Fix weak randomness false positive in Kafka client #8408


Merged
merged 3 commits into from
Feb 18, 2025

@smola smola commented Feb 17, 2025

What Does This Do

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-56801

@smola smola added type: enhancement comp: asm iast Application Security Management (IAST) labels Feb 17, 2025
@smola smola requested a review from a team as a code owner February 17, 2025 18:38
pr-commenter bot commented Feb 17, 2025

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master smola/kafka-random
git_commit_date 1739875872 1739875888
git_commit_sha ebdbdd4 2882e6f
release_version 1.47.0-SNAPSHOT~ebdbdd43a2 1.47.0-SNAPSHOT~2882e6fbe1
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1739878347 1739878347
ci_job_id 811666721 811666721
ci_pipeline_id 56135166 56135166
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-pf96l-bk-project-304-concurrent-0-db8jlr0d 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux Linux runner-pf96l-bk-project-304-concurrent-0-db8jlr0d 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 4 unstable metrics.

Startup time reports for petclinic
gantt
    title petclinic - global startup overhead: candidate=1.47.0-SNAPSHOT~2882e6fbe1, baseline=1.47.0-SNAPSHOT~ebdbdd43a2

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.038 s) : 0, 1038253
Total [baseline] (10.595 s) : 0, 10595119
Agent [candidate] (1.048 s) : 0, 1048302
Total [candidate] (10.509 s) : 0, 10509080
section appsec
Agent [baseline] (1.18 s) : 0, 1180297
Total [baseline] (10.706 s) : 0, 10705749
Agent [candidate] (1.182 s) : 0, 1181818
Total [candidate] (10.734 s) : 0, 10734010
section iast
Agent [baseline] (1.17 s) : 0, 1170297
Total [baseline] (10.951 s) : 0, 10951367
Agent [candidate] (1.171 s) : 0, 1170629
Total [candidate] (10.969 s) : 0, 10968564
section profiling
Agent [baseline] (1.263 s) : 0, 1263214
Total [baseline] (10.893 s) : 0, 10893485
Agent [candidate] (1.261 s) : 0, 1261336
Total [candidate] (10.841 s) : 0, 10840972
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.038 s -
Agent appsec 1.18 s 142.044 ms (13.7%)
Agent iast 1.17 s 132.045 ms (12.7%)
Agent profiling 1.263 s 224.961 ms (21.7%)
Total tracing 10.595 s -
Total appsec 10.706 s 110.631 ms (1.0%)
Total iast 10.951 s 356.248 ms (3.4%)
Total profiling 10.893 s 298.366 ms (2.8%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.048 s -
Agent appsec 1.182 s 133.516 ms (12.7%)
Agent iast 1.171 s 122.326 ms (11.7%)
Agent profiling 1.261 s 213.034 ms (20.3%)
Total tracing 10.509 s -
Total appsec 10.734 s 224.93 ms (2.1%)
Total iast 10.969 s 459.484 ms (4.4%)
Total profiling 10.841 s 331.892 ms (3.2%)
gantt
    title petclinic - break down per module: candidate=1.47.0-SNAPSHOT~2882e6fbe1, baseline=1.47.0-SNAPSHOT~ebdbdd43a2

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (714.949 ms) : 0, 714949
BytebuddyAgent [candidate] (722.456 ms) : 0, 722456
GlobalTracer [baseline] (238.732 ms) : 0, 238732
GlobalTracer [candidate] (242.306 ms) : 0, 242306
AppSec [baseline] (55.346 ms) : 0, 55346
AppSec [candidate] (56.134 ms) : 0, 56134
Remote Config [baseline] (696.001 µs) : 0, 696
Remote Config [candidate] (708.462 µs) : 0, 708
Telemetry [baseline] (13.374 ms) : 0, 13374
Telemetry [candidate] (11.469 ms) : 0, 11469
section appsec
BytebuddyAgent [baseline] (732.639 ms) : 0, 732639
BytebuddyAgent [candidate] (733.254 ms) : 0, 733254
GlobalTracer [baseline] (236.328 ms) : 0, 236328
GlobalTracer [candidate] (236.817 ms) : 0, 236817
IAST [baseline] (21.338 ms) : 0, 21338
IAST [candidate] (21.319 ms) : 0, 21319
AppSec [baseline] (176.583 ms) : 0, 176583
AppSec [candidate] (177.002 ms) : 0, 177002
Remote Config [baseline] (661.365 µs) : 0, 661
Remote Config [candidate] (660.837 µs) : 0, 661
Telemetry [baseline] (8.235 ms) : 0, 8235
Telemetry [candidate] (8.24 ms) : 0, 8240
section iast
BytebuddyAgent [baseline] (835.765 ms) : 0, 835765
BytebuddyAgent [candidate] (835.422 ms) : 0, 835422
GlobalTracer [baseline] (230.126 ms) : 0, 230126
GlobalTracer [candidate] (230.144 ms) : 0, 230144
IAST [baseline] (22.818 ms) : 0, 22818
IAST [candidate] (23.023 ms) : 0, 23023
AppSec [baseline] (57.156 ms) : 0, 57156
AppSec [candidate] (57.504 ms) : 0, 57504
Remote Config [baseline] (601.771 µs) : 0, 602
Remote Config [candidate] (616.867 µs) : 0, 617
Telemetry [baseline] (8.603 ms) : 0, 8603
Telemetry [candidate] (8.769 ms) : 0, 8769
section profiling
BytebuddyAgent [baseline] (708.012 ms) : 0, 708012
BytebuddyAgent [candidate] (708.506 ms) : 0, 708506
GlobalTracer [baseline] (350.99 ms) : 0, 350990
GlobalTracer [candidate] (350.279 ms) : 0, 350279
AppSec [baseline] (55.634 ms) : 0, 55634
AppSec [candidate] (54.582 ms) : 0, 54582
Remote Config [baseline] (679.269 µs) : 0, 679
Remote Config [candidate] (663.618 µs) : 0, 664
Telemetry [baseline] (8.968 ms) : 0, 8968
Telemetry [candidate] (8.882 ms) : 0, 8882
ProfilingAgent [baseline] (96.642 ms) : 0, 96642
ProfilingAgent [candidate] (96.215 ms) : 0, 96215
Profiling [baseline] (96.667 ms) : 0, 96667
Profiling [candidate] (96.239 ms) : 0, 96239
Startup time reports for insecure-bank
gantt
    title insecure-bank - global startup overhead: candidate=1.47.0-SNAPSHOT~2882e6fbe1, baseline=1.47.0-SNAPSHOT~ebdbdd43a2

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.04 s) : 0, 1039842
Total [baseline] (8.657 s) : 0, 8656522
Agent [candidate] (1.041 s) : 0, 1040775
Total [candidate] (8.657 s) : 0, 8657371
section iast
Agent [baseline] (1.17 s) : 0, 1170060
Total [baseline] (9.226 s) : 0, 9225993
Agent [candidate] (1.171 s) : 0, 1171119
Total [candidate] (9.274 s) : 0, 9273549
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.172 s) : 0, 1171908
Total [baseline] (9.203 s) : 0, 9202820
Agent [candidate] (1.169 s) : 0, 1168968
Total [candidate] (9.201 s) : 0, 9200796
section iast_TELEMETRY_OFF
Agent [baseline] (1.166 s) : 0, 1165640
Total [baseline] (9.256 s) : 0, 9255916
Agent [candidate] (1.17 s) : 0, 1170096
Total [candidate] (9.236 s) : 0, 9235594
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.04 s -
Agent iast 1.17 s 130.218 ms (12.5%)
Agent iast_HARDCODED_SECRET_DISABLED 1.172 s 132.066 ms (12.7%)
Agent iast_TELEMETRY_OFF 1.166 s 125.798 ms (12.1%)
Total tracing 8.657 s -
Total iast 9.226 s 569.471 ms (6.6%)
Total iast_HARDCODED_SECRET_DISABLED 9.203 s 546.298 ms (6.3%)
Total iast_TELEMETRY_OFF 9.256 s 599.395 ms (6.9%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.041 s -
Agent iast 1.171 s 130.344 ms (12.5%)
Agent iast_HARDCODED_SECRET_DISABLED 1.169 s 128.193 ms (12.3%)
Agent iast_TELEMETRY_OFF 1.17 s 129.32 ms (12.4%)
Total tracing 8.657 s -
Total iast 9.274 s 616.179 ms (7.1%)
Total iast_HARDCODED_SECRET_DISABLED 9.201 s 543.425 ms (6.3%)
Total iast_TELEMETRY_OFF 9.236 s 578.223 ms (6.7%)
gantt
    title insecure-bank - break down per module: candidate=1.47.0-SNAPSHOT~2882e6fbe1, baseline=1.47.0-SNAPSHOT~ebdbdd43a2

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (716.889 ms) : 0, 716889
BytebuddyAgent [candidate] (717.639 ms) : 0, 717639
GlobalTracer [baseline] (239.251 ms) : 0, 239251
GlobalTracer [candidate] (239.496 ms) : 0, 239496
AppSec [baseline] (55.766 ms) : 0, 55766
AppSec [candidate] (55.476 ms) : 0, 55476
Remote Config [baseline] (695.697 µs) : 0, 696
Remote Config [candidate] (699.062 µs) : 0, 699
Telemetry [baseline] (12.08 ms) : 0, 12080
Telemetry [candidate] (12.324 ms) : 0, 12324
section iast
BytebuddyAgent [baseline] (835.702 ms) : 0, 835702
BytebuddyAgent [candidate] (836.288 ms) : 0, 836288
GlobalTracer [baseline] (230.369 ms) : 0, 230369
GlobalTracer [candidate] (230.546 ms) : 0, 230546
IAST [baseline] (22.553 ms) : 0, 22553
IAST [candidate] (22.724 ms) : 0, 22724
AppSec [baseline] (56.924 ms) : 0, 56924
AppSec [candidate] (57.067 ms) : 0, 57067
Remote Config [baseline] (603.865 µs) : 0, 604
Remote Config [candidate] (602.971 µs) : 0, 603
Telemetry [baseline] (8.667 ms) : 0, 8667
Telemetry [candidate] (8.657 ms) : 0, 8657
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (836.245 ms) : 0, 836245
BytebuddyAgent [candidate] (834.295 ms) : 0, 834295
GlobalTracer [baseline] (230.557 ms) : 0, 230557
GlobalTracer [candidate] (229.996 ms) : 0, 229996
IAST [baseline] (23.108 ms) : 0, 23108
IAST [candidate] (22.846 ms) : 0, 22846
AppSec [baseline] (57.422 ms) : 0, 57422
AppSec [candidate] (57.227 ms) : 0, 57227
Remote Config [baseline] (622.644 µs) : 0, 623
Remote Config [candidate] (616.409 µs) : 0, 616
Telemetry [baseline] (8.773 ms) : 0, 8773
Telemetry [candidate] (8.738 ms) : 0, 8738
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (832.147 ms) : 0, 832147
BytebuddyAgent [candidate] (835.133 ms) : 0, 835133
GlobalTracer [baseline] (229.551 ms) : 0, 229551
GlobalTracer [candidate] (230.296 ms) : 0, 230296
IAST [baseline] (26.321 ms) : 0, 26321
IAST [candidate] (26.433 ms) : 0, 26433
AppSec [baseline] (53.205 ms) : 0, 53205
AppSec [candidate] (53.639 ms) : 0, 53639
Remote Config [baseline] (627.068 µs) : 0, 627
Remote Config [candidate] (628.573 µs) : 0, 629
Telemetry [baseline] (8.607 ms) : 0, 8607
Telemetry [candidate] (8.758 ms) : 0, 8758

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2025-02-18T11:02:23 2025-02-18T11:09:28
git_branch master smola/kafka-random
git_commit_date 1739875872 1739875888
git_commit_sha ebdbdd4 2882e6f
release_version 1.47.0-SNAPSHOT~ebdbdd43a2 1.47.0-SNAPSHOT~2882e6fbe1
start_time 2025-02-18T11:02:09 2025-02-18T11:09:14
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1739877327 1739877327
ci_job_id 811666723 811666723
ci_pipeline_id 56135166 56135166
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-yzw1vlp-project-304-concurrent-1-6336inds 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux Linux runner-yzw1vlp-project-304-concurrent-1-6336inds 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 13 metrics, 15 unstable metrics.

Request duration reports for petclinic
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.47.0-SNAPSHOT~2882e6fbe1, baseline=1.47.0-SNAPSHOT~ebdbdd43a2
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.344 ms) : 1325, 1363
.   : milestone, 1344,
appsec (1.756 ms) : 1733, 1780
.   : milestone, 1756,
appsec_no_iast (1.769 ms) : 1743, 1795
.   : milestone, 1769,
iast (1.512 ms) : 1488, 1535
.   : milestone, 1512,
profiling (1.561 ms) : 1536, 1585
.   : milestone, 1561,
tracing (1.495 ms) : 1467, 1522
.   : milestone, 1495,
section candidate
no_agent (1.35 ms) : 1330, 1370
.   : milestone, 1350,
appsec (1.752 ms) : 1728, 1776
.   : milestone, 1752,
appsec_no_iast (1.751 ms) : 1726, 1777
.   : milestone, 1751,
iast (1.513 ms) : 1489, 1537
.   : milestone, 1513,
profiling (1.569 ms) : 1544, 1594
.   : milestone, 1569,
tracing (1.498 ms) : 1474, 1522
.   : milestone, 1498,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.344 ms [1.325 ms, 1.363 ms] -
appsec 1.756 ms [1.733 ms, 1.78 ms] 412.17 µs (30.7%)
appsec_no_iast 1.769 ms [1.743 ms, 1.795 ms] 424.883 µs (31.6%)
iast 1.512 ms [1.488 ms, 1.535 ms] 167.433 µs (12.5%)
profiling 1.561 ms [1.536 ms, 1.585 ms] 216.403 µs (16.1%)
tracing 1.495 ms [1.467 ms, 1.522 ms] 150.636 µs (11.2%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.35 ms [1.33 ms, 1.37 ms] -
appsec 1.752 ms [1.728 ms, 1.776 ms] 401.775 µs (29.8%)
appsec_no_iast 1.751 ms [1.726 ms, 1.777 ms] 401.098 µs (29.7%)
iast 1.513 ms [1.489 ms, 1.537 ms] 162.917 µs (12.1%)
profiling 1.569 ms [1.544 ms, 1.594 ms] 218.985 µs (16.2%)
tracing 1.498 ms [1.474 ms, 1.522 ms] 147.632 µs (10.9%)
Request duration reports for insecure-bank
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.47.0-SNAPSHOT~2882e6fbe1, baseline=1.47.0-SNAPSHOT~ebdbdd43a2
    dateFormat X
    axisFormat %s
section baseline
no_agent (378.679 µs) : 358, 399
.   : milestone, 379,
iast (508.787 µs) : 487, 531
.   : milestone, 509,
iast_FULL (741.965 µs) : 720, 764
.   : milestone, 742,
iast_GLOBAL (554.224 µs) : 533, 576
.   : milestone, 554,
iast_HARDCODED_SECRET_DISABLED (508.602 µs) : 487, 531
.   : milestone, 509,
iast_INACTIVE (458.453 µs) : 437, 480
.   : milestone, 458,
iast_TELEMETRY_OFF (496.42 µs) : 475, 518
.   : milestone, 496,
tracing (452.5 µs) : 432, 473
.   : milestone, 453,
section candidate
no_agent (378.743 µs) : 359, 399
.   : milestone, 379,
iast (508.334 µs) : 486, 531
.   : milestone, 508,
iast_FULL (742.469 µs) : 721, 764
.   : milestone, 742,
iast_GLOBAL (558.359 µs) : 535, 581
.   : milestone, 558,
iast_HARDCODED_SECRET_DISABLED (517.155 µs) : 494, 540
.   : milestone, 517,
iast_INACTIVE (457.463 µs) : 436, 479
.   : milestone, 457,
iast_TELEMETRY_OFF (503.438 µs) : 480, 527
.   : milestone, 503,
tracing (454.771 µs) : 434, 476
.   : milestone, 455,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 378.679 µs [358.038 µs, 399.319 µs] -
iast 508.787 µs [486.696 µs, 530.877 µs] 130.108 µs (34.4%)
iast_FULL 741.965 µs [720.022 µs, 763.909 µs] 363.286 µs (95.9%)
iast_GLOBAL 554.224 µs [532.556 µs, 575.892 µs] 175.545 µs (46.4%)
iast_HARDCODED_SECRET_DISABLED 508.602 µs [486.537 µs, 530.668 µs] 129.924 µs (34.3%)
iast_INACTIVE 458.453 µs [437.175 µs, 479.73 µs] 79.774 µs (21.1%)
iast_TELEMETRY_OFF 496.42 µs [474.667 µs, 518.172 µs] 117.741 µs (31.1%)
tracing 452.5 µs [431.832 µs, 473.168 µs] 73.821 µs (19.5%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 378.743 µs [358.824 µs, 398.663 µs] -
iast 508.334 µs [485.577 µs, 531.092 µs] 129.591 µs (34.2%)
iast_FULL 742.469 µs [720.505 µs, 764.432 µs] 363.725 µs (96.0%)
iast_GLOBAL 558.359 µs [535.379 µs, 581.338 µs] 179.615 µs (47.4%)
iast_HARDCODED_SECRET_DISABLED 517.155 µs [494.384 µs, 539.925 µs] 138.411 µs (36.5%)
iast_INACTIVE 457.463 µs [436.215 µs, 478.711 µs] 78.72 µs (20.8%)
iast_TELEMETRY_OFF 503.438 µs [479.76 µs, 527.117 µs] 124.695 µs (32.9%)
tracing 454.771 µs [433.931 µs, 475.612 µs] 76.028 µs (20.1%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master smola/kafka-random
git_commit_date 1739875872 1739875888
git_commit_sha ebdbdd4 2882e6f
release_version 1.47.0-SNAPSHOT~ebdbdd43a2 1.47.0-SNAPSHOT~2882e6fbe1
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1739877919 1739877919
ci_job_id 811666725 811666725
ci_pipeline_id 56135166 56135166
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-wxk4-4f-project-304-concurrent-2-1ocucn4x 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux Linux runner-wxk4-4f-project-304-concurrent-2-1ocucn4x 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
gantt
    title biojava - execution time [CI 0.99] : candidate=1.47.0-SNAPSHOT~2882e6fbe1, baseline=1.47.0-SNAPSHOT~ebdbdd43a2
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.482 s) : 15482000, 15482000
.   : milestone, 15482000,
appsec (15.059 s) : 15059000, 15059000
.   : milestone, 15059000,
iast (18.519 s) : 18519000, 18519000
.   : milestone, 18519000,
iast_GLOBAL (18.062 s) : 18062000, 18062000
.   : milestone, 18062000,
profiling (15.493 s) : 15493000, 15493000
.   : milestone, 15493000,
tracing (15.067 s) : 15067000, 15067000
.   : milestone, 15067000,
section candidate
no_agent (15.563 s) : 15563000, 15563000
.   : milestone, 15563000,
appsec (14.938 s) : 14938000, 14938000
.   : milestone, 14938000,
iast (18.938 s) : 18938000, 18938000
.   : milestone, 18938000,
iast_GLOBAL (17.62 s) : 17620000, 17620000
.   : milestone, 17620000,
profiling (15.665 s) : 15665000, 15665000
.   : milestone, 15665000,
tracing (14.968 s) : 14968000, 14968000
.   : milestone, 14968000,
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.482 s [15.482 s, 15.482 s] -
appsec 15.059 s [15.059 s, 15.059 s] -423.0 ms (-2.7%)
iast 18.519 s [18.519 s, 18.519 s] 3.037 s (19.6%)
iast_GLOBAL 18.062 s [18.062 s, 18.062 s] 2.58 s (16.7%)
profiling 15.493 s [15.493 s, 15.493 s] 11.0 ms (0.1%)
tracing 15.067 s [15.067 s, 15.067 s] -415.0 ms (-2.7%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.563 s [15.563 s, 15.563 s] -
appsec 14.938 s [14.938 s, 14.938 s] -625.0 ms (-4.0%)
iast 18.938 s [18.938 s, 18.938 s] 3.375 s (21.7%)
iast_GLOBAL 17.62 s [17.62 s, 17.62 s] 2.057 s (13.2%)
profiling 15.665 s [15.665 s, 15.665 s] 102.0 ms (0.7%)
tracing 14.968 s [14.968 s, 14.968 s] -595.0 ms (-3.8%)
Execution time for tomcat
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.47.0-SNAPSHOT~2882e6fbe1, baseline=1.47.0-SNAPSHOT~ebdbdd43a2
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.47 ms) : 1458, 1482
.   : milestone, 1470,
appsec (2.335 ms) : 2292, 2377
.   : milestone, 2335,
iast (2.108 ms) : 2052, 2163
.   : milestone, 2108,
iast_GLOBAL (2.133 ms) : 2078, 2188
.   : milestone, 2133,
profiling (1.963 ms) : 1919, 2007
.   : milestone, 1963,
tracing (1.942 ms) : 1900, 1985
.   : milestone, 1942,
section candidate
no_agent (1.466 ms) : 1454, 1477
.   : milestone, 1466,
appsec (2.343 ms) : 2300, 2386
.   : milestone, 2343,
iast (2.096 ms) : 2041, 2151
.   : milestone, 2096,
iast_GLOBAL (2.149 ms) : 2093, 2204
.   : milestone, 2149,
profiling (1.958 ms) : 1914, 2001
.   : milestone, 1958,
tracing (1.929 ms) : 1888, 1971
.   : milestone, 1929,
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.47 ms [1.458 ms, 1.482 ms] -
appsec 2.335 ms [2.292 ms, 2.377 ms] 864.538 µs (58.8%)
iast 2.108 ms [2.052 ms, 2.163 ms] 637.749 µs (43.4%)
iast_GLOBAL 2.133 ms [2.078 ms, 2.188 ms] 663.269 µs (45.1%)
profiling 1.963 ms [1.919 ms, 2.007 ms] 493.122 µs (33.5%)
tracing 1.942 ms [1.9 ms, 1.985 ms] 472.227 µs (32.1%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.466 ms [1.454 ms, 1.477 ms] -
appsec 2.343 ms [2.3 ms, 2.386 ms] 877.781 µs (59.9%)
iast 2.096 ms [2.041 ms, 2.151 ms] 630.45 µs (43.0%)
iast_GLOBAL 2.149 ms [2.093 ms, 2.204 ms] 682.982 µs (46.6%)
profiling 1.958 ms [1.914 ms, 2.001 ms] 491.975 µs (33.6%)
tracing 1.929 ms [1.888 ms, 1.971 ms] 463.64 µs (31.6%)

@smola smola enabled auto-merge (squash) February 18, 2025 10:51
@smola smola merged commit 919d607 into master Feb 18, 2025
200 of 201 checks passed
@smola smola deleted the smola/kafka-random branch February 18, 2025 17:22
@github-actions github-actions bot added this to the 1.47.0 milestone Feb 18, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Mar 6, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.46.1` -> `1.47.0` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.46.1` -> `1.47.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |

---

### Release Notes

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.47.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.47.0): 1.47.0

##### Components

##### Application Security Management (IAST)

- 🐛 Exclude com.stripe.net.HttpURLConnectionClient to solve IAST SSRF vulnerability false positives ([#8483](DataDog/dd-trace-java#8483) - [@jandro996](https://github.com/jandro996))
- 🐛 Add exclusion to solve IAST weak randomness vulnerability false positives ([#8462](DataDog/dd-trace-java#8462) - [@jandro996](https://github.com/jandro996))
- ✨ Fix weak randomness false positive in Kafka client ([#8408](DataDog/dd-trace-java#8408) - [@smola](https://github.com/smola))
- ✨ Fix location for SSRF with Kong Unirest ([#8407](DataDog/dd-trace-java#8407) - [@smola](https://github.com/smola))
- ✨ Exclude IBM Instana from IAST ([#8406](DataDog/dd-trace-java#8406) - [@smola](https://github.com/smola))
- 🐛 Fix org.json iast instrumentation test for latest dependency ([#8347](DataDog/dd-trace-java#8347) - [@jandro996](https://github.com/jandro996))
- ✨ Configuration to Disable APM Tracing ([#8219](DataDog/dd-trace-java#8219) - [@jandro996](https://github.com/jandro996))
- ✨ Address cookie vulnerability cardinality issues ([#8210](DataDog/dd-trace-java#8210) - [@jandro996](https://github.com/jandro996))
- ✨ Email HTML Injection detection in IAST ([#8205](DataDog/dd-trace-java#8205) - [@sezen-datadog](https://github.com/sezen-datadog))

##### Application Security Management (WAF)

- 🐛✨ Ensure usr.exists tag is not overridden when UsernameNotFoundException is thrown ([#8376](DataDog/dd-trace-java#8376) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- 🐛✨ Ensure usr.exists tag is not overridden by auto instrumentation ([#8374](DataDog/dd-trace-java#8374) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Update appsec metrics with event_rules_version tag ([#8354](DataDog/dd-trace-java#8354) - [@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Update metrics: appsec.waf.requests ([#8353](DataDog/dd-trace-java#8353) - [@Mariovido](https://github.com/Mariovido))
- ✨ Improve ASM support in vert.x 5.0 ([#8285](DataDog/dd-trace-java#8285) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Update metrics: appsec.waf.updates and appsec.waf.init ([#8280](DataDog/dd-trace-java#8280) - [@Mariovido](https://github.com/Mariovido))
- ✨ Configuration to Disable APM Tracing ([#8219](DataDog/dd-trace-java#8219) - [@jandro996](https://github.com/jandro996))

##### Build & Tooling

- 🐛 Do not generate Muzzle references for primitive arrays in method body ([#8361](DataDog/dd-trace-java#8361) - [@amarziali](https://github.com/amarziali))
- 📖 Improve dev env setup documentation for Windows ([#8180](DataDog/dd-trace-java#8180) - [@lucaspimentel](https://github.com/lucaspimentel))

##### Continuous Integration Visibility

- ✨ Add support for skip-EFD tagging ([#8487](DataDog/dd-trace-java#8487) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix an NPE in Gradle Android instrumentation ([#8484](DataDog/dd-trace-java#8484) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Consider modified tests when applying fail-fast tests ordering ([#8474](DataDog/dd-trace-java#8474) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement tests reordering for TestNG ([#8467](DataDog/dd-trace-java#8467) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix Gradle Launcher instrumentation to not interfere with Gradle Test Kit ([#8465](DataDog/dd-trace-java#8465) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Use separate TestEventHandlers per framework in CI Vis instrumentations ([#8451](DataDog/dd-trace-java#8451) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Remove warning log when JUnit 4 test method cannot be retrieved ([#8445](DataDog/dd-trace-java#8445) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix Scalatest tracing for tests that are reported asynchronously ([#8444](DataDog/dd-trace-java#8444) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement attempt to fix tests ([#8393](DataDog/dd-trace-java#8393) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement test disabling ([#8377](DataDog/dd-trace-java#8377) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Update CODEOWNERS parser to not log errors on comments with leading whitespace ([#8349](DataDog/dd-trace-java#8349) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Request Test Management tests list ([#8345](DataDog/dd-trace-java#8345) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Receive test management settings from CIVis settings request ([#8331](DataDog/dd-trace-java#8331) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement quarantined tests tagging ([#8326](DataDog/dd-trace-java#8326) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement tests quarantining ([#8320](DataDog/dd-trace-java#8320) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add tag to specify if the user is setting DD_SERVICE ([#8318](DataDog/dd-trace-java#8318) - [@daniel-mohedano](https://github.com/daniel-mohedano))

##### Crash tracking

- ✨ Only fork jps when required ([#8419](DataDog/dd-trace-java#8419) - [@mcculls](https://github.com/mcculls))
- 🐛 Use Java home of the crashed process to launch crash uploader ([#8348](DataDog/dd-trace-java#8348) - [@jbachorik](https://github.com/jbachorik))

##### Data Streams Monitoring

- 🐛 Fix error happening when sqs message attributes are readonly ([#8473](DataDog/dd-trace-java#8473) - [@vandonr](https://github.com/vandonr))
- 🐛 Fix bug on proto schema extraction ([#8403](DataDog/dd-trace-java#8403) - [@vandonr](https://github.com/vandonr))
- 🐛 Fix service name overrides in consumers ([#8387](DataDog/dd-trace-java#8387) - [@piochelepiotr](https://github.com/piochelepiotr))

##### Database Monitoring

- ✨ Add DBMTracePreparedStatements to tracer configuration log ([#8508](DataDog/dd-trace-java#8508) - [@cecile75](https://github.com/cecile75))

##### Dynamic Instrumentation

- ✨ Look in another location for grpc service methods ([#8468](DataDog/dd-trace-java#8468) - [@evanchooly](https://github.com/evanchooly))
- 🐛 Fix Exception Replay with Lambda proxy classes ([#8452](DataDog/dd-trace-java#8452) - [@jpbempel](https://github.com/jpbempel))
- ✨ Add code origin support for spring-webmvc ([#8416](DataDog/dd-trace-java#8416) - [@evanchooly](https://github.com/evanchooly))
- ✨ Add support for scanning jar from loaded class ([#8370](DataDog/dd-trace-java#8370) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Disable capture of entry values ([#8369](DataDog/dd-trace-java#8369) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Fix CodeOrigin for `@Trace` annotation ([#8344](DataDog/dd-trace-java#8344) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Fix equals/hashCode for CodeOrigin probe ([#8319](DataDog/dd-trace-java#8319) - [@jpbempel](https://github.com/jpbempel))
- ✨ Add code origin support to kafka message listeners ([#8301](DataDog/dd-trace-java#8301) - [@evanchooly](https://github.com/evanchooly))

##### Metrics

- ✨ Create metric: appsec.waf.error ([#8381](DataDog/dd-trace-java#8381) - [@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Create metric: appsec.rasp.error ([#8364](DataDog/dd-trace-java#8364) - [@sezen-datadog](https://github.com/sezen-datadog))

##### Profiling

- ✨ Bump ddprof library to 1.22.0 ([#8463](DataDog/dd-trace-java#8463) - [@jbachorik](https://github.com/jbachorik))
- IBM J9 8u361 corresponds to OpenJDK 8u362 by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#187
- Fix compatibility with musl libc 1.2.4 by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#189
- Modify version extraction by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#179
- Do not write null values to jvminfo event by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#184
- Productize VMStructs-based stack walker by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#177
- A few minor downport issues by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#180
- Enable ASGCT by default on fairly safe J9 JDK versions by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#181
- 🐛 Exclude OrderedThreadPoolExecutor from queue-time measurements ([#8456](DataDog/dd-trace-java#8456) - [@jbachorik](https://github.com/jbachorik))
- ✨ Record JVM info on JVMs without JFR ([#8431](DataDog/dd-trace-java#8431) - [@jbachorik](https://github.com/jbachorik))
- 🐛 Actually use CleanupTask in TempLocationManager ([#8420](DataDog/dd-trace-java#8420) - [@mcculls](https://github.com/mcculls))
- ✨ Only fork jps when required ([#8419](DataDog/dd-trace-java#8419) - [@mcculls](https://github.com/mcculls))
- 🐛 Adjust JFR checks for J9 ([#8405](DataDog/dd-trace-java#8405) - [@jbachorik](https://github.com/jbachorik))
- 🧹 Disable smap RSS parsing by default ([#8342](DataDog/dd-trace-java#8342) - [@MattAlp](https://github.com/MattAlp))

##### Telemetry

- 🐛 Add support for JBoss jar:file format to DependencyResolver
([#8428](DataDog/dd-trace-java#8428) -
[@jandro996](https://github.com/jandro996))
- ✨ Update metrics: appsec.waf.requests
([#8353](DataDog/dd-trace-java#8353) -
[@Mariovido](https://github.com/Mariovido))

##### Trace context propagation

- ✨ Introduce tracing propagator
([#8313](DataDog/dd-trace-java#8313) -
[@PerfectSlayer](https://github.com/PerfectSlayer))

##### Tracer core

- 🐛 Fix Stable Config telemetry source names
([#8460](DataDog/dd-trace-java#8460) -
[@BaptisteFoy](https://github.com/BaptisteFoy))
- ✨ Probe trace endpoints with a valid payload of empty arrays
([#8414](DataDog/dd-trace-java#8414) -
[@mcculls](https://github.com/mcculls))
- ✨ Add 1 minute fail-safe to JUL/JMX class-loading callback
([#8399](DataDog/dd-trace-java#8399) -
[@mcculls](https://github.com/mcculls))
- ✨ Migrate DSM injection calls to context-first APIs
([#8383](DataDog/dd-trace-java#8383) -
[@PerfectSlayer](https://github.com/PerfectSlayer))
- 🧹 Move continuation capture methods from scope to tracer
([#8371](DataDog/dd-trace-java#8371) -
[@mcculls](https://github.com/mcculls))
- ✨ Migrate context extraction calls to context-first APIs
([#8368](DataDog/dd-trace-java#8368) -
[@PerfectSlayer](https://github.com/PerfectSlayer))
- 🧹 Migrate context injection calls to context-first APIs
([#8358](DataDog/dd-trace-java#8358) -
[@PerfectSlayer](https://github.com/PerfectSlayer))
- 💡 Support reading configurations from files
([#8338](DataDog/dd-trace-java#8338) -
[@mtoffl01](https://github.com/mtoffl01))
- 💡 Implementation of BaggagePropagator and BaggageContext
([#8330](DataDog/dd-trace-java#8330) -
[@mhlidd](https://github.com/mhlidd))
- 🧹 Combine continuation implementations into one which supports
multiple activations
([#8324](DataDog/dd-trace-java#8324) -
[@mcculls](https://github.com/mcculls))
- ✨ Introduce tracing propagator
([#8313](DataDog/dd-trace-java#8313) -
[@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Remove old context propagation API
([#8271](DataDog/dd-trace-java#8271) -
[@PerfectSlayer](https://github.com/PerfectSlayer))

##### Instrumentations

##### AWS Lambda instrumentation

- 🐛 Send error message and stack to Lambda extension
([#8417](DataDog/dd-trace-java#8417) -
[@nhulston](https://github.com/nhulston))

##### AWS SDK instrumentation

- 🐛 Fix error happening when sqs message attributes are readonly
([#8473](DataDog/dd-trace-java#8473) -
[@vandonr](https://github.com/vandonr))
- 💡 Inject trace context into AWS Step Functions input
([#7585](DataDog/dd-trace-java#7585) -
[@DylanLovesCoffee](https://github.com/DylanLovesCoffee))

##### Core Java language instrumentation

- ✨ Look in another location for grpc service methods
([#8468](DataDog/dd-trace-java#8468) -
[@evanchooly](https://github.com/evanchooly))
- ✨ Add code origin support for spring-webmvc
([#8416](DataDog/dd-trace-java#8416) -
[@evanchooly](https://github.com/evanchooly))
- 💡 Implementation of BaggagePropagator and BaggageContext
([#8330](DataDog/dd-trace-java#8330) -
[@mhlidd](https://github.com/mhlidd))
- ✨ Add code origin support to kafka message listeners
([#8301](DataDog/dd-trace-java#8301) -
[@evanchooly](https://github.com/evanchooly))

##### gRPC instrumentation

- ✨ Look in another location for grpc service methods
([#8468](DataDog/dd-trace-java#8468) -
[@evanchooly](https://github.com/evanchooly))

##### Kafka instrumentation

- ✨ Add messaging.destination.name tag to kafka integrations
([#8366](DataDog/dd-trace-java#8366) -
[@rarguelloF](https://github.com/rarguelloF))

##### Protocol Buffer instrumentation

- 🐛 Fix bug on proto schema extraction
([#8403](DataDog/dd-trace-java#8403) -
[@vandonr](https://github.com/vandonr))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---


This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: 108a0f86aa59ab4c938cbac0688dd4c19cb301fa