Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Detect a vulnerability when a default application is deployed #6885

Merged
merged 4 commits into from
May 13, 2024

Conversation

jandro996
Copy link
Member

@jandro996 jandro996 commented Apr 4, 2024

What Does This Do

Add new default deployed vulnerability
Give support for Tomcat and Jetty default applications checking display-name tags into web.xml application file

Motivation

The applications supplied by default with application servers are mostly not intended to be deployed in secure production environments as they may be vulnerable, or even if they are not, their discovery by an attacker could encourage them to seek security flaws in that service.

Additional Notes

Jira ticket: [PROJ-IDENT]

@jandro996 jandro996 changed the base branch from master to alejandro.gonzalez/IW_directory_listing_improve April 4, 2024 10:06
@pr-commenter
Copy link

pr-commenter bot commented Apr 4, 2024

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/IW_default_app_deployed
git_commit_date 1715615333 1715616103
git_commit_sha 6c2d477 04c59ae
release_version 1.35.0-SNAPSHOT~6c2d477f7c 1.35.0-SNAPSHOT~04c59ae87b
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1715618742 1715618742
ci_job_id 510368214 510368214
ci_pipeline_id 34162014 34162014
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 50 metrics, 13 unstable metrics.

Startup time reports for petclinic
gantt
    title petclinic - global startup overhead: candidate=1.35.0-SNAPSHOT~04c59ae87b, baseline=1.35.0-SNAPSHOT~6c2d477f7c

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.078 s) : 0, 1077725
Total [baseline] (10.396 s) : 0, 10396016
Agent [candidate] (1.077 s) : 0, 1077478
Total [candidate] (10.432 s) : 0, 10432048
section appsec
Agent [baseline] (1.195 s) : 0, 1195374
Total [baseline] (10.466 s) : 0, 10465642
Agent [candidate] (1.197 s) : 0, 1196617
Total [candidate] (10.572 s) : 0, 10571530
section iast
Agent [baseline] (1.204 s) : 0, 1203696
Total [baseline] (10.758 s) : 0, 10757922
Agent [candidate] (1.203 s) : 0, 1202858
Total [candidate] (10.754 s) : 0, 10753812
section profiling
Agent [baseline] (1.281 s) : 0, 1281079
Total [baseline] (10.682 s) : 0, 10681991
Agent [candidate] (1.27 s) : 0, 1270174
Total [candidate] (10.593 s) : 0, 10593440
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.078 s -
Agent appsec 1.195 s 117.649 ms (10.9%)
Agent iast 1.204 s 125.971 ms (11.7%)
Agent profiling 1.281 s 203.354 ms (18.9%)
Total tracing 10.396 s -
Total appsec 10.466 s 69.626 ms (0.7%)
Total iast 10.758 s 361.906 ms (3.5%)
Total profiling 10.682 s 285.975 ms (2.8%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.077 s -
Agent appsec 1.197 s 119.14 ms (11.1%)
Agent iast 1.203 s 125.38 ms (11.6%)
Agent profiling 1.27 s 192.696 ms (17.9%)
Total tracing 10.432 s -
Total appsec 10.572 s 139.481 ms (1.3%)
Total iast 10.754 s 321.763 ms (3.1%)
Total profiling 10.593 s 161.391 ms (1.5%)
gantt
    title petclinic - break down per module: candidate=1.35.0-SNAPSHOT~04c59ae87b, baseline=1.35.0-SNAPSHOT~6c2d477f7c

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (674.056 ms) : 0, 674056
BytebuddyAgent [candidate] (674.135 ms) : 0, 674135
GlobalTracer [baseline] (311.676 ms) : 0, 311676
GlobalTracer [candidate] (311.256 ms) : 0, 311256
AppSec [baseline] (49.427 ms) : 0, 49427
AppSec [candidate] (49.511 ms) : 0, 49511
Remote Config [baseline] (657.742 µs) : 0, 658
Remote Config [candidate] (656.272 µs) : 0, 656
Telemetry [baseline] (7.583 ms) : 0, 7583
Telemetry [candidate] (7.577 ms) : 0, 7577
section appsec
BytebuddyAgent [baseline] (695.884 ms) : 0, 695884
BytebuddyAgent [candidate] (695.921 ms) : 0, 695921
GlobalTracer [baseline] (293.594 ms) : 0, 293594
GlobalTracer [candidate] (294.289 ms) : 0, 294289
AppSec [baseline] (152.563 ms) : 0, 152563
AppSec [candidate] (152.564 ms) : 0, 152564
Remote Config [baseline] (616.798 µs) : 0, 617
Remote Config [candidate] (618.764 µs) : 0, 619
Telemetry [baseline] (8.74 ms) : 0, 8740
Telemetry [candidate] (9.392 ms) : 0, 9392
IAST [baseline] (19.244 ms) : 0, 19244
IAST [candidate] (18.892 ms) : 0, 18892
section iast
BytebuddyAgent [baseline] (796.065 ms) : 0, 796065
BytebuddyAgent [candidate] (796.281 ms) : 0, 796281
GlobalTracer [baseline] (291.269 ms) : 0, 291269
GlobalTracer [candidate] (291.023 ms) : 0, 291023
AppSec [baseline] (50.69 ms) : 0, 50690
AppSec [candidate] (52.809 ms) : 0, 52809
Remote Config [baseline] (582.328 µs) : 0, 582
Remote Config [candidate] (605.706 µs) : 0, 606
Telemetry [baseline] (6.604 ms) : 0, 6604
Telemetry [candidate] (6.677 ms) : 0, 6677
IAST [baseline] (24.104 ms) : 0, 24104
IAST [candidate] (21.124 ms) : 0, 21124
section profiling
ProfilingAgent [baseline] (97.333 ms) : 0, 97333
ProfilingAgent [candidate] (95.473 ms) : 0, 95473
BytebuddyAgent [baseline] (683.852 ms) : 0, 683852
BytebuddyAgent [candidate] (677.423 ms) : 0, 677423
GlobalTracer [baseline] (384.127 ms) : 0, 384127
GlobalTracer [candidate] (382.034 ms) : 0, 382034
AppSec [baseline] (50.555 ms) : 0, 50555
AppSec [candidate] (50.519 ms) : 0, 50519
Remote Config [baseline] (718.972 µs) : 0, 719
Remote Config [candidate] (713.218 µs) : 0, 713
Telemetry [baseline] (7.492 ms) : 0, 7492
Telemetry [candidate] (7.442 ms) : 0, 7442
Profiling [baseline] (97.358 ms) : 0, 97358
Profiling [candidate] (95.497 ms) : 0, 95497
Loading
Startup time reports for insecure-bank
gantt
    title insecure-bank - global startup overhead: candidate=1.35.0-SNAPSHOT~04c59ae87b, baseline=1.35.0-SNAPSHOT~6c2d477f7c

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.076 s) : 0, 1076049
Total [baseline] (8.556 s) : 0, 8556111
Agent [candidate] (1.084 s) : 0, 1084096
Total [candidate] (8.598 s) : 0, 8597522
section iast
Agent [baseline] (1.206 s) : 0, 1205678
Total [baseline] (9.025 s) : 0, 9025182
Agent [candidate] (1.203 s) : 0, 1203136
Total [candidate] (9.005 s) : 0, 9005033
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.205 s) : 0, 1205062
Total [baseline] (8.994 s) : 0, 8994402
Agent [candidate] (1.21 s) : 0, 1210146
Total [candidate] (9.005 s) : 0, 9004674
section iast_TELEMETRY_OFF
Agent [baseline] (1.202 s) : 0, 1202351
Total [baseline] (9.021 s) : 0, 9020677
Agent [candidate] (1.199 s) : 0, 1198987
Total [candidate] (8.998 s) : 0, 8998039
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.076 s -
Agent iast 1.206 s 129.629 ms (12.0%)
Agent iast_HARDCODED_SECRET_DISABLED 1.205 s 129.013 ms (12.0%)
Agent iast_TELEMETRY_OFF 1.202 s 126.302 ms (11.7%)
Total tracing 8.556 s -
Total iast 9.025 s 469.071 ms (5.5%)
Total iast_HARDCODED_SECRET_DISABLED 8.994 s 438.29 ms (5.1%)
Total iast_TELEMETRY_OFF 9.021 s 464.565 ms (5.4%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.084 s -
Agent iast 1.203 s 119.04 ms (11.0%)
Agent iast_HARDCODED_SECRET_DISABLED 1.21 s 126.049 ms (11.6%)
Agent iast_TELEMETRY_OFF 1.199 s 114.891 ms (10.6%)
Total tracing 8.598 s -
Total iast 9.005 s 407.511 ms (4.7%)
Total iast_HARDCODED_SECRET_DISABLED 9.005 s 407.152 ms (4.7%)
Total iast_TELEMETRY_OFF 8.998 s 400.517 ms (4.7%)
gantt
    title insecure-bank - break down per module: candidate=1.35.0-SNAPSHOT~04c59ae87b, baseline=1.35.0-SNAPSHOT~6c2d477f7c

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (673.475 ms) : 0, 673475
BytebuddyAgent [candidate] (678.789 ms) : 0, 678789
GlobalTracer [baseline] (310.583 ms) : 0, 310583
GlobalTracer [candidate] (312.647 ms) : 0, 312647
AppSec [baseline] (49.491 ms) : 0, 49491
AppSec [candidate] (49.793 ms) : 0, 49793
Remote Config [baseline] (659.828 µs) : 0, 660
Remote Config [candidate] (667.922 µs) : 0, 668
Telemetry [baseline] (7.561 ms) : 0, 7561
Telemetry [candidate] (7.615 ms) : 0, 7615
section iast
BytebuddyAgent [baseline] (797.815 ms) : 0, 797815
BytebuddyAgent [candidate] (795.64 ms) : 0, 795640
GlobalTracer [baseline] (291.851 ms) : 0, 291851
GlobalTracer [candidate] (291.396 ms) : 0, 291396
AppSec [baseline] (49.57 ms) : 0, 49570
AppSec [candidate] (49.377 ms) : 0, 49377
IAST [baseline] (24.186 ms) : 0, 24186
IAST [candidate] (24.51 ms) : 0, 24510
Remote Config [baseline] (1.289 ms) : 0, 1289
Remote Config [candidate] (584.929 µs) : 0, 585
Telemetry [baseline] (6.63 ms) : 0, 6630
Telemetry [candidate] (7.294 ms) : 0, 7294
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (797.164 ms) : 0, 797164
BytebuddyAgent [candidate] (801.193 ms) : 0, 801193
GlobalTracer [baseline] (291.704 ms) : 0, 291704
GlobalTracer [candidate] (292.719 ms) : 0, 292719
AppSec [baseline] (51.539 ms) : 0, 51539
AppSec [candidate] (50.905 ms) : 0, 50905
IAST [baseline] (23.069 ms) : 0, 23069
IAST [candidate] (23.533 ms) : 0, 23533
Remote Config [baseline] (580.796 µs) : 0, 581
Remote Config [candidate] (631.097 µs) : 0, 631
Telemetry [baseline] (6.602 ms) : 0, 6602
Telemetry [candidate] (6.588 ms) : 0, 6588
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (794.774 ms) : 0, 794774
BytebuddyAgent [candidate] (792.43 ms) : 0, 792430
GlobalTracer [baseline] (291.622 ms) : 0, 291622
GlobalTracer [candidate] (290.927 ms) : 0, 290927
AppSec [baseline] (53.109 ms) : 0, 53109
AppSec [candidate] (51.346 ms) : 0, 51346
IAST [baseline] (21.304 ms) : 0, 21304
IAST [candidate] (22.742 ms) : 0, 22742
Remote Config [baseline] (590.765 µs) : 0, 591
Remote Config [candidate] (668.667 µs) : 0, 669
Telemetry [baseline] (6.584 ms) : 0, 6584
Telemetry [candidate] (6.616 ms) : 0, 6616
Loading

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2024-05-13T16:18:21 2024-05-13T16:25:11
git_branch master alejandro.gonzalez/IW_default_app_deployed
git_commit_date 1715615333 1715616103
git_commit_sha 6c2d477 04c59ae
release_version 1.35.0-SNAPSHOT~6c2d477f7c 1.35.0-SNAPSHOT~04c59ae87b
start_time 2024-05-13T16:18:08 2024-05-13T16:24:57
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1715617855 1715617855
ci_job_id 510368216 510368216
ci_pipeline_id 34162014 34162014
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for insecure-bank
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.35.0-SNAPSHOT~04c59ae87b, baseline=1.35.0-SNAPSHOT~6c2d477f7c
    dateFormat X
    axisFormat %s
section baseline
no_agent (371.42 µs) : 352, 391
.   : milestone, 371,
iast (483.264 µs) : 462, 505
.   : milestone, 483,
iast_FULL (550.31 µs) : 529, 571
.   : milestone, 550,
iast_GLOBAL (515.266 µs) : 493, 537
.   : milestone, 515,
iast_HARDCODED_SECRET_DISABLED (481.008 µs) : 460, 502
.   : milestone, 481,
iast_INACTIVE (455.199 µs) : 434, 477
.   : milestone, 455,
iast_TELEMETRY_OFF (468.061 µs) : 447, 489
.   : milestone, 468,
tracing (447.238 µs) : 426, 468
.   : milestone, 447,
section candidate
no_agent (371.598 µs) : 352, 391
.   : milestone, 372,
iast (480.605 µs) : 460, 502
.   : milestone, 481,
iast_FULL (552.878 µs) : 532, 574
.   : milestone, 553,
iast_GLOBAL (509.178 µs) : 487, 531
.   : milestone, 509,
iast_HARDCODED_SECRET_DISABLED (476.704 µs) : 456, 497
.   : milestone, 477,
iast_INACTIVE (457.884 µs) : 436, 480
.   : milestone, 458,
iast_TELEMETRY_OFF (470.68 µs) : 450, 491
.   : milestone, 471,
tracing (443.166 µs) : 422, 464
.   : milestone, 443,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 371.42 µs [351.626 µs, 391.213 µs] -
iast 483.264 µs [461.561 µs, 504.966 µs] 111.844 µs (30.1%)
iast_FULL 550.31 µs [529.32 µs, 571.299 µs] 178.89 µs (48.2%)
iast_GLOBAL 515.266 µs [493.29 µs, 537.242 µs] 143.846 µs (38.7%)
iast_HARDCODED_SECRET_DISABLED 481.008 µs [460.191 µs, 501.825 µs] 109.588 µs (29.5%)
iast_INACTIVE 455.199 µs [433.819 µs, 476.58 µs] 83.78 µs (22.6%)
iast_TELEMETRY_OFF 468.061 µs [447.189 µs, 488.933 µs] 96.641 µs (26.0%)
tracing 447.238 µs [426.464 µs, 468.011 µs] 75.818 µs (20.4%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 371.598 µs [352.184 µs, 391.012 µs] -
iast 480.605 µs [459.647 µs, 501.562 µs] 109.006 µs (29.3%)
iast_FULL 552.878 µs [531.766 µs, 573.99 µs] 181.28 µs (48.8%)
iast_GLOBAL 509.178 µs [487.485 µs, 530.871 µs] 137.579 µs (37.0%)
iast_HARDCODED_SECRET_DISABLED 476.704 µs [455.927 µs, 497.48 µs] 105.105 µs (28.3%)
iast_INACTIVE 457.884 µs [436.092 µs, 479.676 µs] 86.286 µs (23.2%)
iast_TELEMETRY_OFF 470.68 µs [449.87 µs, 491.49 µs] 99.082 µs (26.7%)
tracing 443.166 µs [422.361 µs, 463.972 µs] 71.568 µs (19.3%)
Request duration reports for petclinic
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.35.0-SNAPSHOT~04c59ae87b, baseline=1.35.0-SNAPSHOT~6c2d477f7c
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.338 ms) : 1318, 1357
.   : milestone, 1338,
appsec (1.716 ms) : 1692, 1741
.   : milestone, 1716,
appsec_no_iast (1.733 ms) : 1709, 1756
.   : milestone, 1733,
iast (1.477 ms) : 1454, 1499
.   : milestone, 1477,
profiling (1.498 ms) : 1473, 1523
.   : milestone, 1498,
tracing (1.472 ms) : 1447, 1496
.   : milestone, 1472,
section candidate
no_agent (1.354 ms) : 1335, 1374
.   : milestone, 1354,
appsec (1.729 ms) : 1705, 1753
.   : milestone, 1729,
appsec_no_iast (1.709 ms) : 1684, 1734
.   : milestone, 1709,
iast (1.463 ms) : 1440, 1486
.   : milestone, 1463,
profiling (1.497 ms) : 1472, 1521
.   : milestone, 1497,
tracing (1.462 ms) : 1438, 1487
.   : milestone, 1462,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.338 ms [1.318 ms, 1.357 ms] -
appsec 1.716 ms [1.692 ms, 1.741 ms] 378.679 µs (28.3%)
appsec_no_iast 1.733 ms [1.709 ms, 1.756 ms] 395.236 µs (29.5%)
iast 1.477 ms [1.454 ms, 1.499 ms] 138.961 µs (10.4%)
profiling 1.498 ms [1.473 ms, 1.523 ms] 160.439 µs (12.0%)
tracing 1.472 ms [1.447 ms, 1.496 ms] 133.936 µs (10.0%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.354 ms [1.335 ms, 1.374 ms] -
appsec 1.729 ms [1.705 ms, 1.753 ms] 374.669 µs (27.7%)
appsec_no_iast 1.709 ms [1.684 ms, 1.734 ms] 354.488 µs (26.2%)
iast 1.463 ms [1.44 ms, 1.486 ms] 108.935 µs (8.0%)
profiling 1.497 ms [1.472 ms, 1.521 ms] 142.258 µs (10.5%)
tracing 1.462 ms [1.438 ms, 1.487 ms] 107.922 µs (8.0%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/IW_default_app_deployed
git_commit_date 1715615333 1715616103
git_commit_sha 6c2d477 04c59ae
release_version 1.35.0-SNAPSHOT~6c2d477f7c 1.35.0-SNAPSHOT~04c59ae87b
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1715618374 1715618374
ci_job_id 510368218 510368218
ci_pipeline_id 34162014 34162014
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.35.0-SNAPSHOT~04c59ae87b, baseline=1.35.0-SNAPSHOT~6c2d477f7c
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.463 ms) : 1452, 1475
.   : milestone, 1463,
appsec (2.201 ms) : 2168, 2235
.   : milestone, 2201,
iast (1.963 ms) : 1922, 2004
.   : milestone, 1963,
iast_GLOBAL (2.006 ms) : 1965, 2047
.   : milestone, 2006,
profiling (1.857 ms) : 1823, 1891
.   : milestone, 1857,
tracing (1.84 ms) : 1808, 1872
.   : milestone, 1840,
section candidate
no_agent (1.463 ms) : 1452, 1475
.   : milestone, 1463,
appsec (2.212 ms) : 2177, 2246
.   : milestone, 2212,
iast (1.964 ms) : 1923, 2005
.   : milestone, 1964,
iast_GLOBAL (1.985 ms) : 1944, 2025
.   : milestone, 1985,
profiling (1.853 ms) : 1820, 1885
.   : milestone, 1853,
tracing (1.838 ms) : 1806, 1870
.   : milestone, 1838,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.463 ms [1.452 ms, 1.475 ms] -
appsec 2.201 ms [2.168 ms, 2.235 ms] 738.158 µs (50.4%)
iast 1.963 ms [1.922 ms, 2.004 ms] 499.435 µs (34.1%)
iast_GLOBAL 2.006 ms [1.965 ms, 2.047 ms] 542.454 µs (37.1%)
profiling 1.857 ms [1.823 ms, 1.891 ms] 393.533 µs (26.9%)
tracing 1.84 ms [1.808 ms, 1.872 ms] 376.482 µs (25.7%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.463 ms [1.452 ms, 1.475 ms] -
appsec 2.212 ms [2.177 ms, 2.246 ms] 748.745 µs (51.2%)
iast 1.964 ms [1.923 ms, 2.005 ms] 500.529 µs (34.2%)
iast_GLOBAL 1.985 ms [1.944 ms, 2.025 ms] 521.448 µs (35.6%)
profiling 1.853 ms [1.82 ms, 1.885 ms] 389.466 µs (26.6%)
tracing 1.838 ms [1.806 ms, 1.87 ms] 374.64 µs (25.6%)
Execution time for biojava
gantt
    title biojava - execution time [CI 0.99] : candidate=1.35.0-SNAPSHOT~04c59ae87b, baseline=1.35.0-SNAPSHOT~6c2d477f7c
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.612 s) : 15612000, 15612000
.   : milestone, 15612000,
appsec (15.195 s) : 15195000, 15195000
.   : milestone, 15195000,
iast (18.808 s) : 18808000, 18808000
.   : milestone, 18808000,
iast_GLOBAL (17.904 s) : 17904000, 17904000
.   : milestone, 17904000,
profiling (15.944 s) : 15944000, 15944000
.   : milestone, 15944000,
tracing (15.12 s) : 15120000, 15120000
.   : milestone, 15120000,
section candidate
no_agent (15.397 s) : 15397000, 15397000
.   : milestone, 15397000,
appsec (15.102 s) : 15102000, 15102000
.   : milestone, 15102000,
iast (18.626 s) : 18626000, 18626000
.   : milestone, 18626000,
iast_GLOBAL (17.909 s) : 17909000, 17909000
.   : milestone, 17909000,
profiling (15.092 s) : 15092000, 15092000
.   : milestone, 15092000,
tracing (15.124 s) : 15124000, 15124000
.   : milestone, 15124000,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.612 s [15.612 s, 15.612 s] -
appsec 15.195 s [15.195 s, 15.195 s] -417.0 ms (-2.7%)
iast 18.808 s [18.808 s, 18.808 s] 3.196 s (20.5%)
iast_GLOBAL 17.904 s [17.904 s, 17.904 s] 2.292 s (14.7%)
profiling 15.944 s [15.944 s, 15.944 s] 332.0 ms (2.1%)
tracing 15.12 s [15.12 s, 15.12 s] -492.0 ms (-3.2%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.397 s [15.397 s, 15.397 s] -
appsec 15.102 s [15.102 s, 15.102 s] -295.0 ms (-1.9%)
iast 18.626 s [18.626 s, 18.626 s] 3.229 s (21.0%)
iast_GLOBAL 17.909 s [17.909 s, 17.909 s] 2.512 s (16.3%)
profiling 15.092 s [15.092 s, 15.092 s] -305.0 ms (-2.0%)
tracing 15.124 s [15.124 s, 15.124 s] -273.0 ms (-1.8%)

@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_directory_listing_improve branch 2 times, most recently from d2bb519 to 7a54b98 Compare April 10, 2024 06:21
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_default_app_deployed branch from 74f9979 to 645db4b Compare April 10, 2024 06:30
@jandro996 jandro996 changed the title IW - Add Default App Deployed vulnerability IW - III - Add Default App Deployed vulnerability Apr 10, 2024
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_default_app_deployed branch from 830be9a to e1e520f Compare April 10, 2024 06:46
@smola smola added comp: asm iast Application Security Management (IAST) R&D labels Apr 15, 2024
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_directory_listing_improve branch 2 times, most recently from ac1b217 to 231e977 Compare April 16, 2024 15:57
Base automatically changed from alejandro.gonzalez/IW_directory_listing_improve to master April 18, 2024 08:36
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_default_app_deployed branch 2 times, most recently from 4cdc57c to b7f5afb Compare April 18, 2024 08:58
@jandro996 jandro996 changed the title IW - III - Add Default App Deployed vulnerability Add Default App Deployed vulnerability Apr 18, 2024
@jandro996 jandro996 marked this pull request as ready for review April 18, 2024 09:38
@jandro996 jandro996 requested a review from a team as a code owner April 18, 2024 09:38
@smola smola changed the title Add Default App Deployed vulnerability Detect a vulnerability when a default application is deployed Apr 18, 2024
@@ -212,6 +240,27 @@ private void checkWebXmlVulnerabilities(@Nonnull final Path path, final AgentSpa
case TOMCAT_HOST_MANAGER_APP_PATTERN:
reportAdminConsoleActive(span, TOMCAT_HOST_MANAGER_APP);
break;
case TOMCAT_SAMPLES_APP_PATTERN:

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is growing quite a bit, wouldn't it make more sense to look for <display-name> and then use a list of default apps to match?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potentially It could grow even more, so I will go for your approach

@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_default_app_deployed branch 2 times, most recently from 446c7ec to d2a8699 Compare May 8, 2024 08:15
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_default_app_deployed branch from 4e5d5e3 to b386ca0 Compare May 8, 2024 08:18
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_default_app_deployed branch from 85c0cc4 to 94878ca Compare May 13, 2024 15:30
@jandro996 jandro996 merged commit 9d2fdc1 into master May 13, 2024
77 of 80 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/IW_default_app_deployed branch May 13, 2024 16:49
@github-actions github-actions bot added this to the 1.35.0 milestone May 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
comp: asm iast Application Security Management (IAST)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants