Fix IAST standalone sampling priority propagation #4927

Open

wants to merge 6 commits into master from ccapell/fix-iast-standalone-sampling-priority-propagation

Conversation

Contributor

@CarlesDD CarlesDD commented Nov 21, 2024

What does this PR do?

Moves the handling of the standalone sampling priority from the end of the request (when vulnerabilities are sent) to the detection itself.

Motivation

Set the correct priority for a downstream request whenever an IAST event occurs. Prior to these changes, since the priority was set at the end of the request, the priority of all downstream requests was set incorrectly, as the tracer did not know at that time whether an IAST event had occurred.

Additional Notes

System Tests PR to enable the test for these cases.

APPSEC-55778


github-actions bot commented Nov 21, 2024

Overall package size

Self size: 8.1 MB
Deduped: 94.6 MB
No deduping: 94.94 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| @datadog/libdatadog | 0.2.2 | 29.27 MB | 29.27 MB |
| @datadog/native-appsec | 8.3.0 | 19.37 MB | 19.38 MB |
| @datadog/native-iast-taint-tracking | 3.2.0 | 13.9 MB | 13.91 MB |
| @datadog/pprof | 5.4.1 | 9.76 MB | 10.13 MB |
| protobufjs | 7.2.5 | 2.77 MB | 5.16 MB |
| @datadog/native-iast-rewriter | 2.5.0 | 2.51 MB | 2.65 MB |
| @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB |
| @datadog/native-metrics | 3.0.1 | 1.06 MB | 1.46 MB |
| @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB |
| import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB |
| msgpack-lite | 0.1.26 | 201.16 kB | 281.59 kB |
| opentracing | 0.14.7 | 194.81 kB | 194.81 kB |
| lru-cache | 7.18.3 | 133.92 kB | 133.92 kB |
| pprof-format | 2.1.0 | 111.69 kB | 111.69 kB |
| @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB |
| semver | 7.6.3 | 95.82 kB | 95.82 kB |
| lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB |
| ignore | 5.3.1 | 51.46 kB | 51.46 kB |
| int64-buffer | 0.1.10 | 49.18 kB | 49.18 kB |
| shell-quote | 1.8.1 | 44.96 kB | 44.96 kB |
| istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB |
| rfdc | 1.3.1 | 25.21 kB | 25.21 kB |
| @isaacs/ttlcache | 1.4.1 | 25.2 kB | 25.2 kB |
| tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB |
| limiter | 1.1.5 | 23.17 kB | 23.17 kB |
| dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB |
| retry | 0.13.1 | 18.85 kB | 18.85 kB |
| jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB |
| crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB |
| koalas | 1.0.2 | 6.47 kB | 6.47 kB |
| path-to-regexp | 0.1.10 | 6.38 kB | 6.38 kB |
| module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe


pr-commenter bot commented Nov 21, 2024

Benchmarks

Benchmark execution time: 2024-11-22 07:43:10

Comparing candidate commit 8a16b64 in PR branch ccapell/fix-iast-standalone-sampling-priority-propagation with baseline commit 7408b1c in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 262 metrics, 4 unstable metrics.

Comment on lines +25 to +27

```js
if (iastContext?.rootSpan) {
keepTrace(iastContext.rootSpan, SAMPLING_MECHANISM_APPSEC)
standalone.sample(iastContext.rootSpan)
```
Contributor

Could you move these two out of the if, and remove them from the sendVulnerabilities method (lines 57 and 58)?

Suggested change

```diff
-if (iastContext?.rootSpan) {
-keepTrace(iastContext.rootSpan, SAMPLING_MECHANISM_APPSEC)
-standalone.sample(iastContext.rootSpan)
+keepTrace(iastContext.rootSpan, SAMPLING_MECHANISM_APPSEC)
+standalone.sample(iastContext.rootSpan)
+if (iastContext?.rootSpan) {
```
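Review bot: the suggested change dereferences `iastContext.rootSpan` in the two hoisted calls before the `if (iastContext?.rootSpan)` guard runs, so when `iastContext` is undefined (the optional chaining in the guard shows that case is expected) `keepTrace(iastContext.rootSpan, SAMPLING_MECHANISM_APPSEC)` throws a TypeError and the guard that follows it is never reached. If the goal is to mark the trace unconditionally and drop the duplicate calls from `sendVulnerabilities`, the span has to be guaranteed to exist before these two lines, for example by creating it at this point when it is missing, rather than moving the calls above the check.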

Contributor Author

No, I cannot. If these calls were moved outside the conditional, there would be no certainty that a span exists; it is necessary to take into account the case of vulnerabilities outside the request, in which there is no span and one is created on the fly in the sendVulnerabilities method.

Contributor Author

In order to avoid having multiple calls to keepTrace and standalone.sample, the on-the-fly span creation can be moved to the addVulnerability method.

WDYT?

Contributor

ah true!

> the on-the-fly span creation can be moved to the addVulnerability method.

I like it!!
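As an added example, not code from dd-trace-js or from this PR, the following model shows the ordering problem that the PR description and the review thread above describe: an outbound request reads the root span's sampling priority at the moment it is made, so marking the trace only when vulnerabilities are flushed at the end of the request leaves every downstream call carrying the reject priority, while marking at detection time propagates the keep priority, and creating the span on the fly inside `addVulnerability` also covers a vulnerability detected outside a request. The `Span` class, the `iastContext` shape, the `standaloneSample` stand-in for `standalone.sample`, the `markAtDetection` switch and the `'appsec'` mechanism label are assumptions for illustration; only the priority values 0 (AUTO_REJECT) and 2 (USER_KEEP) and the `x-datadog-sampling-priority` header follow Datadog's documented conventions.

```javascript
// Added example, not dd-trace-js code. Models why the standalone sampling
// priority has to be applied when an IAST vulnerability is detected rather
// than when vulnerabilities are flushed at the end of the request.
// Everything except the two priority values and the propagation header name
// is an illustrative assumption.

const AUTO_REJECT = 0 // Datadog sampling priority: drop the trace
const USER_KEEP = 2   // Datadog sampling priority: keep, decided by user/ASM logic
const SAMPLING_MECHANISM_APPSEC = 'appsec' // placeholder label, not the real id

class Span {
  constructor (name) {
    this.name = name
    // Assumption: in standalone ASM/IAST mode a trace is rejected unless a
    // security event upgrades it, so the root span starts as AUTO_REJECT.
    this.samplingPriority = AUTO_REJECT
    this.tags = {}
  }
}

// Marks the trace as kept and records which mechanism made the decision.
function keepTrace (span, mechanism) {
  span.samplingPriority = USER_KEEP
  span.tags['sampling.mechanism'] = mechanism
}

// Stand-in for standalone.sample(): flags the trace as carrying a security event.
function standaloneSample (span) {
  span.tags['appsec.event'] = true
}

// Outbound HTTP client: header injection reads the root span's priority at
// call time. This snapshot is what makes the ordering matter.
function injectHeaders (rootSpan) {
  return { 'x-datadog-sampling-priority': String(rootSpan.samplingPriority) }
}

// Detection-time handling. If there is no root span (vulnerability found
// outside a request) the span is created on the fly here, so a single place
// both guarantees a span exists and marks it. Returns the span that was marked.
function addVulnerability (iastContext, vulnerability, { markAtDetection }) {
  if (!iastContext.rootSpan) {
    iastContext.rootSpan = new Span('iast.vulnerability') // created on the fly
  }
  iastContext.vulnerabilities.push(vulnerability)
  if (markAtDetection) {
    keepTrace(iastContext.rootSpan, SAMPLING_MECHANISM_APPSEC)
    standaloneSample(iastContext.rootSpan)
  }
  return iastContext.rootSpan
}

// End-of-request flush. The pre-fix behaviour marked the trace only here,
// after any downstream requests had already been sent.
function sendVulnerabilities (iastContext, { markAtDetection }) {
  if (!markAtDetection && iastContext.vulnerabilities.length > 0) {
    keepTrace(iastContext.rootSpan, SAMPLING_MECHANISM_APPSEC)
    standaloneSample(iastContext.rootSpan)
  }
  return iastContext.vulnerabilities.splice(0)
}

// One request: detect a vulnerability, make a downstream call, then flush.
// Returns the priority the downstream service received and the final one.
function simulateRequest (options) {
  const iastContext = { rootSpan: new Span('web.request'), vulnerabilities: [] }
  addVulnerability(iastContext, { type: 'SQL_INJECTION' }, options)
  const downstream = injectHeaders(iastContext.rootSpan)
  sendVulnerabilities(iastContext, options)
  return {
    downstreamPriority: downstream['x-datadog-sampling-priority'],
    finalPriority: iastContext.rootSpan.samplingPriority
  }
}

// Vulnerability detected with no active request span: the span must be
// created on the fly, and the marking must still reach it.
function simulateOutOfRequest (options) {
  const iastContext = { rootSpan: null, vulnerabilities: [] }
  const span = addVulnerability(iastContext, { type: 'WEAK_HASH' }, options)
  sendVulnerabilities(iastContext, options)
  return span.samplingPriority
}

console.log('before fix:', simulateRequest({ markAtDetection: false }))
// { downstreamPriority: '0', finalPriority: 2 } -> downstream trace is dropped
console.log('after fix: ', simulateRequest({ markAtDetection: true }))
// { downstreamPriority: '2', finalPriority: 2 }
```

The local root span ends up kept in both variants, which is why the bug is invisible when looking only at the service that detected the vulnerability; it shows up as the downstream service's trace being dropped in standalone mode.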

@CarlesDD CarlesDD marked this pull request as ready for review November 22, 2024 08:04
@CarlesDD CarlesDD requested a review from a team as a code owner November 22, 2024 08:04