Question
As was covered in the article Why doesn't the sanitizer or security control I am using show up in the Contrast data flow?, there are scenarios in which a custom Security Control will not show up in the Contrast Data Flow. I believe that it is not being seen by the agent, so how do I confirm that?
Answer
One possibility is that the Java agent has reached the maximum number of untrusted data flow propagations it will observe per request, referred to as "propagation events".
If this is the case, the log file generated by the Java agent will contain messages like this:
[default task-17 ContrastDataFlowPropagationDispatcherImpl] DEBUG - Ignoring propagator owasp-encoder-1 because maximum reached
By default, that limit is 250 events. For large applications, or applications with many propagation events, it is common that this limit needs to be raised so that the agent can still observe the security control.
Setting this value to 2500 should be sufficient in most cases.
The relevant configuration option is contrast.assess.max_propagation_events and can be set (as can any configuration option) as an environment variable, a JVM argument or in a contrast_security.yaml file - as detailed here.
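As an added example (not part of the original article and not Contrast's own tooling), a POSIX shell script that scans an agent log for the "maximum reached" message above and counts how often each propagator was dropped, which tells you whether the cap is the reason a control is missing and which propagators were affected. The log lines embedded in it are constructed samples, and the configuration forms in the trailing comments assume the JVM system-property syntax for the dotted key; the environment-variable spelling is an assumption to check against the configuration documentation.

```shell
#!/bin/sh
# Scan a Contrast Java agent log for propagators that were ignored because
# the per-request propagation-event cap was reached, and count them.

# Constructed sample log lines (not captured from a real deployment).
SAMPLE_LOG='[default task-17 ContrastDataFlowPropagationDispatcherImpl] DEBUG - Ignoring propagator owasp-encoder-1 because maximum reached
[default task-17 ContrastDataFlowPropagationDispatcherImpl] DEBUG - Ignoring propagator owasp-encoder-1 because maximum reached
[default task-18 ContrastDataFlowPropagationDispatcherImpl] DEBUG - Ignoring propagator string-builder-append because maximum reached
[default task-18 SomeOtherComponent] DEBUG - request completed'

# Read a log on stdin; print "<count> <propagator>" per dropped propagator,
# most frequently dropped first. An empty result means the cap was never hit.
count_maxed_propagators() {
    sed -n 's/.*Ignoring propagator \([^ ]*\) because maximum reached.*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Read a log on stdin; succeed (exit 0) if any propagator was dropped because
# the cap was reached, so the result can drive a decision to raise the limit.
cap_was_hit() {
    grep -q 'Ignoring propagator .* because maximum reached'
}

# Usage: run against a real log with
#   cat contrast.log | count_maxed_propagators
# If cap_was_hit succeeds, raise contrast.assess.max_propagation_events, e.g.
# as a JVM argument:  -Dcontrast.assess.max_propagation_events=2500
# or (assumed spelling, double underscores between key segments) as an
# environment variable: CONTRAST__ASSESS__MAX_PROPAGATION_EVENTS=2500
printf '%s\n' "$SAMPLE_LOG" | count_maxed_propagators
```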
Does this impact performance?
The agent caps the number of propagation events per request to avoid consuming too much of an application’s memory, so increasing this value may impact memory usage at runtime.