Report servlet misconfiguration vulnerabilities with opt-out configuration #6970
Merged: jandro996 merged 1 commit into master from alejandro.gonzalez/fix-opt-out-instrumentations on May 7, 2024
Conversation
Benchmarks (candidate=1.34.0-SNAPSHOT~29756c51cb, baseline=1.34.0-SNAPSHOT~3293d86cd4)
Startup: Found 0 performance improvements and 0 performance regressions! Performance is the same for 48 metrics, 15 unstable metrics.
[Startup time charts for insecure-bank and petclinic: global startup overhead and break down per module, baseline vs candidate]
Load: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics.
[Request duration charts (CI 0.99) for insecure-bank and petclinic, baseline vs candidate]
Dacapo: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
[Execution time charts (CI 0.99) for tomcat and biojava, baseline vs candidate]
manuel-alvarez-alvarez approved these changes on May 7, 2024
What Does This Do
Enable opt-out for instrumentations that call ApplicationModule.
Motivation
We are not reporting servlet misconfiguration vulnerabilities with opt-out configuration.
Additional Notes
Jira ticket: [PROJ-IDENT]
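The PR body above says the instrumentations that call ApplicationModule were not opt-out, and that as a result servlet misconfiguration vulnerabilities were not reported under the opt-out configuration. The Java model below is an added example, not code from dd-trace-java or from this PR; `Activation`, `Instrumentation`, `Agent`, `shouldApply` and the finding labels are illustrative assumptions. It shows the mechanism behind that symptom as read from the PR description: hooks are installed once at agent start-up, an instrumentation that is not flagged opt-out is skipped while the product starts inactive, and activating the product later cannot recover findings from a hook that was never installed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Illustrative model (not dd-trace-java code) of an instrumentation gate with an
 * opt-out flag. All names and finding labels are assumptions made for this example.
 */
public class OptOutGateExample {

    /** Activation of the IAST product at agent start-up (illustrative). */
    enum Activation {
        FULLY_DISABLED,   // explicitly off: install no hooks
        ENABLED_INACTIVE, // opt-out mode: install hooks, stay dormant until activated later
        FULLY_ENABLED     // explicitly on: install all hooks and report immediately
    }

    /** Stand-in for an instrumentation: its name, opt-out flag, and the finding its hook reports. */
    static final class Instrumentation {
        final String name;
        final boolean optOut;  // true: may be installed while the product is ENABLED_INACTIVE
        final String finding;  // illustrative vulnerability label reported once active

        Instrumentation(String name, boolean optOut, String finding) {
            this.name = name;
            this.optOut = optOut;
            this.finding = finding;
        }
    }

    /** The gate: decides at start-up whether a hook is installed at all. */
    static boolean shouldApply(Instrumentation inst, Activation activation) {
        switch (activation) {
            case FULLY_ENABLED:
                return true;
            case ENABLED_INACTIVE:
                return inst.optOut;  // non-opt-out instrumentations are skipped here
            default:
                return false;
        }
    }

    /** Hooks are installed once, at start-up; a later activation cannot add missing ones. */
    static final class Agent {
        private final Map<String, Instrumentation> installed = new LinkedHashMap<>();
        private boolean active;

        Agent(List<Instrumentation> candidates, Activation activation) {
            active = activation == Activation.FULLY_ENABLED;
            for (Instrumentation inst : candidates) {
                if (shouldApply(inst, activation)) {
                    installed.put(inst.name, inst);
                }
            }
        }

        /** Models a later switch to active, for example by remote configuration. */
        void activate() {
            active = true;
        }

        /** Models the application starting: only installed hooks can report anything. */
        List<String> findingsOnAppStart() {
            List<String> out = new ArrayList<>();
            if (!active) {
                return out;
            }
            for (Instrumentation inst : installed.values()) {
                out.add(inst.finding);
            }
            return out;
        }
    }

    public static void main(String[] args) {
        // Before the change: the hook feeding the application-level checks is not opt-out.
        List<Instrumentation> before = Arrays.asList(
            new Instrumentation("request-source", true, "TAINTED_REQUEST_PARAMETER"),
            new Instrumentation("servlet-context", false, "SERVLET_MISCONFIGURATION"));
        // After the change: both hooks are opt-out.
        List<Instrumentation> after = Arrays.asList(
            new Instrumentation("request-source", true, "TAINTED_REQUEST_PARAMETER"),
            new Instrumentation("servlet-context", true, "SERVLET_MISCONFIGURATION"));

        // Product starts inactive (opt-out configuration), then is activated later.
        Agent a = new Agent(before, Activation.ENABLED_INACTIVE);
        Agent b = new Agent(after, Activation.ENABLED_INACTIVE);
        a.activate();
        b.activate();
        System.out.println("before fix, activated later: " + a.findingsOnAppStart());
        System.out.println("after fix, activated later:  " + b.findingsOnAppStart());
    }
}
```

Compile and run with `javac OptOutGateExample.java && java OptOutGateExample`. The point of the model is that the gate runs once, when bytecode hooks are applied, so the only way for a check to be reportable after a later activation is for its instrumentation to be admitted under `ENABLED_INACTIVE`; the benchmark summaries on this page are the evidence the maintainers used that admitting these hooks did not change startup or request cost.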