Expand SSRF support in IAST to apache-httpclient-5 and apache-httpasyncclient-4 #7920

Merged
merged 17 commits into from
Dec 9, 2024


@Mariovido Mariovido commented Nov 8, 2024

What Does This Do

Add support for the apache-httpclient-5 and apache-httpasyncclient-4 client libraries to detect SSRF. This is done by detecting the vulnerability using the HttpClientDecorator.

The new HttpClient (apache-httpclient-5) methods that will be supported are:

  • execute(ClassicHttpRequest)
  • execute(ClassicHttpRequest, HttpClientResponseHandler<? extends T>)
  • execute(ClassicHttpRequest, HttpContext)
  • execute(ClassicHttpRequest, HttpContext, HttpClientResponseHandler<? extends T>)
  • execute(HttpHost, ClassicHttpRequest)
  • execute(HttpHost, ClassicHttpRequest, HttpClientResponseHandler<? extends T>)
  • execute(HttpHost, ClassicHttpRequest, HttpContext)
  • execute(HttpHost, ClassicHttpRequest, HttpContext, HttpClientResponseHandler<? extends T>)

The new HttpAsyncClient (apache-httpasyncclient-4) methods that will be supported are:

  • execute(HttpAsyncRequestProducer, HttpAsyncResponseConsumer<T>, FutureCallback<T>)
  • execute(HttpAsyncRequestProducer, HttpAsyncResponseConsumer<T>, HttpContext, FutureCallback<T>)
  • execute(HttpHost, HttpRequest)
  • execute(HttpHost, HttpRequest, HttpContext, FutureCallback<HttpResponse>)
  • execute(HttpUriRequest, FutureCallback<HttpResponse>)
  • execute(HttpUriRequest, HttpContext, FutureCallback<HttpResponse>)

Motivation

With this change we want to expand the support for SSRF in the different clients supported by the HttpClientDecorator.

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-55635
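
An added example, not code from this PR or from dd-trace-java: the kind of data flow that SSRF detection on `execute(ClassicHttpRequest, HttpClientResponseHandler<? extends T>)` is meant to surface, next to a hardened form of the same call. The class name, the allowlisted host and the sample URLs are assumptions made for the illustration.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.core5.http.io.entity.EntityUtils;

// Hypothetical class, written for this example only.
public class SsrfSinkExample {

  // Assumption: the only upstream host this service is expected to call.
  private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com");

  // Before: a caller-supplied string becomes the request target unchanged.
  // If userUrl comes from an HTTP parameter, this execute(...) call is the
  // SSRF sink: the caller decides which host the server connects to.
  static String fetchUnchecked(CloseableHttpClient client, String userUrl)
      throws IOException {
    HttpGet request = new HttpGet(userUrl);
    return client.execute(
        request, response -> EntityUtils.toString(response.getEntity()));
  }

  // After: the URL is parsed and checked against fixed expectations before
  // any request object is built.
  static URI validate(String userUrl) {
    final URI uri;
    try {
      uri = new URI(userUrl);
    } catch (URISyntaxException e) {
      throw new IllegalArgumentException("malformed URL", e);
    }
    if (!"https".equalsIgnoreCase(uri.getScheme())) {
      throw new IllegalArgumentException("scheme must be https");
    }
    if (uri.getUserInfo() != null) {
      throw new IllegalArgumentException("user info is not allowed");
    }
    String host = uri.getHost();
    if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
      throw new IllegalArgumentException("host is not on the allowlist");
    }
    int port = uri.getPort();
    if (port != -1 && port != 443) {
      throw new IllegalArgumentException("unexpected port");
    }
    return uri;
  }

  static String fetchChecked(CloseableHttpClient client, String userUrl)
      throws IOException {
    HttpGet request = new HttpGet(validate(userUrl));
    return client.execute(
        request, response -> EntityUtils.toString(response.getEntity()));
  }

  // Exercises only the validation step, so it runs without network access.
  public static void main(String[] args) {
    // Constructed sample inputs, not taken from the PR.
    String[] candidates = {
      "https://api.example.com/v1/status",
      "http://api.example.com/v1/status",
      "https://internal.example.net/health",
      "https://api.example.com:8443/v1/status"
    };
    for (String candidate : candidates) {
      try {
        System.out.println("accepted: " + validate(candidate));
      } catch (IllegalArgumentException e) {
        System.out.println("rejected: " + candidate + " (" + e.getMessage() + ")");
      }
    }
  }
}
```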

pr-commenter bot commented Nov 8, 2024

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master mario.vidal/expand_support_ssrf_apache
git_commit_date 1733731349 1733737481
git_commit_sha 4df0a01 d7ed872
release_version 1.44.0-SNAPSHOT~4df0a01668 1.44.0-SNAPSHOT~d7ed872055
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1733739974 1733739974
ci_job_id 730439927 730439927
ci_pipeline_id 50539262 50539262
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module Agent Agent
parent None None
variant iast iast

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 53 metrics, 9 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:startup:petclinic:tracing:Remote Config | better [-45.885µs; -14.856µs] or [-6.553%; -2.122%] | 669.804µs | 700.174µs |
Startup time reports for petclinic
gantt
    title petclinic - global startup overhead: candidate=1.44.0-SNAPSHOT~d7ed872055, baseline=1.44.0-SNAPSHOT~4df0a01668

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.103 s) : 0, 1102955
Total [baseline] (10.465 s) : 0, 10465147
Agent [candidate] (1.099 s) : 0, 1099172
Total [candidate] (10.463 s) : 0, 10463228
section appsec
Agent [baseline] (1.227 s) : 0, 1227400
Total [baseline] (10.733 s) : 0, 10733292
Agent [candidate] (1.227 s) : 0, 1227217
Total [candidate] (10.764 s) : 0, 10763823
section iast
Agent [baseline] (1.227 s) : 0, 1227176
Total [baseline] (11.022 s) : 0, 11021666
Agent [candidate] (1.219 s) : 0, 1219083
Total [candidate] (10.908 s) : 0, 10907674
section profiling
Agent [baseline] (1.32 s) : 0, 1319749
Total [baseline] (10.805 s) : 0, 10804539
Agent [candidate] (1.321 s) : 0, 1321359
Total [candidate] (10.807 s) : 0, 10806773
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.103 s -
Agent appsec 1.227 s 124.445 ms (11.3%)
Agent iast 1.227 s 124.222 ms (11.3%)
Agent profiling 1.32 s 216.795 ms (19.7%)
Total tracing 10.465 s -
Total appsec 10.733 s 268.145 ms (2.6%)
Total iast 11.022 s 556.519 ms (5.3%)
Total profiling 10.805 s 339.392 ms (3.2%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.099 s -
Agent appsec 1.227 s 128.045 ms (11.6%)
Agent iast 1.219 s 119.91 ms (10.9%)
Agent profiling 1.321 s 222.187 ms (20.2%)
Total tracing 10.463 s -
Total appsec 10.764 s 300.596 ms (2.9%)
Total iast 10.908 s 444.446 ms (4.2%)
Total profiling 10.807 s 343.545 ms (3.3%)
gantt
    title petclinic - break down per module: candidate=1.44.0-SNAPSHOT~d7ed872055, baseline=1.44.0-SNAPSHOT~4df0a01668

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (699.602 ms) : 0, 699602
BytebuddyAgent [candidate] (700.13 ms) : 0, 700130
GlobalTracer [baseline] (322.045 ms) : 0, 322045
GlobalTracer [candidate] (319.236 ms) : 0, 319236
AppSec [baseline] (55.268 ms) : 0, 55268
AppSec [candidate] (54.699 ms) : 0, 54699
Remote Config [baseline] (700.174 µs) : 0, 700
Remote Config [candidate] (669.804 µs) : 0, 670
Telemetry [baseline] (11.426 ms) : 0, 11426
Telemetry [candidate] (10.577 ms) : 0, 10577
section appsec
BytebuddyAgent [baseline] (713.662 ms) : 0, 713662
BytebuddyAgent [candidate] (712.738 ms) : 0, 712738
GlobalTracer [baseline] (315.049 ms) : 0, 315049
GlobalTracer [candidate] (315.411 ms) : 0, 315411
AppSec [baseline] (167.052 ms) : 0, 167052
AppSec [candidate] (167.023 ms) : 0, 167023
Remote Config [baseline] (638.473 µs) : 0, 638
Remote Config [candidate] (665.26 µs) : 0, 665
Telemetry [baseline] (7.803 ms) : 0, 7803
Telemetry [candidate] (7.734 ms) : 0, 7734
IAST [baseline] (18.835 ms) : 0, 18835
IAST [candidate] (19.76 ms) : 0, 19760
section iast
BytebuddyAgent [baseline] (818.003 ms) : 0, 818003
BytebuddyAgent [candidate] (811.761 ms) : 0, 811761
GlobalTracer [baseline] (307.72 ms) : 0, 307720
GlobalTracer [candidate] (306.404 ms) : 0, 306404
AppSec [baseline] (57.313 ms) : 0, 57313
AppSec [candidate] (58.1 ms) : 0, 58100
Remote Config [baseline] (639.322 µs) : 0, 639
Remote Config [candidate] (638.004 µs) : 0, 638
Telemetry [baseline] (7.572 ms) : 0, 7572
Telemetry [candidate] (7.52 ms) : 0, 7520
IAST [baseline] (22.064 ms) : 0, 22064
IAST [candidate] (20.909 ms) : 0, 20909
section profiling
ProfilingAgent [baseline] (94.364 ms) : 0, 94364
ProfilingAgent [candidate] (93.469 ms) : 0, 93469
BytebuddyAgent [baseline] (689.59 ms) : 0, 689590
BytebuddyAgent [candidate] (693.109 ms) : 0, 693109
GlobalTracer [baseline] (434.365 ms) : 0, 434365
GlobalTracer [candidate] (433.47 ms) : 0, 433470
AppSec [baseline] (53.899 ms) : 0, 53899
AppSec [candidate] (53.599 ms) : 0, 53599
Remote Config [baseline] (710.647 µs) : 0, 711
Remote Config [candidate] (677.56 µs) : 0, 678
Telemetry [baseline] (7.699 ms) : 0, 7699
Telemetry [candidate] (7.608 ms) : 0, 7608
Profiling [baseline] (94.388 ms) : 0, 94388
Profiling [candidate] (93.493 ms) : 0, 93493
Startup time reports for insecure-bank
gantt
    title insecure-bank - global startup overhead: candidate=1.44.0-SNAPSHOT~d7ed872055, baseline=1.44.0-SNAPSHOT~4df0a01668

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.106 s) : 0, 1105959
Total [baseline] (8.691 s) : 0, 8690730
Agent [candidate] (1.093 s) : 0, 1092575
Total [candidate] (8.709 s) : 0, 8709201
section iast
Agent [baseline] (1.223 s) : 0, 1222830
Total [baseline] (9.241 s) : 0, 9241438
Agent [candidate] (1.22 s) : 0, 1220245
Total [candidate] (9.233 s) : 0, 9232677
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.218 s) : 0, 1218492
Total [baseline] (9.188 s) : 0, 9188317
Agent [candidate] (1.232 s) : 0, 1231870
Total [candidate] (9.206 s) : 0, 9206404
section iast_TELEMETRY_OFF
Agent [baseline] (1.221 s) : 0, 1220712
Total [baseline] (9.183 s) : 0, 9182964
Agent [candidate] (1.218 s) : 0, 1218158
Total [candidate] (9.235 s) : 0, 9235291
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.106 s -
Agent iast 1.223 s 116.87 ms (10.6%)
Agent iast_HARDCODED_SECRET_DISABLED 1.218 s 112.532 ms (10.2%)
Agent iast_TELEMETRY_OFF 1.221 s 114.753 ms (10.4%)
Total tracing 8.691 s -
Total iast 9.241 s 550.708 ms (6.3%)
Total iast_HARDCODED_SECRET_DISABLED 9.188 s 497.587 ms (5.7%)
Total iast_TELEMETRY_OFF 9.183 s 492.234 ms (5.7%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.093 s -
Agent iast 1.22 s 127.67 ms (11.7%)
Agent iast_HARDCODED_SECRET_DISABLED 1.232 s 139.295 ms (12.7%)
Agent iast_TELEMETRY_OFF 1.218 s 125.583 ms (11.5%)
Total tracing 8.709 s -
Total iast 9.233 s 523.476 ms (6.0%)
Total iast_HARDCODED_SECRET_DISABLED 9.206 s 497.203 ms (5.7%)
Total iast_TELEMETRY_OFF 9.235 s 526.09 ms (6.0%)
gantt
    title insecure-bank - break down per module: candidate=1.44.0-SNAPSHOT~d7ed872055, baseline=1.44.0-SNAPSHOT~4df0a01668

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (704.996 ms) : 0, 704996
BytebuddyAgent [candidate] (695.444 ms) : 0, 695444
GlobalTracer [baseline] (321.064 ms) : 0, 321064
GlobalTracer [candidate] (318.198 ms) : 0, 318198
AppSec [baseline] (54.711 ms) : 0, 54711
AppSec [candidate] (54.632 ms) : 0, 54632
Remote Config [baseline] (703.726 µs) : 0, 704
Remote Config [candidate] (682.811 µs) : 0, 683
Telemetry [baseline] (10.52 ms) : 0, 10520
Telemetry [candidate] (9.833 ms) : 0, 9833
section iast
BytebuddyAgent [baseline] (813.848 ms) : 0, 813848
BytebuddyAgent [candidate] (811.594 ms) : 0, 811594
GlobalTracer [baseline] (307.824 ms) : 0, 307824
GlobalTracer [candidate] (307.66 ms) : 0, 307660
AppSec [baseline] (57.465 ms) : 0, 57465
AppSec [candidate] (57.206 ms) : 0, 57206
Remote Config [baseline] (627.321 µs) : 0, 627
Remote Config [candidate] (638.264 µs) : 0, 638
Telemetry [baseline] (7.533 ms) : 0, 7533
Telemetry [candidate] (7.548 ms) : 0, 7548
IAST [baseline] (21.796 ms) : 0, 21796
IAST [candidate] (21.8 ms) : 0, 21800
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (812.009 ms) : 0, 812009
BytebuddyAgent [candidate] (822.257 ms) : 0, 822257
GlobalTracer [baseline] (305.357 ms) : 0, 305357
GlobalTracer [candidate] (308.048 ms) : 0, 308048
AppSec [baseline] (57.26 ms) : 0, 57260
AppSec [candidate] (57.311 ms) : 0, 57311
Remote Config [baseline] (685.618 µs) : 0, 686
Remote Config [candidate] (648.599 µs) : 0, 649
Telemetry [baseline] (7.568 ms) : 0, 7568
Telemetry [candidate] (7.612 ms) : 0, 7612
IAST [baseline] (21.878 ms) : 0, 21878
IAST [candidate] (22.019 ms) : 0, 22019
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (814.131 ms) : 0, 814131
BytebuddyAgent [candidate] (810.293 ms) : 0, 810293
GlobalTracer [baseline] (306.181 ms) : 0, 306181
GlobalTracer [candidate] (306.692 ms) : 0, 306692
AppSec [baseline] (57.791 ms) : 0, 57791
AppSec [candidate] (58.789 ms) : 0, 58789
Remote Config [baseline] (641.387 µs) : 0, 641
Remote Config [candidate] (623.073 µs) : 0, 623
Telemetry [baseline] (7.519 ms) : 0, 7519
Telemetry [candidate] (7.461 ms) : 0, 7461
IAST [baseline] (20.579 ms) : 0, 20579
IAST [candidate] (20.476 ms) : 0, 20476

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2024-12-09T09:56:17 2024-12-09T10:03:14
git_branch master mario.vidal/expand_support_ssrf_apache
git_commit_date 1733731349 1733737481
git_commit_sha 4df0a01 d7ed872
release_version 1.44.0-SNAPSHOT~4df0a01668 1.44.0-SNAPSHOT~d7ed872055
start_time 2024-12-09T09:56:03 2024-12-09T10:03:00
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1733738946 1733738946
ci_job_id 730439928 730439928
ci_pipeline_id 50539262 50539262
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics.

Request duration reports for insecure-bank
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.44.0-SNAPSHOT~d7ed872055, baseline=1.44.0-SNAPSHOT~4df0a01668
    dateFormat X
    axisFormat %s
section baseline
no_agent (377.969 µs) : 357, 399
.   : milestone, 378,
iast (498.021 µs) : 476, 520
.   : milestone, 498,
iast_FULL (650.508 µs) : 629, 672
.   : milestone, 651,
iast_GLOBAL (520.619 µs) : 499, 542
.   : milestone, 521,
iast_HARDCODED_SECRET_DISABLED (487.286 µs) : 466, 508
.   : milestone, 487,
iast_INACTIVE (453.632 µs) : 433, 475
.   : milestone, 454,
iast_TELEMETRY_OFF (484.523 µs) : 463, 506
.   : milestone, 485,
tracing (439.782 µs) : 419, 460
.   : milestone, 440,
section candidate
no_agent (374.614 µs) : 355, 394
.   : milestone, 375,
iast (495.338 µs) : 473, 518
.   : milestone, 495,
iast_FULL (650.621 µs) : 629, 672
.   : milestone, 651,
iast_GLOBAL (518.066 µs) : 496, 540
.   : milestone, 518,
iast_HARDCODED_SECRET_DISABLED (487.847 µs) : 467, 509
.   : milestone, 488,
iast_INACTIVE (450.834 µs) : 430, 472
.   : milestone, 451,
iast_TELEMETRY_OFF (480.786 µs) : 459, 502
.   : milestone, 481,
tracing (447.465 µs) : 427, 468
.   : milestone, 447,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 377.969 µs [356.899 µs, 399.039 µs] -
iast 498.021 µs [475.917 µs, 520.126 µs] 120.052 µs (31.8%)
iast_FULL 650.508 µs [628.911 µs, 672.106 µs] 272.539 µs (72.1%)
iast_GLOBAL 520.619 µs [498.885 µs, 542.352 µs] 142.649 µs (37.7%)
iast_HARDCODED_SECRET_DISABLED 487.286 µs [466.235 µs, 508.337 µs] 109.317 µs (28.9%)
iast_INACTIVE 453.632 µs [432.612 µs, 474.653 µs] 75.663 µs (20.0%)
iast_TELEMETRY_OFF 484.523 µs [462.865 µs, 506.18 µs] 106.554 µs (28.2%)
tracing 439.782 µs [419.279 µs, 460.285 µs] 61.813 µs (16.4%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 374.614 µs [355.057 µs, 394.171 µs] -
iast 495.338 µs [473.093 µs, 517.583 µs] 120.724 µs (32.2%)
iast_FULL 650.621 µs [629.238 µs, 672.004 µs] 276.007 µs (73.7%)
iast_GLOBAL 518.066 µs [496.476 µs, 539.657 µs] 143.452 µs (38.3%)
iast_HARDCODED_SECRET_DISABLED 487.847 µs [466.685 µs, 509.01 µs] 113.233 µs (30.2%)
iast_INACTIVE 450.834 µs [429.832 µs, 471.837 µs] 76.22 µs (20.3%)
iast_TELEMETRY_OFF 480.786 µs [459.23 µs, 502.342 µs] 106.172 µs (28.3%)
tracing 447.465 µs [426.659 µs, 468.271 µs] 72.851 µs (19.4%)
Request duration reports for petclinic
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.44.0-SNAPSHOT~d7ed872055, baseline=1.44.0-SNAPSHOT~4df0a01668
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.338 ms) : 1319, 1357
.   : milestone, 1338,
appsec (1.741 ms) : 1716, 1766
.   : milestone, 1741,
appsec_no_iast (1.762 ms) : 1738, 1785
.   : milestone, 1762,
iast (1.497 ms) : 1474, 1520
.   : milestone, 1497,
profiling (1.5 ms) : 1476, 1524
.   : milestone, 1500,
tracing (1.5 ms) : 1474, 1525
.   : milestone, 1500,
section candidate
no_agent (1.352 ms) : 1332, 1371
.   : milestone, 1352,
appsec (1.738 ms) : 1714, 1762
.   : milestone, 1738,
appsec_no_iast (1.759 ms) : 1734, 1784
.   : milestone, 1759,
iast (1.497 ms) : 1474, 1520
.   : milestone, 1497,
profiling (1.516 ms) : 1493, 1539
.   : milestone, 1516,
tracing (1.48 ms) : 1456, 1505
.   : milestone, 1480,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.338 ms [1.319 ms, 1.357 ms] -
appsec 1.741 ms [1.716 ms, 1.766 ms] 402.726 µs (30.1%)
appsec_no_iast 1.762 ms [1.738 ms, 1.785 ms] 423.611 µs (31.7%)
iast 1.497 ms [1.474 ms, 1.52 ms] 159.252 µs (11.9%)
profiling 1.5 ms [1.476 ms, 1.524 ms] 162.119 µs (12.1%)
tracing 1.5 ms [1.474 ms, 1.525 ms] 161.502 µs (12.1%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.352 ms [1.332 ms, 1.371 ms] -
appsec 1.738 ms [1.714 ms, 1.762 ms] 386.322 µs (28.6%)
appsec_no_iast 1.759 ms [1.734 ms, 1.784 ms] 407.653 µs (30.2%)
iast 1.497 ms [1.474 ms, 1.52 ms] 145.379 µs (10.8%)
profiling 1.516 ms [1.493 ms, 1.539 ms] 164.471 µs (12.2%)
tracing 1.48 ms [1.456 ms, 1.505 ms] 128.864 µs (9.5%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master mario.vidal/expand_support_ssrf_apache
git_commit_date 1733731349 1733737481
git_commit_sha 4df0a01 d7ed872
release_version 1.44.0-SNAPSHOT~4df0a01668 1.44.0-SNAPSHOT~d7ed872055
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1733739511 1733739511
ci_job_id 730439929 730439929
ci_pipeline_id 50539262 50539262
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
gantt
    title biojava - execution time [CI 0.99] : candidate=1.44.0-SNAPSHOT~d7ed872055, baseline=1.44.0-SNAPSHOT~4df0a01668
    dateFormat X
    axisFormat %s
section baseline
no_agent (14.936 s) : 14936000, 14936000
.   : milestone, 14936000,
appsec (15.109 s) : 15109000, 15109000
.   : milestone, 15109000,
iast (19.094 s) : 19094000, 19094000
.   : milestone, 19094000,
iast_GLOBAL (17.76 s) : 17760000, 17760000
.   : milestone, 17760000,
profiling (15.419 s) : 15419000, 15419000
.   : milestone, 15419000,
tracing (14.855 s) : 14855000, 14855000
.   : milestone, 14855000,
section candidate
no_agent (15.411 s) : 15411000, 15411000
.   : milestone, 15411000,
appsec (15.082 s) : 15082000, 15082000
.   : milestone, 15082000,
iast (18.859 s) : 18859000, 18859000
.   : milestone, 18859000,
iast_GLOBAL (18.344 s) : 18344000, 18344000
.   : milestone, 18344000,
profiling (15.087 s) : 15087000, 15087000
.   : milestone, 15087000,
tracing (15.128 s) : 15128000, 15128000
.   : milestone, 15128000,
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.936 s [14.936 s, 14.936 s] -
appsec 15.109 s [15.109 s, 15.109 s] 173.0 ms (1.2%)
iast 19.094 s [19.094 s, 19.094 s] 4.158 s (27.8%)
iast_GLOBAL 17.76 s [17.76 s, 17.76 s] 2.824 s (18.9%)
profiling 15.419 s [15.419 s, 15.419 s] 483.0 ms (3.2%)
tracing 14.855 s [14.855 s, 14.855 s] -81.0 ms (-0.5%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.411 s [15.411 s, 15.411 s] -
appsec 15.082 s [15.082 s, 15.082 s] -329.0 ms (-2.1%)
iast 18.859 s [18.859 s, 18.859 s] 3.448 s (22.4%)
iast_GLOBAL 18.344 s [18.344 s, 18.344 s] 2.933 s (19.0%)
profiling 15.087 s [15.087 s, 15.087 s] -324.0 ms (-2.1%)
tracing 15.128 s [15.128 s, 15.128 s] -283.0 ms (-1.8%)
Execution time for tomcat
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.44.0-SNAPSHOT~d7ed872055, baseline=1.44.0-SNAPSHOT~4df0a01668
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.466 ms) : 1454, 1477
.   : milestone, 1466,
appsec (2.337 ms) : 2296, 2379
.   : milestone, 2337,
iast (2.079 ms) : 2026, 2131
.   : milestone, 2079,
iast_GLOBAL (2.127 ms) : 2075, 2180
.   : milestone, 2127,
profiling (1.966 ms) : 1923, 2008
.   : milestone, 1966,
tracing (1.926 ms) : 1886, 1966
.   : milestone, 1926,
section candidate
no_agent (1.465 ms) : 1453, 1476
.   : milestone, 1465,
appsec (2.344 ms) : 2303, 2385
.   : milestone, 2344,
iast (2.095 ms) : 2042, 2148
.   : milestone, 2095,
iast_GLOBAL (2.132 ms) : 2079, 2185
.   : milestone, 2132,
profiling (1.947 ms) : 1905, 1989
.   : milestone, 1947,
tracing (1.926 ms) : 1885, 1966
.   : milestone, 1926,
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.466 ms [1.454 ms, 1.477 ms] -
appsec 2.337 ms [2.296 ms, 2.379 ms] 871.601 µs (59.5%)
iast 2.079 ms [2.026 ms, 2.131 ms] 613.129 µs (41.8%)
iast_GLOBAL 2.127 ms [2.075 ms, 2.18 ms] 661.741 µs (45.2%)
profiling 1.966 ms [1.923 ms, 2.008 ms] 499.904 µs (34.1%)
tracing 1.926 ms [1.886 ms, 1.966 ms] 460.087 µs (31.4%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.465 ms [1.453 ms, 1.476 ms] -
appsec 2.344 ms [2.303 ms, 2.385 ms] 879.161 µs (60.0%)
iast 2.095 ms [2.042 ms, 2.148 ms] 630.236 µs (43.0%)
iast_GLOBAL 2.132 ms [2.079 ms, 2.185 ms] 667.24 µs (45.6%)
profiling 1.947 ms [1.905 ms, 1.989 ms] 481.889 µs (32.9%)
tracing 1.926 ms [1.885 ms, 1.966 ms] 461.029 µs (31.5%)

@Mariovido Mariovido added type: enhancement comp: asm iast Application Security Management (IAST) inst: java Core Java language instrumentation labels Nov 14, 2024
@Mariovido Mariovido changed the title Expand SSRF support in IAST to apache-httpclient5 Expand SSRF support in IAST to apache-httpclient-5 and apache-httpasyncclient-4 Nov 14, 2024
@Mariovido Mariovido marked this pull request as ready for review November 14, 2024 15:18
@Mariovido Mariovido requested review from a team as code owners November 14, 2024 15:18
@PerfectSlayer PerfectSlayer added inst: apache httpcomponents Apache HttpComponents and removed inst: java Core Java language instrumentation labels Nov 14, 2024
@Mariovido Mariovido merged commit 9ac8ab1 into master Dec 9, 2024
150 checks passed
@Mariovido Mariovido deleted the mario.vidal/expand_support_ssrf_apache branch December 9, 2024 10:51
@github-actions github-actions bot added this to the 1.44.0 milestone Dec 9, 2024
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Dec 16, 2024
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.google.api.grpc:proto-google-common-protos](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.49.0` -> `2.50.0` |
| [com.google.cloud:google-cloud-core-http](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.48.0` -> `2.49.0` |
| [com.google.cloud:google-cloud-spanner](https://github.com/googleapis/java-spanner) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `6.82.0` -> `6.83.0` |
| [com.google.cloud:google-cloud-logging](https://github.com/googleapis/java-logging) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `3.20.7` -> `3.21.0` |
| [com.google.cloud:google-cloud-datastore](https://github.com/googleapis/java-datastore) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.24.3` -> `2.25.1` |
| [com.google.cloud:google-cloud-core](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.48.0` -> `2.49.0` |
| [com.google.api:gax](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.58.0` -> `2.59.0` |
| [com.autonomousapps.dependency-analysis](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin) | plugin | misk/gradle/libs.versions.toml | gradle | patch | `2.6.0` -> `2.6.1` |
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.43.0` -> `1.44.1` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.43.0` -> `1.44.1` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` |
| [com.amazonaws:aws-java-sdk-sqs](https://aws.amazon.com/sdkforjava) ([source](https://github.com/aws/aws-sdk-java)) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.12.779` -> `1.12.780` |
| [com.amazonaws:aws-java-sdk-s3](https://aws.amazon.com/sdkforjava) ([source](https://github.com/aws/aws-sdk-java)) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.12.779` -> `1.12.780` |
| [com.amazonaws:aws-java-sdk-dynamodb](https://aws.amazon.com/sdkforjava) ([source](https://github.com/aws/aws-sdk-java)) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.12.779` -> `1.12.780` |
| [com.amazonaws:aws-java-sdk-core](https://aws.amazon.com/sdkforjava) ([source](https://github.com/aws/aws-sdk-java)) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.12.779` -> `1.12.780` |

---

### Release Notes

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.44.1`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.44.1): 1.44.1

##### Components

##### Continuous Integration Visibility

- 🐛 Fix tracing JUnit5 tests in Maven projects with multiple forks ([#8089](DataDog/dd-trace-java#8089) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))

###
[`v1.44.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.44.0):
1.44.0

##### Known Issues

> \[!WARNING]\
> This release contains a known issue that causes failures when using
Test Optimization to trace JUnit 5 tests in a Maven project where Maven
Surefire is configured with `forkCount` > 1.
> The issue is fixed in v1.44.1

##### Breaking Changes

> \[!WARNING]\
> Support for `X-Forwarded` header is dropped from default client IP
resolution.
> It can still be re-activated using the
`dd.trace.client-ip-header=x-forwarded` system property, or the
`DD_TRACE_CLIENT_IP_HEADER=x-forwarded` environment variable. See
[#7946](DataDog/dd-trace-java#7946).

##### Components

##### Application Security Management (IAST)

- ✨ Set unexpected IAST exceptions to debug log level
([#8044](DataDog/dd-trace-java#8044) -
[@smola](https://github.com/smola))
- ✨ Increase IAST propagation to StringBuffer subSequence
([#8038](DataDog/dd-trace-java#8038) -
[@Mariovido](https://github.com/Mariovido))
- ✨ Increase IAST propagation to StringBuilder subSequence
([#8026](DataDog/dd-trace-java#8026) -
[@Mariovido](https://github.com/Mariovido))
- ✨ Add IAST propagation to String valueOf
([#8013](DataDog/dd-trace-java#8013) -
[@Mariovido](https://github.com/Mariovido))
- ✨ Increase IAST propagation to StringBuilder append
([#8010](DataDog/dd-trace-java#8010) -
[@Mariovido](https://github.com/Mariovido))
- ✨ Expand SSRF support in IAST to apache-httpclient-5 and
apache-httpasyncclient-4
([#7920](DataDog/dd-trace-java#7920) -
[@Mariovido](https://github.com/Mariovido))

##### Build & Tooling

- ✨ Generate Muzzle classes for Groovy instrumentations
([#8004](DataDog/dd-trace-java#8004) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))

##### Continuous Integration Visibility

- ✨ Support distributed traces in tests
([#8078](DataDog/dd-trace-java#8078) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement fail-fast tests ordering for JUnit 5
([#8055](DataDog/dd-trace-java#8055) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Mark JUnit 5 setup and teardown action spans as failed if
there is an error
([#8033](DataDog/dd-trace-java#8033) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add tracing of setup and teardown actions in JUnit 4
([#8030](DataDog/dd-trace-java#8030) -
[@daniel-mohedano](https://github.com/daniel-mohedano))

##### Crash tracking

- ✨ Improve crash tracking install logging
([#8045](DataDog/dd-trace-java#8045) -
[@PerfectSlayer](https://github.com/PerfectSlayer))

##### Data Streams Monitoring

- 🐛 Add Data Streams support in AWS SQS without raw message delivery
([#8071](DataDog/dd-trace-java#8071) -
[@piochelepiotr](https://github.com/piochelepiotr))
- ✨ Add new tag for enabled products / features to DSM
checkpoints
([#8051](DataDog/dd-trace-java#8051) -
[@kr-igor](https://github.com/kr-igor))
- 💡 Instrument self hosted Kafka connectors
([#7959](DataDog/dd-trace-java#7959) -
[@piochelepiotr](https://github.com/piochelepiotr))

##### Dynamic Instrumentation

- ✨ Add Micronaut 4 support for code origin for spans
([#8039](DataDog/dd-trace-java#8039) -
[@jpbempel](https://github.com/jpbempel))
- ✨ Refactor probe matching for methods
([#8021](DataDog/dd-trace-java#8021) -
[@jpbempel](https://github.com/jpbempel))
- ✨ Update the CodeOriginProbe fingerprint to not rely on a
stack walk
([#8016](DataDog/dd-trace-java#8016) -
[@evanchooly](https://github.com/evanchooly))
- ✨ Implement code origin support for grpc server entry spans
([#7942](DataDog/dd-trace-java#7942) -
[@evanchooly](https://github.com/evanchooly))

##### GraalVM native-image

- 🐛 Update Graal build-time instrumentation config for
TracePropagationStyle
([#8065](DataDog/dd-trace-java#8065) -
[@MattAlp](https://github.com/MattAlp))
- 🐛 Fix NoClassDefFoundError: Could not initialize class
DDSpanLink$EncoderHolder in Graal native-image
([#8036](DataDog/dd-trace-java#8036) -
[@mcculls](https://github.com/mcculls))
- 🐛🧹 Fix native-image generation of reactive applications
([#8012](DataDog/dd-trace-java#8012) -
[@mcculls](https://github.com/mcculls))

##### OpenTracing

- 🧹 Custom ScopeManagers are deprecated and will be removed in a
future release of dd-trace-ot
([#8058](DataDog/dd-trace-java#8058) -
[@mcculls](https://github.com/mcculls))

##### Tracer core

- ✨🧪 Service naming: split by jee deployment
([#8064](DataDog/dd-trace-java#8064) -
[@amarziali](https://github.com/amarziali))
- ✨ Exclude jboss mdb proxies from instrumenting
([#8061](DataDog/dd-trace-java#8061) -
[@amarziali](https://github.com/amarziali))
- ✨ Add a built-in trace interceptor for keeping traces
depending of their latency
([#8040](DataDog/dd-trace-java#8040) -
[@cecile75](https://github.com/cecile75))
- 💡 Introduce marker mechanism for eagerly initializing helpers
([#8028](DataDog/dd-trace-java#8028) -
[@mcculls](https://github.com/mcculls))
- 💡 Add JSON component
([#7973](DataDog/dd-trace-java#7973) -
[@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨⚠️ Remove support for X-Forwarded in client IP
resolution
([#7946](DataDog/dd-trace-java#7946) -
[@smola](https://github.com/smola))

##### Instrumentations

##### Apache HttpComponents

- ✨ Expand SSRF support in IAST to apache-httpclient-5 and
apache-httpasyncclient-4
([#7920](DataDog/dd-trace-java#7920) -
[@Mariovido](https://github.com/Mariovido))

##### gRPC instrumentation

- 🐛 Use lower priorities for grpc server errors
([#8043](DataDog/dd-trace-java#8043) -
[@amarziali](https://github.com/amarziali))

##### JDBC instrumentation

- ✨ Add trace injection for prepared statements in Postgres
([#7940](DataDog/dd-trace-java#7940) -
[@nenadnoveljic](https://github.com/nenadnoveljic))

##### JMS instrumentation

- 🐛 Protect mdb from instrumenting multiple time the same event
([#8062](DataDog/dd-trace-java#8062) -
[@amarziali](https://github.com/amarziali))

##### Kafka instrumentation

- 💡 Instrument self hosted Kafka connectors
([#7959](DataDog/dd-trace-java#7959) -
[@piochelepiotr](https://github.com/piochelepiotr))

##### OpenTelemetry instrumentation

- 🐛 Support using OpenTelemetry Event API inside `@WithSpan`
annotated method
([#8019](DataDog/dd-trace-java#8019) -
[@mcculls](https://github.com/mcculls))

##### Reactor instrumentation

- 🐛🧹 Fix native-image generation of reactive applications
([#8012](DataDog/dd-trace-java#8012) -
[@mcculls](https://github.com/mcculls))

##### Spring instrumentation

- 🐛 Avoid double instrumenting lambdas on latest spring scheduling
([#8005](DataDog/dd-trace-java#8005) -
[@amarziali](https://github.com/amarziali))

##### All other instrumentations

- 🐛 Twilio: allow service name flattening
([#8025](DataDog/dd-trace-java#8025) -
[@amarziali](https://github.com/amarziali))
- ✨ Instrument Mulesoft 4.5.0+
([#7981](DataDog/dd-trace-java#7981) -
[@amarziali](https://github.com/amarziali))

</details>

<details>
<summary>aws/aws-sdk-java (com.amazonaws:aws-java-sdk-sqs)</summary>

### [`v1.12.780`](https://github.com/aws/aws-sdk-java/blob/HEAD/CHANGELOG.md#112780-2024-12-11)

[Compare
Source](aws/aws-sdk-java@1.12.779...1.12.780)

#### **Amazon Simple Storage Service**

-   ### Bugfixes
- AWS SDK for Java 1.x now includes additional validation for Amazon S3
client APIs to handle scenarios where an empty string ('') is passed as
the key argument to the following operations: PutObject, DeleteObject,
ListObjects, GetObjectMetaData, ListObjectsV2, SetObjectTagging,
GetObjectTagging, SetObjectAcl, GetObjectAcl, SetObjectLegalHold,
GetObjectLegalHold, CopyObject, CopyPart, SelectObjectContent,
SetObjectRetention, GetObjectRetention, AbortMultipartUpload,
CompleteMultipartUpload, InitiateMultipartUpload, ListParts, UploadPart,
RestoreObjectV2, and RestoreObject. The SDK will validate the key
argument and throw an exception if it is an empty string, ensuring
correct and expected behavior.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---


This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: 69831bc62ea4d80cdcd42cef2aa9bd8eda28ae8c
Labels
comp: asm iast Application Security Management (IAST) inst: apache httpcomponents Apache HttpComponents type: enhancement