
Add security control metrics #8175

Merged
merged 5 commits into from
Jan 13, 2025

Conversation

@jandro996 (Member) commented Jan 9, 2025

What Does This Do

Add suppressed.vulnerabilities metrics when a vulnerability is suppressed due to a security control

RFC (Milestone 1)

Motivation

Additional Notes

When checking whether a vulnerability has occurred, if there are no ranges without the mark for the vulnerability being detected, and all ranges are marked with the CUSTOM_SECURE_MARK, we will send the metric.

Contributor Checklist

Jira ticket: [PROJ-IDENT]

@jandro996 jandro996 marked this pull request as ready for review January 9, 2025 10:44
@jandro996 jandro996 requested a review from a team as a code owner January 9, 2025 10:44
github-actions bot (Contributor) commented Jan 9, 2025

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@jandro996 jandro996 added the comp: asm iast Application Security Management (IAST) label Jan 9, 2025
Inline review comment on this excerpt of the change:

```java
// check if there are tainted ranges without the security control mark
Range[] marked = Ranges.getNotMarkedRanges(taintedRanges, CUSTOM_SECURITY_CONTROL_MARK);
if (marked == null || marked.length == 0) {
  IastMetricCollector.add(IastMetric.SUPPRESSED_VULNERABILITIES, type.type(), 1);
  // ... (rest of the block not shown on the page)
}
```


The parent method has access to the IastContext; you should pass it to IastMetricCollector#add(IastMetric, byte, int, Object)
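The suppression rule the PR description and the excerpt above describe (report only if some tainted range escaped the security control; otherwise count a suppressed vulnerability) is shown below in a small self-contained model. This is an added example, not code from dd-trace-java or from the PR author: `TaintRange`, `Marks`, `getNotMarkedRanges`, `MetricCounter`, `checkVulnerability` and the metric name string are assumptions chosen for illustration, and the project's real types and signatures differ. The sample query and its offsets are constructed inline.

```java
// Added example (not dd-trace-java's code): a minimal model of the
// security-control suppression check described in the PR. All names here
// are assumptions for illustration, not the project's API.
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public final class SecurityControlSuppression {

    // Marks are bits in an int so one range can carry several at once.
    static final class Marks {
        static final int NONE = 0;
        static final int SQL_INJECTION_MARK = 1 << 0;           // range already validated for SQLi
        static final int CUSTOM_SECURITY_CONTROL_MARK = 1 << 1; // a user-declared security control ran on it
    }

    // A tainted slice [start, start+length) of a string and the marks it carries.
    static final class TaintRange {
        final int start;
        final int length;
        final int marks;

        TaintRange(int start, int length, int marks) {
            this.start = start;
            this.length = length;
            this.marks = marks;
        }

        boolean isMarked(int mark) {
            return (marks & mark) != 0;
        }
    }

    // Returns the ranges that do NOT carry the mark: an empty array when every
    // range is marked, null when the input is null (both cases suppress below).
    static TaintRange[] getNotMarkedRanges(TaintRange[] ranges, int mark) {
        if (ranges == null) {
            return null;
        }
        List<TaintRange> unmarked = new ArrayList<>();
        for (TaintRange r : ranges) {
            if (!r.isMarked(mark)) {
                unmarked.add(r);
            }
        }
        return unmarked.toArray(new TaintRange[0]);
    }

    // Stand-in for the metric collector: counts increments per vulnerability type.
    static final class MetricCounter {
        final Map<String, Integer> counts = new ConcurrentHashMap<>();

        void add(String metric, String vulnerabilityType, int value) {
            counts.merge(metric + ":" + vulnerabilityType, value, Integer::sum);
        }

        int get(String metric, String vulnerabilityType) {
            return counts.getOrDefault(metric + ":" + vulnerabilityType, 0);
        }
    }

    enum Outcome { REPORT, SUPPRESSED_BY_SECURITY_CONTROL, NOT_TAINTED }

    // Decision at a sink: report the finding, or record a suppression when every
    // tainted range passed through a declared security control.
    static Outcome checkVulnerability(String vulnerabilityType, TaintRange[] taintedRanges, MetricCounter metrics) {
        if (taintedRanges == null || taintedRanges.length == 0) {
            return Outcome.NOT_TAINTED; // nothing attacker-controlled reached the sink
        }
        TaintRange[] unmarked = getNotMarkedRanges(taintedRanges, Marks.CUSTOM_SECURITY_CONTROL_MARK);
        if (unmarked == null || unmarked.length == 0) {
            // Every range was validated by a security control: do not report,
            // but count that a finding was suppressed for this vulnerability type.
            metrics.add("suppressed.vulnerabilities", vulnerabilityType, 1);
            return Outcome.SUPPRESSED_BY_SECURITY_CONTROL;
        }
        return Outcome.REPORT; // at least one range never went through the control
    }

    public static void main(String[] args) {
        MetricCounter metrics = new MetricCounter();
        // Constructed sample: two user-controlled slices of one SQL string.
        String sql = "SELECT * FROM users WHERE name = 'alice' AND role = 'admin'";
        TaintRange nameRange = new TaintRange(34, 5, Marks.CUSTOM_SECURITY_CONTROL_MARK); // "alice", validated
        TaintRange roleRange = new TaintRange(53, 5, Marks.NONE);                         // "admin", not validated
        System.out.println("tainted slices: " + sql.substring(nameRange.start, nameRange.start + nameRange.length)
            + ", " + sql.substring(roleRange.start, roleRange.start + roleRange.length));

        // One range bypassed the security control: the SQLi is still reported.
        Outcome partial = checkVulnerability("SQL_INJECTION", new TaintRange[] {nameRange, roleRange}, metrics);
        System.out.println("partially validated -> " + partial);

        // Both ranges carry the mark (one also carries an extra mark): suppressed, metric incremented once.
        TaintRange roleValidated = new TaintRange(53, 5, Marks.CUSTOM_SECURITY_CONTROL_MARK | Marks.SQL_INJECTION_MARK);
        Outcome full = checkVulnerability("SQL_INJECTION", new TaintRange[] {nameRange, roleValidated}, metrics);
        System.out.println("fully validated -> " + full + ", suppressed.vulnerabilities[SQL_INJECTION]="
            + metrics.get("suppressed.vulnerabilities", "SQL_INJECTION"));

        // No tainted ranges at all: neither reported nor counted.
        System.out.println("untainted -> " + checkVulnerability("SQL_INJECTION", new TaintRange[0], metrics));
    }
}
```

Compile and run with `javac SecurityControlSuppression.java && java SecurityControlSuppression`. The point worth checking in a real implementation is the first branch: a `null` or empty result from the "not marked" query must be treated as "all marked", otherwise a fully validated input would be reported as a vulnerability, and the metric would never be emitted.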

@jandro996 jandro996 force-pushed the alejandro.gonzalez/security-controls-metrics branch from b63727a to 87eab75 Compare January 10, 2025 09:53
pr-commenter bot commented Jan 10, 2025

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/security-controls-metrics |
| git_commit_date | 1736758880 | 1736773858 |
| git_commit_sha | 8bcee06 | 9164fbe |
| release_version | 1.46.0-SNAPSHOT~8bcee06789 | 1.46.0-SNAPSHOT~9164fbeb28 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
|---|---|
| application | insecure-bank |
| ci_job_date | 1736776316 |
| ci_job_id | 763704407 |
| ci_pipeline_id | 52811166 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent |
| parent | None |
| variant | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 4 unstable metrics.

Startup time reports for petclinic

Global startup overhead (candidate=1.46.0-SNAPSHOT~9164fbeb28, baseline=1.46.0-SNAPSHOT~8bcee06789). Δ tracing is the overhead of each variant over the tracing variant of the same build:

| Module | Variant | Baseline | Δ tracing (baseline) | Candidate | Δ tracing (candidate) |
|---|---|---|---|---|---|
| Agent | tracing | 1.052 s | - | 1.057 s | - |
| Agent | appsec | 1.186 s | 133.725 ms (12.7%) | 1.191 s | 134.137 ms (12.7%) |
| Agent | iast | 1.195 s | 142.516 ms (13.5%) | 1.189 s | 132.743 ms (12.6%) |
| Agent | profiling | 1.277 s | 224.624 ms (21.3%) | 1.276 s | 219.343 ms (20.8%) |
| Total | tracing | 10.463 s | - | 10.387 s | - |
| Total | appsec | 10.666 s | 202.355 ms (1.9%) | 10.802 s | 415.518 ms (4.0%) |
| Total | iast | 11.028 s | 564.918 ms (5.4%) | 10.982 s | 595.591 ms (5.7%) |
| Total | profiling | 10.863 s | 400.252 ms (3.8%) | 10.89 s | 503.359 ms (4.8%) |

Break down per module (agent startup components, same candidate and baseline):

| Variant | Component | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 711.831 ms | 712.959 ms |
| tracing | GlobalTracer | 255.265 ms | 256.097 ms |
| tracing | AppSec | 55.938 ms | 56.616 ms |
| tracing | Remote Config | 719.238 µs | 724.626 µs |
| tracing | Telemetry | 13.552 ms | 15.247 ms |
| appsec | BytebuddyAgent | 729.422 ms | 733.37 ms |
| appsec | GlobalTracer | 252.299 ms | 252.856 ms |
| appsec | AppSec | 170.518 ms | 170.512 ms |
| appsec | Remote Config | 668.971 µs | 675.36 µs |
| appsec | Telemetry | 8.541 ms | 8.618 ms |
| appsec | IAST | 19.348 ms | 19.558 ms |
| iast | BytebuddyAgent | 837.78 ms | 836.41 ms |
| iast | GlobalTracer | 250.611 ms | 248.47 ms |
| iast | AppSec | 59.374 ms | 58.408 ms |
| iast | Remote Config | 718.563 µs | 694.001 µs |
| iast | Telemetry | 9.064 ms | 8.81 ms |
| iast | IAST | 22.137 ms | 21.556 ms |
| profiling | ProfilingAgent | 95.95 ms | 95.596 ms |
| profiling | BytebuddyAgent | 705.867 ms | 705.644 ms |
| profiling | GlobalTracer | 368.419 ms | 369.181 ms |
| profiling | AppSec | 54.851 ms | 53.873 ms |
| profiling | Remote Config | 697.538 µs | 695.614 µs |
| profiling | Telemetry | 8.835 ms | 8.826 ms |
| profiling | Profiling | 95.974 ms | 95.62 ms |
Startup time reports for insecure-bank

Global startup overhead (candidate=1.46.0-SNAPSHOT~9164fbeb28, baseline=1.46.0-SNAPSHOT~8bcee06789). Δ tracing is the overhead of each variant over the tracing variant of the same build:

| Module | Variant | Baseline | Δ tracing (baseline) | Candidate | Δ tracing (candidate) |
|---|---|---|---|---|---|
| Agent | tracing | 1.059 s | - | 1.056 s | - |
| Agent | iast | 1.181 s | 122.508 ms (11.6%) | 1.195 s | 138.977 ms (13.2%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.188 s | 129.939 ms (12.3%) | 1.19 s | 134.449 ms (12.7%) |
| Agent | iast_TELEMETRY_OFF | 1.179 s | 120.094 ms (11.3%) | 1.177 s | 121.114 ms (11.5%) |
| Total | tracing | 8.641 s | - | 8.63 s | - |
| Total | iast | 9.218 s | 577.69 ms (6.7%) | 9.207 s | 576.994 ms (6.7%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.154 s | 513.479 ms (5.9%) | 9.214 s | 584.171 ms (6.8%) |
| Total | iast_TELEMETRY_OFF | 9.214 s | 573.184 ms (6.6%) | 9.19 s | 560.529 ms (6.5%) |

Break down per module (agent startup components, same candidate and baseline):

| Variant | Component | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 713.989 ms | 713.996 ms |
| tracing | GlobalTracer | 256.292 ms | 256.119 ms |
| tracing | AppSec | 55.938 ms | 56.205 ms |
| tracing | Remote Config | 728.81 µs | 726.823 µs |
| tracing | Telemetry | 16.645 ms | 13.957 ms |
| iast | BytebuddyAgent | 830.473 ms | 839.177 ms |
| iast | GlobalTracer | 246.302 ms | 250.238 ms |
| iast | AppSec | 58.152 ms | 58.898 ms |
| iast | IAST | 21.635 ms | 21.791 ms |
| iast | Remote Config | 703.596 µs | 715.691 µs |
| iast | Telemetry | 8.815 ms | 8.951 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 837.888 ms | 836.987 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 246.909 ms | 248.473 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 58.133 ms | 58.682 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 21.063 ms | 21.619 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 670.618 µs | 695.046 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 8.73 ms | 8.874 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 829.486 ms | 827.9 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 246.762 ms | 246.594 ms |
| iast_TELEMETRY_OFF | AppSec | 57.656 ms | 57.724 ms |
| iast_TELEMETRY_OFF | IAST | 20.483 ms | 20.662 ms |
| iast_TELEMETRY_OFF | Remote Config | 650.284 µs | 643.674 µs |
| iast_TELEMETRY_OFF | Telemetry | 8.563 ms | 8.584 ms |

Load

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2025-01-13T13:22:12 | 2025-01-13T13:29:11 |
| git_branch | master | alejandro.gonzalez/security-controls-metrics |
| git_commit_date | 1736758880 | 1736773858 |
| git_commit_sha | 8bcee06 | 9164fbe |
| release_version | 1.46.0-SNAPSHOT~8bcee06789 | 1.46.0-SNAPSHOT~9164fbeb28 |
| start_time | 2025-01-13T13:21:59 | 2025-01-13T13:28:57 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
|---|---|
| application | insecure-bank |
| ci_job_date | 1736775303 |
| ci_job_id | 763704408 |
| ci_pipeline_id | 52811166 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for insecure-bank

Request duration [CI 0.99] (candidate=1.46.0-SNAPSHOT~9164fbeb28, baseline=1.46.0-SNAPSHOT~8bcee06789). Δ no_agent is the overhead of each variant over the no_agent run of the same build:

| Variant | Baseline [CI 0.99] | Δ no_agent (baseline) | Candidate [CI 0.99] | Δ no_agent (candidate) |
|---|---|---|---|---|
| no_agent | 371.856 µs [352.264 µs, 391.447 µs] | - | 377.751 µs [358.241 µs, 397.26 µs] | - |
| iast | 487.744 µs [466.369 µs, 509.119 µs] | 115.888 µs (31.2%) | 491.545 µs [470.002 µs, 513.088 µs] | 113.794 µs (30.1%) |
| iast_FULL | 653.64 µs [631.974 µs, 675.307 µs] | 281.785 µs (75.8%) | 658.864 µs [637.342 µs, 680.387 µs] | 281.114 µs (74.4%) |
| iast_GLOBAL | 514.701 µs [493.258 µs, 536.144 µs] | 142.846 µs (38.4%) | 513.377 µs [492.036 µs, 534.719 µs] | 135.627 µs (35.9%) |
| iast_HARDCODED_SECRET_DISABLED | 491.618 µs [469.975 µs, 513.262 µs] | 119.763 µs (32.2%) | 492.258 µs [470.905 µs, 513.612 µs] | 114.508 µs (30.3%) |
| iast_INACTIVE | 454.27 µs [432.764 µs, 475.776 µs] | 82.414 µs (22.2%) | 451.177 µs [430.349 µs, 472.006 µs] | 73.427 µs (19.4%) |
| iast_TELEMETRY_OFF | 479.775 µs [458.189 µs, 501.362 µs] | 107.92 µs (29.0%) | 475.775 µs [454.052 µs, 497.498 µs] | 98.025 µs (25.9%) |
| tracing | 448.971 µs [428.162 µs, 469.781 µs] | 77.116 µs (20.7%) | 453.325 µs [432.074 µs, 474.576 µs] | 75.575 µs (20.0%) |
Request duration reports for petclinic

Request duration [CI 0.99] (candidate=1.46.0-SNAPSHOT~9164fbeb28, baseline=1.46.0-SNAPSHOT~8bcee06789). Δ no_agent is the overhead of each variant over the no_agent run of the same build:

| Variant | Baseline [CI 0.99] | Δ no_agent (baseline) | Candidate [CI 0.99] | Δ no_agent (candidate) |
|---|---|---|---|---|
| no_agent | 1.375 ms [1.354 ms, 1.396 ms] | - | 1.349 ms [1.33 ms, 1.368 ms] | - |
| appsec | 1.734 ms [1.709 ms, 1.758 ms] | 358.494 µs (26.1%) | 1.726 ms [1.702 ms, 1.75 ms] | 376.584 µs (27.9%) |
| appsec_no_iast | 1.754 ms [1.73 ms, 1.777 ms] | 378.344 µs (27.5%) | 1.749 ms [1.726 ms, 1.773 ms] | 400.071 µs (29.6%) |
| iast | 1.485 ms [1.462 ms, 1.508 ms] | 109.756 µs (8.0%) | 1.485 ms [1.461 ms, 1.508 ms] | 135.537 µs (10.0%) |
| profiling | 1.515 ms [1.491 ms, 1.54 ms] | 140.212 µs (10.2%) | 1.554 ms [1.529 ms, 1.579 ms] | 204.236 µs (15.1%) |
| tracing | 1.483 ms [1.458 ms, 1.509 ms] | 108.26 µs (7.9%) | 1.475 ms [1.451 ms, 1.499 ms] | 125.27 µs (9.3%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/security-controls-metrics |
| git_commit_date | 1736758880 | 1736773858 |
| git_commit_sha | 8bcee06 | 9164fbe |
| release_version | 1.46.0-SNAPSHOT~8bcee06789 | 1.46.0-SNAPSHOT~9164fbeb28 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
|---|---|
| application | biojava |
| ci_job_date | 1736775903 |
| ci_job_id | 763704409 |
| ci_pipeline_id | 52811166 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava

Execution time [CI 0.99] (candidate=1.46.0-SNAPSHOT~9164fbeb28, baseline=1.46.0-SNAPSHOT~8bcee06789). The reported CI bounds coincide with the point values for this benchmark, so only the point values are listed. Δ no_agent is the overhead of each variant over the no_agent run of the same build:

| Variant | Baseline | Δ no_agent (baseline) | Candidate | Δ no_agent (candidate) |
|---|---|---|---|---|
| no_agent | 14.893 s | - | 15.271 s | - |
| appsec | 14.986 s | 93.0 ms (0.6%) | 14.664 s | -607.0 ms (-4.0%) |
| iast | 18.662 s | 3.769 s (25.3%) | 19.04 s | 3.769 s (24.7%) |
| iast_GLOBAL | 17.914 s | 3.021 s (20.3%) | 18.027 s | 2.756 s (18.0%) |
| profiling | 15.049 s | 156.0 ms (1.0%) | 15.5 s | 229.0 ms (1.5%) |
| tracing | 14.975 s | 82.0 ms (0.6%) | 14.876 s | -395.0 ms (-2.6%) |
Execution time for tomcat

Execution time [CI 0.99] (candidate=1.46.0-SNAPSHOT~9164fbeb28, baseline=1.46.0-SNAPSHOT~8bcee06789). Δ no_agent is the overhead of each variant over the no_agent run of the same build:

| Variant | Baseline [CI 0.99] | Δ no_agent (baseline) | Candidate [CI 0.99] | Δ no_agent (candidate) |
|---|---|---|---|---|
| no_agent | 1.473 ms [1.461 ms, 1.484 ms] | - | 1.466 ms [1.455 ms, 1.477 ms] | - |
| appsec | 2.345 ms [2.302 ms, 2.388 ms] | 872.336 µs (59.2%) | 2.363 ms [2.321 ms, 2.406 ms] | 897.355 µs (61.2%) |
| iast | 2.103 ms [2.049 ms, 2.157 ms] | 630.641 µs (42.8%) | 2.107 ms [2.053 ms, 2.162 ms] | 641.393 µs (43.7%) |
| iast_GLOBAL | 2.148 ms [2.093 ms, 2.202 ms] | 674.998 µs (45.8%) | 2.154 ms [2.099 ms, 2.208 ms] | 687.656 µs (46.9%) |
| profiling | 1.971 ms [1.927 ms, 2.015 ms] | 498.641 µs (33.9%) | 1.977 ms [1.933 ms, 2.021 ms] | 510.7 µs (34.8%) |
| tracing | 1.951 ms [1.909 ms, 1.994 ms] | 478.777 µs (32.5%) | 1.946 ms [1.905 ms, 1.988 ms] | 480.308 µs (32.8%) |

@jandro996 jandro996 merged commit d402356 into master Jan 13, 2025
174 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/security-controls-metrics branch January 13, 2025 18:17
@github-actions github-actions bot added this to the 1.46.0 milestone Jan 13, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Jan 31, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.google.cloud:google-cloud-datastore](https://github.com/googleapis/java-datastore) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.25.4` -> `2.26.0` |
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.45.2` -> `1.46.0` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.45.2` -> `1.46.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.9` -> `2.30.10` |

---

### Release Notes

<details>
<summary>googleapis/java-datastore (com.google.cloud:google-cloud-datastore)</summary>

### [`v2.26.0`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2260-2025-01-29)

##### Features

- Add firestoreInDatastoreMode for datastore emulator ([#1698](googleapis/java-datastore#1698)) ([50f106d](googleapis/java-datastore@50f106d))

##### Dependencies

- Update dependency com.google.cloud:sdk-platform-java-config to v3.42.0 ([#1725](googleapis/java-datastore#1725)) ([1cbaf22](googleapis/java-datastore@1cbaf22))

</details>

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.46.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.46.0): 1.46.0

##### Breaking Changes

> \[!WARNING]
> jnr-unixsocket is now an external dependency of dd-trace-ot and must be included when deploying dd-trace-ot.

> \[!NOTE]
> The API `TracerScope.setAsync(boolean)`, used to manually control asynchronous span propagation, no longer applies to the scope instance but to the active span scope.

##### Components

##### Application Security Management (IAST)

- 🐛 Fix String.replace instrumentation for IAST ([#8281](DataDog/dd-trace-java#8281) - [@Mariovido](https://github.com/Mariovido))
- ✨ Apply the standard nomenclature to the stacktrace configs ([#8244](DataDog/dd-trace-java#8244) - [@jandro996](https://github.com/jandro996))
- 🐛 Exclude false positive weak randomness ([#8232](DataDog/dd-trace-java#8232) - [@jandro996](https://github.com/jandro996))
- ✨ Propagation of translateEscapes of String class ([#8186](DataDog/dd-trace-java#8186) - [@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Add security control metrics ([#8175](DataDog/dd-trace-java#8175) - [@jandro996](https://github.com/jandro996))
- ✨ Increase IAST propagation to StringBuffer setLength ([#8128](DataDog/dd-trace-java#8128) - [@Mariovido](https://github.com/Mariovido))
- ✨ Add IAST taint tracking for DB values ([#8072](DataDog/dd-trace-java#8072) - [@Mariovido](https://github.com/Mariovido))

##### Application Security Management (WAF)

- 🐛 Prevents a NPE when there is no subscriber for user events ([#8258](DataDog/dd-trace-java#8258) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Apply the standard nomenclature to the stacktrace configs ([#8244](DataDog/dd-trace-java#8244) - [@jandro996](https://github.com/jandro996))
- 🐛 Ensure cached subscriptions are cleared on reconfiguration via RC ([#8229](DataDog/dd-trace-java#8229) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Add support for session tracking in Vertx ([#8167](DataDog/dd-trace-java#8167) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Create span tag: \_dd.appsec.rasp.timeout ([#8269](DataDog/dd-trace-java#8269) - [@Mariovido](https://github.com/Mariovido))

##### Build & Tooling

- 🐛 Ensure shaded helpers have unique names when injected into class-loaders ([#8192](DataDog/dd-trace-java#8192) - [@mcculls](https://github.com/mcculls))

##### Configuration at Runtime

- 🐛 Remove filtering of `DD_SERVICE` and `DD_ENV` from the tracer ([#8176](DataDog/dd-trace-java#8176) - [@mhlidd](https://github.com/mhlidd))

##### Continuous Integration Visibility

- 🧹 Generalize TestRetryPolicy to TestExecutionPolicy ([#8302](DataDog/dd-trace-java#8302) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Parallelize CI Visibility settings requests ([#8299](DataDog/dd-trace-java#8299) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Generalize test retry logic ([#8289](DataDog/dd-trace-java#8289) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Generalize tests skipping logic ([#8288](DataDog/dd-trace-java#8288) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Remove skip and shouldBeSkipped methods from TestEventsHandler in favor of isSkippable ([#8286](DataDog/dd-trace-java#8286) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨⚡ Optimize Git repository information computation ([#8270](DataDog/dd-trace-java#8270) - [@dougqh](https://github.com/dougqh))
- ✨ Always request known tests from the backend ([#8268](DataDog/dd-trace-java#8268) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Fix NPE when trying to get retry analyzer in Test NG ([#8253](DataDog/dd-trace-java#8253) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Set test framework and test framework version tags atomically ([#8252](DataDog/dd-trace-java#8252) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add debug logging to Android Gradle module layout logic ([#8251](DataDog/dd-trace-java#8251) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix source and destination folders computation for Android Gradle projects ([#8190](DataDog/dd-trace-java#8190) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add basic Scala Weaver sbt support ([#8189](DataDog/dd-trace-java#8189) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement impacted tests detection ([#8188](DataDog/dd-trace-java#8188) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))

##### Data Streams Monitoring

- ✨ Change hash computation for protobuf to better represent impacting changes + save proto number in schema ([#8201](DataDog/dd-trace-java#8201) - [@vandonr](https://github.com/vandonr))

##### Database Monitoring

- Add peer service tag in dbm sql commenter ([#7913](DataDog/dd-trace-java#7913) - [@jordan-wong](https://github.com/jordan-wong))

##### Dynamic Instrumentation

- ✨ Add support for SymDB to scan directories ([#8306](DataDog/dd-trace-java#8306) - [@jpbempel](https://github.com/jpbempel))
- ✨ Add SymDB report for any jar scanning failures ([#8300](DataDog/dd-trace-java#8300) - [@jpbempel](https://github.com/jpbempel))
- ✨ Use two budgets depending on type ([#8283](DataDog/dd-trace-java#8283) - [@evanchooly](https://github.com/evanchooly))
- ✨ Institute a 10 snapshot per probe per trace budget ([#8277](DataDog/dd-trace-java#8277) - [@evanchooly](https://github.com/evanchooly))
- 🐛 Avoid double snapshots for Exception Replay ([#8273](DataDog/dd-trace-java#8273) - [@jpbempel](https://github.com/jpbempel))
- ✨ Simplify code origins. Separate out snapshot generation. ([#8263](DataDog/dd-trace-java#8263) - [@evanchooly](https://github.com/evanchooly))
- ✨ Add Exception probe custom instrumentation ([#8230](DataDog/dd-trace-java#8230) - [@jpbempel](https://github.com/jpbempel))
- ✨ Enhance log probes to honor debug session tags ([#8215](DataDog/dd-trace-java#8215) - [@evanchooly](https://github.com/evanchooly))
- 🐛 Don't redact env tokens from debugger probe snapshots ([#8211](DataDog/dd-trace-java#8211) - [@watson](https://github.com/watson))
- ✨⚡ Move Trace/SpanId capture at commit time ([#8184](DataDog/dd-trace-java#8184) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Capture values at entry for method probe ([#8169](DataDog/dd-trace-java#8169) - [@jpbempel](https://github.com/jpbempel))

##### JMX fetch

- 🐛 Mute JMXFetch Shutdown in progress error ([#8068](DataDog/dd-trace-java#8068) - [@ygree](https://github.com/ygree))

##### OpenTracing

- ⚠️🧹 Make jnr-unixsocket an explicit dependency of dd-trace-ot ([#8307](DataDog/dd-trace-java#8307) - [@mcculls](https://github.com/mcculls))

##### Profiling

- 🐛 Avoid unsupported API call for creating folders on windows ([#8304](DataDog/dd-trace-java#8304) - [@jbachorik](https://github.com/jbachorik))
- ✨ Tag profiles for serverless ([#8279](DataDog/dd-trace-java#8279) - [@jbachorik](https://github.com/jbachorik))
- ✨ add queue type and length to queue events ([#8242](DataDog/dd-trace-java#8242) - [@richardstartin](https://github.com/richardstartin))
- 🐛 TempLocationManager Fixes and Improvements ([#8191](DataDog/dd-trace-java#8191) - [@jbachorik](https://github.com/jbachorik))
- ✨ Bump ddprof to 1.18.0 ([#8173](DataDog/dd-trace-java#8173) - [@jbachorik](https://github.com/jbachorik))
- ✨ Report profiler initialization and configuration errors to telemetry ([#8171](DataDog/dd-trace-java#8171) - [@jbachorik](https://github.com/jbachorik))

##### Telemetry

- ✨ Add pending traces report in tracer flares ([#8053](DataDog/dd-trace-java#8053) - [@mhlidd](https://github.com/mhlidd))

##### Testing

- ✨ Test http server requests in parallel ([#8222](DataDog/dd-trace-java#8222) - [@amarziali](https://github.com/amarziali))

##### Trace context propagation

- ✨ Add non default propagator registration ([#8310](DataDog/dd-trace-java#8310) - [@PerfectSlayer](https://github.com/PerfectSlayer))

##### Tracer core

- ✨ Probe for existence of IBMSASL or ACCP security providers ([#8276](DataDog/dd-trace-java#8276) - [@mcculls](https://github.com/mcculls))
- ✨⚡ Overhead improvement to agent feedback based sampling ([#8265](DataDog/dd-trace-java#8265) - [@dougqh](https://github.com/dougqh))
- 🧹 Move async propagation API from scope to tracer ([#8231](DataDog/dd-trace-java#8231) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Introduce context propagation API ([#8161](DataDog/dd-trace-java#8161) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨🧪 Use env-entry to add tags per webapp deployment ([#8138](DataDog/dd-trace-java#8138) - [@amarziali](https://github.com/amarziali))
- ✨ Introduce context helpers API ([#8134](DataDog/dd-trace-java#8134) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Support IPv6 values for `DD_AGENT_HOST` and `DD_TRACE_AGENT_URL` ([#7984](DataDog/dd-trace-java#7984) - [@mhlidd](https://github.com/mhlidd))

##### Instrumentations

##### Apache HttpComponents

- 🐛 Properly finish spans and support latest apache httpclient5 ([#8272](DataDog/dd-trace-java#8272) - [@amarziali](https://github.com/amarziali))

##### AWS Lambda instrumentation

- 🐛 Properly capture lambda payloads for all handler types. ([#8264](DataDog/dd-trace-java#8264) - [@purple4reina](https://github.com/purple4reina))

##### AWS S3 instrumentation

- 💡 Create S3 instrumentation + add span pointers ([#8075](DataDog/dd-trace-java#8075) - [@nhulston](https://github.com/nhulston))

##### AWS SDK instrumentation

- 🐛 Revert "Add avoid double instrumenting lambda non-streaming handlers." ([#8247](DataDog/dd-trace-java#8247) - [@nhulston](https://github.com/nhulston))

##### Cassandra

- ✨ Allow extracting keyspace from statement result ([#8239](DataDog/dd-trace-java#8239) - [@amarziali](https://github.com/amarziali))

##### Core Java language instrumentation

- ✨ Propagation of translateEscapes of String class ([#8186](DataDog/dd-trace-java#8186) - [@sezen-datadog](https://github.com/sezen-datadog))

##### Eclipse Vert.x instrumentation

- 🐛 Fix vertx worker propagation and error handling
([#&#8203;8237](DataDog/dd-trace-java#8237) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Support vertx 5
([#&#8203;8220](DataDog/dd-trace-java#8220) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Add support for session tracking in Vertx
([#&#8203;8167](DataDog/dd-trace-java#8167) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

##### Kafka instrumentation

- 🐛 Prevent possible NPE calculating Kafka record header size
([#&#8203;8292](DataDog/dd-trace-java#8292) -
[@&#8203;ygree](https://github.com/ygree))

##### Mule instrumentation

- 🐛 Fix crash using Mule with JPMS
([#&#8203;8187](DataDog/dd-trace-java#8187) -
[@&#8203;amarziali](https://github.com/amarziali))

##### Protocol Buffer instrumentation

- ✨ Change hash computation for protobuf to better represent
impacting changes + save proto number in schema
([#&#8203;8201](DataDog/dd-trace-java#8201) -
[@&#8203;vandonr](https://github.com/vandonr))

##### Spring instrumentation

- 🐛 Preserve getQualifier from spring scheduling runnables
([#&#8203;8293](DataDog/dd-trace-java#8293) -
[@&#8203;amarziali](https://github.com/amarziali))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday, before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: bb09d47e4eed77a003f630273b4d0a84003eb899
Labels
comp: asm iast Application Security Management (IAST) type: enhancement