Increase SCA vulnerability test coverage#11785

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 4 commits into master from bdu/sca-appsec-coverage on Jun 30, 2026
Conversation

@bric3

@bric3 bric3 commented Jun 29, 2026

Contributor

What Does This Do

Expands the test coverage for SCA (Software Composition Analysis) vulnerabilities.

Motivation

Additional Notes

Contributor Checklist

  • Format the title according to the contribution guidelines
  • Assign the type: and (comp: or inst:) labels in addition to any other useful labels
  • Avoid using close, fix, or any linking keywords when referencing an issue
    Use solves instead, and assign the PR milestone to the issue
  • Update the CODEOWNERS file on source file addition, migration, or deletion
  • Update public documentation with any new configuration flags or behaviors
  • Add your completed PR to the merge queue by commenting /merge. You can also:
    • Customize the commit message associated with the merge with /merge --commit-message "..."
    • Remove your PR from the merge queue with /merge -c
    • Skip all merge queue checks with /merge -f --reason "reason"; please use this judiciously, as some checks do not run at the PR-level (note: the PR still needs to be mergeable, this will only skip the pre-merge build)
    • Get more information in this doc

Jira ticket: [PROJ-IDENT]

@bric3 bric3 requested a review from a team as a code owner June 29, 2026 16:20
@dd-octo-sts

dd-octo-sts Bot commented Jun 29, 2026

Contributor

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@bric3 bric3 added type: bug Bug report and fix tag: no release notes Changes to exclude from release notes comp: tooling Build & Tooling labels Jun 29, 2026

@AlexeyKuznetsov-DD AlexeyKuznetsov-DD left a comment

Contributor

Left minor comments.

Comment thread on dd-java-agent/appsec/src/test/java/com/datadog/appsec/sca/ScaCveDatabaseTest.java (outdated)
@dd-octo-sts

dd-octo-sts Bot commented Jun 29, 2026

Contributor

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite     Status
Startup   🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results

Scenario                               Candidate   master    Δ (95% CI of mean)
startup:insecure-bank:iast:Agent       14.79 s     14.63 s   [+0.2%; +2.0%] (maybe worse)
startup:insecure-bank:tracing:Agent    13.62 s     13.70 s   [-1.1%; +0.0%] (no difference)
startup:petclinic:appsec:Agent         16.92 s     16.74 s   [+0.2%; +1.9%] (maybe worse)
startup:petclinic:iast:Agent           16.48 s     16.95 s   [-7.0%; +1.5%] (no difference)
startup:petclinic:profiling:Agent      16.84 s     16.92 s   [-1.3%; +0.4%] (no difference)
startup:petclinic:sca:Agent            16.96 s     16.82 s   [-0.2%; +1.9%] (no difference)
startup:petclinic:tracing:Agent        16.08 s     16.13 s   [-1.2%; +0.5%] (no difference)

Commit: e608fd46 · CI Pipeline · Benchmarking Platform UI

Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

@bric3 bric3 force-pushed the bdu/sca-appsec-coverage branch from e66206d to 3d56b60 Compare June 29, 2026 20:10

@jandro996 jandro996 left a comment

Member

Nits

dd-java-agent/appsec/src/test/java/com/datadog/appsec/sca/ScaReachabilityMethodLevelTest.java:46
nit: static class could be enough here

dd-java-agent/appsec/src/test/java/com/datadog/appsec/sca/ScaCveDatabaseTest.java:129
nit: two independent behaviors in one test method (immutability + version matching), but good enough

@jandro996 jandro996 left a comment

Member

Thanks for taking care of this!

@bric3 bric3 force-pushed the bdu/sca-appsec-coverage branch from 516b25a to 0104ebb Compare June 30, 2026 08:41
@bric3 bric3 enabled auto-merge June 30, 2026 08:49
@bric3 bric3 added this pull request to the merge queue Jun 30, 2026
@dd-octo-sts

dd-octo-sts Bot commented Jun 30, 2026

Contributor

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jun 30, 2026

View all feedbacks in Devflow UI.

2026-06-30 09:44:31 UTC ℹ️ Start processing command /merge

2026-06-30 09:44:35 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 2h (p90).

2026-06-30 11:08:29 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 30, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit 8df9f05 into master Jun 30, 2026
777 of 780 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the bdu/sca-appsec-coverage branch June 30, 2026 11:08
@github-actions github-actions Bot added this to the 1.64.0 milestone Jun 30, 2026
Labels

comp: tooling Build & Tooling tag: no release notes Changes to exclude from release notes type: bug Bug report and fix

4 participants