-
Notifications
You must be signed in to change notification settings - Fork 291
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Increase IAST propagation to StringBuilder append #8010
Merged
Mariovido
merged 5 commits into
master
from
mario.vidal/taint_tracking_string_builder_append
Dec 12, 2024
Merged
Increase IAST propagation to StringBuilder append #8010
Mariovido
merged 5 commits into
master
from
mario.vidal/taint_tracking_string_builder_append
Dec 12, 2024
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…rinbBuilder.append with buffer
Mariovido
added
type: enhancement
comp: asm iast
Application Security Management (IAST)
inst: java
Core Java language instrumentation
labels
Nov 25, 2024
smola
changed the title
Increase propagation to StringBuilder append
Increase IAST propagation to StringBuilder append
Nov 25, 2024
BenchmarksStartupParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 53 metrics, 10 unstable metrics. Startup time reports for petclinicgantt
title petclinic - global startup overhead: candidate=1.44.0-SNAPSHOT~454fad6e2a, baseline=1.44.0-SNAPSHOT~aa7092b92b
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.097 s) : 0, 1096674
Total [baseline] (10.489 s) : 0, 10488627
Agent [candidate] (1.108 s) : 0, 1108168
Total [candidate] (10.521 s) : 0, 10520963
section appsec
Agent [baseline] (1.231 s) : 0, 1231273
Total [baseline] (10.747 s) : 0, 10746646
Agent [candidate] (1.228 s) : 0, 1228159
Total [candidate] (10.752 s) : 0, 10752471
section iast
Agent [baseline] (1.229 s) : 0, 1229298
Total [baseline] (11.047 s) : 0, 11047244
Agent [candidate] (1.221 s) : 0, 1220916
Total [candidate] (11.014 s) : 0, 11013886
section profiling
Agent [baseline] (1.321 s) : 0, 1321484
Total [baseline] (10.836 s) : 0, 10836318
Agent [candidate] (1.325 s) : 0, 1324525
Total [candidate] (10.817 s) : 0, 10816518
gantt
title petclinic - break down per module: candidate=1.44.0-SNAPSHOT~454fad6e2a, baseline=1.44.0-SNAPSHOT~aa7092b92b
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (698.61 ms) : 0, 698610
BytebuddyAgent [candidate] (705.41 ms) : 0, 705410
GlobalTracer [baseline] (318.913 ms) : 0, 318913
GlobalTracer [candidate] (322.224 ms) : 0, 322224
AppSec [baseline] (54.719 ms) : 0, 54719
AppSec [candidate] (55.213 ms) : 0, 55213
Remote Config [baseline] (680.989 µs) : 0, 681
Remote Config [candidate] (707.133 µs) : 0, 707
Telemetry [baseline] (9.943 ms) : 0, 9943
Telemetry [candidate] (10.7 ms) : 0, 10700
section appsec
BytebuddyAgent [baseline] (715.062 ms) : 0, 715062
BytebuddyAgent [candidate] (712.757 ms) : 0, 712757
GlobalTracer [baseline] (315.567 ms) : 0, 315567
GlobalTracer [candidate] (315.071 ms) : 0, 315071
AppSec [baseline] (168.387 ms) : 0, 168387
AppSec [candidate] (167.814 ms) : 0, 167814
IAST [baseline] (19.112 ms) : 0, 19112
IAST [candidate] (19.108 ms) : 0, 19108
Remote Config [baseline] (1.038 ms) : 0, 1038
Remote Config [candidate] (657.488 µs) : 0, 657
Telemetry [baseline] (7.899 ms) : 0, 7899
Telemetry [candidate] (8.551 ms) : 0, 8551
section iast
BytebuddyAgent [baseline] (819.765 ms) : 0, 819765
BytebuddyAgent [candidate] (813.894 ms) : 0, 813894
GlobalTracer [baseline] (307.732 ms) : 0, 307732
GlobalTracer [candidate] (306.237 ms) : 0, 306237
AppSec [baseline] (58.295 ms) : 0, 58295
AppSec [candidate] (56.993 ms) : 0, 56993
IAST [baseline] (21.324 ms) : 0, 21324
IAST [candidate] (21.844 ms) : 0, 21844
Remote Config [baseline] (659.52 µs) : 0, 660
Remote Config [candidate] (649.281 µs) : 0, 649
Telemetry [baseline] (7.682 ms) : 0, 7682
Telemetry [candidate] (7.521 ms) : 0, 7521
section profiling
BytebuddyAgent [baseline] (691.05 ms) : 0, 691050
BytebuddyAgent [candidate] (695.424 ms) : 0, 695424
GlobalTracer [baseline] (434.913 ms) : 0, 434913
GlobalTracer [candidate] (433.597 ms) : 0, 433597
AppSec [baseline] (53.827 ms) : 0, 53827
AppSec [candidate] (53.818 ms) : 0, 53818
Remote Config [baseline] (677.855 µs) : 0, 678
Remote Config [candidate] (655.718 µs) : 0, 656
Telemetry [baseline] (7.756 ms) : 0, 7756
Telemetry [candidate] (7.733 ms) : 0, 7733
ProfilingAgent [baseline] (94.066 ms) : 0, 94066
ProfilingAgent [candidate] (93.844 ms) : 0, 93844
Profiling [baseline] (94.089 ms) : 0, 94089
Profiling [candidate] (93.868 ms) : 0, 93868
Startup time reports for insecure-bankgantt
title insecure-bank - global startup overhead: candidate=1.44.0-SNAPSHOT~454fad6e2a, baseline=1.44.0-SNAPSHOT~aa7092b92b
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.1 s) : 0, 1100003
Total [baseline] (8.675 s) : 0, 8674846
Agent [candidate] (1.1 s) : 0, 1100188
Total [candidate] (8.698 s) : 0, 8697897
section iast
Agent [baseline] (1.22 s) : 0, 1219897
Total [baseline] (9.223 s) : 0, 9222533
Agent [candidate] (1.221 s) : 0, 1220975
Total [candidate] (9.214 s) : 0, 9214275
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.226 s) : 0, 1226132
Total [baseline] (9.153 s) : 0, 9153259
Agent [candidate] (1.22 s) : 0, 1219847
Total [candidate] (9.185 s) : 0, 9184702
section iast_TELEMETRY_OFF
Agent [baseline] (1.217 s) : 0, 1217236
Total [baseline] (9.173 s) : 0, 9173389
Agent [candidate] (1.215 s) : 0, 1215222
Total [candidate] (9.178 s) : 0, 9177722
gantt
title insecure-bank - break down per module: candidate=1.44.0-SNAPSHOT~454fad6e2a, baseline=1.44.0-SNAPSHOT~aa7092b92b
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (700.272 ms) : 0, 700272
BytebuddyAgent [candidate] (700.883 ms) : 0, 700883
GlobalTracer [baseline] (317.615 ms) : 0, 317615
GlobalTracer [candidate] (319.302 ms) : 0, 319302
AppSec [baseline] (54.861 ms) : 0, 54861
AppSec [candidate] (54.834 ms) : 0, 54834
Remote Config [baseline] (696.449 µs) : 0, 696
Remote Config [candidate] (687.395 µs) : 0, 687
Telemetry [baseline] (12.788 ms) : 0, 12788
Telemetry [candidate] (10.615 ms) : 0, 10615
section iast
BytebuddyAgent [baseline] (813.077 ms) : 0, 813077
BytebuddyAgent [candidate] (813.823 ms) : 0, 813823
GlobalTracer [baseline] (305.857 ms) : 0, 305857
GlobalTracer [candidate] (305.739 ms) : 0, 305739
AppSec [baseline] (57.194 ms) : 0, 57194
AppSec [candidate] (58.008 ms) : 0, 58008
IAST [baseline] (21.866 ms) : 0, 21866
IAST [candidate] (21.381 ms) : 0, 21381
Remote Config [baseline] (637.174 µs) : 0, 637
Remote Config [candidate] (667.338 µs) : 0, 667
Telemetry [baseline] (7.53 ms) : 0, 7530
Telemetry [candidate] (7.568 ms) : 0, 7568
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (818.487 ms) : 0, 818487
BytebuddyAgent [candidate] (813.234 ms) : 0, 813234
GlobalTracer [baseline] (306.433 ms) : 0, 306433
GlobalTracer [candidate] (305.469 ms) : 0, 305469
AppSec [baseline] (57.811 ms) : 0, 57811
AppSec [candidate] (56.428 ms) : 0, 56428
IAST [baseline] (21.203 ms) : 0, 21203
IAST [candidate] (22.794 ms) : 0, 22794
Remote Config [baseline] (650.366 µs) : 0, 650
Remote Config [candidate] (639.692 µs) : 0, 640
Telemetry [baseline] (7.579 ms) : 0, 7579
Telemetry [candidate] (7.486 ms) : 0, 7486
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (810.8 ms) : 0, 810800
BytebuddyAgent [candidate] (809.62 ms) : 0, 809620
GlobalTracer [baseline] (305.182 ms) : 0, 305182
GlobalTracer [candidate] (305.606 ms) : 0, 305606
AppSec [baseline] (57.735 ms) : 0, 57735
AppSec [candidate] (56.927 ms) : 0, 56927
IAST [baseline] (21.593 ms) : 0, 21593
IAST [candidate] (21.278 ms) : 0, 21278
Remote Config [baseline] (657.751 µs) : 0, 658
Remote Config [candidate] (623.921 µs) : 0, 624
Telemetry [baseline] (7.514 ms) : 0, 7514
Telemetry [candidate] (7.42 ms) : 0, 7420
LoadParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics. Request duration reports for petclinicgantt
title petclinic - request duration [CI 0.99] : candidate=1.44.0-SNAPSHOT~454fad6e2a, baseline=1.44.0-SNAPSHOT~aa7092b92b
dateFormat X
axisFormat %s
section baseline
no_agent (1.353 ms) : 1333, 1372
. : milestone, 1353,
appsec (1.748 ms) : 1723, 1773
. : milestone, 1748,
appsec_no_iast (1.738 ms) : 1713, 1763
. : milestone, 1738,
iast (1.494 ms) : 1470, 1517
. : milestone, 1494,
profiling (1.502 ms) : 1479, 1525
. : milestone, 1502,
tracing (1.492 ms) : 1467, 1517
. : milestone, 1492,
section candidate
no_agent (1.343 ms) : 1323, 1362
. : milestone, 1343,
appsec (1.728 ms) : 1705, 1752
. : milestone, 1728,
appsec_no_iast (1.741 ms) : 1715, 1766
. : milestone, 1741,
iast (1.495 ms) : 1472, 1518
. : milestone, 1495,
profiling (1.479 ms) : 1456, 1503
. : milestone, 1479,
tracing (1.477 ms) : 1453, 1501
. : milestone, 1477,
Request duration reports for insecure-bankgantt
title insecure-bank - request duration [CI 0.99] : candidate=1.44.0-SNAPSHOT~454fad6e2a, baseline=1.44.0-SNAPSHOT~aa7092b92b
dateFormat X
axisFormat %s
section baseline
no_agent (370.356 µs) : 351, 390
. : milestone, 370,
iast (487.494 µs) : 466, 509
. : milestone, 487,
iast_FULL (647.204 µs) : 626, 669
. : milestone, 647,
iast_GLOBAL (522.899 µs) : 500, 546
. : milestone, 523,
iast_HARDCODED_SECRET_DISABLED (492.328 µs) : 470, 514
. : milestone, 492,
iast_INACTIVE (446.687 µs) : 426, 468
. : milestone, 447,
iast_TELEMETRY_OFF (474.577 µs) : 453, 496
. : milestone, 475,
tracing (448.423 µs) : 427, 470
. : milestone, 448,
section candidate
no_agent (374.946 µs) : 355, 395
. : milestone, 375,
iast (492.24 µs) : 470, 514
. : milestone, 492,
iast_FULL (649.224 µs) : 628, 671
. : milestone, 649,
iast_GLOBAL (516.618 µs) : 495, 538
. : milestone, 517,
iast_HARDCODED_SECRET_DISABLED (488.321 µs) : 467, 510
. : milestone, 488,
iast_INACTIVE (454.794 µs) : 434, 476
. : milestone, 455,
iast_TELEMETRY_OFF (478.609 µs) : 457, 500
. : milestone, 479,
tracing (451.709 µs) : 430, 473
. : milestone, 452,
DacapoParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics. Execution time for tomcatgantt
title tomcat - execution time [CI 0.99] : candidate=1.44.0-SNAPSHOT~454fad6e2a, baseline=1.44.0-SNAPSHOT~aa7092b92b
dateFormat X
axisFormat %s
section baseline
no_agent (1.483 ms) : 1471, 1494
. : milestone, 1483,
appsec (2.626 ms) : 2557, 2694
. : milestone, 2626,
iast (2.397 ms) : 2313, 2481
. : milestone, 2397,
iast_GLOBAL (2.435 ms) : 2351, 2519
. : milestone, 2435,
profiling (2.271 ms) : 2199, 2343
. : milestone, 2271,
tracing (2.21 ms) : 2142, 2277
. : milestone, 2210,
section candidate
no_agent (1.484 ms) : 1472, 1496
. : milestone, 1484,
appsec (2.624 ms) : 2556, 2692
. : milestone, 2624,
iast (2.4 ms) : 2316, 2484
. : milestone, 2400,
iast_GLOBAL (2.444 ms) : 2359, 2528
. : milestone, 2444,
profiling (2.264 ms) : 2192, 2335
. : milestone, 2264,
tracing (2.209 ms) : 2141, 2277
. : milestone, 2209,
Execution time for biojavagantt
title biojava - execution time [CI 0.99] : candidate=1.44.0-SNAPSHOT~454fad6e2a, baseline=1.44.0-SNAPSHOT~aa7092b92b
dateFormat X
axisFormat %s
section baseline
no_agent (15.055 s) : 15055000, 15055000
. : milestone, 15055000,
appsec (14.696 s) : 14696000, 14696000
. : milestone, 14696000,
iast (18.274 s) : 18274000, 18274000
. : milestone, 18274000,
iast_GLOBAL (17.225 s) : 17225000, 17225000
. : milestone, 17225000,
profiling (15.353 s) : 15353000, 15353000
. : milestone, 15353000,
tracing (14.577 s) : 14577000, 14577000
. : milestone, 14577000,
section candidate
no_agent (14.936 s) : 14936000, 14936000
. : milestone, 14936000,
appsec (14.853 s) : 14853000, 14853000
. : milestone, 14853000,
iast (18.346 s) : 18346000, 18346000
. : milestone, 18346000,
iast_GLOBAL (17.265 s) : 17265000, 17265000
. : milestone, 17265000,
profiling (14.437 s) : 14437000, 14437000
. : milestone, 14437000,
tracing (14.598 s) : 14598000, 14598000
. : milestone, 14598000,
|
smola
requested changes
Nov 28, 2024
dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/propagation/StringModuleTest.groovy
Show resolved
Hide resolved
smola
approved these changes
Dec 11, 2024
Mariovido
deleted the
mario.vidal/taint_tracking_string_builder_append
branch
December 12, 2024 10:49
svc-squareup-copybara
pushed a commit
to cashapp/misk
that referenced
this pull request
Dec 16, 2024
| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [com.google.api.grpc:proto-google-common-protos](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.49.0` -> `2.50.0` | | [com.google.cloud:google-cloud-core-http](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.48.0` -> `2.49.0` | | [com.google.cloud:google-cloud-spanner](https://github.com/googleapis/java-spanner) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `6.82.0` -> `6.83.0` | | [com.google.cloud:google-cloud-logging](https://github.com/googleapis/java-logging) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `3.20.7` -> `3.21.0` | | [com.google.cloud:google-cloud-datastore](https://github.com/googleapis/java-datastore) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.24.3` -> `2.25.1` | | [com.google.cloud:google-cloud-core](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.48.0` -> `2.49.0` | | [com.google.api:gax](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.58.0` -> `2.59.0` | | [com.autonomousapps.dependency-analysis](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin) | plugin | misk/gradle/libs.versions.toml | gradle | patch | `2.6.0` -> `2.6.1` | | [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.43.0` -> `1.44.1` | | [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.43.0` -> `1.44.1` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` | | [com.amazonaws:aws-java-sdk-sqs](https://aws.amazon.com/sdkforjava) ([source](https://github.com/aws/aws-sdk-java)) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.12.779` -> `1.12.780` | | [com.amazonaws:aws-java-sdk-s3](https://aws.amazon.com/sdkforjava) ([source](https://github.com/aws/aws-sdk-java)) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.12.779` -> `1.12.780` | | [com.amazonaws:aws-java-sdk-dynamodb](https://aws.amazon.com/sdkforjava) ([source](https://github.com/aws/aws-sdk-java)) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.12.779` -> `1.12.780` | | [com.amazonaws:aws-java-sdk-core](https://aws.amazon.com/sdkforjava) ([source](https://github.com/aws/aws-sdk-java)) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.12.779` -> `1.12.780` | --- ### Release Notes <details> <summary>googleapis/sdk-platform-java (com.google.api.grpc:proto-google-common-protos)</summary> ### [`v2.50.0`](https://github.com/googleapis/sdk-platform-java/blob/HEAD/CHANGELOG.md#2500-2024-11-14) ##### Features - Add experimental S2A integration in client libraries grpc transport ([#​3326](googleapis/sdk-platform-java#3326)) ([1138ca6](googleapis/sdk-platform-java@1138ca6)) - enable selective generation based on service config include list ([#​3323](googleapis/sdk-platform-java#3323)) ([0cddadb](googleapis/sdk-platform-java@0cddadb)) - introduce `java.time` to java-core ([#​3330](googleapis/sdk-platform-java#3330)) ([f202c3b](googleapis/sdk-platform-java@f202c3b)) - Update Gapic-Generator to generate libraries using `java.time` methods ([#​3321](googleapis/sdk-platform-java#3321)) ([b21c9a4](googleapis/sdk-platform-java@b21c9a4)) ##### Bug Fixes - Fix flaky test ScheduledRetryingExecutorTest.testCancelOuterFutureAfterStart ([#​3335](googleapis/sdk-platform-java#3335)) ([e73740d](googleapis/sdk-platform-java@e73740d)) - httpjson callables to trace attempts (started, failed) ([#​3300](googleapis/sdk-platform-java#3300)) ([15a64ee](googleapis/sdk-platform-java@15a64ee)) - instantiate GaxProperties at build time to ensure we get the protobuf version ([#​3365](googleapis/sdk-platform-java#3365)) ([bb2a3be](googleapis/sdk-platform-java@bb2a3be)) - protobuf version not always getting set in headers ([#​3322](googleapis/sdk-platform-java#3322)) ([7f6e470](googleapis/sdk-platform-java@7f6e470)) - use BuildKit instead of legacy builder to build the Hermetic Build images ([#​3338](googleapis/sdk-platform-java#3338)) ([222fb45](googleapis/sdk-platform-java@222fb45)) ##### Dependencies - update google auth library dependencies to v1.30.0 ([#​3367](googleapis/sdk-platform-java#3367)) ([a31c682](googleapis/sdk-platform-java@a31c682)) - update grpc dependencies to v1.68.1 ([#​3240](googleapis/sdk-platform-java#3240)) ([c8e3941](googleapis/sdk-platform-java@c8e3941)) ##### Documentation - fix list num ([#​3356](googleapis/sdk-platform-java#3356)) ([b7d6296](googleapis/sdk-platform-java@b7d6296)) - **hermetic-build:** indicate usage of Docker Buildkit in development guide ([#​3337](googleapis/sdk-platform-java#3337)) ([01e742d](googleapis/sdk-platform-java@01e742d)) - modify hermetic build docs ([#​3331](googleapis/sdk-platform-java#3331)) ([25023af](googleapis/sdk-platform-java@25023af)) </details> <details> <summary>googleapis/java-spanner (com.google.cloud:google-cloud-spanner)</summary> ### [`v6.83.0`](https://github.com/googleapis/java-spanner/blob/HEAD/CHANGELOG.md#6830-2024-12-13) ##### Features - Add Metrics host for built in metrics ([#​3519](googleapis/java-spanner#3519)) ([4ed455a](googleapis/java-spanner@4ed455a)) - Add opt-in for using multiplexed sessions for blind writes ([#​3540](googleapis/java-spanner#3540)) ([216f53e](googleapis/java-spanner@216f53e)) - Add UUID in Spanner TypeCode enum ([41f83dc](googleapis/java-spanner@41f83dc)) - Introduce java.time variables and methods ([#​3495](googleapis/java-spanner#3495)) ([8a7d533](googleapis/java-spanner@8a7d533)) - **spanner:** Support multiplexed session for Partitioned operations ([#​3231](googleapis/java-spanner#3231)) ([4501a3e](googleapis/java-spanner@4501a3e)) - Support 'set local' for retry_aborts_internally ([#​3532](googleapis/java-spanner#3532)) ([331942f](googleapis/java-spanner@331942f)) ##### Bug Fixes - **deps:** Update the Java code generator (gapic-generator-java) to 2.51.0 ([41f83dc](googleapis/java-spanner@41f83dc)) ##### Dependencies - Update sdk platform java dependencies ([#​3549](googleapis/java-spanner#3549)) ([6235f0f](googleapis/java-spanner@6235f0f)) </details> <details> <summary>googleapis/java-logging (com.google.cloud:google-cloud-logging)</summary> ### [`v3.21.0`](https://github.com/googleapis/java-logging/blob/HEAD/CHANGELOG.md#3210-2024-12-13) ##### Features - Introduce `java.time` methods ([#​1729](googleapis/java-logging#1729)) ([323eb33](googleapis/java-logging@323eb33)) ##### Bug Fixes - **deps:** Update the Java code generator (gapic-generator-java) to 2.51.0 ([04d8868](googleapis/java-logging@04d8868)) ##### Dependencies - Update dependency io.opentelemetry:opentelemetry-bom to v1.45.0 ([#​1638](googleapis/java-logging#1638)) ([7e007d4](googleapis/java-logging@7e007d4)) - Update sdk platform java dependencies ([#​1736](googleapis/java-logging#1736)) ([88b4cdf](googleapis/java-logging@88b4cdf)) </details> <details> <summary>googleapis/java-datastore (com.google.cloud:google-cloud-datastore)</summary> ### [`v2.25.1`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2251-2024-12-13) ##### Bug Fixes - **deps:** Update the Java code generator (gapic-generator-java) to 2.51.0 ([106ee4d](googleapis/java-datastore@106ee4d)) ##### Dependencies - Update sdk platform java dependencies ([#​1685](googleapis/java-datastore#1685)) ([4372350](googleapis/java-datastore@4372350)) ### [`v2.25.0`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2250-2024-12-11) ##### Features - Introduce `java.time` methods and variables ([#​1671](googleapis/java-datastore#1671)) ([5a78a80](googleapis/java-datastore@5a78a80)) ##### Dependencies - Update dependency com.google.cloud:gapic-libraries-bom to v1.48.0 ([#​1605](googleapis/java-datastore#1605)) ([5c6a678](googleapis/java-datastore@5c6a678)) ##### Documentation - Update gapic upgrade installation instructions ([#​1677](googleapis/java-datastore#1677)) ([b3fbfcc](googleapis/java-datastore@b3fbfcc)) </details> <details> <summary>autonomousapps/dependency-analysis-android-gradle-plugin (com.autonomousapps.dependency-analysis)</summary> ### [`v2.6.1`](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin/blob/HEAD/CHANGELOG.md#Version-261) - \[Fix]: `superClassName` can be null (Object has no superclass). </details> <details> <summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary> ### [`v1.44.1`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.44.1): 1.44.1 ##### Components ##### Continuous Integration Visibility - 🐛 Fix tracing JUnit5 tests in Maven projects with multiple forks ([#​8089](DataDog/dd-trace-java#8089) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) ### [`v1.44.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.44.0): 1.44.0 ##### Known Issues > \[!WARNING]\ > This release contains a known issue that causes failures when using Test Optimization to trace JUnit 5 tests in a Maven project where Maven Surefire is configured with `forkCount` > 1. > The issue is fixed in v1.44.1 ##### Breaking Changes > \[!WARNING]\ > Support for `X-Forwarded` header is dropped from default client IP resolution. > It can still be re-activated using the `dd.trace.client-ip-header=x-forwarded` system property, or the `DD_TRACE_CLIENT_IP_HEADER=x-forwarded` environment variable. See [#​7946](DataDog/dd-trace-java#7946). ##### Components ##### Application Security Management (IAST) - ✨ Set unexpected IAST exceptions to debug log level ([#​8044](DataDog/dd-trace-java#8044) - [@​smola](https://github.com/smola)) - ✨ Increase IAST propagation to StringBuffer subSequence ([#​8038](DataDog/dd-trace-java#8038) - [@​Mariovido](https://github.com/Mariovido)) - ✨ Increase IAST propagation to StringBuilder subSequence ([#​8026](DataDog/dd-trace-java#8026) - [@​Mariovido](https://github.com/Mariovido)) - ✨ Add IAST propagation to String valueOf ([#​8013](DataDog/dd-trace-java#8013) - [@​Mariovido](https://github.com/Mariovido)) - ✨ Increase IAST propagation to StringBuilder append ([#​8010](DataDog/dd-trace-java#8010) - [@​Mariovido](https://github.com/Mariovido)) - ✨ Expand SSRF support in IAST to apache-httpclient-5 and apache-httpasyncclient-4 ([#​7920](DataDog/dd-trace-java#7920) - [@​Mariovido](https://github.com/Mariovido)) ##### Build & Tooling - ✨ Generate Muzzle classes for Groovy instrumentations ([#​8004](DataDog/dd-trace-java#8004) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) ##### Continuous Integration Visibility - ✨ Support distributed traces in tests ([#​8078](DataDog/dd-trace-java#8078) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Implement fail-fast tests ordering for JUnit 5 ([#​8055](DataDog/dd-trace-java#8055) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Mark JUnit 5 setup and teardown action spans as failed if there is an error ([#​8033](DataDog/dd-trace-java#8033) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Add tracing of setup and teardown actions in JUnit 4 ([#​8030](DataDog/dd-trace-java#8030) - [@​daniel-mohedano](https://github.com/daniel-mohedano)) ##### Crash tracking - ✨ Improve crash tracking install logging ([#​8045](DataDog/dd-trace-java#8045) - [@​PerfectSlayer](https://github.com/PerfectSlayer)) ##### Data Streams Monitoring - 🐛 Add Data Streams support in AWS SQS without raw message delivery ([#​8071](DataDog/dd-trace-java#8071) - [@​piochelepiotr](https://github.com/piochelepiotr)) - ✨ Add new tag for enabled products / features to DSM checkpoints ([#​8051](DataDog/dd-trace-java#8051) - [@​kr-igor](https://github.com/kr-igor)) - 💡 Instrument self hosted Kafka connectors ([#​7959](DataDog/dd-trace-java#7959) - [@​piochelepiotr](https://github.com/piochelepiotr)) ##### Dynamic Instrumentation - ✨ Add Micronaut 4 support for code origin for spans ([#​8039](DataDog/dd-trace-java#8039) - [@​jpbempel](https://github.com/jpbempel)) - ✨ Refactor probe matching for methods ([#​8021](DataDog/dd-trace-java#8021) - [@​jpbempel](https://github.com/jpbempel)) - ✨ Update the CodeOriginProbe fingerprint to not rely on a stack walk ([#​8016](DataDog/dd-trace-java#8016) - [@​evanchooly](https://github.com/evanchooly)) - ✨ Implement code origin support for grpc server entry spans ([#​7942](DataDog/dd-trace-java#7942) - [@​evanchooly](https://github.com/evanchooly)) ##### GraalVM native-image - 🐛 Update Graal build-time instrumentation config for TracePropagationStyle ([#​8065](DataDog/dd-trace-java#8065) - [@​MattAlp](https://github.com/MattAlp)) - 🐛 Fix NoClassDefFoundError: Could not initialize class DDSpanLink$EncoderHolder in Graal native-image ([#​8036](DataDog/dd-trace-java#8036) - [@​mcculls](https://github.com/mcculls)) - 🐛🧹 Fix native-image generation of reactive applications ([#​8012](DataDog/dd-trace-java#8012) - [@​mcculls](https://github.com/mcculls)) ##### OpenTracing - 🧹 Custom ScopeManagers are deprecated and will be removed in a future release of dd-trace-ot ([#​8058](DataDog/dd-trace-java#8058) - [@​mcculls](https://github.com/mcculls)) ##### Tracer core - ✨🧪 Service naming: split by jee deployment ([#​8064](DataDog/dd-trace-java#8064) - [@​amarziali](https://github.com/amarziali)) - ✨ Exclude jboss mdb proxies from instrumenting ([#​8061](DataDog/dd-trace-java#8061) - [@​amarziali](https://github.com/amarziali)) - ✨ Add a built-in trace interceptor for keeping traces depending of their latency ([#​8040](DataDog/dd-trace-java#8040) - [@​cecile75](https://github.com/cecile75)) - 💡 Introduce marker mechanism for eagerly initializing helpers ([#​8028](DataDog/dd-trace-java#8028) - [@​mcculls](https://github.com/mcculls)) - 💡 Add JSON component ([#​7973](DataDog/dd-trace-java#7973) - [@​PerfectSlayer](https://github.com/PerfectSlayer)) - ✨⚠️ Remove support for X-Forwarded in client IP resolution ([#​7946](DataDog/dd-trace-java#7946) - [@​smola](https://github.com/smola)) ##### Instrumentations ##### Apache HttpComponents - ✨ Expand SSRF support in IAST to apache-httpclient-5 and apache-httpasyncclient-4 ([#​7920](DataDog/dd-trace-java#7920) - [@​Mariovido](https://github.com/Mariovido)) ##### gRPC instrumentation - 🐛 Use lower priorities for grpc server errors ([#​8043](DataDog/dd-trace-java#8043) - [@​amarziali](https://github.com/amarziali)) ##### JDBC instrumentation - ✨ Add trace injection for prepared statements in Postgres ([#​7940](DataDog/dd-trace-java#7940) - [@​nenadnoveljic](https://github.com/nenadnoveljic)) ##### JMS instrumentation - 🐛 Protect mdb from instrumenting multiple time the same event ([#​8062](DataDog/dd-trace-java#8062) - [@​amarziali](https://github.com/amarziali)) ##### Kafka instrumentation - 💡 Instrument self hosted Kafka connectors ([#​7959](DataDog/dd-trace-java#7959) - [@​piochelepiotr](https://github.com/piochelepiotr)) ##### OpenTelemetry instrumentation - 🐛 Support using OpenTelemetry Event API inside `@WithSpan` annotated method ([#​8019](DataDog/dd-trace-java#8019) - [@​mcculls](https://github.com/mcculls)) ##### Reactor instrumentation - 🐛🧹 Fix native-image generation of reactive applications ([#​8012](DataDog/dd-trace-java#8012) - [@​mcculls](https://github.com/mcculls)) ##### Spring instrumentation - 🐛 Avoid double instrumenting lambdas on latest spring scheduling ([#​8005](DataDog/dd-trace-java#8005) - [@​amarziali](https://github.com/amarziali)) ##### All other instrumentations - 🐛 Twilio: allow service name flattening ([#​8025](DataDog/dd-trace-java#8025) - [@​amarziali](https://github.com/amarziali)) - ✨ Instrument Mulesoft 4.5.0+ ([#​7981](DataDog/dd-trace-java#7981) - [@​amarziali](https://github.com/amarziali)) </details> <details> <summary>aws/aws-sdk-java (com.amazonaws:aws-java-sdk-sqs)</summary> ### [`v1.12.780`](https://github.com/aws/aws-sdk-java/blob/HEAD/CHANGELOG.md#112780-2024-12-11) [Compare Source](aws/aws-sdk-java@1.12.779...1.12.780) #### **Amazon Simple Storage Service** - ### Bugfixes - AWS SDK for Java 1.x now includes additional validation for Amazon S3 client APIs to handle scenarios where an empty string ('') is passed as the key argument to the following operations: PutObject, DeleteObject, ListObjects, GetObjectMetaData, ListObjectsV2, SetObjectTagging, GetObjectTagging, SetObjectAcl, GetObjectAcl, SetObjectLegalHold, GetObjectLegalHold, CopyObject, CopyPart, SelectObjectContent, SetObjectRetention, GetObjectRetention, AbortMultipartUpload, CompleteMultipartUpload, InitiateMultipartUpload, ListParts, UploadPart, RestoreObjectV2, and RestoreObject. The SDK will validate the key argument and throw an exception if it is an empty string, ensuring correct and expected behavior. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: 69831bc62ea4d80cdcd42cef2aa9bd8eda28ae8c
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What Does This Do
This adds the instrumentation to propagate the taint values through the following methods of
StringBuilder
:append(CharSequence, int, int)
append(StringBuffer)
Motivation
Increase propagation of
StringBuilder
methods.Additional Notes
Contributor Checklist
type:
and (comp:
orinst:
) labels in addition to any usefull labelsclose
,fix
or any linking keywords when referencing an issue.Use
solves
instead, and assign the PR milestone to the issueJira ticket: APPSEC-55358