From 5541bf69566beeadf520fcce75770fe69b404779 Mon Sep 17 00:00:00 2001
From: Valentin Zakharov
Date: Thu, 24 Aug 2023 17:37:37 +0200
Subject: [PATCH] Improved vulnerability reporting data
---
 .../iast/sink/StacktraceLeakModuleImpl.java | 23 +++++++++++++++----
 .../tomcat7/ErrorReportValueAdvice.java | 3 ++-
 .../ErrorReportValueInstrumentation.java | 4 +---
 .../api/iast/sink/StacktraceLeakModule.java | 3 ++-
 4 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/StacktraceLeakModuleImpl.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/StacktraceLeakModuleImpl.java
index 0dc85297bf5..e8128516d52 100644
--- a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/StacktraceLeakModuleImpl.java
+++ b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/StacktraceLeakModuleImpl.java
@@ -1,22 +1,35 @@
 package com.datadog.iast.sink;
 import com.datadog.iast.model.Evidence;
+import com.datadog.iast.model.Location;
 import com.datadog.iast.model.Vulnerability;
 import com.datadog.iast.model.VulnerabilityType;
-import datadog.trace.api.Config;
 import datadog.trace.api.iast.sink.StacktraceLeakModule;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 public class StacktraceLeakModuleImpl extends SinkModuleBase implements StacktraceLeakModule {
 @Override
- public void onStacktraceLeak(Throwable throwable) {
+ public void onStacktraceLeak(
+ Throwable throwable, String moduleName, String className, String methodName) {
 if (throwable != null) {
 final AgentSpan span = AgentTracer.activeSpan();
- String serviceName = Config.get().getServiceName();
+
+ long spanId = -1;
+ if (span != null) {
+ spanId = span.getSpanId();
+ }
+
+ Evidence evidence =
+ new Evidence(
+ "ExceptionHandler in "
+ + moduleName
+ + " \r\nthrown "
+ + throwable.getClass().getName());
+ Location location = Location.forSpanAndClassAndMethod(spanId, className, methodName);
+
 reporter.report(
- span,
- new Vulnerability(VulnerabilityType.STACKTRACE_LEAK, null, new Evidence(serviceName)));
+ span, new Vulnerability(VulnerabilityType.STACKTRACE_LEAK, location, evidence));
 }
 }
 }
diff --git a/dd-java-agent/instrumentation/tomcat-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueAdvice.java b/dd-java-agent/instrumentation/tomcat-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueAdvice.java
index c0fec063fa6..a73be816fc1 100644
--- a/dd-java-agent/instrumentation/tomcat-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueAdvice.java
+++ b/dd-java-agent/instrumentation/tomcat-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueAdvice.java
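Review bot: When no span is active, `long spanId = -1;` feeds a sentinel into `Location.forSpanAndClassAndMethod(spanId, className, methodName)` while `reporter.report(span, …)` is still handed a null span, and whether that sentinel is understood downstream cannot be seen from this hunk; if -1 is the agreed "no span" convention, say so with `// -1: no active span — Location/reporter must treat it as unknown`, otherwise skip the report when span is null. The evidence deliberately carries only `throwable.getClass().getName()`, which is the right call because exception messages rendered on error pages often echo request data or internal paths, so a guard comment such as `// class name only: never add getMessage(), it may carry user input or secrets` would keep a later change from widening it. The literal `" \r\nthrown "` is a wire value for the backend rather than console output, so a bare `"\n"` is the more conventional separator unless the backend requires CRLF, and none of moduleName/className/methodName are null-checked, so a null moduleName would render as the text "null" in the evidence.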
@@ -35,7 +35,8 @@ public static boolean onEnter(
 final StacktraceLeakModule module = InstrumentationBridge.STACKTRACE_LEAK_MODULE;
 if (module != null) {
 try {
- module.onStacktraceLeak(throwable);
+ module.onStacktraceLeak(
+ throwable, "Tomcat 7+", "org.apache.catalina.valves.ErrorReportValve", "report");
 } catch (final Throwable e) {
 module.onUnexpectedException("onResponseException threw", e);
 }
diff --git a/dd-java-agent/instrumentation/tomcat-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueInstrumentation.java b/dd-java-agent/instrumentation/tomcat-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueInstrumentation.java
index 02a9098ecfc..65fac3a16f1 100644
--- a/dd-java-agent/instrumentation/tomcat-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueInstrumentation.java
+++ b/dd-java-agent/instrumentation/tomcat-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueInstrumentation.java
@@ -23,9 +23,7 @@ public String instrumentedType() {
 @Override
 public String[] helperClassNames() {
- return new String[] {
- "datadog.trace.bootstrap.blocking.BlockingActionHelper"
- };
+ return new String[] {"datadog.trace.bootstrap.blocking.BlockingActionHelper"};
 }
 @Override
diff --git a/internal-api/src/main/java/datadog/trace/api/iast/sink/StacktraceLeakModule.java b/internal-api/src/main/java/datadog/trace/api/iast/sink/StacktraceLeakModule.java
index 05f11f75164..2a6a668303c 100644
--- a/internal-api/src/main/java/datadog/trace/api/iast/sink/StacktraceLeakModule.java
+++ b/internal-api/src/main/java/datadog/trace/api/iast/sink/StacktraceLeakModule.java
@@ -4,5 +4,6 @@
 import javax.annotation.Nullable;
 public interface StacktraceLeakModule extends IastModule {
- void onStacktraceLeak(@Nullable final Throwable expression);
+ void onStacktraceLeak(
+ @Nullable final Throwable expression, String moduleName, String className, String methodName);
 }
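Review bot: The call site hard-codes `"org.apache.catalina.valves.ErrorReportValve"` and `"report"` as the reported location, duplicating the type and method the instrumentation already matches, so if the matcher is ever changed the IAST location silently drifts from the code actually hooked. Hoist both into `private static final String` constants next to the advice, or reuse the value behind `ErrorReportValueInstrumentation.instrumentedType()` if that is where the matcher lives, so the matcher and the report share one definition. The wrapping catch still labels the failure `"onResponseException threw"` although the call it guards is now `onStacktraceLeak`, which will mislead anyone reading agent logs; `module.onUnexpectedException("onStacktraceLeak threw", e);` matches the call. onEnter begins before this hunk.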
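Review bot: The three new parameters on `onStacktraceLeak` carry no nullability annotation and no Javadoc, while the existing `@Nullable final Throwable expression` does; since the implementation concatenates moduleName straight into the reported evidence and passes className/methodName into the vulnerability location, they should be declared non-null and described in a Javadoc stating that moduleName is a human-readable framework label and className/methodName identify the error handler that rendered the stack trace. This also replaces the one-argument signature rather than adding an overload, so any instrumentation still compiled against the old shape would presumably fail at call time; only the Tomcat advice is updated in this patch, and whether other callers exist cannot be seen from here. The parameter name `expression` for a Throwable is pre-existing but misleading; `throwable` would match the implementation.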