Detect a vulnerability when a default application is deployed #6885
Benchmarks (bot report; candidate=1.35.0-SNAPSHOT~04c59ae87b, baseline=1.35.0-SNAPSHOT~6c2d477f7c; gantt charts omitted)
Startup: found 0 performance improvements and 0 performance regressions. Performance is the same for 50 metrics, 13 unstable metrics (startup time reports for petclinic and insecure-bank).
Load: found 0 performance improvements and 0 performance regressions. Performance is the same for 11 metrics, 17 unstable metrics (request duration reports for insecure-bank and petclinic).
Dacapo: found 0 performance improvements and 0 performance regressions. Performance is the same for 12 metrics, 0 unstable metrics (execution time for tomcat and biojava).
@@ -212,6 +240,27 @@ private void checkWebXmlVulnerabilities(@Nonnull final Path path, final AgentSpa | |||
case TOMCAT_HOST_MANAGER_APP_PATTERN: | |||
reportAdminConsoleActive(span, TOMCAT_HOST_MANAGER_APP); | |||
break; | |||
case TOMCAT_SAMPLES_APP_PATTERN: |
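Review bot: the new `case TOMCAT_SAMPLES_APP_PATTERN:` closing the hunk has no visible body here, while the `TOMCAT_HOST_MANAGER_APP_PATTERN` case just above it reports through `reportAdminConsoleActive`; the samples app is a default deployed application rather than an admin console, so make sure this case reports the new default-application vulnerability with its own evidence label instead of reusing the admin-console reporter, and add a short comment on each `*_APP_PATTERN` constant stating which web.xml display-name it matches so the growing switch stays reviewable.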
Since this is growing quite a bit, wouldn't it make more sense to look for <display-name> and then use a list of default apps to match?
Potentially it could grow even more, so I will go for your approach.
What Does This Do
Adds a new "default application deployed" vulnerability.
Adds support for detecting Tomcat and Jetty default applications by checking the display-name tags in the application's web.xml file.
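The display-name approach agreed on in the review, as an added example that is not dd-trace-java code: parse a deployed app's web.xml with a hardened parser and match its display-name against a list of known default applications. The DEFAULT_APPS table and its display-name values are assumptions for illustration, not the agent's real list.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Optional;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Added example (not dd-trace-java code): detect a default Tomcat/Jetty app via web.xml display-name. */
public final class DefaultAppDetector {

  // Assumed display-name -> app identifier table; illustrative values, not the agent's real list.
  private static final Map<String, String> DEFAULT_APPS = Map.of(
      "Tomcat Manager Application", "TOMCAT_MANAGER_APP",
      "Tomcat Host Manager Application", "TOMCAT_HOST_MANAGER_APP",
      "Servlet and JSP Examples", "TOMCAT_SAMPLES_APP",
      "Test WebApp", "JETTY_TEST_APP");

  /** Returns the default-app identifier if any display-name in web.xml is a known default app. */
  public static Optional<String> detect(byte[] webXml) throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    // web.xml is untrusted input to the agent: disable DTDs and external entities (XXE hardening)
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    f.setFeature("http://xml.org/sax/features/external-general-entities", false);
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    f.setXIncludeAware(false);
    f.setExpandEntityReferences(false);
    DocumentBuilder b = f.newDocumentBuilder();
    Document doc = b.parse(new ByteArrayInputStream(webXml));
    // Non-namespace-aware parsing, so the default javaee namespace on <web-app> does not matter
    NodeList names = doc.getElementsByTagName("display-name");
    for (int i = 0; i < names.getLength(); i++) {
      String app = DEFAULT_APPS.get(names.item(i).getTextContent().trim());
      if (app != null) return Optional.of(app);
    }
    return Optional.empty();
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample web.xml for illustration
    String sample = "<?xml version=\"1.0\"?><web-app>"
        + "<display-name>Servlet and JSP Examples</display-name></web-app>";
    System.out.println(detect(sample.getBytes(StandardCharsets.UTF_8)).orElse("not a default app"));
  }
}
```

A match is the signal to report the default-application vulnerability for that deployment; an empty result means the web.xml names a custom application.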
Motivation
The applications supplied by default with application servers are mostly not intended to be deployed in secure production environments: they may be vulnerable, and even when they are not, their discovery by an attacker could encourage them to look for security flaws in that service.
Additional Notes
Jira ticket: [PROJ-IDENT]