DataDog · sezen-datadog · Feb 4, 2025 · Feb 4, 2025 · Feb 5, 2025 · Feb 5, 2025
@@ -36,7 +36,8 @@ instrumentation_modules: &instrumentation_modules "dd-java-agent/instrumentation
 debugger_modules: &debugger_modules "dd-java-agent/agent-debugger|dd-java-agent/agent-bootstrap|dd-java-agent/agent-builder|internal-api|communication|dd-trace-core"
 profiling_modules: &profiling_modules "dd-java-agent/agent-profiling"
 
-default_system_tests_commit: &default_system_tests_commit 35bb7f9753dc82b7c8e4a8276bf6f0ccad0e5dc3
+default_system_tests_commit: &default_system_tests_commit d2064ebdcf7c6bd1ace2a6efb8fca6fa1a4e7c34
+
 
 parameters:
   nightly:

@@ -1,5 +1,6 @@
 package com.datadog.iast.model;
 
+import com.squareup.moshi.Json;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import javax.annotation.Nullable;
 
@@ -15,45 +16,52 @@ public final class Location {
 
   @Nullable private transient String serviceName;
 
+  @Nullable
+  @Json(name = "class")
+  private final String className;
+
   private Location(
       @Nullable final Long spanId,
       @Nullable final String path,
       final int line,
+      @Nullable final String className,
       @Nullable final String method,
       @Nullable final String serviceName) {
     this.spanId = spanId;
     this.path = path;
     this.line = line;
     this.method = method;
     this.serviceName = serviceName;
+    this.className = className;
   }
 
   public static Location forSpanAndStack(
       @Nullable final AgentSpan span, final StackTraceElement stack) {
     return new Location(
         spanId(span),
-        stack.getClassName(),
+        stack.getFileName(),
         stack.getLineNumber(),
+        stack.getClassName(),
         stack.getMethodName(),
         serviceName(span));
   }
 
   public static Location forSpanAndClassAndMethod(
       @Nullable final AgentSpan span, final String clazz, final String method) {
-    return new Location(spanId(span), clazz, -1, method, serviceName(span));
+    return new Location(spanId(span), null, -1, clazz, method, serviceName(span));
   }
 
   public static Location forSpanAndFileAndLine(
       @Nullable final AgentSpan span, final String file, final int line) {
-    return new Location(spanId(span), file, line, null, serviceName(span));
+    return new Location(spanId(span), file, line, null, null, serviceName(span));
   }
 
   public static Location forSpan(@Nullable final AgentSpan span) {
-    return new Location(spanId(span), null, -1, null, serviceName(span));
+    return new Location(spanId(span), null, -1, null, null, serviceName(span));
   }
 
   public static Location forClassAndMethodAndLine(String clazz, String method, int currentLine) {
-    return new Location(null, clazz, currentLine, method, null);
+    return new Location(null, null, currentLine, clazz, method, null);
   }
 
   public long getSpanId() {
@@ -79,6 +87,11 @@ public String getServiceName() {
     return serviceName;
   }
 
+  @Nullable
+  public String getClassName() {
+    return className;
+  }
+
   public void updateSpan(@Nullable final AgentSpan span) {
     if (span != null) {
       this.spanId = span.getSpanId();

@@ -31,15 +31,9 @@ public interface VulnerabilityType {
   VulnerabilityType WEAK_HASH =
       type(VulnerabilityTypes.WEAK_HASH).excludedSources(Builder.DB_EXCLUDED).build();
   VulnerabilityType INSECURE_COOKIE =
-      type(VulnerabilityTypes.INSECURE_COOKIE)
-          .hash(VulnerabilityType::fileAndLineHash)
-          .excludedSources(Builder.DB_EXCLUDED)
-          .build();
+      type(VulnerabilityTypes.INSECURE_COOKIE).excludedSources(Builder.DB_EXCLUDED).build();
   VulnerabilityType NO_HTTPONLY_COOKIE =
-      type(VulnerabilityTypes.NO_HTTPONLY_COOKIE)
-          .hash(VulnerabilityType::fileAndLineHash)
-          .excludedSources(Builder.DB_EXCLUDED)
-          .build();
+      type(VulnerabilityTypes.NO_HTTPONLY_COOKIE).excludedSources(Builder.DB_EXCLUDED).build();
   VulnerabilityType HSTS_HEADER_MISSING =
       type(VulnerabilityTypes.HSTS_HEADER_MISSING)
           .hash(VulnerabilityType::serviceHash)
@@ -51,10 +45,7 @@ public interface VulnerabilityType {
           .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType NO_SAMESITE_COOKIE =
-      type(VulnerabilityTypes.NO_SAMESITE_COOKIE)
-          .hash(VulnerabilityType::fileAndLineHash)
-          .excludedSources(Builder.DB_EXCLUDED)
-          .build();
+      type(VulnerabilityTypes.NO_SAMESITE_COOKIE).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType SQL_INJECTION =
       type(VulnerabilityTypes.SQL_INJECTION).mark(SQL_INJECTION_MARK).build();
@@ -292,7 +283,7 @@ class Builder {
     private boolean deduplicable = true;
     private BitSet excludedSources = new BitSet();
     private BiFunction<VulnerabilityType, Vulnerability, Long> hash =
-        VulnerabilityType::fileAndLineHash;
+        VulnerabilityType::classAndLineHash;
 
     public Builder(byte type) {
       this.type = type;
@@ -328,14 +319,14 @@ public VulnerabilityType build() {
     }
   }
 
-  static long fileAndLineHash(final VulnerabilityType type, final Vulnerability vulnerability) {
+  static long classAndLineHash(final VulnerabilityType type, final Vulnerability vulnerability) {
     CRC32 crc = new CRC32();
     update(crc, type.name());
     final Location location = vulnerability.getLocation();
     if (location != null) {
       crc.update(location.getLine());
-      if (location.getPath() != null) {
-        update(crc, location.getPath());
+      if (location.getClassName() != null) {
+        update(crc, location.getClassName());
       }
       if (location.getLine() <= -1 && location.getMethod() != null) {
         update(crc, location.getMethod());

@@ -56,7 +56,7 @@ class ReporterTest extends DDSpecification {
 
     final v = new Vulnerability(
       VulnerabilityType.WEAK_HASH,
-      Location.forSpanAndStack(span, new StackTraceElement("foo", "foo", "foo", 1)),
+      Location.forSpanAndStack(span, new StackTraceElement("foo", "foo", "fooPath", 1)),
       new Evidence("MD5")
       )
 
@@ -76,8 +76,9 @@ class ReporterTest extends DDSpecification {
           "location": {
             "spanId":123456,
             "line":1,
-            "path": "foo",
-            "method": "foo"
+            "path": "fooPath",
+            "method": "foo",
+            "class": "foo"
           },
           "stackId":"1",
           "type":"WEAK_HASH"
@@ -109,7 +110,7 @@ class ReporterTest extends DDSpecification {
 
     final v = new Vulnerability(
       VulnerabilityType.WEAK_HASH,
-      Location.forSpanAndStack(span, new StackTraceElement("foo", "foo", "foo", 1)),
+      Location.forSpanAndStack(span, new StackTraceElement("foo", "foo", "fooPath", 1)),
       new Evidence("MD5")
       )
 
@@ -127,8 +128,9 @@ class ReporterTest extends DDSpecification {
           "location": {
             "spanId":123456,
             "line":1,
-            "path": "foo",
-            "method": "foo"
+            "path": "fooPath",
+            "method": "foo",
+            "class": "foo"
           },
           "type":"WEAK_HASH"
         }
@@ -155,12 +157,12 @@ class ReporterTest extends DDSpecification {
 
     final v1 = new Vulnerability(
       VulnerabilityType.WEAK_HASH,
-      Location.forSpanAndStack(span, new StackTraceElement("foo", "foo", "foo", 1)),
+      Location.forSpanAndStack(span, new StackTraceElement("foo", "foo", "fooPath1", 1)),
       new Evidence("MD5")
       )
     final v2 = new Vulnerability(
       VulnerabilityType.WEAK_HASH,
-      Location.forSpanAndStack(span, new StackTraceElement("foo", "foo", "foo", 2)),
+      Location.forSpanAndStack(span, new StackTraceElement("foo", "foo", "fooPath2", 2)),
       new Evidence("MD4")
       )
 
@@ -185,8 +187,9 @@ class ReporterTest extends DDSpecification {
           "location": {
             "spanId":123456,
             "line":1,
-            "path":"foo",
-            "method": "foo"
+            "path": "fooPath1",
+            "method": "foo",
+            "class": "foo"
           },
           "stackId":"1",
           "type":"WEAK_HASH"
@@ -197,8 +200,9 @@ class ReporterTest extends DDSpecification {
           "location": {
             "spanId":123456,
             "line":2,
-            "path":"foo",
-            "method": "foo"
+            "path": "fooPath2",
+            "method": "foo",
+            "class": "foo"
           },
           "stackId":"2",
           "type":"WEAK_HASH"

@@ -17,7 +17,8 @@ class LocationTest extends DDSpecification {
 
     then:
     location.getSpanId() == spanId
-    location.getPath() == "declaringClass"
+    location.getPath() == "fileName"
+    location.getClassName() == "declaringClass"
     location.getLine() == 42
     location.getMethod() == stack.methodName
   }
@@ -35,7 +36,7 @@ class LocationTest extends DDSpecification {
 
     then:
     location.getSpanId() == spanId
-    location.getPath() == "declaringClass"
+    location.getClassName() == "declaringClass"
     location.getLine() == -1
     location.getMethod() == methodName
   }
@@ -50,7 +51,7 @@ class LocationTest extends DDSpecification {
     final location = Location.forClassAndMethodAndLine(declaringClass, methodName, line)
 
     then:
-    location.getPath() == "declaringClass"
+    location.getClassName() == "declaringClass"
     location.getLine() == line
     location.getMethod() == methodName
   }