Fix vulnerability location org.jose4j.lang.HashUtil #8610

jandro996 · 2025-03-24T08:22:17Z

What Does This Do

Exclude org.jose4j.lang.HashUtil in iAST

Motivation

Additional Notes

Contributor Checklist

Format the title according the contribution guidelines
Assign the type: and (comp: or inst:) labels in addition to any usefull labels
Don't use close, fix or any linking keywords when referencing an issue.
Use solves instead, and assign the PR milestone to the issue
Update the public documentation in case of new configuration flag or behavior

Jira ticket: APPSEC-57044

smola

Edited title, since this is not really a false positive.

pr-commenter · 2025-03-24T10:44:55Z

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/APPSEC-57044-3
git_commit_date	1742825749	1742890741
git_commit_sha	`51813bd`	`75dd719`
release_version	1.48.0-SNAPSHOT~51813bdfcb	1.48.0-SNAPSHOT~75dd719733

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1742893635	1742893635
ci_job_id	862830767	862830767
ci_pipeline_id	59860040	59860040
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-jzzy7jrd-project-304-concurrent-0-mgy00x3f 6.8.0-1024-aws #26~22.04.1-Ubuntu SMP Wed Feb 19 06:54:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-jzzy7jrd-project-304-concurrent-0-mgy00x3f 6.8.0-1024-aws #26~22.04.1-Ubuntu SMP Wed Feb 19 06:54:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module	Agent	Agent
parent	None	None
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 66 metrics, 5 unstable metrics.

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.48.0-SNAPSHOT~75dd719733, baseline=1.48.0-SNAPSHOT~51813bdfcb

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.06 s) : 0, 1059736
Total [baseline] (10.481 s) : 0, 10481156
Agent [candidate] (1.052 s) : 0, 1051503
Total [candidate] (10.497 s) : 0, 10496923
section appsec
Agent [baseline] (1.194 s) : 0, 1194373
Total [baseline] (10.721 s) : 0, 10721142
Agent [candidate] (1.198 s) : 0, 1198238
Total [candidate] (10.801 s) : 0, 10800926
section iast
Agent [baseline] (1.18 s) : 0, 1179602
Total [baseline] (11.025 s) : 0, 11024884
Agent [candidate] (1.181 s) : 0, 1181473
Total [candidate] (11.043 s) : 0, 11043082
section profiling
Agent [baseline] (1.281 s) : 0, 1281175
Total [baseline] (10.858 s) : 0, 10857626
Agent [candidate] (1.274 s) : 0, 1273975
Total [candidate] (10.895 s) : 0, 10894605

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.06 s	-
Agent	appsec	1.194 s	134.638 ms (12.7%)
Agent	iast	1.18 s	119.866 ms (11.3%)
Agent	profiling	1.281 s	221.44 ms (20.9%)
Total	tracing	10.481 s	-
Total	appsec	10.721 s	239.986 ms (2.3%)
Total	iast	11.025 s	543.728 ms (5.2%)
Total	profiling	10.858 s	376.47 ms (3.6%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.052 s	-
Agent	appsec	1.198 s	146.735 ms (14.0%)
Agent	iast	1.181 s	129.97 ms (12.4%)
Agent	profiling	1.274 s	222.472 ms (21.2%)
Total	tracing	10.497 s	-
Total	appsec	10.801 s	304.003 ms (2.9%)
Total	iast	11.043 s	546.159 ms (5.2%)
Total	profiling	10.895 s	397.683 ms (3.8%)

gantt
    title petclinic - break down per module: candidate=1.48.0-SNAPSHOT~75dd719733, baseline=1.48.0-SNAPSHOT~51813bdfcb

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (726.014 ms) : 0, 726014
BytebuddyAgent [candidate] (720.555 ms) : 0, 720555
GlobalTracer [baseline] (241.965 ms) : 0, 241965
GlobalTracer [candidate] (240.523 ms) : 0, 240523
AppSec [baseline] (55.404 ms) : 0, 55404
AppSec [candidate] (54.891 ms) : 0, 54891
Debugger [baseline] (5.182 ms) : 0, 5182
Debugger [candidate] (5.202 ms) : 0, 5202
Remote Config [baseline] (718.973 µs) : 0, 719
Remote Config [candidate] (707.64 µs) : 0, 708
Telemetry [baseline] (14.263 ms) : 0, 14263
Telemetry [candidate] (13.577 ms) : 0, 13577
section appsec
BytebuddyAgent [baseline] (740.222 ms) : 0, 740222
BytebuddyAgent [candidate] (742.957 ms) : 0, 742957
GlobalTracer [baseline] (237.341 ms) : 0, 237341
GlobalTracer [candidate] (238.174 ms) : 0, 238174
AppSec [baseline] (176.116 ms) : 0, 176116
AppSec [candidate] (176.722 ms) : 0, 176722
Debugger [baseline] (4.32 ms) : 0, 4320
Debugger [candidate] (4.333 ms) : 0, 4333
Remote Config [baseline] (652.882 µs) : 0, 653
Remote Config [candidate] (654.152 µs) : 0, 654
Telemetry [baseline] (8.911 ms) : 0, 8911
Telemetry [candidate] (8.625 ms) : 0, 8625
IAST [baseline] (21.416 ms) : 0, 21416
IAST [candidate] (21.344 ms) : 0, 21344
section iast
BytebuddyAgent [baseline] (840.353 ms) : 0, 840353
BytebuddyAgent [candidate] (841.485 ms) : 0, 841485
GlobalTracer [baseline] (231.084 ms) : 0, 231084
GlobalTracer [candidate] (231.447 ms) : 0, 231447
AppSec [baseline] (55.877 ms) : 0, 55877
AppSec [candidate] (56.182 ms) : 0, 56182
Debugger [baseline] (4.177 ms) : 0, 4177
Debugger [candidate] (4.145 ms) : 0, 4145
Remote Config [baseline] (601.123 µs) : 0, 601
Remote Config [candidate] (589.504 µs) : 0, 590
Telemetry [baseline] (8.759 ms) : 0, 8759
Telemetry [candidate] (8.757 ms) : 0, 8757
IAST [baseline] (22.812 ms) : 0, 22812
IAST [candidate] (22.901 ms) : 0, 22901
section profiling
ProfilingAgent [baseline] (102.486 ms) : 0, 102486
ProfilingAgent [candidate] (102.383 ms) : 0, 102383
BytebuddyAgent [baseline] (716.046 ms) : 0, 716046
BytebuddyAgent [candidate] (711.31 ms) : 0, 711310
GlobalTracer [baseline] (352.186 ms) : 0, 352186
GlobalTracer [candidate] (351.25 ms) : 0, 351250
AppSec [baseline] (54.51 ms) : 0, 54510
AppSec [candidate] (53.504 ms) : 0, 53504
Debugger [baseline] (4.263 ms) : 0, 4263
Debugger [candidate] (4.262 ms) : 0, 4262
Remote Config [baseline] (701.167 µs) : 0, 701
Remote Config [candidate] (714.265 µs) : 0, 714
Telemetry [baseline] (8.899 ms) : 0, 8899
Telemetry [candidate] (8.933 ms) : 0, 8933
Profiling [baseline] (102.65 ms) : 0, 102650
Profiling [candidate] (102.409 ms) : 0, 102409

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.48.0-SNAPSHOT~75dd719733, baseline=1.48.0-SNAPSHOT~51813bdfcb

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.053 s) : 0, 1052914
Total [baseline] (8.716 s) : 0, 8715777
Agent [candidate] (1.058 s) : 0, 1058477
Total [candidate] (8.728 s) : 0, 8727993
section iast
Agent [baseline] (1.178 s) : 0, 1178077
Total [baseline] (9.224 s) : 0, 9223600
Agent [candidate] (1.181 s) : 0, 1180955
Total [candidate] (9.24 s) : 0, 9240379
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.181 s) : 0, 1180561
Total [baseline] (9.252 s) : 0, 9252194
Agent [candidate] (1.182 s) : 0, 1182261
Total [candidate] (9.233 s) : 0, 9233074
section iast_TELEMETRY_OFF
Agent [baseline] (1.174 s) : 0, 1173834
Total [baseline] (9.222 s) : 0, 9222105
Agent [candidate] (1.174 s) : 0, 1174221
Total [candidate] (9.225 s) : 0, 9224634

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.053 s	-
Agent	iast	1.178 s	125.164 ms (11.9%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.181 s	127.647 ms (12.1%)
Agent	iast_TELEMETRY_OFF	1.174 s	120.92 ms (11.5%)
Total	tracing	8.716 s	-
Total	iast	9.224 s	507.822 ms (5.8%)
Total	iast_HARDCODED_SECRET_DISABLED	9.252 s	536.417 ms (6.2%)
Total	iast_TELEMETRY_OFF	9.222 s	506.327 ms (5.8%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.058 s	-
Agent	iast	1.181 s	122.478 ms (11.6%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.182 s	123.784 ms (11.7%)
Agent	iast_TELEMETRY_OFF	1.174 s	115.744 ms (10.9%)
Total	tracing	8.728 s	-
Total	iast	9.24 s	512.387 ms (5.9%)
Total	iast_HARDCODED_SECRET_DISABLED	9.233 s	505.081 ms (5.8%)
Total	iast_TELEMETRY_OFF	9.225 s	496.641 ms (5.7%)

gantt
    title insecure-bank - break down per module: candidate=1.48.0-SNAPSHOT~75dd719733, baseline=1.48.0-SNAPSHOT~51813bdfcb

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (721.153 ms) : 0, 721153
BytebuddyAgent [candidate] (724.813 ms) : 0, 724813
GlobalTracer [baseline] (240.459 ms) : 0, 240459
GlobalTracer [candidate] (241.948 ms) : 0, 241948
AppSec [baseline] (54.862 ms) : 0, 54862
AppSec [candidate] (54.642 ms) : 0, 54642
Debugger [baseline] (4.429 ms) : 0, 4429
Debugger [candidate] (4.45 ms) : 0, 4450
Remote Config [baseline] (781.507 µs) : 0, 782
Remote Config [candidate] (718.49 µs) : 0, 718
Telemetry [baseline] (15.173 ms) : 0, 15173
Telemetry [candidate] (15.799 ms) : 0, 15799
section iast
BytebuddyAgent [baseline] (839.596 ms) : 0, 839596
BytebuddyAgent [candidate] (841.037 ms) : 0, 841037
GlobalTracer [baseline] (230.426 ms) : 0, 230426
GlobalTracer [candidate] (231.192 ms) : 0, 231192
IAST [baseline] (22.733 ms) : 0, 22733
IAST [candidate] (22.976 ms) : 0, 22976
AppSec [baseline] (55.852 ms) : 0, 55852
AppSec [candidate] (56.181 ms) : 0, 56181
Debugger [baseline] (4.13 ms) : 0, 4130
Debugger [candidate] (4.2 ms) : 0, 4200
Remote Config [baseline] (598.837 µs) : 0, 599
Remote Config [candidate] (605.829 µs) : 0, 606
Telemetry [baseline] (8.735 ms) : 0, 8735
Telemetry [candidate] (8.727 ms) : 0, 8727
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (840.533 ms) : 0, 840533
BytebuddyAgent [candidate] (841.476 ms) : 0, 841476
GlobalTracer [baseline] (230.592 ms) : 0, 230592
GlobalTracer [candidate] (231.686 ms) : 0, 231686
IAST [baseline] (23.154 ms) : 0, 23154
IAST [candidate] (23.092 ms) : 0, 23092
AppSec [baseline] (56.562 ms) : 0, 56562
AppSec [candidate] (56.377 ms) : 0, 56377
Debugger [baseline] (4.19 ms) : 0, 4190
Debugger [candidate] (4.182 ms) : 0, 4182
Remote Config [baseline] (610.034 µs) : 0, 610
Remote Config [candidate] (609.734 µs) : 0, 610
Telemetry [baseline] (8.832 ms) : 0, 8832
Telemetry [candidate] (8.817 ms) : 0, 8817
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (835.544 ms) : 0, 835544
BytebuddyAgent [candidate] (835.98 ms) : 0, 835980
GlobalTracer [baseline] (230.079 ms) : 0, 230079
GlobalTracer [candidate] (230.336 ms) : 0, 230336
IAST [baseline] (22.37 ms) : 0, 22370
IAST [candidate] (22.536 ms) : 0, 22536
AppSec [baseline] (56.347 ms) : 0, 56347
AppSec [candidate] (55.918 ms) : 0, 55918
Debugger [baseline] (4.167 ms) : 0, 4167
Debugger [candidate] (4.166 ms) : 0, 4166
Remote Config [baseline] (605.875 µs) : 0, 606
Remote Config [candidate] (608.339 µs) : 0, 608
Telemetry [baseline] (8.706 ms) : 0, 8706
Telemetry [candidate] (8.599 ms) : 0, 8599

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
end_time	2025-03-25T08:39:30	2025-03-25T08:47:13
git_branch	master	alejandro.gonzalez/APPSEC-57044-3
git_commit_date	1742825749	1742890741
git_commit_sha	`51813bd`	`75dd719`
release_version	1.48.0-SNAPSHOT~51813bdfcb	1.48.0-SNAPSHOT~75dd719733
start_time	2025-03-25T08:39:16	2025-03-25T08:46:59

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1742892830	1742892830
ci_job_id	862830768	862830768
ci_pipeline_id	59860040	59860040
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-5gca-jya-project-304-concurrent-0-d9w5xtrn 6.8.0-1024-aws #26~22.04.1-Ubuntu SMP Wed Feb 19 06:54:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-5gca-jya-project-304-concurrent-0-d9w5xtrn 6.8.0-1024-aws #26~22.04.1-Ubuntu SMP Wed Feb 19 06:54:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 14 metrics, 16 unstable metrics.

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.48.0-SNAPSHOT~75dd719733, baseline=1.48.0-SNAPSHOT~51813bdfcb
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.359 ms) : 1339, 1378
.   : milestone, 1359,
appsec (1.717 ms) : 1694, 1739
.   : milestone, 1717,
appsec_no_iast (1.73 ms) : 1707, 1753
.   : milestone, 1730,
code_origins (1.656 ms) : 1629, 1682
.   : milestone, 1656,
iast (1.514 ms) : 1490, 1539
.   : milestone, 1514,
profiling (1.521 ms) : 1498, 1544
.   : milestone, 1521,
tracing (1.496 ms) : 1471, 1520
.   : milestone, 1496,
section candidate
no_agent (1.346 ms) : 1327, 1365
.   : milestone, 1346,
appsec (1.732 ms) : 1708, 1756
.   : milestone, 1732,
appsec_no_iast (1.731 ms) : 1708, 1755
.   : milestone, 1731,
code_origins (1.672 ms) : 1644, 1700
.   : milestone, 1672,
iast (1.526 ms) : 1502, 1550
.   : milestone, 1526,
profiling (1.502 ms) : 1478, 1525
.   : milestone, 1502,
tracing (1.508 ms) : 1484, 1532
.   : milestone, 1508,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.359 ms [1.339 ms, 1.378 ms]	-
appsec	1.717 ms [1.694 ms, 1.739 ms]	358.021 µs (26.4%)
appsec_no_iast	1.73 ms [1.707 ms, 1.753 ms]	371.278 µs (27.3%)
code_origins	1.656 ms [1.629 ms, 1.682 ms]	296.875 µs (21.9%)
iast	1.514 ms [1.49 ms, 1.539 ms]	155.497 µs (11.4%)
profiling	1.521 ms [1.498 ms, 1.544 ms]	161.959 µs (11.9%)
tracing	1.496 ms [1.471 ms, 1.52 ms]	137.098 µs (10.1%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.346 ms [1.327 ms, 1.365 ms]	-
appsec	1.732 ms [1.708 ms, 1.756 ms]	386.125 µs (28.7%)
appsec_no_iast	1.731 ms [1.708 ms, 1.755 ms]	385.025 µs (28.6%)
code_origins	1.672 ms [1.644 ms, 1.7 ms]	325.741 µs (24.2%)
iast	1.526 ms [1.502 ms, 1.55 ms]	180.036 µs (13.4%)
profiling	1.502 ms [1.478 ms, 1.525 ms]	155.471 µs (11.5%)
tracing	1.508 ms [1.484 ms, 1.532 ms]	162.088 µs (12.0%)

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.48.0-SNAPSHOT~75dd719733, baseline=1.48.0-SNAPSHOT~51813bdfcb
    dateFormat X
    axisFormat %s
section baseline
no_agent (383.882 µs) : 364, 404
.   : milestone, 384,
iast (507.048 µs) : 485, 529
.   : milestone, 507,
iast_FULL (732.296 µs) : 710, 754
.   : milestone, 732,
iast_GLOBAL (557.405 µs) : 536, 579
.   : milestone, 557,
iast_HARDCODED_SECRET_DISABLED (511.48 µs) : 490, 533
.   : milestone, 511,
iast_INACTIVE (470.92 µs) : 450, 492
.   : milestone, 471,
iast_TELEMETRY_OFF (500.899 µs) : 479, 523
.   : milestone, 501,
tracing (461.048 µs) : 439, 483
.   : milestone, 461,
section candidate
no_agent (380.466 µs) : 359, 402
.   : milestone, 380,
iast (512.104 µs) : 490, 534
.   : milestone, 512,
iast_FULL (732.649 µs) : 711, 755
.   : milestone, 733,
iast_GLOBAL (556.431 µs) : 535, 578
.   : milestone, 556,
iast_HARDCODED_SECRET_DISABLED (509.447 µs) : 488, 531
.   : milestone, 509,
iast_INACTIVE (463.869 µs) : 443, 485
.   : milestone, 464,
iast_TELEMETRY_OFF (502.674 µs) : 480, 525
.   : milestone, 503,
tracing (451.943 µs) : 431, 473
.   : milestone, 452,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	383.882 µs [364.021 µs, 403.742 µs]	-
iast	507.048 µs [485.495 µs, 528.601 µs]	123.167 µs (32.1%)
iast_FULL	732.296 µs [710.307 µs, 754.285 µs]	348.414 µs (90.8%)
iast_GLOBAL	557.405 µs [535.977 µs, 578.834 µs]	173.524 µs (45.2%)
iast_HARDCODED_SECRET_DISABLED	511.48 µs [489.948 µs, 533.012 µs]	127.598 µs (33.2%)
iast_INACTIVE	470.92 µs [449.502 µs, 492.338 µs]	87.038 µs (22.7%)
iast_TELEMETRY_OFF	500.899 µs [478.998 µs, 522.8 µs]	117.018 µs (30.5%)
tracing	461.048 µs [439.474 µs, 482.622 µs]	77.166 µs (20.1%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	380.466 µs [358.811 µs, 402.121 µs]	-
iast	512.104 µs [490.233 µs, 533.976 µs]	131.638 µs (34.6%)
iast_FULL	732.649 µs [710.678 µs, 754.619 µs]	352.183 µs (92.6%)
iast_GLOBAL	556.431 µs [534.96 µs, 577.903 µs]	175.965 µs (46.2%)
iast_HARDCODED_SECRET_DISABLED	509.447 µs [487.689 µs, 531.205 µs]	128.981 µs (33.9%)
iast_INACTIVE	463.869 µs [442.766 µs, 484.972 µs]	83.403 µs (21.9%)
iast_TELEMETRY_OFF	502.674 µs [480.437 µs, 524.911 µs]	122.208 µs (32.1%)
tracing	451.943 µs [431.305 µs, 472.58 µs]	71.477 µs (18.8%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/APPSEC-57044-3
git_commit_date	1742825749	1742890741
git_commit_sha	`51813bd`	`75dd719`
release_version	1.48.0-SNAPSHOT~51813bdfcb	1.48.0-SNAPSHOT~75dd719733

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1742893312	1742893312
ci_job_id	862830769	862830769
ci_pipeline_id	59860040	59860040
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-jzzy7jrd-project-304-concurrent-1-834ygnfu 6.8.0-1024-aws #26~22.04.1-Ubuntu SMP Wed Feb 19 06:54:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-jzzy7jrd-project-304-concurrent-1-834ygnfu 6.8.0-1024-aws #26~22.04.1-Ubuntu SMP Wed Feb 19 06:54:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
variant	appsec	appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.48.0-SNAPSHOT~75dd719733, baseline=1.48.0-SNAPSHOT~51813bdfcb
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.471 ms) : 1460, 1483
.   : milestone, 1471,
appsec (2.34 ms) : 2297, 2384
.   : milestone, 2340,
iast (2.128 ms) : 2072, 2183
.   : milestone, 2128,
iast_GLOBAL (2.173 ms) : 2117, 2229
.   : milestone, 2173,
profiling (1.982 ms) : 1938, 2027
.   : milestone, 1982,
tracing (1.956 ms) : 1913, 1998
.   : milestone, 1956,
section candidate
no_agent (1.48 ms) : 1468, 1491
.   : milestone, 1480,
appsec (2.335 ms) : 2292, 2379
.   : milestone, 2335,
iast (2.124 ms) : 2069, 2179
.   : milestone, 2124,
iast_GLOBAL (2.163 ms) : 2108, 2219
.   : milestone, 2163,
profiling (1.973 ms) : 1929, 2017
.   : milestone, 1973,
tracing (1.951 ms) : 1909, 1994
.   : milestone, 1951,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.471 ms [1.46 ms, 1.483 ms]	-
appsec	2.34 ms [2.297 ms, 2.384 ms]	868.928 µs (59.1%)
iast	2.128 ms [2.072 ms, 2.183 ms]	656.419 µs (44.6%)
iast_GLOBAL	2.173 ms [2.117 ms, 2.229 ms]	701.823 µs (47.7%)
profiling	1.982 ms [1.938 ms, 2.027 ms]	511.232 µs (34.7%)
tracing	1.956 ms [1.913 ms, 1.998 ms]	484.357 µs (32.9%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.48 ms [1.468 ms, 1.491 ms]	-
appsec	2.335 ms [2.292 ms, 2.379 ms]	855.534 µs (57.8%)
iast	2.124 ms [2.069 ms, 2.179 ms]	644.186 µs (43.5%)
iast_GLOBAL	2.163 ms [2.108 ms, 2.219 ms]	683.394 µs (46.2%)
profiling	1.973 ms [1.929 ms, 2.017 ms]	492.977 µs (33.3%)
tracing	1.951 ms [1.909 ms, 1.994 ms]	471.416 µs (31.9%)

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.48.0-SNAPSHOT~75dd719733, baseline=1.48.0-SNAPSHOT~51813bdfcb
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.505 s) : 15505000, 15505000
.   : milestone, 15505000,
appsec (14.967 s) : 14967000, 14967000
.   : milestone, 14967000,
iast (18.304 s) : 18304000, 18304000
.   : milestone, 18304000,
iast_GLOBAL (17.464 s) : 17464000, 17464000
.   : milestone, 17464000,
profiling (15.075 s) : 15075000, 15075000
.   : milestone, 15075000,
tracing (15.086 s) : 15086000, 15086000
.   : milestone, 15086000,
section candidate
no_agent (14.883 s) : 14883000, 14883000
.   : milestone, 14883000,
appsec (14.772 s) : 14772000, 14772000
.   : milestone, 14772000,
iast (19.248 s) : 19248000, 19248000
.   : milestone, 19248000,
iast_GLOBAL (17.669 s) : 17669000, 17669000
.   : milestone, 17669000,
profiling (15.244 s) : 15244000, 15244000
.   : milestone, 15244000,
tracing (15.295 s) : 15295000, 15295000
.   : milestone, 15295000,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.505 s [15.505 s, 15.505 s]	-
appsec	14.967 s [14.967 s, 14.967 s]	-538.0 ms (-3.5%)
iast	18.304 s [18.304 s, 18.304 s]	2.799 s (18.1%)
iast_GLOBAL	17.464 s [17.464 s, 17.464 s]	1.959 s (12.6%)
profiling	15.075 s [15.075 s, 15.075 s]	-430.0 ms (-2.8%)
tracing	15.086 s [15.086 s, 15.086 s]	-419.0 ms (-2.7%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	14.883 s [14.883 s, 14.883 s]	-
appsec	14.772 s [14.772 s, 14.772 s]	-111.0 ms (-0.7%)
iast	19.248 s [19.248 s, 19.248 s]	4.365 s (29.3%)
iast_GLOBAL	17.669 s [17.669 s, 17.669 s]	2.786 s (18.7%)
profiling	15.244 s [15.244 s, 15.244 s]	361.0 ms (2.4%)
tracing	15.295 s [15.295 s, 15.295 s]	412.0 ms (2.8%)

| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | org.flywaydb.flyway | plugin | misk/gradle/libs.versions.toml | gradle | minor | `11.6.0` -> `11.7.0` | | [com.squareup.okio:okio-fakefilesystem](https://github.com/square/okio) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `3.10.2` -> `3.11.0` | | [com.squareup.okio:okio](https://github.com/square/okio) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `3.10.2` -> `3.11.0` | | [com.autonomousapps.dependency-analysis](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin) | plugin | misk/gradle/libs.versions.toml | gradle | minor | `2.15.0` -> `2.16.0` | | [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.47.3` -> `1.48.1` | | [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.47.3` -> `1.48.1` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.18` -> `2.31.20` | | [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.18` -> `2.31.20` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.18` -> `2.31.20` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.18` -> `2.31.20` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.18` -> `2.31.20` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.18` -> `2.31.20` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.18` -> `2.31.20` | --- ### Release Notes <details> <summary>square/okio (com.squareup.okio:okio-fakefilesystem)</summary> ### [`v3.11.0`](https://github.com/square/okio/blob/HEAD/CHANGELOG.md#Version-3110) *2025-04-09* - Fix: Clear the deflater's byte array reference - New: Faster implementation of `String.decodeHex()` on Kotlin/JS. - New: Declare `EXACTLY_ONCE` execution for blocks like `Closeable.use {}` and `FileSystem.read {}`. - Upgrade: \[Kotlin 2.1.20]\[kotlin\_2\_1\_20]. </details> <details> <summary>autonomousapps/dependency-analysis-android-gradle-plugin (com.autonomousapps.dependency-analysis)</summary> ### [`v2.16.0`](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin/blob/HEAD/CHANGELOG.md#Version-2160) - \[Feat]: support `com.android.test` projects. - \[Feat]: support typesafe project accessors with opt-in. ```kotlin dependencyAnalysis { useTypesafeProjectAccessors(true) // false by default } ``` </details> <details> <summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary> ### [`v1.48.1`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.48.1): 1.48.1 ### Components #### Tracer internal logging - 🐛 Remove print line causing unnecessary logs ([#8687](DataDog/dd-trace-java#8687) - [@sarahchen6](https://github.com/sarahchen6)) ### [`v1.48.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.48.0): 1.48.0 ### Known Bugs > \[!NOTE] > If you are experiencing issues with spamming timeout logs, please update to the [latest version](https://github.com/DataDog/dd-trace-java/releases/latest) or set [JDK_SOCKET_ENABLED](https://github.com/DataDog/dd-trace-java/blob/33fc3c9a9b7cda3beda88b8b3e5224ae2b10764a/dd-trace-api/src/main/java/datadog/trace/api/config/GeneralConfig.java#L98) to false. ### Components #### Application Security Management (IAST) - ✨ Fix vulnerability location org.jose4j.lang.HashUtil ([#8610](DataDog/dd-trace-java#8610) - [@jandro996](https://github.com/jandro996)) - ✨ Fix weak randomness in oracle.ucp.util.OpaqueString ([#8609](DataDog/dd-trace-java#8609) - [@jandro996](https://github.com/jandro996)) - ✨ Fix weak hash false positive in oracle.security.o5logon.O5Logon ([#8608](DataDog/dd-trace-java#8608) - [@jandro996](https://github.com/jandro996)) - 🐛 Prevent before callsites targeting constructors in super calls ([#8549](DataDog/dd-trace-java#8549) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Application Security Management (WAF) - ✨ Update login events public SDK to V2 ([#8620](DataDog/dd-trace-java#8620) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - 🐛 Send RASP LFI capability only when AppSec is statically enabled ([#8573](DataDog/dd-trace-java#8573) - [@jandro996](https://github.com/jandro996)) - ✨ Improve detection of missing request end events ([#8510](DataDog/dd-trace-java#8510) - [@smola](https://github.com/smola)) - 🧹 Remove remote configuration for API Security sampling rate ([#8486](DataDog/dd-trace-java#8486) - [@smola](https://github.com/smola)) - ✨ Add setUser to user monitoring SDK ([#8482](DataDog/dd-trace-java#8482) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Add missing address for signup event ([#8469](DataDog/dd-trace-java#8469) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Allow login events SDK to be used with appsec disabled ([#8464](DataDog/dd-trace-java#8464) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Add support for endpoint discovery in spring mvc ([#8352](DataDog/dd-trace-java#8352) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ New API Security sampling algorithm ([#8178](DataDog/dd-trace-java#8178) - [@ValentinZakharov](https://github.com/ValentinZakharov)) #### Build & Tooling - ✨ Add buffer size customizability to JDK UDS support ([#8629](DataDog/dd-trace-java#8629) - [@sarahchen6](https://github.com/sarahchen6)) - ✨ Add JDK built-in support for UDS on Java 16+ ([#8314](DataDog/dd-trace-java#8314) - [@sarahchen6](https://github.com/sarahchen6)) #### Configuration at Runtime - 🐛 Send RASP LFI capability only when AppSec is statically enabled ([#8573](DataDog/dd-trace-java#8573) - [@jandro996](https://github.com/jandro996)) #### Continuous Integration Visibility - 🐛 Prevent double reporting of Scalatest events when using SBT with test forking ([#8682](DataDog/dd-trace-java#8682) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - 🐛 Shutdown CI Visibility test event handlers before tracer ([#8677](DataDog/dd-trace-java#8677) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - 🐛 Do not apply JUnit 4 instrumentation to MUnit runners ([#8675](DataDog/dd-trace-java#8675), [#8683](DataDog/dd-trace-java#8683) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Remove error log when source path resolution fails on isModified check ([#8663](DataDog/dd-trace-java#8663) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Implement tests reordering for JUnit 4 ([#8650](DataDog/dd-trace-java#8650) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - 🐛 Set default Attempt to Fix retries if none provided from the backend ([#8615](DataDog/dd-trace-java#8615) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Allow to manually set PR info ([#8566](DataDog/dd-trace-java#8566) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - 🐛 Fix Test Optimization init when repo root cannot be determined ([#8533](DataDog/dd-trace-java#8533) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Add capabilities tagging ([#8499](DataDog/dd-trace-java#8499), [#8540](DataDog/dd-trace-java#8540) - [@daniel-mohedano](https://github.com/daniel-mohedano)) #### Crash tracking - 🐛 Remove dependency on bash from crash/oome uploder scripts ([#8652](DataDog/dd-trace-java#8652) - [@jbachorik](https://github.com/jbachorik)) #### Data Streams Monitoring - ✨ e2e pipeline configuration when data jobs is enabled ([#8553](DataDog/dd-trace-java#8553) - [@kr-igor](https://github.com/kr-igor)) #### Dynamic Instrumentation - 🐛 Fix In-Product when config is empty ([#8679](DataDog/dd-trace-java#8679) - [@jpbempel](https://github.com/jpbempel)) - ✨ Add support for filtering shaded third-party libs ([#8612](DataDog/dd-trace-java#8612) - [@jpbempel](https://github.com/jpbempel)) - ✨ Add In-Product Enablement ([#8587](DataDog/dd-trace-java#8587) - [@jpbempel](https://github.com/jpbempel)) - ✨⚡ Reduce footprint of SourceFile tracking ([#8524](DataDog/dd-trace-java#8524) - [@jpbempel](https://github.com/jpbempel)) - ✨⚡ Optimize the SourceFile tracking ([#8520](DataDog/dd-trace-java#8520) - [@jpbempel](https://github.com/jpbempel)) #### OpenTracing - 🧹 Remove activeScope() use in OpenTracing shim ([#8478](DataDog/dd-trace-java#8478) - [@mcculls](https://github.com/mcculls)) #### Profiling - ✨ Add profiler env check command to AgentCLI ([#8671](DataDog/dd-trace-java#8671) - [@jbachorik](https://github.com/jbachorik)) - ✨ Bump ddprof to 1.23.0 ([#8668](DataDog/dd-trace-java#8668) - [@jbachorik](https://github.com/jbachorik)) - Fix a crash related to ElfParser::loadSymbolTable ([#191](DataDog/dd-trace-java#191)) by [@yanglong1010](https://github.com/yanglong1010) in DataDog/java-profiler#192 - Unwind String.indexOf intrinsic on AArch64 by [@MattAlp](https://github.com/MattAlp) in DataDog/java-profiler#193 - Fix Java 24 support by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#194 - A set of fixes related to clang, aarch64 and musl pecularities of vmstructs stack unwinder by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#199 - 🐛 Remove process information from JFR recording ([#8661](DataDog/dd-trace-java#8661) - [@r1viollet](https://github.com/r1viollet)) - 🐛 Make TempLocationManager USER aware ([#8605](DataDog/dd-trace-java#8605) - [@jbachorik](https://github.com/jbachorik)) - ✨ Extract git tags from embedded git.properties and datadog_git.properties ([#8561](DataDog/dd-trace-java#8561) - [@wmouchere](https://github.com/wmouchere)) #### Telemetry - 🐛 Fix appsec.rasp.error and appsec.waf.error telemetry metrics ([#8624](DataDog/dd-trace-java#8624) - [@jandro996](https://github.com/jandro996)) - ✨ Create metric: appsec.rasp.rule.skipped ([#8618](DataDog/dd-trace-java#8618) - [@jandro996](https://github.com/jandro996)) - ✨ Extract git tags from embedded git.properties and datadog_git.properties ([#8561](DataDog/dd-trace-java#8561) - [@wmouchere](https://github.com/wmouchere)) #### Testing - 🧹 Simplify ssi tests one-pipeline ([#8558](DataDog/dd-trace-java#8558) - [@robertomonteromiguel](https://github.com/robertomonteromiguel)) - ✨ Add smoke tests for java's concurrent API ([#8438](DataDog/dd-trace-java#8438) - [@sarahchen6](https://github.com/sarahchen6)) #### Trace context propagation - ✨ Adding Support for `TRACE_PROPAGATION_BEHAVIOR_EXTRACT` ([#8535](DataDog/dd-trace-java#8535) - [@mhlidd](https://github.com/mhlidd)) #### Tracer core - 🐛 Ensure shaded helpers have unique names ([#8559](DataDog/dd-trace-java#8559) - [@amarziali](https://github.com/amarziali)) - ✨ Support common config sources for user-provided git info ([#8547](DataDog/dd-trace-java#8547) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Make the default config sources more robust when a security manager is installed ([#8544](DataDog/dd-trace-java#8544) - [@mcculls](https://github.com/mcculls)) - ✨ Support targeting services with configurations in stable configuration file ([#8526](DataDog/dd-trace-java#8526) - [@mtoffl01](https://github.com/mtoffl01)) - ✨ Add new parser for `DD_TAGS` and prioritizing `DD_SERVICE` ([#8296](DataDog/dd-trace-java#8296) - [@mhlidd](https://github.com/mhlidd)) #### Tracer internal logging - 🐛 Add missing debug log for the cloudPayloadTaggingServices config ([#8600](DataDog/dd-trace-java#8600) - [@ygree](https://github.com/ygree)) - ✨ Add the possibility to output the logs of the Java tracer in JSON ([#8083](DataDog/dd-trace-java#8083) - [@cecile75](https://github.com/cecile75)) #### Tracer public API - ✨ Introducing `DD_TRACE_EXPERIMENTAL_FEATURES_ENABLED` Config ([#8536](DataDog/dd-trace-java#8536) - [@mhlidd](https://github.com/mhlidd)) - ✨ Config Consistency Round 2 ([#8489](DataDog/dd-trace-java#8489) - [@mhlidd](https://github.com/mhlidd)) ### Instrumentations #### - 🐛 Fix NPE in getMdcCopy of LoggingEventInstrumentation ([#8599](DataDog/dd-trace-java#8599) - [@ygree](https://github.com/ygree)) #### Apache Spark instrumentation - ✨ Instrument Runtime.exit() to finish spark application spans ([#8572](DataDog/dd-trace-java#8572) - [@paul-laffon-dd](https://github.com/paul-laffon-dd)) - ✨ Configure OpenLineage if present in Spark instrumentation ([#8541](DataDog/dd-trace-java#8541) - [@mobuchowski](https://github.com/mobuchowski)) #### Armeria Instrumentation - ✨ Support armeria grpc 1.32.3 ([#8606](DataDog/dd-trace-java#8606) - [@github-actions](https://github.com/github-actions)\[bot]) #### AWS DynamoDB Instrumentation - ✨ Create DynamoDB instrumentation + add span pointers for `updateItem` and `deleteItem` ([#8490](DataDog/dd-trace-java#8490) - [@nhulston](https://github.com/nhulston)) #### AWS SDK instrumentation - ✨ Add DynamoDB in DEFAULT_TRACE_CLOUD_PAYLOAD_TAGGING_SERVICES ([#8595](DataDog/dd-trace-java#8595) - [@joeyzhao2018](https://github.com/joeyzhao2018)) #### Azure Functions instrumentation - ✨ Enable tracer computed trace metrics by default for Azure Functions ([#8518](DataDog/dd-trace-java#8518) - [@duncanpharvey](https://github.com/duncanpharvey)) - 💡 Add azure-functions instrumentation ([#8432](DataDog/dd-trace-java#8432) - [@duncanpharvey](https://github.com/duncanpharvey)) #### Core Java language instrumentation - 🐛 Fix ForkJoinPool.execute() instrumentation on Java 21+ ([#8560](DataDog/dd-trace-java#8560) - [@PerfectSlayer](https://github.com/PerfectSlayer)) #### Eclipse Vert.x instrumentation - ✨ Add vertx postgresql client instrumentation ([#8471](DataDog/dd-trace-java#8471) - [@vandonr](https://github.com/vandonr) - thanks for the contribution!) #### Kafka instrumentation - ✨ Support and test kafka-clients 4 ([#8581](DataDog/dd-trace-java#8581) - [@amarziali](https://github.com/amarziali)) #### Kotlin instrumentation - ✨ Avoid disconnected traces when using Kotlin flowOn ([#8651](DataDog/dd-trace-java#8651) - [@mcculls](https://github.com/mcculls)) #### OpenTelemetry instrumentation - 🧹 Migrate OtelContext wrapper to new internal Context API ([#8645](DataDog/dd-trace-java#8645) - [@mcculls](https://github.com/mcculls)) #### Spring instrumentation - 🐛 Support CompletableFuture on spring webmvc controllers ([#8659](DataDog/dd-trace-java#8659) - [@amarziali](https://github.com/amarziali)) - ✨ Add support for endpoint discovery in spring mvc ([#8352](DataDog/dd-trace-java#8352) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### WebSocket Instrumentation - ✨ Instrument Jetty websocket pojo ([#8562](DataDog/dd-trace-java#8562) - [@amarziali](https://github.com/amarziali)) - 💡 Instrument Java Websocket API (JSR356) ([#8440](DataDog/dd-trace-java#8440) - [@amarziali](https://github.com/amarziali)) #### All other instrumentations - ✨ Introduce cache for peer.hostname lookup ([#8601](DataDog/dd-trace-java#8601) - [@mcculls](https://github.com/mcculls)) - ✨ Support pekko http 1.1 ([#8532](DataDog/dd-trace-java#8532) - [@amarziali](https://github.com/amarziali)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: 331314f71acaced3adc75ea5d7e855c248d593fc

Exclude org.jose4j.lang.HashUtil

d1d1b3b

jandro996 added type: enhancement comp: asm iast Application Security Management (IAST) labels Mar 24, 2025

jandro996 requested a review from a team as a code owner March 24, 2025 08:22

jandro996 requested review from robertpi, manuel-alvarez-alvarez and smola March 24, 2025 08:22

smola changed the title ~~Fix weak hash false positive in org.jose4j.lang.HashUtil~~ Fix vulnerability location org.jose4j.lang.HashUtil Mar 24, 2025

smola approved these changes Mar 24, 2025

View reviewed changes

manuel-alvarez-alvarez approved these changes Mar 24, 2025

View reviewed changes

Merge branch 'master' into alejandro.gonzalez/APPSEC-57044-3

d821692

jandro996 added 3 commits March 24, 2025 12:18

Merge branch 'master' into alejandro.gonzalez/APPSEC-57044-3

0e4b631

Merge branch 'master' into alejandro.gonzalez/APPSEC-57044-3

fdf454f

Merge branch 'master' into alejandro.gonzalez/APPSEC-57044-3

75dd719

jandro996 added this to the 1.48.0 milestone Mar 25, 2025

jandro996 merged commit 06605d7 into master Mar 25, 2025
246 of 269 checks passed

jandro996 deleted the alejandro.gonzalez/APPSEC-57044-3 branch March 25, 2025 11:42

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix vulnerability location org.jose4j.lang.HashUtil #8610

Fix vulnerability location org.jose4j.lang.HashUtil #8610

jandro996 commented Mar 24, 2025 •

edited by jira bot

Loading

smola left a comment

pr-commenter bot commented Mar 24, 2025 •

edited

Loading

Fix vulnerability location org.jose4j.lang.HashUtil #8610

Fix vulnerability location org.jose4j.lang.HashUtil #8610

Conversation

jandro996 commented Mar 24, 2025 • edited by jira bot Loading

What Does This Do

Motivation

Additional Notes

Contributor Checklist

smola left a comment

Choose a reason for hiding this comment

pr-commenter bot commented Mar 24, 2025 • edited Loading

Benchmarks

Startup

Parameters

Summary

Load

Parameters

Summary

Dacapo

Parameters

Summary

jandro996 commented Mar 24, 2025 •

edited by jira bot

Loading

pr-commenter bot commented Mar 24, 2025 •

edited

Loading