Add marks to exclude ranges from vulnerability reporting (#5538)

##What Does This Do
Add mark attribute to Range
Provide a mark for each vulnerabilityType
Provide a new method get all ranges that are not marked for a vulnerability type
Overload taintString and taintObject methods with a mark parameter to allow tainting with marks
Improve highestPriorityRange algorithm using marks

##Motivation
Add an exclusion mark system to avoid reporting vulnerabilities if all its ranges are marked as excluded for that type of vulnerability.

##Additional Notes
Use an int bit field for flagging system to improve performance
Remove previous Range constructor to maintain ranges inmutables
highestPriorityRange algorithm can be more accurate but we decided to keep it simple for performance

Author: jandro996

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringBuilderAppendBenchmark.java

@@ -1,5 +1,7 @@
 package com.datadog.iast.propagation;
 
+import static com.datadog.iast.model.Range.NOT_MARKED;
+
 import com.datadog.iast.IastRequestContext;
 import com.datadog.iast.model.Range;
 import datadog.trace.instrumentation.java.lang.StringBuilderCallSite;
@@ -13,12 +15,15 @@ public class StringBuilderAppendBenchmark
   protected Context initializeContext() {
     final IastRequestContext context = new IastRequestContext();
     final String notTainted = notTainted("I am not a tainted string");
-    final String tainted = tainted(context, "I am a tainted string", new Range(5, 6, source()));
+    final String tainted =
+        tainted(context, "I am a tainted string", new Range(5, 6, source(), NOT_MARKED));
     final StringBuilder notTaintedBuilder =
         notTainted(new StringBuilder("I am not a tainted string builder"));
     final StringBuilder taintedBuilder =
         tainted(
-            context, new StringBuilder("I am a tainted string builder"), new Range(5, 6, source()));
+            context,
+            new StringBuilder("I am a tainted string builder"),
+            new Range(5, 6, source(), NOT_MARKED));
     return new Context(context, notTainted, tainted, notTaintedBuilder, taintedBuilder);
   }
 

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringBuilderBatchBenchmark.java

@@ -33,7 +33,9 @@ protected StringBuilderBatchBenchmark.Context initializeContext() {
       double current = i / (double) stringCount;
       final String value;
       if (current < limit) {
-        value = tainted(context, UUID.randomUUID().toString(), new Range(3, 6, source()));
+        value =
+            tainted(
+                context, UUID.randomUUID().toString(), new Range(3, 6, source(), Range.NOT_MARKED));
       } else {
         value = notTainted(UUID.randomUUID().toString());
       }

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringBuilderInitBenchmark.java

@@ -13,7 +13,8 @@ public class StringBuilderInitBenchmark
   protected Context initializeContext() {
     final IastRequestContext context = new IastRequestContext();
     final String notTainted = notTainted("I am not a tainted string");
-    final String tainted = tainted(context, "I am a tainted string", new Range(3, 6, source()));
+    final String tainted =
+        tainted(context, "I am a tainted string", new Range(3, 6, source(), Range.NOT_MARKED));
     return new Context(context, notTainted, tainted);
   }
 

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringBuilderToStringBenchmark.java

@@ -16,7 +16,9 @@ protected Context initializeContext() {
         notTainted(new StringBuilder("I am not a tainted string builder"));
     final StringBuilder taintedBuilder =
         tainted(
-            context, new StringBuilder("I am a tainted string builder"), new Range(5, 7, source()));
+            context,
+            new StringBuilder("I am a tainted string builder"),
+            new Range(5, 7, source(), Range.NOT_MARKED));
     return new Context(context, notTaintedBuilder, taintedBuilder);
   }
 

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringConcatBenchmark.java

@@ -12,7 +12,8 @@ public class StringConcatBenchmark extends AbstractBenchmark<StringConcatBenchma
   protected StringConcatBenchmark.Context initializeContext() {
     final IastRequestContext context = new IastRequestContext();
     final String notTainted = notTainted("I am not a tainted string");
-    final String tainted = tainted(context, "I am a tainted string", new Range(3, 5, source()));
+    final String tainted =
+        tainted(context, "I am a tainted string", new Range(3, 5, source(), Range.NOT_MARKED));
     return new StringConcatBenchmark.Context(context, notTainted, tainted);
   }
 

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringConcatFactoryBatchBenchmark.java

@@ -54,7 +54,7 @@ protected StringConcatFactoryBatchBenchmark.Context initializeContext() {
       double current = i / (double) stringCount;
       final String value;
       if (current < limit) {
-        value = tainted(context, "Yep, tainted", new Range(3, 5, source()));
+        value = tainted(context, "Yep, tainted", new Range(3, 5, source(), Range.NOT_MARKED));
       } else {
         value = notTainted("Nop, tainted");
       }

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringConcatFactoryBenchmark.java

@@ -13,7 +13,8 @@ public class StringConcatFactoryBenchmark
   protected StringConcatFactoryBenchmark.Context initializeContext() {
     final IastRequestContext context = new IastRequestContext();
     final String notTainted = notTainted("Nop, tainted");
-    final String tainted = tainted(context, "Yep, tainted", new Range(3, 5, source()));
+    final String tainted =
+        tainted(context, "Yep, tainted", new Range(3, 5, source(), Range.NOT_MARKED));
     return new StringConcatFactoryBenchmark.Context(context, notTainted, tainted);
   }
 

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringJoinBenchmark.java

@@ -1,5 +1,7 @@
 package com.datadog.iast.propagation;
 
+import static com.datadog.iast.model.Range.NOT_MARKED;
+
 import com.datadog.iast.IastRequestContext;
 import com.datadog.iast.model.Range;
 import com.datadog.iast.model.Source;
@@ -19,15 +21,18 @@ protected StringJoinBenchmark.Context initializeContext() {
         .getTaintedObjects()
         .taint(
             tainted,
-            new Range[] {new Range(0, tainted.length(), new Source((byte) 0, "key", "value"))});
+            new Range[] {
+              new Range(0, tainted.length(), new Source((byte) 0, "key", "value"), NOT_MARKED)
+            });
 
     final String taintedDelimiter = new String("-");
     iastRequestContext
         .getTaintedObjects()
         .taint(
             taintedDelimiter,
             new Range[] {
-              new Range(0, taintedDelimiter.length(), new Source((byte) 1, "key", "value"))
+              new Range(
+                  0, taintedDelimiter.length(), new Source((byte) 1, "key", "value"), NOT_MARKED)
             });
 
     return new StringJoinBenchmark.Context(

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringSubsequenceBenchmark.java

@@ -1,5 +1,7 @@
 package com.datadog.iast.propagation;
 
+import static com.datadog.iast.model.Range.NOT_MARKED;
+
 import com.datadog.iast.IastRequestContext;
 import com.datadog.iast.model.Range;
 import com.datadog.iast.model.Source;
@@ -25,14 +27,18 @@ protected StringSubsequenceBenchmark.Context initializeContext() {
         .getTaintedObjects()
         .taint(
             taintedLoseRange,
-            new Range[] {new Range(0, RANGE_SIZE, new Source((byte) 0, "key", "value"))});
+            new Range[] {
+              new Range(0, RANGE_SIZE, new Source((byte) 0, "key", "value"), NOT_MARKED)
+            });
 
     final String taintedModifyRange = new String(DEFAULT_STRING);
     iastRequestContext
         .getTaintedObjects()
         .taint(
             taintedModifyRange,
-            new Range[] {new Range(1, RANGE_SIZE, new Source((byte) 1, "key", "value"))});
+            new Range[] {
+              new Range(1, RANGE_SIZE, new Source((byte) 1, "key", "value"), NOT_MARKED)
+            });
 
     return new StringSubsequenceBenchmark.Context(
         iastRequestContext, notTainted, taintedLoseRange, taintedModifyRange);

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/Range.java

@@ -8,14 +8,19 @@
 import javax.annotation.Nonnull;
 
 public final class Range implements Ranged {
+
+  public static final int NOT_MARKED = 0;
+
   private final @Nonnegative int start;
   private final @Nonnegative int length;
   private final @Nonnull @SourceIndex Source source;
+  private final int marks;
 
-  public Range(final int start, final int length, final Source source) {
+  public Range(final int start, final int length, final Source source, final int marks) {
     this.start = start;
     this.length = length;
     this.source = source;
+    this.marks = marks;
   }
 
   @Override
@@ -32,10 +37,18 @@ public Source getSource() {
     return source;
   }
 
+  public int getMarks() {
+    return marks;
+  }
+
   @Override
   public boolean equals(Object o) {
-    if (this == o) return true;
-    if (o == null || getClass() != o.getClass()) return false;
+    if (this == o) {
+      return true;
+    }
+    if (o == null || getClass() != o.getClass()) {
+      return false;
+    }
     Range range = (Range) o;
     return start == range.start && length == range.length && Objects.equals(source, range.source);
   }
@@ -62,6 +75,10 @@ public Range shift(final int offset) {
     if (offset == 0) {
       return this;
     }
-    return new Range(start + offset, length, source);
+    return new Range(start + offset, length, source, marks);
+  }
+
+  public boolean isMarked(final int mark) {
+    return (marks & mark) != NOT_MARKED;
   }
 }