
Add detection of untrusted deserialization in snakeyaml library #7406

Merged: 18 commits merged into master from mario.vidal/untrusted_deserialization_snakeyaml on Aug 23, 2024

Conversation

Mariovido (Contributor) commented Aug 9, 2024

What Does This Do

Adds instrumentation for snakeyaml library versions prior to 2.0

Motivation

Detect untrusted deserialization vulnerability for the load method in the Yaml class of the snakeyaml library

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-54452
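The call this PR instruments, shown as an added example that is not part of dd-trace-java or of this PR: the `Yaml.load` use on untrusted input that the new IAST rule reports, next to the hardened `SafeConstructor` form an application should use instead. It assumes snakeyaml 1.x (the pre-2.0 range the PR targets) on the classpath; the `ServiceConfig` bean, the method names and the sample YAML documents are constructed for the demonstration and are not taken from the project.

```java
// Added example, not code from dd-trace-java. Assumes org.yaml:snakeyaml 1.x on the classpath.
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SnakeYamlLoadDemo {

    /** Constructed JavaBean: shows that the default constructor resolves a global "!!" tag to a class. */
    public static class ServiceConfig {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Pattern the PR's instrumentation flags: snakeyaml < 2.0 builds a Yaml with the default
     * Constructor, which honours global "!!" tags, so the document (not the application) decides
     * which class gets instantiated. When the argument is tainted, IAST reports this call.
     */
    static Object loadUnsafe(String untrustedYaml) {
        return new Yaml().load(untrustedYaml);
    }

    /**
     * Hardened pattern: SafeConstructor only builds standard YAML types (maps, lists, scalars)
     * and throws on any global tag, so untrusted documents cannot select a class.
     */
    static Object loadSafe(String untrustedYaml) {
        return new Yaml(new SafeConstructor()).load(untrustedYaml);
    }

    /** True when the safe loader refuses the document; used to show the behavioural difference. */
    static boolean rejectedBySafeLoader(String yaml) {
        try {
            loadSafe(yaml);
            return false;
        } catch (YAMLException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: a document that names a class through a global tag.
        String taggedDoc = "!!" + ServiceConfig.class.getName() + " {name: example}";
        String plainDoc = "name: example";

        // Default constructor: the tag is honoured and a ServiceConfig is built.
        Object unsafe = loadUnsafe(taggedDoc);
        System.out.println("default Constructor built: " + unsafe.getClass().getName());

        // SafeConstructor: the same document is rejected with a ConstructorException.
        System.out.println("SafeConstructor rejects tagged document: " + rejectedBySafeLoader(taggedDoc));

        // SafeConstructor still handles ordinary data documents.
        Map<?, ?> safe = (Map<?, ?>) loadSafe(plainDoc);
        System.out.println("SafeConstructor built: " + safe);
    }
}
```

The two halves are different concerns: the instrumentation observes a tainted value reaching `Yaml.load`, while the application-side fix is the `SafeConstructor` form (or an upgrade to snakeyaml 2.0, whose default rejects global tags unless they are explicitly allowed).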

pr-commenter bot commented Aug 9, 2024

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | mario.vidal/untrusted_deserialization_snakeyaml |
| git_commit_date | 1724336653 | 1724404165 |
| git_commit_sha | f6c87de | c3f4563 |
| release_version | 1.39.0-SNAPSHOT~f6c87de39a | 1.39.0-SNAPSHOT~c3f4563aad |

Matching parameters:

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1724407180 | 1724407180 |
| ci_job_id | 614970745 | 614970745 |
| ci_pipeline_id | 42663182 | 42663182 |
| cpu_model | Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 46 metrics, 16 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:startup:insecure-bank:iast_HARDCODED_SECRET_DISABLED:AppSec | better: [-7.344ms; -1.890ms] or [-9.590%; -2.468%] | 71.962ms | 76.579ms |
Startup time reports for insecure-bank
```mermaid
gantt
    title insecure-bank - global startup overhead: candidate=1.39.0-SNAPSHOT~c3f4563aad, baseline=1.39.0-SNAPSHOT~f6c87de39a

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.547 s) : 0, 1546603
Total [baseline] (11.795 s) : 0, 11795459
Agent [candidate] (1.555 s) : 0, 1554748
Total [candidate] (11.846 s) : 0, 11845568
section iast
Agent [baseline] (1.72 s) : 0, 1719770
Total [baseline] (12.486 s) : 0, 12485635
Agent [candidate] (1.717 s) : 0, 1717142
Total [candidate] (12.54 s) : 0, 12539855
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.721 s) : 0, 1721499
Total [baseline] (12.498 s) : 0, 12498084
Agent [candidate] (1.715 s) : 0, 1714567
Total [candidate] (12.494 s) : 0, 12494059
section iast_TELEMETRY_OFF
Agent [baseline] (1.71 s) : 0, 1709579
Total [baseline] (12.469 s) : 0, 12469225
Agent [candidate] (1.71 s) : 0, 1709584
Total [candidate] (12.468 s) : 0, 12468115
```
Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.547 s | - |
| Agent | iast | 1.72 s | 173.167 ms (11.2%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.721 s | 174.897 ms (11.3%) |
| Agent | iast_TELEMETRY_OFF | 1.71 s | 162.976 ms (10.5%) |
| Total | tracing | 11.795 s | - |
| Total | iast | 12.486 s | 690.176 ms (5.9%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 12.498 s | 702.625 ms (6.0%) |
| Total | iast_TELEMETRY_OFF | 12.469 s | 673.766 ms (5.7%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.555 s | - |
| Agent | iast | 1.717 s | 162.394 ms (10.4%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.715 s | 159.819 ms (10.3%) |
| Agent | iast_TELEMETRY_OFF | 1.71 s | 154.836 ms (10.0%) |
| Total | tracing | 11.846 s | - |
| Total | iast | 12.54 s | 694.287 ms (5.9%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 12.494 s | 648.49 ms (5.5%) |
| Total | iast_TELEMETRY_OFF | 12.468 s | 622.547 ms (5.3%) |
```mermaid
gantt
    title insecure-bank - break down per module: candidate=1.39.0-SNAPSHOT~c3f4563aad, baseline=1.39.0-SNAPSHOT~f6c87de39a

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (990.935 ms) : 0, 990935
BytebuddyAgent [candidate] (995.997 ms) : 0, 995997
GlobalTracer [baseline] (452.768 ms) : 0, 452768
GlobalTracer [candidate] (455.051 ms) : 0, 455051
AppSec [baseline] (72.265 ms) : 0, 72265
AppSec [candidate] (72.779 ms) : 0, 72779
Remote Config [baseline] (825.855 µs) : 0, 826
Remote Config [candidate] (838.115 µs) : 0, 838
Telemetry [baseline] (9.802 ms) : 0, 9802
Telemetry [candidate] (9.868 ms) : 0, 9868
section iast
BytebuddyAgent [baseline] (1.15 s) : 0, 1149823
BytebuddyAgent [candidate] (1.149 s) : 0, 1149441
GlobalTracer [baseline] (435.593 ms) : 0, 435593
GlobalTracer [candidate] (434.975 ms) : 0, 434975
AppSec [baseline] (70.539 ms) : 0, 70539
AppSec [candidate] (70.945 ms) : 0, 70945
IAST [baseline] (31.04 ms) : 0, 31040
IAST [candidate] (30.903 ms) : 0, 30903
Remote Config [baseline] (762.931 µs) : 0, 763
Remote Config [candidate] (741.481 µs) : 0, 741
Telemetry [baseline] (11.922 ms) : 0, 11922
Telemetry [candidate] (10.004 ms) : 0, 10004
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (1.151 s) : 0, 1150651
BytebuddyAgent [candidate] (1.146 s) : 0, 1145811
GlobalTracer [baseline] (436.989 ms) : 0, 436989
GlobalTracer [candidate] (434.856 ms) : 0, 434856
AppSec [baseline] (76.579 ms) : 0, 76579
AppSec [candidate] (71.962 ms) : 0, 71962
IAST [baseline] (27.249 ms) : 0, 27249
IAST [candidate] (31.074 ms) : 0, 31074
Remote Config [baseline] (724.366 µs) : 0, 724
Remote Config [candidate] (723.365 µs) : 0, 723
Telemetry [baseline] (9.199 ms) : 0, 9199
Telemetry [candidate] (10.034 ms) : 0, 10034
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (1.143 s) : 0, 1142537
BytebuddyAgent [candidate] (1.142 s) : 0, 1142482
GlobalTracer [baseline] (433.881 ms) : 0, 433881
GlobalTracer [candidate] (434.617 ms) : 0, 434617
AppSec [baseline] (71.047 ms) : 0, 71047
AppSec [candidate] (72.484 ms) : 0, 72484
IAST [baseline] (30.314 ms) : 0, 30314
IAST [candidate] (30.119 ms) : 0, 30119
Remote Config [baseline] (818.866 µs) : 0, 819
Remote Config [candidate] (732.334 µs) : 0, 732
Telemetry [baseline] (10.945 ms) : 0, 10945
Telemetry [candidate] (9.041 ms) : 0, 9041
```
Startup time reports for petclinic
```mermaid
gantt
    title petclinic - global startup overhead: candidate=1.39.0-SNAPSHOT~c3f4563aad, baseline=1.39.0-SNAPSHOT~f6c87de39a

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.547 s) : 0, 1546881
Total [baseline] (14.201 s) : 0, 14200910
Agent [candidate] (1.552 s) : 0, 1551506
Total [candidate] (14.259 s) : 0, 14258684
section appsec
Agent [baseline] (1.736 s) : 0, 1735919
Total [baseline] (14.379 s) : 0, 14379402
Agent [candidate] (1.738 s) : 0, 1737773
Total [candidate] (14.478 s) : 0, 14478455
section iast
Agent [baseline] (1.722 s) : 0, 1722189
Total [baseline] (14.812 s) : 0, 14812473
Agent [candidate] (1.724 s) : 0, 1723940
Total [candidate] (14.883 s) : 0, 14883416
section profiling
Agent [baseline] (1.863 s) : 0, 1863172
Total [baseline] (14.55 s) : 0, 14549687
Agent [candidate] (1.862 s) : 0, 1861577
Total [candidate] (14.588 s) : 0, 14588275
```
Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.547 s | - |
| Agent | appsec | 1.736 s | 189.038 ms (12.2%) |
| Agent | iast | 1.722 s | 175.308 ms (11.3%) |
| Agent | profiling | 1.863 s | 316.291 ms (20.4%) |
| Total | tracing | 14.201 s | - |
| Total | appsec | 14.379 s | 178.492 ms (1.3%) |
| Total | iast | 14.812 s | 611.563 ms (4.3%) |
| Total | profiling | 14.55 s | 348.777 ms (2.5%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.552 s | - |
| Agent | appsec | 1.738 s | 186.267 ms (12.0%) |
| Agent | iast | 1.724 s | 172.434 ms (11.1%) |
| Agent | profiling | 1.862 s | 310.072 ms (20.0%) |
| Total | tracing | 14.259 s | - |
| Total | appsec | 14.478 s | 219.77 ms (1.5%) |
| Total | iast | 14.883 s | 624.731 ms (4.4%) |
| Total | profiling | 14.588 s | 329.59 ms (2.3%) |
```mermaid
gantt
    title petclinic - break down per module: candidate=1.39.0-SNAPSHOT~c3f4563aad, baseline=1.39.0-SNAPSHOT~f6c87de39a

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (990.964 ms) : 0, 990964
BytebuddyAgent [candidate] (994.004 ms) : 0, 994004
GlobalTracer [baseline] (452.909 ms) : 0, 452909
GlobalTracer [candidate] (454.521 ms) : 0, 454521
AppSec [baseline] (72.447 ms) : 0, 72447
AppSec [candidate] (72.25 ms) : 0, 72250
Remote Config [baseline] (817.564 µs) : 0, 818
Remote Config [candidate] (819.76 µs) : 0, 820
Telemetry [baseline] (9.759 ms) : 0, 9759
Telemetry [candidate] (9.802 ms) : 0, 9802
section appsec
BytebuddyAgent [baseline] (1.01 s) : 0, 1009929
BytebuddyAgent [candidate] (1.01 s) : 0, 1009539
GlobalTracer [baseline] (446.744 ms) : 0, 446744
GlobalTracer [candidate] (447.964 ms) : 0, 447964
AppSec [baseline] (235.504 ms) : 0, 235504
AppSec [candidate] (235.247 ms) : 0, 235247
Remote Config [baseline] (753.999 µs) : 0, 754
Remote Config [candidate] (758.729 µs) : 0, 759
Telemetry [baseline] (10.299 ms) : 0, 10299
Telemetry [candidate] (12.053 ms) : 0, 12053
IAST [baseline] (25.356 ms) : 0, 25356
IAST [candidate] (24.267 ms) : 0, 24267
section iast
BytebuddyAgent [baseline] (1.153 s) : 0, 1152545
BytebuddyAgent [candidate] (1.154 s) : 0, 1153719
GlobalTracer [baseline] (436.21 ms) : 0, 436210
GlobalTracer [candidate] (436.009 ms) : 0, 436009
AppSec [baseline] (71.332 ms) : 0, 71332
AppSec [candidate] (72.185 ms) : 0, 72185
Remote Config [baseline] (754.205 µs) : 0, 754
Remote Config [candidate] (758.284 µs) : 0, 758
Telemetry [baseline] (10.873 ms) : 0, 10873
Telemetry [candidate] (12.569 ms) : 0, 12569
IAST [baseline] (30.369 ms) : 0, 30369
IAST [candidate] (28.525 ms) : 0, 28525
section profiling
BytebuddyAgent [baseline] (988.816 ms) : 0, 988816
BytebuddyAgent [candidate] (986.382 ms) : 0, 986382
GlobalTracer [baseline] (584.966 ms) : 0, 584966
GlobalTracer [candidate] (583.984 ms) : 0, 583984
AppSec [baseline] (73.983 ms) : 0, 73983
AppSec [candidate] (73.519 ms) : 0, 73519
Remote Config [baseline] (881.037 µs) : 0, 881
Remote Config [candidate] (885.477 µs) : 0, 885
Telemetry [baseline] (9.452 ms) : 0, 9452
Telemetry [candidate] (9.434 ms) : 0, 9434
ProfilingAgent [baseline] (149.059 ms) : 0, 149059
ProfilingAgent [candidate] (151.445 ms) : 0, 151445
Profiling [baseline] (149.134 ms) : 0, 149134
Profiling [candidate] (151.517 ms) : 0, 151517
```

Load

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-08-23T09:22:05 | 2024-08-23T09:31:05 |
| git_branch | master | mario.vidal/untrusted_deserialization_snakeyaml |
| git_commit_date | 1724336653 | 1724404165 |
| git_commit_sha | f6c87de | c3f4563 |
| release_version | 1.39.0-SNAPSHOT~f6c87de39a | 1.39.0-SNAPSHOT~c3f4563aad |
| start_time | 2024-08-23T09:21:48 | 2024-08-23T09:30:48 |

Matching parameters:

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1724405920 | 1724405920 |
| ci_job_id | 614970748 | 614970748 |
| ci_pipeline_id | 42663182 | 42663182 |
| cpu_model | Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 6 metrics, 22 unstable metrics.

Request duration reports for insecure-bank
```mermaid
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.39.0-SNAPSHOT~c3f4563aad, baseline=1.39.0-SNAPSHOT~f6c87de39a
    dateFormat X
    axisFormat %s
section baseline
no_agent (445.531 µs) : 417, 474
.   : milestone, 446,
iast (582.934 µs) : 550, 616
.   : milestone, 583,
iast_FULL (678.412 µs) : 645, 711
.   : milestone, 678,
iast_GLOBAL (609.805 µs) : 577, 643
.   : milestone, 610,
iast_HARDCODED_SECRET_DISABLED (577.43 µs) : 545, 610
.   : milestone, 577,
iast_INACTIVE (544.488 µs) : 514, 575
.   : milestone, 544,
iast_TELEMETRY_OFF (575.897 µs) : 544, 608
.   : milestone, 576,
tracing (532.717 µs) : 503, 562
.   : milestone, 533,
section candidate
no_agent (442.329 µs) : 413, 471
.   : milestone, 442,
iast (591.803 µs) : 559, 625
.   : milestone, 592,
iast_FULL (680.171 µs) : 647, 713
.   : milestone, 680,
iast_GLOBAL (621.342 µs) : 588, 655
.   : milestone, 621,
iast_HARDCODED_SECRET_DISABLED (590.128 µs) : 556, 624
.   : milestone, 590,
iast_INACTIVE (539.959 µs) : 510, 570
.   : milestone, 540,
iast_TELEMETRY_OFF (571.719 µs) : 539, 605
.   : milestone, 572,
tracing (534.208 µs) : 504, 564
.   : milestone, 534,
```
Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 445.531 µs [416.871 µs, 474.191 µs] | - |
| iast | 582.934 µs [549.798 µs, 616.071 µs] | 137.403 µs (30.8%) |
| iast_FULL | 678.412 µs [645.345 µs, 711.479 µs] | 232.881 µs (52.3%) |
| iast_GLOBAL | 609.805 µs [576.794 µs, 642.816 µs] | 164.274 µs (36.9%) |
| iast_HARDCODED_SECRET_DISABLED | 577.43 µs [545.05 µs, 609.811 µs] | 131.899 µs (29.6%) |
| iast_INACTIVE | 544.488 µs [514.233 µs, 574.742 µs] | 98.957 µs (22.2%) |
| iast_TELEMETRY_OFF | 575.897 µs [543.818 µs, 607.977 µs] | 130.366 µs (29.3%) |
| tracing | 532.717 µs [502.979 µs, 562.455 µs] | 87.186 µs (19.6%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 442.329 µs [413.497 µs, 471.161 µs] | - |
| iast | 591.803 µs [558.613 µs, 624.993 µs] | 149.474 µs (33.8%) |
| iast_FULL | 680.171 µs [646.991 µs, 713.351 µs] | 237.842 µs (53.8%) |
| iast_GLOBAL | 621.342 µs [588.051 µs, 654.632 µs] | 179.013 µs (40.5%) |
| iast_HARDCODED_SECRET_DISABLED | 590.128 µs [555.997 µs, 624.26 µs] | 147.799 µs (33.4%) |
| iast_INACTIVE | 539.959 µs [509.656 µs, 570.263 µs] | 97.63 µs (22.1%) |
| iast_TELEMETRY_OFF | 571.719 µs [538.853 µs, 604.585 µs] | 129.39 µs (29.3%) |
| tracing | 534.208 µs [504.027 µs, 564.39 µs] | 91.879 µs (20.8%) |
Request duration reports for petclinic
```mermaid
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.39.0-SNAPSHOT~c3f4563aad, baseline=1.39.0-SNAPSHOT~f6c87de39a
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.695 ms) : 1670, 1720
.   : milestone, 1695,
appsec (2.18 ms) : 2149, 2211
.   : milestone, 2180,
appsec_no_iast (2.189 ms) : 2156, 2222
.   : milestone, 2189,
iast (1.873 ms) : 1843, 1903
.   : milestone, 1873,
profiling (1.95 ms) : 1913, 1987
.   : milestone, 1950,
tracing (1.866 ms) : 1834, 1897
.   : milestone, 1866,
section candidate
no_agent (1.689 ms) : 1663, 1714
.   : milestone, 1689,
appsec (2.198 ms) : 2166, 2229
.   : milestone, 2198,
appsec_no_iast (2.198 ms) : 2166, 2230
.   : milestone, 2198,
iast (1.86 ms) : 1830, 1889
.   : milestone, 1860,
profiling (1.946 ms) : 1909, 1982
.   : milestone, 1946,
tracing (1.835 ms) : 1802, 1867
.   : milestone, 1835,
```
Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.695 ms [1.67 ms, 1.72 ms] | - |
| appsec | 2.18 ms [2.149 ms, 2.211 ms] | 484.952 µs (28.6%) |
| appsec_no_iast | 2.189 ms [2.156 ms, 2.222 ms] | 494.035 µs (29.1%) |
| iast | 1.873 ms [1.843 ms, 1.903 ms] | 177.592 µs (10.5%) |
| profiling | 1.95 ms [1.913 ms, 1.987 ms] | 255.204 µs (15.1%) |
| tracing | 1.866 ms [1.834 ms, 1.897 ms] | 170.752 µs (10.1%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.689 ms [1.663 ms, 1.714 ms] | - |
| appsec | 2.198 ms [2.166 ms, 2.229 ms] | 509.164 µs (30.2%) |
| appsec_no_iast | 2.198 ms [2.166 ms, 2.23 ms] | 509.186 µs (30.2%) |
| iast | 1.86 ms [1.83 ms, 1.889 ms] | 171.077 µs (10.1%) |
| profiling | 1.946 ms [1.909 ms, 1.982 ms] | 257.046 µs (15.2%) |
| tracing | 1.835 ms [1.802 ms, 1.867 ms] | 145.961 µs (8.6%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | mario.vidal/untrusted_deserialization_snakeyaml |
| git_commit_date | 1724336653 | 1724404165 |
| git_commit_sha | f6c87de | c3f4563 |
| release_version | 1.39.0-SNAPSHOT~f6c87de39a | 1.39.0-SNAPSHOT~c3f4563aad |

Matching parameters:

| Parameter | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1724406770 | 1724406770 |
| ci_job_id | 614970749 | 614970749 |
| ci_pipeline_id | 42663182 | 42663182 |
| cpu_model | Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
```mermaid
gantt
    title biojava - execution time [CI 0.99] : candidate=1.39.0-SNAPSHOT~c3f4563aad, baseline=1.39.0-SNAPSHOT~f6c87de39a
    dateFormat X
    axisFormat %s
section baseline
no_agent (20.553 s) : 20553000, 20553000
.   : milestone, 20553000,
appsec (21.507 s) : 21507000, 21507000
.   : milestone, 21507000,
iast (24.724 s) : 24724000, 24724000
.   : milestone, 24724000,
iast_GLOBAL (24.943 s) : 24943000, 24943000
.   : milestone, 24943000,
profiling (22.015 s) : 22015000, 22015000
.   : milestone, 22015000,
tracing (21.867 s) : 21867000, 21867000
.   : milestone, 21867000,
section candidate
no_agent (20.605 s) : 20605000, 20605000
.   : milestone, 20605000,
appsec (21.546 s) : 21546000, 21546000
.   : milestone, 21546000,
iast (23.945 s) : 23945000, 23945000
.   : milestone, 23945000,
iast_GLOBAL (24.962 s) : 24962000, 24962000
.   : milestone, 24962000,
profiling (21.095 s) : 21095000, 21095000
.   : milestone, 21095000,
tracing (21.54 s) : 21540000, 21540000
.   : milestone, 21540000,
```
Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 20.553 s [20.553 s, 20.553 s] | - |
| appsec | 21.507 s [21.507 s, 21.507 s] | 954.0 ms (4.6%) |
| iast | 24.724 s [24.724 s, 24.724 s] | 4.171 s (20.3%) |
| iast_GLOBAL | 24.943 s [24.943 s, 24.943 s] | 4.39 s (21.4%) |
| profiling | 22.015 s [22.015 s, 22.015 s] | 1.462 s (7.1%) |
| tracing | 21.867 s [21.867 s, 21.867 s] | 1.314 s (6.4%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 20.605 s [20.605 s, 20.605 s] | - |
| appsec | 21.546 s [21.546 s, 21.546 s] | 941.0 ms (4.6%) |
| iast | 23.945 s [23.945 s, 23.945 s] | 3.34 s (16.2%) |
| iast_GLOBAL | 24.962 s [24.962 s, 24.962 s] | 4.357 s (21.1%) |
| profiling | 21.095 s [21.095 s, 21.095 s] | 490.0 ms (2.4%) |
| tracing | 21.54 s [21.54 s, 21.54 s] | 935.0 ms (4.5%) |
Execution time for tomcat
```mermaid
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.39.0-SNAPSHOT~c3f4563aad, baseline=1.39.0-SNAPSHOT~f6c87de39a
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.541 ms) : 1529, 1554
.   : milestone, 1541,
appsec (2.726 ms) : 2663, 2788
.   : milestone, 2726,
iast (2.35 ms) : 2277, 2422
.   : milestone, 2350,
iast_GLOBAL (2.431 ms) : 2355, 2507
.   : milestone, 2431,
profiling (2.223 ms) : 2160, 2287
.   : milestone, 2223,
tracing (2.178 ms) : 2120, 2237
.   : milestone, 2178,
section candidate
no_agent (1.543 ms) : 1531, 1556
.   : milestone, 1543,
appsec (2.72 ms) : 2657, 2783
.   : milestone, 2720,
iast (2.386 ms) : 2310, 2461
.   : milestone, 2386,
iast_GLOBAL (2.412 ms) : 2337, 2486
.   : milestone, 2412,
profiling (2.209 ms) : 2148, 2270
.   : milestone, 2209,
tracing (2.181 ms) : 2122, 2240
.   : milestone, 2181,
```
Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.541 ms [1.529 ms, 1.554 ms] | - |
| appsec | 2.726 ms [2.663 ms, 2.788 ms] | 1.184 ms (76.8%) |
| iast | 2.35 ms [2.277 ms, 2.422 ms] | 808.293 µs (52.4%) |
| iast_GLOBAL | 2.431 ms [2.355 ms, 2.507 ms] | 889.192 µs (57.7%) |
| profiling | 2.223 ms [2.16 ms, 2.287 ms] | 681.954 µs (44.2%) |
| tracing | 2.178 ms [2.12 ms, 2.237 ms] | 636.876 µs (41.3%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.543 ms [1.531 ms, 1.556 ms] | - |
| appsec | 2.72 ms [2.657 ms, 2.783 ms] | 1.177 ms (76.2%) |
| iast | 2.386 ms [2.31 ms, 2.461 ms] | 842.217 µs (54.6%) |
| iast_GLOBAL | 2.412 ms [2.337 ms, 2.486 ms] | 868.262 µs (56.3%) |
| profiling | 2.209 ms [2.148 ms, 2.27 ms] | 665.615 µs (43.1%) |
| tracing | 2.181 ms [2.122 ms, 2.24 ms] | 637.253 µs (41.3%) |

@Mariovido Mariovido marked this pull request as ready for review August 9, 2024 13:43
@Mariovido Mariovido requested review from a team as code owners August 9, 2024 13:43
@Mariovido Mariovido added the comp: asm iast Application Security Management (IAST) label Aug 9, 2024
@Mariovido Mariovido added this to the 1.39.0 milestone Aug 9, 2024
@Mariovido Mariovido changed the title Add instrumentation for snakeyaml Add detection of untrusted deserialization in snakeyaml library Aug 9, 2024
jandro996 (Member) left a comment


IMHO we can improve it a little bit by removing some complexity, like the multiple Module methods.

Review comment on these lines of the test:

```groovy
    injectSysConfig('dd.iast.enabled', 'true')
  }

  void 'test snakeyaml load with an input stream'() {
```
jandro996 (Member):

We can simplify this test using one method with a where condition. For instance:

```groovy
  void 'test snakeyaml load method'() {
    given:
    // mock module registered with the bridge so the instrumentation reports to it
    final module = Mock(UntrustedDeserializationModule)
    InstrumentationBridge.registerIastModule(module)

    when:
    new Yaml().load(obj)

    then:
    // one onObject call per load, whatever the input type
    1 * module.onObject(_)

    where:
    obj                                         | _
    new ByteArrayInputStream("test".getBytes()) | _
    new StringReader("test")                    | _
    "test"                                      | _
  }
```

Mariovido (Contributor, Author):

In this case I don't think it would be possible, as the load method only accepts specific types, which are InputStream, Reader or String. I cannot pass it the Object type. One option is to do a cast before making the call, but IMHO I think it is better to leave it as it is and not try to simplify it, as it will make the test hard to follow.

@@ -14,10 +13,10 @@ public UntrustedDeserializationModuleImpl(final Dependencies dependencies) {
}

@Override
public void onInputStream(@Nullable InputStream is) {
if (is == null) {
public void onObject(@Nullable Object object) {
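Review bot: the signature changes from `onInputStream(@Nullable InputStream is)` to `onObject(@Nullable Object object)`, but the guard line shown in this hunk still reads `if (is == null) {`; make sure the null check is updated to the new parameter name (`if (object == null) {`) and that every instrumentation that called `onInputStream` now targets `onObject`, otherwise the rename either fails to compile or leaves callers reporting through a method that no longer exists. Since this widens the `UntrustedDeserializationModule` API beyond the snakeyaml case, it is a cross-cutting interface change that is easier to review and revert on its own, which is the point of the request for a separate PR below.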
jandro996 (Member):

Would you mind creating a separate PR with just this change?

Mariovido (Contributor, Author):

FYI the PR where the change will be made is #7484

After merging it I'll rebase this branch with master

@Mariovido Mariovido merged commit 0720a77 into master Aug 23, 2024
85 checks passed
@Mariovido Mariovido deleted the mario.vidal/untrusted_deserialization_snakeyaml branch August 23, 2024 12:01
Labels: comp: asm iast Application Security Management (IAST)
3 participants