCodeStackTrace with a predicate
- Add AbstractStackWalker#isNotDatadogTraceStackElement as default filter
- Update isNotDatadogTraceStackElement to also filter com.datadog.appsec

Motivation
We are filtering different stack frames according to their class to calculate the vulnerability location and the vulnerability stack trace that is reported via meta struct
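The inconsistency described in the motivation can be reproduced in isolation. This is an added example, not code from the pull request or from dd-trace-java: the class `FrameFilterConsistency`, its methods, the package prefixes used in the two filters and the sample frames are all constructed, and the direction in which the two exclusion lists drifted apart is an assumption. It shows why passing one shared predicate to both computations keeps the reported location inside the reported stack trace.

```java
import java.util.Arrays;
import java.util.List;
import java.util.function.Predicate;
import java.util.stream.Collectors;

// Added illustration; names, prefixes and frames are constructed, not dd-trace-java code.
public class FrameFilterConsistency {
  // Hypothetical exclusion lists that drifted apart: only one also drops "com.datadog.appsec".
  static final Predicate<StackTraceElement> LOCATION_FILTER =
      f -> !f.getClassName().startsWith("datadog.trace.");
  static final Predicate<StackTraceElement> TRACE_FILTER =
      LOCATION_FILTER.and(f -> !f.getClassName().startsWith("com.datadog.appsec."));

  // Vulnerability location: the first frame that survives the filter.
  static StackTraceElement location(
      List<StackTraceElement> stack, Predicate<StackTraceElement> keep) {
    return stack.stream().filter(keep).findFirst().orElse(null);
  }

  // Reported stack trace: every frame that survives the filter.
  static List<StackTraceElement> userCodeStack(
      List<StackTraceElement> stack, Predicate<StackTraceElement> keep) {
    return stack.stream().filter(keep).collect(Collectors.toList());
  }

  // Invariant a consumer relies on: the location is one of the reported frames.
  static boolean consistent(List<StackTraceElement> stack,
      Predicate<StackTraceElement> locFilter, Predicate<StackTraceElement> traceFilter) {
    StackTraceElement loc = location(stack, locFilter);
    return loc == null || userCodeStack(stack, traceFilter).contains(loc);
  }

  public static void main(String[] args) {
    // Constructed stack, innermost frame first.
    List<StackTraceElement> stack = Arrays.asList(
        new StackTraceElement("datadog.trace.Hook", "onCall", "Hook.java", 10),
        new StackTraceElement("com.datadog.appsec.Module", "check", "Module.java", 20),
        new StackTraceElement("com.example.shop.OrderDao", "find", "OrderDao.java", 42));

    // Two different filters: the location frame is missing from the reported trace.
    System.out.println("mismatched filters consistent: "
        + consistent(stack, LOCATION_FILTER, TRACE_FILTER));
    // One shared predicate for both computations restores the invariant.
    System.out.println("shared filter consistent:      "
        + consistent(stack, TRACE_FILTER, TRACE_FILTER));
    System.out.println("location with shared filter:   " + location(stack, TRACE_FILTER));
  }
}
```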