change cookie vulns hash calculation (#8210)

jandro996 · web-flow · commit b74cc247658f · 2025-02-05T11:03:23.000+01:00
What Does This Do
Change the evidence hash calculation for the location one

Motivation
Using evidence for the cookie vulnerabilities hash is not the most effective approach. In some applications, a different cookie name is used per request or session. This leads to a large number of duplicate vulnerabilities. Deduplicating by location leads to a predictably low and bounded number of vulnerabilities.
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java
@@ -31,12 +31,12 @@ public interface VulnerabilityType {
       type(VulnerabilityTypes.WEAK_HASH).excludedSources(Builder.DB_EXCLUDED).build();
   VulnerabilityType INSECURE_COOKIE =
       type(VulnerabilityTypes.INSECURE_COOKIE)
-          .hash(VulnerabilityType::evidenceHash)
+          .hash(VulnerabilityType::fileAndLineHash)
           .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType NO_HTTPONLY_COOKIE =
       type(VulnerabilityTypes.NO_HTTPONLY_COOKIE)
-          .hash(VulnerabilityType::evidenceHash)
+          .hash(VulnerabilityType::fileAndLineHash)
           .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType HSTS_HEADER_MISSING =
@@ -51,7 +51,7 @@ public interface VulnerabilityType {
           .build();
   VulnerabilityType NO_SAMESITE_COOKIE =
       type(VulnerabilityTypes.NO_SAMESITE_COOKIE)
-          .hash(VulnerabilityType::evidenceHash)
+          .hash(VulnerabilityType::fileAndLineHash)
           .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
diff --git a/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/model/VulnerabilityTypeTest.groovy b/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/model/VulnerabilityTypeTest.groovy
@@ -30,15 +30,15 @@ class VulnerabilityTypeTest extends DDSpecification {
     WEAK_CIPHER                 | getSpanAndClassAndMethodLocation(123)  | new Evidence("MD5")                    | 3265519776
     WEAK_CIPHER                 | getSpanAndClassAndMethodLocation(456)  | new Evidence("MD4")                    | 3265519776
     WEAK_CIPHER                 | getSpanAndClassAndMethodLocation(789)  | null                                   | 3265519776
-    INSECURE_COOKIE             | getSpanAndStackLocation(123)           | null                                   | 3471934557
-    INSECURE_COOKIE             | getSpanAndStackLocation(123)           | new Evidence("cookieName1")            | 360083726
-    INSECURE_COOKIE             | getSpanAndStackLocation(123)           | new Evidence("cookieName2")            | 2357141684
-    NO_HTTPONLY_COOKIE          | getSpanAndStackLocation(123)           | null                                   | 2115643285
-    NO_HTTPONLY_COOKIE          | getSpanAndStackLocation(123)           | new Evidence("cookieName1")            | 585548920
-    NO_HTTPONLY_COOKIE          | getSpanAndStackLocation(123)           | new Evidence("cookieName2")            | 3153040834
-    NO_SAMESITE_COOKIE          | getSpanAndStackLocation(123)           | null                                   | 3683185539
-    NO_SAMESITE_COOKIE          | getSpanAndStackLocation(123)           | new Evidence("cookieName1")            | 881944211
-    NO_SAMESITE_COOKIE          | getSpanAndStackLocation(123)           | new Evidence("cookieName2")            | 2912433961
+    INSECURE_COOKIE             | getSpanAndStackLocation(123)           | null                                   | 1156210466
+    INSECURE_COOKIE             | getSpanAndStackLocation(123)           | new Evidence("cookieName1")            | 1156210466
+    INSECURE_COOKIE             | getSpanAndStackLocation(123)           | new Evidence("cookieName2")            | 1156210466
+    NO_HTTPONLY_COOKIE          | getSpanAndStackLocation(123)           | null                                   | 1522983769
+    NO_HTTPONLY_COOKIE          | getSpanAndStackLocation(123)           | new Evidence("cookieName1")            | 1522983769
+    NO_HTTPONLY_COOKIE          | getSpanAndStackLocation(123)           | new Evidence("cookieName2")            | 1522983769
+    NO_SAMESITE_COOKIE          | getSpanAndStackLocation(123)           | null                                   | 1090504969
+    NO_SAMESITE_COOKIE          | getSpanAndStackLocation(123)           | new Evidence("cookieName1")            | 1090504969
+    NO_SAMESITE_COOKIE          | getSpanAndStackLocation(123)           | new Evidence("cookieName2")            | 1090504969
     XCONTENTTYPE_HEADER_MISSING | getSpanAndService(123, null)           | null                                   | 3429203725
     XCONTENTTYPE_HEADER_MISSING | getSpanAndService(123, 'serviceName1') | null                                   | 2718833340
     XCONTENTTYPE_HEADER_MISSING | getSpanAndService(123, 'serviceName2') | null                                   | 990333702
