Improved vulnerability reporting data

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/StacktraceLeakModuleImpl.java

@@ -1,22 +1,30 @@
 package com.datadog.iast.sink;
 
 import com.datadog.iast.model.Evidence;
+import com.datadog.iast.model.Location;
 import com.datadog.iast.model.Vulnerability;
 import com.datadog.iast.model.VulnerabilityType;
-import datadog.trace.api.Config;
 import datadog.trace.api.iast.sink.StacktraceLeakModule;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 
 public class StacktraceLeakModuleImpl extends SinkModuleBase implements StacktraceLeakModule {
   @Override
-  public void onStacktraceLeak(Throwable throwable) {
+  public void onStacktraceLeak(
+      Throwable throwable, String moduleName, String className, String methodName) {
     if (throwable != null) {
       final AgentSpan span = AgentTracer.activeSpan();
-      String serviceName = Config.get().getServiceName();
+
+      Evidence evidence =
+          new Evidence(
+              "ExceptionHandler in "
+                  + moduleName
+                  + " \r\nthrown "
+                  + throwable.getClass().getName());
+      Location location = Location.forSpanAndClassAndMethod(span, className, methodName);
+
       reporter.report(
-          span,
-          new Vulnerability(VulnerabilityType.STACKTRACE_LEAK, null, new Evidence(serviceName)));
+          span, new Vulnerability(VulnerabilityType.STACKTRACE_LEAK, location, evidence));
     }
   }
 }

dd-java-agent/instrumentation/tomcat-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueAdvice.java

@@ -19,7 +19,9 @@ public class ErrorReportValueAdvice {
   @Advice.OnMethodEnter(skipOn = Advice.OnNonDefaultValue.class)
   public static boolean onEnter(
       @Advice.Argument(value = 1) Response response,
-      @Advice.Argument(value = 2) Throwable throwable) {
+      @Advice.Argument(value = 2) Throwable throwable,
+      @Advice.Origin("#t") String className,
+      @Advice.Origin("#m") String methodName) {
     int statusCode = response.getStatus();
 
     // Do nothing on a 1xx, 2xx, 3xx and 404 status
@@ -35,7 +37,7 @@ public static boolean onEnter(
       final StacktraceLeakModule module = InstrumentationBridge.STACKTRACE_LEAK_MODULE;
       if (module != null) {
         try {
-          module.onStacktraceLeak(throwable);
+          module.onStacktraceLeak(throwable, "Tomcat 7+", className, methodName);
         } catch (final Throwable e) {
           module.onUnexpectedException("onResponseException threw", e);
         }

dd-java-agent/instrumentation/tomcat-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueInstrumentation.java

@@ -16,6 +16,11 @@ public ErrorReportValueInstrumentation() {
     super("tomcat");
   }
 
+  @Override
+  public String muzzleDirective() {
+    return "from7";
+  }
+
   @Override
   public String instrumentedType() {
     return "org.apache.catalina.valves.ErrorReportValve";

internal-api/src/main/java/datadog/trace/api/iast/sink/StacktraceLeakModule.java

@@ -4,5 +4,6 @@
 import javax.annotation.Nullable;
 
 public interface StacktraceLeakModule extends IastModule {
-  void onStacktraceLeak(@Nullable final Throwable expression);
+  void onStacktraceLeak(
+      @Nullable final Throwable expression, String moduleName, String className, String methodName);
 }