
Added support for SQLi exploit prevention (detection only) #7051

Merged: 14 commits from vzakharov/rasp_sqli into master, Jun 3, 2024

Conversation

@ValentinZakharov (Contributor) commented May 20, 2024

What Does This Do

This PR introduces support for SQL capturing which can be used for detecting SQL injection attacks, i.e. it adds the ability to collect data for the server.db.system and server.db.statement addresses via the instrumentation gateway, with subsequent forwarding to RASP (ex-WAF).

  • server.db.system - sql dialect (mysql, postgresql, etc.)
  • server.db.statement - raw sql-query to check for sql-injection attacks

Motivation

This PR is part of the ASM Exploit Prevention initiative (Runtime application self-protection).

Additional Notes

The current set of dialects supported is:

  • mysql
  • sqlite
  • pgsql

Jira ticket: APPSEC-47228

@smola smola changed the title Added support for SQLi exploit Added support for SQLi exploit prevention May 21, 2024
@smola smola added the comp: asm waf Application Security Management (WAF) label May 21, 2024
@ValentinZakharov ValentinZakharov force-pushed the vzakharov/rasp_sqli branch 2 times, most recently from 65f7400 to 4f59176 May 24, 2024 14:52
@ValentinZakharov ValentinZakharov marked this pull request as ready for review May 24, 2024 22:01
@ValentinZakharov ValentinZakharov requested review from a team as code owners May 24, 2024 22:01
@smola (Member) left a comment:

Missing configuration flag, and possibly RC capability announcement.

RequestContext ctx = span.getRequestContext();
if (ctx != null) {
String dbType = dbInfo.getType();
if (dbType != null) {
Member commented:

I believe the type is always non-null. In case of errors parsing the jdbc url, it takes the value database as default.

Contributor Author replied:

I'm convinced that it is possible to have a null type

* The method used to provide raw sql to prevent SQL-injection attacks SQL query should never be
* exposed because it may contain sensitive data.
*/
public AgentSpan onStatementRaw(AgentSpan span, String sql) {
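Review bot: the javadoc on `onStatementRaw` runs two sentences together ("...to prevent SQL-injection attacks SQL query should never be exposed..."); split it after "attacks" and state where the raw SQL goes (to the RASP subscriber through the instrumentation gateway, per the PR description) as well as what it must not be used for, so callers can tell this entry point apart from `onStatement`.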

A reviewer commented:

If we move this into datadog.trace.bootstrap.instrumentation.decorator.DatabaseClientDecorator it can be used by other clients like vertx_sql_client

Contributor Author replied:

good catch, moved to DatabaseClientDecorator

@ValentinZakharov ValentinZakharov force-pushed the vzakharov/rasp_sqli branch 3 times, most recently from 6de0ff7 to 7ba14a8 May 28, 2024 11:29
@ValentinZakharov ValentinZakharov requested a review from smola May 29, 2024 11:06
@manuel-alvarez-alvarez (Member) left a comment:

For a future PR, we are very close to having it also available for vertx sql.

@@ -113,6 +113,7 @@ public static AgentScope onEnter(
appendComment);
}
DECORATE.onStatement(span, DBQueryInfo.ofStatement(copy));
DECORATE.onStatementRaw(span, sql);
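Review bot: `DECORATE.onStatementRaw(span, sql)` on the added line passes `sql`, while the `onStatement` call directly above it receives `copy`; the `appendComment);` context shows that comment injection runs before this point, so `sql` may already have been rewritten and the statement handed to RASP would then differ from the text the application built. Pass `copy` here so the SQLi check sees the unmodified statement, and consider folding the raw-statement path into a single decorator entry point so the instrumentation does not make two calls per statement.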
Collaborator commented:

I would use copy here because the original might be modified by dbm

Contributor Author replied:

Well spotted! Fixed

* The method used to provide raw sql to prevent SQL-injection attacks SQL query should never be
* exposed because it may contain sensitive data.
*/
public AgentSpan onStatementRaw(AgentSpan span, String sql) {
@amarziali (Collaborator) commented May 29, 2024:

I would just have one method to call: either onStatement for prepared ones or onRawStatement for raw ones. onRawStatement may call onStatement upon return.

This will leave the orchestration responsibility to the decorator and not have to call 2 methods on the instrumentation itself.

Contributor Author replied:

Refactored as suggested
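To make the flow described in the PR description and the single-entry-point orchestration suggested above concrete, here is an added illustration that is not dd-trace-java code: every class and field name (RaspConfig, GatewayBus, SqlDecorator, RaspSqliSubscriber, executeRaw) is hypothetical. It shows the instrumentation calling one decorator method, the decorator gating on a RASP flag, publishing the server.db.system and server.db.statement addresses to a detection-only gateway subscriber, and receiving the unmodified copy of the statement rather than the DBM-rewritten one.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;

// Added illustration, not dd-trace-java code: all names in this file are hypothetical.
public class RaspSqlFlowDemo {

  // Address keys named in the PR description.
  static final String DB_SYSTEM = "server.db.system";
  static final String DB_STATEMENT = "server.db.statement";

  static final class Span { final Map<String, String> tags = new LinkedHashMap<>(); }

  // Stand-in for the configuration flag the reviewers asked for.
  static final class RaspConfig {
    final boolean raspEnabled;
    RaspConfig(boolean raspEnabled) { this.raspEnabled = raspEnabled; }
  }

  // Stand-in for the instrumentation gateway: subscribers receive address maps.
  static final class GatewayBus {
    private final List<Consumer<Map<String, String>>> subscribers = new ArrayList<>();
    void subscribe(Consumer<Map<String, String>> subscriber) { subscribers.add(subscriber); }
    void publish(Map<String, String> addresses) {
      for (Consumer<Map<String, String>> s : subscribers) s.accept(addresses);
    }
  }

  // Detection-only RASP side: records what it was given and never blocks the query.
  static final class RaspSqliSubscriber implements Consumer<Map<String, String>> {
    final List<Map<String, String>> seen = new ArrayList<>();
    @Override
    public void accept(Map<String, String> addresses) { seen.add(new LinkedHashMap<>(addresses)); }
  }

  // Decorator with one entry point per statement kind, as suggested in review.
  static final class SqlDecorator {
    private final RaspConfig config;
    private final GatewayBus gateway;
    SqlDecorator(RaspConfig config, GatewayBus gateway) { this.config = config; this.gateway = gateway; }

    // Prepared statements take the existing path: span tagging only.
    void onStatement(Span span, String statement) { span.tags.put("db.statement", statement); }

    // Raw statements: publish dialect + statement to RASP (if enabled), then tag as usual.
    void onRawStatement(Span span, String dbType, String rawSql) {
      if (config.raspEnabled && dbType != null) {
        Map<String, String> addresses = new LinkedHashMap<>();
        addresses.put(DB_SYSTEM, dbType);
        addresses.put(DB_STATEMENT, rawSql);
        gateway.publish(addresses);
      }
      onStatement(span, rawSql);
    }
  }

  // Models the instrumentation's onEnter: DBM may rewrite `sql`, so `copy` is what RASP gets.
  static Span executeRaw(SqlDecorator decorate, String dbType, String sql, boolean dbmInjection) {
    Span span = new Span();
    String copy = sql; // original statement text, captured before any rewrite
    if (dbmInjection) {
      sql = "/*constructed-dbm-comment*/ " + sql; // constructed stand-in for the DBM comment
    }
    decorate.onRawStatement(span, dbType, copy);
    span.tags.put("db.executed", sql); // what actually goes to the driver
    return span;
  }

  public static void main(String[] args) {
    GatewayBus bus = new GatewayBus();
    RaspSqliSubscriber rasp = new RaspSqliSubscriber();
    bus.subscribe(rasp);
    SqlDecorator decorate = new SqlDecorator(new RaspConfig(true), bus);
    Span span = executeRaw(decorate, "mysql", "SELECT name FROM users WHERE id = 42", true);
    System.out.println("RASP saw: " + rasp.seen);
    System.out.println("executed: " + span.tags.get("db.executed"));
  }
}
```

Constructing the decorator with `new RaspConfig(false)` publishes nothing to the subscriber while the span is still tagged, which is the gating the first review asked for.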

pr-commenter (bot) commented May 29, 2024

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | vzakharov/rasp_sqli |
| git_commit_date | 1717113140 | 1717137665 |
| git_commit_sha | 489de24 | 967969c |
| release_version | 1.35.0-SNAPSHOT~489de243b6 | 1.35.0-SNAPSHOT~967969c98f |

Matching parameters:

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1717140467 | 1717140467 |
| ci_job_id | 528269731 | 528269731 |
| ci_pipeline_id | 35545475 | 35545475 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 2 performance regressions! Performance is the same for 45 metrics, 16 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:startup:insecure-bank:tracing:Remote Config | worse: [+29.125µs; +78.453µs] or [+4.343%; +11.697%] | 724.482µs | 670.693µs |
| scenario:startup:petclinic:tracing:Remote Config | worse: [+36.914µs; +98.811µs] or [+5.522%; +14.782%] | 736.325µs | 668.462µs |
Startup time reports for petclinic

(Chart "petclinic - global startup overhead": Agent and Total startup time per variant, candidate=1.35.0-SNAPSHOT~967969c98f vs baseline=1.35.0-SNAPSHOT~489de243b6; the values are in the tables below.)

Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.058 s | - |
| Agent | appsec | 1.176 s | 117.705 ms (11.1%) |
| Agent | iast | 1.164 s | 105.562 ms (10.0%) |
| Agent | profiling | 1.258 s | 199.924 ms (18.9%) |
| Total | tracing | 10.339 s | - |
| Total | appsec | 10.518 s | 178.671 ms (1.7%) |
| Total | iast | 10.767 s | 427.467 ms (4.1%) |
| Total | profiling | 10.593 s | 253.772 ms (2.5%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.057 s | - |
| Agent | appsec | 1.177 s | 119.353 ms (11.3%) |
| Agent | iast | 1.163 s | 106.002 ms (10.0%) |
| Agent | profiling | 1.263 s | 206.216 ms (19.5%) |
| Total | tracing | 10.346 s | - |
| Total | appsec | 10.494 s | 148.585 ms (1.4%) |
| Total | iast | 10.756 s | 410.083 ms (4.0%) |
| Total | profiling | 10.484 s | 137.987 ms (1.3%) |

(Chart "petclinic - break down per module": startup time of BytebuddyAgent, GlobalTracer, AppSec, Remote Config, Telemetry, IAST, ProfilingAgent and Profiling for each variant, baseline vs candidate; not reproduced here. The Remote Config values for the tracing variant are the ones flagged in the summary above.)
Startup time reports for insecure-bank

(Chart "insecure-bank - global startup overhead": Agent and Total startup time per variant, candidate=1.35.0-SNAPSHOT~967969c98f vs baseline=1.35.0-SNAPSHOT~489de243b6; the values are in the tables below.)

Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.063 s | - |
| Agent | iast | 1.165 s | 102.31 ms (9.6%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.172 s | 108.708 ms (10.2%) |
| Agent | iast_TELEMETRY_OFF | 1.169 s | 106.102 ms (10.0%) |
| Total | tracing | 8.541 s | - |
| Total | iast | 9.022 s | 480.683 ms (5.6%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 8.955 s | 413.908 ms (4.8%) |
| Total | iast_TELEMETRY_OFF | 9.05 s | 508.614 ms (6.0%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.059 s | - |
| Agent | iast | 1.175 s | 115.965 ms (11.0%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.164 s | 105.27 ms (9.9%) |
| Agent | iast_TELEMETRY_OFF | 1.167 s | 108.534 ms (10.3%) |
| Total | tracing | 8.567 s | - |
| Total | iast | 9.047 s | 480.087 ms (5.6%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 8.981 s | 414.404 ms (4.8%) |
| Total | iast_TELEMETRY_OFF | 8.977 s | 409.823 ms (4.8%) |

(Chart "insecure-bank - break down per module": startup time of BytebuddyAgent, GlobalTracer, AppSec, IAST, Remote Config and Telemetry for each variant, baseline vs candidate; not reproduced here. The Remote Config values for the tracing variant are the ones flagged in the summary above.)

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-05-31T06:58:07 | 2024-05-31T07:07:10 |
| git_branch | master | vzakharov/rasp_sqli |
| git_commit_date | 1717113140 | 1717137665 |
| git_commit_sha | 489de24 | 967969c |
| release_version | 1.35.0-SNAPSHOT~489de243b6 | 1.35.0-SNAPSHOT~967969c98f |
| start_time | 2024-05-31T06:57:51 | 2024-05-31T07:06:54 |

Matching parameters:

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1717139686 | 1717139686 |
| ci_job_id | 528269732 | 528269732 |
| ci_pipeline_id | 35545475 | 35545475 |
| cpu_model | Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 6 metrics, 22 unstable metrics.

Request duration reports for insecure-bank

(Chart "insecure-bank - request duration [CI 0.99]", candidate=1.35.0-SNAPSHOT~967969c98f vs baseline=1.35.0-SNAPSHOT~489de243b6; the values are in the tables below.)

Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 452.559 µs [423.808 µs, 481.309 µs] | - |
| iast | 586.244 µs [554.638 µs, 617.851 µs] | 133.686 µs (29.5%) |
| iast_FULL | 697.308 µs [664.804 µs, 729.812 µs] | 244.749 µs (54.1%) |
| iast_GLOBAL | 615.488 µs [583.962 µs, 647.015 µs] | 162.93 µs (36.0%) |
| iast_HARDCODED_SECRET_DISABLED | 585.08 µs [553.997 µs, 616.162 µs] | 132.521 µs (29.3%) |
| iast_INACTIVE | 556.647 µs [524.842 µs, 588.452 µs] | 104.088 µs (23.0%) |
| iast_TELEMETRY_OFF | 571.71 µs [541.427 µs, 601.993 µs] | 119.151 µs (26.3%) |
| tracing | 547.794 µs [517.857 µs, 577.732 µs] | 95.236 µs (21.0%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 453.28 µs [424.076 µs, 482.483 µs] | - |
| iast | 586.654 µs [554.639 µs, 618.669 µs] | 133.374 µs (29.4%) |
| iast_FULL | 685.523 µs [652.686 µs, 718.36 µs] | 232.244 µs (51.2%) |
| iast_GLOBAL | 621.034 µs [589.331 µs, 652.736 µs] | 167.754 µs (37.0%) |
| iast_HARDCODED_SECRET_DISABLED | 587.054 µs [555.731 µs, 618.378 µs] | 133.775 µs (29.5%) |
| iast_INACTIVE | 559.102 µs [527.782 µs, 590.421 µs] | 105.822 µs (23.3%) |
| iast_TELEMETRY_OFF | 573.783 µs [543.057 µs, 604.508 µs] | 120.503 µs (26.6%) |
| tracing | 541.456 µs [511.686 µs, 571.227 µs] | 88.176 µs (19.5%) |
Request duration reports for petclinic

(Chart "petclinic - request duration [CI 0.99]", candidate=1.35.0-SNAPSHOT~967969c98f vs baseline=1.35.0-SNAPSHOT~489de243b6; the values are in the tables below.)

Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.71 ms [1.685 ms, 1.734 ms] | - |
| appsec | 2.214 ms [2.183 ms, 2.246 ms] | 504.42 µs (29.5%) |
| appsec_no_iast | 2.184 ms [2.152 ms, 2.216 ms] | 474.355 µs (27.7%) |
| iast | 1.9 ms [1.87 ms, 1.929 ms] | 189.781 µs (11.1%) |
| profiling | 1.942 ms [1.908 ms, 1.975 ms] | 231.888 µs (13.6%) |
| tracing | 1.853 ms [1.823 ms, 1.883 ms] | 143.551 µs (8.4%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.703 ms [1.678 ms, 1.727 ms] | - |
| appsec | 2.18 ms [2.147 ms, 2.212 ms] | 476.973 µs (28.0%) |
| appsec_no_iast | 2.19 ms [2.157 ms, 2.223 ms] | 487.483 µs (28.6%) |
| iast | 1.857 ms [1.825 ms, 1.89 ms] | 154.887 µs (9.1%) |
| profiling | 1.877 ms [1.846 ms, 1.908 ms] | 174.23 µs (10.2%) |
| tracing | 1.855 ms [1.822 ms, 1.887 ms] | 152.0 µs (8.9%) |

Dacapo

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | vzakharov/rasp_sqli |
| git_commit_date | 1717113140 | 1717137665 |
| git_commit_sha | 489de24 | 967969c |
| release_version | 1.35.0-SNAPSHOT~489de243b6 | 1.35.0-SNAPSHOT~967969c98f |

Matching parameters:

| | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1717139910 | 1717139910 |
| ci_job_id | 528269733 | 528269733 |
| ci_pipeline_id | 35545475 | 35545475 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat

(Chart "tomcat - execution time [CI 0.99]", candidate=1.35.0-SNAPSHOT~967969c98f vs baseline=1.35.0-SNAPSHOT~489de243b6; the values are in the tables below.)

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.457 ms [1.446 ms, 1.469 ms] | - |
| appsec | 2.193 ms [2.159 ms, 2.227 ms] | 735.646 µs (50.5%) |
| iast | 1.96 ms [1.919 ms, 2.001 ms] | 502.764 µs (34.5%) |
| iast_GLOBAL | 2.013 ms [1.972 ms, 2.055 ms] | 555.835 µs (38.1%) |
| profiling | 1.838 ms [1.804 ms, 1.872 ms] | 380.564 µs (26.1%) |
| tracing | 1.82 ms [1.788 ms, 1.851 ms] | 362.055 µs (24.8%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.464 ms [1.452 ms, 1.475 ms] | - |
| appsec | 2.214 ms [2.179 ms, 2.248 ms] | 749.981 µs (51.2%) |
| iast | 1.962 ms [1.921 ms, 2.003 ms] | 498.124 µs (34.0%) |
| iast_GLOBAL | 1.987 ms [1.946 ms, 2.027 ms] | 522.959 µs (35.7%) |
| profiling | 1.857 ms [1.824 ms, 1.89 ms] | 393.391 µs (26.9%) |
| tracing | 1.829 ms [1.797 ms, 1.861 ms] | 364.909 µs (24.9%) |
Execution time for biojava

(Chart "biojava - execution time [CI 0.99]", candidate=1.35.0-SNAPSHOT~967969c98f vs baseline=1.35.0-SNAPSHOT~489de243b6; the values are in the tables below.)

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.566 s [15.566 s, 15.566 s] | - |
| appsec | 14.918 s [14.918 s, 14.918 s] | -648.0 ms (-4.2%) |
| iast | 18.875 s [18.875 s, 18.875 s] | 3.309 s (21.3%) |
| iast_GLOBAL | 17.994 s [17.994 s, 17.994 s] | 2.428 s (15.6%) |
| profiling | 15.392 s [15.392 s, 15.392 s] | -174.0 ms (-1.1%) |
| tracing | 15.01 s [15.01 s, 15.01 s] | -556.0 ms (-3.6%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 14.943 s [14.943 s, 14.943 s] | - |
| appsec | 15.179 s [15.179 s, 15.179 s] | 236.0 ms (1.6%) |
| iast | 18.669 s [18.669 s, 18.669 s] | 3.726 s (24.9%) |
| iast_GLOBAL | 17.883 s [17.883 s, 17.883 s] | 2.94 s (19.7%) |
| profiling | 15.302 s [15.302 s, 15.302 s] | 359.0 ms (2.4%) |
| tracing | 14.94 s [14.94 s, 14.94 s] | -3.0 ms (-0.0%) |

@amarziali (Collaborator) left a comment:

looks ok from the instrumentation's pov

}
}
}
return span;
Contributor commented:

Looks like there's no need to return span because it's never modified inside of this method.

Contributor Author replied:

Fixed

@@ -109,6 +109,10 @@ public interface KnownAddresses {

Address<String> USER_ID = new Address<>("usr.id");

Address<String> DB_TYPE = new Address<>("server.db.system");
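Review bot: the new `DB_TYPE` address has no javadoc, unlike most fields in `KnownAddresses`; add a one-line javadoc stating that it carries the SQL dialect (mysql, pgsql or sqlite, per the PR description) published under `server.db.system` for the RASP SQLi rules, so readers of this interface do not have to look up the PR to learn what the address holds.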
Contributor commented:

Perhaps add a short javadoc for these new fields, similar to most other fields in this class.

Contributor Author replied:

Done

@ygree (Contributor) left a comment:

LGTM

@ValentinZakharov ValentinZakharov force-pushed the vzakharov/rasp_sqli branch 2 times, most recently from 2e8685e to 967969c May 31, 2024 06:41
@@ -96,7 +97,8 @@ private void subscribeConfigurationPoller() {
| CAPABILITY_ASM_USER_BLOCKING
| CAPABILITY_ASM_CUSTOM_RULES
| CAPABILITY_ASM_CUSTOM_BLOCKING_RESPONSE
| CAPABILITY_ASM_TRUSTED_IPS);
| CAPABILITY_ASM_TRUSTED_IPS
| CAPABILITY_ASM_RASP_SQLI);
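Review bot: `CAPABILITY_ASM_RASP_SQLI` is added to the unconditional capability mask next to the other ASM capabilities, so the agent announces RASP SQLi support to remote config even when RASP is switched off; the backend would then push SQLi rules the agent never evaluates. Gate the new bit on the RASP enabled setting (the configuration flag the first review asked for) so the announced capability matches what the runtime actually does.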
Member commented:

Should probably not announce the capability if RASP is disabled.

@ValentinZakharov ValentinZakharov self-assigned this Jun 3, 2024
@ValentinZakharov ValentinZakharov merged commit 148ac0f into master Jun 3, 2024
77 of 80 checks passed
@ValentinZakharov ValentinZakharov deleted the vzakharov/rasp_sqli branch June 3, 2024 21:03
@github-actions github-actions bot added this to the 1.35.0 milestone Jun 3, 2024
@smola smola changed the title Added support for SQLi exploit prevention Added support for SQLi exploit prevention (detection only) Jun 26, 2024