
Fix NPE in IAST evidence redaction #6099

Merged (2 commits), Oct 25, 2023
Conversation

smola (Member) commented Oct 25, 2023

What Does This Do

When serializing vulnerability evidence, we could trigger an NPE when the data source has no value (e.g. this happens with request body as source). The end result is losing these vulnerabilities.

Motivation

Additional Notes

Jira ticket: APPSEC-11847
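The failure mode described above, as an added illustration that is not code from dd-trace-java: a minimal, hypothetical model of evidence serialization in which each tainted range points at a source, and the source's value may be null (as for a request body). The `Source`, `Range`, `redact` and `serializeSources*` names are assumptions made for this example; the point is that a redaction step which dereferences the value unconditionally throws, and a reporter that catches that exception drops the whole finding, whereas the null-safe variant keeps the vulnerability and simply omits the value field.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public final class EvidenceRedactionExample {

  /** Hypothetical tainted-data source; value is null when the source has no scalar value. */
  static final class Source {
    final String origin;
    final String name;
    final String value;

    Source(String origin, String name, String value) {
      this.origin = origin;
      this.name = name;
      this.value = value;
    }
  }

  /** A tainted range inside the evidence string, pointing back at its source. */
  static final class Range {
    final int start;
    final int length;
    final Source source;

    Range(int start, int length, Source source) {
      this.start = start;
      this.length = length;
      this.source = source;
    }
  }

  /** Mask a sensitive value before it leaves the process. */
  static String redact(String value) {
    // Dereferences value: this is the NPE site when a source has no value.
    return "*".repeat(value.length());
  }

  /** Before the fix: assumes every source carries a value. */
  static List<Map<String, Object>> serializeSourcesUnsafe(List<Range> ranges) {
    List<Map<String, Object>> out = new ArrayList<>();
    for (Range r : ranges) {
      Map<String, Object> src = new LinkedHashMap<>();
      src.put("origin", r.source.origin);
      src.put("name", r.source.name);
      src.put("value", redact(r.source.value));
      src.put("start", r.start);
      src.put("length", r.length);
      out.add(src);
    }
    return out;
  }

  /** After the fix: a source without a value is serialized without a value field. */
  static List<Map<String, Object>> serializeSourcesSafe(List<Range> ranges) {
    List<Map<String, Object>> out = new ArrayList<>();
    for (Range r : ranges) {
      Map<String, Object> src = new LinkedHashMap<>();
      src.put("origin", r.source.origin);
      if (r.source.name != null) {
        src.put("name", r.source.name);
      }
      if (r.source.value != null) {
        src.put("value", redact(r.source.value));
      }
      src.put("start", r.start);
      src.put("length", r.length);
      out.add(src);
    }
    return out;
  }

  /** Constructed input: one parameter source with a value, one body source with none. */
  static List<Range> sampleRanges() {
    List<Range> ranges = new ArrayList<>();
    ranges.add(new Range(0, 5, new Source("http.request.parameter", "user", "admin")));
    ranges.add(new Range(6, 12, new Source("http.request.body", null, null)));
    return ranges;
  }

  public static void main(String[] args) {
    List<Range> ranges = sampleRanges();
    try {
      serializeSourcesUnsafe(ranges);
    } catch (NullPointerException e) {
      // A reporter that swallows this exception silently loses the finding.
      System.out.println("unsafe serializer threw NPE; the vulnerability would be lost");
    }
    System.out.println("safe serializer: " + serializeSourcesSafe(ranges));
  }
}
```

Run with `java EvidenceRedactionExample.java` (Java 11 or later, for `String.repeat`). The unsafe path throws on the second range; the safe path emits both sources, the body source carrying only its origin and position.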

When serializing vulnerability evidence, we could trigger an NPE when
the data source has no value (e.g. this happens with request body as
source).
@smola smola added type: bug comp: asm iast Application Security Management (IAST) labels Oct 25, 2023
@smola smola requested a review from a team as a code owner October 25, 2023 14:10
@smola smola requested a review from jandro996 October 25, 2023 14:10
pr-commenter bot commented Oct 25, 2023

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| commit | 1.22.0-SNAPSHOT~4b83850f24 | 1.22.0-SNAPSHOT~b9b32a0de1 |
| config | baseline | candidate |

Matching parameters:

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 54 cases.

Startup time reports for insecure-bank

```mermaid
gantt
    title insecure-bank - global startup overhead: candidate=1.22.0-SNAPSHOT~b9b32a0de1, baseline=1.22.0-SNAPSHOT~4b83850f24

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.029 s) : 0, 1028674
Total [baseline] (8.733 s) : 0, 8732769
Agent [candidate] (1.036 s) : 0, 1036362
Total [candidate] (8.71 s) : 0, 8710127
section iast
Agent [baseline] (1.146 s) : 0, 1146395
Total [baseline] (9.232 s) : 0, 9232150
Agent [candidate] (1.148 s) : 0, 1147602
Total [candidate] (9.233 s) : 0, 9232655
section iast_TELEMETRY_OFF
Agent [baseline] (1.137 s) : 0, 1136866
Total [baseline] (9.189 s) : 0, 9188553
Agent [candidate] (1.14 s) : 0, 1140097
Total [candidate] (9.203 s) : 0, 9202842
```
Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.029 s | - |
| Agent | iast | 1.146 s | 117.721 ms (11.4%) |
| Agent | iast_TELEMETRY_OFF | 1.137 s | 108.193 ms (10.5%) |
| Total | tracing | 8.733 s | - |
| Total | iast | 9.232 s | 499.381 ms (5.7%) |
| Total | iast_TELEMETRY_OFF | 9.189 s | 455.784 ms (5.2%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.036 s | - |
| Agent | iast | 1.148 s | 111.24 ms (10.7%) |
| Agent | iast_TELEMETRY_OFF | 1.14 s | 103.736 ms (10.0%) |
| Total | tracing | 8.71 s | - |
| Total | iast | 9.233 s | 522.528 ms (6.0%) |
| Total | iast_TELEMETRY_OFF | 9.203 s | 492.715 ms (5.7%) |
```mermaid
gantt
    title insecure-bank - break down per module: candidate=1.22.0-SNAPSHOT~b9b32a0de1, baseline=1.22.0-SNAPSHOT~4b83850f24

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (642.711 ms) : 0, 642711
BytebuddyAgent [candidate] (647.358 ms) : 0, 647358
GlobalTracer [baseline] (294.999 ms) : 0, 294999
GlobalTracer [candidate] (297.464 ms) : 0, 297464
AppSec [baseline] (49.492 ms) : 0, 49492
AppSec [candidate] (49.82 ms) : 0, 49820
Remote Config [baseline] (710.459 µs) : 0, 710
Remote Config [candidate] (696.666 µs) : 0, 697
Telemetry [baseline] (6.123 ms) : 0, 6123
Telemetry [candidate] (6.175 ms) : 0, 6175
section iast
BytebuddyAgent [baseline] (766.876 ms) : 0, 766876
BytebuddyAgent [candidate] (767.274 ms) : 0, 767274
GlobalTracer [baseline] (271.281 ms) : 0, 271281
GlobalTracer [candidate] (272.161 ms) : 0, 272161
AppSec [baseline] (49.252 ms) : 0, 49252
AppSec [candidate] (47.561 ms) : 0, 47561
IAST [baseline] (15.821 ms) : 0, 15821
IAST [candidate] (18.835 ms) : 0, 18835
Remote Config [baseline] (579.153 µs) : 0, 579
Remote Config [candidate] (589.364 µs) : 0, 589
Telemetry [baseline] (8.213 ms) : 0, 8213
Telemetry [candidate] (6.79 ms) : 0, 6790
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (760.15 ms) : 0, 760150
BytebuddyAgent [candidate] (761.971 ms) : 0, 761971
GlobalTracer [baseline] (271.653 ms) : 0, 271653
GlobalTracer [candidate] (272.81 ms) : 0, 272810
AppSec [baseline] (45.878 ms) : 0, 45878
AppSec [candidate] (46.455 ms) : 0, 46455
IAST [baseline] (17.516 ms) : 0, 17516
IAST [candidate] (14.934 ms) : 0, 14934
Remote Config [baseline] (599.911 µs) : 0, 600
Remote Config [candidate] (556.044 µs) : 0, 556
Telemetry [baseline] (6.758 ms) : 0, 6758
Telemetry [candidate] (8.925 ms) : 0, 8925
```
Startup time reports for petclinic

```mermaid
gantt
    title petclinic - global startup overhead: candidate=1.22.0-SNAPSHOT~b9b32a0de1, baseline=1.22.0-SNAPSHOT~4b83850f24

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.021 s) : 0, 1020556
Total [baseline] (9.215 s) : 0, 9214974
Agent [candidate] (1.025 s) : 0, 1024538
Total [candidate] (9.306 s) : 0, 9306062
section appsec
Agent [baseline] (1.12 s) : 0, 1119723
Total [baseline] (9.319 s) : 0, 9319007
Agent [candidate] (1.109 s) : 0, 1108960
Total [candidate] (9.316 s) : 0, 9315616
section iast
Agent [baseline] (1.144 s) : 0, 1144460
Total [baseline] (9.436 s) : 0, 9436308
Agent [candidate] (1.147 s) : 0, 1147260
Total [candidate] (9.44 s) : 0, 9439645
section profiling
Agent [baseline] (1.203 s) : 0, 1203170
Total [baseline] (9.556 s) : 0, 9556060
Agent [candidate] (1.197 s) : 0, 1196611
Total [candidate] (9.508 s) : 0, 9507578
```
Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.021 s | - |
| Agent | appsec | 1.12 s | 99.167 ms (9.7%) |
| Agent | iast | 1.144 s | 123.904 ms (12.1%) |
| Agent | profiling | 1.203 s | 182.614 ms (17.9%) |
| Total | tracing | 9.215 s | - |
| Total | appsec | 9.319 s | 104.033 ms (1.1%) |
| Total | iast | 9.436 s | 221.334 ms (2.4%) |
| Total | profiling | 9.556 s | 341.086 ms (3.7%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.025 s | - |
| Agent | appsec | 1.109 s | 84.422 ms (8.2%) |
| Agent | iast | 1.147 s | 122.722 ms (12.0%) |
| Agent | profiling | 1.197 s | 172.073 ms (16.8%) |
| Total | tracing | 9.306 s | - |
| Total | appsec | 9.316 s | 9.554 ms (0.1%) |
| Total | iast | 9.44 s | 133.583 ms (1.4%) |
| Total | profiling | 9.508 s | 201.516 ms (2.2%) |
```mermaid
gantt
    title petclinic - break down per module: candidate=1.22.0-SNAPSHOT~b9b32a0de1, baseline=1.22.0-SNAPSHOT~4b83850f24

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (637.257 ms) : 0, 637257
BytebuddyAgent [candidate] (638.493 ms) : 0, 638493
GlobalTracer [baseline] (292.853 ms) : 0, 292853
GlobalTracer [candidate] (295.604 ms) : 0, 295604
AppSec [baseline] (49.279 ms) : 0, 49279
AppSec [candidate] (49.32 ms) : 0, 49320
Remote Config [baseline] (686.279 µs) : 0, 686
Remote Config [candidate] (678.081 µs) : 0, 678
Telemetry [baseline] (6.105 ms) : 0, 6105
Telemetry [candidate] (6.177 ms) : 0, 6177
section appsec
BytebuddyAgent [baseline] (643.989 ms) : 0, 643989
BytebuddyAgent [candidate] (638.217 ms) : 0, 638217
GlobalTracer [baseline] (296.029 ms) : 0, 296029
GlobalTracer [candidate] (292.176 ms) : 0, 292176
AppSec [baseline] (138.685 ms) : 0, 138685
AppSec [candidate] (137.959 ms) : 0, 137959
Remote Config [baseline] (654.648 µs) : 0, 655
Remote Config [candidate] (643.673 µs) : 0, 644
Telemetry [baseline] (5.792 ms) : 0, 5792
Telemetry [candidate] (5.698 ms) : 0, 5698
section iast
BytebuddyAgent [baseline] (766.323 ms) : 0, 766323
BytebuddyAgent [candidate] (768.129 ms) : 0, 768129
GlobalTracer [baseline] (271.792 ms) : 0, 271792
GlobalTracer [candidate] (272.387 ms) : 0, 272387
AppSec [baseline] (46.991 ms) : 0, 46991
AppSec [candidate] (46.782 ms) : 0, 46782
IAST [baseline] (16.727 ms) : 0, 16727
IAST [candidate] (17.993 ms) : 0, 17993
Remote Config [baseline] (589.334 µs) : 0, 589
Remote Config [candidate] (586.163 µs) : 0, 586
Telemetry [baseline] (7.621 ms) : 0, 7621
Telemetry [candidate] (6.896 ms) : 0, 6896
section profiling
BytebuddyAgent [baseline] (654.238 ms) : 0, 654238
BytebuddyAgent [candidate] (650.35 ms) : 0, 650350
GlobalTracer [baseline] (357.832 ms) : 0, 357832
GlobalTracer [candidate] (356.347 ms) : 0, 356347
AppSec [baseline] (49.635 ms) : 0, 49635
AppSec [candidate] (49.163 ms) : 0, 49163
Remote Config [baseline] (646.737 µs) : 0, 647
Remote Config [candidate] (645.321 µs) : 0, 645
Telemetry [baseline] (6.052 ms) : 0, 6052
Telemetry [candidate] (6.045 ms) : 0, 6045
ProfilingAgent [baseline] (81.025 ms) : 0, 81025
ProfilingAgent [candidate] (80.72 ms) : 0, 80720
Profiling [baseline] (81.05 ms) : 0, 81050
Profiling [candidate] (80.744 ms) : 0, 80744
```

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| commit | 1.22.0-SNAPSHOT~4b83850f24 | 1.22.0-SNAPSHOT~b9b32a0de1 |
| config | baseline | candidate |
| end_time | 2023-10-25T14:34:21 | 2023-10-25T14:50:36 |
| start_time | 2023-10-25T14:34:08 | 2023-10-25T14:50:24 |

Matching parameters:

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 22 cases.

Request duration reports for insecure-bank

```mermaid
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.22.0-SNAPSHOT~b9b32a0de1, baseline=1.22.0-SNAPSHOT~4b83850f24
    dateFormat X
    axisFormat %s
section baseline
no_agent (365.026 µs) : 345, 385
.   : milestone, 365,
iast (461.442 µs) : 440, 482
.   : milestone, 461,
iast_FULL (516.047 µs) : 495, 537
.   : milestone, 516,
iast_INACTIVE (428.319 µs) : 407, 449
.   : milestone, 428,
iast_TELEMETRY_OFF (451.448 µs) : 429, 473
.   : milestone, 451,
tracing (426.483 µs) : 406, 447
.   : milestone, 426,
section candidate
no_agent (356.651 µs) : 337, 376
.   : milestone, 357,
iast (457.201 µs) : 437, 478
.   : milestone, 457,
iast_FULL (524.248 µs) : 504, 545
.   : milestone, 524,
iast_INACTIVE (429.333 µs) : 409, 450
.   : milestone, 429,
iast_TELEMETRY_OFF (455.689 µs) : 435, 477
.   : milestone, 456,
tracing (427.274 µs) : 407, 448
.   : milestone, 427,
```
Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 365.026 µs [344.77 µs, 385.282 µs] | - |
| iast | 461.442 µs [440.462 µs, 482.422 µs] | 96.416 µs (26.4%) |
| iast_FULL | 516.047 µs [495.343 µs, 536.751 µs] | 151.021 µs (41.4%) |
| iast_INACTIVE | 428.319 µs [407.328 µs, 449.31 µs] | 63.293 µs (17.3%) |
| iast_TELEMETRY_OFF | 451.448 µs [429.465 µs, 473.432 µs] | 86.423 µs (23.7%) |
| tracing | 426.483 µs [405.692 µs, 447.274 µs] | 61.457 µs (16.8%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 356.651 µs [336.91 µs, 376.392 µs] | - |
| iast | 457.201 µs [436.677 µs, 477.726 µs] | 100.55 µs (28.2%) |
| iast_FULL | 524.248 µs [503.763 µs, 544.733 µs] | 167.597 µs (47.0%) |
| iast_INACTIVE | 429.333 µs [408.911 µs, 449.755 µs] | 72.682 µs (20.4%) |
| iast_TELEMETRY_OFF | 455.689 µs [434.582 µs, 476.796 µs] | 99.038 µs (27.8%) |
| tracing | 427.274 µs [406.539 µs, 448.009 µs] | 70.623 µs (19.8%) |
Request duration reports for petclinic

```mermaid
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.22.0-SNAPSHOT~b9b32a0de1, baseline=1.22.0-SNAPSHOT~4b83850f24
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.331 ms) : 1312, 1350
.   : milestone, 1331,
appsec (1.712 ms) : 1688, 1736
.   : milestone, 1712,
iast (1.455 ms) : 1431, 1479
.   : milestone, 1455,
profiling (1.459 ms) : 1433, 1485
.   : milestone, 1459,
tracing (1.465 ms) : 1441, 1490
.   : milestone, 1465,
section candidate
no_agent (1.332 ms) : 1313, 1351
.   : milestone, 1332,
appsec (1.707 ms) : 1682, 1731
.   : milestone, 1707,
iast (1.467 ms) : 1443, 1491
.   : milestone, 1467,
profiling (1.469 ms) : 1445, 1493
.   : milestone, 1469,
tracing (1.448 ms) : 1424, 1472
.   : milestone, 1448,
```
Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.331 ms [1.312 ms, 1.35 ms] | - |
| appsec | 1.712 ms [1.688 ms, 1.736 ms] | 381.032 µs (28.6%) |
| iast | 1.455 ms [1.431 ms, 1.479 ms] | 124.281 µs (9.3%) |
| profiling | 1.459 ms [1.433 ms, 1.485 ms] | 127.908 µs (9.6%) |
| tracing | 1.465 ms [1.441 ms, 1.49 ms] | 134.237 µs (10.1%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.332 ms [1.313 ms, 1.351 ms] | - |
| appsec | 1.707 ms [1.682 ms, 1.731 ms] | 374.864 µs (28.1%) |
| iast | 1.467 ms [1.443 ms, 1.491 ms] | 135.056 µs (10.1%) |
| profiling | 1.469 ms [1.445 ms, 1.493 ms] | 137.127 µs (10.3%) |
| tracing | 1.448 ms [1.424 ms, 1.472 ms] | 115.941 µs (8.7%) |

@smola smola merged commit 1d3d236 into master Oct 25, 2023
10 checks passed
@smola smola deleted the smola/evidenceadapter-fix-null-source branch October 25, 2023 15:27
@github-actions github-actions bot added this to the 1.22.0 milestone Oct 25, 2023
Labels
comp: asm iast Application Security Management (IAST) type: bug