
Exclude false positive weak randomness #8232

Merged

Conversation

jandro996
Member

@jandro996 jandro996 commented Jan 16, 2025

What Does This Do

Exclude from iast:

  • com.microsoft.azure.storage.RetryExponentialRetry
  • com.facebook.presto.hive.RetryDriver
  • com.facebook.presto.verifier.retry.RetryDriver
  • io.fabric8.kubernetes.client.informers.impl.cache.Reflector
  • io.trino.plugin.hive.metastore.thrift.RetryDriver
  • io.trino.hdfs.s3.RetryDriver

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-56331, [APPSEC-56323], [APPSEC-56322]

@pr-commenter

pr-commenter bot commented Jan 16, 2025

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/Exclude-false-positive-APPSEC-56331 |
| git_commit_date | 1737359998 | 1737359996 |
| git_commit_sha | 0767e3c | cd2d6b5 |
| release_version | 1.46.0-SNAPSHOT~0767e3c446 | 1.46.0-SNAPSHOT~cd2d6b5a6b |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1737362486 | 1737362486 |
| ci_job_id | 772244302 | 772244302 |
| ci_pipeline_id | 53447212 | 53447212 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 57 metrics, 5 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:startup:petclinic:profiling:Remote Config | better: [-61.989µs; -21.467µs] or [-8.676%; -3.005%] | 672.765µs | 714.493µs |
Startup time reports for petclinic
(Gantt chart omitted: petclinic - global startup overhead, candidate=1.46.0-SNAPSHOT~cd2d6b5a6b, baseline=1.46.0-SNAPSHOT~0767e3c446; the plotted values are the ones tabulated below.)
  • baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.06 s | - |
| Agent | appsec | 1.192 s | 131.985 ms (12.5%) |
| Agent | iast | 1.198 s | 137.476 ms (13.0%) |
| Agent | profiling | 1.257 s | 197.23 ms (18.6%) |
| Total | tracing | 10.517 s | - |
| Total | appsec | 10.714 s | 196.873 ms (1.9%) |
| Total | iast | 11.051 s | 533.492 ms (5.1%) |
| Total | profiling | 10.835 s | 318.338 ms (3.0%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.054 s | - |
| Agent | appsec | 1.195 s | 140.536 ms (13.3%) |
| Agent | iast | 1.19 s | 135.55 ms (12.9%) |
| Agent | profiling | 1.267 s | 212.451 ms (20.1%) |
| Total | tracing | 10.5 s | - |
| Total | appsec | 10.793 s | 293.095 ms (2.8%) |
| Total | iast | 11.01 s | 510.49 ms (4.9%) |
| Total | profiling | 10.838 s | 338.163 ms (3.2%) |
Break down per module for petclinic (candidate=1.46.0-SNAPSHOT~cd2d6b5a6b, baseline=1.46.0-SNAPSHOT~0767e3c446):

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 716.615 ms | 714.603 ms |
| tracing | GlobalTracer | 257.818 ms | 256.027 ms |
| tracing | AppSec | 56.902 ms | 55.286 ms |
| tracing | Remote Config | 742.948 µs | 721.452 µs |
| tracing | Telemetry | 12.98 ms | 12.823 ms |
| appsec | BytebuddyAgent | 733.124 ms | 735.02 ms |
| appsec | GlobalTracer | 253.895 ms | 254.526 ms |
| appsec | AppSec | 171.516 ms | 171.31 ms |
| appsec | IAST | 19.365 ms | 19.646 ms |
| appsec | Remote Config | 669.033 µs | 669.997 µs |
| appsec | Telemetry | 8.208 ms | 8.58 ms |
| iast | BytebuddyAgent | 841.683 ms | 836.716 ms |
| iast | GlobalTracer | 249.974 ms | 248.722 ms |
| iast | AppSec | 58.951 ms | 58.294 ms |
| iast | IAST | 22.129 ms | 21.626 ms |
| iast | Remote Config | 698.641 µs | 664.503 µs |
| iast | Telemetry | 9.01 ms | 8.868 ms |
| profiling | BytebuddyAgent | 705.226 ms | 711.383 ms |
| profiling | GlobalTracer | 350.186 ms | 352.588 ms |
| profiling | AppSec | 54.975 ms | 54.466 ms |
| profiling | Remote Config | 714.493 µs | 672.765 µs |
| profiling | Telemetry | 8.8 ms | 8.97 ms |
| profiling | ProfilingAgent | 95.416 ms | 96.513 ms |
| profiling | Profiling | 95.44 ms | 96.537 ms |
Startup time reports for insecure-bank
(Gantt chart omitted: insecure-bank - global startup overhead, candidate=1.46.0-SNAPSHOT~cd2d6b5a6b, baseline=1.46.0-SNAPSHOT~0767e3c446; the plotted values are the ones tabulated below.)
  • baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.059 s | - |
| Agent | iast | 1.199 s | 140.039 ms (13.2%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.187 s | 127.803 ms (12.1%) |
| Agent | iast_TELEMETRY_OFF | 1.191 s | 132.306 ms (12.5%) |
| Total | tracing | 8.699 s | - |
| Total | iast | 9.257 s | 558.211 ms (6.4%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.173 s | 474.204 ms (5.5%) |
| Total | iast_TELEMETRY_OFF | 9.209 s | 510.149 ms (5.9%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.063 s | - |
| Agent | iast | 1.194 s | 131.432 ms (12.4%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.188 s | 124.764 ms (11.7%) |
| Agent | iast_TELEMETRY_OFF | 1.184 s | 121.341 ms (11.4%) |
| Total | tracing | 8.687 s | - |
| Total | iast | 9.269 s | 582.72 ms (6.7%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.193 s | 506.067 ms (5.8%) |
| Total | iast_TELEMETRY_OFF | 9.205 s | 518.007 ms (6.0%) |
Break down per module for insecure-bank (candidate=1.46.0-SNAPSHOT~cd2d6b5a6b, baseline=1.46.0-SNAPSHOT~0767e3c446):

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 716.933 ms | 719.48 ms |
| tracing | GlobalTracer | 256.124 ms | 258.01 ms |
| tracing | AppSec | 55.685 ms | 55.78 ms |
| tracing | Remote Config | 738.029 µs | 733.366 µs |
| tracing | Telemetry | 14.388 ms | 13.737 ms |
| iast | BytebuddyAgent | 842.481 ms | 840.15 ms |
| iast | GlobalTracer | 250.449 ms | 248.949 ms |
| iast | AppSec | 59.063 ms | 58.501 ms |
| iast | IAST | 22.11 ms | 21.713 ms |
| iast | Remote Config | 687.322 µs | 694.443 µs |
| iast | Telemetry | 9.053 ms | 8.919 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 834.246 ms | 835.171 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 247.439 ms | 247.64 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 58.636 ms | 58.422 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 21.665 ms | 21.716 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 668.541 µs | 683.202 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 8.942 ms | 8.818 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 838.781 ms | 832.809 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 248.658 ms | 247.798 ms |
| iast_TELEMETRY_OFF | AppSec | 58.107 ms | 58.079 ms |
| iast_TELEMETRY_OFF | IAST | 21.158 ms | 20.92 ms |
| iast_TELEMETRY_OFF | Remote Config | 694.849 µs | 676.553 µs |
| iast_TELEMETRY_OFF | Telemetry | 8.76 ms | 8.662 ms |

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2025-01-20T08:11:20 | 2025-01-20T08:18:25 |
| git_branch | master | alejandro.gonzalez/Exclude-false-positive-APPSEC-56331 |
| git_commit_date | 1737359998 | 1737359996 |
| git_commit_sha | 0767e3c | cd2d6b5 |
| release_version | 1.46.0-SNAPSHOT~0767e3c446 | 1.46.0-SNAPSHOT~cd2d6b5a6b |
| start_time | 2025-01-20T08:11:06 | 2025-01-20T08:18:11 |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1737361463 | 1737361463 |
| ci_job_id | 772244303 | 772244303 |
| ci_pipeline_id | 53447212 | 53447212 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for petclinic
(Gantt chart omitted: petclinic - request duration [CI 0.99], candidate=1.46.0-SNAPSHOT~cd2d6b5a6b, baseline=1.46.0-SNAPSHOT~0767e3c446; the plotted values and confidence intervals are the ones tabulated below.)
  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.359 ms [1.34 ms, 1.378 ms] | - |
| appsec | 1.757 ms [1.733 ms, 1.782 ms] | 398.22 µs (29.3%) |
| appsec_no_iast | 1.767 ms [1.743 ms, 1.792 ms] | 408.292 µs (30.0%) |
| iast | 1.503 ms [1.479 ms, 1.528 ms] | 144.217 µs (10.6%) |
| profiling | 1.58 ms [1.555 ms, 1.605 ms] | 220.692 µs (16.2%) |
| tracing | 1.48 ms [1.454 ms, 1.505 ms] | 120.742 µs (8.9%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.367 ms [1.346 ms, 1.387 ms] | - |
| appsec | 1.761 ms [1.736 ms, 1.786 ms] | 394.088 µs (28.8%) |
| appsec_no_iast | 1.765 ms [1.741 ms, 1.789 ms] | 398.189 µs (29.1%) |
| iast | 1.517 ms [1.493 ms, 1.542 ms] | 150.646 µs (11.0%) |
| profiling | 1.523 ms [1.499 ms, 1.547 ms] | 156.178 µs (11.4%) |
| tracing | 1.478 ms [1.452 ms, 1.504 ms] | 111.367 µs (8.1%) |
Request duration reports for insecure-bank
(Gantt chart omitted: insecure-bank - request duration [CI 0.99], candidate=1.46.0-SNAPSHOT~cd2d6b5a6b, baseline=1.46.0-SNAPSHOT~0767e3c446; the plotted values and confidence intervals are the ones tabulated below.)
  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 386.366 µs [366.424 µs, 406.308 µs] | - |
| iast | 508.371 µs [486.91 µs, 529.833 µs] | 122.005 µs (31.6%) |
| iast_FULL | 737.966 µs [715.946 µs, 759.986 µs] | 351.6 µs (91.0%) |
| iast_GLOBAL | 549.078 µs [527.503 µs, 570.653 µs] | 162.712 µs (42.1%) |
| iast_HARDCODED_SECRET_DISABLED | 508.766 µs [486.847 µs, 530.685 µs] | 122.4 µs (31.7%) |
| iast_INACTIVE | 458.943 µs [437.387 µs, 480.499 µs] | 72.577 µs (18.8%) |
| iast_TELEMETRY_OFF | 495.187 µs [473.016 µs, 517.358 µs] | 108.821 µs (28.2%) |
| tracing | 452.461 µs [431.169 µs, 473.752 µs] | 66.095 µs (17.1%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 381.563 µs [361.853 µs, 401.273 µs] | - |
| iast | 507.676 µs [485.669 µs, 529.683 µs] | 126.113 µs (33.1%) |
| iast_FULL | 742.566 µs [720.61 µs, 764.522 µs] | 361.003 µs (94.6%) |
| iast_GLOBAL | 547.358 µs [525.643 µs, 569.074 µs] | 165.795 µs (43.5%) |
| iast_HARDCODED_SECRET_DISABLED | 509.743 µs [487.793 µs, 531.693 µs] | 128.18 µs (33.6%) |
| iast_INACTIVE | 459.853 µs [438.379 µs, 481.327 µs] | 78.29 µs (20.5%) |
| iast_TELEMETRY_OFF | 492.202 µs [470.2 µs, 514.203 µs] | 110.639 µs (29.0%) |
| tracing | 455.45 µs [433.689 µs, 477.211 µs] | 73.887 µs (19.4%) |

Dacapo

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/Exclude-false-positive-APPSEC-56331 |
| git_commit_date | 1737359998 | 1737359996 |
| git_commit_sha | 0767e3c | cd2d6b5 |
| release_version | 1.46.0-SNAPSHOT~0767e3c446 | 1.46.0-SNAPSHOT~cd2d6b5a6b |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1737361914 | 1737361914 |
| ci_job_id | 772244304 | 772244304 |
| ci_pipeline_id | 53447212 | 53447212 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat
(Gantt chart omitted: tomcat - execution time [CI 0.99], candidate=1.46.0-SNAPSHOT~cd2d6b5a6b, baseline=1.46.0-SNAPSHOT~0767e3c446; the plotted values and confidence intervals are the ones tabulated below.)
  • baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.473 ms [1.461 ms, 1.484 ms] | - |
| appsec | 2.361 ms [2.318 ms, 2.405 ms] | 888.496 µs (60.3%) |
| iast | 2.113 ms [2.059 ms, 2.168 ms] | 640.642 µs (43.5%) |
| iast_GLOBAL | 2.152 ms [2.097 ms, 2.207 ms] | 678.899 µs (46.1%) |
| profiling | 1.955 ms [1.911 ms, 1.998 ms] | 481.809 µs (32.7%) |
| tracing | 1.95 ms [1.908 ms, 1.993 ms] | 477.766 µs (32.4%) |

  • candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.473 ms [1.461 ms, 1.484 ms] | - |
| appsec | 2.364 ms [2.321 ms, 2.407 ms] | 891.18 µs (60.5%) |
| iast | 2.116 ms [2.061 ms, 2.17 ms] | 643.226 µs (43.7%) |
| iast_GLOBAL | 2.147 ms [2.092 ms, 2.202 ms] | 674.327 µs (45.8%) |
| profiling | 2.005 ms [1.959 ms, 2.05 ms] | 531.932 µs (36.1%) |
| tracing | 1.955 ms [1.913 ms, 1.997 ms] | 482.588 µs (32.8%) |
Execution time for biojava
(Gantt chart omitted: biojava - execution time [CI 0.99], candidate=1.46.0-SNAPSHOT~cd2d6b5a6b, baseline=1.46.0-SNAPSHOT~0767e3c446; the plotted values are the ones tabulated below.)
  • baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.308 s [15.308 s, 15.308 s] | - |
| appsec | 15.012 s [15.012 s, 15.012 s] | -296.0 ms (-1.9%) |
| iast | 18.763 s [18.763 s, 18.763 s] | 3.455 s (22.6%) |
| iast_GLOBAL | 18.093 s [18.093 s, 18.093 s] | 2.785 s (18.2%) |
| profiling | 14.956 s [14.956 s, 14.956 s] | -352.0 ms (-2.3%) |
| tracing | 14.92 s [14.92 s, 14.92 s] | -388.0 ms (-2.5%) |

  • candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.292 s [15.292 s, 15.292 s] | - |
| appsec | 15.188 s [15.188 s, 15.188 s] | -104.0 ms (-0.7%) |
| iast | 18.649 s [18.649 s, 18.649 s] | 3.357 s (22.0%) |
| iast_GLOBAL | 17.958 s [17.958 s, 17.958 s] | 2.666 s (17.4%) |
| profiling | 15.431 s [15.431 s, 15.431 s] | 139.0 ms (0.9%) |
| tracing | 14.999 s [14.999 s, 14.999 s] | -293.0 ms (-1.9%) |

@jandro996 jandro996 added type: bug comp: asm iast Application Security Management (IAST) labels Jan 16, 2025
@jandro996 jandro996 marked this pull request as ready for review January 16, 2025 17:07
@jandro996 jandro996 requested a review from a team as a code owner January 16, 2025 17:07
@@ -142,6 +149,9 @@
1 io.r2dbc.*
1 io.reactivex.*
1 io.smallrye.*
# APPSEC-56331
1 io.trino.plugin.hive.metastore.thrift.RetryDriver
1 io.trino.hdfs.s3.RetryDriver
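Review bot: The two entries added under the `# APPSEC-56331` comment break the alphabetical order the surrounding list keeps (`io.r2dbc.*`, `io.reactivex.*`, `io.smallrye.*`): `io.trino.hdfs.s3.RetryDriver` sorts before `io.trino.plugin.hive.metastore.thrift.RetryDriver`, so swap those two lines. Keeping the ticket comment next to the entries is good practice, since an exclusion list silences a detector for those classes and a reader needs to be able to find the justification; note also that the PR description lists six classes while this hunk adds only the two `io.trino` ones, so the remaining four must be covered by hunks not shown in this excerpt.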


The order is wrong 😄

@jandro996 jandro996 added comp: api Tracer public API and removed comp: api Tracer public API labels Jan 20, 2025
@jandro996 jandro996 merged commit 74cdea0 into master Jan 20, 2025
174 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/Exclude-false-positive-APPSEC-56331 branch January 20, 2025 11:35
@github-actions github-actions bot added this to the 1.46.0 milestone Jan 20, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Jan 31, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.google.cloud:google-cloud-datastore](https://github.com/googleapis/java-datastore) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.25.4` -> `2.26.0` |
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.45.2` -> `1.46.0` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.45.2` -> `1.46.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |

---

### Release Notes

<details>
<summary>googleapis/java-datastore
(com.google.cloud:google-cloud-datastore)</summary>

### [`v2.26.0`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2260-2025-01-29)

##### Features

- Add firestoreInDatastoreMode for datastore emulator ([#1698](googleapis/java-datastore#1698)) ([50f106d](googleapis/java-datastore@50f106d))

##### Dependencies

- Update dependency com.google.cloud:sdk-platform-java-config to v3.42.0 ([#1725](googleapis/java-datastore#1725)) ([1cbaf22](googleapis/java-datastore@1cbaf22))

</details>

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.46.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.46.0): 1.46.0

##### Breaking Changes

> \[!WARNING]
> jnr-unixsocket is now an external dependency of dd-trace-ot and must be included when deploying dd-trace-ot.

> \[!NOTE]
> The API `TracerScope.setAsync(boolean)`, used to manually control asynchronous span propagation, does no more apply to the scope instance but to the active span scope.

##### Components

##### Application Security Management (IAST)

- 🐛 Fix String.replace instrumentation for IAST ([#8281](DataDog/dd-trace-java#8281) - [@Mariovido](https://github.com/Mariovido))
- ✨ Apply the standard nomenclature to the stacktrace configs ([#8244](DataDog/dd-trace-java#8244) - [@jandro996](https://github.com/jandro996))
- 🐛 Exclude false positive weak randomness ([#8232](DataDog/dd-trace-java#8232) - [@jandro996](https://github.com/jandro996))
- ✨ Propagation of translateEscapes of String class ([#8186](DataDog/dd-trace-java#8186) - [@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Add security control metrics ([#8175](DataDog/dd-trace-java#8175) - [@jandro996](https://github.com/jandro996))
- ✨ Increase IAST propagation to StringBuffer setLength ([#8128](DataDog/dd-trace-java#8128) - [@Mariovido](https://github.com/Mariovido))
- ✨ Add IAST taint tracking for DB values ([#8072](DataDog/dd-trace-java#8072) - [@Mariovido](https://github.com/Mariovido))

##### Application Security Management (WAF)

- 🐛 Prevents a NPE when there is no subscriber for user events ([#8258](DataDog/dd-trace-java#8258) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Apply the standard nomenclature to the stacktrace configs ([#8244](DataDog/dd-trace-java#8244) - [@jandro996](https://github.com/jandro996))
- 🐛 Ensure cached subscriptions are cleared on reconfiguration via RC ([#8229](DataDog/dd-trace-java#8229) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Add support for session tracking in Vertx ([#8167](DataDog/dd-trace-java#8167) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Create span tag: \_dd.appsec.rasp.timeout ([#8269](DataDog/dd-trace-java#8269) - [@Mariovido](https://github.com/Mariovido))

##### Build & Tooling

- 🐛 Ensure shaded helpers have unique names when injected into class-loaders ([#8192](DataDog/dd-trace-java#8192) - [@mcculls](https://github.com/mcculls))

##### Configuration at Runtime

- 🐛 Remove filtering of `DD_SERVICE` and `DD_ENV` from the tracer ([#8176](DataDog/dd-trace-java#8176) - [@mhlidd](https://github.com/mhlidd))

##### Continuous Integration Visibility

- 🧹 Generalize TestRetryPolicy to TestExecutionPolicy ([#8302](DataDog/dd-trace-java#8302) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Parallelize CI Visibility settings requests ([#8299](DataDog/dd-trace-java#8299) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Generalize test retry logic ([#8289](DataDog/dd-trace-java#8289) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Generalize tests skipping logic ([#8288](DataDog/dd-trace-java#8288) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Remove skip and shouldBeSkipped methods from TestEventsHandler in favor of isSkippable ([#8286](DataDog/dd-trace-java#8286) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨⚡ Optimize Git repository information computation ([#8270](DataDog/dd-trace-java#8270) - [@dougqh](https://github.com/dougqh))
- ✨ Always request known tests from the backend ([#8268](DataDog/dd-trace-java#8268) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Fix NPE when trying to get retry analyzer in Test NG ([#8253](DataDog/dd-trace-java#8253) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Set test framework and test framework version tags atomically ([#8252](DataDog/dd-trace-java#8252) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add debug logging to Android Gradle module layout logic ([#8251](DataDog/dd-trace-java#8251) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix source and destination folders computation for Android Gradle projects ([#8190](DataDog/dd-trace-java#8190) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add basic Scala Weaver sbt support ([#8189](DataDog/dd-trace-java#8189) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement impacted tests detection ([#8188](DataDog/dd-trace-java#8188) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))

##### Data Streams Monitoring

- ✨ Change hash computation for protobuf to better represent impacting changes + save proto number in schema ([#8201](DataDog/dd-trace-java#8201) - [@vandonr](https://github.com/vandonr))

##### Database Monitoring

- Add peer service tag in dbm sql commenter ([#7913](DataDog/dd-trace-java#7913) - [@jordan-wong](https://github.com/jordan-wong))

##### Dynamic Instrumentation

- ✨ Add support for SymDB to scan directories ([#8306](DataDog/dd-trace-java#8306) - [@jpbempel](https://github.com/jpbempel))
- ✨ Add SymDB report for any jar scanning failures ([#8300](DataDog/dd-trace-java#8300) - [@jpbempel](https://github.com/jpbempel))
- ✨ Use two budgets depending on type ([#8283](DataDog/dd-trace-java#8283) - [@evanchooly](https://github.com/evanchooly))
- ✨ Institute a 10 snapshot per probe per trace budget ([#8277](DataDog/dd-trace-java#8277) - [@evanchooly](https://github.com/evanchooly))
- 🐛 Avoid double snapshots for Exception Replay ([#8273](DataDog/dd-trace-java#8273) - [@jpbempel](https://github.com/jpbempel))
- ✨ Simplify code origins. Separate out snapshot generation. ([#8263](DataDog/dd-trace-java#8263) - [@evanchooly](https://github.com/evanchooly))
- ✨ Add Exception probe custom instrumentation ([#8230](DataDog/dd-trace-java#8230) - [@jpbempel](https://github.com/jpbempel))
- ✨ Enhance log probes to honor debug session tags ([#8215](DataDog/dd-trace-java#8215) - [@evanchooly](https://github.com/evanchooly))
- 🐛 Don't redact env tokens from debugger probe snapshots ([#8211](DataDog/dd-trace-java#8211) - [@watson](https://github.com/watson))
- ✨⚡ Move Trace/SpanId capture at commit time ([#8184](DataDog/dd-trace-java#8184) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Capture values at entry for method probe ([#8169](DataDog/dd-trace-java#8169) - [@jpbempel](https://github.com/jpbempel))

##### JMX fetch

- 🐛 Mute JMXFetch Shutdown in progress error ([#8068](DataDog/dd-trace-java#8068) - [@ygree](https://github.com/ygree))

##### OpenTracing

- ⚠️🧹 Make jnr-unixsocket an explicit dependency of dd-trace-ot ([#8307](DataDog/dd-trace-java#8307) - [@mcculls](https://github.com/mcculls))

##### Profiling

- 🐛 Avoid unsupported API call for creating folders on windows ([#8304](DataDog/dd-trace-java#8304) - [@jbachorik](https://github.com/jbachorik))
- ✨ Tag profiles for serverless ([#8279](DataDog/dd-trace-java#8279) - [@jbachorik](https://github.com/jbachorik))
- ✨ add queue type and length to queue events ([#8242](DataDog/dd-trace-java#8242) - [@richardstartin](https://github.com/richardstartin))
- 🐛 TempLocationManager Fixes and Improvements ([#8191](DataDog/dd-trace-java#8191) - [@jbachorik](https://github.com/jbachorik))
- ✨ Bump ddprof to 1.18.0 ([#8173](DataDog/dd-trace-java#8173) - [@jbachorik](https://github.com/jbachorik))
- ✨ Report profiler initialization and configuration errors to telemetry ([#8171](DataDog/dd-trace-java#8171) - [@jbachorik](https://github.com/jbachorik))

##### Telemetry

- ✨ Add pending traces report in tracer flares ([#8053](DataDog/dd-trace-java#8053) - [@mhlidd](https://github.com/mhlidd))

##### Testing

- ✨ Test http server requests in parallel ([#8222](DataDog/dd-trace-java#8222) - [@amarziali](https://github.com/amarziali))

##### Trace context propagation

- ✨ Add non default propagator registration ([#8310](DataDog/dd-trace-java#8310) - [@PerfectSlayer](https://github.com/PerfectSlayer))

##### Tracer core

- ✨ Probe for existence of IBMSASL or ACCP security providers ([#8276](DataDog/dd-trace-java#8276) - [@mcculls](https://github.com/mcculls))
- ✨⚡ Overhead improvement to agent feedback based sampling ([#8265](DataDog/dd-trace-java#8265) - [@dougqh](https://github.com/dougqh))
- 🧹 Move async propagation API from scope to tracer ([#8231](DataDog/dd-trace-java#8231) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Introduce context propagation API ([#8161](DataDog/dd-trace-java#8161) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨🧪 Use env-entry to add tags per webapp deployment ([#8138](DataDog/dd-trace-java#8138) - [@amarziali](https://github.com/amarziali))
- ✨ Introduce context helpers API ([#8134](DataDog/dd-trace-java#8134) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Support IPv6 values for `DD_AGENT_HOST` and `DD_TRACE_AGENT_URL` ([#7984](DataDog/dd-trace-java#7984) - [@mhlidd](https://github.com/mhlidd))

##### Instrumentations

##### Apache HttpComponents

- 🐛 Properly finish spans and support latest apache httpclient5 ([#8272](DataDog/dd-trace-java#8272) - [@amarziali](https://github.com/amarziali))

##### AWS Lambda instrumentation

- 🐛 Properly capture lambda payloads for all handler types. ([#8264](DataDog/dd-trace-java#8264) - [@purple4reina](https://github.com/purple4reina))

##### AWS S3 instrumentation

- 💡 Create S3 instrumentation + add span pointers ([#8075](DataDog/dd-trace-java#8075) - [@nhulston](https://github.com/nhulston))

##### AWS SDK instrumentation

- 🐛 Revert "Add avoid double instrumenting lambda non-streaming handlers." ([#8247](DataDog/dd-trace-java#8247) - [@nhulston](https://github.com/nhulston))

##### Cassandra

- ✨ Allow extracting keyspace from statement result ([#8239](DataDog/dd-trace-java#8239) - [@amarziali](https://github.com/amarziali))

##### Core Java language instrumentation

- ✨ Propagation of translateEscapes of String class ([#8186](DataDog/dd-trace-java#8186) - [@sezen-datadog](https://github.com/sezen-datadog))

##### Eclipse Vert.x instrumentation

- 🐛 Fix vertx worker propagation and error handling ([#8237](DataDog/dd-trace-java#8237) - [@amarziali](https://github.com/amarziali))
- ✨ Support vertx 5 ([#8220](DataDog/dd-trace-java#8220) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Add support for session tracking in Vertx
([#&#8203;8167](DataDog/dd-trace-java#8167) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

##### Kafka instrumentation

- 🐛 Prevent possible NPE calculating Kafka record header size
([#&#8203;8292](DataDog/dd-trace-java#8292) -
[@&#8203;ygree](https://github.com/ygree))

##### Mule instrumentation

- 🐛 Fix crash using Mule with JPMS
([#&#8203;8187](DataDog/dd-trace-java#8187) -
[@&#8203;amarziali](https://github.com/amarziali))

##### Protocol Buffer instrumentation

- ✨ Change hash computation for protobuf to better represent
impacting changes + save proto number in schema
([#&#8203;8201](DataDog/dd-trace-java#8201) -
[@&#8203;vandonr](https://github.com/vandonr))

##### Spring instrumentation

- 🐛 Preserve getQualifier from spring scheduling runnables
([#&#8203;8293](DataDog/dd-trace-java#8293) -
[@&#8203;amarziali](https://github.com/amarziali))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday, before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: bb09d47e4eed77a003f630273b4d0a84003eb899
Labels: comp: asm; iast Application Security Management (IAST); type: bug