Add request sampling back in http sources #6810
Merged: manuel-alvarez-alvarez merged 2 commits into master from malvarez/iast-recover-sources-sampling on Mar 14, 2024
Conversation
manuel-alvarez-alvarez added the labels "tag: performance" (Performance related changes) and "comp: asm iast" (Application Security Management (IAST)) on Mar 13, 2024
manuel-alvarez-alvarez force-pushed the malvarez/iast-recover-sources-sampling branch from 3c36750 to e542e02 on March 13, 2024 16:16
Benchmarks
Startup
Parameters: See matching parameters
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 50 metrics, 13 unstable metrics.
Startup time reports for petclinic
gantt
title petclinic - global startup overhead: candidate=1.32.0-SNAPSHOT~e78a54c6f0, baseline=1.32.0-SNAPSHOT~f19053f7e4
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.089 s) : 0, 1088676
Total [baseline] (9.223 s) : 0, 9222970
Agent [candidate] (1.08 s) : 0, 1079534
Total [candidate] (9.136 s) : 0, 9135867
section appsec
Agent [baseline] (1.2 s) : 0, 1200367
Total [baseline] (9.32 s) : 0, 9319910
Agent [candidate] (1.2 s) : 0, 1200476
Total [candidate] (9.353 s) : 0, 9352828
section iast
Agent [baseline] (1.203 s) : 0, 1202651
Total [baseline] (9.284 s) : 0, 9283875
Agent [candidate] (1.203 s) : 0, 1203111
Total [candidate] (9.317 s) : 0, 9316759
section profiling
Agent [baseline] (1.273 s) : 0, 1272815
Total [baseline] (9.447 s) : 0, 9446614
Agent [candidate] (1.282 s) : 0, 1282296
Total [candidate] (9.474 s) : 0, 9473534
gantt
title petclinic - break down per module: candidate=1.32.0-SNAPSHOT~e78a54c6f0, baseline=1.32.0-SNAPSHOT~f19053f7e4
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (703.523 ms) : 0, 703523
BytebuddyAgent [candidate] (695.614 ms) : 0, 695614
GlobalTracer [baseline] (292.835 ms) : 0, 292835
GlobalTracer [candidate] (292.183 ms) : 0, 292183
AppSec [baseline] (49.023 ms) : 0, 49023
AppSec [candidate] (48.923 ms) : 0, 48923
Remote Config [baseline] (747.173 µs) : 0, 747
Remote Config [candidate] (750.924 µs) : 0, 751
Telemetry [baseline] (7.8 ms) : 0, 7800
Telemetry [candidate] (7.763 ms) : 0, 7763
section appsec
BytebuddyAgent [baseline] (696.604 ms) : 0, 696604
BytebuddyAgent [candidate] (696.398 ms) : 0, 696398
GlobalTracer [baseline] (290.826 ms) : 0, 290826
GlobalTracer [candidate] (291.891 ms) : 0, 291891
AppSec [baseline] (153.454 ms) : 0, 153454
AppSec [candidate] (152.698 ms) : 0, 152698
IAST [baseline] (17.827 ms) : 0, 17827
IAST [candidate] (17.849 ms) : 0, 17849
Remote Config [baseline] (605.322 µs) : 0, 605
Remote Config [candidate] (604.29 µs) : 0, 604
Telemetry [baseline] (6.856 ms) : 0, 6856
Telemetry [candidate] (6.848 ms) : 0, 6848
section iast
BytebuddyAgent [baseline] (799.381 ms) : 0, 799381
BytebuddyAgent [candidate] (798.978 ms) : 0, 798978
GlobalTracer [baseline] (288.017 ms) : 0, 288017
GlobalTracer [candidate] (289.007 ms) : 0, 289007
AppSec [baseline] (50.133 ms) : 0, 50133
AppSec [candidate] (50.062 ms) : 0, 50062
IAST [baseline] (23.743 ms) : 0, 23743
IAST [candidate] (23.669 ms) : 0, 23669
Remote Config [baseline] (608.867 µs) : 0, 609
Remote Config [candidate] (578.014 µs) : 0, 578
Telemetry [baseline] (6.579 ms) : 0, 6579
Telemetry [candidate] (6.621 ms) : 0, 6621
section profiling
BytebuddyAgent [baseline] (688.882 ms) : 0, 688882
BytebuddyAgent [candidate] (694.626 ms) : 0, 694626
GlobalTracer [baseline] (375.261 ms) : 0, 375261
GlobalTracer [candidate] (378.262 ms) : 0, 378262
AppSec [baseline] (49.51 ms) : 0, 49510
AppSec [candidate] (49.693 ms) : 0, 49693
Remote Config [baseline] (792.256 µs) : 0, 792
Remote Config [candidate] (794.116 µs) : 0, 794
Telemetry [baseline] (7.65 ms) : 0, 7650
Telemetry [candidate] (7.458 ms) : 0, 7458
ProfilingAgent [baseline] (94.701 ms) : 0, 94701
ProfilingAgent [candidate] (94.971 ms) : 0, 94971
Profiling [baseline] (94.725 ms) : 0, 94725
Profiling [candidate] (94.995 ms) : 0, 94995
Startup time reports for insecure-bank
gantt
title insecure-bank - global startup overhead: candidate=1.32.0-SNAPSHOT~e78a54c6f0, baseline=1.32.0-SNAPSHOT~f19053f7e4
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.078 s) : 0, 1077833
Total [baseline] (8.542 s) : 0, 8541582
Agent [candidate] (1.081 s) : 0, 1081385
Total [candidate] (8.561 s) : 0, 8560666
section iast
Agent [baseline] (1.204 s) : 0, 1203558
Total [baseline] (9.041 s) : 0, 9041157
Agent [candidate] (1.204 s) : 0, 1203902
Total [candidate] (9.061 s) : 0, 9061425
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.211 s) : 0, 1211263
Total [baseline] (9.052 s) : 0, 9051800
Agent [candidate] (1.222 s) : 0, 1221896
Total [candidate] (9.065 s) : 0, 9065266
section iast_TELEMETRY_OFF
Agent [baseline] (1.195 s) : 0, 1195012
Total [baseline] (9.054 s) : 0, 9054115
Agent [candidate] (1.206 s) : 0, 1206432
Total [candidate] (9.068 s) : 0, 9068242
gantt
title insecure-bank - break down per module: candidate=1.32.0-SNAPSHOT~e78a54c6f0, baseline=1.32.0-SNAPSHOT~f19053f7e4
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (695.697 ms) : 0, 695697
BytebuddyAgent [candidate] (696.908 ms) : 0, 696908
GlobalTracer [baseline] (290.785 ms) : 0, 290785
GlobalTracer [candidate] (292.619 ms) : 0, 292619
AppSec [baseline] (48.628 ms) : 0, 48628
AppSec [candidate] (48.999 ms) : 0, 48999
Remote Config [baseline] (742.353 µs) : 0, 742
Remote Config [candidate] (743.327 µs) : 0, 743
Telemetry [baseline] (7.691 ms) : 0, 7691
Telemetry [candidate] (7.816 ms) : 0, 7816
section iast
BytebuddyAgent [baseline] (799.638 ms) : 0, 799638
BytebuddyAgent [candidate] (799.682 ms) : 0, 799682
GlobalTracer [baseline] (288.444 ms) : 0, 288444
GlobalTracer [candidate] (288.875 ms) : 0, 288875
AppSec [baseline] (50.845 ms) : 0, 50845
AppSec [candidate] (51.5 ms) : 0, 51500
Remote Config [baseline] (627.8 µs) : 0, 628
Remote Config [candidate] (617.032 µs) : 0, 617
Telemetry [baseline] (6.652 ms) : 0, 6652
Telemetry [candidate] (7.439 ms) : 0, 7439
IAST [baseline] (22.936 ms) : 0, 22936
IAST [candidate] (21.457 ms) : 0, 21457
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (804.956 ms) : 0, 804956
BytebuddyAgent [candidate] (811.68 ms) : 0, 811680
GlobalTracer [baseline] (289.974 ms) : 0, 289974
GlobalTracer [candidate] (292.793 ms) : 0, 292793
AppSec [baseline] (51.325 ms) : 0, 51325
AppSec [candidate] (49.365 ms) : 0, 49365
Remote Config [baseline] (618.96 µs) : 0, 619
Remote Config [candidate] (609.327 µs) : 0, 609
Telemetry [baseline] (6.657 ms) : 0, 6657
Telemetry [candidate] (7.437 ms) : 0, 7437
IAST [baseline] (23.0 ms) : 0, 23000
IAST [candidate] (25.082 ms) : 0, 25082
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (791.432 ms) : 0, 791432
BytebuddyAgent [candidate] (799.124 ms) : 0, 799124
GlobalTracer [baseline] (288.163 ms) : 0, 288163
GlobalTracer [candidate] (291.082 ms) : 0, 291082
AppSec [baseline] (46.863 ms) : 0, 46863
AppSec [candidate] (50.325 ms) : 0, 50325
Remote Config [baseline] (583.606 µs) : 0, 584
Remote Config [candidate] (592.003 µs) : 0, 592
Telemetry [baseline] (6.545 ms) : 0, 6545
Telemetry [candidate] (6.597 ms) : 0, 6597
IAST [baseline] (27.074 ms) : 0, 27074
IAST [candidate] (24.269 ms) : 0, 24269
Load
Request duration reports for petclinic
gantt
title petclinic - request duration [CI 0.99] : candidate=1.32.0-SNAPSHOT~e78a54c6f0, baseline=1.32.0-SNAPSHOT~f19053f7e4
dateFormat X
axisFormat %s
section baseline
no_agent (1.341 ms) : 1321, 1360
. : milestone, 1341,
appsec (1.745 ms) : 1722, 1769
. : milestone, 1745,
iast (1.506 ms) : 1482, 1529
. : milestone, 1506,
profiling (1.542 ms) : 1517, 1567
. : milestone, 1542,
tracing (1.51 ms) : 1487, 1534
. : milestone, 1510,
section candidate
no_agent (1.339 ms) : 1320, 1358
. : milestone, 1339,
appsec (1.773 ms) : 1749, 1797
. : milestone, 1773,
iast (1.508 ms) : 1485, 1531
. : milestone, 1508,
profiling (1.52 ms) : 1496, 1545
. : milestone, 1520,
tracing (1.5 ms) : 1477, 1523
. : milestone, 1500,
Request duration reports for insecure-bank
gantt
title insecure-bank - request duration [CI 0.99] : candidate=1.32.0-SNAPSHOT~e78a54c6f0, baseline=1.32.0-SNAPSHOT~f19053f7e4
dateFormat X
axisFormat %s
section baseline
no_agent (360.443 µs) : 341, 380
. : milestone, 360,
iast (466.048 µs) : 444, 489
. : milestone, 466,
iast_FULL (532.332 µs) : 512, 553
. : milestone, 532,
iast_GLOBAL (495.279 µs) : 474, 516
. : milestone, 495,
iast_HARDCODED_SECRET_DISABLED (475.281 µs) : 455, 496
. : milestone, 475,
iast_INACTIVE (445.859 µs) : 425, 467
. : milestone, 446,
iast_TELEMETRY_OFF (465.754 µs) : 445, 486
. : milestone, 466,
tracing (441.79 µs) : 421, 462
. : milestone, 442,
section candidate
no_agent (358.395 µs) : 339, 378
. : milestone, 358,
iast (466.155 µs) : 446, 486
. : milestone, 466,
iast_FULL (535.33 µs) : 515, 556
. : milestone, 535,
iast_GLOBAL (497.038 µs) : 476, 518
. : milestone, 497,
iast_HARDCODED_SECRET_DISABLED (473.726 µs) : 453, 494
. : milestone, 474,
iast_INACTIVE (448.357 µs) : 428, 469
. : milestone, 448,
iast_TELEMETRY_OFF (463.767 µs) : 443, 484
. : milestone, 464,
tracing (445.633 µs) : 425, 466
. : milestone, 446,
manuel-alvarez-alvarez force-pushed the malvarez/iast-recover-sources-sampling branch 2 times, most recently from 7180447 to ee9940d on March 13, 2024 19:40
manuel-alvarez-alvarez requested review from smola, jandro996, dougqh and am312 on March 13, 2024 19:40
dougqh approved these changes on Mar 13, 2024
smola changed the title from "Add request sampling back in http sources" to "Add request sampling back in http sources in global context mode" on Mar 14, 2024
smola approved these changes on Mar 14, 2024
manuel-alvarez-alvarez changed the title from "Add request sampling back in http sources in global context mode" to "Add request sampling back in http sources" on Mar 14, 2024
manuel-alvarez-alvarez force-pushed the malvarez/iast-recover-sources-sampling branch 5 times, most recently from daca71a to ba61dd0 on March 14, 2024 10:37
manuel-alvarez-alvarez force-pushed the malvarez/iast-recover-sources-sampling branch from ba61dd0 to bf8602f on March 14, 2024 10:57
manuel-alvarez-alvarez deleted the malvarez/iast-recover-sources-sampling branch on March 14, 2024 12:35
Labels: comp: asm iast (Application Security Management (IAST)), run-tests: all (Run all tests), tag: performance (Performance related changes)
What Does This Do
Adds sampling back to HTTP sources so that no tainting happens when no active IAST context is present. This is done by checking for the presence of an IastRequestContext in the current span at the callsite/advice level. It brings two benefits:
- REQUEST mode: the tainting operation happens sooner, so less code is run when a request is sampled.
- GLOBAL mode: sources are now sampled too, bringing less load to services.
Motivation
When using DD_IAST_CONTEXT_MODE=GLOBAL, tainting all incoming HTTP data is starting to hurt in terms of performance; this PR reduces the amount of work done by IAST, resulting in less CPU consumption.