Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IAST security controls: handling custom validation and sanitization methods #7997

Merged
merged 41 commits into from
Dec 20, 2024

Conversation

jandro996
Copy link
Member

@jandro996 jandro996 commented Nov 22, 2024

What Does This Do

Add secure marks to custom input validators and sanitisers via env variable

RFC (Milestone 0)

Motivation

IAST frequently identifies vulnerabilities that are reported despite the fact that the application executes custom validation mechanisms before reaching those points, effectively preventing any exploitation. As a result, security teams receive unnecessary alerts about potential vulnerabilities that are not actually exploitable.

There is a need for a mechanism to recognise when these custom validation methods are in place, to avoid false positives.

Additional Notes

Security Control Configuration Format

To configure a list of security controls, follow the format and field specifications below. This format uses specific separators to structure each security control entry.

Field Specifications:

Security Control Type: Defines the type of control
Accepted values: INPUT_VALIDATOR or SANITIZER
Secure Marks: List of vulnerability types to apply. Possible values are defined in vulnerability_schema. Optionally, use * to indicate applicability to all types.
Class/File: Fully qualified class or file implementing the security control.
Method: Name of the method implementing the security control.
Parameters(Optional): Fully qualified class parameters. Is used to discern between overloaded methods. If it’s not used and we have overloading security control will be applied to all the methods
Parameters to Validate (Optional): Zero-based list of parameter positions to validate, where the first parameter is position 0. This field applies only to INPUT_VALIDATOR types and is used when not all parameters require validation.

Separators:

; (Semicolon) - Separates each security control.
: (Colon) - Separates each field within a security control.
, (Comma) - Separates items within a field that accepts a list.

INPUT_VALIDATOR:SQLI,XSS:com.example.Validator:validateInput:java.lang.String,bar.foo.Something,java.lang.Object:0,1;
SANITIZER:Secure:*:com.example.Sanitizer:sanitizeInput

Note: Each security control is separated by ;, each field within a security control is separated by :, and items in lists (e.g., Secure Marks or Parameters to Validate) are separated by ,.

Contributor Checklist

Jira ticket: APPSEC-55329

@jandro996 jandro996 added the comp: asm iast Application Security Management (IAST) label Nov 22, 2024
@pr-commenter
Copy link

pr-commenter bot commented Nov 22, 2024

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/security-controls
git_commit_date 1734688094 1734691302
git_commit_sha ab205f6 de8c198
release_version 1.45.0-SNAPSHOT~ab205f6a56 1.45.0-SNAPSHOT~de8c19855d
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1734693655 1734693655
ci_job_id 746838229 746838229
ci_pipeline_id 51644760 51644760
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 58 metrics, 5 unstable metrics.

Startup time reports for insecure-bank
gantt
    title insecure-bank - global startup overhead: candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.111 s) : 0, 1110839
Total [baseline] (8.655 s) : 0, 8654912
Agent [candidate] (1.111 s) : 0, 1111440
Total [candidate] (8.684 s) : 0, 8684007
section iast
Agent [baseline] (1.25 s) : 0, 1250128
Total [baseline] (9.338 s) : 0, 9338329
Agent [candidate] (1.242 s) : 0, 1241781
Total [candidate] (9.27 s) : 0, 9269601
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.249 s) : 0, 1248897
Total [baseline] (9.23 s) : 0, 9230333
Agent [candidate] (1.238 s) : 0, 1238278
Total [candidate] (9.225 s) : 0, 9225454
section iast_TELEMETRY_OFF
Agent [baseline] (1.238 s) : 0, 1237847
Total [baseline] (9.248 s) : 0, 9247518
Agent [candidate] (1.238 s) : 0, 1238461
Total [candidate] (9.215 s) : 0, 9215340
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.111 s -
Agent iast 1.25 s 139.29 ms (12.5%)
Agent iast_HARDCODED_SECRET_DISABLED 1.249 s 138.058 ms (12.4%)
Agent iast_TELEMETRY_OFF 1.238 s 127.008 ms (11.4%)
Total tracing 8.655 s -
Total iast 9.338 s 683.416 ms (7.9%)
Total iast_HARDCODED_SECRET_DISABLED 9.23 s 575.421 ms (6.6%)
Total iast_TELEMETRY_OFF 9.248 s 592.606 ms (6.8%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.111 s -
Agent iast 1.242 s 130.34 ms (11.7%)
Agent iast_HARDCODED_SECRET_DISABLED 1.238 s 126.838 ms (11.4%)
Agent iast_TELEMETRY_OFF 1.238 s 127.021 ms (11.4%)
Total tracing 8.684 s -
Total iast 9.27 s 585.594 ms (6.7%)
Total iast_HARDCODED_SECRET_DISABLED 9.225 s 541.447 ms (6.2%)
Total iast_TELEMETRY_OFF 9.215 s 531.333 ms (6.1%)
gantt
    title insecure-bank - break down per module: candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (712.338 ms) : 0, 712338
BytebuddyAgent [candidate] (712.721 ms) : 0, 712721
GlobalTracer [baseline] (318.887 ms) : 0, 318887
GlobalTracer [candidate] (318.964 ms) : 0, 318964
AppSec [baseline] (55.122 ms) : 0, 55122
AppSec [candidate] (55.255 ms) : 0, 55255
Remote Config [baseline] (664.925 µs) : 0, 665
Remote Config [candidate] (663.514 µs) : 0, 664
Telemetry [baseline] (8.887 ms) : 0, 8887
Telemetry [candidate] (8.891 ms) : 0, 8891
section iast
BytebuddyAgent [baseline] (836.198 ms) : 0, 836198
BytebuddyAgent [candidate] (830.355 ms) : 0, 830355
GlobalTracer [baseline] (313.276 ms) : 0, 313276
GlobalTracer [candidate] (310.798 ms) : 0, 310798
AppSec [baseline] (55.611 ms) : 0, 55611
AppSec [candidate] (56.083 ms) : 0, 56083
IAST [baseline] (21.134 ms) : 0, 21134
IAST [candidate] (20.771 ms) : 0, 20771
Remote Config [baseline] (595.904 µs) : 0, 596
Remote Config [candidate] (599.334 µs) : 0, 599
Telemetry [baseline] (8.312 ms) : 0, 8312
Telemetry [candidate] (8.23 ms) : 0, 8230
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (834.593 ms) : 0, 834593
BytebuddyAgent [candidate] (826.871 ms) : 0, 826871
GlobalTracer [baseline] (311.437 ms) : 0, 311437
GlobalTracer [candidate] (309.676 ms) : 0, 309676
AppSec [baseline] (57.901 ms) : 0, 57901
AppSec [candidate] (56.708 ms) : 0, 56708
IAST [baseline] (21.113 ms) : 0, 21113
IAST [candidate] (21.193 ms) : 0, 21193
Remote Config [baseline] (631.23 µs) : 0, 631
Remote Config [candidate] (618.467 µs) : 0, 618
Telemetry [baseline] (8.25 ms) : 0, 8250
Telemetry [candidate] (8.323 ms) : 0, 8323
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (827.574 ms) : 0, 827574
BytebuddyAgent [candidate] (826.755 ms) : 0, 826755
GlobalTracer [baseline] (307.922 ms) : 0, 307922
GlobalTracer [candidate] (309.195 ms) : 0, 309195
AppSec [baseline] (58.206 ms) : 0, 58206
AppSec [candidate] (58.192 ms) : 0, 58192
IAST [baseline] (20.583 ms) : 0, 20583
IAST [candidate] (20.638 ms) : 0, 20638
Remote Config [baseline] (581.448 µs) : 0, 581
Remote Config [candidate] (589.082 µs) : 0, 589
Telemetry [baseline] (8.081 ms) : 0, 8081
Telemetry [candidate] (8.136 ms) : 0, 8136
Loading
Startup time reports for petclinic
gantt
    title petclinic - global startup overhead: candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.109 s) : 0, 1109242
Total [baseline] (10.453 s) : 0, 10452953
Agent [candidate] (1.113 s) : 0, 1113073
Total [candidate] (10.55 s) : 0, 10550310
section appsec
Agent [baseline] (1.25 s) : 0, 1249572
Total [baseline] (10.806 s) : 0, 10806251
Agent [candidate] (1.25 s) : 0, 1249828
Total [candidate] (10.7 s) : 0, 10699851
section iast
Agent [baseline] (1.248 s) : 0, 1247750
Total [baseline] (10.971 s) : 0, 10970573
Agent [candidate] (1.256 s) : 0, 1256252
Total [candidate] (10.995 s) : 0, 10995337
section profiling
Agent [baseline] (1.34 s) : 0, 1339790
Total [baseline] (10.859 s) : 0, 10859108
Agent [candidate] (1.341 s) : 0, 1341475
Total [candidate] (10.89 s) : 0, 10889741
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.109 s -
Agent appsec 1.25 s 140.33 ms (12.7%)
Agent iast 1.248 s 138.507 ms (12.5%)
Agent profiling 1.34 s 230.547 ms (20.8%)
Total tracing 10.453 s -
Total appsec 10.806 s 353.298 ms (3.4%)
Total iast 10.971 s 517.62 ms (5.0%)
Total profiling 10.859 s 406.155 ms (3.9%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.113 s -
Agent appsec 1.25 s 136.756 ms (12.3%)
Agent iast 1.256 s 143.179 ms (12.9%)
Agent profiling 1.341 s 228.402 ms (20.5%)
Total tracing 10.55 s -
Total appsec 10.7 s 149.541 ms (1.4%)
Total iast 10.995 s 445.027 ms (4.2%)
Total profiling 10.89 s 339.431 ms (3.2%)
gantt
    title petclinic - break down per module: candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (711.919 ms) : 0, 711919
BytebuddyAgent [candidate] (713.789 ms) : 0, 713789
GlobalTracer [baseline] (317.77 ms) : 0, 317770
GlobalTracer [candidate] (319.329 ms) : 0, 319329
AppSec [baseline] (55.127 ms) : 0, 55127
AppSec [candidate] (55.288 ms) : 0, 55288
Remote Config [baseline] (676.434 µs) : 0, 676
Remote Config [candidate] (695.855 µs) : 0, 696
Telemetry [baseline] (8.849 ms) : 0, 8849
Telemetry [candidate] (8.928 ms) : 0, 8928
section appsec
BytebuddyAgent [baseline] (730.408 ms) : 0, 730408
BytebuddyAgent [candidate] (730.438 ms) : 0, 730438
GlobalTracer [baseline] (316.158 ms) : 0, 316158
GlobalTracer [candidate] (316.701 ms) : 0, 316701
AppSec [baseline] (168.85 ms) : 0, 168850
AppSec [candidate] (168.843 ms) : 0, 168843
Remote Config [baseline] (645.18 µs) : 0, 645
Remote Config [candidate] (644.629 µs) : 0, 645
Telemetry [baseline] (8.253 ms) : 0, 8253
Telemetry [candidate] (7.95 ms) : 0, 7950
IAST [baseline] (20.571 ms) : 0, 20571
IAST [candidate] (20.566 ms) : 0, 20566
section iast
BytebuddyAgent [baseline] (834.605 ms) : 0, 834605
BytebuddyAgent [candidate] (840.515 ms) : 0, 840515
GlobalTracer [baseline] (310.292 ms) : 0, 310292
GlobalTracer [candidate] (312.044 ms) : 0, 312044
AppSec [baseline] (58.255 ms) : 0, 58255
AppSec [candidate] (58.759 ms) : 0, 58759
Remote Config [baseline] (601.245 µs) : 0, 601
Remote Config [candidate] (611.089 µs) : 0, 611
Telemetry [baseline] (8.189 ms) : 0, 8189
Telemetry [candidate] (8.238 ms) : 0, 8238
IAST [baseline] (20.819 ms) : 0, 20819
IAST [candidate] (20.977 ms) : 0, 20977
section profiling
ProfilingAgent [baseline] (94.885 ms) : 0, 94885
ProfilingAgent [candidate] (94.68 ms) : 0, 94680
BytebuddyAgent [baseline] (701.89 ms) : 0, 701890
BytebuddyAgent [candidate] (701.625 ms) : 0, 701625
GlobalTracer [baseline] (439.013 ms) : 0, 439013
GlobalTracer [candidate] (440.791 ms) : 0, 440791
AppSec [baseline] (53.827 ms) : 0, 53827
AppSec [candidate] (54.207 ms) : 0, 54207
Remote Config [baseline] (643.443 µs) : 0, 643
Remote Config [candidate] (660.882 µs) : 0, 661
Telemetry [baseline] (7.889 ms) : 0, 7889
Telemetry [candidate] (7.826 ms) : 0, 7826
Profiling [baseline] (94.911 ms) : 0, 94911
Profiling [candidate] (94.706 ms) : 0, 94706
Loading

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2024-12-20T10:53:15 2024-12-20T11:00:15
git_branch master alejandro.gonzalez/security-controls
git_commit_date 1734688094 1734691302
git_commit_sha ab205f6 de8c198
release_version 1.45.0-SNAPSHOT~ab205f6a56 1.45.0-SNAPSHOT~de8c19855d
start_time 2024-12-20T10:53:01 2024-12-20T11:00:01
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1734692768 1734692768
ci_job_id 746838230 746838230
ci_pipeline_id 51644760 51644760
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics.

Request duration reports for petclinic
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.354 ms) : 1334, 1374
.   : milestone, 1354,
appsec (1.745 ms) : 1721, 1769
.   : milestone, 1745,
appsec_no_iast (1.736 ms) : 1711, 1761
.   : milestone, 1736,
iast (1.502 ms) : 1479, 1525
.   : milestone, 1502,
profiling (1.555 ms) : 1529, 1580
.   : milestone, 1555,
tracing (1.47 ms) : 1445, 1495
.   : milestone, 1470,
section candidate
no_agent (1.353 ms) : 1332, 1374
.   : milestone, 1353,
appsec (1.727 ms) : 1703, 1751
.   : milestone, 1727,
appsec_no_iast (1.769 ms) : 1745, 1794
.   : milestone, 1769,
iast (1.506 ms) : 1483, 1529
.   : milestone, 1506,
profiling (1.52 ms) : 1496, 1544
.   : milestone, 1520,
tracing (1.501 ms) : 1477, 1525
.   : milestone, 1501,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.354 ms [1.334 ms, 1.374 ms] -
appsec 1.745 ms [1.721 ms, 1.769 ms] 391.575 µs (28.9%)
appsec_no_iast 1.736 ms [1.711 ms, 1.761 ms] 382.443 µs (28.3%)
iast 1.502 ms [1.479 ms, 1.525 ms] 148.222 µs (11.0%)
profiling 1.555 ms [1.529 ms, 1.58 ms] 201.141 µs (14.9%)
tracing 1.47 ms [1.445 ms, 1.495 ms] 116.532 µs (8.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.353 ms [1.332 ms, 1.374 ms] -
appsec 1.727 ms [1.703 ms, 1.751 ms] 374.118 µs (27.7%)
appsec_no_iast 1.769 ms [1.745 ms, 1.794 ms] 416.525 µs (30.8%)
iast 1.506 ms [1.483 ms, 1.529 ms] 153.431 µs (11.3%)
profiling 1.52 ms [1.496 ms, 1.544 ms] 166.872 µs (12.3%)
tracing 1.501 ms [1.477 ms, 1.525 ms] 147.768 µs (10.9%)
Request duration reports for insecure-bank
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56
    dateFormat X
    axisFormat %s
section baseline
no_agent (378.209 µs) : 357, 399
.   : milestone, 378,
iast (497.351 µs) : 476, 519
.   : milestone, 497,
iast_FULL (653.514 µs) : 632, 675
.   : milestone, 654,
iast_GLOBAL (521.306 µs) : 499, 544
.   : milestone, 521,
iast_HARDCODED_SECRET_DISABLED (490.862 µs) : 470, 512
.   : milestone, 491,
iast_INACTIVE (451.53 µs) : 431, 473
.   : milestone, 452,
iast_TELEMETRY_OFF (479.095 µs) : 458, 500
.   : milestone, 479,
tracing (449.77 µs) : 429, 471
.   : milestone, 450,
section candidate
no_agent (374.988 µs) : 355, 395
.   : milestone, 375,
iast (494.859 µs) : 473, 517
.   : milestone, 495,
iast_FULL (651.524 µs) : 630, 673
.   : milestone, 652,
iast_GLOBAL (523.028 µs) : 500, 546
.   : milestone, 523,
iast_HARDCODED_SECRET_DISABLED (496.307 µs) : 475, 518
.   : milestone, 496,
iast_INACTIVE (453.791 µs) : 432, 475
.   : milestone, 454,
iast_TELEMETRY_OFF (485.861 µs) : 464, 508
.   : milestone, 486,
tracing (452.306 µs) : 431, 473
.   : milestone, 452,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 378.209 µs [357.201 µs, 399.216 µs] -
iast 497.351 µs [475.753 µs, 518.95 µs] 119.143 µs (31.5%)
iast_FULL 653.514 µs [631.744 µs, 675.285 µs] 275.306 µs (72.8%)
iast_GLOBAL 521.306 µs [498.835 µs, 543.777 µs] 143.097 µs (37.8%)
iast_HARDCODED_SECRET_DISABLED 490.862 µs [469.531 µs, 512.193 µs] 112.653 µs (29.8%)
iast_INACTIVE 451.53 µs [430.544 µs, 472.516 µs] 73.321 µs (19.4%)
iast_TELEMETRY_OFF 479.095 µs [457.875 µs, 500.315 µs] 100.886 µs (26.7%)
tracing 449.77 µs [428.935 µs, 470.606 µs] 71.562 µs (18.9%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 374.988 µs [355.37 µs, 394.607 µs] -
iast 494.859 µs [472.761 µs, 516.957 µs] 119.871 µs (32.0%)
iast_FULL 651.524 µs [629.789 µs, 673.259 µs] 276.536 µs (73.7%)
iast_GLOBAL 523.028 µs [500.435 µs, 545.622 µs] 148.04 µs (39.5%)
iast_HARDCODED_SECRET_DISABLED 496.307 µs [474.905 µs, 517.709 µs] 121.319 µs (32.4%)
iast_INACTIVE 453.791 µs [432.348 µs, 475.234 µs] 78.803 µs (21.0%)
iast_TELEMETRY_OFF 485.861 µs [464.133 µs, 507.589 µs] 110.873 µs (29.6%)
tracing 452.306 µs [431.435 µs, 473.176 µs] 77.318 µs (20.6%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/security-controls
git_commit_date 1734688094 1734691302
git_commit_sha ab205f6 de8c198
release_version 1.45.0-SNAPSHOT~ab205f6a56 1.45.0-SNAPSHOT~de8c19855d
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1734693331 1734693331
ci_job_id 746838231 746838231
ci_pipeline_id 51644760 51644760
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.472 ms) : 1460, 1483
.   : milestone, 1472,
appsec (2.339 ms) : 2297, 2381
.   : milestone, 2339,
iast (2.09 ms) : 2037, 2143
.   : milestone, 2090,
iast_GLOBAL (2.133 ms) : 2079, 2186
.   : milestone, 2133,
profiling (1.969 ms) : 1925, 2013
.   : milestone, 1969,
tracing (1.94 ms) : 1899, 1981
.   : milestone, 1940,
section candidate
no_agent (1.47 ms) : 1459, 1482
.   : milestone, 1470,
appsec (2.341 ms) : 2299, 2382
.   : milestone, 2341,
iast (2.092 ms) : 2039, 2145
.   : milestone, 2092,
iast_GLOBAL (2.137 ms) : 2083, 2190
.   : milestone, 2137,
profiling (2.426 ms) : 2184, 2667
.   : milestone, 2426,
tracing (1.936 ms) : 1896, 1977
.   : milestone, 1936,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.472 ms [1.46 ms, 1.483 ms] -
appsec 2.339 ms [2.297 ms, 2.381 ms] 867.225 µs (58.9%)
iast 2.09 ms [2.037 ms, 2.143 ms] 618.321 µs (42.0%)
iast_GLOBAL 2.133 ms [2.079 ms, 2.186 ms] 661.301 µs (44.9%)
profiling 1.969 ms [1.925 ms, 2.013 ms] 497.462 µs (33.8%)
tracing 1.94 ms [1.899 ms, 1.981 ms] 468.793 µs (31.9%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.47 ms [1.459 ms, 1.482 ms] -
appsec 2.341 ms [2.299 ms, 2.382 ms] 870.222 µs (59.2%)
iast 2.092 ms [2.039 ms, 2.145 ms] 621.719 µs (42.3%)
iast_GLOBAL 2.137 ms [2.083 ms, 2.19 ms] 666.307 µs (45.3%)
profiling 2.426 ms [2.184 ms, 2.667 ms] 955.232 µs (65.0%)
tracing 1.936 ms [1.896 ms, 1.977 ms] 466.053 µs (31.7%)
Execution time for biojava
gantt
    title biojava - execution time [CI 0.99] : candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56
    dateFormat X
    axisFormat %s
section baseline
no_agent (14.885 s) : 14885000, 14885000
.   : milestone, 14885000,
appsec (15.001 s) : 15001000, 15001000
.   : milestone, 15001000,
iast (18.812 s) : 18812000, 18812000
.   : milestone, 18812000,
iast_GLOBAL (17.834 s) : 17834000, 17834000
.   : milestone, 17834000,
profiling (14.903 s) : 14903000, 14903000
.   : milestone, 14903000,
tracing (14.94 s) : 14940000, 14940000
.   : milestone, 14940000,
section candidate
no_agent (14.926 s) : 14926000, 14926000
.   : milestone, 14926000,
appsec (15.077 s) : 15077000, 15077000
.   : milestone, 15077000,
iast (18.43 s) : 18430000, 18430000
.   : milestone, 18430000,
iast_GLOBAL (17.886 s) : 17886000, 17886000
.   : milestone, 17886000,
profiling (15.069 s) : 15069000, 15069000
.   : milestone, 15069000,
tracing (15.14 s) : 15140000, 15140000
.   : milestone, 15140000,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.885 s [14.885 s, 14.885 s] -
appsec 15.001 s [15.001 s, 15.001 s] 116.0 ms (0.8%)
iast 18.812 s [18.812 s, 18.812 s] 3.927 s (26.4%)
iast_GLOBAL 17.834 s [17.834 s, 17.834 s] 2.949 s (19.8%)
profiling 14.903 s [14.903 s, 14.903 s] 18.0 ms (0.1%)
tracing 14.94 s [14.94 s, 14.94 s] 55.0 ms (0.4%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.926 s [14.926 s, 14.926 s] -
appsec 15.077 s [15.077 s, 15.077 s] 151.0 ms (1.0%)
iast 18.43 s [18.43 s, 18.43 s] 3.504 s (23.5%)
iast_GLOBAL 17.886 s [17.886 s, 17.886 s] 2.96 s (19.8%)
profiling 15.069 s [15.069 s, 15.069 s] 143.0 ms (1.0%)
tracing 15.14 s [15.14 s, 15.14 s] 214.0 ms (1.4%)

@jandro996 jandro996 force-pushed the alejandro.gonzalez/security-controls branch from 43c6e55 to 7362963 Compare November 25, 2024 09:23
@jandro996 jandro996 changed the title Alejandro.gonzalez/security controls IAST Security controls Nov 26, 2024
@smola smola changed the title IAST Security controls IAST security controls: handling custom validation and sanitization functions Dec 11, 2024
@smola smola changed the title IAST security controls: handling custom validation and sanitization functions IAST security controls: handling custom validation and sanitization methods Dec 11, 2024

public SecurityControlMethodAdapter(
final MethodVisitor mv, final SecurityControl securityControl, final String desc) {
super(Opcodes.ASM8, mv);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is possibly not valid if the method uses newer Java?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i've updated it to ASM9, that is the most higher version that our library version supports (there is an experimental ASM10). I think that this cover new bytecode introduced until java 17

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, Santi, my previous comment wasn’t accurate. Let me provide some additional context with this response.

First of all, when we instantiate a new org.objectweb.asm.ClassReader, it internally checks whether the class version is supported by the ASM version. If it isn’t, an IllegalArgumentException is thrown. To handle this, I’ve added a safeguard to log that exception and avoid breaking the code.

Secondly, my earlier explanation about the opcode was incorrect. In this case, the opcode represents the ASM API version and, for the MethodVisitor, it determines the functionalities available for that specific API version.

To confirm, the entire tracer uses ASM version 9.7, which can be verified in the libs.versions.toml file.

@jandro996 jandro996 requested review from Mariovido and smola December 17, 2024 18:10
@jandro996 jandro996 marked this pull request as ready for review December 18, 2024 09:08
@jandro996 jandro996 requested review from a team as code owners December 18, 2024 09:08
Copy link
Contributor

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@jandro996 jandro996 added this to the 1.45.0 milestone Dec 18, 2024
@jandro996 jandro996 force-pushed the alejandro.gonzalez/security-controls branch from ee746f9 to dee1faf Compare December 19, 2024 07:35
@jandro996
Copy link
Member Author

Hey @manuel-alvarez-alvarez thanks a lot for your review of the SecurtyControl instrumentation, I've made all your suggested changes and added more tests. you can check them in my last commit.

…tycontrol/SecurityControlMethodClassVisitor.java

Co-authored-by: Manuel Álvarez Álvarez <[email protected]>
@jandro996 jandro996 merged commit 8b2bb8e into master Dec 20, 2024
145 of 146 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/security-controls branch December 20, 2024 11:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
comp: asm iast Application Security Management (IAST)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants