
Add hardcoded secrets detection #6461

Merged
jandro996 merged 23 commits into master from alejandro.gonzalez/Hardcoded_Secrets_detection on Jan 25, 2024

Conversation

@jandro996 (Member) commented Jan 10, 2024

What Does This Do

  • Use the Java constant pool to get each loaded class's constants
  • Check whether the constants match the secret regular expressions
  • When we find a secret, use the asm ClassReader to get the constant's line and report the vulnerability

Motivation

Detect hardcoded secrets in custom code

Additional Notes

Jira ticket: APPSEC-11890
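The first two steps of the approach described above (walk the constant pool of a class, match its string constants against secret patterns), as an added stand-alone example. This is not the PR's code or any dd-trace-java code: the project works in Java on top of ASM's ClassReader, while this is a minimal Python parser of the class-file constant pool (JVMS section 4.4) over a constructed class file. The patterns in SECRET_PATTERNS, the sample class bytes and the "AKIAIOSFODNN7EXAMPLE" literal (AWS's own documented placeholder key) are constructed for the example. Step three, mapping a hit back to a source line through the method's LineNumberTable, is not shown.

```python
"""Scan a JVM class file's constant pool for string constants that look like
secrets.  Constructed example modelled on JVMS section 4.4; it is not
dd-trace-java's implementation, which is Java and uses ASM's ClassReader."""
import re
import struct

# Constant pool tags (JVMS 4.4, Table 4.4-A).
CONSTANT_Utf8 = 1
CONSTANT_Long = 5
CONSTANT_Double = 6
CONSTANT_String = 8

# Body size in bytes for every fixed-size tag; Utf8 (tag 1) is variable-length.
FIXED_SIZES = {
    3: 4, 4: 4,          # Integer, Float
    5: 8, 6: 8,          # Long, Double (each occupies two pool slots)
    7: 2, 8: 2,          # Class, String: u2 index into the pool
    9: 4, 10: 4, 11: 4,  # Fieldref, Methodref, InterfaceMethodref
    12: 4,               # NameAndType
    15: 3, 16: 2,        # MethodHandle, MethodType
    17: 4, 18: 4,        # Dynamic, InvokeDynamic
    19: 2, 20: 2,        # Module, Package
}

# Constructed detection patterns; a real rule set is far larger.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def decode_modified_utf8(raw: bytes) -> str:
    """Decode the JVM's modified UTF-8 (JVMS 4.4.7): NUL is stored as C0 80 and
    supplementary characters as two 3-byte surrogate encodings."""
    text = raw.replace(b"\xc0\x80", b"\x00").decode("utf-8", "surrogatepass")
    return text.encode("utf-16", "surrogatepass").decode("utf-16", "surrogatepass")


def parse_constant_pool(class_bytes: bytes) -> dict:
    """Return {index: (tag, body)}; Utf8 bodies are decoded, others kept as bytes."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool = {}
    off = 10    # first byte after constant_pool_count
    index = 1   # pool indices start at 1
    while index < count:
        tag = class_bytes[off]
        off += 1
        if tag == CONSTANT_Utf8:
            (length,) = struct.unpack_from(">H", class_bytes, off)
            off += 2
            pool[index] = (tag, decode_modified_utf8(class_bytes[off:off + length]))
            off += length
        elif tag in FIXED_SIZES:
            size = FIXED_SIZES[tag]
            pool[index] = (tag, class_bytes[off:off + size])
            off += size
            if tag in (CONSTANT_Long, CONSTANT_Double):
                index += 1  # 8-byte constants take two slots; the second is unusable
        else:
            raise ValueError(f"unknown constant pool tag {tag} at index {index}")
        index += 1
    return pool


def string_constants(pool: dict):
    """Yield (index, text) for each CONSTANT_String, i.e. the literals ldc can push.
    Utf8 entries used only as names or descriptors are skipped on purpose."""
    for index, (tag, body) in pool.items():
        if tag == CONSTANT_String:
            (utf8_index,) = struct.unpack(">H", body)
            yield index, pool[utf8_index][1]


def find_hardcoded_secrets(class_bytes: bytes) -> list:
    """Return [(pattern name, constant pool index, literal)] for every match."""
    hits = []
    for index, text in string_constants(parse_constant_pool(class_bytes)):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                hits.append((name, index, text))
    return hits


# --- constructed sample class file (not loadable; only the pool is meaningful) ---
def _utf8(s: str) -> bytes:
    data = s.encode("utf-8")
    return bytes([CONSTANT_Utf8]) + struct.pack(">H", len(data)) + data


def _ref(tag: int, index: int) -> bytes:
    return bytes([tag]) + struct.pack(">H", index)


_POOL = b"".join([
    _utf8("com/example/Config"),                             # 1
    _ref(7, 1),                                              # 2  Class -> #1
    bytes([CONSTANT_Long]) + struct.pack(">q", 1706145080),  # 3 (and 4)
    _utf8("AKIAIOSFODNN7EXAMPLE"),                           # 5  AWS documented placeholder
    _ref(CONSTANT_String, 5),                                # 6
    _utf8("Hello, world"),                                   # 7
    _ref(CONSTANT_String, 7),                                # 8
    _utf8("-----BEGIN RSA PRIVATE KEY-----\nFAKE\n-----END RSA PRIVATE KEY-----"),  # 9
    _ref(CONSTANT_String, 9),                                # 10
])
# constant_pool_count is one more than the number of slots used (10 slots -> 11).
SAMPLE_CLASS = (struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 11) + _POOL
                + struct.pack(">HHHHHHH", 0x0021, 2, 0, 0, 0, 0, 0))

if __name__ == "__main__":
    for name, index, text in find_hardcoded_secrets(SAMPLE_CLASS):
        print(f"{name}: constant pool #{index} = {text!r}")
```

Two design points carry over to any implementation of this idea: only CONSTANT_String entries are matched, because those are the literals the code can actually load, whereas scanning every Utf8 entry would also match method names and descriptors; and Long/Double entries must advance the index by two, otherwise every entry after the first 8-byte constant is misread.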

@pr-commenter (bot) commented Jan 10, 2024

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/Hardcoded_Secrets_detection
git_commit_date 1706145080 1706169451
git_commit_sha 20acb11 87186eb
release_version 1.29.0-SNAPSHOT~20acb116be 1.29.0-SNAPSHOT~87186eb56e
Matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1706172497 1706172497
ci_job_id 418141269 418141269
ci_pipeline_id 27158714 27158714
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 44 metrics, 10 unstable metrics.

Startup time reports for petclinic
gantt
    title petclinic - global startup overhead: candidate=1.29.0-SNAPSHOT~87186eb56e, baseline=1.29.0-SNAPSHOT~20acb116be

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.069 s) : 0, 1068563
Total [baseline] (9.353 s) : 0, 9352704
Agent [candidate] (1.069 s) : 0, 1068967
Total [candidate] (9.391 s) : 0, 9391244
section appsec
Agent [baseline] (1.161 s) : 0, 1161015
Total [baseline] (9.515 s) : 0, 9515423
Agent [candidate] (1.156 s) : 0, 1155619
Total [candidate] (9.407 s) : 0, 9406956
section iast
Agent [baseline] (1.185 s) : 0, 1184800
Total [baseline] (9.642 s) : 0, 9641851
Agent [candidate] (1.181 s) : 0, 1180689
Total [candidate] (9.601 s) : 0, 9601208
section profiling
Agent [baseline] (1.283 s) : 0, 1283425
Total [baseline] (9.557 s) : 0, 9557299
Agent [candidate] (1.285 s) : 0, 1284556
Total [candidate] (9.694 s) : 0, 9693979
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.069 s -
Agent appsec 1.161 s 92.452 ms (8.7%)
Agent iast 1.185 s 116.236 ms (10.9%)
Agent profiling 1.283 s 214.862 ms (20.1%)
Total tracing 9.353 s -
Total appsec 9.515 s 162.719 ms (1.7%)
Total iast 9.642 s 289.147 ms (3.1%)
Total profiling 9.557 s 204.595 ms (2.2%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.069 s -
Agent appsec 1.156 s 86.652 ms (8.1%)
Agent iast 1.181 s 111.723 ms (10.5%)
Agent profiling 1.285 s 215.589 ms (20.2%)
Total tracing 9.391 s -
Total appsec 9.407 s 15.712 ms (0.2%)
Total iast 9.601 s 209.964 ms (2.2%)
Total profiling 9.694 s 302.735 ms (3.2%)
gantt
    title petclinic - break down per module: candidate=1.29.0-SNAPSHOT~87186eb56e, baseline=1.29.0-SNAPSHOT~20acb116be

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (675.111 ms) : 0, 675111
BytebuddyAgent [candidate] (675.384 ms) : 0, 675384
GlobalTracer [baseline] (298.074 ms) : 0, 298074
GlobalTracer [candidate] (298.65 ms) : 0, 298650
AppSec [baseline] (52.325 ms) : 0, 52325
AppSec [candidate] (51.892 ms) : 0, 51892
Remote Config [baseline] (700.606 µs) : 0, 701
Remote Config [candidate] (694.426 µs) : 0, 694
Telemetry [baseline] (7.586 ms) : 0, 7586
Telemetry [candidate] (7.601 ms) : 0, 7601
section appsec
BytebuddyAgent [baseline] (671.18 ms) : 0, 671180
BytebuddyAgent [candidate] (666.988 ms) : 0, 666988
GlobalTracer [baseline] (297.419 ms) : 0, 297419
GlobalTracer [candidate] (296.714 ms) : 0, 296714
AppSec [baseline] (150.502 ms) : 0, 150502
AppSec [candidate] (150.108 ms) : 0, 150108
Remote Config [baseline] (706.176 µs) : 0, 706
Remote Config [candidate] (694.975 µs) : 0, 695
Telemetry [baseline] (6.828 ms) : 0, 6828
Telemetry [candidate] (6.773 ms) : 0, 6773
section iast
BytebuddyAgent [baseline] (779.822 ms) : 0, 779822
BytebuddyAgent [candidate] (776.672 ms) : 0, 776672
GlobalTracer [baseline] (287.672 ms) : 0, 287672
GlobalTracer [candidate] (287.238 ms) : 0, 287238
AppSec [baseline] (54.691 ms) : 0, 54691
AppSec [candidate] (53.993 ms) : 0, 53993
Remote Config [baseline] (612.556 µs) : 0, 613
Remote Config [candidate] (610.078 µs) : 0, 610
Telemetry [baseline] (7.504 ms) : 0, 7504
Telemetry [candidate] (6.688 ms) : 0, 6688
IAST [baseline] (19.974 ms) : 0, 19974
IAST [candidate] (21.11 ms) : 0, 21110
section profiling
ProfilingAgent [baseline] (123.4 ms) : 0, 123400
ProfilingAgent [candidate] (125.666 ms) : 0, 125666
BytebuddyAgent [baseline] (668.449 ms) : 0, 668449
BytebuddyAgent [candidate] (665.163 ms) : 0, 665163
GlobalTracer [baseline] (376.343 ms) : 0, 376343
GlobalTracer [candidate] (378.485 ms) : 0, 378485
AppSec [baseline] (52.246 ms) : 0, 52246
AppSec [candidate] (52.709 ms) : 0, 52709
Remote Config [baseline] (656.983 µs) : 0, 657
Remote Config [candidate] (675.609 µs) : 0, 676
Telemetry [baseline] (7.525 ms) : 0, 7525
Telemetry [candidate] (7.618 ms) : 0, 7618
Profiling [baseline] (123.424 ms) : 0, 123424
Profiling [candidate] (125.691 ms) : 0, 125691

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2024-01-25T08:24:19 2024-01-25T08:43:14
git_branch master alejandro.gonzalez/Hardcoded_Secrets_detection
git_commit_date 1706145080 1706169451
git_commit_sha 20acb11 87186eb
release_version 1.29.0-SNAPSHOT~20acb116be 1.29.0-SNAPSHOT~87186eb56e
start_time 2024-01-25T08:24:06 2024-01-25T08:43:01
Matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1706172497 1706172497
ci_job_id 418141269 418141269
ci_pipeline_id 27158714 27158714
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 16 unstable metrics.

Request duration reports for petclinic
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.29.0-SNAPSHOT~87186eb56e, baseline=1.29.0-SNAPSHOT~20acb116be
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.348 ms) : 1328, 1367
.   : milestone, 1348,
appsec (1.772 ms) : 1747, 1798
.   : milestone, 1772,
iast (1.536 ms) : 1510, 1561
.   : milestone, 1536,
profiling (1.53 ms) : 1506, 1555
.   : milestone, 1530,
tracing (1.507 ms) : 1482, 1532
.   : milestone, 1507,
section candidate
no_agent (1.351 ms) : 1332, 1370
.   : milestone, 1351,
appsec (1.764 ms) : 1737, 1790
.   : milestone, 1764,
iast (1.539 ms) : 1514, 1563
.   : milestone, 1539,
profiling (1.528 ms) : 1503, 1553
.   : milestone, 1528,
tracing (1.485 ms) : 1460, 1510
.   : milestone, 1485,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.348 ms [1.328 ms, 1.367 ms] -
appsec 1.772 ms [1.747 ms, 1.798 ms] 424.966 µs (31.5%)
iast 1.536 ms [1.51 ms, 1.561 ms] 188.233 µs (14.0%)
profiling 1.53 ms [1.506 ms, 1.555 ms] 182.769 µs (13.6%)
tracing 1.507 ms [1.482 ms, 1.532 ms] 159.475 µs (11.8%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.351 ms [1.332 ms, 1.37 ms] -
appsec 1.764 ms [1.737 ms, 1.79 ms] 412.834 µs (30.6%)
iast 1.539 ms [1.514 ms, 1.563 ms] 187.85 µs (13.9%)
profiling 1.528 ms [1.503 ms, 1.553 ms] 177.311 µs (13.1%)
tracing 1.485 ms [1.46 ms, 1.51 ms] 134.599 µs (10.0%)
Request duration reports for insecure-bank
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.29.0-SNAPSHOT~87186eb56e, baseline=1.29.0-SNAPSHOT~20acb116be
    dateFormat X
    axisFormat %s
section baseline
no_agent (368.155 µs) : 348, 388
.   : milestone, 368,
iast (478.051 µs) : 457, 499
.   : milestone, 478,
iast_FULL (542.143 µs) : 521, 563
.   : milestone, 542,
iast_GLOBAL (505.626 µs) : 485, 527
.   : milestone, 506,
iast_HARDCODED_SECRET_DISABLED (476.666 µs) : 456, 497
.   : milestone, 477,
iast_INACTIVE (444.833 µs) : 424, 466
.   : milestone, 445,
iast_TELEMETRY_OFF (470.288 µs) : 450, 491
.   : milestone, 470,
tracing (442.949 µs) : 422, 464
.   : milestone, 443,
section candidate
no_agent (365.5 µs) : 346, 385
.   : milestone, 366,
iast (472.83 µs) : 452, 493
.   : milestone, 473,
iast_FULL (546.723 µs) : 526, 567
.   : milestone, 547,
iast_GLOBAL (502.52 µs) : 481, 524
.   : milestone, 503,
iast_HARDCODED_SECRET_DISABLED (478.006 µs) : 457, 499
.   : milestone, 478,
iast_INACTIVE (466.311 µs) : 445, 488
.   : milestone, 466,
iast_TELEMETRY_OFF (473.906 µs) : 453, 495
.   : milestone, 474,
tracing (439.523 µs) : 419, 460
.   : milestone, 440,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 368.155 µs [347.911 µs, 388.399 µs] -
iast 478.051 µs [457.38 µs, 498.722 µs] 109.896 µs (29.9%)
iast_FULL 542.143 µs [521.388 µs, 562.898 µs] 173.988 µs (47.3%)
iast_GLOBAL 505.626 µs [484.717 µs, 526.534 µs] 137.471 µs (37.3%)
iast_HARDCODED_SECRET_DISABLED 476.666 µs [455.874 µs, 497.457 µs] 108.511 µs (29.5%)
iast_INACTIVE 444.833 µs [423.628 µs, 466.039 µs] 76.678 µs (20.8%)
iast_TELEMETRY_OFF 470.288 µs [449.796 µs, 490.78 µs] 102.133 µs (27.7%)
tracing 442.949 µs [422.272 µs, 463.627 µs] 74.795 µs (20.3%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 365.5 µs [345.7 µs, 385.3 µs] -
iast 472.83 µs [452.378 µs, 493.283 µs] 107.33 µs (29.4%)
iast_FULL 546.723 µs [526.05 µs, 567.396 µs] 181.223 µs (49.6%)
iast_GLOBAL 502.52 µs [481.248 µs, 523.793 µs] 137.02 µs (37.5%)
iast_HARDCODED_SECRET_DISABLED 478.006 µs [457.433 µs, 498.58 µs] 112.506 µs (30.8%)
iast_INACTIVE 466.311 µs [445.014 µs, 487.607 µs] 100.811 µs (27.6%)
iast_TELEMETRY_OFF 473.906 µs [452.707 µs, 495.104 µs] 108.406 µs (29.7%)
tracing 439.523 µs [418.876 µs, 460.169 µs] 74.022 µs (20.3%)

@smola added the "comp: asm iast" (Application Security Management (IAST)) label, Jan 10, 2024
@jandro996 force-pushed the alejandro.gonzalez/Hardcoded_Secrets_detection branch from 3d05c93 to 051e511, January 12, 2024 10:24
@jandro996 marked this pull request as ready for review, January 15, 2024 13:26
@jandro996 requested review from a team as code owners, January 15, 2024 13:26
@jandro996 force-pushed the alejandro.gonzalez/Hardcoded_Secrets_detection branch from bc74e65 to 87186eb, January 25, 2024 07:57
@jandro996 merged commit cd33d47 into master, Jan 25, 2024
80 checks passed
@jandro996 deleted the alejandro.gonzalez/Hardcoded_Secrets_detection branch, January 25, 2024 10:25
@github-actions (bot) added this to the 1.29.0 milestone, Jan 25, 2024
@PerfectSlayer changed the title from "Hardcoded secrets detection" to "Add hardcoded secrets detection", Feb 5, 2024
@smola added the R&D label, Feb 6, 2024