Reset IAST request context on root span published #7969
LGTM
LGTM! but there are plenty of failing tests 😅
Benchmarks
Startup
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 55 metrics, 8 unstable metrics.
[Gantt charts omitted: startup time reports for insecure-bank and petclinic (global startup overhead and break down per module), candidate=1.43.0-SNAPSHOT~f4d62a2aa3, baseline=1.43.0-SNAPSHOT~6181783bd1]
Load
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.
[Gantt charts omitted: request duration reports [CI 0.99] for petclinic and insecure-bank, candidate=1.43.0-SNAPSHOT~f4d62a2aa3, baseline=1.43.0-SNAPSHOT~6181783bd1]
Dacapo
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
[Gantt charts omitted: execution time [CI 0.99] for tomcat and biojava, candidate=1.43.0-SNAPSHOT~f4d62a2aa3, baseline=1.43.0-SNAPSHOT~6181783bd1]
Kafka / producer-benchmark
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 3 metrics, 0 unstable metrics.
Kafka / consumer-benchmark
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 3 metrics, 0 unstable metrics.
import javax.annotation.Nonnull; | ||
import javax.annotation.Nullable; | ||
|
||
/** Encapsulation for the IAST context, */ | ||
public interface IastContext { | ||
public interface IastContext extends Closeable { |
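Review bot: On the "public interface IastContext extends Closeable" line, the Javadoc above it still reads "Encapsulation for the IAST context," (trailing comma) and says nothing about the new close contract. Document what close() is expected to release and when it runs, and state that calling it more than once is safe, since java.io.Closeable requires a repeated close() to have no effect. Extending Closeable also makes close() declare IOException; implementations that cannot fail should override it without the throws clause so callers holding the concrete type are not forced to handle a checked exception.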
Perhaps implementing AutoCloseable is a better choice here if you want to go with try-with-resources
Yep, AFAIK Closeable extends AutoCloseable so we could eventually use it in a try with resources, but so far it's only used in the span context directly:

    if (this.requestContextDataIast instanceof Closeable) {
      try {
        ((Closeable) this.requestContextDataIast).close();
      } catch (IOException | RuntimeException e) {
        exc = e;
      }
    }
Fixed! 😉
What Does This Do
Resets all IAST request context data structures when the root span of a trace is published.
Motivation
We observed an akka-http service with a very high number of IAST contexts in the heap, probably related to pending traces. Once a trace has been published we should not hold on to any references.
Additional Notes
Contributor Checklist
type: and (comp: or inst:) labels in addition to any useful labels
close, fix or any linking keywords when referencing an issue. Use solves instead, and assign the PR milestone to the issue
Jira ticket: APPSEC-55869
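The pattern described above (per-request IAST state that is closed and dereferenced once the root span is published) as a minimal sketch. This is an added example, not the project's own code: DemoIastContext, DemoRequestContext, onRootSpanPublished and the sample values are hypothetical names constructed for illustration.

```java
import java.io.Closeable;
import java.io.IOException;
import java.util.IdentityHashMap;
import java.util.Map;

public class IastContextResetDemo {
  /** Hypothetical stand-in for per-request IAST state (not the tracer's own class). */
  static final class DemoIastContext implements Closeable {
    private final Map<Object, String> tainted = new IdentityHashMap<>();
    private boolean closed;

    void taint(Object value, String source) {
      // A late write after publication must not re-populate the map.
      if (!closed) tainted.put(value, source);
    }

    int size() { return tainted.size(); }

    @Override
    public void close() { // narrows Closeable.close(): nothing here can throw IOException
      closed = true;
      tainted.clear(); // idempotent: a second call finds nothing left to release
    }
  }

  /** Hypothetical request context owning the IAST data of one trace. */
  static final class DemoRequestContext {
    private Object iastData = new DemoIastContext();

    void onRootSpanPublished() throws IOException {
      Object data = iastData;
      iastData = null; // a pending trace no longer keeps the context reachable
      if (data instanceof Closeable) {
        ((Closeable) data).close();
      }
    }
  }

  public static void main(String[] args) throws IOException {
    DemoRequestContext request = new DemoRequestContext();
    DemoIastContext iast = (DemoIastContext) request.iastData;
    iast.taint("constructed-value", "http.request.parameter");
    request.onRootSpanPublished();
    request.onRootSpanPublished(); // second publication is a no-op
    iast.taint("late-write", "http.request.parameter");
    System.out.println("tainted entries after publish: " + iast.size());
  }
}
```

Clearing the map inside close() as well as nulling the owner's field matters when something else, such as a pending trace or an async continuation, still holds a reference to the context object itself.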