Remove deduplication for session rewriting vulnerability report (#6895)

##What Does This Do Add a new method Reporter#noDepupReport to allow report vulnerabilities without deduplication Remove deduplication for session rewriting vulnerability report ##Motivation If several apps are deployed in the same server only the first one session rewriting vulnerability find will be reported
DataDog · Apr 16, 2024 · 4c97fc1 · 4c97fc1
1 parent b075ba5
commit 4c97fc1
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 3 deletions.
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/Reporter.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/Reporter.java
@@ -152,6 +152,9 @@ public HashBasedDeduplication(@Nullable final AgentTaskScheduler taskScheduler)
 
     @Override
     public boolean test(final Vulnerability vulnerability) {
+      if (!vulnerability.getType().isDeduplicable()) {
+        return false;
+      }
       final boolean newVulnerability = hashes.add(vulnerability.getHash());
       if (newVulnerability && hashes.size() > maxSize) {
         hashes.clear();

diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java
@@ -87,7 +87,7 @@ public interface VulnerabilityType {
           VulnerabilityTypes.REFLECTION_INJECTION, VulnerabilityMarks.REFLECTION_INJECTION_MARK);
 
   VulnerabilityType SESSION_REWRITING =
-      new ServiceVulnerabilityType(VulnerabilityTypes.SESSION_REWRITING);
+      new ServiceVulnerabilityType(VulnerabilityTypes.SESSION_REWRITING, false);
 
   String name();
 
@@ -98,6 +98,9 @@ public interface VulnerabilityType {
 
   long calculateHash(@Nonnull final Vulnerability vulnerability);
 
+  /** A flag to indicate if the vulnerability is deduplicable. */
+  boolean isDeduplicable();
+
   class VulnerabilityTypeImpl implements VulnerabilityType {
 
     private final byte type;
@@ -106,14 +109,26 @@ class VulnerabilityTypeImpl implements VulnerabilityType {
 
     private final int mark;
 
+    private final boolean deduplicable;
+
     public VulnerabilityTypeImpl(final byte type, final int... marks) {
       this(type, ' ', marks);
     }
 
+    public VulnerabilityTypeImpl(final byte type, boolean deduplicable, final int... marks) {
+      this(type, ' ', deduplicable, marks);
+    }
+
     public VulnerabilityTypeImpl(final byte type, final char separator, final int... marks) {
+      this(type, separator, true, marks);
+    }
+
+    public VulnerabilityTypeImpl(
+        final byte type, final char separator, final boolean deduplicable, final int... marks) {
       this.type = type;
       this.separator = separator;
       mark = computeMarks(marks);
+      this.deduplicable = deduplicable;
     }
 
     @Override
@@ -148,6 +163,11 @@ public long calculateHash(@Nonnull final Vulnerability vulnerability) {
       return crc.getValue();
     }
 
+    @Override
+    public boolean isDeduplicable() {
+      return deduplicable;
+    }
+
     protected void update(final CRC32 crc, final String value) {
       final byte[] bytes = value.getBytes(StandardCharsets.UTF_8);
       crc.update(bytes, 0, bytes.length);
@@ -197,8 +217,8 @@ public long calculateHash(@Nonnull final Vulnerability vulnerability) {
   }
 
   class ServiceVulnerabilityType extends VulnerabilityTypeImpl {
-    public ServiceVulnerabilityType(byte type, int... marks) {
-      super(type, marks);
+    public ServiceVulnerabilityType(byte type, boolean deduplicable, int... marks) {
+      super(type, deduplicable, marks);
     }
 
     @Override

diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java
@@ -112,6 +112,7 @@ public void checkSessionTrackingModes(@Nonnull Set<String> sessionTrackingModes)
     }
     final AgentSpan span = AgentTracer.activeSpan();
     // overhead is not checked here as it's called once per application context
+    // No deduplication is needed as same service can have multiple applications
     reporter.report(
         span,
         new Vulnerability(

diff --git a/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/ReporterTest.groovy b/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/ReporterTest.groovy
@@ -449,6 +449,30 @@ class ReporterTest extends DDSpecification {
     0 * _
   }
 
+  void 'Reporter when vulnerability is no deduplicable does not prevent duplicates'() {
+    given:
+    final Reporter reporter = new Reporter()
+    final batch = new VulnerabilityBatch()
+    final span = spanWithBatch(batch)
+    final vulnerability = new Vulnerability(
+      VulnerabilityType.SESSION_REWRITING,
+      Location.forSpan(span),
+      new Evidence("SESSION_REWRITING")
+      )
+
+    when: 'first time a vulnerability is reported'
+    reporter.report(span, vulnerability)
+
+    then:
+    batch.vulnerabilities.size() == 1
+
+    when: 'second time the a vulnerability is reported'
+    reporter.report(span, vulnerability)
+
+    then:
+    batch.vulnerabilities.size() == 2
+  }
+
   private AgentSpan spanWithBatch(final VulnerabilityBatch batch) {
     final traceSegment = Mock(TraceSegment) {
       getDataTop('iast') >> batch

diff --git a/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/ApplicationModuleTest.groovy b/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/ApplicationModuleTest.groovy
@@ -84,6 +84,7 @@ class ApplicationModuleTest extends IastModuleImplTestBase {
     } else {
       0 * reporter.report(_, _)
     }
+    0 * reporter.report(_, _)
 
     where:
     sessionTrackingModes        | expected