Improved vulnerability reporting data

DataDog · Aug 28, 2023 · 5541bf6 · 5541bf6
1 parent 4ac1276
commit 5541bf6
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 10 deletions.
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/StacktraceLeakModuleImpl.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/StacktraceLeakModuleImpl.java
@@ -1,22 +1,35 @@
 package com.datadog.iast.sink;
 
 import com.datadog.iast.model.Evidence;
+import com.datadog.iast.model.Location;
 import com.datadog.iast.model.Vulnerability;
 import com.datadog.iast.model.VulnerabilityType;
-import datadog.trace.api.Config;
 import datadog.trace.api.iast.sink.StacktraceLeakModule;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 
 public class StacktraceLeakModuleImpl extends SinkModuleBase implements StacktraceLeakModule {
   @Override
-  public void onStacktraceLeak(Throwable throwable) {
+  public void onStacktraceLeak(
+      Throwable throwable, String moduleName, String className, String methodName) {
     if (throwable != null) {
       final AgentSpan span = AgentTracer.activeSpan();
-      String serviceName = Config.get().getServiceName();
+
+      long spanId = -1;
+      if (span != null) {
+        spanId = span.getSpanId();
+      }
+
+      Evidence evidence =
+          new Evidence(
+              "ExceptionHandler in "
+                  + moduleName
+                  + " \r\nthrown "
+                  + throwable.getClass().getName());
+      Location location = Location.forSpanAndClassAndMethod(spanId, className, methodName);
+
       reporter.report(
-          span,
-          new Vulnerability(VulnerabilityType.STACKTRACE_LEAK, null, new Evidence(serviceName)));
+          span, new Vulnerability(VulnerabilityType.STACKTRACE_LEAK, location, evidence));
     }
   }
 }
diff --git a/...-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueAdvice.java b/...-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueAdvice.java
@@ -35,7 +35,8 @@ public static boolean onEnter(
       final StacktraceLeakModule module = InstrumentationBridge.STACKTRACE_LEAK_MODULE;
       if (module != null) {
         try {
-          module.onStacktraceLeak(throwable);
+          module.onStacktraceLeak(
+              throwable, "Tomcat 7+", "org.apache.catalina.valves.ErrorReportValve", "report");
         } catch (final Throwable e) {
           module.onUnexpectedException("onResponseException threw", e);
         }

diff --git a/.../src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueInstrumentation.java b/.../src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueInstrumentation.java
@@ -23,9 +23,7 @@ public String instrumentedType() {
 
   @Override
   public String[] helperClassNames() {
-    return new String[] {
-      "datadog.trace.bootstrap.blocking.BlockingActionHelper"
-    };
+    return new String[] {"datadog.trace.bootstrap.blocking.BlockingActionHelper"};
   }
 
   @Override

diff --git a/internal-api/src/main/java/datadog/trace/api/iast/sink/StacktraceLeakModule.java b/internal-api/src/main/java/datadog/trace/api/iast/sink/StacktraceLeakModule.java
@@ -4,5 +4,6 @@
 import javax.annotation.Nullable;
 
 public interface StacktraceLeakModule extends IastModule {
-  void onStacktraceLeak(@Nullable final Throwable expression);
+  void onStacktraceLeak(
+      @Nullable final Throwable expression, String moduleName, String className, String methodName);
 }