
Address cookie vulnerability cardinality issues #8210


jandro996 (Member) commented Jan 15, 2025

What Does This Do

Change the evidence hash calculation to the location one.

Motivation

Using evidence for the cookie vulnerabilities hash is not the most effective approach. In some applications, a different cookie name is used per request or session. This leads to a large number of duplicate vulnerabilities. Deduplicating by location leads to a predictably low and bounded number of vulnerabilities.

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-56366
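The cardinality trade-off the motivation describes, as an added model that is not dd-trace-java code: cookie findings keyed by evidence (the cookie name) versus by location (vulnerability type plus the code site that emitted the cookie), run over a constructed workload in which a filter sets a per-session cookie name. The `Location`/`CookieFinding` shapes, the vulnerability type names and the SHA-256 keying are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Location:
    """Where the Set-Cookie header was produced (assumed shape)."""
    path: str
    line: int
    method: str


@dataclass(frozen=True)
class CookieFinding:
    """One cookie vulnerability observed at runtime (assumed shape)."""
    vuln_type: str      # e.g. "INSECURE_COOKIE" (constructed name)
    cookie_name: str    # the evidence: the cookie's name
    location: Location


def _digest(*parts: str) -> str:
    # SHA-256 over a delimiter-joined tuple; the delimiter keeps
    # ("a", "bc") and ("ab", "c") from hashing to the same key.
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()


def evidence_hash(f: CookieFinding) -> str:
    """Pre-change strategy: the cookie name is part of the key, so a name
    that differs per session yields a brand-new vulnerability every time."""
    return _digest(f.vuln_type, f.cookie_name)


def location_hash(f: CookieFinding) -> str:
    """Post-change strategy: the key is the vulnerability type plus the code
    location. The type must stay in the key; otherwise INSECURE_COOKIE and
    NO_HTTPONLY_COOKIE raised from the same line would collapse into one."""
    return _digest(f.vuln_type, f.location.path,
                   str(f.location.line), f.location.method)


def dedupe(findings: List[CookieFinding],
           key_fn: Callable[[CookieFinding], str]) -> Dict[str, CookieFinding]:
    """Keep the first finding seen per key. The retained finding still carries
    a sample cookie name, so a location-keyed report does not lose evidence."""
    seen: Dict[str, CookieFinding] = {}
    for f in findings:
        seen.setdefault(key_fn(f), f)
    return seen


def constructed_findings(sessions: int) -> List[CookieFinding]:
    """Constructed workload: a filter sets a per-session cookie name and
    misses both Secure and HttpOnly; a login handler sets a fixed cookie."""
    filt = Location("CookieFilter.java", 42, "doFilter")
    login = Location("LoginController.java", 88, "login")
    out: List[CookieFinding] = []
    for i in range(sessions):
        name = f"sess-{i:04x}"          # new cookie name on every session
        out.append(CookieFinding("INSECURE_COOKIE", name, filt))
        out.append(CookieFinding("NO_HTTPONLY_COOKIE", name, filt))
    out.append(CookieFinding("INSECURE_COOKIE", "remember_me", login))
    return out


def count_by_strategy(findings: List[CookieFinding]) -> Tuple[int, int]:
    """Distinct vulnerabilities reported under (evidence key, location key).
    The location count is bounded by types x locations, whatever the traffic."""
    return (len(dedupe(findings, evidence_hash)),
            len(dedupe(findings, location_hash)))


if __name__ == "__main__":
    fs = constructed_findings(50)
    ev, loc = count_by_strategy(fs)
    print(f"{len(fs)} findings -> evidence-keyed: {ev}, location-keyed: {loc}")
```

The location-keyed report keeps only the first cookie name seen at each site, which is the accepted cost of the bounded count.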

jandro996 added the "type: enhancement" and "comp: asm iast (Application Security Management (IAST))" labels Jan 15, 2025
jandro996 force-pushed the alejandro.gonzalez/Address-cookie-vulnerability-cardinality-issues branch from 61b9d84 to 7fcd910 January 15, 2025 14:52
pr-commenter bot commented Jan 15, 2025

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/Address-cookie-vulnerability-cardinality-issues |
| git_commit_date | 1736975505 | 1737012421 |
| git_commit_sha | 6ece325 | af7b5fa |
| release_version | 1.46.0-SNAPSHOT~6ece325a84 | 1.46.0-SNAPSHOT~af7b5fa5f3 |

Matching parameters:

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1737014953 | 1737014953 |
| ci_job_id | 768473858 | 768473858 |
| ci_pipeline_id | 53151392 | 53151392 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 4 unstable metrics.

Startup time reports for petclinic (global startup overhead; candidate=1.46.0-SNAPSHOT~af7b5fa5f3, baseline=1.46.0-SNAPSHOT~6ece325a84)

Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.055 s | - |
| Agent | appsec | 1.188 s | 132.915 ms (12.6%) |
| Agent | iast | 1.183 s | 128.33 ms (12.2%) |
| Agent | profiling | 1.252 s | 197.378 ms (18.7%) |
| Total | tracing | 10.429 s | - |
| Total | appsec | 10.665 s | 235.803 ms (2.3%) |
| Total | iast | 11.053 s | 624.383 ms (6.0%) |
| Total | profiling | 10.841 s | 411.569 ms (3.9%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.064 s | - |
| Agent | appsec | 1.192 s | 128.887 ms (12.1%) |
| Agent | iast | 1.181 s | 117.351 ms (11.0%) |
| Agent | profiling | 1.255 s | 191.247 ms (18.0%) |
| Total | tracing | 10.49 s | - |
| Total | appsec | 10.731 s | 241.243 ms (2.3%) |
| Total | iast | 10.941 s | 451.245 ms (4.3%) |
| Total | profiling | 10.783 s | 292.627 ms (2.8%) |
Break down per module for petclinic (candidate=1.46.0-SNAPSHOT~af7b5fa5f3, baseline=1.46.0-SNAPSHOT~6ece325a84):

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 712.455 ms | 720.568 ms |
| tracing | GlobalTracer | 255.118 ms | 257.326 ms |
| tracing | AppSec | 55.811 ms | 56.22 ms |
| tracing | Remote Config | 719.522 µs | 733.278 µs |
| tracing | Telemetry | 15.819 ms | 13.605 ms |
| appsec | BytebuddyAgent | 730.843 ms | 734.134 ms |
| appsec | GlobalTracer | 252.827 ms | 253.296 ms |
| appsec | AppSec | 170.625 ms | 171.246 ms |
| appsec | Remote Config | 660.808 µs | 667.781 µs |
| appsec | Telemetry | 8.205 ms | 8.228 ms |
| appsec | IAST | 19.364 ms | 19.502 ms |
| iast | BytebuddyAgent | 832.478 ms | 829.822 ms |
| iast | GlobalTracer | 246.885 ms | 247.722 ms |
| iast | AppSec | 57.901 ms | 57.792 ms |
| iast | Remote Config | 670.751 µs | 649.659 µs |
| iast | Telemetry | 8.745 ms | 8.587 ms |
| iast | IAST | 21.523 ms | 21.302 ms |
| profiling | BytebuddyAgent | 702.377 ms | 702.847 ms |
| profiling | GlobalTracer | 349.36 ms | 352.146 ms |
| profiling | AppSec | 54.615 ms | 53.534 ms |
| profiling | Remote Config | 655.554 µs | 676.477 µs |
| profiling | Telemetry | 8.824 ms | 8.889 ms |
| profiling | ProfilingAgent | 94.578 ms | 94.785 ms |
| profiling | Profiling | 94.603 ms | 94.81 ms |
Startup time reports for insecure-bank (global startup overhead; candidate=1.46.0-SNAPSHOT~af7b5fa5f3, baseline=1.46.0-SNAPSHOT~6ece325a84)

Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.064 s | - |
| Agent | iast | 1.182 s | 118.853 ms (11.2%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.18 s | 116.85 ms (11.0%) |
| Agent | iast_TELEMETRY_OFF | 1.188 s | 124.135 ms (11.7%) |
| Total | tracing | 8.648 s | - |
| Total | iast | 9.194 s | 545.943 ms (6.3%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.152 s | 504.433 ms (5.8%) |
| Total | iast_TELEMETRY_OFF | 9.2 s | 552.057 ms (6.4%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.071 s | - |
| Agent | iast | 1.19 s | 118.624 ms (11.1%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.186 s | 114.238 ms (10.7%) |
| Agent | iast_TELEMETRY_OFF | 1.178 s | 106.212 ms (9.9%) |
| Total | tracing | 8.655 s | - |
| Total | iast | 9.197 s | 541.229 ms (6.3%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.22 s | 564.89 ms (6.5%) |
| Total | iast_TELEMETRY_OFF | 9.188 s | 532.961 ms (6.2%) |
Break down per module for insecure-bank (candidate=1.46.0-SNAPSHOT~af7b5fa5f3, baseline=1.46.0-SNAPSHOT~6ece325a84):

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 721.062 ms | 723.638 ms |
| tracing | GlobalTracer | 258.14 ms | 260.399 ms |
| tracing | AppSec | 56.373 ms | 56.915 ms |
| tracing | Remote Config | 727.642 µs | 738.267 µs |
| tracing | Telemetry | 12.1 ms | 14.538 ms |
| iast | BytebuddyAgent | 832.131 ms | 838.09 ms |
| iast | GlobalTracer | 246.688 ms | 247.9 ms |
| iast | AppSec | 58.044 ms | 57.933 ms |
| iast | Remote Config | 657.635 µs | 682.455 µs |
| iast | Telemetry | 8.684 ms | 8.738 ms |
| iast | IAST | 21.221 ms | 21.585 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 829.978 ms | 834.323 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 246.386 ms | 247.189 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 58.043 ms | 58.09 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 658.572 µs | 676.626 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 8.763 ms | 8.783 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 21.571 ms | 21.447 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 835.576 ms | 827.86 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 248.37 ms | 246.6 ms |
| iast_TELEMETRY_OFF | AppSec | 58.035 ms | 57.916 ms |
| iast_TELEMETRY_OFF | Remote Config | 680.265 µs | 664.377 µs |
| iast_TELEMETRY_OFF | Telemetry | 8.749 ms | 8.7 ms |
| iast_TELEMETRY_OFF | IAST | 21.214 ms | 20.877 ms |

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2025-01-16T07:39:14 | 2025-01-16T07:46:16 |
| git_branch | master | alejandro.gonzalez/Address-cookie-vulnerability-cardinality-issues |
| git_commit_date | 1736975505 | 1737012421 |
| git_commit_sha | 6ece325 | af7b5fa |
| release_version | 1.46.0-SNAPSHOT~6ece325a84 | 1.46.0-SNAPSHOT~af7b5fa5f3 |
| start_time | 2025-01-16T07:39:00 | 2025-01-16T07:46:03 |

Matching parameters:

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1737013934 | 1737013934 |
| ci_job_id | 768473859 | 768473859 |
| ci_pipeline_id | 53151392 | 53151392 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for insecure-bank (CI 0.99; candidate=1.46.0-SNAPSHOT~af7b5fa5f3, baseline=1.46.0-SNAPSHOT~6ece325a84)

Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 374.131 µs [354.4 µs, 393.862 µs] | - |
| iast | 499.801 µs [478.25 µs, 521.352 µs] | 125.67 µs (33.6%) |
| iast_FULL | 741.899 µs [720.073 µs, 763.724 µs] | 367.768 µs (98.3%) |
| iast_GLOBAL | 548.151 µs [525.921 µs, 570.381 µs] | 174.02 µs (46.5%) |
| iast_HARDCODED_SECRET_DISABLED | 501.307 µs [479.775 µs, 522.838 µs] | 127.176 µs (34.0%) |
| iast_INACTIVE | 449.236 µs [428.417 µs, 470.055 µs] | 75.105 µs (20.1%) |
| iast_TELEMETRY_OFF | 485.501 µs [464.061 µs, 506.941 µs] | 111.37 µs (29.8%) |
| tracing | 450.047 µs [428.398 µs, 471.696 µs] | 75.916 µs (20.3%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 380.931 µs [361.102 µs, 400.759 µs] | - |
| iast | 501.937 µs [480.397 µs, 523.476 µs] | 121.006 µs (31.8%) |
| iast_FULL | 744.772 µs [722.718 µs, 766.826 µs] | 363.842 µs (95.5%) |
| iast_GLOBAL | 559.6 µs [535.993 µs, 583.207 µs] | 178.67 µs (46.9%) |
| iast_HARDCODED_SECRET_DISABLED | 506.265 µs [484.359 µs, 528.171 µs] | 125.334 µs (32.9%) |
| iast_INACTIVE | 450.172 µs [429.241 µs, 471.103 µs] | 69.241 µs (18.2%) |
| iast_TELEMETRY_OFF | 485.046 µs [463.508 µs, 506.585 µs] | 104.116 µs (27.3%) |
| tracing | 450.039 µs [428.958 µs, 471.119 µs] | 69.108 µs (18.1%) |
Request duration reports for petclinic (CI 0.99; candidate=1.46.0-SNAPSHOT~af7b5fa5f3, baseline=1.46.0-SNAPSHOT~6ece325a84)

Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.341 ms [1.322 ms, 1.361 ms] | - |
| appsec | 1.736 ms [1.712 ms, 1.761 ms] | 395.414 µs (29.5%) |
| appsec_no_iast | 1.734 ms [1.71 ms, 1.757 ms] | 392.467 µs (29.3%) |
| iast | 1.498 ms [1.474 ms, 1.523 ms] | 157.398 µs (11.7%) |
| profiling | 1.557 ms [1.531 ms, 1.584 ms] | 216.292 µs (16.1%) |
| tracing | 1.471 ms [1.446 ms, 1.496 ms] | 130.043 µs (9.7%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.367 ms [1.348 ms, 1.386 ms] | - |
| appsec | 1.755 ms [1.731 ms, 1.779 ms] | 388.139 µs (28.4%) |
| appsec_no_iast | 1.749 ms [1.725 ms, 1.772 ms] | 381.806 µs (27.9%) |
| iast | 1.519 ms [1.495 ms, 1.544 ms] | 152.519 µs (11.2%) |
| profiling | 1.52 ms [1.494 ms, 1.545 ms] | 152.615 µs (11.2%) |
| tracing | 1.47 ms [1.445 ms, 1.496 ms] | 103.422 µs (7.6%) |

Dacapo

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/Address-cookie-vulnerability-cardinality-issues |
| git_commit_date | 1736975505 | 1737012421 |
| git_commit_sha | 6ece325 | af7b5fa |
| release_version | 1.46.0-SNAPSHOT~6ece325a84 | 1.46.0-SNAPSHOT~af7b5fa5f3 |

Matching parameters:

| | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1737014515 | 1737014515 |
| ci_job_id | 768473860 | 768473860 |
| ci_pipeline_id | 53151392 | 53151392 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava (CI 0.99; candidate=1.46.0-SNAPSHOT~af7b5fa5f3, baseline=1.46.0-SNAPSHOT~6ece325a84)

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.516 s [15.516 s, 15.516 s] | - |
| appsec | 15.35 s [15.35 s, 15.35 s] | -166.0 ms (-1.1%) |
| iast | 18.238 s [18.238 s, 18.238 s] | 2.722 s (17.5%) |
| iast_GLOBAL | 18.133 s [18.133 s, 18.133 s] | 2.617 s (16.9%) |
| profiling | 15.196 s [15.196 s, 15.196 s] | -320.0 ms (-2.1%) |
| tracing | 14.886 s [14.886 s, 14.886 s] | -630.0 ms (-4.1%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 14.963 s [14.963 s, 14.963 s] | - |
| appsec | 14.939 s [14.939 s, 14.939 s] | -24.0 ms (-0.2%) |
| iast | 18.716 s [18.716 s, 18.716 s] | 3.753 s (25.1%) |
| iast_GLOBAL | 18.309 s [18.309 s, 18.309 s] | 3.346 s (22.4%) |
| profiling | 15.602 s [15.602 s, 15.602 s] | 639.0 ms (4.3%) |
| tracing | 14.917 s [14.917 s, 14.917 s] | -46.0 ms (-0.3%) |
Execution time for tomcat (CI 0.99; candidate=1.46.0-SNAPSHOT~af7b5fa5f3, baseline=1.46.0-SNAPSHOT~6ece325a84)

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.474 ms [1.462 ms, 1.485 ms] | - |
| appsec | 2.373 ms [2.33 ms, 2.416 ms] | 899.435 µs (61.0%) |
| iast | 2.121 ms [2.065 ms, 2.176 ms] | 646.691 µs (43.9%) |
| iast_GLOBAL | 2.16 ms [2.105 ms, 2.215 ms] | 686.143 µs (46.6%) |
| profiling | 1.981 ms [1.936 ms, 2.026 ms] | 506.987 µs (34.4%) |
| tracing | 1.95 ms [1.908 ms, 1.993 ms] | 476.621 µs (32.3%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.473 ms [1.462 ms, 1.485 ms] | - |
| appsec | 2.37 ms [2.326 ms, 2.413 ms] | 896.54 µs (60.8%) |
| iast | 2.119 ms [2.064 ms, 2.174 ms] | 645.49 µs (43.8%) |
| iast_GLOBAL | 2.162 ms [2.107 ms, 2.217 ms] | 688.697 µs (46.7%) |
| profiling | 1.995 ms [1.95 ms, 2.04 ms] | 521.795 µs (35.4%) |
| tracing | 1.954 ms [1.912 ms, 1.996 ms] | 480.747 µs (32.6%) |

@jandro996 jandro996 marked this pull request as ready for review January 16, 2025 08:23
@jandro996 jandro996 requested a review from a team as a code owner January 16, 2025 08:23
smola (Member) left a comment

Looks good to me. To be approved in the next IAST sync or with the IAST working group before merge.

jandro996 force-pushed the alejandro.gonzalez/Address-cookie-vulnerability-cardinality-issues branch from af7b5fa to c3e3d08 February 4, 2025 14:15
jandro996 removed the "comp: asm iast (Application Security Management (IAST))" label Feb 5, 2025

github-actions bot (Contributor) commented Feb 5, 2025

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

jandro996 added the "comp: asm iast (Application Security Management (IAST))" label Feb 5, 2025
jandro996 merged commit b74cc24 into master Feb 5, 2025
197 of 198 checks passed
jandro996 deleted the alejandro.gonzalez/Address-cookie-vulnerability-cardinality-issues branch February 5, 2025 10:03
github-actions bot added this to the 1.47.0 milestone Feb 5, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Mar 6, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.46.1` -> `1.47.0` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.46.1` -> `1.47.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |

---

### Release Notes

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.47.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.47.0): 1.47.0

##### Components

##### Application Security Management (IAST)

- 🐛 Exclude com.stripe.net.HttpURLConnectionClient to solve IAST SSRF vulnerability false positives ([#8483](DataDog/dd-trace-java#8483) - [@jandro996](https://github.com/jandro996))
- 🐛 Add exclusion to solve IAST weak randomness vulnerability false positives ([#8462](DataDog/dd-trace-java#8462) - [@jandro996](https://github.com/jandro996))
- ✨ Fix weak randomness false positive in Kafka client ([#8408](DataDog/dd-trace-java#8408) - [@smola](https://github.com/smola))
- ✨ Fix location for SSRF with Kong Unirest ([#8407](DataDog/dd-trace-java#8407) - [@smola](https://github.com/smola))
- ✨ Exclude IBM Instana from IAST ([#8406](DataDog/dd-trace-java#8406) - [@smola](https://github.com/smola))
- 🐛 Fix org.json iast instrumentation test for latest dependency ([#8347](DataDog/dd-trace-java#8347) - [@jandro996](https://github.com/jandro996))
- ✨ Configuration to Disable APM Tracing ([#8219](DataDog/dd-trace-java#8219) - [@jandro996](https://github.com/jandro996))
- ✨ Address cookie vulnerability cardinality issues ([#8210](DataDog/dd-trace-java#8210) - [@jandro996](https://github.com/jandro996))
- ✨ Email HTML Injection detection in IAST ([#8205](DataDog/dd-trace-java#8205) - [@sezen-datadog](https://github.com/sezen-datadog))

##### Application Security Management (WAF)

- 🐛✨ Ensure usr.exists tag is not overridden when UsernameNotFoundException is thrown ([#8376](DataDog/dd-trace-java#8376) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- 🐛✨ Ensure usr.exists tag is not overridden by auto instrumentation ([#8374](DataDog/dd-trace-java#8374) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Update appsec metrics with event_rules_version tag ([#8354](DataDog/dd-trace-java#8354) - [@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Update metrics: appsec.waf.requests ([#8353](DataDog/dd-trace-java#8353) - [@Mariovido](https://github.com/Mariovido))
- ✨ Improve ASM support in vert.x 5.0 ([#8285](DataDog/dd-trace-java#8285) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Update metrics: appsec.waf.updates and appsec.waf.init ([#8280](DataDog/dd-trace-java#8280) - [@Mariovido](https://github.com/Mariovido))
- ✨ Configuration to Disable APM Tracing ([#8219](DataDog/dd-trace-java#8219) - [@jandro996](https://github.com/jandro996))

##### Build & Tooling

- 🐛 Do not generate Muzzle references for primitive arrays in method body ([#8361](DataDog/dd-trace-java#8361) - [@amarziali](https://github.com/amarziali))
- 📖 Improve dev env setup documentation for Windows ([#8180](DataDog/dd-trace-java#8180) - [@lucaspimentel](https://github.com/lucaspimentel))

##### Continuous Integration Visibility

- ✨ Add support for skip-EFD tagging ([#8487](DataDog/dd-trace-java#8487) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix an NPE in Gradle Android instrumentation ([#8484](DataDog/dd-trace-java#8484) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Consider modified tests when applying fail-fast tests ordering ([#8474](DataDog/dd-trace-java#8474) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement tests reordering for TestNG ([#8467](DataDog/dd-trace-java#8467) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix Gradle Launcher instrumentation to not interfere with Gradle Test Kit ([#8465](DataDog/dd-trace-java#8465) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Use separate TestEventHandlers per framework in CI Vis instrumentations ([#8451](DataDog/dd-trace-java#8451) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Remove warning log when JUnit 4 test method cannot be retrieved ([#8445](DataDog/dd-trace-java#8445) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix Scalatest tracing for tests that are reported asynchronously ([#8444](DataDog/dd-trace-java#8444) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement attempt to fix tests ([#8393](DataDog/dd-trace-java#8393) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement test disabling ([#8377](DataDog/dd-trace-java#8377) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Update CODEOWNERS parser to not log errors on comments with leading whitespace ([#8349](DataDog/dd-trace-java#8349) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Request Test Management tests list ([#8345](DataDog/dd-trace-java#8345) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Receive test management settings from CIVis settings request ([#8331](DataDog/dd-trace-java#8331) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement quarantined tests tagging ([#8326](DataDog/dd-trace-java#8326) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement tests quarantining ([#8320](DataDog/dd-trace-java#8320) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add tag to specify if the user is setting DD_SERVICE ([#8318](DataDog/dd-trace-java#8318) - [@daniel-mohedano](https://github.com/daniel-mohedano))

##### Crash tracking

- ✨ Only fork jps when required ([#8419](DataDog/dd-trace-java#8419) - [@mcculls](https://github.com/mcculls))
- 🐛 Use Java home of the crashed process to launch crash uploader ([#8348](DataDog/dd-trace-java#8348) - [@jbachorik](https://github.com/jbachorik))

##### Data Streams Monitoring

- 🐛 Fix error happening when sqs message attributes are readonly ([#8473](DataDog/dd-trace-java#8473) - [@vandonr](https://github.com/vandonr))
- 🐛 Fix bug on proto schema extraction ([#8403](DataDog/dd-trace-java#8403) - [@vandonr](https://github.com/vandonr))
- 🐛 Fix service name overrides in consumers ([#8387](DataDog/dd-trace-java#8387) - [@piochelepiotr](https://github.com/piochelepiotr))

##### Database Monitoring

- ✨ Add DBMTracePreparedStatements to tracer configuration log ([#8508](DataDog/dd-trace-java#8508) - [@cecile75](https://github.com/cecile75))

##### Dynamic Instrumentation

- ✨ Look in another location for grpc service methods ([#8468](DataDog/dd-trace-java#8468) - [@evanchooly](https://github.com/evanchooly))
- 🐛 Fix Exception Replay with Lambda proxy classes ([#8452](DataDog/dd-trace-java#8452) - [@jpbempel](https://github.com/jpbempel))
- ✨ Add code origin support for spring-webmvc ([#8416](DataDog/dd-trace-java#8416) - [@evanchooly](https://github.com/evanchooly))
- ✨ Add support for scanning jar from loaded class ([#8370](DataDog/dd-trace-java#8370) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Disable capture of entry values ([#8369](DataDog/dd-trace-java#8369) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Fix CodeOrigin for `@Trace` annotation ([#8344](DataDog/dd-trace-java#8344) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Fix equals/hashCode for CodeOrigin probe ([#8319](DataDog/dd-trace-java#8319) - [@jpbempel](https://github.com/jpbempel))
- ✨ Add code origin support to kafka message listeners ([#8301](DataDog/dd-trace-java#8301) - [@evanchooly](https://github.com/evanchooly))

##### Metrics

- ✨ Create metric: appsec.waf.error ([#8381](DataDog/dd-trace-java#8381) - [@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Create metric: appsec.rasp.error ([#8364](DataDog/dd-trace-java#8364) - [@sezen-datadog](https://github.com/sezen-datadog))

##### Profiling

- ✨ Bump ddprof library to 1.22.0 ([#8463](DataDog/dd-trace-java#8463) - [@jbachorik](https://github.com/jbachorik))
  - IBM J9 8u361 corresponds to OpenJDK 8u362 by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#187
  - Fix compatibility with musl libc 1.2.4 by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#189
  - Modify version extraction by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#179
  - Do not write null values to jvminfo event by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#184
  - Productize VMStructs-based stack walker by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#177
  - A few minor downport issues by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#180
  - Enable ASGCT by default on fairly safe J9 JDK versions by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#181
- 🐛 Exclude OrderedThreadPoolExecutor from queue-time measurements ([#8456](DataDog/dd-trace-java#8456) - [@jbachorik](https://github.com/jbachorik))
- ✨ Record JVM info on JVMs without JFR ([#8431](DataDog/dd-trace-java#8431) - [@jbachorik](https://github.com/jbachorik))
- 🐛 Actually use CleanupTask in TempLocationManager ([#8420](DataDog/dd-trace-java#8420) - [@mcculls](https://github.com/mcculls))
- ✨ Only fork jps when required ([#8419](DataDog/dd-trace-java#8419) - [@mcculls](https://github.com/mcculls))
- 🐛 Adjust JFR checks for J9 ([#8405](DataDog/dd-trace-java#8405) - [@jbachorik](https://github.com/jbachorik))
- 🧹 Disable smap RSS parsing by default ([#8342](DataDog/dd-trace-java#8342) - [@MattAlp](https://github.com/MattAlp))

##### Telemetry

- 🐛 Add support for JBoss jar:file format to DependencyResolver ([#8428](DataDog/dd-trace-java#8428) - [@jandro996](https://github.com/jandro996))
- ✨ Update metrics: appsec.waf.requests ([#8353](DataDog/dd-trace-java#8353) - [@Mariovido](https://github.com/Mariovido))

##### Trace context propagation

- ✨ Introduce tracing propagator ([#8313](DataDog/dd-trace-java#8313) - [@PerfectSlayer](https://github.com/PerfectSlayer))

##### Tracer core

- 🐛 Fix Stable Config telemetry source names ([#8460](DataDog/dd-trace-java#8460) - [@BaptisteFoy](https://github.com/BaptisteFoy))
- ✨ Probe trace endpoints with a valid payload of empty arrays ([#8414](DataDog/dd-trace-java#8414) - [@mcculls](https://github.com/mcculls))
- ✨ Add 1 minute fail-safe to JUL/JMX class-loading callback ([#8399](DataDog/dd-trace-java#8399) - [@mcculls](https://github.com/mcculls))
- ✨ Migrate DSM injection calls to context-first APIs ([#8383](DataDog/dd-trace-java#8383) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- 🧹 Move continuation capture methods from scope to tracer ([#8371](DataDog/dd-trace-java#8371) - [@mcculls](https://github.com/mcculls))
- ✨ Migrate context extraction calls to context-first APIs
([#&#8203;8368](DataDog/dd-trace-java#8368) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- 🧹 Migrate context injection calls to context-first APIs
([#&#8203;8358](DataDog/dd-trace-java#8358) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- 💡 Support reading configurations from files
([#&#8203;8338](DataDog/dd-trace-java#8338) -
[@&#8203;mtoffl01](https://github.com/mtoffl01))
- 💡 Implementation of BaggagePropagator and BaggageContext
([#&#8203;8330](DataDog/dd-trace-java#8330) -
[@&#8203;mhlidd](https://github.com/mhlidd))
- 🧹 Combine continuation implementations into one which supports
multiple activations
([#&#8203;8324](DataDog/dd-trace-java#8324) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Introduce tracing propagator
([#&#8203;8313](DataDog/dd-trace-java#8313) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Remove old context propagation API
([#&#8203;8271](DataDog/dd-trace-java#8271) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))

##### Instrumentations

##### AWS Lambda instrumentation

- 🐛 Send error message and stack to Lambda extension
([#&#8203;8417](DataDog/dd-trace-java#8417) -
[@&#8203;nhulston](https://github.com/nhulston))

##### AWS SDK instrumentation

- 🐛 Fix error happening when sqs message attributes are readonly
([#&#8203;8473](DataDog/dd-trace-java#8473) -
[@&#8203;vandonr](https://github.com/vandonr))
- 💡 Inject trace context into AWS Step Functions input
([#&#8203;7585](DataDog/dd-trace-java#7585) -
[@&#8203;DylanLovesCoffee](https://github.com/DylanLovesCoffee))

##### Core Java language instrumentation

- ✨ Look in another location for grpc service methods
([#&#8203;8468](DataDog/dd-trace-java#8468) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- ✨ Add code origin support for spring-webmvc
([#&#8203;8416](DataDog/dd-trace-java#8416) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- 💡 Implementation of BaggagePropagator and BaggageContext
([#&#8203;8330](DataDog/dd-trace-java#8330) -
[@&#8203;mhlidd](https://github.com/mhlidd))
- ✨ Add code origin support to kafka message listeners
([#&#8203;8301](DataDog/dd-trace-java#8301) -
[@&#8203;evanchooly](https://github.com/evanchooly))

##### gRPC instrumentation

- ✨ Look in another location for grpc service methods
([#&#8203;8468](DataDog/dd-trace-java#8468) -
[@&#8203;evanchooly](https://github.com/evanchooly))

##### Kafka instrumentation

- ✨ Add messaging.destination.name tag to kafka integrations
([#&#8203;8366](DataDog/dd-trace-java#8366) -
[@&#8203;rarguelloF](https://github.com/rarguelloF))

##### Protocol Buffer instrumentation

- 🐛 Fix bug on proto schema extraction
([#&#8203;8403](DataDog/dd-trace-java#8403) -
[@&#8203;vandonr](https://github.com/vandonr))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: 108a0f86aa59ab4c938cbac0688dd4c19cb301fa