[appsec] Implement SCA hot instrumentation via ClassFileTransformer

  Adds dynamic bytecode instrumentation for Supply Chain Analysis (SCA)
  vulnerability detection. When Remote Config sends instrumentation targets,
  the agent retransforms loaded classes and injects detection logic at method
  entry using ASM. Instrumented methods call AppSecSCADetector.onMethodInvocation()
  to log vulnerable library usage (POC implementation). Future versions will
  report to Datadog backend with CVE metadata and stack traces.

Author: jandro996

dd-java-agent/appsec/build.gradle

@@ -17,6 +17,7 @@ dependencies {
   implementation project(':telemetry')
   implementation group: 'io.sqreen', name: 'libsqreen', version: '17.2.0'
   implementation libs.moshi
+  implementation libs.bundles.asm
 
   testImplementation libs.bytebuddy
   testImplementation project(':remote-config:remote-config-core')

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecSCADetector.java

@@ -0,0 +1,50 @@
+package com.datadog.appsec.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Detection handler for Supply Chain Analysis (SCA) vulnerability detection.
+ *
+ * <p>This class is called from instrumented methods to report when vulnerable third-party
+ * library methods are invoked at runtime.
+ *
+ * <p>POC implementation: Currently just logs detections. Future versions will report to Datadog
+ * backend with vulnerability metadata, stack traces, and context.
+ */
+public class AppSecSCADetector {
+
+  private static final Logger log = LoggerFactory.getLogger(AppSecSCADetector.class);
+
+  /**
+   * Called when an instrumented SCA target method is invoked.
+   *
+   * <p>This method is invoked from bytecode injected by {@link AppSecSCATransformer}.
+   *
+   * @param className the internal class name (e.g., "org/springframework/web/client/RestTemplate")
+   * @param methodName the method name (e.g., "execute")
+   * @param descriptor the method descriptor (e.g., "(Ljava/lang/String;)V")
+   */
+  public static void onMethodInvocation(String className, String methodName, String descriptor) {
+    try {
+      // POC: Log the detection
+      // Future: Report to Datadog backend with vulnerability context
+      log.info(
+          "[SCA DETECTION] Vulnerable method invoked: {}.{}{}",
+          className.replace('/', '.'),
+          methodName,
+          descriptor);
+
+      // TODO: Future enhancements:
+      // - Capture stack trace
+      // - Add vulnerability metadata (CVE ID, severity, etc.)
+      // - Report to Datadog backend via telemetry
+      // - Rate limiting to avoid log spam
+      // - Include request context if available
+
+    } catch (Throwable t) {
+      // Catch all exceptions to avoid breaking the instrumented method
+      log.error("Error in SCA detection handler", t);
+    }
+  }
+}

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecSCAInstrumentationUpdater.java

@@ -103,10 +103,9 @@ private void applyInstrumentation(AppSecSCAConfig oldConfig, AppSecSCAConfig new
     }
 
     // Install new transformer
-    // TODO: Create AppSecSCATransformer
     log.debug("Installing new SCA transformer for targets: {}", targetClassNames);
-    // currentTransformer = new AppSecSCATransformer(newConfig);
-    // instrumentation.addTransformer(currentTransformer, true);
+    currentTransformer = new AppSecSCATransformer(newConfig);
+    instrumentation.addTransformer(currentTransformer, true);
 
     // Find loaded classes that match targets
     List<Class<?>> classesToRetransform = findLoadedClasses(targetClassNames);

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecSCATransformer.java

@@ -0,0 +1,197 @@
+package com.datadog.appsec.config;
+
+import java.lang.instrument.ClassFileTransformer;
+import java.lang.instrument.IllegalClassFormatException;
+import java.security.ProtectionDomain;
+import java.util.HashMap;
+import java.util.Map;
+import org.objectweb.asm.ClassReader;
+import org.objectweb.asm.ClassVisitor;
+import org.objectweb.asm.ClassWriter;
+import org.objectweb.asm.MethodVisitor;
+import org.objectweb.asm.Opcodes;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * ClassFileTransformer for Supply Chain Analysis (SCA) vulnerability detection.
+ *
+ * <p>Instruments methods specified in the SCA configuration to detect when vulnerable
+ * third-party library methods are called at runtime.
+ *
+ * <p>This is a POC implementation that logs method invocations. Future versions will report
+ * to the Datadog backend with vulnerability details.
+ */
+public class AppSecSCATransformer implements ClassFileTransformer {
+
+  private static final Logger log = LoggerFactory.getLogger(AppSecSCATransformer.class);
+
+  private final Map<String, TargetMethods> targetsByClass;
+
+  /**
+   * Creates a new SCA transformer with the given instrumentation targets.
+   *
+   * @param config the SCA configuration containing instrumentation targets
+   */
+  public AppSecSCATransformer(AppSecSCAConfig config) {
+    this.targetsByClass = buildTargetsMap(config);
+    log.debug("Created SCA transformer with {} target classes", targetsByClass.size());
+  }
+
+  private Map<String, TargetMethods> buildTargetsMap(AppSecSCAConfig config) {
+    Map<String, TargetMethods> map = new HashMap<>();
+
+    if (config.instrumentationTargets == null) {
+      return map;
+    }
+
+    for (AppSecSCAConfig.InstrumentationTarget target : config.instrumentationTargets) {
+      if (target.className == null || target.methodName == null) {
+        continue;
+      }
+
+      // Convert internal format (org/foo/Bar) to internal format (already is internal)
+      String internalClassName = target.className;
+
+      TargetMethods methods = map.computeIfAbsent(internalClassName, k -> new TargetMethods());
+      methods.addMethod(target.methodName);
+    }
+
+    return map;
+  }
+
+  @Override
+  public byte[] transform(
+      ClassLoader loader,
+      String className,
+      Class<?> classBeingRedefined,
+      ProtectionDomain protectionDomain,
+      byte[] classfileBuffer)
+      throws IllegalClassFormatException {
+
+    if (className == null) {
+      return null;
+    }
+
+    // Check if this class is a target
+    TargetMethods targetMethods = targetsByClass.get(className);
+    if (targetMethods == null) {
+      return null; // Not a target class
+    }
+
+    try {
+      log.debug("Instrumenting SCA target class: {}", className);
+      return instrumentClass(classfileBuffer, className, targetMethods);
+    } catch (Exception e) {
+      log.error("Failed to instrument SCA target class: {}", className, e);
+      return null; // Return null to keep original bytecode
+    }
+  }
+
+  private byte[] instrumentClass(
+      byte[] originalBytecode, String className, TargetMethods targetMethods) {
+    ClassReader reader = new ClassReader(originalBytecode);
+    ClassWriter writer = new ClassWriter(reader, ClassWriter.COMPUTE_FRAMES);
+
+    ClassVisitor visitor = new SCAClassVisitor(writer, className, targetMethods);
+
+    try {
+      reader.accept(visitor, ClassReader.EXPAND_FRAMES);
+      byte[] transformedBytecode = writer.toByteArray();
+      log.info("Successfully instrumented SCA target class: {}", className);
+      return transformedBytecode;
+    } catch (Exception e) {
+      log.error("Error during ASM transformation for class: {}", className, e);
+      return null;
+    }
+  }
+
+  /**
+   * ASM ClassVisitor that instruments methods matching SCA targets.
+   */
+  private static class SCAClassVisitor extends ClassVisitor {
+    private final String className;
+    private final TargetMethods targetMethods;
+
+    SCAClassVisitor(ClassVisitor cv, String className, TargetMethods targetMethods) {
+      super(Opcodes.ASM9, cv);
+      this.className = className;
+      this.targetMethods = targetMethods;
+    }
+
+    @Override
+    public MethodVisitor visitMethod(
+        int access, String name, String descriptor, String signature, String[] exceptions) {
+      MethodVisitor mv = super.visitMethod(access, name, descriptor, signature, exceptions);
+
+      // Check if this method is a target
+      if (targetMethods.contains(name)) {
+        log.debug("Instrumenting SCA target method: {}::{}", className, name);
+        return new SCAMethodVisitor(mv, className, name, descriptor);
+      }
+
+      return mv;
+    }
+  }
+
+  /**
+   * ASM MethodVisitor that injects SCA detection logic at method entry.
+   */
+  private static class SCAMethodVisitor extends MethodVisitor {
+    private final String className;
+    private final String methodName;
+    private final String descriptor;
+
+    SCAMethodVisitor(MethodVisitor mv, String className, String methodName, String descriptor) {
+      super(Opcodes.ASM9, mv);
+      this.className = className;
+      this.methodName = methodName;
+      this.descriptor = descriptor;
+    }
+
+    @Override
+    public void visitCode() {
+      // Inject logging call at method entry
+      // This is POC code - in production this would call a detection handler
+      injectSCADetectionCall();
+      super.visitCode();
+    }
+
+    private void injectSCADetectionCall() {
+      // Generate bytecode equivalent to:
+      // AppSecSCADetector.onMethodInvocation("className", "methodName", "descriptor");
+
+      // Load the class name
+      mv.visitLdcInsn(className);
+
+      // Load the method name
+      mv.visitLdcInsn(methodName);
+
+      // Load the descriptor
+      mv.visitLdcInsn(descriptor);
+
+      // Call the static detection method
+      mv.visitMethodInsn(
+          Opcodes.INVOKESTATIC,
+          "com/datadog/appsec/config/AppSecSCADetector",
+          "onMethodInvocation",
+          "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V",
+          false);
+    }
+  }
+
+  /**
+   * Helper class to store target methods for a class.
+   */
+  private static class TargetMethods {
+    private final Map<String, Boolean> methods = new HashMap<>();
+
+    void addMethod(String methodName) {
+      methods.put(methodName, Boolean.TRUE);
+    }
+
+    boolean contains(String methodName) {
+      return methods.containsKey(methodName);
+    }
+  }
+}