Java deduplication for middleware vulnerabilities
Starting with Java 6.11.1, the agent contains enhancements that reduce redundant or duplicate vulnerabilities that occur in applications using middleware components, such as filters. This update improves the accuracy and efficiency of Contrast vulnerability reporting by deduplicating findings that originate from these middleware layers.
Middleware components play an essential role in web applications by intercepting and processing requests before they reach servlets and controllers. They handle responses after servlets or controllers complete execution.
A filter is a component that intercepts requests before they are passed to a servlet and processes responses before they are returned to the client. Filters have access to the request's routing data, current controller, and other contextual information.
Why is this update important?
Often, vulnerabilities tied to both routes and middleware result in duplicated findings, which inflate the number of vulnerabilities that security teams need to review. This situation causes wasted time, missed priorities, and inefficiency in remediation efforts. By enabling the new deduplication capability, Contrast reduces unnecessary noise and improves the overall security posture of applications.
Features
Middleware Instrumentation: The Java agent now recognizes filters and middleware as unique sources, allowing vulnerabilities identified within these layers to be appropriately categorized and reported.
The name of a vulnerability includes an indication that Contrast found it in a middleware component. For example, a vulnerability that Contrast discovers in a filter could look similar to the following example
Deduplication Process: Once the agent detects middleware vulnerabilities, Contrast automatically deduplicates them from the route-based vulnerabilities to which they are attached.
Auto-Verification Support: Vulnerabilities that the agent discovers in middleware are eligible for time-based auto-verification (see Vulnerability management policies). This type of auto-verification streamlines the process of validating resolved vulnerabilities and reduces manual intervention.
Route-based and session-based auto-verification are not currently supported.
Comprehensive Reporting: Contrast displays middleware vulnerabilities in its vulnerability reporting and telemetry, providing clear visibility into the status and lifecycle of these findings.
How it works
Filter handling: The Java agent instruments filters to gather information on vulnerabilities that may be attached to them. This process involves identifying vulnerabilities in the context of the request lifecycle, specifically in the filters where these vulnerabilities originate.
Deduplication logic and vulnerability identification: The agent treats middleware or filters and routes are treated as separate sources of vulnerabilities. The agent distinguishes between vulnerabilities originating from routes versus those originating from middleware components.
Auto-verification: Contrast automatically includes middleware-based vulnerabilities in the auto-verification workflow. The recommended auto-verification method is a time-based auto-verification to ensure comprehensive coverage. Set an auto-verification vulnerability policies describes how to set time-based auto-verification.
Session-based auto-verification(SBAV) and route-based auto-verification (RBAV)[ are not currently included in the workflow today.
Upgrade considerations
On-premises customers: Upgrade to Contrast version 3.11.8 or later before you upgrade the Java agent. If you upgrade the agent before upgrading your Contrast installation , you might see new middleware routes and a potentially significant change to your route coverage metrics.
Impact on existing vulnerabilities: Upgrading the Java agent results in enhanced accuracy in vulnerability reporting.
However, existing vulnerabilities that were duplicated before the update remain in the system. If you have not set up any auto-verification policies, consider manually deleting the outdated vulnerabilities. To identify potential duplicates, on the Vulnerabilities page in the Contrast web interface, select the Group by sink option.
For additional assistance, contact your Customer Success Manager or Contrast Support.