Add new Default app deployed vulnerability

DataDog · Apr 10, 2024 · 645db4b · 645db4b
1 parent b32b4df
commit 645db4b
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 9 deletions.
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java
@@ -89,6 +89,9 @@ public interface VulnerabilityType {
   VulnerabilityType SESSION_REWRITING =
       new ServiceVulnerabilityType(VulnerabilityTypes.SESSION_REWRITING);
 
+  VulnerabilityType DEFAULT_APP_DEPLOYED =
+      new ServiceVulnerabilityType(VulnerabilityTypes.DEFAULT_APP_DEPLOYED);
+
   String name();
 
   /** A bit flag to ignore tainted ranges for this vulnerability. Set to 0 if none. */

diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java
@@ -241,25 +241,25 @@ private void checkWebXmlVulnerabilities(@Nonnull Path path, AgentSpan span) {
           reportAdminConsoleActive(span, TOMCAT_HOST_MANAGER_APP);
           break;
         case TOMCAT_SAMPLES_APP_PATTERN:
-          reportAdminConsoleActive(span, TOMCAT_SAMPLES_APP);
+          reportDefaultAppDeployed(span, TOMCAT_SAMPLES_APP);
           break;
         case JETTY_ASYNC_REST_APP_PATTERN:
-          reportAdminConsoleActive(span, JETTY_ASYNC_REST_APP);
+          reportDefaultAppDeployed(span, JETTY_ASYNC_REST_APP);
           break;
         case JETTY_JAVADOC_APP_PATTERN:
-          reportAdminConsoleActive(span, JETTY_JAVADOC_APP);
+          reportDefaultAppDeployed(span, JETTY_JAVADOC_APP);
           break;
         case JETTY_JAAS_APP_PATTERN:
-          reportAdminConsoleActive(span, JETTY_JAAS_APP);
+          reportDefaultAppDeployed(span, JETTY_JAAS_APP);
           break;
         case JETTY_JNDI_APP_PATTERN:
-          reportAdminConsoleActive(span, JETTY_JNDI_APP);
+          reportDefaultAppDeployed(span, JETTY_JNDI_APP);
           break;
         case JETTY_SPEC_APP_PATTERN:
-          reportAdminConsoleActive(span, JETTY_SPEC_APP);
+          reportDefaultAppDeployed(span, JETTY_SPEC_APP);
           break;
         case JETTY_TEST_APP_PATTERN:
-          reportAdminConsoleActive(span, JETTY_TEST_APP);
+          reportDefaultAppDeployed(span, JETTY_TEST_APP);
           break;
         case LISTINGS_PATTERN:
         case JETTY_LISTINGS_PATTERN:
@@ -315,6 +315,15 @@ private void reportAdminConsoleActive(AgentSpan span, final String evidence) {
             new Evidence(evidence)));
   }
 
+  private void reportDefaultAppDeployed(final AgentSpan span, final String evidence) {
+    reporter.report(
+        span,
+        new Vulnerability(
+            VulnerabilityType.DEFAULT_APP_DEPLOYED,
+            Location.forSpan(span),
+            new Evidence(evidence)));
+  }
+
   private void checkDirectoryListingLeak(
       final String webXmlContent, int index, final AgentSpan span) {
     int valueIndex =

diff --git a/internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityTypes.java b/internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityTypes.java
@@ -35,6 +35,7 @@ private VulnerabilityTypes() {}
   public static final byte INSECURE_AUTH_PROTOCOL = 26;
   public static final byte REFLECTION_INJECTION = 27;
   public static final byte SESSION_REWRITING = 28;
+  public static final byte DEFAULT_APP_DEPLOYED = 29;
 
   /**
    * Use for telemetry only, this is a special vulnerability type that is not reported, reported
@@ -75,7 +76,8 @@ private VulnerabilityTypes() {}
     SESSION_TIMEOUT,
     DIRECTORY_LISTING_LEAK,
     INSECURE_JSP_LAYOUT,
-    SESSION_REWRITING
+    SESSION_REWRITING,
+    DEFAULT_APP_DEPLOYED,
   };
 
   /**
@@ -111,7 +113,8 @@ private VulnerabilityTypes() {}
     "HARDCODED_SECRET",
     "INSECURE_AUTH_PROTOCOL",
     "REFLECTION_INJECTION",
-    "SESSION_REWRITING"
+    "SESSION_REWRITING",
+    "DEFAULT_APP_DEPLOYED"
   };
 
   public static String toString(final byte vulnerability) {

diff --git a/internal-api/src/test/groovy/datadog/trace/api/iast/VulnerabilityTypesTest.groovy b/internal-api/src/test/groovy/datadog/trace/api/iast/VulnerabilityTypesTest.groovy
@@ -43,5 +43,6 @@ class VulnerabilityTypesTest extends DDSpecification {
     VulnerabilityTypes.INSECURE_AUTH_PROTOCOL      | 'INSECURE_AUTH_PROTOCOL'
     VulnerabilityTypes.REFLECTION_INJECTION        | 'REFLECTION_INJECTION'
     VulnerabilityTypes.SESSION_REWRITING           | 'SESSION_REWRITING'
+    VulnerabilityTypes.DEFAULT_APP_DEPLOYED        | 'DEFAULT_APP_DEPLOYED'
   }
 }