[Java] Enable SCA reachability system tests #6937

Draft: jandro996 wants to merge 2 commits into main from alejandro.gonzalez/sca-reachability

Conversation

@jandro996 (Member)

Summary

  • Add ScaReachability.java controller to the spring-boot weblog exposing /sca/vulnerable-call and /sca/vulnerable-call-alt endpoints that invoke org.yaml.snakeyaml.Yaml.load() (vulnerable via GHSA-mjmj-j48q-9wg2 — snakeyaml <= 1.33; Spring Boot 2.6.0 ships 1.29)
  • Add java entry to _LANG_CONFIG in test_sca_reachability.py with expected CVE, dependency name, and callsite class/method
  • Enable the five SCA reachability test classes in manifests/java.yml for spring-boot: v1.63.0-SNAPSHOT; all other weblogs marked irrelevant

Companion tracer PR

DataDog/dd-trace-java#11352 — SCA Reachability runtime detection (APPSEC-62260)

Test plan

  • Verify CI runs RUNTIME_SCA_REACHABILITY scenario against spring-boot weblog with DD_APPSEC_SCA_ENABLED=true
  • Confirm org.yaml:snakeyaml appears in app-dependencies-loaded telemetry with metadata[type=reachability]
  • Confirm reached:[] at startup and reached:[{path, symbol, line}] after /sca/vulnerable-call is hit
  • Confirm first-hit-wins: /sca/vulnerable-call-alt does not overwrite the first callsite

- Add ScaReachability.java controller to spring-boot weblog with
  /sca/vulnerable-call and /sca/vulnerable-call-alt endpoints
  (call snakeyaml Yaml.load(), vulnerable via GHSA-mjmj-j48q-9wg2)
- Add Java entry to _LANG_CONFIG in test_sca_reachability.py
  (org.yaml:snakeyaml, callsite: ScaReachability.scaVulnerableCall)
- Enable SCA reachability tests for spring-boot in manifests/java.yml
  (v1.63.0-SNAPSHOT, all other weblogs irrelevant)

Relates to DataDog/dd-trace-java#11352
@github-actions (Contributor)

CODEOWNERS have been resolved as:

utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/ScaReachability.java  @DataDog/apm-java @DataDog/asm-java @DataDog/system-tests-core
manifests/java.yml                                                      @DataDog/asm-java @DataDog/apm-java
tests/appsec/test_sca_reachability.py                                   @DataDog/asm-libraries @DataDog/system-tests-core

jandro996 changed the title from "feat(appsec/java): add SCA reachability system tests for Java" to "[Java] Enable SCA reachability system tests" on May 14, 2026

datadog-prod-us1-5 (Bot) commented May 14, 2026

Tests


⚠️ Warnings

🧪 6 Tests failed

tests.appsec.test_sca_reachability.Test_SCA_Reachability_CVE_After_Vulnerable_Call.test_cve_metadata_after_vulnerable_call[spring-boot] from system_tests_suite
AssertionError: GHSA-mjmj-j48q-9wg2 not found in org.yaml:snakeyaml metadata
assert 0 >= 1
 +  where 0 = len([])

self = <tests.appsec.test_sca_reachability.Test_SCA_Reachability_CVE_After_Vulnerable_Call object at 0x7f9e44602cf0>

    def test_cve_metadata_after_vulnerable_call(self) -> None:
        cve_entries = _get_dependency_cve_metadata(_vulnerable_dep(), _cve_id())
>       assert len(cve_entries) >= 1, f"{_cve_id()} not found in {_vulnerable_dep()} metadata"
E       AssertionError: GHSA-mjmj-j48q-9wg2 not found in org.yaml:snakeyaml metadata
...
tests.appsec.test_sca_reachability.Test_SCA_Reachability_CVE_Registered_At_Load_Time.test_cve_registered_at_load_time[spring-boot] from system_tests_suite
AssertionError: GHSA-mjmj-j48q-9wg2 not found in org.yaml:snakeyaml dependency metadata at load time
assert 0 >= 1
 +  where 0 = len([])

self = <tests.appsec.test_sca_reachability.Test_SCA_Reachability_CVE_Registered_At_Load_Time object at 0x7f9e44602f00>

    def test_cve_registered_at_load_time(self) -> None:
        cve_entries = _get_dependency_cve_metadata(_vulnerable_dep(), _cve_id())
>       assert len(cve_entries) >= 1, f"{_cve_id()} not found in {_vulnerable_dep()} dependency metadata at load time"
E       AssertionError: GHSA-mjmj-j48q-9wg2 not found in org.yaml:snakeyaml dependency metadata at load time
...
tests.appsec.test_sca_reachability.Test_SCA_Reachability_Deduplication.test_deduplication_repeated_calls[spring-boot] from system_tests_suite
AssertionError: GHSA-mjmj-j48q-9wg2 not found in org.yaml:snakeyaml metadata
assert 0 >= 1
 +  where 0 = len([])

self = <tests.appsec.test_sca_reachability.Test_SCA_Reachability_Deduplication object at 0x7f9e44602b10>

    def test_deduplication_repeated_calls(self) -> None:
        cve_entries = _get_dependency_cve_metadata(_vulnerable_dep(), _cve_id())
>       assert len(cve_entries) >= 1, f"{_cve_id()} not found in {_vulnerable_dep()} metadata"
E       AssertionError: GHSA-mjmj-j48q-9wg2 not found in org.yaml:snakeyaml metadata
...
(3 of the 6 failing tests shown)

ℹ️ Info

No other issues found

❄️ No new flaky tests detected

Commit SHA: ead7339

Force org.yaml.snakeyaml.Yaml to load during Spring context
initialization, before any HTTP request. This ensures the SCA
transformer registers the CVE with reached=[] on startup, and a
telemetry heartbeat can send that state before test setups call
/sca/vulnerable-call. Without this, the class loads lazily on the
first endpoint request, making registerCve() and recordHit() fire
in the same request with no heartbeat window between them.
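As an added example, not code from this PR or from the system-tests repository: the checks in the test plan above (CVE registered at load time with an empty reached list, a complete callsite after /sca/vulnerable-call, first-hit-wins for the -alt endpoint) run over constructed app-dependencies-loaded payloads, plus the case the failing CI run reported, where no reachability entry existed yet. The payload shape, the helper names and the callsite line number are assumptions for illustration.

```python
# Added example, not code from the PR or the system-tests repo. The payload
# shape below is an assumed illustration of app-dependencies-loaded telemetry
# with a metadata[type=reachability] entry, not the tracer's real schema.
DEP = "org.yaml:snakeyaml"
CVE = "GHSA-mjmj-j48q-9wg2"
CALLSITE = {  # constructed hit for /sca/vulnerable-call; the line number is made up
    "path": "com/datadoghq/system_tests/springboot/ScaReachability.java",
    "symbol": "ScaReachability.scaVulnerableCall",
    "line": 42,
}


def _payload(reached, registered=True):
    """One dependency record; registered=False models the failing CI run,
    where the CVE had no reachability entry at all."""
    metadata = [{"type": "reachability", "cve": CVE, "reached": reached}]
    return {"dependencies": [{"name": DEP, "version": "1.29",
                              "metadata": metadata if registered else []}]}


def get_dependency_cve_metadata(payload, dep, cve):
    """Reachability entries for `cve` on dependency `dep`; [] when not registered."""
    return [m for d in payload["dependencies"] if d["name"] == dep
            for m in d["metadata"]
            if m.get("type") == "reachability" and m.get("cve") == cve]


def reached(payload, dep=DEP, cve=CVE):
    """The reached list of the registered entry, failing the way the CI test does."""
    entries = get_dependency_cve_metadata(payload, dep, cve)
    if not entries:
        raise AssertionError(f"{cve} not found in {dep} metadata")
    return entries[0]["reached"]


def callsite_is_complete(hit):
    """A recorded hit must carry path, symbol and an integer line."""
    return {"path", "symbol", "line"} <= set(hit) and isinstance(hit["line"], int)


def first_hit_wins(after_first, after_alt):
    """Hitting /sca/vulnerable-call-alt afterwards must not replace the callsite."""
    return len(reached(after_first)) == 1 and reached(after_alt) == reached(after_first)


STARTUP = _payload([])                           # class loaded, nothing reached yet
AFTER_CALL = _payload([CALLSITE])                # after /sca/vulnerable-call
AFTER_ALT = _payload([CALLSITE])                 # after the -alt endpoint: unchanged
NOT_REGISTERED = _payload([], registered=False)  # what the failing run reported
```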