Improve coverage of application vulnerabilities for servlet #6803 (Merged)
jandro996 merged 16 commits into master from alejandro.gonzalez/chang_app_vulns_approach, Mar 14, 2024
Conversation
jandro996 requested review from smola, manuel-alvarez-alvarez, mcculls and nayeem-kamal, March 12, 2024 09:40
Benchmarks
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 50 metrics, 13 unstable metrics.
[Startup time report for petclinic: global startup overhead and break down per module (tracing, appsec, iast, profiling); candidate=1.32.0-SNAPSHOT~e8d42e8f26, baseline=1.32.0-SNAPSHOT~ee9c0f803a]
[Startup time report for insecure-bank: global startup overhead and break down per module (tracing, iast, iast_HARDCODED_SECRET_DISABLED, iast_TELEMETRY_OFF); same candidate and baseline]
[Request duration report for petclinic, CI 0.99, baseline vs candidate (no_agent, appsec, iast, profiling, tracing)]
[Request duration report for insecure-bank, CI 0.99, baseline vs candidate (no_agent, iast, iast_FULL, iast_GLOBAL, iast_HARDCODED_SECRET_DISABLED, iast_INACTIVE, iast_TELEMETRY_OFF, tracing)]
smola approved these changes, Mar 12, 2024
smola changed the title from "Change Servlet instrumentation for application vulnerabilities" to "Improve coverage of application vulnerabilities for servlet", Mar 12, 2024
smola added labels "type: enhancement" and "comp: asm iast" (Application Security Management (IAST)), Mar 12, 2024
Review thread on ...rvlet/request-2/src/main/java/datadog/trace/instrumentation/servlet2/IastServlet2Advice.java (outdated, resolved)
manuel-alvarez-alvarez approved these changes, Mar 13, 2024
jandro996 force-pushed the alejandro.gonzalez/chang_app_vulns_approach branch from ef20ab0 to e790156, March 14, 2024 07:42
What Does This Do
Get the realPath from the context when HttpServlet#service or javax.servlet.FilterChain#doFilter is called (this implementation is based on the current tracer instrumentation for servlet).
Remove javax.servlet.ServletContext#getRealPath instrumentation
Add new IAST instrumentations for:
servlet2 -> javax.servlet.Servlet
servlet3 -> javax.servlet.Servlet
servlet5 -> jakarta.servlet.Servlet
Motivation
We noticed that javax.servlet.ServletContext#getRealPath is not always called, so we need to find a more reliable point to check the vulnerabilities.
Add coverage to servlet 5
Additional Notes
Jira ticket: [PROJ-IDENT]
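The approach described in the PR, as an added illustration that is not the PR's own code: a Byte Buddy advice on HttpServlet#service that obtains the web application's real path from the ServletContext on the first request, instead of waiting for the application to call ServletContext#getRealPath itself. ServletRealPathAdvice and the APP_CHECK hook are hypothetical names and stand in for the IAST checks; they are not dd-trace-java APIs.

```java
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServlet;
import net.bytebuddy.asm.Advice;

/**
 * Illustrative advice (hypothetical class, not a dd-trace-java API): read the real path
 * at a point that every request passes through, so the check does not depend on the
 * application ever calling ServletContext#getRealPath.
 */
public class ServletRealPathAdvice {

  // The advice runs on every request, so keep the hot path to one volatile read.
  private static final AtomicBoolean CHECKED = new AtomicBoolean(false);

  // Hypothetical hook that receives the real path once; the application
  // vulnerability checks would be plugged in here.
  public static volatile Consumer<String> APP_CHECK = path -> {};

  @Advice.OnMethodEnter(suppress = Throwable.class)
  public static void onEnter(@Advice.This final HttpServlet servlet) {
    if (CHECKED.get()) {
      return;
    }
    final ServletContext context = servlet.getServletContext();
    if (context == null) {
      return; // init(ServletConfig) has not run yet; retry on the next request
    }
    // getRealPath returns null when the container cannot map "/" to the file
    // system (for example an unexploded WAR); leave CHECKED false so a later
    // request can retry rather than silently skipping the checks forever.
    final String realPath = context.getRealPath("/");
    if (realPath == null) {
      return;
    }
    if (CHECKED.compareAndSet(false, true)) {
      APP_CHECK.accept(realPath);
    }
  }
}
```

The FilterChain#doFilter variant mentioned in the PR would take the context from the request instead (ServletRequest#getServletContext, available from Servlet 3.0), which is why HttpServlet#service is the hook that also covers the servlet2 case.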