License Type | SaaS & On-Premise |
Agent Mode | Assess & Protect |
Main Product Category | Java Agent |
Sub Category | Security Control |
Question
How to make my sanitizer or security control I am using show up in the Contrast data flow?
Answer
To find out more about why this happens, see our previous knowledge base article:
Why doesn't the sanitizer or security control I am using show up in the Contrast data flow?
When looking at the contrast.log file that the Java agent generates, you may see messages such as:
[default task-17 ContrastDataFlowPropagationDispatcherImpl] DEBUG - Ignoring propagator owasp-encoder-1 because maximum reached
This indicates that the Java agent has reached the maximum number of propagation events it will track for a request, and is dropping further propagation events (here, the owasp-encoder-1 propagator that would have recorded the sanitizer). By default, that limit is 250 events. Large applications, or applications that generate many propagation events per request, often need this Java agent configuration value raised. Setting it to a value such as 2500 is enough in most cases to allow Contrast to detect the security control.
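Before changing the limit, it helps to confirm that the cap is actually the reason a control is missing, and which propagators are being dropped. The following shell functions are an added example for this article, not Contrast's own tooling: they scan a contrast.log for the "Ignoring propagator ... because maximum reached" message quoted above and count the dropped propagators per name. The sample log text is constructed here and assumed to follow the format of the message quoted in the article; the propagator name string-builder-append is a hypothetical name used only for illustration.

```shell
# Added example (not from the Contrast article): triage a contrast.log for the
# propagation-cap message before raising contrast.assess.max_propagation_events.

# Constructed sample log text. The line format is assumed to match the DEBUG
# message quoted in the article; "string-builder-append" is a hypothetical name.
SAMPLE_LOG='[default task-17 ContrastDataFlowPropagationDispatcherImpl] DEBUG - Ignoring propagator owasp-encoder-1 because maximum reached
[default task-17 ContrastDataFlowPropagationDispatcherImpl] DEBUG - Ignoring propagator owasp-encoder-1 because maximum reached
[default task-18 ContrastDataFlowPropagationDispatcherImpl] DEBUG - Ignoring propagator string-builder-append because maximum reached
[default task-18 SomeOtherComponent] INFO - Request complete'

# cap_hit: reads log text on stdin; exit status 0 if the agent reported hitting
# the propagation cap at least once, 1 otherwise.
cap_hit() {
  grep -q 'Ignoring propagator .* because maximum reached'
}

# ignored_propagators: reads log text on stdin and prints one "count name" line
# per dropped propagator, most frequently dropped first. A sanitizer's
# propagator appearing here means the control is being cut off by the cap,
# not that the control is unsupported.
ignored_propagators() {
  sed -n 's/.*Ignoring propagator \([^ ]*\) because maximum reached.*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Stand-alone usage against the constructed sample (use "< contrast.log" for a real file).
if printf '%s\n' "$SAMPLE_LOG" | cap_hit; then
  echo "Propagation cap reached; dropped propagators:"
  printf '%s\n' "$SAMPLE_LOG" | ignored_propagators
else
  echo "Cap not reached; look elsewhere for why the control is missing."
fi
```

Run the same check again after raising the limit and re-exercising the request: if the message disappears and the control now appears in the data flow, the cap was the cause; if the message persists, the new value is still too low for that request.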
The configuration option can be set as a JVM argument, in the contrast_security.yaml file, or as an environment variable. Only one of the three is needed; use whichever matches how the agent is already configured.
JVM argument
-Dcontrast.assess.max_propagation_events=2500
contrast_security.yaml file
assess:
  max_propagation_events: 2500
Environment variable
CONTRAST__ASSESS__MAX_PROPAGATION_EVENTS=2500
Does this impact performance?
Increasing this value affects memory more than it affects speed. The agent caps the number of propagation events tracked per request to avoid consuming too much of the application's memory, and raising the cap lets each request hold more event data until it completes. For larger applications, however, raising this value is necessary to track data flow all the way through the application. If memory is a concern, raise the value in steps and watch heap usage under realistic load rather than jumping straight to a very large number.