
Detect a vulnerability when a default application is deployed #6885

Merged
merged 4 commits into from May 13, 2024

Conversation

jandro996
Member

@jandro996 jandro996 commented Apr 4, 2024

What Does This Do

Add a new default-app-deployed vulnerability.
Support Tomcat and Jetty default applications by checking the display-name tags in the application's web.xml file.

Motivation

The applications supplied by default with application servers are mostly not intended to be deployed in secure production environments, as they may be vulnerable; even if they are not, their discovery by an attacker could encourage them to seek security flaws in that service.

Additional Notes

Jira ticket: [PROJ-IDENT]

@jandro996 jandro996 changed the base branch from master to alejandro.gonzalez/IW_directory_listing_improve April 4, 2024 10:06
@pr-commenter

pr-commenter bot commented Apr 4, 2024

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/IW_default_app_deployed
git_commit_date 1715615333 1715616103
git_commit_sha 6c2d477 04c59ae
release_version 1.35.0-SNAPSHOT~6c2d477f7c 1.35.0-SNAPSHOT~04c59ae87b
Matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1715618742 1715618742
ci_job_id 510368214 510368214
ci_pipeline_id 34162014 34162014
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 50 metrics, 13 unstable metrics.

Startup time reports for petclinic
[Gantt chart: petclinic - global startup overhead, candidate=1.35.0-SNAPSHOT~04c59ae87b vs baseline=1.35.0-SNAPSHOT~6c2d477f7c; the Agent and Total durations it plots are listed in the baseline and candidate results below]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.078 s -
Agent appsec 1.195 s 117.649 ms (10.9%)
Agent iast 1.204 s 125.971 ms (11.7%)
Agent profiling 1.281 s 203.354 ms (18.9%)
Total tracing 10.396 s -
Total appsec 10.466 s 69.626 ms (0.7%)
Total iast 10.758 s 361.906 ms (3.5%)
Total profiling 10.682 s 285.975 ms (2.8%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.077 s -
Agent appsec 1.197 s 119.14 ms (11.1%)
Agent iast 1.203 s 125.38 ms (11.6%)
Agent profiling 1.27 s 192.696 ms (17.9%)
Total tracing 10.432 s -
Total appsec 10.572 s 139.481 ms (1.3%)
Total iast 10.754 s 321.763 ms (3.1%)
Total profiling 10.593 s 161.391 ms (1.5%)
petclinic - break down per module (startup time, candidate=1.35.0-SNAPSHOT~04c59ae87b, baseline=1.35.0-SNAPSHOT~6c2d477f7c)
Module Variant Baseline Candidate
BytebuddyAgent tracing 674.056 ms 674.135 ms
GlobalTracer tracing 311.676 ms 311.256 ms
AppSec tracing 49.427 ms 49.511 ms
Remote Config tracing 657.742 µs 656.272 µs
Telemetry tracing 7.583 ms 7.577 ms
BytebuddyAgent appsec 695.884 ms 695.921 ms
GlobalTracer appsec 293.594 ms 294.289 ms
AppSec appsec 152.563 ms 152.564 ms
Remote Config appsec 616.798 µs 618.764 µs
Telemetry appsec 8.74 ms 9.392 ms
IAST appsec 19.244 ms 18.892 ms
BytebuddyAgent iast 796.065 ms 796.281 ms
GlobalTracer iast 291.269 ms 291.023 ms
AppSec iast 50.69 ms 52.809 ms
Remote Config iast 582.328 µs 605.706 µs
Telemetry iast 6.604 ms 6.677 ms
IAST iast 24.104 ms 21.124 ms
ProfilingAgent profiling 97.333 ms 95.473 ms
BytebuddyAgent profiling 683.852 ms 677.423 ms
GlobalTracer profiling 384.127 ms 382.034 ms
AppSec profiling 50.555 ms 50.519 ms
Remote Config profiling 718.972 µs 713.218 µs
Telemetry profiling 7.492 ms 7.442 ms
Profiling profiling 97.358 ms 95.497 ms
Startup time reports for insecure-bank
[Gantt chart: insecure-bank - global startup overhead, candidate=1.35.0-SNAPSHOT~04c59ae87b vs baseline=1.35.0-SNAPSHOT~6c2d477f7c; the Agent and Total durations it plots are listed in the baseline and candidate results below]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.076 s -
Agent iast 1.206 s 129.629 ms (12.0%)
Agent iast_HARDCODED_SECRET_DISABLED 1.205 s 129.013 ms (12.0%)
Agent iast_TELEMETRY_OFF 1.202 s 126.302 ms (11.7%)
Total tracing 8.556 s -
Total iast 9.025 s 469.071 ms (5.5%)
Total iast_HARDCODED_SECRET_DISABLED 8.994 s 438.29 ms (5.1%)
Total iast_TELEMETRY_OFF 9.021 s 464.565 ms (5.4%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.084 s -
Agent iast 1.203 s 119.04 ms (11.0%)
Agent iast_HARDCODED_SECRET_DISABLED 1.21 s 126.049 ms (11.6%)
Agent iast_TELEMETRY_OFF 1.199 s 114.891 ms (10.6%)
Total tracing 8.598 s -
Total iast 9.005 s 407.511 ms (4.7%)
Total iast_HARDCODED_SECRET_DISABLED 9.005 s 407.152 ms (4.7%)
Total iast_TELEMETRY_OFF 8.998 s 400.517 ms (4.7%)
insecure-bank - break down per module (startup time, candidate=1.35.0-SNAPSHOT~04c59ae87b, baseline=1.35.0-SNAPSHOT~6c2d477f7c)
Module Variant Baseline Candidate
BytebuddyAgent tracing 673.475 ms 678.789 ms
GlobalTracer tracing 310.583 ms 312.647 ms
AppSec tracing 49.491 ms 49.793 ms
Remote Config tracing 659.828 µs 667.922 µs
Telemetry tracing 7.561 ms 7.615 ms
BytebuddyAgent iast 797.815 ms 795.64 ms
GlobalTracer iast 291.851 ms 291.396 ms
AppSec iast 49.57 ms 49.377 ms
IAST iast 24.186 ms 24.51 ms
Remote Config iast 1.289 ms 584.929 µs
Telemetry iast 6.63 ms 7.294 ms
BytebuddyAgent iast_HARDCODED_SECRET_DISABLED 797.164 ms 801.193 ms
GlobalTracer iast_HARDCODED_SECRET_DISABLED 291.704 ms 292.719 ms
AppSec iast_HARDCODED_SECRET_DISABLED 51.539 ms 50.905 ms
IAST iast_HARDCODED_SECRET_DISABLED 23.069 ms 23.533 ms
Remote Config iast_HARDCODED_SECRET_DISABLED 580.796 µs 631.097 µs
Telemetry iast_HARDCODED_SECRET_DISABLED 6.602 ms 6.588 ms
BytebuddyAgent iast_TELEMETRY_OFF 794.774 ms 792.43 ms
GlobalTracer iast_TELEMETRY_OFF 291.622 ms 290.927 ms
AppSec iast_TELEMETRY_OFF 53.109 ms 51.346 ms
IAST iast_TELEMETRY_OFF 21.304 ms 22.742 ms
Remote Config iast_TELEMETRY_OFF 590.765 µs 668.667 µs
Telemetry iast_TELEMETRY_OFF 6.584 ms 6.616 ms

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2024-05-13T16:18:21 2024-05-13T16:25:11
git_branch master alejandro.gonzalez/IW_default_app_deployed
git_commit_date 1715615333 1715616103
git_commit_sha 6c2d477 04c59ae
release_version 1.35.0-SNAPSHOT~6c2d477f7c 1.35.0-SNAPSHOT~04c59ae87b
start_time 2024-05-13T16:18:08 2024-05-13T16:24:57
Matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1715617855 1715617855
ci_job_id 510368216 510368216
ci_pipeline_id 34162014 34162014
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for insecure-bank
[Gantt chart: insecure-bank - request duration [CI 0.99], candidate=1.35.0-SNAPSHOT~04c59ae87b vs baseline=1.35.0-SNAPSHOT~6c2d477f7c; the per-variant durations and confidence intervals it plots are listed in the baseline and candidate results below]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 371.42 µs [351.626 µs, 391.213 µs] -
iast 483.264 µs [461.561 µs, 504.966 µs] 111.844 µs (30.1%)
iast_FULL 550.31 µs [529.32 µs, 571.299 µs] 178.89 µs (48.2%)
iast_GLOBAL 515.266 µs [493.29 µs, 537.242 µs] 143.846 µs (38.7%)
iast_HARDCODED_SECRET_DISABLED 481.008 µs [460.191 µs, 501.825 µs] 109.588 µs (29.5%)
iast_INACTIVE 455.199 µs [433.819 µs, 476.58 µs] 83.78 µs (22.6%)
iast_TELEMETRY_OFF 468.061 µs [447.189 µs, 488.933 µs] 96.641 µs (26.0%)
tracing 447.238 µs [426.464 µs, 468.011 µs] 75.818 µs (20.4%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 371.598 µs [352.184 µs, 391.012 µs] -
iast 480.605 µs [459.647 µs, 501.562 µs] 109.006 µs (29.3%)
iast_FULL 552.878 µs [531.766 µs, 573.99 µs] 181.28 µs (48.8%)
iast_GLOBAL 509.178 µs [487.485 µs, 530.871 µs] 137.579 µs (37.0%)
iast_HARDCODED_SECRET_DISABLED 476.704 µs [455.927 µs, 497.48 µs] 105.105 µs (28.3%)
iast_INACTIVE 457.884 µs [436.092 µs, 479.676 µs] 86.286 µs (23.2%)
iast_TELEMETRY_OFF 470.68 µs [449.87 µs, 491.49 µs] 99.082 µs (26.7%)
tracing 443.166 µs [422.361 µs, 463.972 µs] 71.568 µs (19.3%)
Request duration reports for petclinic
[Gantt chart: petclinic - request duration [CI 0.99], candidate=1.35.0-SNAPSHOT~04c59ae87b vs baseline=1.35.0-SNAPSHOT~6c2d477f7c; the per-variant durations and confidence intervals it plots are listed in the baseline and candidate results below]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.338 ms [1.318 ms, 1.357 ms] -
appsec 1.716 ms [1.692 ms, 1.741 ms] 378.679 µs (28.3%)
appsec_no_iast 1.733 ms [1.709 ms, 1.756 ms] 395.236 µs (29.5%)
iast 1.477 ms [1.454 ms, 1.499 ms] 138.961 µs (10.4%)
profiling 1.498 ms [1.473 ms, 1.523 ms] 160.439 µs (12.0%)
tracing 1.472 ms [1.447 ms, 1.496 ms] 133.936 µs (10.0%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.354 ms [1.335 ms, 1.374 ms] -
appsec 1.729 ms [1.705 ms, 1.753 ms] 374.669 µs (27.7%)
appsec_no_iast 1.709 ms [1.684 ms, 1.734 ms] 354.488 µs (26.2%)
iast 1.463 ms [1.44 ms, 1.486 ms] 108.935 µs (8.0%)
profiling 1.497 ms [1.472 ms, 1.521 ms] 142.258 µs (10.5%)
tracing 1.462 ms [1.438 ms, 1.487 ms] 107.922 µs (8.0%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/IW_default_app_deployed
git_commit_date 1715615333 1715616103
git_commit_sha 6c2d477 04c59ae
release_version 1.35.0-SNAPSHOT~6c2d477f7c 1.35.0-SNAPSHOT~04c59ae87b
Matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1715618374 1715618374
ci_job_id 510368218 510368218
ci_pipeline_id 34162014 34162014
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat
[Gantt chart: tomcat - execution time [CI 0.99], candidate=1.35.0-SNAPSHOT~04c59ae87b vs baseline=1.35.0-SNAPSHOT~6c2d477f7c; the per-variant execution times and confidence intervals it plots are listed in the baseline and candidate results below]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.463 ms [1.452 ms, 1.475 ms] -
appsec 2.201 ms [2.168 ms, 2.235 ms] 738.158 µs (50.4%)
iast 1.963 ms [1.922 ms, 2.004 ms] 499.435 µs (34.1%)
iast_GLOBAL 2.006 ms [1.965 ms, 2.047 ms] 542.454 µs (37.1%)
profiling 1.857 ms [1.823 ms, 1.891 ms] 393.533 µs (26.9%)
tracing 1.84 ms [1.808 ms, 1.872 ms] 376.482 µs (25.7%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.463 ms [1.452 ms, 1.475 ms] -
appsec 2.212 ms [2.177 ms, 2.246 ms] 748.745 µs (51.2%)
iast 1.964 ms [1.923 ms, 2.005 ms] 500.529 µs (34.2%)
iast_GLOBAL 1.985 ms [1.944 ms, 2.025 ms] 521.448 µs (35.6%)
profiling 1.853 ms [1.82 ms, 1.885 ms] 389.466 µs (26.6%)
tracing 1.838 ms [1.806 ms, 1.87 ms] 374.64 µs (25.6%)
Execution time for biojava
[Gantt chart: biojava - execution time [CI 0.99], candidate=1.35.0-SNAPSHOT~04c59ae87b vs baseline=1.35.0-SNAPSHOT~6c2d477f7c; the per-variant execution times and confidence intervals it plots are listed in the baseline and candidate results below]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.612 s [15.612 s, 15.612 s] -
appsec 15.195 s [15.195 s, 15.195 s] -417.0 ms (-2.7%)
iast 18.808 s [18.808 s, 18.808 s] 3.196 s (20.5%)
iast_GLOBAL 17.904 s [17.904 s, 17.904 s] 2.292 s (14.7%)
profiling 15.944 s [15.944 s, 15.944 s] 332.0 ms (2.1%)
tracing 15.12 s [15.12 s, 15.12 s] -492.0 ms (-3.2%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.397 s [15.397 s, 15.397 s] -
appsec 15.102 s [15.102 s, 15.102 s] -295.0 ms (-1.9%)
iast 18.626 s [18.626 s, 18.626 s] 3.229 s (21.0%)
iast_GLOBAL 17.909 s [17.909 s, 17.909 s] 2.512 s (16.3%)
profiling 15.092 s [15.092 s, 15.092 s] -305.0 ms (-2.0%)
tracing 15.124 s [15.124 s, 15.124 s] -273.0 ms (-1.8%)

@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_directory_listing_improve branch 2 times, most recently from d2bb519 to 7a54b98 Compare April 10, 2024 06:21
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_default_app_deployed branch from 74f9979 to 645db4b Compare April 10, 2024 06:30
@jandro996 jandro996 changed the title IW - Add Default App Deployed vulnerability IW - III - Add Default App Deployed vulnerability Apr 10, 2024
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_default_app_deployed branch from 830be9a to e1e520f Compare April 10, 2024 06:46
@smola smola added comp: asm iast Application Security Management (IAST) R&D labels Apr 15, 2024
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_directory_listing_improve branch 2 times, most recently from ac1b217 to 231e977 Compare April 16, 2024 15:57
Base automatically changed from alejandro.gonzalez/IW_directory_listing_improve to master April 18, 2024 08:36
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_default_app_deployed branch 2 times, most recently from 4cdc57c to b7f5afb Compare April 18, 2024 08:58
@jandro996 jandro996 changed the title IW - III - Add Default App Deployed vulnerability Add Default App Deployed vulnerability Apr 18, 2024
@jandro996 jandro996 marked this pull request as ready for review April 18, 2024 09:38
@jandro996 jandro996 requested a review from a team as a code owner April 18, 2024 09:38
@smola smola changed the title Add Default App Deployed vulnerability Detect a vulnerability when a default application is deployed Apr 18, 2024
@@ -212,6 +240,27 @@ private void checkWebXmlVulnerabilities(@Nonnull final Path path, final AgentSpa
case TOMCAT_HOST_MANAGER_APP_PATTERN:
reportAdminConsoleActive(span, TOMCAT_HOST_MANAGER_APP);
break;
case TOMCAT_SAMPLES_APP_PATTERN:
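Review bot: the switch in checkWebXmlVulnerabilities grows by one case per bundled application (TOMCAT_HOST_MANAGER_APP_PATTERN, TOMCAT_SAMPLES_APP_PATTERN, and so on), each pairing a pattern constant with a report call, so every new Tomcat or Jetty default app means another branch in this method. Reading the descriptor's <display-name> once and looking it up in a set of known default-app names would keep the method flat and turn the list into data that can be extended and unit-tested on its own; a short comment stating which vulnerability type each group of cases reports (the host-manager case goes through reportAdminConsoleActive) would also help a reader scanning similar-looking branches.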
Contributor

Since this is growing quite a bit, wouldn't it make more sense to look for <display-name> and then use a list of default apps to match?

Member Author

Potentially it could grow even more, so I will go for your approach.
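The display-name approach agreed in this thread, as an added example that is not the project's code: it parses a web.xml descriptor with a DOM parser hardened against external entities, reads only the <display-name> elements that are direct children of <web-app> (a <servlet> carries its own <display-name>, which must not count) and matches them against a list of default-app names. The class name, method name and the display-name list are assumptions for illustration; the real list should come from the descriptors the server ships with.

```java
import java.io.StringReader;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public final class DefaultAppDetector {

  // Illustrative display-names of applications bundled with Tomcat (ROOT, docs,
  // examples, manager, host-manager) and Jetty (test webapp). Assumed values for
  // this example: take the real list from the descriptors the server ships with.
  static final Set<String> DEFAULT_APP_DISPLAY_NAMES = Set.of(
      "welcome to tomcat",
      "tomcat documentation",
      "servlet and jsp examples",
      "tomcat manager application",
      "tomcat host manager application",
      "test webapp");

  /** Returns the matching default-app display-name when the descriptor belongs to one. */
  static Optional<String> findDefaultApp(final String webXml) throws Exception {
    final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    // Old (servlet 2.3) descriptors carry a DOCTYPE, so DTDs are not rejected outright,
    // but nothing external is ever fetched while parsing an untrusted descriptor.
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    final Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(webXml)));
    final Element root = doc.getDocumentElement();
    if (root == null || !"web-app".equals(root.getLocalName())) {
      return Optional.empty();
    }
    // Only direct children of <web-app> count: a <servlet> has its own <display-name>.
    final NodeList children = root.getChildNodes();
    for (int i = 0; i < children.getLength(); i++) {
      final Node child = children.item(i);
      if (child.getNodeType() != Node.ELEMENT_NODE
          || !"display-name".equals(child.getLocalName())) {
        continue;
      }
      final String name = child.getTextContent().trim();
      if (DEFAULT_APP_DISPLAY_NAMES.contains(name.toLowerCase(Locale.ROOT))) {
        return Optional.of(name);
      }
    }
    return Optional.empty();
  }

  public static void main(final String[] args) throws Exception {
    // Constructed descriptors: a bundled sample app, and a custom app whose
    // servlet-level display-name must not be mistaken for a default application.
    final String examples = "<web-app xmlns=\"https://jakarta.ee/xml/ns/jakartaee\" version=\"5.0\">"
        + "<display-name>Servlet and JSP Examples</display-name></web-app>";
    final String custom = "<web-app><display-name>Payments API</display-name><servlet>"
        + "<display-name>Tomcat Documentation</display-name><servlet-name>docs</servlet-name>"
        + "<servlet-class>com.example.Docs</servlet-class></servlet></web-app>";
    System.out.println("examples app: " + findDefaultApp(examples));
    System.out.println("custom app:   " + findDefaultApp(custom));
  }
}
```

Matching is case-insensitive and trimmed because hand-edited descriptors often differ from the shipped ones only in whitespace or capitalisation.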

@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_default_app_deployed branch 2 times, most recently from 446c7ec to d2a8699 Compare May 8, 2024 08:15
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_default_app_deployed branch from 4e5d5e3 to b386ca0 Compare May 8, 2024 08:18
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_default_app_deployed branch from 85c0cc4 to 94878ca Compare May 13, 2024 15:30
@jandro996 jandro996 merged commit 9d2fdc1 into master May 13, 2024
77 of 80 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/IW_default_app_deployed branch May 13, 2024 16:49
@github-actions github-actions bot added this to the 1.35.0 milestone May 13, 2024
Labels
comp: asm iast Application Security Management (IAST) R&D

3 participants