Benchmarks

Startup
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 49 metrics, 14 unstable metrics.
Startup time reports for petclinic
[Gantt chart: petclinic - global startup overhead: candidate=1.39.0-SNAPSHOT~eeec65e478, baseline=1.38.0~60ddc9e0d7]
[Gantt chart: petclinic - break down per module: candidate=1.39.0-SNAPSHOT~eeec65e478, baseline=1.38.0~60ddc9e0d7]
Startup time reports for insecure-bank
[Gantt chart: insecure-bank - global startup overhead: candidate=1.39.0-SNAPSHOT~eeec65e478, baseline=1.38.0~60ddc9e0d7]
[Gantt chart: insecure-bank - break down per module: candidate=1.39.0-SNAPSHOT~eeec65e478, baseline=1.38.0~60ddc9e0d7]

Load
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 6 metrics, 22 unstable metrics.
Request duration reports for insecure-bank
[Gantt chart: insecure-bank - request duration [CI 0.99] : candidate=1.39.0-SNAPSHOT~eeec65e478, baseline=1.38.0~60ddc9e0d7]
Request duration reports for petclinic
[Gantt chart: petclinic - request duration [CI 0.99] : candidate=1.39.0-SNAPSHOT~eeec65e478, baseline=1.38.0~60ddc9e0d7]

Dacapo
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
Execution time for biojava
[Gantt chart: biojava - execution time [CI 0.99] : candidate=1.39.0-SNAPSHOT~eeec65e478, baseline=1.38.0~60ddc9e0d7]
Execution time for tomcat
[Gantt chart: tomcat - execution time [CI 0.99] : candidate=1.39.0-SNAPSHOT~eeec65e478, baseline=1.38.0~60ddc9e0d7]

smola (Member) reviewed on Jun 20, 2024:
A few comments, but I still did not review all the parsing logic.

Review threads:
internal-api/src/main/java/datadog/trace/api/iast/stratum/SourceMapper.java (resolved)
...gboot-tomcat-jsp/src/test/groovy/datadog/smoketest/springboot/IastSpringBootSmokeTest.groovy (outdated, resolved)
...oling/src/test/groovy/datadog/trace/agent/tooling/iast/stratum/StratumManagerImplTest.groovy (outdated, resolved)
...oling/src/test/groovy/datadog/trace/agent/tooling/iast/stratum/StratumManagerImplTest.groovy (outdated, resolved)
...nt/agent-tooling/src/main/java/datadog/trace/agent/tooling/iast/stratum/AbstractStratum.java (resolved)
...strumenter/src/main/java/datadog/trace/instrumentation/iastinstrumenter/StratumListener.java (outdated, resolved)
...agent-tooling/src/main/java/datadog/trace/agent/tooling/iast/stratum/StratumManagerImpl.java (outdated, resolved)
...agent-tooling/src/main/java/datadog/trace/agent/tooling/iast/stratum/StratumManagerImpl.java (outdated, resolved)

…tooling/iast/stratum/StratumManagerImpl.java Co-authored-by: Manuel Álvarez Álvarez <manuel-alvarez-alvarez@users.noreply.github.com>
…tooling/iast/stratum/StratumManagerImpl.java Co-authored-by: Manuel Álvarez Álvarez <manuel-alvarez-alvarez@users.noreply.github.com>
…t/tooling/iast/stratum/StratumManagerImplTest.groovy Co-authored-by: Santiago M. Mola <santiago.mola@datadoghq.com>
…t/tooling/iast/stratum/StratumManagerImplTest.groovy Co-authored-by: Santiago M. Mola <santiago.mola@datadoghq.com>

smola requested changes on Jul 17, 2024

Review threads:
...a-agent/agent-tooling/src/main/java/datadog/trace/agent/tooling/iast/stratum/StratumExt.java (outdated, resolved)
...ent/agent-tooling/src/main/java/datadog/trace/agent/tooling/iast/stratum/StratumManager.java (outdated, resolved)

Member, Author:
All changes reviewed to avoid logging at error level

Review threads:
...ent/agent-tooling/src/main/java/datadog/trace/agent/tooling/iast/stratum/StratumManager.java (outdated, resolved)
...ent/agent-tooling/src/main/java/datadog/trace/agent/tooling/iast/stratum/StratumManager.java (outdated, resolved)

…tooling/iast/stratum/StratumManager.java Co-authored-by: Manuel Álvarez Álvarez <manuel-alvarez-alvarez@users.noreply.github.com>

smola approved these changes on Aug 5, 2024
manuel-alvarez-alvarez approved these changes on Aug 7, 2024

Contributor:
For reference, the original spec is JSR 45

What Does This Do
Add StratumManager to deal with SMAP Syntax from Jakarta Debugging Support for Other Languages
Replace the StackTraceElement used to create the vulnerability location with the original file and line info.
This currently requires setting DD_IAST_SOURCE_MAPPING_ENABLED=true.
Motivation
If we want to show the proper filename for vulnerabilities in JSP, we’ll need to map JSP stack traces to file names.
Additional Notes
Jira ticket: APPSEC-4703
New metric PR
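
How a JSR 45 SMAP line section maps a generated-servlet line back to a JSP file and line, as an added example that is not the StratumManager code from this PR. The SMAP text, `login.jsp`, the `SmapExample` class and its `resolve` helper are constructed for illustration, and a single stratum is assumed.

```java
import java.util.*;
public class SmapExample {
  // Constructed SMAP, shaped like what a JSP compiler emits for a hypothetical login.jsp.
  static final String SMAP = String.join("\n",
      "SMAP", "login_jsp.java", "JSP", "*S JSP", "*F",
      "+ 0 login.jsp", "WEB-INF/jsp/login.jsp",
      "*L", "1,3:116", "10:120,4", "*E");

  /** Maps a line of the generated source back to {sourcePath, line}; null if unmapped. */
  static String[] resolve(String smap, int outputLine) {
    Map<Integer, String> files = new HashMap<>();
    String section = "";
    int fileId = 0; // LineFileID carries over from the previous LineInfo when omitted
    String[] lines = smap.split("\n");
    for (int i = 0; i < lines.length; i++) {
      String l = lines[i].trim();
      if (l.isEmpty()) continue;
      if (l.startsWith("*")) { section = l.substring(0, Math.min(2, l.length())); continue; }
      if (section.equals("*F")) {
        boolean hasPath = l.startsWith("+"); // "+ id name" is followed by a path line
        String[] p = (hasPath ? l.substring(1).trim() : l).split(" ", 2);
        files.put(Integer.parseInt(p[0]), hasPath ? lines[++i].trim() : p[1]);
      } else if (section.equals("*L")) {
        // InputStartLine[#LineFileID][,RepeatCount]:OutputStartLine[,OutputLineIncrement]
        String[] io = l.split(":");
        String[] in = io[0].split(",");
        String[] out = io[1].split(",");
        String[] start = in[0].split("#");
        if (start.length > 1) fileId = Integer.parseInt(start[1]);
        int inStart = Integer.parseInt(start[0]);
        int repeat = in.length > 1 ? Integer.parseInt(in[1]) : 1;
        int outStart = Integer.parseInt(out[0]);
        int inc = out.length > 1 ? Integer.parseInt(out[1]) : 1;
        int offset = outputLine - outStart;
        if (offset >= 0 && inc > 0 && offset < repeat * inc) {
          return new String[] {files.get(fileId), String.valueOf(inStart + offset / inc)};
        }
      }
    }
    return null;
  }
  public static void main(String[] args) {
    StackTraceElement f = new StackTraceElement("org.apache.jsp.login_jsp", "_jspService", "login_jsp.java", 122);
    String[] src = resolve(SMAP, f.getLineNumber());
    StackTraceElement mapped = src == null ? f : new StackTraceElement(
        f.getClassName(), f.getMethodName(), src[0], Integer.parseInt(src[1]));
    System.out.println(f + " -> " + mapped);
  }
}
```

With the constructed SMAP, generated line 122 falls in the `10:120,4` entry, so the frame is reported at `WEB-INF/jsp/login.jsp:10`; a line with no matching entry keeps its original frame.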