Add XSS support for JSP #6944
Conversation
Benchmarks
Startup
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 49 metrics, 14 unstable metrics.
Startup time reports for insecure-bank: [gantt charts "insecure-bank - global startup overhead" and "insecure-bank - break down per module", candidate=1.35.0-SNAPSHOT~75a330fd71, baseline=1.35.0-SNAPSHOT~0946fa5eba; sections tracing, iast, iast_HARDCODED_SECRET_DISABLED, iast_TELEMETRY_OFF]
Startup time reports for petclinic: [gantt charts "petclinic - global startup overhead" and "petclinic - break down per module", candidate=1.35.0-SNAPSHOT~75a330fd71, baseline=1.35.0-SNAPSHOT~0946fa5eba; sections tracing, appsec, iast, profiling]
Load
Summary: Found 0 performance improvements and 1 performance regressions! Performance is the same for 10 metrics, 17 unstable metrics.
Request duration reports for insecure-bank: [gantt chart "insecure-bank - request duration [CI 0.99]", candidate=1.35.0-SNAPSHOT~75a330fd71, baseline=1.35.0-SNAPSHOT~0946fa5eba; variants no_agent, iast, iast_FULL, iast_GLOBAL, iast_HARDCODED_SECRET_DISABLED, iast_INACTIVE, iast_TELEMETRY_OFF, tracing]
Request duration reports for petclinic: [gantt chart "petclinic - request duration [CI 0.99]", same candidate and baseline; variants no_agent, appsec, appsec_no_iast, iast, profiling, tracing]
Dacapo
Summary: Found 0 performance improvements and 1 performance regressions! Performance is the same for 11 metrics, 0 unstable metrics.
Execution time for tomcat: [gantt chart "tomcat - execution time [CI 0.99]", candidate=1.35.0-SNAPSHOT~75a330fd71, baseline=1.35.0-SNAPSHOT~0946fa5eba; variants no_agent, appsec, iast, iast_GLOBAL, profiling, tracing]
Execution time for biojava: [gantt chart "biojava - execution time [CI 0.99]", same candidate and baseline; variants no_agent, appsec, iast, iast_GLOBAL, profiling, tracing]
@CallSite.Before("void jakarta.servlet.jsp.JspWriter.println(char[])")
@CallSite.Before("void jakarta.servlet.jsp.JspWriter.write(char[])")
@CallSite.Before("void jakarta.servlet.jsp.JspWriter.write(char[], int, int)")
public static void beforeCharArrayParam(@CallSite.Argument(0) @Nonnull final char[] buf) {
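Review bot: beforeCharArrayParam is bound to write(char[], int, int) as well as println(char[]) and write(char[]), but it only receives @CallSite.Argument(0), so the offset and length of the three-argument overload are discarded and the check runs over the whole buffer rather than the sub-range actually written. Either give that overload its own advice that also takes arguments 1 and 2, or drop it from this handler.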
This should only be enabled in full detection mode, check datadog.trace.instrumentation.java.lang.StringFullDetectionCallSite
@CallSite.Before("void javax.servlet.jsp.JspWriter.print(java.lang.String)")
@CallSite.Before("void javax.servlet.jsp.JspWriter.println(java.lang.String)")
@CallSite.Before("void javax.servlet.jsp.JspWriter.write(java.lang.String)")
@CallSite.Before("void javax.servlet.jsp.JspWriter.write(java.lang.String, int, int)")
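Review bot: these javax.servlet.jsp.JspWriter signatures mirror the jakarta.servlet.jsp ones above, including the write(java.lang.String, int, int) overload, whose offset and length are not visible to advice that takes only the first argument; whatever range handling is chosen for the jakarta variants should be applied identically here so the two namespaces do not diverge in what they report.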
For this kind of method you need the offset and length to check if the range is actually tainted (maybe there's no intersection, so there is indeed no XSS).
Are the write methods inherited from Writer used by the compilation of JSPs? (maybe we can skip them altogether and remove the problem)
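To make the range check concrete, here is an added example (not part of the PR or of dd-trace-java) that contrasts a whole-string taint check with one that intersects the tainted ranges with the [off, off + len) window that write(String, int, int) actually emits; TaintedRange, wholeStringTainted and writtenRangeTainted are hypothetical names.

```java
import java.util.List;

// Added example, not dd-trace-java code. A write(String, int, int) call only
// reaches the response with the sub-range [off, off + len) of the string, so
// the XSS check must intersect that window with the tainted ranges instead of
// asking "does the string carry any taint at all".
public final class TaintedRangeCheck {

  /** A tainted span [start, start + length) of a string, as a taint tracker records it. */
  public record TaintedRange(int start, int length) {
    public int end() { return start + length; }
  }

  /** Whole-string check: reports XSS as soon as the string carries any taint. */
  public static boolean wholeStringTainted(List<TaintedRange> ranges) {
    return !ranges.isEmpty();
  }

  /**
   * Range-aware check for write(String, int, int): true only if at least one
   * tainted range overlaps the window that is actually written.
   */
  public static boolean writtenRangeTainted(List<TaintedRange> ranges, int off, int len) {
    if (len <= 0) return false;
    int windowEnd = off + len;
    for (TaintedRange r : ranges) {
      // Two half-open intervals intersect iff each one starts before the other ends.
      if (r.start() < windowEnd && off < r.end()) {
        return true;
      }
    }
    return false;
  }

  public static void main(String[] args) {
    // Constructed sample: "<p>" + user-controlled name + "</p>"; only the five
    // characters of the name (indices 3..7) are tainted.
    String html = "<p>" + "alice" + "</p>";
    List<TaintedRange> ranges = List.of(new TaintedRange(3, 5));

    // write(html, 0, 3) emits only the literal "<p>", yet the whole-string
    // check still fires because the string carries taint somewhere.
    System.out.println("whole-string check: " + wholeStringTainted(ranges));
    System.out.println("write(html, 0, 3) tainted: " + writtenRangeTainted(ranges, 0, 3));
    // write(html, 2, 3) emits ">al", which includes tainted characters.
    System.out.println("write(html, 2, 3) tainted: " + writtenRangeTainted(ranges, 2, 3));
    // write(html, 8, 4) emits the trailing "</p>" only.
    System.out.println("write(html, 8, 4) tainted: " + writtenRangeTainted(ranges, 8, 4));
  }
}
```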
Thanks for the advice! I think that the offset methods are not used in JSP, I will remove the callSites for this PR
What Does This Do
Add instrumentation to call the XSS module
Add smoke tests
Motivation
Being able to report XSS vulnerabilities in JSP
Additional Notes
Jira ticket: APPSEC-16777