Remove deduplication for session rewriting vulnerability report (#6895)

jandro996 · web-flow · commit 4c97fc1a28e2 · 2024-04-16T08:21:05.000+02:00
##What Does This Do
Add a new method Reporter#noDepupReport to allow report vulnerabilities without deduplication
Remove deduplication for session rewriting vulnerability report

##Motivation
If several apps are deployed in the same server only the first one session rewriting vulnerability find will be reported
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/Reporter.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/Reporter.java
@@ -152,6 +152,9 @@ public HashBasedDeduplication(@Nullable final AgentTaskScheduler taskScheduler)
 
     @Override
     public boolean test(final Vulnerability vulnerability) {
+      if (!vulnerability.getType().isDeduplicable()) {
+        return false;
+      }
       final boolean newVulnerability = hashes.add(vulnerability.getHash());
       if (newVulnerability && hashes.size() > maxSize) {
         hashes.clear();
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java
@@ -87,7 +87,7 @@ public interface VulnerabilityType {
           VulnerabilityTypes.REFLECTION_INJECTION, VulnerabilityMarks.REFLECTION_INJECTION_MARK);
 
   VulnerabilityType SESSION_REWRITING =
-      new ServiceVulnerabilityType(VulnerabilityTypes.SESSION_REWRITING);
+      new ServiceVulnerabilityType(VulnerabilityTypes.SESSION_REWRITING, false);
 
   String name();
 
@@ -98,6 +98,9 @@ public interface VulnerabilityType {
 
   long calculateHash(@Nonnull final Vulnerability vulnerability);
 
+  /** A flag to indicate if the vulnerability is deduplicable. */
+  boolean isDeduplicable();
+
   class VulnerabilityTypeImpl implements VulnerabilityType {
 
     private final byte type;
@@ -106,14 +109,26 @@ class VulnerabilityTypeImpl implements VulnerabilityType {
 
     private final int mark;
 
+    private final boolean deduplicable;
+
     public VulnerabilityTypeImpl(final byte type, final int... marks) {
       this(type, ' ', marks);
     }
 
+    public VulnerabilityTypeImpl(final byte type, boolean deduplicable, final int... marks) {
+      this(type, ' ', deduplicable, marks);
+    }
+
     public VulnerabilityTypeImpl(final byte type, final char separator, final int... marks) {
+      this(type, separator, true, marks);
+    }
+
+    public VulnerabilityTypeImpl(
+        final byte type, final char separator, final boolean deduplicable, final int... marks) {
       this.type = type;
       this.separator = separator;
       mark = computeMarks(marks);
+      this.deduplicable = deduplicable;
     }
 
     @Override
@@ -148,6 +163,11 @@ public long calculateHash(@Nonnull final Vulnerability vulnerability) {
       return crc.getValue();
     }
 
+    @Override
+    public boolean isDeduplicable() {
+      return deduplicable;
+    }
+
     protected void update(final CRC32 crc, final String value) {
       final byte[] bytes = value.getBytes(StandardCharsets.UTF_8);
       crc.update(bytes, 0, bytes.length);
@@ -197,8 +217,8 @@ public long calculateHash(@Nonnull final Vulnerability vulnerability) {
   }
 
   class ServiceVulnerabilityType extends VulnerabilityTypeImpl {
-    public ServiceVulnerabilityType(byte type, int... marks) {
-      super(type, marks);
+    public ServiceVulnerabilityType(byte type, boolean deduplicable, int... marks) {
+      super(type, deduplicable, marks);
     }
 
     @Override
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java
@@ -112,6 +112,7 @@ public void checkSessionTrackingModes(@Nonnull Set<String> sessionTrackingModes)
     }
     final AgentSpan span = AgentTracer.activeSpan();
     // overhead is not checked here as it's called once per application context
+    // No deduplication is needed as same service can have multiple applications
     reporter.report(
         span,
         new Vulnerability(
diff --git a/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/ReporterTest.groovy b/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/ReporterTest.groovy
@@ -449,6 +449,30 @@ class ReporterTest extends DDSpecification {
     0 * _
   }
 
+  void 'Reporter when vulnerability is no deduplicable does not prevent duplicates'() {
+    given:
+    final Reporter reporter = new Reporter()
+    final batch = new VulnerabilityBatch()
+    final span = spanWithBatch(batch)
+    final vulnerability = new Vulnerability(
+      VulnerabilityType.SESSION_REWRITING,
+      Location.forSpan(span),
+      new Evidence("SESSION_REWRITING")
+      )
+
+    when: 'first time a vulnerability is reported'
+    reporter.report(span, vulnerability)
+
+    then:
+    batch.vulnerabilities.size() == 1
+
+    when: 'second time the a vulnerability is reported'
+    reporter.report(span, vulnerability)
+
+    then:
+    batch.vulnerabilities.size() == 2
+  }
+
   private AgentSpan spanWithBatch(final VulnerabilityBatch batch) {
     final traceSegment = Mock(TraceSegment) {
       getDataTop('iast') >> batch
diff --git a/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/ApplicationModuleTest.groovy b/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/ApplicationModuleTest.groovy
@@ -84,6 +84,7 @@ class ApplicationModuleTest extends IastModuleImplTestBase {
     } else {
       0 * reporter.report(_, _)
     }
+    0 * reporter.report(_, _)
 
     where:
     sessionTrackingModes        | expected

Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,7 @@ public void checkSessionTrackingModes(@Nonnull Set<String> sessionTrackingModes)`
`112`	`112`	`}`
`113`	`113`	`final AgentSpan span = AgentTracer.activeSpan();`
`114`	`114`	`// overhead is not checked here as it's called once per application context`
	`115`	`+ // No deduplication is needed as same service can have multiple applications`
`115`	`116`	`reporter.report(`
`116`	`117`	`span,`
`117`	`118`	`new Vulnerability(`
Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,7 @@ class ApplicationModuleTest extends IastModuleImplTestBase {`
`84`	`84`	`} else {`
`85`	`85`	`0 * reporter.report(_, _)`
`86`	`86`	`}`
	`87`	`+ 0 * reporter.report(_, _)`
`87`	`88`
`88`	`89`	`where:`
`89`	`90`	`sessionTrackingModes \| expected`