Increase IAST propagation to StringBuffer append #8082

Mariovido · 2024-12-12T15:42:50Z

What Does This Do

This adds the instrumentation to propagate the taint values through the following methods of StringBuffer:

append(CharSequence, int, int)
append(StringBuffer)

Motivation

Increase propagation of StringBuffer methods.

Additional Notes

Contributor Checklist

Format the title according the contribution guidelines
Assign the type: and (comp: or inst:) labels in addition to any usefull labels
Don't use close, fix or any linking keywords when referencing an issue.
Use solves instead, and assign the PR milestone to the issue
Update the public documentation in case of new configuration flag or behavior

Jira ticket: APPSEC-55365

pr-commenter · 2024-12-12T16:21:58Z

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	mario.vidal/taint_tracking_append_string_buffer
git_commit_date	1734012159	1734017969
git_commit_sha	`4573a38`	`8feff99`
release_version	1.44.0-SNAPSHOT~4573a38b9e	1.45.0-SNAPSHOT~8feff99317

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1734020470	1734020470
ci_job_id	736885916	736885916
ci_pipeline_id	50968305	50968305
cpu_model	Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz
module	Agent	Agent
parent	None	None
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 52 metrics, 11 unstable metrics.

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.45.0-SNAPSHOT~8feff99317, baseline=1.44.0-SNAPSHOT~4573a38b9e

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.12 s) : 0, 1119756
Total [baseline] (10.717 s) : 0, 10716771
Agent [candidate] (1.119 s) : 0, 1118845
Total [candidate] (10.691 s) : 0, 10691256
section appsec
Agent [baseline] (1.256 s) : 0, 1256451
Total [baseline] (10.987 s) : 0, 10986908
Agent [candidate] (1.257 s) : 0, 1257447
Total [candidate] (10.971 s) : 0, 10971190
section iast
Agent [baseline] (1.25 s) : 0, 1249874
Total [baseline] (11.132 s) : 0, 11131611
Agent [candidate] (1.249 s) : 0, 1248882
Total [candidate] (11.152 s) : 0, 11152486
section profiling
Agent [baseline] (1.356 s) : 0, 1355878
Total [baseline] (11.069 s) : 0, 11068900
Agent [candidate] (1.356 s) : 0, 1355633
Total [candidate] (11.222 s) : 0, 11222379

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.12 s	-
Agent	appsec	1.256 s	136.695 ms (12.2%)
Agent	iast	1.25 s	130.118 ms (11.6%)
Agent	profiling	1.356 s	236.122 ms (21.1%)
Total	tracing	10.717 s	-
Total	appsec	10.987 s	270.138 ms (2.5%)
Total	iast	11.132 s	414.84 ms (3.9%)
Total	profiling	11.069 s	352.13 ms (3.3%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.119 s	-
Agent	appsec	1.257 s	138.603 ms (12.4%)
Agent	iast	1.249 s	130.038 ms (11.6%)
Agent	profiling	1.356 s	236.788 ms (21.2%)
Total	tracing	10.691 s	-
Total	appsec	10.971 s	279.934 ms (2.6%)
Total	iast	11.152 s	461.23 ms (4.3%)
Total	profiling	11.222 s	531.123 ms (5.0%)

gantt
    title petclinic - break down per module: candidate=1.45.0-SNAPSHOT~8feff99317, baseline=1.44.0-SNAPSHOT~4573a38b9e

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (710.993 ms) : 0, 710993
BytebuddyAgent [candidate] (710.68 ms) : 0, 710680
GlobalTracer [baseline] (326.872 ms) : 0, 326872
GlobalTracer [candidate] (327.042 ms) : 0, 327042
AppSec [baseline] (56.174 ms) : 0, 56174
AppSec [candidate] (56.767 ms) : 0, 56767
Remote Config [baseline] (704.961 µs) : 0, 705
Remote Config [candidate] (725.027 µs) : 0, 725
Telemetry [baseline] (11.106 ms) : 0, 11106
Telemetry [candidate] (9.739 ms) : 0, 9739
section appsec
BytebuddyAgent [baseline] (727.173 ms) : 0, 727173
BytebuddyAgent [candidate] (728.787 ms) : 0, 728787
GlobalTracer [baseline] (323.851 ms) : 0, 323851
GlobalTracer [candidate] (324.858 ms) : 0, 324858
AppSec [baseline] (171.925 ms) : 0, 171925
AppSec [candidate] (171.375 ms) : 0, 171375
Remote Config [baseline] (652.659 µs) : 0, 653
Remote Config [candidate] (665.771 µs) : 0, 666
Telemetry [baseline] (8.411 ms) : 0, 8411
Telemetry [candidate] (8.055 ms) : 0, 8055
IAST [baseline] (21.188 ms) : 0, 21188
IAST [candidate] (19.598 ms) : 0, 19598
section iast
BytebuddyAgent [baseline] (828.948 ms) : 0, 828948
BytebuddyAgent [candidate] (828.797 ms) : 0, 828797
GlobalTracer [baseline] (316.514 ms) : 0, 316514
GlobalTracer [candidate] (316.281 ms) : 0, 316281
AppSec [baseline] (57.445 ms) : 0, 57445
AppSec [candidate] (59.084 ms) : 0, 59084
Remote Config [baseline] (665.519 µs) : 0, 666
Remote Config [candidate] (644.611 µs) : 0, 645
Telemetry [baseline] (7.758 ms) : 0, 7758
Telemetry [candidate] (7.677 ms) : 0, 7677
IAST [baseline] (24.646 ms) : 0, 24646
IAST [candidate] (22.532 ms) : 0, 22532
section profiling
ProfilingAgent [baseline] (93.93 ms) : 0, 93930
ProfilingAgent [candidate] (94.29 ms) : 0, 94290
BytebuddyAgent [baseline] (705.783 ms) : 0, 705783
BytebuddyAgent [candidate] (705.959 ms) : 0, 705959
GlobalTracer [baseline] (453.089 ms) : 0, 453089
GlobalTracer [candidate] (451.909 ms) : 0, 451909
AppSec [baseline] (54.66 ms) : 0, 54660
AppSec [candidate] (54.913 ms) : 0, 54913
Remote Config [baseline] (702.543 µs) : 0, 703
Remote Config [candidate] (707.441 µs) : 0, 707
Telemetry [baseline] (7.919 ms) : 0, 7919
Telemetry [candidate] (8.024 ms) : 0, 8024
Profiling [baseline] (93.953 ms) : 0, 93953
Profiling [candidate] (94.314 ms) : 0, 94314

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.45.0-SNAPSHOT~8feff99317, baseline=1.44.0-SNAPSHOT~4573a38b9e

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.121 s) : 0, 1120787
Total [baseline] (9.241 s) : 0, 9241060
Agent [candidate] (1.123 s) : 0, 1123281
Total [candidate] (9.215 s) : 0, 9215291
section iast
Agent [baseline] (1.261 s) : 0, 1260795
Total [baseline] (9.776 s) : 0, 9776490
Agent [candidate] (1.26 s) : 0, 1260176
Total [candidate] (9.843 s) : 0, 9842876
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.249 s) : 0, 1249138
Total [baseline] (9.728 s) : 0, 9728384
Agent [candidate] (1.26 s) : 0, 1259632
Total [candidate] (9.714 s) : 0, 9713550
section iast_TELEMETRY_OFF
Agent [baseline] (1.252 s) : 0, 1251891
Total [baseline] (9.818 s) : 0, 9817723
Agent [candidate] (1.256 s) : 0, 1256098
Total [candidate] (9.785 s) : 0, 9784893

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.121 s	-
Agent	iast	1.261 s	140.008 ms (12.5%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.249 s	128.35 ms (11.5%)
Agent	iast_TELEMETRY_OFF	1.252 s	131.103 ms (11.7%)
Total	tracing	9.241 s	-
Total	iast	9.776 s	535.43 ms (5.8%)
Total	iast_HARDCODED_SECRET_DISABLED	9.728 s	487.324 ms (5.3%)
Total	iast_TELEMETRY_OFF	9.818 s	576.663 ms (6.2%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.123 s	-
Agent	iast	1.26 s	136.895 ms (12.2%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.26 s	136.35 ms (12.1%)
Agent	iast_TELEMETRY_OFF	1.256 s	132.816 ms (11.8%)
Total	tracing	9.215 s	-
Total	iast	9.843 s	627.585 ms (6.8%)
Total	iast_HARDCODED_SECRET_DISABLED	9.714 s	498.259 ms (5.4%)
Total	iast_TELEMETRY_OFF	9.785 s	569.602 ms (6.2%)

gantt
    title insecure-bank - break down per module: candidate=1.45.0-SNAPSHOT~8feff99317, baseline=1.44.0-SNAPSHOT~4573a38b9e

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (711.612 ms) : 0, 711612
BytebuddyAgent [candidate] (712.321 ms) : 0, 712321
GlobalTracer [baseline] (326.977 ms) : 0, 326977
GlobalTracer [candidate] (327.764 ms) : 0, 327764
AppSec [baseline] (56.457 ms) : 0, 56457
AppSec [candidate] (56.514 ms) : 0, 56514
Remote Config [baseline] (703.512 µs) : 0, 704
Remote Config [candidate] (711.772 µs) : 0, 712
Telemetry [baseline] (11.154 ms) : 0, 11154
Telemetry [candidate] (12.029 ms) : 0, 12029
section iast
BytebuddyAgent [baseline] (839.052 ms) : 0, 839052
BytebuddyAgent [candidate] (837.941 ms) : 0, 837941
GlobalTracer [baseline] (317.717 ms) : 0, 317717
GlobalTracer [candidate] (317.882 ms) : 0, 317882
AppSec [baseline] (58.032 ms) : 0, 58032
AppSec [candidate] (59.985 ms) : 0, 59985
IAST [baseline] (23.665 ms) : 0, 23665
IAST [candidate] (21.936 ms) : 0, 21936
Remote Config [baseline] (664.605 µs) : 0, 665
Remote Config [candidate] (658.041 µs) : 0, 658
Telemetry [baseline] (7.693 ms) : 0, 7693
Telemetry [candidate] (7.737 ms) : 0, 7737
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (829.053 ms) : 0, 829053
BytebuddyAgent [candidate] (837.17 ms) : 0, 837170
GlobalTracer [baseline] (315.848 ms) : 0, 315848
GlobalTracer [candidate] (317.799 ms) : 0, 317799
AppSec [baseline] (59.075 ms) : 0, 59075
AppSec [candidate] (59.4 ms) : 0, 59400
IAST [baseline] (22.871 ms) : 0, 22871
IAST [candidate] (22.821 ms) : 0, 22821
Remote Config [baseline] (659.083 µs) : 0, 659
Remote Config [candidate] (667.874 µs) : 0, 668
Telemetry [baseline] (7.711 ms) : 0, 7711
Telemetry [candidate] (7.773 ms) : 0, 7773
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (830.093 ms) : 0, 830093
BytebuddyAgent [candidate] (835.084 ms) : 0, 835084
GlobalTracer [baseline] (317.553 ms) : 0, 317553
GlobalTracer [candidate] (317.394 ms) : 0, 317394
AppSec [baseline] (59.811 ms) : 0, 59811
AppSec [candidate] (60.047 ms) : 0, 60047
IAST [baseline] (22.266 ms) : 0, 22266
IAST [candidate] (21.292 ms) : 0, 21292
Remote Config [baseline] (654.704 µs) : 0, 655
Remote Config [candidate] (667.05 µs) : 0, 667
Telemetry [baseline] (7.618 ms) : 0, 7618
Telemetry [candidate] (7.621 ms) : 0, 7621

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
end_time	2024-12-12T15:52:10	2024-12-12T15:59:08
git_branch	master	mario.vidal/taint_tracking_append_string_buffer
git_commit_date	1734012159	1734017969
git_commit_sha	`4573a38`	`8feff99`
release_version	1.44.0-SNAPSHOT~4573a38b9e	1.45.0-SNAPSHOT~8feff99317
start_time	2024-12-12T15:51:57	2024-12-12T15:58:54

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1734019500	1734019500
ci_job_id	736885917	736885917
ci_pipeline_id	50968305	50968305
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics.

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.45.0-SNAPSHOT~8feff99317, baseline=1.44.0-SNAPSHOT~4573a38b9e
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.343 ms) : 1324, 1363
.   : milestone, 1343,
appsec (1.744 ms) : 1721, 1768
.   : milestone, 1744,
appsec_no_iast (1.748 ms) : 1723, 1773
.   : milestone, 1748,
iast (1.49 ms) : 1468, 1513
.   : milestone, 1490,
profiling (1.541 ms) : 1516, 1566
.   : milestone, 1541,
tracing (1.485 ms) : 1461, 1510
.   : milestone, 1485,
section candidate
no_agent (1.354 ms) : 1335, 1373
.   : milestone, 1354,
appsec (1.753 ms) : 1729, 1777
.   : milestone, 1753,
appsec_no_iast (1.746 ms) : 1722, 1771
.   : milestone, 1746,
iast (1.505 ms) : 1483, 1527
.   : milestone, 1505,
profiling (1.511 ms) : 1488, 1534
.   : milestone, 1511,
tracing (1.49 ms) : 1466, 1514
.   : milestone, 1490,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.343 ms [1.324 ms, 1.363 ms]	-
appsec	1.744 ms [1.721 ms, 1.768 ms]	400.79 µs (29.8%)
appsec_no_iast	1.748 ms [1.723 ms, 1.773 ms]	404.53 µs (30.1%)
iast	1.49 ms [1.468 ms, 1.513 ms]	146.666 µs (10.9%)
profiling	1.541 ms [1.516 ms, 1.566 ms]	197.722 µs (14.7%)
tracing	1.485 ms [1.461 ms, 1.51 ms]	141.628 µs (10.5%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.354 ms [1.335 ms, 1.373 ms]	-
appsec	1.753 ms [1.729 ms, 1.777 ms]	398.857 µs (29.5%)
appsec_no_iast	1.746 ms [1.722 ms, 1.771 ms]	392.495 µs (29.0%)
iast	1.505 ms [1.483 ms, 1.527 ms]	151.36 µs (11.2%)
profiling	1.511 ms [1.488 ms, 1.534 ms]	156.63 µs (11.6%)
tracing	1.49 ms [1.466 ms, 1.514 ms]	136.17 µs (10.1%)

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.45.0-SNAPSHOT~8feff99317, baseline=1.44.0-SNAPSHOT~4573a38b9e
    dateFormat X
    axisFormat %s
section baseline
no_agent (378.101 µs) : 358, 398
.   : milestone, 378,
iast (490.45 µs) : 469, 512
.   : milestone, 490,
iast_FULL (652.272 µs) : 631, 674
.   : milestone, 652,
iast_GLOBAL (513.497 µs) : 492, 535
.   : milestone, 513,
iast_HARDCODED_SECRET_DISABLED (490.313 µs) : 468, 512
.   : milestone, 490,
iast_INACTIVE (450.4 µs) : 429, 472
.   : milestone, 450,
iast_TELEMETRY_OFF (480.34 µs) : 459, 502
.   : milestone, 480,
tracing (450.012 µs) : 429, 471
.   : milestone, 450,
section candidate
no_agent (379.196 µs) : 358, 400
.   : milestone, 379,
iast (491.27 µs) : 470, 512
.   : milestone, 491,
iast_FULL (649.353 µs) : 628, 671
.   : milestone, 649,
iast_GLOBAL (518.986 µs) : 497, 541
.   : milestone, 519,
iast_HARDCODED_SECRET_DISABLED (485.838 µs) : 465, 507
.   : milestone, 486,
iast_INACTIVE (449.877 µs) : 428, 471
.   : milestone, 450,
iast_TELEMETRY_OFF (484.888 µs) : 462, 508
.   : milestone, 485,
tracing (440.445 µs) : 420, 461
.   : milestone, 440,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	378.101 µs [358.22 µs, 397.982 µs]	-
iast	490.45 µs [468.702 µs, 512.197 µs]	112.349 µs (29.7%)
iast_FULL	652.272 µs [631.005 µs, 673.538 µs]	274.171 µs (72.5%)
iast_GLOBAL	513.497 µs [492.176 µs, 534.817 µs]	135.396 µs (35.8%)
iast_HARDCODED_SECRET_DISABLED	490.313 µs [468.361 µs, 512.265 µs]	112.213 µs (29.7%)
iast_INACTIVE	450.4 µs [429.254 µs, 471.546 µs]	72.3 µs (19.1%)
iast_TELEMETRY_OFF	480.34 µs [458.799 µs, 501.881 µs]	102.239 µs (27.0%)
tracing	450.012 µs [428.557 µs, 471.467 µs]	71.912 µs (19.0%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	379.196 µs [358.309 µs, 400.083 µs]	-
iast	491.27 µs [470.051 µs, 512.489 µs]	112.074 µs (29.6%)
iast_FULL	649.353 µs [627.806 µs, 670.899 µs]	270.157 µs (71.2%)
iast_GLOBAL	518.986 µs [496.818 µs, 541.153 µs]	139.79 µs (36.9%)
iast_HARDCODED_SECRET_DISABLED	485.838 µs [464.609 µs, 507.067 µs]	106.642 µs (28.1%)
iast_INACTIVE	449.877 µs [428.456 µs, 471.299 µs]	70.681 µs (18.6%)
iast_TELEMETRY_OFF	484.888 µs [462.264 µs, 507.512 µs]	105.692 µs (27.9%)
tracing	440.445 µs [420.153 µs, 460.736 µs]	61.249 µs (16.2%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	mario.vidal/taint_tracking_append_string_buffer
git_commit_date	1734012159	1734017969
git_commit_sha	`4573a38`	`8feff99`
release_version	1.44.0-SNAPSHOT~4573a38b9e	1.45.0-SNAPSHOT~8feff99317

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1734020055	1734020055
ci_job_id	736885919	736885919
ci_pipeline_id	50968305	50968305
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant	appsec	appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.45.0-SNAPSHOT~8feff99317, baseline=1.44.0-SNAPSHOT~4573a38b9e
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.477 ms) : 1465, 1489
.   : milestone, 1477,
appsec (2.351 ms) : 2309, 2393
.   : milestone, 2351,
iast (2.1 ms) : 2047, 2154
.   : milestone, 2100,
iast_GLOBAL (2.15 ms) : 2096, 2203
.   : milestone, 2150,
profiling (1.985 ms) : 1942, 2029
.   : milestone, 1985,
tracing (1.938 ms) : 1898, 1979
.   : milestone, 1938,
section candidate
no_agent (1.475 ms) : 1463, 1486
.   : milestone, 1475,
appsec (2.362 ms) : 2321, 2404
.   : milestone, 2362,
iast (2.092 ms) : 2040, 2145
.   : milestone, 2092,
iast_GLOBAL (2.149 ms) : 2096, 2203
.   : milestone, 2149,
profiling (1.959 ms) : 1917, 2002
.   : milestone, 1959,
tracing (1.939 ms) : 1899, 1980
.   : milestone, 1939,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.477 ms [1.465 ms, 1.489 ms]	-
appsec	2.351 ms [2.309 ms, 2.393 ms]	873.819 µs (59.2%)
iast	2.1 ms [2.047 ms, 2.154 ms]	623.504 µs (42.2%)
iast_GLOBAL	2.15 ms [2.096 ms, 2.203 ms]	672.897 µs (45.6%)
profiling	1.985 ms [1.942 ms, 2.029 ms]	508.31 µs (34.4%)
tracing	1.938 ms [1.898 ms, 1.979 ms]	461.493 µs (31.2%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.475 ms [1.463 ms, 1.486 ms]	-
appsec	2.362 ms [2.321 ms, 2.404 ms]	887.571 µs (60.2%)
iast	2.092 ms [2.04 ms, 2.145 ms]	617.654 µs (41.9%)
iast_GLOBAL	2.149 ms [2.096 ms, 2.203 ms]	674.384 µs (45.7%)
profiling	1.959 ms [1.917 ms, 2.002 ms]	484.677 µs (32.9%)
tracing	1.939 ms [1.899 ms, 1.98 ms]	464.244 µs (31.5%)

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.45.0-SNAPSHOT~8feff99317, baseline=1.44.0-SNAPSHOT~4573a38b9e
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.416 s) : 15416000, 15416000
.   : milestone, 15416000,
appsec (14.897 s) : 14897000, 14897000
.   : milestone, 14897000,
iast (18.94 s) : 18940000, 18940000
.   : milestone, 18940000,
iast_GLOBAL (17.793 s) : 17793000, 17793000
.   : milestone, 17793000,
profiling (15.319 s) : 15319000, 15319000
.   : milestone, 15319000,
tracing (15.093 s) : 15093000, 15093000
.   : milestone, 15093000,
section candidate
no_agent (15.592 s) : 15592000, 15592000
.   : milestone, 15592000,
appsec (14.901 s) : 14901000, 14901000
.   : milestone, 14901000,
iast (18.719 s) : 18719000, 18719000
.   : milestone, 18719000,
iast_GLOBAL (17.881 s) : 17881000, 17881000
.   : milestone, 17881000,
profiling (15.186 s) : 15186000, 15186000
.   : milestone, 15186000,
tracing (15.068 s) : 15068000, 15068000
.   : milestone, 15068000,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.416 s [15.416 s, 15.416 s]	-
appsec	14.897 s [14.897 s, 14.897 s]	-519.0 ms (-3.4%)
iast	18.94 s [18.94 s, 18.94 s]	3.524 s (22.9%)
iast_GLOBAL	17.793 s [17.793 s, 17.793 s]	2.377 s (15.4%)
profiling	15.319 s [15.319 s, 15.319 s]	-97.0 ms (-0.6%)
tracing	15.093 s [15.093 s, 15.093 s]	-323.0 ms (-2.1%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.592 s [15.592 s, 15.592 s]	-
appsec	14.901 s [14.901 s, 14.901 s]	-691.0 ms (-4.4%)
iast	18.719 s [18.719 s, 18.719 s]	3.127 s (20.1%)
iast_GLOBAL	17.881 s [17.881 s, 17.881 s]	2.289 s (14.7%)
profiling	15.186 s [15.186 s, 15.186 s]	-406.0 ms (-2.6%)
tracing	15.068 s [15.068 s, 15.068 s]	-524.0 ms (-3.4%)

| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [com.google.api.grpc:proto-google-common-protos](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.50.0` -> `2.50.1` | | [com.google.cloud:google-cloud-core-http](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.49.0` -> `2.49.1` | | [com.google.cloud:google-cloud-core](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.49.0` -> `2.49.1` | | [com.google.api:gax](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.59.0` -> `2.59.1` | | [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.44.1` -> `1.45.0` | | [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.44.1` -> `1.45.0` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.47` -> `2.29.48` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.47` -> `2.29.48` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.47` -> `2.29.48` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.47` -> `2.29.48` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.47` -> `2.29.48` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.47` -> `2.29.48` | --- ### Release Notes <details> <summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary> ### [`v1.45.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.45.0): 1.45.0 ##### Breaking changes > \[!WARNING]\ > Support for custom scope manager using OpenTelemetry tracer artifact (`dd-trace-ot`) is dropped. > Tracing with OpenTracing API and custom scope manager will continue to work on 1.44.x releases. ##### Components ##### Application Security Management (IAST) - ✨ Add propagation to URI#toURL method ([#8146](DataDog/dd-trace-java#8146) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Increase IAST propagation to StringBuilder setLength ([#8119](DataDog/dd-trace-java#8119) - [@Mariovido](https://github.com/Mariovido)) - ✨ Increase IAST propagation to StringBuffer append ([#8082](DataDog/dd-trace-java#8082) - [@Mariovido](https://github.com/Mariovido)) - ✨ Handle IAST security controls custom validation and sanitization methods ([#7997](DataDog/dd-trace-java#7997) - [@jandro996](https://github.com/jandro996)) ##### Application Security Management (WAF) - ✨ Update user lifecycle tracking to V3 ([#8108](DataDog/dd-trace-java#8108) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Exploit prevention for Shell Injection / Command Injection ([#7615](DataDog/dd-trace-java#7615) - [@jandro996](https://github.com/jandro996)) ##### Build & Tooling - 💡 Support instrumentation of repackaged libraries ([#8153](DataDog/dd-trace-java#8153) - [@mcculls](https://github.com/mcculls)) - ✨ Configure native image build setting for JDK-22 based GraalVM ([#8092](DataDog/dd-trace-java#8092) - [@MattAlp](https://github.com/MattAlp)) ##### Database Monitoring - ✨ Add full APM/DBM mode for Oracle ([#8090](DataDog/dd-trace-java#8090) - [@nenadnoveljic](https://github.com/nenadnoveljic)) ##### Dynamic Instrumentation - 🐛 make local var hoisting disabled by default ([#8158](DataDog/dd-trace-java#8158) - [@jpbempel](https://github.com/jpbempel)) - 🐛 Fix var hoisting issue when no previous store ([#8122](DataDog/dd-trace-java#8122) - [@jpbempel](https://github.com/jpbempel)) - ✨ Only decorate spans without code origin information ([#8105](DataDog/dd-trace-java#8105) - [@evanchooly](https://github.com/evanchooly)) - 🐛 Fix suspend Kotlin methods instrumentation ([#8080](DataDog/dd-trace-java#8080) - [@jpbempel](https://github.com/jpbempel)) - 🐛 Fix class file version detection ([#8057](DataDog/dd-trace-java#8057) - [@jpbempel](https://github.com/jpbempel)) ##### GraalVM native-image - ✨ Configure native image build setting for JDK-22 based GraalVM ([#8092](DataDog/dd-trace-java#8092) - [@MattAlp](https://github.com/MattAlp)) ##### ML Observability (LLMObs) - ✨🧪 Add LLMObs configuration ([#8076](DataDog/dd-trace-java#8076) - [@gary-huang](https://github.com/gary-huang)) ##### Metrics - Bump integrations-core submodule to 7.60.0 ([#8098](DataDog/dd-trace-java#8098) - [@mcculls](https://github.com/mcculls)) - Upgrade to java-dogstatsd-client v4.4.3 ([#8096](DataDog/dd-trace-java#8096) - [@mcculls](https://github.com/mcculls)) ##### OpenTracing - ⚠️🧹 Remove custom scope manager support ([#8164](DataDog/dd-trace-java#8164) - [@PerfectSlayer](https://github.com/PerfectSlayer)) ##### Telemetry - ✨ Retry telemetry requests if CI Visibility is enabled ([#8147](DataDog/dd-trace-java#8147) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Add configurable Dependency service resolution period ([#8079](DataDog/dd-trace-java#8079) - [@jandro996](https://github.com/jandro996)) ##### Testing - 🐛 Remove restriction to not run vertx4 latest tests on java 17 ([#8133](DataDog/dd-trace-java#8133) - [@vandonr](https://github.com/vandonr)) ##### Tracer core - ✨ Defer remote components to avoid OkHttp class-loading side-effects ([#8131](DataDog/dd-trace-java#8131) - [@mcculls](https://github.com/mcculls)) - ✨ Improve Context API null handling and Javadoc ([#8129](DataDog/dd-trace-java#8129) - [@PerfectSlayer](https://github.com/PerfectSlayer)) - 🐛⚡ Avoid performing blocking I/O operation on application thread ([#8120](DataDog/dd-trace-java#8120) - [@mcculls](https://github.com/mcculls)) - 💡 Introduce a shared context component, independent of tracing ([#8117](DataDog/dd-trace-java#8117) - [@mcculls](https://github.com/mcculls)) - ✨ Improves ServiceNameCollector ([#8109](DataDog/dd-trace-java#8109) - [@amarziali](https://github.com/amarziali)) - Upgrade to ASM 9.7.1 (adds new constant for Java 24) ([#8097](DataDog/dd-trace-java#8097) - [@mcculls](https://github.com/mcculls)) - 🐛 Dynamically evaluate service name for message consumers ([#8088](DataDog/dd-trace-java#8088) - [@amarziali](https://github.com/amarziali)) ##### Serverless - 🐛 Add avoid double instrumenting lambda non-streaming handlers. ([#8073](DataDog/dd-trace-java#8073) - [@purple4reina](https://github.com/purple4reina)) ##### Instrumentations ##### AWS SDK instrumentation - 💡 Instrument EMR's relocated AWS SDK ([#8157](DataDog/dd-trace-java#8157) - [@mcculls](https://github.com/mcculls)) ##### Eclipse Vert.x instrumentation - 🐛 Remove restriction to not run vertx4 latest tests on java 17 ([#8133](DataDog/dd-trace-java#8133) - [@vandonr](https://github.com/vandonr)) ##### JDBC instrumentation - ✨ Add full APM/DBM mode for Oracle ([#8090](DataDog/dd-trace-java#8090) - [@nenadnoveljic](https://github.com/nenadnoveljic)) ##### Jetty instrumentation - 🐛 Ensure jetty 12 has servlet.path starting with / ([#8093](DataDog/dd-trace-java#8093) - [@github-actions](https://github.com/github-actions)\[bot]) ##### JMS instrumentation - 🧹 Re-use `javax` JMS module for `jakarta` namespace ([#8155](DataDog/dd-trace-java#8155) - [@mcculls](https://github.com/mcculls)) - 🧹 Group `javax.jms` instrumentations under a single module ([#8154](DataDog/dd-trace-java#8154) - [@mcculls](https://github.com/mcculls)) ##### Reactor instrumentation - 🐛 Reactor: early propagate span in context when subscribing ([#8166](DataDog/dd-trace-java#8166) - [@amarziali](https://github.com/amarziali)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: ba2355aa4e2e39ab1fee27319cc4176238efd90b

Add new string buffer methods

8feff99

Mariovido added type: enhancement Enhancements and improvements comp: asm iast Application Security Management (IAST) labels Dec 12, 2024

Mariovido marked this pull request as ready for review December 13, 2024 11:57

Mariovido requested a review from a team as a code owner December 13, 2024 11:57

smola requested review from a team, smola and manuel-alvarez-alvarez December 16, 2024 09:45

smola approved these changes Dec 16, 2024

View reviewed changes

Mariovido merged commit 52aeeec into master Dec 16, 2024
155 checks passed

Mariovido deleted the mario.vidal/taint_tracking_append_string_buffer branch December 16, 2024 11:25

github-actions bot added this to the 1.45.0 milestone Dec 16, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Increase IAST propagation to StringBuffer append #8082

Increase IAST propagation to StringBuffer append #8082

Uh oh!

Mariovido commented Dec 12, 2024 •

edited by atlassian bot

Loading

Uh oh!

pr-commenter bot commented Dec 12, 2024

Uh oh!

Uh oh!

Uh oh!

Increase IAST propagation to StringBuffer append #8082

Increase IAST propagation to StringBuffer append #8082

Uh oh!

Conversation

Mariovido commented Dec 12, 2024 • edited by atlassian bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What Does This Do

Motivation

Additional Notes

Contributor Checklist

Uh oh!

pr-commenter bot commented Dec 12, 2024

Benchmarks

Startup

Parameters

Summary

Load

Parameters

Summary

Dacapo

Parameters

Summary

Uh oh!

Uh oh!

Uh oh!

Mariovido commented Dec 12, 2024 •

edited by atlassian bot

Loading