@jandro996 jandro996 commented Mar 3, 2025

What Does This Do

com.stripe.net.HttpURLConnectionClient excluded by the iast instrumenter

Motivation

Solve SSRF vulnerability false positives

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-56641

@jandro996 jandro996 added type: bug Bug report and fix comp: asm iast Application Security Management (IAST) labels Mar 3, 2025
@jandro996 jandro996 requested a review from a team as a code owner March 3, 2025 10:49
@jandro996 jandro996 requested review from sezen-datadog and smola March 3, 2025 10:49

pr-commenter bot commented Mar 3, 2025

Benchmarks

Startup

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2025-03-03T14:11:55 2025-03-03T14:19:49
git_branch master alejandro.gonzalez/stripe-ssrf-false-positive
git_commit_date 1741008234 1741010406
git_commit_sha cb3fea1 aaa6f41
release_version 1.47.0-SNAPSHOT~cb3fea19b4 1.47.0-SNAPSHOT~aaa6f41e7b
start_time 2025-03-03T14:11:41 2025-03-03T14:19:35
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1741011995 1741011995
ci_job_id 829719004 829719004
ci_pipeline_id 57493869 57493869
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-8ksbllmc-project-304-concurrent-4-ayvy2ljt 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux Linux runner-8ksbllmc-project-304-concurrent-4-ayvy2ljt 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 18 unstable metrics.

Request duration reports for petclinic
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.361 ms [1.34 ms, 1.381 ms] -
appsec 1.712 ms [1.688 ms, 1.736 ms] 351.384 µs (25.8%)
appsec_no_iast 1.704 ms [1.68 ms, 1.727 ms] 342.768 µs (25.2%)
code_origins 1.666 ms [1.632 ms, 1.699 ms] 304.786 µs (22.4%)
iast 1.53 ms [1.505 ms, 1.555 ms] 169.057 µs (12.4%)
profiling 1.527 ms [1.501 ms, 1.553 ms] 166.157 µs (12.2%)
tracing 1.498 ms [1.475 ms, 1.522 ms] 137.663 µs (10.1%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.338 ms [1.318 ms, 1.358 ms] -
appsec 1.727 ms [1.702 ms, 1.752 ms] 388.918 µs (29.1%)
appsec_no_iast 1.723 ms [1.7 ms, 1.747 ms] 385.297 µs (28.8%)
code_origins 1.693 ms [1.66 ms, 1.725 ms] 354.423 µs (26.5%)
iast 1.508 ms [1.483 ms, 1.533 ms] 169.987 µs (12.7%)
profiling 1.511 ms [1.484 ms, 1.539 ms] 173.354 µs (13.0%)
tracing 1.496 ms [1.473 ms, 1.52 ms] 158.138 µs (11.8%)
Request duration reports for insecure-bank
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 384.062 µs [364.138 µs, 403.985 µs] -
iast 507.112 µs [485.463 µs, 528.762 µs] 123.051 µs (32.0%)
iast_FULL 728.349 µs [706.306 µs, 750.393 µs] 344.288 µs (89.6%)
iast_GLOBAL 562.236 µs [539.751 µs, 584.721 µs] 178.174 µs (46.4%)
iast_HARDCODED_SECRET_DISABLED 516.1 µs [494.165 µs, 538.035 µs] 132.038 µs (34.4%)
iast_INACTIVE 458.943 µs [437.114 µs, 480.773 µs] 74.882 µs (19.5%)
iast_TELEMETRY_OFF 501.251 µs [477.669 µs, 524.832 µs] 117.189 µs (30.5%)
tracing 451.591 µs [430.738 µs, 472.445 µs] 67.529 µs (17.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 382.898 µs [363.333 µs, 402.464 µs] -
iast 506.311 µs [484.299 µs, 528.322 µs] 123.412 µs (32.2%)
iast_FULL 724.319 µs [702.146 µs, 746.493 µs] 341.421 µs (89.2%)
iast_GLOBAL 554.92 µs [532.6 µs, 577.239 µs] 172.021 µs (44.9%)
iast_HARDCODED_SECRET_DISABLED 515.805 µs [493.393 µs, 538.217 µs] 132.907 µs (34.7%)
iast_INACTIVE 461.621 µs [440.123 µs, 483.118 µs] 78.723 µs (20.6%)
iast_TELEMETRY_OFF 498.936 µs [476.953 µs, 520.92 µs] 116.038 µs (30.3%)
tracing 454.93 µs [433.543 µs, 476.317 µs] 72.032 µs (18.8%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/stripe-ssrf-false-positive
git_commit_date 1741008234 1741010406
git_commit_sha cb3fea1 aaa6f41
release_version 1.47.0-SNAPSHOT~cb3fea19b4 1.47.0-SNAPSHOT~aaa6f41e7b
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1741012542 1741012542
ci_job_id 829719006 829719006
ci_pipeline_id 57493869 57493869
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-8ksbllmc-project-304-concurrent-6-h93kn7mf 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux Linux runner-8ksbllmc-project-304-concurrent-6-h93kn7mf 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.315 s [15.315 s, 15.315 s] -
appsec 14.758 s [14.758 s, 14.758 s] -557.0 ms (-3.6%)
iast 18.731 s [18.731 s, 18.731 s] 3.416 s (22.3%)
iast_GLOBAL 17.812 s [17.812 s, 17.812 s] 2.497 s (16.3%)
profiling 15.16 s [15.16 s, 15.16 s] -155.0 ms (-1.0%)
tracing 15.02 s [15.02 s, 15.02 s] -295.0 ms (-1.9%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.478 s [15.478 s, 15.478 s] -
appsec 14.8 s [14.8 s, 14.8 s] -678.0 ms (-4.4%)
iast 18.79 s [18.79 s, 18.79 s] 3.312 s (21.4%)
iast_GLOBAL 17.975 s [17.975 s, 17.975 s] 2.497 s (16.1%)
profiling 14.936 s [14.936 s, 14.936 s] -542.0 ms (-3.5%)
tracing 14.812 s [14.812 s, 14.812 s] -666.0 ms (-4.3%)
Execution time for tomcat
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.465 ms [1.454 ms, 1.477 ms] -
appsec 2.337 ms [2.293 ms, 2.381 ms] 871.605 µs (59.5%)
iast 2.111 ms [2.056 ms, 2.166 ms] 645.76 µs (44.1%)
iast_GLOBAL 2.156 ms [2.1 ms, 2.211 ms] 690.099 µs (47.1%)
profiling 1.967 ms [1.923 ms, 2.01 ms] 501.354 µs (34.2%)
tracing 1.939 ms [1.897 ms, 1.981 ms] 473.714 µs (32.3%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.473 ms [1.461 ms, 1.484 ms] -
appsec 2.336 ms [2.292 ms, 2.38 ms] 863.392 µs (58.6%)
iast 2.11 ms [2.055 ms, 2.165 ms] 637.09 µs (43.3%)
iast_GLOBAL 2.156 ms [2.101 ms, 2.212 ms] 683.332 µs (46.4%)
profiling 1.961 ms [1.918 ms, 2.005 ms] 488.629 µs (33.2%)
tracing 1.948 ms [1.905 ms, 1.99 ms] 474.728 µs (32.2%)

@jandro996 jandro996 merged commit a336b59 into master Mar 3, 2025
209 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/stripe-ssrf-false-positive branch March 3, 2025 14:56
@github-actions github-actions bot added this to the 1.47.0 milestone Mar 3, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Mar 6, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.46.1` -> `1.47.0` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.46.1` -> `1.47.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |

---

### Release Notes

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.47.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.47.0): 1.47.0

##### Components

##### Application Security Management (IAST)

- 🐛 Exclude com.stripe.net.HttpURLConnectionClient to solve IAST
SSRF vulnerability false positives
([#8483](DataDog/dd-trace-java#8483) -
[@jandro996](https://github.com/jandro996))
- 🐛 Add exclusion to solve IAST weak randomness vulnerability false
positives
([#8462](DataDog/dd-trace-java#8462) -
[@jandro996](https://github.com/jandro996))
- ✨ Fix weak randomness false positive in Kafka client
([#8408](DataDog/dd-trace-java#8408) -
[@smola](https://github.com/smola))
- ✨ Fix location for SSRF with Kong Unirest
([#8407](DataDog/dd-trace-java#8407) -
[@smola](https://github.com/smola))
- ✨ Exclude IBM Instana from IAST
([#8406](DataDog/dd-trace-java#8406) -
[@smola](https://github.com/smola))
- 🐛 Fix org.json iast instrumentation test for latest dependency
([#8347](DataDog/dd-trace-java#8347) -
[@jandro996](https://github.com/jandro996))
- ✨ Configuration to Disable APM Tracing
([#8219](DataDog/dd-trace-java#8219) -
[@jandro996](https://github.com/jandro996))
- ✨ Address cookie vulnerability cardinality issues
([#8210](DataDog/dd-trace-java#8210) -
[@jandro996](https://github.com/jandro996))
- ✨ Email HTML Injection detection in IAST
([#8205](DataDog/dd-trace-java#8205) -
[@sezen-datadog](https://github.com/sezen-datadog))

##### Application Security Management (WAF)

- 🐛✨ Ensure usr.exists tag is not overridden when
UsernameNotFoundException is thrown
([#8376](DataDog/dd-trace-java#8376) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- 🐛✨ Ensure usr.exists tag is not overridden by auto
instrumentation
([#8374](DataDog/dd-trace-java#8374) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Update appsec metrics with event_rules_version tag
([#8354](DataDog/dd-trace-java#8354) -
[@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Update metrics: appsec.waf.requests
([#8353](DataDog/dd-trace-java#8353) -
[@Mariovido](https://github.com/Mariovido))
- ✨ Improve ASM support in vert.x 5.0
([#8285](DataDog/dd-trace-java#8285) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Update metrics: appsec.waf.updates and appsec.waf.init
([#8280](DataDog/dd-trace-java#8280) -
[@Mariovido](https://github.com/Mariovido))
- ✨ Configuration to Disable APM Tracing
([#8219](DataDog/dd-trace-java#8219) -
[@jandro996](https://github.com/jandro996))

##### Build & Tooling

- 🐛 Do not generate Muzzle references for primitive arrays in method
body
([#8361](DataDog/dd-trace-java#8361) -
[@amarziali](https://github.com/amarziali))
- 📖 Improve dev env setup documentation for Windows
([#8180](DataDog/dd-trace-java#8180) -
[@lucaspimentel](https://github.com/lucaspimentel))

##### Continuous Integration Visibility

- ✨ Add support for skip-EFD tagging
([#8487](DataDog/dd-trace-java#8487) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix an NPE in Gradle Android instrumentation
([#8484](DataDog/dd-trace-java#8484) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Consider modified tests when applying fail-fast tests
ordering
([#8474](DataDog/dd-trace-java#8474) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement tests reordering for TestNG
([#8467](DataDog/dd-trace-java#8467) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix Gradle Launcher instrumentation to not interfere with Gradle
Test Kit
([#8465](DataDog/dd-trace-java#8465) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Use separate TestEventHandlers per framework in CI Vis
instrumentations
([#8451](DataDog/dd-trace-java#8451) -
[@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Remove warning log when JUnit 4 test method cannot be
retrieved
([#8445](DataDog/dd-trace-java#8445) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix Scalatest tracing for tests that are reported asynchronously
([#8444](DataDog/dd-trace-java#8444) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement attempt to fix tests
([#8393](DataDog/dd-trace-java#8393) -
[@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement test disabling
([#8377](DataDog/dd-trace-java#8377) -
[@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Update CODEOWNERS parser to not log errors on comments with
leading whitespace
([#8349](DataDog/dd-trace-java#8349) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Request Test Management tests list
([#8345](DataDog/dd-trace-java#8345) -
[@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Receive test management settings from CIVis settings
request
([#8331](DataDog/dd-trace-java#8331) -
[@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement quarantined tests tagging
([#8326](DataDog/dd-trace-java#8326) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement tests quarantining
([#8320](DataDog/dd-trace-java#8320) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add tag to specify if the user is setting DD_SERVICE
([#8318](DataDog/dd-trace-java#8318) -
[@daniel-mohedano](https://github.com/daniel-mohedano))

##### Crash tracking

- ✨ Only fork jps when required
([#8419](DataDog/dd-trace-java#8419) -
[@mcculls](https://github.com/mcculls))
- 🐛 Use Java home of the crashed process to launch crash uploader
([#8348](DataDog/dd-trace-java#8348) -
[@jbachorik](https://github.com/jbachorik))

##### Data Streams Monitoring

- 🐛 Fix error happening when sqs message attributes are readonly
([#8473](DataDog/dd-trace-java#8473) -
[@vandonr](https://github.com/vandonr))
- 🐛 Fix bug on proto schema extraction
([#8403](DataDog/dd-trace-java#8403) -
[@vandonr](https://github.com/vandonr))
- 🐛 Fix service name overrides in consumers
([#8387](DataDog/dd-trace-java#8387) -
[@piochelepiotr](https://github.com/piochelepiotr))

##### Database Monitoring

- ✨ Add DBMTracePreparedStatements to tracer configuration log
([#8508](DataDog/dd-trace-java#8508) -
[@cecile75](https://github.com/cecile75))

##### Dynamic Instrumentation

- ✨ Look in another location for grpc service methods
([#8468](DataDog/dd-trace-java#8468) -
[@evanchooly](https://github.com/evanchooly))
- 🐛 Fix Exception Replay with Lambda proxy classes
([#8452](DataDog/dd-trace-java#8452) -
[@jpbempel](https://github.com/jpbempel))
- ✨ Add code origin support for spring-webmvc
([#8416](DataDog/dd-trace-java#8416) -
[@evanchooly](https://github.com/evanchooly))
- ✨ Add support for scanning jar from loaded class
([#8370](DataDog/dd-trace-java#8370) -
[@jpbempel](https://github.com/jpbempel))
- 🐛 Disable capture of entry values
([#8369](DataDog/dd-trace-java#8369) -
[@jpbempel](https://github.com/jpbempel))
- 🐛 Fix CodeOrigin for `@Trace` annotation
([#8344](DataDog/dd-trace-java#8344) -
[@jpbempel](https://github.com/jpbempel))
- 🐛 Fix equals/hashCode for CodeOrigin probe
([#8319](DataDog/dd-trace-java#8319) -
[@jpbempel](https://github.com/jpbempel))
- ✨ Add code origin support to kafka message listeners
([#8301](DataDog/dd-trace-java#8301) -
[@evanchooly](https://github.com/evanchooly))

##### Metrics

- ✨ Create metric: appsec.waf.error
([#8381](DataDog/dd-trace-java#8381) -
[@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Create metric: appsec.rasp.error
([#8364](DataDog/dd-trace-java#8364) -
[@sezen-datadog](https://github.com/sezen-datadog))

##### Profiling

- ✨ Bump ddprof library to 1.22.0
([#8463](DataDog/dd-trace-java#8463) -
[@jbachorik](https://github.com/jbachorik))
- IBM J9 8u361 corresponds to OpenJDK 8u362 by
[@jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#187
- Fix compatibility with musl libc 1.2.4 by
[@jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#189
- Modify version extraction by
[@jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#179
- Do not write null values to jvminfo event by
[@jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#184
- Productize VMStructs-based stack walker by
[@jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#177
- A few minor downport issues by
[@jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#180
- Enable ASGCT by default on fairly safe J9 JDK versions by
[@jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#181
- 🐛 Exclude OrderedThreadPoolExecutor from queue-time measurements
([#8456](DataDog/dd-trace-java#8456) -
[@jbachorik](https://github.com/jbachorik))
- ✨ Record JVM info on JVMs without JFR
([#8431](DataDog/dd-trace-java#8431) -
[@jbachorik](https://github.com/jbachorik))
- 🐛 Actually use CleanupTask in TempLocationManager
([#8420](DataDog/dd-trace-java#8420) -
[@mcculls](https://github.com/mcculls))
- ✨ Only fork jps when required
([#8419](DataDog/dd-trace-java#8419) -
[@mcculls](https://github.com/mcculls))
- 🐛 Adjust JFR checks for J9
([#8405](DataDog/dd-trace-java#8405) -
[@jbachorik](https://github.com/jbachorik))
- 🧹 Disable smap RSS parsing by default
([#8342](DataDog/dd-trace-java#8342) -
[@MattAlp](https://github.com/MattAlp))

##### Telemetry

- 🐛 Add support for JBoss jar:file format to DependencyResolver
([#8428](DataDog/dd-trace-java#8428) -
[@jandro996](https://github.com/jandro996))
- ✨ Update metrics: appsec.waf.requests
([#8353](DataDog/dd-trace-java#8353) -
[@Mariovido](https://github.com/Mariovido))

##### Trace context propagation

- ✨ Introduce tracing propagator
([#8313](DataDog/dd-trace-java#8313) -
[@PerfectSlayer](https://github.com/PerfectSlayer))

##### Tracer core

- 🐛 Fix Stable Config telemetry source names
([#8460](DataDog/dd-trace-java#8460) -
[@BaptisteFoy](https://github.com/BaptisteFoy))
- ✨ Probe trace endpoints with a valid payload of empty arrays
([#8414](DataDog/dd-trace-java#8414) -
[@mcculls](https://github.com/mcculls))
- ✨ Add 1 minute fail-safe to JUL/JMX class-loading callback
([#8399](DataDog/dd-trace-java#8399) -
[@mcculls](https://github.com/mcculls))
- ✨ Migrate DSM injection calls to context-first APIs
([#8383](DataDog/dd-trace-java#8383) -
[@PerfectSlayer](https://github.com/PerfectSlayer))
- 🧹 Move continuation capture methods from scope to tracer
([#8371](DataDog/dd-trace-java#8371) -
[@mcculls](https://github.com/mcculls))
- ✨ Migrate context extraction calls to context-first APIs
([#8368](DataDog/dd-trace-java#8368) -
[@PerfectSlayer](https://github.com/PerfectSlayer))
- 🧹 Migrate context injection calls to context-first APIs
([#8358](DataDog/dd-trace-java#8358) -
[@PerfectSlayer](https://github.com/PerfectSlayer))
- 💡 Support reading configurations from files
([#8338](DataDog/dd-trace-java#8338) -
[@mtoffl01](https://github.com/mtoffl01))
- 💡 Implementation of BaggagePropagator and BaggageContext
([#8330](DataDog/dd-trace-java#8330) -
[@mhlidd](https://github.com/mhlidd))
- 🧹 Combine continuation implementations into one which supports
multiple activations
([#8324](DataDog/dd-trace-java#8324) -
[@mcculls](https://github.com/mcculls))
- ✨ Introduce tracing propagator
([#8313](DataDog/dd-trace-java#8313) -
[@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Remove old context propagation API
([#8271](DataDog/dd-trace-java#8271) -
[@PerfectSlayer](https://github.com/PerfectSlayer))

##### Instrumentations

##### AWS Lambda instrumentation

- 🐛 Send error message and stack to Lambda extension
([#8417](DataDog/dd-trace-java#8417) -
[@nhulston](https://github.com/nhulston))

##### AWS SDK instrumentation

- 🐛 Fix error happening when sqs message attributes are readonly
([#8473](DataDog/dd-trace-java#8473) -
[@vandonr](https://github.com/vandonr))
- 💡 Inject trace context into AWS Step Functions input
([#7585](DataDog/dd-trace-java#7585) -
[@DylanLovesCoffee](https://github.com/DylanLovesCoffee))

##### Core Java language instrumentation

- ✨ Look in another location for grpc service methods
([#8468](DataDog/dd-trace-java#8468) -
[@evanchooly](https://github.com/evanchooly))
- ✨ Add code origin support for spring-webmvc
([#8416](DataDog/dd-trace-java#8416) -
[@evanchooly](https://github.com/evanchooly))
- 💡 Implementation of BaggagePropagator and BaggageContext
([#8330](DataDog/dd-trace-java#8330) -
[@mhlidd](https://github.com/mhlidd))
- ✨ Add code origin support to kafka message listeners
([#8301](DataDog/dd-trace-java#8301) -
[@evanchooly](https://github.com/evanchooly))

##### gRPC instrumentation

- ✨ Look in another location for grpc service methods
([#8468](DataDog/dd-trace-java#8468) -
[@evanchooly](https://github.com/evanchooly))

##### Kafka instrumentation

- ✨ Add messaging.destination.name tag to kafka integrations
([#8366](DataDog/dd-trace-java#8366) -
[@rarguelloF](https://github.com/rarguelloF))

##### Protocol Buffer instrumentation

- 🐛 Fix bug on proto schema extraction
([#8403](DataDog/dd-trace-java#8403) -
[@vandonr](https://github.com/vandonr))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: 108a0f86aa59ab4c938cbac0688dd4c19cb301fa