Increase IAST propagation to StringBuilder setLength #8119

Mariovido · 2024-12-19T14:51:39Z

What Does This Do

This adds the instrumentation to propagate the taint values through the following methods of StringBuilder:

setLength(int)

Motivation

Increase propagation of StringBuilder methods.

Additional Notes

Contributor Checklist

Format the title according the contribution guidelines
Assign the type: and (comp: or inst:) labels in addition to any usefull labels
Don't use close, fix or any linking keywords when referencing an issue.
Use solves instead, and assign the PR milestone to the issue
Update the public documentation in case of new configuration flag or behavior

Jira ticket: APPSEC-55359

pr-commenter · 2024-12-19T15:28:30Z

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	mario.vidal/taint_tracking_string_builder_set_length
git_commit_date	1734694675	1734699351
git_commit_sha	`a3e9bda`	`407adcb`
release_version	1.45.0-SNAPSHOT~a3e9bda406	1.45.0-SNAPSHOT~407adcb3cb

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1734701920	1734701920
ci_job_id	746958746	746958746
ci_pipeline_id	51651498	51651498
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module	Agent	Agent
parent	None	None
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 58 metrics, 5 unstable metrics.

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.45.0-SNAPSHOT~407adcb3cb, baseline=1.45.0-SNAPSHOT~a3e9bda406

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.054 s) : 0, 1054251
Total [baseline] (10.419 s) : 0, 10419289
Agent [candidate] (1.056 s) : 0, 1056181
Total [candidate] (10.362 s) : 0, 10362338
section appsec
Agent [baseline] (1.186 s) : 0, 1185906
Total [baseline] (10.706 s) : 0, 10705608
Agent [candidate] (1.189 s) : 0, 1189432
Total [candidate] (10.685 s) : 0, 10685406
section iast
Agent [baseline] (1.176 s) : 0, 1176142
Total [baseline] (10.979 s) : 0, 10978991
Agent [candidate] (1.18 s) : 0, 1180231
Total [candidate] (10.952 s) : 0, 10952320
section profiling
Agent [baseline] (1.273 s) : 0, 1272904
Total [baseline] (10.821 s) : 0, 10821414
Agent [candidate] (1.283 s) : 0, 1282762
Total [candidate] (10.849 s) : 0, 10849318

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.054 s	-
Agent	appsec	1.186 s	131.655 ms (12.5%)
Agent	iast	1.176 s	121.891 ms (11.6%)
Agent	profiling	1.273 s	218.653 ms (20.7%)
Total	tracing	10.419 s	-
Total	appsec	10.706 s	286.319 ms (2.7%)
Total	iast	10.979 s	559.702 ms (5.4%)
Total	profiling	10.821 s	402.125 ms (3.9%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.056 s	-
Agent	appsec	1.189 s	133.25 ms (12.6%)
Agent	iast	1.18 s	124.05 ms (11.7%)
Agent	profiling	1.283 s	226.581 ms (21.5%)
Total	tracing	10.362 s	-
Total	appsec	10.685 s	323.068 ms (3.1%)
Total	iast	10.952 s	589.981 ms (5.7%)
Total	profiling	10.849 s	486.979 ms (4.7%)

gantt
    title petclinic - break down per module: candidate=1.45.0-SNAPSHOT~407adcb3cb, baseline=1.45.0-SNAPSHOT~a3e9bda406

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (712.144 ms) : 0, 712144
BytebuddyAgent [candidate] (713.612 ms) : 0, 713612
GlobalTracer [baseline] (255.92 ms) : 0, 255920
GlobalTracer [candidate] (256.463 ms) : 0, 256463
AppSec [baseline] (57.72 ms) : 0, 57720
AppSec [candidate] (57.909 ms) : 0, 57909
Remote Config [baseline] (683.684 µs) : 0, 684
Remote Config [candidate] (685.628 µs) : 0, 686
Telemetry [baseline] (12.765 ms) : 0, 12765
Telemetry [candidate] (12.485 ms) : 0, 12485
section appsec
BytebuddyAgent [baseline] (729.056 ms) : 0, 729056
BytebuddyAgent [candidate] (731.882 ms) : 0, 731882
GlobalTracer [baseline] (252.788 ms) : 0, 252788
GlobalTracer [candidate] (253.556 ms) : 0, 253556
AppSec [baseline] (170.792 ms) : 0, 170792
AppSec [candidate] (170.682 ms) : 0, 170682
IAST [baseline] (19.337 ms) : 0, 19337
IAST [candidate] (19.352 ms) : 0, 19352
Remote Config [baseline] (658.253 µs) : 0, 658
Remote Config [candidate] (656.867 µs) : 0, 657
Telemetry [baseline] (7.999 ms) : 0, 7999
Telemetry [candidate] (7.928 ms) : 0, 7928
section iast
BytebuddyAgent [baseline] (827.109 ms) : 0, 827109
BytebuddyAgent [candidate] (829.924 ms) : 0, 829924
GlobalTracer [baseline] (246.151 ms) : 0, 246151
GlobalTracer [candidate] (246.987 ms) : 0, 246987
AppSec [baseline] (57.831 ms) : 0, 57831
AppSec [candidate] (58.0 ms) : 0, 58000
IAST [baseline] (21.011 ms) : 0, 21011
IAST [candidate] (21.22 ms) : 0, 21220
Remote Config [baseline] (664.581 µs) : 0, 665
Remote Config [candidate] (660.404 µs) : 0, 660
Telemetry [baseline] (8.488 ms) : 0, 8488
Telemetry [candidate] (8.483 ms) : 0, 8483
section profiling
BytebuddyAgent [baseline] (702.23 ms) : 0, 702230
BytebuddyAgent [candidate] (704.822 ms) : 0, 704822
GlobalTracer [baseline] (370.832 ms) : 0, 370832
GlobalTracer [candidate] (375.374 ms) : 0, 375374
AppSec [baseline] (54.056 ms) : 0, 54056
AppSec [candidate] (54.889 ms) : 0, 54889
Remote Config [baseline] (656.091 µs) : 0, 656
Remote Config [candidate] (661.86 µs) : 0, 662
Telemetry [baseline] (7.882 ms) : 0, 7882
Telemetry [candidate] (7.908 ms) : 0, 7908
ProfilingAgent [baseline] (95.601 ms) : 0, 95601
ProfilingAgent [candidate] (97.226 ms) : 0, 97226
Profiling [baseline] (95.625 ms) : 0, 95625
Profiling [candidate] (97.252 ms) : 0, 97252

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.45.0-SNAPSHOT~407adcb3cb, baseline=1.45.0-SNAPSHOT~a3e9bda406

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.057 s) : 0, 1056707
Total [baseline] (8.631 s) : 0, 8631009
Agent [candidate] (1.058 s) : 0, 1058357
Total [candidate] (8.59 s) : 0, 8589684
section iast
Agent [baseline] (1.184 s) : 0, 1183987
Total [baseline] (9.242 s) : 0, 9242455
Agent [candidate] (1.176 s) : 0, 1176411
Total [candidate] (9.203 s) : 0, 9203162
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.176 s) : 0, 1175959
Total [baseline] (9.171 s) : 0, 9171253
Agent [candidate] (1.178 s) : 0, 1177605
Total [candidate] (9.202 s) : 0, 9202451
section iast_TELEMETRY_OFF
Agent [baseline] (1.177 s) : 0, 1177139
Total [baseline] (9.156 s) : 0, 9155508
Agent [candidate] (1.18 s) : 0, 1179714
Total [candidate] (9.232 s) : 0, 9231654

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.057 s	-
Agent	iast	1.184 s	127.28 ms (12.0%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.176 s	119.252 ms (11.3%)
Agent	iast_TELEMETRY_OFF	1.177 s	120.432 ms (11.4%)
Total	tracing	8.631 s	-
Total	iast	9.242 s	611.446 ms (7.1%)
Total	iast_HARDCODED_SECRET_DISABLED	9.171 s	540.244 ms (6.3%)
Total	iast_TELEMETRY_OFF	9.156 s	524.498 ms (6.1%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.058 s	-
Agent	iast	1.176 s	118.054 ms (11.2%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.178 s	119.248 ms (11.3%)
Agent	iast_TELEMETRY_OFF	1.18 s	121.357 ms (11.5%)
Total	tracing	8.59 s	-
Total	iast	9.203 s	613.478 ms (7.1%)
Total	iast_HARDCODED_SECRET_DISABLED	9.202 s	612.767 ms (7.1%)
Total	iast_TELEMETRY_OFF	9.232 s	641.97 ms (7.5%)

gantt
    title insecure-bank - break down per module: candidate=1.45.0-SNAPSHOT~407adcb3cb, baseline=1.45.0-SNAPSHOT~a3e9bda406

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (712.466 ms) : 0, 712466
BytebuddyAgent [candidate] (715.928 ms) : 0, 715928
GlobalTracer [baseline] (257.712 ms) : 0, 257712
GlobalTracer [candidate] (256.079 ms) : 0, 256079
AppSec [baseline] (59.569 ms) : 0, 59569
AppSec [candidate] (56.682 ms) : 0, 56682
Remote Config [baseline] (697.001 µs) : 0, 697
Remote Config [candidate] (684.37 µs) : 0, 684
Telemetry [baseline] (11.212 ms) : 0, 11212
Telemetry [candidate] (14.004 ms) : 0, 14004
section iast
BytebuddyAgent [baseline] (834.868 ms) : 0, 834868
BytebuddyAgent [candidate] (827.344 ms) : 0, 827344
GlobalTracer [baseline] (246.077 ms) : 0, 246077
GlobalTracer [candidate] (246.054 ms) : 0, 246054
AppSec [baseline] (57.702 ms) : 0, 57702
AppSec [candidate] (57.913 ms) : 0, 57913
IAST [baseline] (21.107 ms) : 0, 21107
IAST [candidate] (21.066 ms) : 0, 21066
Remote Config [baseline] (658.916 µs) : 0, 659
Remote Config [candidate] (646.551 µs) : 0, 647
Telemetry [baseline] (8.54 ms) : 0, 8540
Telemetry [candidate] (8.433 ms) : 0, 8433
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (827.277 ms) : 0, 827277
BytebuddyAgent [candidate] (828.451 ms) : 0, 828451
GlobalTracer [baseline] (246.309 ms) : 0, 246309
GlobalTracer [candidate] (246.745 ms) : 0, 246745
AppSec [baseline] (57.595 ms) : 0, 57595
AppSec [candidate] (57.636 ms) : 0, 57636
IAST [baseline] (20.86 ms) : 0, 20860
IAST [candidate] (20.838 ms) : 0, 20838
Remote Config [baseline] (649.272 µs) : 0, 649
Remote Config [candidate] (655.522 µs) : 0, 656
Telemetry [baseline] (8.432 ms) : 0, 8432
Telemetry [candidate] (8.402 ms) : 0, 8402
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (828.5 ms) : 0, 828500
BytebuddyAgent [candidate] (831.464 ms) : 0, 831464
GlobalTracer [baseline] (246.508 ms) : 0, 246508
GlobalTracer [candidate] (246.471 ms) : 0, 246471
AppSec [baseline] (57.505 ms) : 0, 57505
AppSec [candidate] (57.292 ms) : 0, 57292
IAST [baseline] (20.674 ms) : 0, 20674
IAST [candidate] (20.483 ms) : 0, 20483
Remote Config [baseline] (652.405 µs) : 0, 652
Remote Config [candidate] (641.536 µs) : 0, 642
Telemetry [baseline] (8.308 ms) : 0, 8308
Telemetry [candidate] (8.316 ms) : 0, 8316

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
end_time	2024-12-20T13:09:02	2024-12-20T13:16:00
git_branch	master	mario.vidal/taint_tracking_string_builder_set_length
git_commit_date	1734694675	1734699351
git_commit_sha	`a3e9bda`	`407adcb`
release_version	1.45.0-SNAPSHOT~a3e9bda406	1.45.0-SNAPSHOT~407adcb3cb
start_time	2024-12-20T13:08:48	2024-12-20T13:15:46

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1734700912	1734700912
ci_job_id	746958747	746958747
ci_pipeline_id	51651498	51651498
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics.

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.45.0-SNAPSHOT~407adcb3cb, baseline=1.45.0-SNAPSHOT~a3e9bda406
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.36 ms) : 1340, 1380
.   : milestone, 1360,
appsec (1.745 ms) : 1722, 1768
.   : milestone, 1745,
appsec_no_iast (1.744 ms) : 1720, 1767
.   : milestone, 1744,
iast (1.517 ms) : 1494, 1540
.   : milestone, 1517,
profiling (1.531 ms) : 1505, 1556
.   : milestone, 1531,
tracing (1.472 ms) : 1447, 1497
.   : milestone, 1472,
section candidate
no_agent (1.36 ms) : 1339, 1380
.   : milestone, 1360,
appsec (1.771 ms) : 1747, 1796
.   : milestone, 1771,
appsec_no_iast (1.744 ms) : 1719, 1768
.   : milestone, 1744,
iast (1.479 ms) : 1456, 1502
.   : milestone, 1479,
profiling (1.509 ms) : 1484, 1534
.   : milestone, 1509,
tracing (1.485 ms) : 1461, 1509
.   : milestone, 1485,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.36 ms [1.34 ms, 1.38 ms]	-
appsec	1.745 ms [1.722 ms, 1.768 ms]	385.199 µs (28.3%)
appsec_no_iast	1.744 ms [1.72 ms, 1.767 ms]	383.579 µs (28.2%)
iast	1.517 ms [1.494 ms, 1.54 ms]	156.817 µs (11.5%)
profiling	1.531 ms [1.505 ms, 1.556 ms]	170.671 µs (12.6%)
tracing	1.472 ms [1.447 ms, 1.497 ms]	111.666 µs (8.2%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.36 ms [1.339 ms, 1.38 ms]	-
appsec	1.771 ms [1.747 ms, 1.796 ms]	411.682 µs (30.3%)
appsec_no_iast	1.744 ms [1.719 ms, 1.768 ms]	383.78 µs (28.2%)
iast	1.479 ms [1.456 ms, 1.502 ms]	119.171 µs (8.8%)
profiling	1.509 ms [1.484 ms, 1.534 ms]	149.564 µs (11.0%)
tracing	1.485 ms [1.461 ms, 1.509 ms]	125.53 µs (9.2%)

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.45.0-SNAPSHOT~407adcb3cb, baseline=1.45.0-SNAPSHOT~a3e9bda406
    dateFormat X
    axisFormat %s
section baseline
no_agent (375.922 µs) : 356, 396
.   : milestone, 376,
iast (487.323 µs) : 466, 509
.   : milestone, 487,
iast_FULL (651.32 µs) : 630, 673
.   : milestone, 651,
iast_GLOBAL (514.126 µs) : 493, 536
.   : milestone, 514,
iast_HARDCODED_SECRET_DISABLED (497.093 µs) : 475, 519
.   : milestone, 497,
iast_INACTIVE (448.878 µs) : 427, 471
.   : milestone, 449,
iast_TELEMETRY_OFF (488.079 µs) : 466, 510
.   : milestone, 488,
tracing (456.449 µs) : 436, 477
.   : milestone, 456,
section candidate
no_agent (375.896 µs) : 355, 397
.   : milestone, 376,
iast (496.385 µs) : 474, 519
.   : milestone, 496,
iast_FULL (652.109 µs) : 630, 674
.   : milestone, 652,
iast_GLOBAL (522.281 µs) : 499, 545
.   : milestone, 522,
iast_HARDCODED_SECRET_DISABLED (485.506 µs) : 464, 507
.   : milestone, 486,
iast_INACTIVE (448.586 µs) : 428, 470
.   : milestone, 449,
iast_TELEMETRY_OFF (485.181 µs) : 462, 508
.   : milestone, 485,
tracing (448.019 µs) : 427, 469
.   : milestone, 448,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	375.922 µs [355.9 µs, 395.945 µs]	-
iast	487.323 µs [466.118 µs, 508.527 µs]	111.4 µs (29.6%)
iast_FULL	651.32 µs [629.756 µs, 672.884 µs]	275.398 µs (73.3%)
iast_GLOBAL	514.126 µs [492.734 µs, 535.517 µs]	138.203 µs (36.8%)
iast_HARDCODED_SECRET_DISABLED	497.093 µs [474.944 µs, 519.241 µs]	121.17 µs (32.2%)
iast_INACTIVE	448.878 µs [427.224 µs, 470.532 µs]	72.955 µs (19.4%)
iast_TELEMETRY_OFF	488.079 µs [465.939 µs, 510.22 µs]	112.157 µs (29.8%)
tracing	456.449 µs [435.615 µs, 477.284 µs]	80.527 µs (21.4%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	375.896 µs [355.061 µs, 396.73 µs]	-
iast	496.385 µs [474.161 µs, 518.608 µs]	120.489 µs (32.1%)
iast_FULL	652.109 µs [630.498 µs, 673.719 µs]	276.213 µs (73.5%)
iast_GLOBAL	522.281 µs [499.105 µs, 545.458 µs]	146.386 µs (38.9%)
iast_HARDCODED_SECRET_DISABLED	485.506 µs [464.294 µs, 506.718 µs]	109.611 µs (29.2%)
iast_INACTIVE	448.586 µs [427.549 µs, 469.622 µs]	72.69 µs (19.3%)
iast_TELEMETRY_OFF	485.181 µs [462.383 µs, 507.979 µs]	109.286 µs (29.1%)
tracing	448.019 µs [427.144 µs, 468.893 µs]	72.123 µs (19.2%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	mario.vidal/taint_tracking_string_builder_set_length
git_commit_date	1734694675	1734699351
git_commit_sha	`a3e9bda`	`407adcb`
release_version	1.45.0-SNAPSHOT~a3e9bda406	1.45.0-SNAPSHOT~407adcb3cb

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1734701499	1734701499
ci_job_id	746958748	746958748
ci_pipeline_id	51651498	51651498
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant	appsec	appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.45.0-SNAPSHOT~407adcb3cb, baseline=1.45.0-SNAPSHOT~a3e9bda406
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.47 ms) : 1458, 1481
.   : milestone, 1470,
appsec (2.357 ms) : 2315, 2399
.   : milestone, 2357,
iast (2.088 ms) : 2036, 2141
.   : milestone, 2088,
iast_GLOBAL (2.142 ms) : 2088, 2195
.   : milestone, 2142,
profiling (1.95 ms) : 1908, 1992
.   : milestone, 1950,
tracing (1.937 ms) : 1896, 1978
.   : milestone, 1937,
section candidate
no_agent (1.476 ms) : 1465, 1488
.   : milestone, 1476,
appsec (2.356 ms) : 2314, 2397
.   : milestone, 2356,
iast (2.089 ms) : 2036, 2142
.   : milestone, 2089,
iast_GLOBAL (2.137 ms) : 2084, 2189
.   : milestone, 2137,
profiling (1.96 ms) : 1916, 2003
.   : milestone, 1960,
tracing (1.928 ms) : 1888, 1968
.   : milestone, 1928,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.47 ms [1.458 ms, 1.481 ms]	-
appsec	2.357 ms [2.315 ms, 2.399 ms]	886.994 µs (60.3%)
iast	2.088 ms [2.036 ms, 2.141 ms]	618.55 µs (42.1%)
iast_GLOBAL	2.142 ms [2.088 ms, 2.195 ms]	671.947 µs (45.7%)
profiling	1.95 ms [1.908 ms, 1.992 ms]	480.113 µs (32.7%)
tracing	1.937 ms [1.896 ms, 1.978 ms]	467.16 µs (31.8%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.476 ms [1.465 ms, 1.488 ms]	-
appsec	2.356 ms [2.314 ms, 2.397 ms]	879.51 µs (59.6%)
iast	2.089 ms [2.036 ms, 2.142 ms]	612.859 µs (41.5%)
iast_GLOBAL	2.137 ms [2.084 ms, 2.189 ms]	660.291 µs (44.7%)
profiling	1.96 ms [1.916 ms, 2.003 ms]	483.334 µs (32.7%)
tracing	1.928 ms [1.888 ms, 1.968 ms]	451.576 µs (30.6%)

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.45.0-SNAPSHOT~407adcb3cb, baseline=1.45.0-SNAPSHOT~a3e9bda406
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.532 s) : 15532000, 15532000
.   : milestone, 15532000,
appsec (15.054 s) : 15054000, 15054000
.   : milestone, 15054000,
iast (18.674 s) : 18674000, 18674000
.   : milestone, 18674000,
iast_GLOBAL (17.64 s) : 17640000, 17640000
.   : milestone, 17640000,
profiling (15.307 s) : 15307000, 15307000
.   : milestone, 15307000,
tracing (14.654 s) : 14654000, 14654000
.   : milestone, 14654000,
section candidate
no_agent (15.27 s) : 15270000, 15270000
.   : milestone, 15270000,
appsec (14.936 s) : 14936000, 14936000
.   : milestone, 14936000,
iast (18.533 s) : 18533000, 18533000
.   : milestone, 18533000,
iast_GLOBAL (18.058 s) : 18058000, 18058000
.   : milestone, 18058000,
profiling (15.043 s) : 15043000, 15043000
.   : milestone, 15043000,
tracing (15.145 s) : 15145000, 15145000
.   : milestone, 15145000,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.532 s [15.532 s, 15.532 s]	-
appsec	15.054 s [15.054 s, 15.054 s]	-478.0 ms (-3.1%)
iast	18.674 s [18.674 s, 18.674 s]	3.142 s (20.2%)
iast_GLOBAL	17.64 s [17.64 s, 17.64 s]	2.108 s (13.6%)
profiling	15.307 s [15.307 s, 15.307 s]	-225.0 ms (-1.4%)
tracing	14.654 s [14.654 s, 14.654 s]	-878.0 ms (-5.7%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.27 s [15.27 s, 15.27 s]	-
appsec	14.936 s [14.936 s, 14.936 s]	-334.0 ms (-2.2%)
iast	18.533 s [18.533 s, 18.533 s]	3.263 s (21.4%)
iast_GLOBAL	18.058 s [18.058 s, 18.058 s]	2.788 s (18.3%)
profiling	15.043 s [15.043 s, 15.043 s]	-227.0 ms (-1.5%)
tracing	15.145 s [15.145 s, 15.145 s]	-125.0 ms (-0.8%)

…set_length

| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [com.google.api.grpc:proto-google-common-protos](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.50.0` -> `2.50.1` | | [com.google.cloud:google-cloud-core-http](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.49.0` -> `2.49.1` | | [com.google.cloud:google-cloud-core](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.49.0` -> `2.49.1` | | [com.google.api:gax](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.59.0` -> `2.59.1` | | [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.44.1` -> `1.45.0` | | [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.44.1` -> `1.45.0` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.47` -> `2.29.48` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.47` -> `2.29.48` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.47` -> `2.29.48` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.47` -> `2.29.48` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.47` -> `2.29.48` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.47` -> `2.29.48` | --- ### Release Notes <details> <summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary> ### [`v1.45.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.45.0): 1.45.0 ##### Breaking changes > \[!WARNING]\ > Support for custom scope manager using OpenTelemetry tracer artifact (`dd-trace-ot`) is dropped. > Tracing with OpenTracing API and custom scope manager will continue to work on 1.44.x releases. ##### Components ##### Application Security Management (IAST) - ✨ Add propagation to URI#toURL method ([#8146](DataDog/dd-trace-java#8146) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Increase IAST propagation to StringBuilder setLength ([#8119](DataDog/dd-trace-java#8119) - [@Mariovido](https://github.com/Mariovido)) - ✨ Increase IAST propagation to StringBuffer append ([#8082](DataDog/dd-trace-java#8082) - [@Mariovido](https://github.com/Mariovido)) - ✨ Handle IAST security controls custom validation and sanitization methods ([#7997](DataDog/dd-trace-java#7997) - [@jandro996](https://github.com/jandro996)) ##### Application Security Management (WAF) - ✨ Update user lifecycle tracking to V3 ([#8108](DataDog/dd-trace-java#8108) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Exploit prevention for Shell Injection / Command Injection ([#7615](DataDog/dd-trace-java#7615) - [@jandro996](https://github.com/jandro996)) ##### Build & Tooling - 💡 Support instrumentation of repackaged libraries ([#8153](DataDog/dd-trace-java#8153) - [@mcculls](https://github.com/mcculls)) - ✨ Configure native image build setting for JDK-22 based GraalVM ([#8092](DataDog/dd-trace-java#8092) - [@MattAlp](https://github.com/MattAlp)) ##### Database Monitoring - ✨ Add full APM/DBM mode for Oracle ([#8090](DataDog/dd-trace-java#8090) - [@nenadnoveljic](https://github.com/nenadnoveljic)) ##### Dynamic Instrumentation - 🐛 make local var hoisting disabled by default ([#8158](DataDog/dd-trace-java#8158) - [@jpbempel](https://github.com/jpbempel)) - 🐛 Fix var hoisting issue when no previous store ([#8122](DataDog/dd-trace-java#8122) - [@jpbempel](https://github.com/jpbempel)) - ✨ Only decorate spans without code origin information ([#8105](DataDog/dd-trace-java#8105) - [@evanchooly](https://github.com/evanchooly)) - 🐛 Fix suspend Kotlin methods instrumentation ([#8080](DataDog/dd-trace-java#8080) - [@jpbempel](https://github.com/jpbempel)) - 🐛 Fix class file version detection ([#8057](DataDog/dd-trace-java#8057) - [@jpbempel](https://github.com/jpbempel)) ##### GraalVM native-image - ✨ Configure native image build setting for JDK-22 based GraalVM ([#8092](DataDog/dd-trace-java#8092) - [@MattAlp](https://github.com/MattAlp)) ##### ML Observability (LLMObs) - ✨🧪 Add LLMObs configuration ([#8076](DataDog/dd-trace-java#8076) - [@gary-huang](https://github.com/gary-huang)) ##### Metrics - Bump integrations-core submodule to 7.60.0 ([#8098](DataDog/dd-trace-java#8098) - [@mcculls](https://github.com/mcculls)) - Upgrade to java-dogstatsd-client v4.4.3 ([#8096](DataDog/dd-trace-java#8096) - [@mcculls](https://github.com/mcculls)) ##### OpenTracing - ⚠️🧹 Remove custom scope manager support ([#8164](DataDog/dd-trace-java#8164) - [@PerfectSlayer](https://github.com/PerfectSlayer)) ##### Telemetry - ✨ Retry telemetry requests if CI Visibility is enabled ([#8147](DataDog/dd-trace-java#8147) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Add configurable Dependency service resolution period ([#8079](DataDog/dd-trace-java#8079) - [@jandro996](https://github.com/jandro996)) ##### Testing - 🐛 Remove restriction to not run vertx4 latest tests on java 17 ([#8133](DataDog/dd-trace-java#8133) - [@vandonr](https://github.com/vandonr)) ##### Tracer core - ✨ Defer remote components to avoid OkHttp class-loading side-effects ([#8131](DataDog/dd-trace-java#8131) - [@mcculls](https://github.com/mcculls)) - ✨ Improve Context API null handling and Javadoc ([#8129](DataDog/dd-trace-java#8129) - [@PerfectSlayer](https://github.com/PerfectSlayer)) - 🐛⚡ Avoid performing blocking I/O operation on application thread ([#8120](DataDog/dd-trace-java#8120) - [@mcculls](https://github.com/mcculls)) - 💡 Introduce a shared context component, independent of tracing ([#8117](DataDog/dd-trace-java#8117) - [@mcculls](https://github.com/mcculls)) - ✨ Improves ServiceNameCollector ([#8109](DataDog/dd-trace-java#8109) - [@amarziali](https://github.com/amarziali)) - Upgrade to ASM 9.7.1 (adds new constant for Java 24) ([#8097](DataDog/dd-trace-java#8097) - [@mcculls](https://github.com/mcculls)) - 🐛 Dynamically evaluate service name for message consumers ([#8088](DataDog/dd-trace-java#8088) - [@amarziali](https://github.com/amarziali)) ##### Serverless - 🐛 Add avoid double instrumenting lambda non-streaming handlers. ([#8073](DataDog/dd-trace-java#8073) - [@purple4reina](https://github.com/purple4reina)) ##### Instrumentations ##### AWS SDK instrumentation - 💡 Instrument EMR's relocated AWS SDK ([#8157](DataDog/dd-trace-java#8157) - [@mcculls](https://github.com/mcculls)) ##### Eclipse Vert.x instrumentation - 🐛 Remove restriction to not run vertx4 latest tests on java 17 ([#8133](DataDog/dd-trace-java#8133) - [@vandonr](https://github.com/vandonr)) ##### JDBC instrumentation - ✨ Add full APM/DBM mode for Oracle ([#8090](DataDog/dd-trace-java#8090) - [@nenadnoveljic](https://github.com/nenadnoveljic)) ##### Jetty instrumentation - 🐛 Ensure jetty 12 has servlet.path starting with / ([#8093](DataDog/dd-trace-java#8093) - [@github-actions](https://github.com/github-actions)\[bot]) ##### JMS instrumentation - 🧹 Re-use `javax` JMS module for `jakarta` namespace ([#8155](DataDog/dd-trace-java#8155) - [@mcculls](https://github.com/mcculls)) - 🧹 Group `javax.jms` instrumentations under a single module ([#8154](DataDog/dd-trace-java#8154) - [@mcculls](https://github.com/mcculls)) ##### Reactor instrumentation - 🐛 Reactor: early propagate span in context when subscribing ([#8166](DataDog/dd-trace-java#8166) - [@amarziali](https://github.com/amarziali)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: ba2355aa4e2e39ab1fee27319cc4176238efd90b

Add support for setLength in the StringBuilder

c79490b

Mariovido added type: enhancement Enhancements and improvements comp: asm iast Application Security Management (IAST) labels Dec 19, 2024

Mariovido added 3 commits December 20, 2024 12:42

Change from before to after method

4ecb270

Merge branch 'master' into mario.vidal/taint_tracking_string_builder_…

4d3d99c

…set_length

Make new tests + change to after

407adcb

Mariovido marked this pull request as ready for review December 20, 2024 12:57

Mariovido requested review from a team as code owners December 20, 2024 12:57

Mariovido requested review from jandro996 and manuel-alvarez-alvarez December 20, 2024 12:57

amarziali removed the request for review from a team December 20, 2024 13:05

smola approved these changes Dec 20, 2024

View reviewed changes

jandro996 approved these changes Dec 20, 2024

View reviewed changes

manuel-alvarez-alvarez approved these changes Dec 20, 2024

View reviewed changes

Mariovido merged commit 46b5986 into master Dec 23, 2024
149 checks passed

Mariovido deleted the mario.vidal/taint_tracking_string_builder_set_length branch December 23, 2024 08:55

github-actions bot added this to the 1.45.0 milestone Dec 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Increase IAST propagation to StringBuilder setLength #8119

Increase IAST propagation to StringBuilder setLength #8119

Uh oh!

Mariovido commented Dec 19, 2024 •

edited by atlassian bot

Loading

Uh oh!

pr-commenter bot commented Dec 19, 2024 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Increase IAST propagation to StringBuilder setLength #8119

Increase IAST propagation to StringBuilder setLength #8119

Uh oh!

Conversation

Mariovido commented Dec 19, 2024 • edited by atlassian bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What Does This Do

Motivation

Additional Notes

Contributor Checklist

Uh oh!

pr-commenter bot commented Dec 19, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Benchmarks

Startup

Parameters

Summary

Load

Parameters

Summary

Dacapo

Parameters

Summary

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Mariovido commented Dec 19, 2024 •

edited by atlassian bot

Loading

pr-commenter bot commented Dec 19, 2024 •

edited

Loading