Exclude com.stripe.net.HttpURLConnectionClient to solve IAST SSRF vulnerability false positives

[jandro996]

What Does This Do

com.stripe.net.HttpURLConnectionClient excluded by the iast instrumenter

Motivation

Solve SSRF vulnerability false positives

Additional Notes

Contributor Checklist

• Format the title according the contribution guidelines
• Assign the type: and (comp: or inst:) labels in addition to any usefull labels
• Don't use close, fix or any linking keywords when referencing an issue.
  Use solves instead, and assign the PR milestone to the issue
• Update the public documentation in case of new configuration flag or behavior

Jira ticket: APPSEC-56641

[pr-commenter]

Benchmarks

Startup

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
end_time	2025-03-03T14:11:55	2025-03-03T14:19:49
git_branch	master	alejandro.gonzalez/stripe-ssrf-false-positive
git_commit_date	1741008234	1741010406
git_commit_sha	cb3fea1	aaa6f41
release_version	1.47.0-SNAPSHOT~cb3fea19b4	1.47.0-SNAPSHOT~aaa6f41e7b
start_time	2025-03-03T14:11:41	2025-03-03T14:19:35

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1741011995	1741011995
ci_job_id	829719004	829719004
ci_pipeline_id	57493869	57493869
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-8ksbllmc-project-304-concurrent-4-ayvy2ljt 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-8ksbllmc-project-304-concurrent-4-ayvy2ljt 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 18 unstable metrics.

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.47.0-SNAPSHOT~aaa6f41e7b, baseline=1.47.0-SNAPSHOT~cb3fea19b4
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.361 ms) : 1340, 1381
.   : milestone, 1361,
appsec (1.712 ms) : 1688, 1736
.   : milestone, 1712,
appsec_no_iast (1.704 ms) : 1680, 1727
.   : milestone, 1704,
code_origins (1.666 ms) : 1632, 1699
.   : milestone, 1666,
iast (1.53 ms) : 1505, 1555
.   : milestone, 1530,
profiling (1.527 ms) : 1501, 1553
.   : milestone, 1527,
tracing (1.498 ms) : 1475, 1522
.   : milestone, 1498,
section candidate
no_agent (1.338 ms) : 1318, 1358
.   : milestone, 1338,
appsec (1.727 ms) : 1702, 1752
.   : milestone, 1727,
appsec_no_iast (1.723 ms) : 1700, 1747
.   : milestone, 1723,
code_origins (1.693 ms) : 1660, 1725
.   : milestone, 1693,
iast (1.508 ms) : 1483, 1533
.   : milestone, 1508,
profiling (1.511 ms) : 1484, 1539
.   : milestone, 1511,
tracing (1.496 ms) : 1473, 1520
.   : milestone, 1496,

Loading

• baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.361 ms [1.34 ms, 1.381 ms]	-
appsec	1.712 ms [1.688 ms, 1.736 ms]	351.384 µs (25.8%)
appsec_no_iast	1.704 ms [1.68 ms, 1.727 ms]	342.768 µs (25.2%)
code_origins	1.666 ms [1.632 ms, 1.699 ms]	304.786 µs (22.4%)
iast	1.53 ms [1.505 ms, 1.555 ms]	169.057 µs (12.4%)
profiling	1.527 ms [1.501 ms, 1.553 ms]	166.157 µs (12.2%)
tracing	1.498 ms [1.475 ms, 1.522 ms]	137.663 µs (10.1%)

• candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.338 ms [1.318 ms, 1.358 ms]	-
appsec	1.727 ms [1.702 ms, 1.752 ms]	388.918 µs (29.1%)
appsec_no_iast	1.723 ms [1.7 ms, 1.747 ms]	385.297 µs (28.8%)
code_origins	1.693 ms [1.66 ms, 1.725 ms]	354.423 µs (26.5%)
iast	1.508 ms [1.483 ms, 1.533 ms]	169.987 µs (12.7%)
profiling	1.511 ms [1.484 ms, 1.539 ms]	173.354 µs (13.0%)
tracing	1.496 ms [1.473 ms, 1.52 ms]	158.138 µs (11.8%)

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.47.0-SNAPSHOT~aaa6f41e7b, baseline=1.47.0-SNAPSHOT~cb3fea19b4
    dateFormat X
    axisFormat %s
section baseline
no_agent (384.062 µs) : 364, 404
.   : milestone, 384,
iast (507.112 µs) : 485, 529
.   : milestone, 507,
iast_FULL (728.349 µs) : 706, 750
.   : milestone, 728,
iast_GLOBAL (562.236 µs) : 540, 585
.   : milestone, 562,
iast_HARDCODED_SECRET_DISABLED (516.1 µs) : 494, 538
.   : milestone, 516,
iast_INACTIVE (458.943 µs) : 437, 481
.   : milestone, 459,
iast_TELEMETRY_OFF (501.251 µs) : 478, 525
.   : milestone, 501,
tracing (451.591 µs) : 431, 472
.   : milestone, 452,
section candidate
no_agent (382.898 µs) : 363, 402
.   : milestone, 383,
iast (506.311 µs) : 484, 528
.   : milestone, 506,
iast_FULL (724.319 µs) : 702, 746
.   : milestone, 724,
iast_GLOBAL (554.92 µs) : 533, 577
.   : milestone, 555,
iast_HARDCODED_SECRET_DISABLED (515.805 µs) : 493, 538
.   : milestone, 516,
iast_INACTIVE (461.621 µs) : 440, 483
.   : milestone, 462,
iast_TELEMETRY_OFF (498.936 µs) : 477, 521
.   : milestone, 499,
tracing (454.93 µs) : 434, 476
.   : milestone, 455,

Loading

• baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	384.062 µs [364.138 µs, 403.985 µs]	-
iast	507.112 µs [485.463 µs, 528.762 µs]	123.051 µs (32.0%)
iast_FULL	728.349 µs [706.306 µs, 750.393 µs]	344.288 µs (89.6%)
iast_GLOBAL	562.236 µs [539.751 µs, 584.721 µs]	178.174 µs (46.4%)
iast_HARDCODED_SECRET_DISABLED	516.1 µs [494.165 µs, 538.035 µs]	132.038 µs (34.4%)
iast_INACTIVE	458.943 µs [437.114 µs, 480.773 µs]	74.882 µs (19.5%)
iast_TELEMETRY_OFF	501.251 µs [477.669 µs, 524.832 µs]	117.189 µs (30.5%)
tracing	451.591 µs [430.738 µs, 472.445 µs]	67.529 µs (17.6%)

• candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	382.898 µs [363.333 µs, 402.464 µs]	-
iast	506.311 µs [484.299 µs, 528.322 µs]	123.412 µs (32.2%)
iast_FULL	724.319 µs [702.146 µs, 746.493 µs]	341.421 µs (89.2%)
iast_GLOBAL	554.92 µs [532.6 µs, 577.239 µs]	172.021 µs (44.9%)
iast_HARDCODED_SECRET_DISABLED	515.805 µs [493.393 µs, 538.217 µs]	132.907 µs (34.7%)
iast_INACTIVE	461.621 µs [440.123 µs, 483.118 µs]	78.723 µs (20.6%)
iast_TELEMETRY_OFF	498.936 µs [476.953 µs, 520.92 µs]	116.038 µs (30.3%)
tracing	454.93 µs [433.543 µs, 476.317 µs]	72.032 µs (18.8%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/stripe-ssrf-false-positive
git_commit_date	1741008234	1741010406
git_commit_sha	cb3fea1	aaa6f41
release_version	1.47.0-SNAPSHOT~cb3fea19b4	1.47.0-SNAPSHOT~aaa6f41e7b

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1741012542	1741012542
ci_job_id	829719006	829719006
ci_pipeline_id	57493869	57493869
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-8ksbllmc-project-304-concurrent-6-h93kn7mf 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-8ksbllmc-project-304-concurrent-6-h93kn7mf 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
variant	appsec	appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.47.0-SNAPSHOT~aaa6f41e7b, baseline=1.47.0-SNAPSHOT~cb3fea19b4
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.315 s) : 15315000, 15315000
.   : milestone, 15315000,
appsec (14.758 s) : 14758000, 14758000
.   : milestone, 14758000,
iast (18.731 s) : 18731000, 18731000
.   : milestone, 18731000,
iast_GLOBAL (17.812 s) : 17812000, 17812000
.   : milestone, 17812000,
profiling (15.16 s) : 15160000, 15160000
.   : milestone, 15160000,
tracing (15.02 s) : 15020000, 15020000
.   : milestone, 15020000,
section candidate
no_agent (15.478 s) : 15478000, 15478000
.   : milestone, 15478000,
appsec (14.8 s) : 14800000, 14800000
.   : milestone, 14800000,
iast (18.79 s) : 18790000, 18790000
.   : milestone, 18790000,
iast_GLOBAL (17.975 s) : 17975000, 17975000
.   : milestone, 17975000,
profiling (14.936 s) : 14936000, 14936000
.   : milestone, 14936000,
tracing (14.812 s) : 14812000, 14812000
.   : milestone, 14812000,

Loading

• baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.315 s [15.315 s, 15.315 s]	-
appsec	14.758 s [14.758 s, 14.758 s]	-557.0 ms (-3.6%)
iast	18.731 s [18.731 s, 18.731 s]	3.416 s (22.3%)
iast_GLOBAL	17.812 s [17.812 s, 17.812 s]	2.497 s (16.3%)
profiling	15.16 s [15.16 s, 15.16 s]	-155.0 ms (-1.0%)
tracing	15.02 s [15.02 s, 15.02 s]	-295.0 ms (-1.9%)

• candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.478 s [15.478 s, 15.478 s]	-
appsec	14.8 s [14.8 s, 14.8 s]	-678.0 ms (-4.4%)
iast	18.79 s [18.79 s, 18.79 s]	3.312 s (21.4%)
iast_GLOBAL	17.975 s [17.975 s, 17.975 s]	2.497 s (16.1%)
profiling	14.936 s [14.936 s, 14.936 s]	-542.0 ms (-3.5%)
tracing	14.812 s [14.812 s, 14.812 s]	-666.0 ms (-4.3%)

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.47.0-SNAPSHOT~aaa6f41e7b, baseline=1.47.0-SNAPSHOT~cb3fea19b4
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.465 ms) : 1454, 1477
.   : milestone, 1465,
appsec (2.337 ms) : 2293, 2381
.   : milestone, 2337,
iast (2.111 ms) : 2056, 2166
.   : milestone, 2111,
iast_GLOBAL (2.156 ms) : 2100, 2211
.   : milestone, 2156,
profiling (1.967 ms) : 1923, 2010
.   : milestone, 1967,
tracing (1.939 ms) : 1897, 1981
.   : milestone, 1939,
section candidate
no_agent (1.473 ms) : 1461, 1484
.   : milestone, 1473,
appsec (2.336 ms) : 2292, 2380
.   : milestone, 2336,
iast (2.11 ms) : 2055, 2165
.   : milestone, 2110,
iast_GLOBAL (2.156 ms) : 2101, 2212
.   : milestone, 2156,
profiling (1.961 ms) : 1918, 2005
.   : milestone, 1961,
tracing (1.948 ms) : 1905, 1990
.   : milestone, 1948,

Loading

• baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.465 ms [1.454 ms, 1.477 ms]	-
appsec	2.337 ms [2.293 ms, 2.381 ms]	871.605 µs (59.5%)
iast	2.111 ms [2.056 ms, 2.166 ms]	645.76 µs (44.1%)
iast_GLOBAL	2.156 ms [2.1 ms, 2.211 ms]	690.099 µs (47.1%)
profiling	1.967 ms [1.923 ms, 2.01 ms]	501.354 µs (34.2%)
tracing	1.939 ms [1.897 ms, 1.981 ms]	473.714 µs (32.3%)

• candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.473 ms [1.461 ms, 1.484 ms]	-
appsec	2.336 ms [2.292 ms, 2.38 ms]	863.392 µs (58.6%)
iast	2.11 ms [2.055 ms, 2.165 ms]	637.09 µs (43.3%)
iast_GLOBAL	2.156 ms [2.101 ms, 2.212 ms]	683.332 µs (46.4%)
profiling	1.961 ms [1.918 ms, 2.005 ms]	488.629 µs (33.2%)
tracing	1.948 ms [1.905 ms, 1.99 ms]	474.728 µs (32.2%)