
Exclude net.jodah.failsafe from IAST #6200

Merged: smola merged 3 commits into master from smola/exclude-iast-net-jodah on Nov 13, 2023
Conversation

@smola (Member) commented Nov 13, 2023

What Does This Do

Exclude net.jodah.failsafe.* from IAST instrumentation.

Motivation

Leads to a weak randomness false positive, and it is unlikely we will find other vulnerabilities here, so avoid the performance overhead.

Additional Notes

Jira ticket: APPSEC-12195

@smola smola requested a review from a team as a code owner November 13, 2023 08:23
@smola smola added the comp: asm iast Application Security Management (IAST) label Nov 13, 2023
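An added illustration of the two decisions behind this PR, written for this page and not taken from dd-trace-java or from Failsafe: an agent skipping a whole package by class-name prefix, and why a `java.util.Random` call is noise in retry jitter but a real weak-randomness finding in a token generator. The prefix-list shape of the exclusion, the jitter routine, the `IastExclusionDemo` class and the `com.example.auth.TokenService` name are assumptions for the demo; the page does not show how dd-trace-java matches excluded classes or which Failsafe call produced the false positive.

```java
import java.security.SecureRandom;
import java.util.List;
import java.util.Random;

// Stand-alone demo (not dd-trace-java or Failsafe code). The exclusion list is
// modelled as a list of package prefixes; that representation is an assumption.
public final class IastExclusionDemo {

    // A class is skipped by IAST when its fully qualified name starts with any of
    // these prefixes. "net.jodah.failsafe." is the prefix this PR adds.
    static final List<String> IAST_EXCLUDED_PREFIXES = List.of("net.jodah.failsafe.");

    /** Returns true when IAST should not instrument the given class. */
    static boolean isExcludedFromIast(String className) {
        for (String prefix : IAST_EXCLUDED_PREFIXES) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Retry back-off with +/- jitterFactor jitter (assumed routine, not Failsafe's).
     * The RNG only decides how long a client waits; predicting it gains an attacker
     * nothing, which is why a weak-randomness finding on code like this is noise.
     */
    static long jitteredDelayMillis(long baseMillis, double jitterFactor, Random rng) {
        double unit = rng.nextDouble() * 2.0 - 1.0;            // uniform in [-1, 1)
        long delay = Math.round(baseMillis * (1.0 + jitterFactor * unit));
        return Math.max(0L, delay);
    }

    /**
     * A bearer token. Here predictability is the vulnerability, so the caller must
     * pass a SecureRandom; a plain java.util.Random is rejected outright.
     */
    static String sessionToken(Random rng, int numBytes) {
        if (!(rng instanceof SecureRandom)) {
            throw new IllegalArgumentException("session tokens require SecureRandom");
        }
        byte[] buf = new byte[numBytes];
        rng.nextBytes(buf);
        StringBuilder hex = new StringBuilder(numBytes * 2);
        for (byte b : buf) {
            hex.append(String.format("%02x", b));   // %x on a Byte prints the unsigned value
        }
        return hex.toString();
    }

    public static void main(String[] args) {
        // A Failsafe class is skipped; an application class is still inspected.
        System.out.println("net.jodah.failsafe.RetryPolicy excluded: "
                + isExcludedFromIast("net.jodah.failsafe.RetryPolicy"));
        System.out.println("com.example.auth.TokenService excluded: "
                + isExcludedFromIast("com.example.auth.TokenService"));

        // Back-off schedule: a weak RNG is acceptable for jitter.
        Random jitter = new Random(42L);   // seeded only to make the demo repeatable
        long base = 100L;
        for (int attempt = 1; attempt <= 3; attempt++) {
            System.out.println("attempt " + attempt + " waits "
                    + jitteredDelayMillis(base, 0.25, jitter) + " ms");
            base *= 2;
        }

        // Security-relevant value: SecureRandom is mandatory.
        System.out.println("token: " + sessionToken(new SecureRandom(), 16));
        try {
            sessionToken(new Random(), 16);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check a practitioner would add after merging an exclusion like this is the reverse one: confirm that the application's own classes, where a weak RNG would matter, are still instrumented, as `isExcludedFromIast("com.example.auth.TokenService")` returning false shows here.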
@pr-commenter (bot) commented Nov 13, 2023

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| commit | 1.24.0-SNAPSHOT~3fb888b81b | 1.24.0-SNAPSHOT~38c994e825 |
| config | baseline | candidate |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 54 cases.

Startup time reports for insecure-bank
[chart] insecure-bank - global startup overhead: candidate=1.24.0-SNAPSHOT~38c994e825, baseline=1.24.0-SNAPSHOT~3fb888b81b (values in the tables below)
Baseline results

| Module | Variant | Duration | Δ vs tracing |
|---|---|---|---|
| Agent | tracing | 1.034 s | - |
| Agent | iast | 1.151 s | 117.321 ms (11.3%) |
| Agent | iast_TELEMETRY_OFF | 1.142 s | 107.811 ms (10.4%) |
| Total | tracing | 8.781 s | - |
| Total | iast | 9.291 s | 510.935 ms (5.8%) |
| Total | iast_TELEMETRY_OFF | 9.269 s | 488.365 ms (5.6%) |

Candidate results

| Module | Variant | Duration | Δ vs tracing |
|---|---|---|---|
| Agent | tracing | 1.036 s | - |
| Agent | iast | 1.154 s | 117.479 ms (11.3%) |
| Agent | iast_TELEMETRY_OFF | 1.145 s | 108.797 ms (10.5%) |
| Total | tracing | 8.759 s | - |
| Total | iast | 9.314 s | 555.125 ms (6.3%) |
| Total | iast_TELEMETRY_OFF | 9.272 s | 513.302 ms (5.9%) |
insecure-bank - break down per module: candidate=1.24.0-SNAPSHOT~38c994e825, baseline=1.24.0-SNAPSHOT~3fb888b81b

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 644.632 ms | 646.407 ms |
| tracing | GlobalTracer | 294.177 ms | 294.567 ms |
| tracing | AppSec | 48.666 ms | 48.814 ms |
| tracing | Remote Config | 698.599 µs | 695.95 µs |
| tracing | Telemetry | 11.271 ms | 11.321 ms |
| iast | BytebuddyAgent | 764.51 ms | 765.431 ms |
| iast | GlobalTracer | 274.025 ms | 274.894 ms |
| iast | AppSec | 46.786 ms | 46.793 ms |
| iast | Remote Config | 572.226 µs | 577.028 µs |
| iast | Telemetry | 13.238 ms | 14.671 ms |
| iast | IAST | 17.494 ms | 16.939 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 756.464 ms | 758.65 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 273.536 ms | 274.231 ms |
| iast_TELEMETRY_OFF | AppSec | 46.788 ms | 46.626 ms |
| iast_TELEMETRY_OFF | Remote Config | 563.978 µs | 556.849 µs |
| iast_TELEMETRY_OFF | Telemetry | 11.789 ms | 13.939 ms |
| iast_TELEMETRY_OFF | IAST | 18.03 ms | 16.644 ms |
Startup time reports for petclinic
[chart] petclinic - global startup overhead: candidate=1.24.0-SNAPSHOT~38c994e825, baseline=1.24.0-SNAPSHOT~3fb888b81b (values in the tables below)
Baseline results

| Module | Variant | Duration | Δ vs tracing |
|---|---|---|---|
| Agent | tracing | 1.034 s | - |
| Agent | appsec | 1.119 s | 84.988 ms (8.2%) |
| Agent | iast | 1.151 s | 116.122 ms (11.2%) |
| Agent | profiling | 1.216 s | 181.627 ms (17.6%) |
| Total | tracing | 9.267 s | - |
| Total | appsec | 9.446 s | 179.483 ms (1.9%) |
| Total | iast | 9.476 s | 209.416 ms (2.3%) |
| Total | profiling | 9.507 s | 240.385 ms (2.6%) |

Candidate results

| Module | Variant | Duration | Δ vs tracing |
|---|---|---|---|
| Agent | tracing | 1.036 s | - |
| Agent | appsec | 1.121 s | 85.584 ms (8.3%) |
| Agent | iast | 1.153 s | 117.067 ms (11.3%) |
| Agent | profiling | 1.219 s | 182.988 ms (17.7%) |
| Total | tracing | 9.295 s | - |
| Total | appsec | 9.423 s | 127.942 ms (1.4%) |
| Total | iast | 9.544 s | 249.218 ms (2.7%) |
| Total | profiling | 9.508 s | 212.482 ms (2.3%) |
petclinic - break down per module: candidate=1.24.0-SNAPSHOT~38c994e825, baseline=1.24.0-SNAPSHOT~3fb888b81b

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 645.383 ms | 645.374 ms |
| tracing | GlobalTracer | 293.785 ms | 294.984 ms |
| tracing | AppSec | 48.709 ms | 49.016 ms |
| tracing | Remote Config | 695.884 µs | 689.375 µs |
| tracing | Telemetry | 11.44 ms | 11.315 ms |
| appsec | BytebuddyAgent | 645.296 ms | 646.039 ms |
| appsec | GlobalTracer | 293.479 ms | 294.686 ms |
| appsec | AppSec | 138.72 ms | 138.777 ms |
| appsec | Remote Config | 640.257 µs | 637.256 µs |
| appsec | Telemetry | 6.865 ms | 6.852 ms |
| iast | BytebuddyAgent | 765.401 ms | 766.214 ms |
| iast | GlobalTracer | 273.209 ms | 274.903 ms |
| iast | AppSec | 46.738 ms | 47.025 ms |
| iast | Remote Config | 581.846 µs | 580.772 µs |
| iast | Telemetry | 11.166 ms | 11.9 ms |
| iast | IAST | 18.924 ms | 17.721 ms |
| profiling | BytebuddyAgent | 654.724 ms | 656.781 ms |
| profiling | GlobalTracer | 357.752 ms | 358.566 ms |
| profiling | AppSec | 48.91 ms | 48.904 ms |
| profiling | Remote Config | 640.993 µs | 642.966 µs |
| profiling | Telemetry | 11.256 ms | 11.375 ms |
| profiling | ProfilingAgent | 88.63 ms | 88.154 ms |
| profiling | Profiling | 88.655 ms | 88.177 ms |

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| commit | 1.24.0-SNAPSHOT~3fb888b81b | 1.24.0-SNAPSHOT~38c994e825 |
| config | baseline | candidate |
| start_time | 2023-11-13T12:37:31 | 2023-11-13T12:53:57 |
| end_time | 2023-11-13T12:37:44 | 2023-11-13T12:54:10 |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 22 cases.

Request duration reports for insecure-bank
[chart] insecure-bank - request duration [CI 0.99]: candidate=1.24.0-SNAPSHOT~38c994e825, baseline=1.24.0-SNAPSHOT~3fb888b81b (values in the tables below)
Baseline results

| Variant | Request duration [CI 0.99] | Δ vs no_agent |
|---|---|---|
| no_agent | 358.241 µs [338.158 µs, 378.324 µs] | - |
| iast | 460.323 µs [439.463 µs, 481.183 µs] | 102.082 µs (28.5%) |
| iast_FULL | 518.627 µs [498.051 µs, 539.204 µs] | 160.386 µs (44.8%) |
| iast_INACTIVE | 431.946 µs [410.559 µs, 453.332 µs] | 73.705 µs (20.6%) |
| iast_TELEMETRY_OFF | 455.452 µs [434.559 µs, 476.345 µs] | 97.211 µs (27.1%) |
| tracing | 428.265 µs [407.086 µs, 449.444 µs] | 70.024 µs (19.5%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ vs no_agent |
|---|---|---|
| no_agent | 361.881 µs [341.446 µs, 382.316 µs] | - |
| iast | 461.49 µs [440.644 µs, 482.336 µs] | 99.609 µs (27.5%) |
| iast_FULL | 513.742 µs [493.135 µs, 534.349 µs] | 151.861 µs (42.0%) |
| iast_INACTIVE | 432.845 µs [412.054 µs, 453.636 µs] | 70.964 µs (19.6%) |
| iast_TELEMETRY_OFF | 454.989 µs [433.875 µs, 476.103 µs] | 93.108 µs (25.7%) |
| tracing | 429.245 µs [407.82 µs, 450.669 µs] | 67.364 µs (18.6%) |
Request duration reports for petclinic
[chart] petclinic - request duration [CI 0.99]: candidate=1.24.0-SNAPSHOT~38c994e825, baseline=1.24.0-SNAPSHOT~3fb888b81b (values in the tables below)
Baseline results

| Variant | Request duration [CI 0.99] | Δ vs no_agent |
|---|---|---|
| no_agent | 1.343 ms [1.324 ms, 1.362 ms] | - |
| appsec | 1.701 ms [1.677 ms, 1.726 ms] | 358.326 µs (26.7%) |
| iast | 1.468 ms [1.443 ms, 1.492 ms] | 124.842 µs (9.3%) |
| profiling | 1.469 ms [1.442 ms, 1.495 ms] | 125.646 µs (9.4%) |
| tracing | 1.469 ms [1.445 ms, 1.493 ms] | 125.785 µs (9.4%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ vs no_agent |
|---|---|---|
| no_agent | 1.34 ms [1.321 ms, 1.359 ms] | - |
| appsec | 1.699 ms [1.675 ms, 1.724 ms] | 359.67 µs (26.8%) |
| iast | 1.48 ms [1.456 ms, 1.504 ms] | 140.083 µs (10.5%) |
| profiling | 1.47 ms [1.444 ms, 1.495 ms] | 129.884 µs (9.7%) |
| tracing | 1.438 ms [1.414 ms, 1.462 ms] | 98.646 µs (7.4%) |

@smola smola enabled auto-merge (squash) November 13, 2023 10:13
@smola smola merged commit 0ecb5fd into master Nov 13, 2023
64 of 68 checks passed
@smola smola deleted the smola/exclude-iast-net-jodah branch November 13, 2023 17:49
@github-actions github-actions bot added this to the 1.24.0 milestone Nov 13, 2023
jandro996 pushed a commit that referenced this pull request Nov 14, 2023