
Improve coverage for IAST web sources #6083

Merged

Conversation

@manuel-alvarez-alvarez (Member) commented Oct 23, 2023

What Does This Do

Moves away from call sites to bytebuddy advices in servlet related IAST sources.

Motivation

Bytebuddy advice instrumentation offers several advantages over call site instrumentation for IAST sources. One of the main advantages is the increased coverage of the instrumentation in servlet related APIs due to the instrumentation of framework code instead of customer code.

Additional Notes

Jira ticket: APPSEC-8102
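To make the coverage argument in the description concrete, here is an added example (not code from this PR or from dd-trace-java) of a ByteBuddy advice that turns `HttpServletRequest.getParameter` into an IAST taint source. The ByteBuddy calls (`AgentBuilder`, `Advice`, `ElementMatchers`) are the real library API as of ByteBuddy 1.12+; the `TaintRegistry` class, the source-type string `http.request.parameter` and the equality-based taint store are assumptions made for the example.

```java
import static net.bytebuddy.matcher.ElementMatchers.hasSuperType;
import static net.bytebuddy.matcher.ElementMatchers.named;
import static net.bytebuddy.matcher.ElementMatchers.takesArguments;

import java.lang.instrument.Instrumentation;
import java.util.Collections;
import java.util.Map;
import java.util.WeakHashMap;
import net.bytebuddy.agent.builder.AgentBuilder;
import net.bytebuddy.asm.Advice;

/**
 * Added example: a ByteBuddy advice woven into the servlet container's own
 * HttpServletRequest implementation (the framework code), so that every String
 * returned by getParameter(String) is recorded as a tainted source.
 *
 * Because the advice lives in the callee, every caller is covered: application
 * code, third-party libraries and framework internals alike. A call-site
 * instrumentation would instead have to rewrite the invoke instruction in each
 * calling class, and silently misses callers the agent never transforms.
 */
public final class ServletSourceAdviceExample {

  /** Hypothetical taint store. Real trackers key on object identity; this uses equals() for brevity. */
  public static final class TaintRegistry {
    private static final Map<Object, String> TAINTED =
        Collections.synchronizedMap(new WeakHashMap<>());

    public static void taint(Object value, String sourceType, String sourceName) {
      TAINTED.put(value, sourceType + ":" + sourceName);
    }

    /** Returns "sourceType:sourceName" for a tainted value, or null if it is untainted. */
    public static String sourceOf(Object value) {
      return TAINTED.get(value);
    }
  }

  /** Advice body; ByteBuddy inlines it at every exit of the matched method. */
  public static final class GetParameterAdvice {
    @Advice.OnMethodExit(suppress = Throwable.class)
    public static void onExit(@Advice.Argument(0) String name, @Advice.Return String value) {
      // Only non-empty values can carry attacker-controlled data worth tracking.
      if (value != null && !value.isEmpty()) {
        TaintRegistry.taint(value, "http.request.parameter", name);
      }
    }
  }

  /** Installs the advice on every class implementing javax.servlet.http.HttpServletRequest. */
  public static void install(Instrumentation inst) {
    new AgentBuilder.Default()
        .type(hasSuperType(named("javax.servlet.http.HttpServletRequest")))
        .transform(
            (builder, typeDescription, classLoader, module, protectionDomain) ->
                builder.visit(
                    Advice.to(GetParameterAdvice.class)
                        .on(named("getParameter").and(takesArguments(String.class)))))
        .installOn(inst);
  }

  /** Typical agent entry point: java -javaagent:example.jar -jar app.jar */
  public static void premain(String args, Instrumentation inst) {
    install(inst);
  }
}
```

Two practical notes on this shape of instrumentation: the advice body is copied into the container's class, so anything it references (`TaintRegistry` here) must be visible from that class loader, which is why agents usually push such helpers onto the bootstrap class path; and matching on `hasSuperType(...)` rather than on the interface itself is what makes wrappers and subclasses (for instance `HttpServletRequestWrapper` subclasses that override `getParameter`) get the advice too.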

@manuel-alvarez-alvarez added the labels `tag: no release notes` (Changes to exclude from release notes), `type: refactoring`, `comp: asm iast` (Application Security Management (IAST)) and `run-tests: all` (Run all tests) Oct 23, 2023
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the base branch from master to malvarez/iast-taint-api-refactor October 23, 2023 11:54
@pr-commenter (bot) commented Oct 23, 2023

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| commit | 1.23.0-SNAPSHOT~205e504500 | 1.23.0-SNAPSHOT~7c4ced6cdd |
| config | baseline | candidate |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 2 performance improvements and 0 performance regressions! Performance is the same for 52 cases.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:insecure-bank:iast:Remote Config | better: [-75.019µs; -17.986µs] or [-12.543%; -3.007%] | 551.574µs | 598.077µs |
| scenario:insecure-bank:iast_TELEMETRY_OFF:Telemetry | better: [-6.256ms; -1.587ms] or [-65.746%; -16.677%] | 5.594ms | 9.516ms |
Startup time reports for petclinic
```mermaid
gantt
    title petclinic - global startup overhead: candidate=1.23.0-SNAPSHOT~7c4ced6cdd, baseline=1.23.0-SNAPSHOT~205e504500

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.026 s) : 0, 1026371
Total [baseline] (9.305 s) : 0, 9305360
Agent [candidate] (1.038 s) : 0, 1037644
Total [candidate] (9.393 s) : 0, 9393028
section appsec
Agent [baseline] (1.114 s) : 0, 1113699
Total [baseline] (9.41 s) : 0, 9409972
Agent [candidate] (1.123 s) : 0, 1123259
Total [candidate] (9.41 s) : 0, 9410494
section iast
Agent [baseline] (1.152 s) : 0, 1152196
Total [baseline] (9.52 s) : 0, 9519982
Agent [candidate] (1.153 s) : 0, 1153240
Total [candidate] (9.492 s) : 0, 9492356
section profiling
Agent [baseline] (1.203 s) : 0, 1202571
Total [baseline] (9.558 s) : 0, 9557631
Agent [candidate] (1.213 s) : 0, 1213216
Total [candidate] (9.668 s) : 0, 9668088
```
  • baseline results
| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.026 s | - |
| Agent | appsec | 1.114 s | 87.328 ms (8.5%) |
| Agent | iast | 1.152 s | 125.825 ms (12.3%) |
| Agent | profiling | 1.203 s | 176.201 ms (17.2%) |
| Total | tracing | 9.305 s | - |
| Total | appsec | 9.41 s | 104.612 ms (1.1%) |
| Total | iast | 9.52 s | 214.622 ms (2.3%) |
| Total | profiling | 9.558 s | 252.272 ms (2.7%) |
  • candidate results
| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.038 s | - |
| Agent | appsec | 1.123 s | 85.615 ms (8.3%) |
| Agent | iast | 1.153 s | 115.596 ms (11.1%) |
| Agent | profiling | 1.213 s | 175.572 ms (16.9%) |
| Total | tracing | 9.393 s | - |
| Total | appsec | 9.41 s | 17.466 ms (0.2%) |
| Total | iast | 9.492 s | 99.329 ms (1.1%) |
| Total | profiling | 9.668 s | 275.06 ms (2.9%) |
```mermaid
gantt
    title petclinic - break down per module: candidate=1.23.0-SNAPSHOT~7c4ced6cdd, baseline=1.23.0-SNAPSHOT~205e504500

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (641.693 ms) : 0, 641693
BytebuddyAgent [candidate] (649.008 ms) : 0, 649008
GlobalTracer [baseline] (294.484 ms) : 0, 294484
GlobalTracer [candidate] (297.712 ms) : 0, 297712
AppSec [baseline] (49.044 ms) : 0, 49044
AppSec [candidate] (49.281 ms) : 0, 49281
Remote Config [baseline] (683.777 µs) : 0, 684
Remote Config [candidate] (699.691 µs) : 0, 700
Telemetry [baseline] (6.094 ms) : 0, 6094
Telemetry [candidate] (6.159 ms) : 0, 6159
section appsec
BytebuddyAgent [baseline] (641.518 ms) : 0, 641518
BytebuddyAgent [candidate] (647.387 ms) : 0, 647387
GlobalTracer [baseline] (292.703 ms) : 0, 292703
GlobalTracer [candidate] (296.445 ms) : 0, 296445
AppSec [baseline] (138.719 ms) : 0, 138719
AppSec [candidate] (138.464 ms) : 0, 138464
Remote Config [baseline] (639.199 µs) : 0, 639
Remote Config [candidate] (646.619 µs) : 0, 647
Telemetry [baseline] (5.7 ms) : 0, 5700
Telemetry [candidate] (5.733 ms) : 0, 5733
section iast
BytebuddyAgent [baseline] (771.528 ms) : 0, 771528
BytebuddyAgent [candidate] (767.975 ms) : 0, 767975
GlobalTracer [baseline] (274.119 ms) : 0, 274119
GlobalTracer [candidate] (276.609 ms) : 0, 276609
AppSec [baseline] (47.111 ms) : 0, 47111
AppSec [candidate] (47.432 ms) : 0, 47432
IAST [baseline] (16.895 ms) : 0, 16895
IAST [candidate] (17.837 ms) : 0, 17837
Remote Config [baseline] (586.855 µs) : 0, 587
Remote Config [candidate] (558.31 µs) : 0, 558
Telemetry [baseline] (7.545 ms) : 0, 7545
Telemetry [candidate] (8.142 ms) : 0, 8142
section profiling
BytebuddyAgent [baseline] (653.467 ms) : 0, 653467
BytebuddyAgent [candidate] (660.099 ms) : 0, 660099
GlobalTracer [baseline] (359.444 ms) : 0, 359444
GlobalTracer [candidate] (362.401 ms) : 0, 362401
AppSec [baseline] (49.457 ms) : 0, 49457
AppSec [candidate] (49.724 ms) : 0, 49724
Remote Config [baseline] (648.843 µs) : 0, 649
Remote Config [candidate] (666.794 µs) : 0, 667
Telemetry [baseline] (6.036 ms) : 0, 6036
Telemetry [candidate] (6.054 ms) : 0, 6054
ProfilingAgent [baseline] (80.143 ms) : 0, 80143
ProfilingAgent [candidate] (80.581 ms) : 0, 80581
Profiling [baseline] (80.167 ms) : 0, 80167
Profiling [candidate] (80.606 ms) : 0, 80606
```
Startup time reports for insecure-bank
```mermaid
gantt
    title insecure-bank - global startup overhead: candidate=1.23.0-SNAPSHOT~7c4ced6cdd, baseline=1.23.0-SNAPSHOT~205e504500

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.03 s) : 0, 1030384
Total [baseline] (8.785 s) : 0, 8785308
Agent [candidate] (1.027 s) : 0, 1027242
Total [candidate] (8.777 s) : 0, 8777128
section iast
Agent [baseline] (1.153 s) : 0, 1153374
Total [baseline] (9.295 s) : 0, 9295481
Agent [candidate] (1.141 s) : 0, 1141319
Total [candidate] (9.318 s) : 0, 9318009
section iast_TELEMETRY_OFF
Agent [baseline] (1.157 s) : 0, 1156661
Total [baseline] (9.324 s) : 0, 9324448
Agent [candidate] (1.151 s) : 0, 1150747
Total [candidate] (9.354 s) : 0, 9354077
```
  • baseline results
| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.03 s | - |
| Agent | iast | 1.153 s | 122.989 ms (11.9%) |
| Agent | iast_TELEMETRY_OFF | 1.157 s | 126.277 ms (12.3%) |
| Total | tracing | 8.785 s | - |
| Total | iast | 9.295 s | 510.174 ms (5.8%) |
| Total | iast_TELEMETRY_OFF | 9.324 s | 539.141 ms (6.1%) |
  • candidate results
| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.027 s | - |
| Agent | iast | 1.141 s | 114.077 ms (11.1%) |
| Agent | iast_TELEMETRY_OFF | 1.151 s | 123.505 ms (12.0%) |
| Total | tracing | 8.777 s | - |
| Total | iast | 9.318 s | 540.882 ms (6.2%) |
| Total | iast_TELEMETRY_OFF | 9.354 s | 576.949 ms (6.6%) |
```mermaid
gantt
    title insecure-bank - break down per module: candidate=1.23.0-SNAPSHOT~7c4ced6cdd, baseline=1.23.0-SNAPSHOT~205e504500

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (643.157 ms) : 0, 643157
BytebuddyAgent [candidate] (642.219 ms) : 0, 642219
GlobalTracer [baseline] (296.419 ms) : 0, 296419
GlobalTracer [candidate] (294.836 ms) : 0, 294836
AppSec [baseline] (49.405 ms) : 0, 49405
AppSec [candidate] (49.127 ms) : 0, 49127
Remote Config [baseline] (702.28 µs) : 0, 702
Remote Config [candidate] (691.051 µs) : 0, 691
Telemetry [baseline] (6.191 ms) : 0, 6191
Telemetry [candidate] (6.118 ms) : 0, 6118
section iast
BytebuddyAgent [baseline] (773.246 ms) : 0, 773246
BytebuddyAgent [candidate] (761.351 ms) : 0, 761351
GlobalTracer [baseline] (274.004 ms) : 0, 274004
GlobalTracer [candidate] (274.787 ms) : 0, 274787
AppSec [baseline] (46.217 ms) : 0, 46217
AppSec [candidate] (46.49 ms) : 0, 46490
IAST [baseline] (15.064 ms) : 0, 15064
IAST [candidate] (16.944 ms) : 0, 16944
Remote Config [baseline] (598.076 µs) : 0, 598
Remote Config [candidate] (551.574 µs) : 0, 552
Telemetry [baseline] (9.749 ms) : 0, 9749
Telemetry [candidate] (6.794 ms) : 0, 6794
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (772.528 ms) : 0, 772528
BytebuddyAgent [candidate] (768.127 ms) : 0, 768127
GlobalTracer [baseline] (275.996 ms) : 0, 275996
GlobalTracer [candidate] (278.567 ms) : 0, 278567
AppSec [baseline] (47.195 ms) : 0, 47195
AppSec [candidate] (46.93 ms) : 0, 46930
IAST [baseline] (16.072 ms) : 0, 16072
IAST [candidate] (15.971 ms) : 0, 15971
Remote Config [baseline] (566.944 µs) : 0, 567
Remote Config [candidate] (569.557 µs) : 0, 570
Telemetry [baseline] (9.516 ms) : 0, 9516
Telemetry [candidate] (5.594 ms) : 0, 5594
```

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| commit | 1.23.0-SNAPSHOT~205e504500 | 1.23.0-SNAPSHOT~7c4ced6cdd |
| config | baseline | candidate |
| end_time | 2023-10-31T15:48:35 | 2023-10-31T16:05:01 |
| start_time | 2023-10-31T15:48:22 | 2023-10-31T16:04:48 |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 22 cases.

Request duration reports for petclinic
```mermaid
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.23.0-SNAPSHOT~7c4ced6cdd, baseline=1.23.0-SNAPSHOT~205e504500
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.383 ms) : 1364, 1403
.   : milestone, 1383,
appsec (1.719 ms) : 1694, 1744
.   : milestone, 1719,
iast (1.462 ms) : 1437, 1486
.   : milestone, 1462,
profiling (1.477 ms) : 1452, 1503
.   : milestone, 1477,
tracing (1.452 ms) : 1428, 1477
.   : milestone, 1452,
section candidate
no_agent (1.344 ms) : 1325, 1363
.   : milestone, 1344,
appsec (1.742 ms) : 1718, 1766
.   : milestone, 1742,
iast (1.471 ms) : 1447, 1494
.   : milestone, 1471,
profiling (1.488 ms) : 1463, 1512
.   : milestone, 1488,
tracing (1.463 ms) : 1437, 1488
.   : milestone, 1463,
```
  • baseline results
| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.383 ms [1.364 ms, 1.403 ms] | - |
| appsec | 1.719 ms [1.694 ms, 1.744 ms] | 335.187 µs (24.2%) |
| iast | 1.462 ms [1.437 ms, 1.486 ms] | 78.396 µs (5.7%) |
| profiling | 1.477 ms [1.452 ms, 1.503 ms] | 93.762 µs (6.8%) |
| tracing | 1.452 ms [1.428 ms, 1.477 ms] | 69.014 µs (5.0%) |
  • candidate results
| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.344 ms [1.325 ms, 1.363 ms] | - |
| appsec | 1.742 ms [1.718 ms, 1.766 ms] | 398.156 µs (29.6%) |
| iast | 1.471 ms [1.447 ms, 1.494 ms] | 126.716 µs (9.4%) |
| profiling | 1.488 ms [1.463 ms, 1.512 ms] | 143.936 µs (10.7%) |
| tracing | 1.463 ms [1.437 ms, 1.488 ms] | 119.064 µs (8.9%) |
Request duration reports for insecure-bank
```mermaid
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.23.0-SNAPSHOT~7c4ced6cdd, baseline=1.23.0-SNAPSHOT~205e504500
    dateFormat X
    axisFormat %s
section baseline
no_agent (371.541 µs) : 352, 391
.   : milestone, 372,
iast (467.983 µs) : 447, 489
.   : milestone, 468,
iast_FULL (535.272 µs) : 515, 556
.   : milestone, 535,
iast_INACTIVE (440.616 µs) : 419, 462
.   : milestone, 441,
iast_TELEMETRY_OFF (466.302 µs) : 445, 487
.   : milestone, 466,
tracing (443.063 µs) : 421, 465
.   : milestone, 443,
section candidate
no_agent (364.032 µs) : 344, 384
.   : milestone, 364,
iast (464.553 µs) : 443, 486
.   : milestone, 465,
iast_FULL (539.707 µs) : 519, 561
.   : milestone, 540,
iast_INACTIVE (433.574 µs) : 413, 454
.   : milestone, 434,
iast_TELEMETRY_OFF (471.025 µs) : 450, 492
.   : milestone, 471,
tracing (431.347 µs) : 411, 452
.   : milestone, 431,
```
  • baseline results
| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 371.541 µs [351.887 µs, 391.195 µs] | - |
| iast | 467.983 µs [447.234 µs, 488.732 µs] | 96.442 µs (26.0%) |
| iast_FULL | 535.272 µs [514.513 µs, 556.031 µs] | 163.731 µs (44.1%) |
| iast_INACTIVE | 440.616 µs [419.261 µs, 461.97 µs] | 69.075 µs (18.6%) |
| iast_TELEMETRY_OFF | 466.302 µs [445.327 µs, 487.277 µs] | 94.761 µs (25.5%) |
| tracing | 443.063 µs [421.315 µs, 464.811 µs] | 71.522 µs (19.3%) |
  • candidate results
| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 364.032 µs [344.192 µs, 383.871 µs] | - |
| iast | 464.553 µs [443.468 µs, 485.638 µs] | 100.522 µs (27.6%) |
| iast_FULL | 539.707 µs [518.786 µs, 560.629 µs] | 175.676 µs (48.3%) |
| iast_INACTIVE | 433.574 µs [412.751 µs, 454.398 µs] | 69.543 µs (19.1%) |
| iast_TELEMETRY_OFF | 471.025 µs [449.661 µs, 492.388 µs] | 106.993 µs (29.4%) |
| tracing | 431.347 µs [411.095 µs, 451.599 µs] | 67.315 µs (18.5%) |

@manuel-alvarez-alvarez removed the `tag: no release notes` (Changes to exclude from release notes) label Oct 23, 2023
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the title Malvarez/iast remove callsites for web sources Improve coverage for IAST web sources Oct 23, 2023
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-callsites-for-web-sources branch from d98a9d2 to af944ea Compare October 23, 2023 16:05
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-taint-api-refactor branch from 333c7a8 to 9f8489a Compare October 23, 2023 16:06
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-callsites-for-web-sources branch 5 times, most recently from 2b2d3c8 to 0dbd55b Compare October 24, 2023 08:47
@manuel-alvarez-alvarez manuel-alvarez-alvarez marked this pull request as ready for review October 24, 2023 08:49
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-callsites-for-web-sources branch from 0dbd55b to 30181e4 Compare October 24, 2023 08:52
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-taint-api-refactor branch from 9f8489a to 29e3032 Compare October 24, 2023 09:18
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-callsites-for-web-sources branch from 30181e4 to b4612f6 Compare October 24, 2023 09:28
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-taint-api-refactor branch 2 times, most recently from 20eb516 to 5f48814 Compare October 25, 2023 10:54
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-callsites-for-web-sources branch from b4612f6 to 170b90e Compare October 25, 2023 10:57
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-taint-api-refactor branch from 5f48814 to 2116662 Compare October 25, 2023 15:01
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-callsites-for-web-sources branch from 170b90e to 016b1dd Compare October 25, 2023 15:03
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-taint-api-refactor branch from 2116662 to 469769d Compare October 25, 2023 15:24
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-callsites-for-web-sources branch from 016b1dd to d94bd59 Compare October 25, 2023 15:25
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-taint-api-refactor branch 4 times, most recently from 3a6030d to 072e68a Compare October 27, 2023 08:50
Base automatically changed from malvarez/iast-taint-api-refactor to master October 27, 2023 10:00
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-callsites-for-web-sources branch 3 times, most recently from 722027c to d11e7ff Compare October 30, 2023 13:32
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-callsites-for-web-sources branch from d11e7ff to 3a33dd3 Compare October 31, 2023 08:53
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-callsites-for-web-sources branch from 3a33dd3 to 2398229 Compare October 31, 2023 13:13
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-remove-callsites-for-web-sources branch from 2398229 to 7c4ced6 Compare October 31, 2023 15:23
@manuel-alvarez-alvarez manuel-alvarez-alvarez merged commit 4ad36f5 into master Oct 31, 2023
10 of 11 checks passed
@manuel-alvarez-alvarez manuel-alvarez-alvarez deleted the malvarez/iast-remove-callsites-for-web-sources branch October 31, 2023 17:30
@github-actions github-actions bot added this to the 1.23.0 milestone Oct 31, 2023