Fix IAST standalone sampling priority propagation (#4927)

CarlesDD · iunanua · web-flow · commit d19f3b03ade6 · 2024-11-27T08:36:24.000+01:00
* WIP

* Disable vuln deduplication in OCE test

* Test vuln deduplication on the fly

* Skip vuln dedup in multiple sends test

* Fix lint issues

* Remove multiple send test

* Move on the fly span creation for vulns out of req to addVulnerability method

* Move finish out-of-request span

* Update packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

Co-authored-by: Igor Unanua &lt;igor.unanua@datadoghq.com&gt;

---------

Co-authored-by: Igor Unanua &lt;igor.unanua@datadoghq.com&gt;
diff --git a/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js b/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js
@@ -17,13 +17,36 @@ let resetVulnerabilityCacheTimer
 let deduplicationEnabled = true
 
 function addVulnerability (iastContext, vulnerability) {
-  if (vulnerability && vulnerability.evidence && vulnerability.type &&
-    vulnerability.location) {
-    if (iastContext && iastContext.rootSpan) {
+  if (vulnerability?.evidence && vulnerability?.type && vulnerability?.location) {
+    if (deduplicationEnabled && isDuplicatedVulnerability(vulnerability)) return
+
+    VULNERABILITY_HASHES.set(`${vulnerability.type}${vulnerability.hash}`, true)
+
+    let span = iastContext?.rootSpan
+
+    if (!span && tracer) {
+      span = tracer.startSpan('vulnerability', {
+        type: 'vulnerability'
+      })
+
+      vulnerability.location.spanId = span.context().toSpanId()
+
+      span.addTags({
+        [IAST_ENABLED_TAG_KEY]: 1
+      })
+    }
+
+    if (!span) return
+
+    keepTrace(span, SAMPLING_MECHANISM_APPSEC)
+    standalone.sample(span)
+
+    if (iastContext?.rootSpan) {
       iastContext[VULNERABILITIES_KEY] = iastContext[VULNERABILITIES_KEY] || []
       iastContext[VULNERABILITIES_KEY].push(vulnerability)
     } else {
-      sendVulnerabilities([vulnerability])
+      sendVulnerabilities([vulnerability], span)
+      span.finish()
     }
   }
 }
@@ -34,36 +57,17 @@ function isValidVulnerability (vulnerability) {
     vulnerability.location && vulnerability.location.spanId
 }
 
-function sendVulnerabilities (vulnerabilities, rootSpan) {
+function sendVulnerabilities (vulnerabilities, span) {
   if (vulnerabilities && vulnerabilities.length) {
-    let span = rootSpan
-    if (!span && tracer) {
-      span = tracer.startSpan('vulnerability', {
-        type: 'vulnerability'
-      })
-      vulnerabilities.forEach((vulnerability) => {
-        vulnerability.location.spanId = span.context().toSpanId()
-      })
-      span.addTags({
-        [IAST_ENABLED_TAG_KEY]: 1
-      })
-    }
-
     if (span && span.addTags) {
-      const validAndDedupVulnerabilities = deduplicateVulnerabilities(vulnerabilities).filter(isValidVulnerability)
-      const jsonToSend = vulnerabilitiesFormatter.toJson(validAndDedupVulnerabilities)
+      const validatedVulnerabilities = vulnerabilities.filter(isValidVulnerability)
+      const jsonToSend = vulnerabilitiesFormatter.toJson(validatedVulnerabilities)
 
       if (jsonToSend.vulnerabilities.length > 0) {
         const tags = {}
         // TODO: Store this outside of the span and set the tag in the exporter.
         tags[IAST_JSON_TAG_KEY] = JSON.stringify(jsonToSend)
         span.addTags(tags)
-
-        keepTrace(span, SAMPLING_MECHANISM_APPSEC)
-
-        standalone.sample(span)
-
-        if (!rootSpan) span.finish()
       }
     }
   }
@@ -86,17 +90,8 @@ function stopClearCacheTimer () {
   }
 }
 
-function deduplicateVulnerabilities (vulnerabilities) {
-  if (!deduplicationEnabled) return vulnerabilities
-  const deduplicated = vulnerabilities.filter((vulnerability) => {
-    const key = `${vulnerability.type}${vulnerability.hash}`
-    if (!VULNERABILITY_HASHES.get(key)) {
-      VULNERABILITY_HASHES.set(key, true)
-      return true
-    }
-    return false
-  })
-  return deduplicated
+function isDuplicatedVulnerability (vulnerability) {
+  return VULNERABILITY_HASHES.get(`${vulnerability.type}${vulnerability.hash}`)
 }
 
 function start (config, _tracer) {
diff --git a/packages/dd-trace/test/appsec/iast/overhead-controller.spec.js b/packages/dd-trace/test/appsec/iast/overhead-controller.spec.js
@@ -331,7 +331,8 @@ describe('Overhead controller', () => {
               iast: {
                 enabled: true,
                 requestSampling: 100,
-                maxConcurrentRequests: 2
+                maxConcurrentRequests: 2,
+                deduplicationEnabled: false
               }
             }
           })
@@ -365,15 +366,13 @@ describe('Overhead controller', () => {
             } else if (url === SECOND_REQUEST) {
               setImmediate(() => {
                 requestResolvers[FIRST_REQUEST]()
-                vulnerabilityReporter.clearCache()
               })
             }
           })
           testRequestEventEmitter.on(TEST_REQUEST_FINISHED, (url) => {
             if (url === FIRST_REQUEST) {
               setImmediate(() => {
                 requestResolvers[SECOND_REQUEST]()
-                vulnerabilityReporter.clearCache()
               })
             }
           })
@@ -388,7 +387,8 @@ describe('Overhead controller', () => {
               iast: {
                 enabled: true,
                 requestSampling: 100,
-                maxConcurrentRequests: 2
+                maxConcurrentRequests: 2,
+                deduplicationEnabled: false
               }
             }
           })
@@ -435,7 +435,6 @@ describe('Overhead controller', () => {
               requestResolvers[FIRST_REQUEST]()
             } else if (url === FIFTH_REQUEST) {
               requestResolvers[SECOND_REQUEST]()
-              vulnerabilityReporter.clearCache()
             }
           })
           testRequestEventEmitter.on(TEST_REQUEST_FINISHED, (url) => {
@@ -444,7 +443,6 @@ describe('Overhead controller', () => {
               axios.get(`http://localhost:${serverConfig.port}${FIFTH_REQUEST}`).then().catch(done)
             } else if (url === SECOND_REQUEST) {
               setImmediate(() => {
-                vulnerabilityReporter.clearCache()
                 requestResolvers[THIRD_REQUEST]()
                 requestResolvers[FOURTH_REQUEST]()
                 requestResolvers[FIFTH_REQUEST]()
diff --git a/packages/dd-trace/test/appsec/iast/vulnerability-reporter.spec.js b/packages/dd-trace/test/appsec/iast/vulnerability-reporter.spec.js
@@ -52,14 +52,14 @@ describe('vulnerability-reporter', () => {
         expect(iastContext.vulnerabilities).to.be.an('array')
       })
 
-      it('should add multiple vulnerabilities', () => {
+      it('should deduplicate same vulnerabilities', () => {
         addVulnerability(iastContext,
           vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, -555))
         addVulnerability(iastContext,
           vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888))
         addVulnerability(iastContext,
           vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 123))
-        expect(iastContext.vulnerabilities).to.have.length(3)
+        expect(iastContext.vulnerabilities).to.have.length(1)
       })
 
       it('should add in the context evidence properties', () => {
@@ -260,7 +260,12 @@ describe('vulnerability-reporter', () => {
           '[{"value":"SELECT id FROM u WHERE email = \'"},{"value":"joe@mail.com","source":1},{"value":"\';"}]},' +
           '"location":{"spanId":888,"path":"filename.js","line":99}}]}'
       })
-      expect(prioritySampler.setPriority).to.have.been.calledOnceWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
+
+      expect(prioritySampler.setPriority).to.have.been.calledTwice
+      expect(prioritySampler.setPriority.firstCall)
+        .to.have.been.calledWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
+      expect(prioritySampler.setPriority.secondCall)
+        .to.have.been.calledWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
     })
 
     it('should send multiple vulnerabilities with same tainted source', () => {
@@ -313,7 +318,12 @@ describe('vulnerability-reporter', () => {
           '[{"value":"UPDATE u SET name=\'"},{"value":"joe","source":0},{"value":"\' WHERE id=1;"}]},' +
           '"location":{"spanId":888,"path":"filename.js","line":99}}]}'
       })
-      expect(prioritySampler.setPriority).to.have.been.calledOnceWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
+
+      expect(prioritySampler.setPriority).to.have.been.calledTwice
+      expect(prioritySampler.setPriority.firstCall)
+        .to.have.been.calledWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
+      expect(prioritySampler.setPriority.secondCall)
+        .to.have.been.calledWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
     })
 
     it('should send once with multiple vulnerabilities', () => {
@@ -334,7 +344,13 @@ describe('vulnerability-reporter', () => {
           '{"type":"INSECURE_HASHING","hash":1755238473,"evidence":{"value":"md5"},' +
             '"location":{"spanId":-5,"path":"/path/to/file3.js","line":3}}]}'
       })
-      expect(prioritySampler.setPriority).to.have.been.calledOnceWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
+      expect(prioritySampler.setPriority).to.have.been.calledThrice
+      expect(prioritySampler.setPriority.firstCall)
+        .to.have.been.calledWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
+      expect(prioritySampler.setPriority.secondCall)
+        .to.have.been.calledWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
+      expect(prioritySampler.setPriority.thirdCall)
+        .to.have.been.calledWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
     })
 
     it('should send once vulnerability with one vulnerability', () => {
@@ -366,23 +382,6 @@ describe('vulnerability-reporter', () => {
       expect(prioritySampler.setPriority).to.have.been.calledOnceWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
     })
 
-    it('should not send duplicated vulnerabilities in multiple sends', () => {
-      const iastContext = { rootSpan: span }
-      addVulnerability(iastContext,
-        vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888,
-          { path: 'filename.js', line: 88 }))
-      addVulnerability(iastContext,
-        vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888,
-          { path: 'filename.js', line: 88 }))
-      sendVulnerabilities(iastContext.vulnerabilities, span)
-      sendVulnerabilities(iastContext.vulnerabilities, span)
-      expect(span.addTags).to.have.been.calledOnceWithExactly({
-        '_dd.iast.json': '{"sources":[],"vulnerabilities":[{"type":"INSECURE_HASHING","hash":3410512691,' +
-          '"evidence":{"value":"sha1"},"location":{"spanId":888,"path":"filename.js","line":88}}]}'
-      })
-      expect(prioritySampler.setPriority).to.have.been.calledOnceWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
-    })
-
     it('should not deduplicate vulnerabilities if not enabled', () => {
       start({
         iast: {
@@ -401,7 +400,11 @@ describe('vulnerability-reporter', () => {
           '{"type":"INSECURE_HASHING","hash":3410512691,"evidence":{"value":"sha1"},"location":' +
           '{"spanId":888,"path":"filename.js","line":88}}]}'
       })
-      expect(prioritySampler.setPriority).to.have.been.calledOnceWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
+      expect(prioritySampler.setPriority).to.have.been.calledTwice
+      expect(prioritySampler.setPriority.firstCall)
+        .to.have.been.calledWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
+      expect(prioritySampler.setPriority.secondCall)
+        .to.have.been.calledWithExactly(span, USER_KEEP, SAMPLING_MECHANISM_APPSEC)
     })
 
     it('should add _dd.p.appsec trace tag with standalone enabled', () => {
