
Remove deduplication for session rewriting vulnerability report #6895

Merged: jandro996 merged 4 commits into master from alejandro.gonzalez/remove_app_vuln_dedup on Apr 16, 2024

Conversation

@jandro996 (Member) commented Apr 8, 2024

What Does This Do

  • Add a new method Reporter#noDedupReport to allow reporting vulnerabilities without deduplication
  • Remove deduplication for session rewriting vulnerability report

Motivation

If several apps are deployed on the same server, only the session rewriting vulnerability found in the first one will be reported.

Additional Notes

Jira ticket: APPSEC-52434
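As an added illustration (not dd-trace-java code) of the problem the motivation describes and of the fix direction discussed in the review: a minimal Reporter whose dedup key ignores the deploying application, so the second app's session rewriting finding is dropped, beside a flag-driven variant in which the vulnerability type decides whether the finding passes through the guard. All class names, the key format and the `deduplicate` flag are assumptions, and the record syntax needs Java 17.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example, not dd-trace-java code: names, the dedup key and the flag are assumptions.
public final class DedupExample {
  // Hypothetical per-type flag, as suggested in the review thread.
  enum VulnType {
    SESSION_REWRITING(false), // app-scoped: must not be collapsed across apps
    WEAK_HASH(true);          // evidence-scoped: safe to deduplicate
    final boolean deduplicate;
    VulnType(boolean deduplicate) { this.deduplicate = deduplicate; }
  }
  // Constructed model: the key deliberately omits the app, the collision the PR works around.
  record Vulnerability(VulnType type, String evidence, String app) {
    String dedupKey() { return type + ":" + evidence; }
  }
  static final class Reporter {
    private final Set<String> seen = new HashSet<>();
    final List<Vulnerability> reported = new ArrayList<>();
    // Pre-PR behaviour: every vulnerability passes the dedup guard first.
    void report(Vulnerability v) {
      if (!seen.add(v.dedupKey())) {
        return; // key already seen, possibly from another app: silently dropped
      }
      noDedupReport(v);
    }
    // Bypasses the guard, mirroring the PR's Reporter#noDedupReport.
    void noDedupReport(Vulnerability v) { reported.add(v); }
    // Review-thread variant: the vulnerability's metadata decides, keeping one entry point.
    void reportByMetadata(Vulnerability v) {
      if (v.type().deduplicate) report(v); else noDedupReport(v);
    }
  }

  public static void main(String[] args) {
    Vulnerability appA = new Vulnerability(VulnType.SESSION_REWRITING, "url-rewriting", "app-a");
    Vulnerability appB = new Vulnerability(VulnType.SESSION_REWRITING, "url-rewriting", "app-b");
    Reporter guardAll = new Reporter();
    guardAll.report(appA);
    guardAll.report(appB); // dropped: app-b shares app-a's key
    Reporter flagDriven = new Reporter();
    flagDriven.reportByMetadata(appA);
    flagDriven.reportByMetadata(appB); // kept: SESSION_REWRITING skips the guard
    System.out.println("guard everywhere: " + guardAll.reported.size() + ", flag-driven: " + flagDriven.reported.size());
  }
}
```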

pr-commenter (Bot) commented Apr 8, 2024

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/remove_app_vuln_dedup |
| git_commit_date | 1712873045 | 1712925586 |
| git_commit_sha | 8a3889a | 299a865 |
| release_version | 1.33.0-SNAPSHOT~8a3889a6aa | 1.33.0-SNAPSHOT~299a865fb0 |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1712928938 | 1712928938 |
| ci_job_id | 485341140 | 485341140 |
| ci_pipeline_id | 32000437 | 32000437 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 50 metrics, 13 unstable metrics.

Startup time reports for insecure-bank
[Chart: insecure-bank - global startup overhead: candidate=1.33.0-SNAPSHOT~299a865fb0, baseline=1.33.0-SNAPSHOT~8a3889a6aa. Sections tracing, iast, iast_HARDCODED_SECRET_DISABLED and iast_TELEMETRY_OFF; the Agent and Total values it plots are the ones in the baseline and candidate tables below.]
baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.074 s | - |
| Agent | iast | 1.194 s | 119.839 ms (11.2%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.199 s | 124.46 ms (11.6%) |
| Agent | iast_TELEMETRY_OFF | 1.202 s | 128.047 ms (11.9%) |
| Total | tracing | 8.551 s | - |
| Total | iast | 9.002 s | 451.392 ms (5.3%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.007 s | 456.605 ms (5.3%) |
| Total | iast_TELEMETRY_OFF | 8.998 s | 447.092 ms (5.2%) |

candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.076 s | - |
| Agent | iast | 1.2 s | 124.362 ms (11.6%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.204 s | 128.853 ms (12.0%) |
| Agent | iast_TELEMETRY_OFF | 1.197 s | 120.883 ms (11.2%) |
| Total | tracing | 8.571 s | - |
| Total | iast | 9.026 s | 455.195 ms (5.3%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.011 s | 440.308 ms (5.1%) |
| Total | iast_TELEMETRY_OFF | 8.989 s | 418.612 ms (4.9%) |
insecure-bank - break down per module: candidate=1.33.0-SNAPSHOT~299a865fb0, baseline=1.33.0-SNAPSHOT~8a3889a6aa

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 673.007 ms | 673.797 ms |
| tracing | GlobalTracer | 309.249 ms | 309.771 ms |
| tracing | AppSec | 49.459 ms | 49.472 ms |
| tracing | Remote Config | 662.848 µs | 655.557 µs |
| tracing | Telemetry | 7.628 ms | 7.601 ms |
| iast | BytebuddyAgent | 792.606 ms | 794.784 ms |
| iast | GlobalTracer | 287.257 ms | 288.65 ms |
| iast | AppSec | 50.151 ms | 49.506 ms |
| iast | IAST | 21.84 ms | 23.82 ms |
| iast | Remote Config | 588.824 µs | 576.638 µs |
| iast | Telemetry | 7.425 ms | 8.187 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 795.267 ms | 798.542 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 288.193 ms | 289.501 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 50.099 ms | 50.994 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 23.527 ms | 22.039 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 585.879 µs | 582.105 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 6.619 ms | 8.158 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 796.815 ms | 792.249 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 289.739 ms | 288.446 ms |
| iast_TELEMETRY_OFF | AppSec | 49.891 ms | 50.483 ms |
| iast_TELEMETRY_OFF | IAST | 24.074 ms | 22.399 ms |
| iast_TELEMETRY_OFF | Remote Config | 594.111 µs | 581.084 µs |
| iast_TELEMETRY_OFF | Telemetry | 6.596 ms | 8.053 ms |
Startup time reports for petclinic
[Chart: petclinic - global startup overhead: candidate=1.33.0-SNAPSHOT~299a865fb0, baseline=1.33.0-SNAPSHOT~8a3889a6aa. Sections tracing, appsec, iast and profiling; the Agent and Total values it plots are the ones in the baseline and candidate tables below.]
baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.078 s | - |
| Agent | appsec | 1.206 s | 128.621 ms (11.9%) |
| Agent | iast | 1.207 s | 129.358 ms (12.0%) |
| Agent | profiling | 1.275 s | 197.453 ms (18.3%) |
| Total | tracing | 10.396 s | - |
| Total | appsec | 10.489 s | 92.797 ms (0.9%) |
| Total | iast | 10.807 s | 410.759 ms (4.0%) |
| Total | profiling | 10.691 s | 295.548 ms (2.8%) |

candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.075 s | - |
| Agent | appsec | 1.207 s | 131.521 ms (12.2%) |
| Agent | iast | 1.21 s | 134.613 ms (12.5%) |
| Agent | profiling | 1.286 s | 210.929 ms (19.6%) |
| Total | tracing | 10.464 s | - |
| Total | appsec | 10.536 s | 71.92 ms (0.7%) |
| Total | iast | 10.873 s | 408.707 ms (3.9%) |
| Total | profiling | 10.636 s | 172.016 ms (1.6%) |
petclinic - break down per module: candidate=1.33.0-SNAPSHOT~299a865fb0, baseline=1.33.0-SNAPSHOT~8a3889a6aa

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 675.299 ms | 673.284 ms |
| tracing | GlobalTracer | 309.946 ms | 309.923 ms |
| tracing | AppSec | 49.513 ms | 49.637 ms |
| tracing | Remote Config | 668.594 µs | 656.064 µs |
| tracing | Telemetry | 7.647 ms | 7.551 ms |
| appsec | BytebuddyAgent | 701.422 ms | 700.399 ms |
| appsec | GlobalTracer | 293.236 ms | 293.78 ms |
| appsec | AppSec | 149.81 ms | 150.778 ms |
| appsec | IAST | 18.984 ms | 19.067 ms |
| appsec | Remote Config | 609.197 µs | 613.049 µs |
| appsec | Telemetry | 7.51 ms | 7.51 ms |
| iast | BytebuddyAgent | 800.679 ms | 802.853 ms |
| iast | GlobalTracer | 289.893 ms | 291.334 ms |
| iast | AppSec | 50.251 ms | 52.683 ms |
| iast | IAST | 23.669 ms | 21.255 ms |
| iast | Remote Config | 565.01 µs | 566.166 µs |
| iast | Telemetry | 7.287 ms | 6.609 ms |
| profiling | BytebuddyAgent | 681.182 ms | 687.08 ms |
| profiling | GlobalTracer | 382.4 ms | 385.667 ms |
| profiling | AppSec | 50.535 ms | 50.808 ms |
| profiling | Remote Config | 743.055 µs | 732.443 µs |
| profiling | Telemetry | 7.511 ms | 7.568 ms |
| profiling | ProfilingAgent | 96.019 ms | 97.145 ms |
| profiling | Profiling | 96.044 ms | 97.169 ms |

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-04-12T13:07:53 | 2024-04-12T13:29:54 |
| git_branch | master | alejandro.gonzalez/remove_app_vuln_dedup |
| git_commit_date | 1712873045 | 1712925586 |
| git_commit_sha | 8a3889a | 299a865 |
| release_version | 1.33.0-SNAPSHOT~8a3889a6aa | 1.33.0-SNAPSHOT~299a865fb0 |
| start_time | 2024-04-12T13:07:40 | 2024-04-12T13:29:41 |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1712928938 | 1712928938 |
| ci_job_id | 485341140 | 485341140 |
| ci_pipeline_id | 32000437 | 32000437 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for insecure-bank
[Chart: insecure-bank - request duration [CI 0.99] : candidate=1.33.0-SNAPSHOT~299a865fb0, baseline=1.33.0-SNAPSHOT~8a3889a6aa. One bar per variant for baseline and candidate; the values and confidence intervals it plots are the ones in the tables below.]
baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 368.281 µs [347.44 µs, 389.122 µs] | - |
| iast | 467.917 µs [446.888 µs, 488.945 µs] | 99.636 µs (27.1%) |
| iast_FULL | 537.715 µs [516.243 µs, 559.186 µs] | 169.434 µs (46.0%) |
| iast_GLOBAL | 489.839 µs [468.891 µs, 510.787 µs] | 121.558 µs (33.0%) |
| iast_HARDCODED_SECRET_DISABLED | 475.873 µs [454.522 µs, 497.223 µs] | 107.592 µs (29.2%) |
| iast_INACTIVE | 444.117 µs [423.369 µs, 464.864 µs] | 75.836 µs (20.6%) |
| iast_TELEMETRY_OFF | 462.977 µs [442.529 µs, 483.426 µs] | 94.696 µs (25.7%) |
| tracing | 440.639 µs [419.766 µs, 461.512 µs] | 72.358 µs (19.6%) |

candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 363.796 µs [344.166 µs, 383.426 µs] | - |
| iast | 470.972 µs [448.942 µs, 493.002 µs] | 107.176 µs (29.5%) |
| iast_FULL | 532.546 µs [511.381 µs, 553.711 µs] | 168.75 µs (46.4%) |
| iast_GLOBAL | 494.461 µs [472.608 µs, 516.314 µs] | 130.665 µs (35.9%) |
| iast_HARDCODED_SECRET_DISABLED | 466.768 µs [446.191 µs, 487.345 µs] | 102.972 µs (28.3%) |
| iast_INACTIVE | 447.248 µs [425.806 µs, 468.689 µs] | 83.452 µs (22.9%) |
| iast_TELEMETRY_OFF | 462.756 µs [442.097 µs, 483.415 µs] | 98.96 µs (27.2%) |
| tracing | 434.27 µs [414.187 µs, 454.352 µs] | 70.474 µs (19.4%) |
Request duration reports for petclinic
[Chart: petclinic - request duration [CI 0.99] : candidate=1.33.0-SNAPSHOT~299a865fb0, baseline=1.33.0-SNAPSHOT~8a3889a6aa. One bar per variant for baseline and candidate; the values and confidence intervals it plots are the ones in the tables below.]
baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.344 ms [1.324 ms, 1.364 ms] | - |
| appsec | 1.732 ms [1.708 ms, 1.757 ms] | 388.546 µs (28.9%) |
| appsec_no_iast | 1.73 ms [1.707 ms, 1.754 ms] | 386.603 µs (28.8%) |
| iast | 1.501 ms [1.479 ms, 1.523 ms] | 156.866 µs (11.7%) |
| profiling | 1.549 ms [1.524 ms, 1.575 ms] | 205.714 µs (15.3%) |
| tracing | 1.489 ms [1.465 ms, 1.513 ms] | 145.326 µs (10.8%) |

candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.342 ms [1.322 ms, 1.361 ms] | - |
| appsec | 1.718 ms [1.694 ms, 1.743 ms] | 376.848 µs (28.1%) |
| appsec_no_iast | 1.726 ms [1.702 ms, 1.75 ms] | 384.726 µs (28.7%) |
| iast | 1.497 ms [1.475 ms, 1.519 ms] | 155.857 µs (11.6%) |
| profiling | 1.513 ms [1.488 ms, 1.539 ms] | 171.657 µs (12.8%) |
| tracing | 1.475 ms [1.451 ms, 1.499 ms] | 133.47 µs (9.9%) |

@jandro996 jandro996 added the comp: asm iast Application Security Management (IAST) label Apr 9, 2024
@jandro996 jandro996 marked this pull request as ready for review April 9, 2024 06:51
@jandro996 jandro996 requested a review from a team as a code owner April 9, 2024 06:51
```java
if (duplicated.test(vulnerability)) {
  return;
}
noDedupReport(span, vulnerability);
```
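Review bot: with the early return on `duplicated.test(vulnerability)` kept in the caller, `noDedupReport(span, vulnerability)` becomes a second entry point that any call site can use to skip deduplication, and nothing in this region limits it to the session rewriting case the PR description names. Either document on `noDedupReport` which vulnerability types may call it, or (as suggested in this thread) let the vulnerability's own metadata decide inside `report` so the guard stays in one place; note also that the underlying collision, one finding per server instead of one per application, would remain for any other app-scoped vulnerability type that is still routed through `report`.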
@manuel-alvarez-alvarez (Member) Apr 12, 2024

Can we move this information to the vulnerability metadata? (e.g. a flag in the vulnerability that specifies if it requires deduplication). This way we remove the extra method and it's easier to check which vulnerabilities require no dedup.

@jandro996 (Member Author)

Thanks for the advice!

@jandro996 jandro996 merged commit 4c97fc1 into master Apr 16, 2024
@jandro996 jandro996 deleted the alejandro.gonzalez/remove_app_vuln_dedup branch April 16, 2024 06:21
@github-actions github-actions Bot added this to the 1.33.0 milestone Apr 16, 2024