Ensure no IAST advices are added unless appsec is fully enabled #6813
Merged
manuel-alvarez-alvarez merged 1 commit into master from malvarez/iast-remove-inst-appsec-inactive, Mar 21, 2024
Conversation
manuel-alvarez-alvarez added the comp: asm iast (Application Security Management (IAST)) label, Mar 14, 2024
smola changed the title from "Ensure no advices are added unless appsec is fully enabled" to "Ensure no IAST advices are added unless appsec is fully enabled", Mar 14, 2024
Benchmarks
Startup parameters: see matching parameters.
Summary: Found 0 performance improvements and 1 performance regressions! Performance is the same for 46 metrics, 16 unstable metrics.
[Chart: insecure-bank startup time, global startup overhead and break down per module; candidate=1.32.0-SNAPSHOT~0924f0f242, baseline=1.32.0-SNAPSHOT~97283c4020; sections tracing, iast, iast_HARDCODED_SECRET_DISABLED, iast_TELEMETRY_OFF; modules BytebuddyAgent, GlobalTracer, AppSec, IAST, Remote Config, Telemetry]
[Chart: petclinic startup time, global startup overhead and break down per module; same candidate and baseline; sections tracing, appsec, iast, profiling; modules as above plus ProfilingAgent and Profiling]
[Chart: insecure-bank request duration (CI 0.99); same candidate and baseline; variants no_agent, iast, iast_FULL, iast_GLOBAL, iast_HARDCODED_SECRET_DISABLED, iast_INACTIVE, iast_TELEMETRY_OFF, tracing]
[Chart: petclinic request duration (CI 0.99); same candidate and baseline; variants no_agent, appsec, iast, profiling, tracing]
smola approved these changes, Mar 14, 2024
manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-inst-appsec-inactive branch from 02bd708 to ec14c24, March 14, 2024 17:16
manuel-alvarez-alvarez requested review from ValentinZakharov, jandro996, ygree, am312 and smola, March 14, 2024 17:16
smola approved these changes, Mar 18, 2024
manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-inst-appsec-inactive branch from 5736332 to a9bf7f4, March 19, 2024 08:16
jandro996 approved these changes, Mar 20, 2024
manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-inst-appsec-inactive branch from a9bf7f4 to 0924f0f, March 20, 2024 08:50
manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-inst-appsec-inactive branch from 0924f0f to 1eb9bab, March 21, 2024 09:00
manuel-alvarez-alvarez deleted the malvarez/iast-remove-inst-appsec-inactive branch, March 21, 2024 11:47
What Does This Do
Stops IAST from triggering inactive opt-out advices when appsec starts in inactive mode; only when appsec is fully enabled will IAST opt-out advices be triggered (also fully enabled).
Motivation
Since there is no benefit from starting IAST opt-out advices in inactive mode besides testing stability (in fact, the advices are no-ops, so no vulnerabilities will be discovered), it's better simply to skip them.