Fix appsec.waf.requests telemetry metric #8644

jandro996 · 2025-03-31T10:18:09Z

What Does This Do

Rework from scratch the appsec.waf.requests telemetry metric as the RFC diverges a lot from our previous implementation

Update metric once when request ends
Metric flags only need to be updated if we are dealing with WAF and not with RASP

appsec.waf.requests: this metric is used to count the requests analysed by libddwaf for the purpose of WAF analysis, which at this stage can be described as any request with calls to libddwaf which are not for the purpose of RASP, as those are clearly demarcated

Motivation

Additional Notes

RFC

Contributor Checklist

Format the title according the contribution guidelines
Assign the type: and (comp: or inst:) labels in addition to any usefull labels
Don't use close, fix or any linking keywords when referencing an issue.
Use solves instead, and assign the PR milestone to the issue
Update the public documentation in case of new configuration flag or behavior

Jira ticket: APPSEC-57055

pr-commenter · 2025-03-31T10:54:49Z

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/APPSEC-57055
git_commit_date	1744982456	1745219901
git_commit_sha	`368851d`	`18ede72`
release_version	1.49.0-SNAPSHOT~368851d216	1.49.0-SNAPSHOT~18ede7299f

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1745222814	1745222814
ci_job_id	904601894	904601894
ci_pipeline_id	62752823	62752823
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-ekfrqbyz-project-304-concurrent-0-7idsmylt 6.8.0-1024-aws #26~22.04.1-Ubuntu SMP Wed Feb 19 06:54:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-ekfrqbyz-project-304-concurrent-0-7idsmylt 6.8.0-1024-aws #26~22.04.1-Ubuntu SMP Wed Feb 19 06:54:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module	Agent	Agent
parent	None	None
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 61 metrics, 10 unstable metrics.

Startup time reports for petclinic

gantt title petclinic - global startup overhead: candidate=1.49.0-SNAPSHOT~18ede7299f, baseline=1.49.0-SNAPSHOT~368851d216 dateFormat X axisFormat %s section tracing Agent [baseline] (1.062 s) : 0, 1061902 Total [baseline] (10.503 s) : 0, 10502927 Agent [candidate] (1.054 s) : 0, 1054017 Total [candidate] (10.448 s) : 0, 10447530 section appsec Agent [baseline] (1.2 s) : 0, 1199588 Total [baseline] (10.797 s) : 0, 10797262 Agent [candidate] (1.199 s) : 0, 1198559 Total [candidate] (10.783 s) : 0, 10783242 section iast Agent [baseline] (1.19 s) : 0, 1189681 Total [baseline] (11.088 s) : 0, 11087721 Agent [candidate] (1.183 s) : 0, 1183280 Total [candidate] (10.979 s) : 0, 10978654 section profiling Agent [baseline] (1.314 s) : 0, 1313960 Total [baseline] (10.935 s) : 0, 10934824 Agent [candidate] (1.318 s) : 0, 1318024 Total [candidate] (10.98 s) : 0, 10979579

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.062 s	-
Agent	appsec	1.2 s	137.686 ms (13.0%)
Agent	iast	1.19 s	127.779 ms (12.0%)
Agent	profiling	1.314 s	252.059 ms (23.7%)
Total	tracing	10.503 s	-
Total	appsec	10.797 s	294.335 ms (2.8%)
Total	iast	11.088 s	584.794 ms (5.6%)
Total	profiling	10.935 s	431.898 ms (4.1%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.054 s	-
Agent	appsec	1.199 s	144.542 ms (13.7%)
Agent	iast	1.183 s	129.263 ms (12.3%)
Agent	profiling	1.318 s	264.006 ms (25.0%)
Total	tracing	10.448 s	-
Total	appsec	10.783 s	335.712 ms (3.2%)
Total	iast	10.979 s	531.124 ms (5.1%)
Total	profiling	10.98 s	532.048 ms (5.1%)

gantt title petclinic - break down per module: candidate=1.49.0-SNAPSHOT~18ede7299f, baseline=1.49.0-SNAPSHOT~368851d216 dateFormat X axisFormat %s section tracing BytebuddyAgent [baseline] (725.244 ms) : 0, 725244 BytebuddyAgent [candidate] (719.603 ms) : 0, 719603 GlobalTracer [baseline] (240.392 ms) : 0, 240392 GlobalTracer [candidate] (238.87 ms) : 0, 238870 AppSec [baseline] (55.432 ms) : 0, 55432 AppSec [candidate] (55.951 ms) : 0, 55951 Debugger [baseline] (4.387 ms) : 0, 4387 Debugger [candidate] (4.346 ms) : 0, 4346 Remote Config [baseline] (693.853 µs) : 0, 694 Remote Config [candidate] (689.271 µs) : 0, 689 Telemetry [baseline] (12.224 ms) : 0, 12224 Telemetry [candidate] (11.229 ms) : 0, 11229 section appsec BytebuddyAgent [baseline] (740.517 ms) : 0, 740517 BytebuddyAgent [candidate] (739.889 ms) : 0, 739889 GlobalTracer [baseline] (236.016 ms) : 0, 236016 GlobalTracer [candidate] (235.845 ms) : 0, 235845 AppSec [baseline] (175.538 ms) : 0, 175538 AppSec [candidate] (175.174 ms) : 0, 175174 Debugger [baseline] (4.212 ms) : 0, 4212 Debugger [candidate] (4.557 ms) : 0, 4557 Remote Config [baseline] (639.522 µs) : 0, 640 Remote Config [candidate] (634.893 µs) : 0, 635 Telemetry [baseline] (8.263 ms) : 0, 8263 Telemetry [candidate] (8.123 ms) : 0, 8123 IAST [baseline] (21.908 ms) : 0, 21908 IAST [candidate] (21.825 ms) : 0, 21825 section iast BytebuddyAgent [baseline] (842.854 ms) : 0, 842854 BytebuddyAgent [candidate] (838.258 ms) : 0, 838258 GlobalTracer [baseline] (230.754 ms) : 0, 230754 GlobalTracer [candidate] (229.69 ms) : 0, 229690 AppSec [baseline] (55.41 ms) : 0, 55410 AppSec [candidate] (55.53 ms) : 0, 55530 Debugger [baseline] (4.264 ms) : 0, 4264 Debugger [candidate] (4.227 ms) : 0, 4227 Remote Config [baseline] (611.371 µs) : 0, 611 Remote Config [candidate] (623.839 µs) : 0, 624 Telemetry [baseline] (8.764 ms) : 0, 8764 Telemetry [candidate] (8.676 ms) : 0, 8676 IAST [baseline] (23.643 ms) : 0, 23643 IAST [candidate] (22.86 ms) : 0, 22860 section profiling BytebuddyAgent [baseline] (717.396 ms) : 0, 717396 BytebuddyAgent [candidate] (718.535 ms) : 0, 718535 GlobalTracer [baseline] (375.894 ms) : 0, 375894 GlobalTracer [candidate] (378.034 ms) : 0, 378034 AppSec [baseline] (54.208 ms) : 0, 54208 AppSec [candidate] (53.633 ms) : 0, 53633 Debugger [baseline] (4.382 ms) : 0, 4382 Debugger [candidate] (4.448 ms) : 0, 4448 Remote Config [baseline] (658.068 µs) : 0, 658 Remote Config [candidate] (660.198 µs) : 0, 660 Telemetry [baseline] (8.969 ms) : 0, 8969 Telemetry [candidate] (9.008 ms) : 0, 9008 ProfilingAgent [baseline] (101.748 ms) : 0, 101748 ProfilingAgent [candidate] (102.954 ms) : 0, 102954 Profiling [baseline] (101.773 ms) : 0, 101773 Profiling [candidate] (102.979 ms) : 0, 102979

Startup time reports for insecure-bank

gantt title insecure-bank - global startup overhead: candidate=1.49.0-SNAPSHOT~18ede7299f, baseline=1.49.0-SNAPSHOT~368851d216 dateFormat X axisFormat %s section tracing Agent [baseline] (1.059 s) : 0, 1059317 Total [baseline] (8.68 s) : 0, 8680082 Agent [candidate] (1.06 s) : 0, 1059831 Total [candidate] (8.697 s) : 0, 8696912 section iast Agent [baseline] (1.184 s) : 0, 1184229 Total [baseline] (9.249 s) : 0, 9248623 Agent [candidate] (1.184 s) : 0, 1184346 Total [candidate] (9.24 s) : 0, 9239743 section iast_HARDCODED_SECRET_DISABLED Agent [baseline] (1.185 s) : 0, 1184678 Total [baseline] (9.219 s) : 0, 9218932 Agent [candidate] (1.183 s) : 0, 1183366 Total [candidate] (9.211 s) : 0, 9210870 section iast_TELEMETRY_OFF Agent [baseline] (1.178 s) : 0, 1177784 Total [baseline] (9.231 s) : 0, 9231092 Agent [candidate] (1.185 s) : 0, 1185116 Total [candidate] (9.256 s) : 0, 9256316

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.059 s	-
Agent	iast	1.184 s	124.912 ms (11.8%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.185 s	125.361 ms (11.8%)
Agent	iast_TELEMETRY_OFF	1.178 s	118.468 ms (11.2%)
Total	tracing	8.68 s	-
Total	iast	9.249 s	568.542 ms (6.5%)
Total	iast_HARDCODED_SECRET_DISABLED	9.219 s	538.85 ms (6.2%)
Total	iast_TELEMETRY_OFF	9.231 s	551.01 ms (6.3%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.06 s	-
Agent	iast	1.184 s	124.515 ms (11.7%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.183 s	123.535 ms (11.7%)
Agent	iast_TELEMETRY_OFF	1.185 s	125.285 ms (11.8%)
Total	tracing	8.697 s	-
Total	iast	9.24 s	542.83 ms (6.2%)
Total	iast_HARDCODED_SECRET_DISABLED	9.211 s	513.958 ms (5.9%)
Total	iast_TELEMETRY_OFF	9.256 s	559.404 ms (6.4%)

gantt title insecure-bank - break down per module: candidate=1.49.0-SNAPSHOT~18ede7299f, baseline=1.49.0-SNAPSHOT~368851d216 dateFormat X axisFormat %s section tracing BytebuddyAgent [baseline] (722.45 ms) : 0, 722450 BytebuddyAgent [candidate] (724.013 ms) : 0, 724013 GlobalTracer [baseline] (239.581 ms) : 0, 239581 GlobalTracer [candidate] (240.083 ms) : 0, 240083 AppSec [baseline] (55.26 ms) : 0, 55260 AppSec [candidate] (54.879 ms) : 0, 54879 Debugger [baseline] (5.077 ms) : 0, 5077 Debugger [candidate] (5.14 ms) : 0, 5140 Remote Config [baseline] (2.102 ms) : 0, 2102 Remote Config [candidate] (2.198 ms) : 0, 2198 Telemetry [baseline] (11.45 ms) : 0, 11450 Telemetry [candidate] (10.026 ms) : 0, 10026 section iast BytebuddyAgent [baseline] (838.668 ms) : 0, 838668 BytebuddyAgent [candidate] (838.63 ms) : 0, 838630 GlobalTracer [baseline] (229.915 ms) : 0, 229915 GlobalTracer [candidate] (230.113 ms) : 0, 230113 IAST [baseline] (23.567 ms) : 0, 23567 IAST [candidate] (23.522 ms) : 0, 23522 AppSec [baseline] (55.095 ms) : 0, 55095 AppSec [candidate] (55.179 ms) : 0, 55179 Debugger [baseline] (4.214 ms) : 0, 4214 Debugger [candidate] (4.264 ms) : 0, 4264 Remote Config [baseline] (612.386 µs) : 0, 612 Remote Config [candidate] (605.952 µs) : 0, 606 Telemetry [baseline] (8.788 ms) : 0, 8788 Telemetry [candidate] (8.74 ms) : 0, 8740 section iast_HARDCODED_SECRET_DISABLED BytebuddyAgent [baseline] (838.724 ms) : 0, 838724 BytebuddyAgent [candidate] (838.61 ms) : 0, 838610 GlobalTracer [baseline] (229.883 ms) : 0, 229883 GlobalTracer [candidate] (229.245 ms) : 0, 229245 IAST [baseline] (22.992 ms) : 0, 22992 IAST [candidate] (23.635 ms) : 0, 23635 AppSec [baseline] (56.025 ms) : 0, 56025 AppSec [candidate] (54.844 ms) : 0, 54844 Debugger [baseline] (4.274 ms) : 0, 4274 Debugger [candidate] (4.27 ms) : 0, 4270 Remote Config [baseline] (613.681 µs) : 0, 614 Remote Config [candidate] (622.053 µs) : 0, 622 Telemetry [baseline] (8.733 ms) : 0, 8733 Telemetry [candidate] (8.745 ms) : 0, 8745 section iast_TELEMETRY_OFF BytebuddyAgent [baseline] (834.502 ms) : 0, 834502 BytebuddyAgent [candidate] (840.117 ms) : 0, 840117 GlobalTracer [baseline] (229.081 ms) : 0, 229081 GlobalTracer [candidate] (229.51 ms) : 0, 229510 IAST [baseline] (22.229 ms) : 0, 22229 IAST [candidate] (22.556 ms) : 0, 22556 AppSec [baseline] (55.452 ms) : 0, 55452 AppSec [candidate] (55.96 ms) : 0, 55960 Debugger [baseline] (4.116 ms) : 0, 4116 Debugger [candidate] (4.185 ms) : 0, 4185 Remote Config [baseline] (635.269 µs) : 0, 635 Remote Config [candidate] (692.96 µs) : 0, 693 Telemetry [baseline] (8.533 ms) : 0, 8533 Telemetry [candidate] (8.674 ms) : 0, 8674

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
end_time	2025-04-21T07:37:06	2025-04-21T07:44:51
git_branch	master	alejandro.gonzalez/APPSEC-57055
git_commit_date	1744982456	1745219901
git_commit_sha	`368851d`	`18ede72`
release_version	1.49.0-SNAPSHOT~368851d216	1.49.0-SNAPSHOT~18ede7299f
start_time	2025-04-21T07:36:52	2025-04-21T07:44:37

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1745221890	1745221890
ci_job_id	904601895	904601895
ci_pipeline_id	62752823	62752823
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-3cyvs5ny-project-304-concurrent-0-z43y9fiw 6.8.0-1024-aws #26~22.04.1-Ubuntu SMP Wed Feb 19 06:54:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-3cyvs5ny-project-304-concurrent-0-z43y9fiw 6.8.0-1024-aws #26~22.04.1-Ubuntu SMP Wed Feb 19 06:54:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 14 metrics, 16 unstable metrics.

Request duration reports for insecure-bank

gantt title insecure-bank - request duration [CI 0.99] : candidate=1.49.0-SNAPSHOT~18ede7299f, baseline=1.49.0-SNAPSHOT~368851d216 dateFormat X axisFormat %s section baseline no_agent (384.643 µs) : 365, 404 . : milestone, 385, iast (512.545 µs) : 491, 534 . : milestone, 513, iast_FULL (732.33 µs) : 710, 754 . : milestone, 732, iast_GLOBAL (557.093 µs) : 535, 579 . : milestone, 557, iast_HARDCODED_SECRET_DISABLED (516.976 µs) : 495, 539 . : milestone, 517, iast_INACTIVE (466.082 µs) : 445, 488 . : milestone, 466, iast_TELEMETRY_OFF (503.924 µs) : 482, 526 . : milestone, 504, tracing (461.025 µs) : 440, 482 . : milestone, 461, section candidate no_agent (382.087 µs) : 363, 402 . : milestone, 382, iast (511.97 µs) : 490, 534 . : milestone, 512, iast_FULL (728.013 µs) : 706, 750 . : milestone, 728, iast_GLOBAL (561.274 µs) : 539, 584 . : milestone, 561, iast_HARDCODED_SECRET_DISABLED (514.069 µs) : 492, 536 . : milestone, 514, iast_INACTIVE (464.897 µs) : 444, 486 . : milestone, 465, iast_TELEMETRY_OFF (507.752 µs) : 486, 530 . : milestone, 508, tracing (456.496 µs) : 436, 477 . : milestone, 456,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	384.643 µs [364.978 µs, 404.308 µs]	-
iast	512.545 µs [490.631 µs, 534.459 µs]	127.902 µs (33.3%)
iast_FULL	732.33 µs [710.279 µs, 754.38 µs]	347.686 µs (90.4%)
iast_GLOBAL	557.093 µs [534.997 µs, 579.188 µs]	172.449 µs (44.8%)
iast_HARDCODED_SECRET_DISABLED	516.976 µs [494.884 µs, 539.069 µs]	132.333 µs (34.4%)
iast_INACTIVE	466.082 µs [444.571 µs, 487.592 µs]	81.439 µs (21.2%)
iast_TELEMETRY_OFF	503.924 µs [481.514 µs, 526.333 µs]	119.28 µs (31.0%)
tracing	461.025 µs [440.07 µs, 481.98 µs]	76.382 µs (19.9%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	382.087 µs [362.562 µs, 401.613 µs]	-
iast	511.97 µs [490.205 µs, 533.734 µs]	129.882 µs (34.0%)
iast_FULL	728.013 µs [705.97 µs, 750.055 µs]	345.926 µs (90.5%)
iast_GLOBAL	561.274 µs [538.542 µs, 584.006 µs]	179.187 µs (46.9%)
iast_HARDCODED_SECRET_DISABLED	514.069 µs [492.36 µs, 535.778 µs]	131.982 µs (34.5%)
iast_INACTIVE	464.897 µs [443.921 µs, 485.874 µs]	82.81 µs (21.7%)
iast_TELEMETRY_OFF	507.752 µs [485.748 µs, 529.756 µs]	125.665 µs (32.9%)
tracing	456.496 µs [436.104 µs, 476.888 µs]	74.409 µs (19.5%)

Request duration reports for petclinic

gantt title petclinic - request duration [CI 0.99] : candidate=1.49.0-SNAPSHOT~18ede7299f, baseline=1.49.0-SNAPSHOT~368851d216 dateFormat X axisFormat %s section baseline no_agent (1.365 ms) : 1346, 1385 . : milestone, 1365, appsec (1.749 ms) : 1725, 1774 . : milestone, 1749, appsec_no_iast (1.735 ms) : 1712, 1759 . : milestone, 1735, code_origins (1.69 ms) : 1663, 1717 . : milestone, 1690, iast (1.539 ms) : 1514, 1564 . : milestone, 1539, profiling (1.516 ms) : 1493, 1539 . : milestone, 1516, tracing (1.502 ms) : 1477, 1527 . : milestone, 1502, section candidate no_agent (1.359 ms) : 1339, 1379 . : milestone, 1359, appsec (1.749 ms) : 1725, 1773 . : milestone, 1749, appsec_no_iast (1.747 ms) : 1724, 1771 . : milestone, 1747, code_origins (1.687 ms) : 1659, 1714 . : milestone, 1687, iast (1.532 ms) : 1507, 1557 . : milestone, 1532, profiling (1.51 ms) : 1487, 1534 . : milestone, 1510, tracing (1.508 ms) : 1483, 1532 . : milestone, 1508,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.365 ms [1.346 ms, 1.385 ms]	-
appsec	1.749 ms [1.725 ms, 1.774 ms]	383.944 µs (28.1%)
appsec_no_iast	1.735 ms [1.712 ms, 1.759 ms]	369.748 µs (27.1%)
code_origins	1.69 ms [1.663 ms, 1.717 ms]	324.766 µs (23.8%)
iast	1.539 ms [1.514 ms, 1.564 ms]	173.632 µs (12.7%)
profiling	1.516 ms [1.493 ms, 1.539 ms]	150.871 µs (11.1%)
tracing	1.502 ms [1.477 ms, 1.527 ms]	136.76 µs (10.0%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.359 ms [1.339 ms, 1.379 ms]	-
appsec	1.749 ms [1.725 ms, 1.773 ms]	390.12 µs (28.7%)
appsec_no_iast	1.747 ms [1.724 ms, 1.771 ms]	388.827 µs (28.6%)
code_origins	1.687 ms [1.659 ms, 1.714 ms]	327.942 µs (24.1%)
iast	1.532 ms [1.507 ms, 1.557 ms]	173.682 µs (12.8%)
profiling	1.51 ms [1.487 ms, 1.534 ms]	151.819 µs (11.2%)
tracing	1.508 ms [1.483 ms, 1.532 ms]	149.002 µs (11.0%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/APPSEC-57055
git_commit_date	1744982456	1745219901
git_commit_sha	`368851d`	`18ede72`
release_version	1.49.0-SNAPSHOT~368851d216	1.49.0-SNAPSHOT~18ede7299f

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1745222376	1745222376
ci_job_id	904601896	904601896
ci_pipeline_id	62752823	62752823
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-ekfrqbyz-project-304-concurrent-1-i1b2b3zt 6.8.0-1024-aws #26~22.04.1-Ubuntu SMP Wed Feb 19 06:54:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-ekfrqbyz-project-304-concurrent-1-i1b2b3zt 6.8.0-1024-aws #26~22.04.1-Ubuntu SMP Wed Feb 19 06:54:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
variant	appsec	appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava

gantt title biojava - execution time [CI 0.99] : candidate=1.49.0-SNAPSHOT~18ede7299f, baseline=1.49.0-SNAPSHOT~368851d216 dateFormat X axisFormat %s section baseline no_agent (14.807 s) : 14807000, 14807000 . : milestone, 14807000, appsec (15.041 s) : 15041000, 15041000 . : milestone, 15041000, iast (18.553 s) : 18553000, 18553000 . : milestone, 18553000, iast_GLOBAL (18.21 s) : 18210000, 18210000 . : milestone, 18210000, profiling (15.202 s) : 15202000, 15202000 . : milestone, 15202000, tracing (15.006 s) : 15006000, 15006000 . : milestone, 15006000, section candidate no_agent (15.346 s) : 15346000, 15346000 . : milestone, 15346000, appsec (15.087 s) : 15087000, 15087000 . : milestone, 15087000, iast (18.679 s) : 18679000, 18679000 . : milestone, 18679000, iast_GLOBAL (18.103 s) : 18103000, 18103000 . : milestone, 18103000, profiling (15.172 s) : 15172000, 15172000 . : milestone, 15172000, tracing (15.037 s) : 15037000, 15037000 . : milestone, 15037000,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	14.807 s [14.807 s, 14.807 s]	-
appsec	15.041 s [15.041 s, 15.041 s]	234.0 ms (1.6%)
iast	18.553 s [18.553 s, 18.553 s]	3.746 s (25.3%)
iast_GLOBAL	18.21 s [18.21 s, 18.21 s]	3.403 s (23.0%)
profiling	15.202 s [15.202 s, 15.202 s]	395.0 ms (2.7%)
tracing	15.006 s [15.006 s, 15.006 s]	199.0 ms (1.3%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.346 s [15.346 s, 15.346 s]	-
appsec	15.087 s [15.087 s, 15.087 s]	-259.0 ms (-1.7%)
iast	18.679 s [18.679 s, 18.679 s]	3.333 s (21.7%)
iast_GLOBAL	18.103 s [18.103 s, 18.103 s]	2.757 s (18.0%)
profiling	15.172 s [15.172 s, 15.172 s]	-174.0 ms (-1.1%)
tracing	15.037 s [15.037 s, 15.037 s]	-309.0 ms (-2.0%)

Execution time for tomcat

gantt title tomcat - execution time [CI 0.99] : candidate=1.49.0-SNAPSHOT~18ede7299f, baseline=1.49.0-SNAPSHOT~368851d216 dateFormat X axisFormat %s section baseline no_agent (1.477 ms) : 1465, 1489 . : milestone, 1477, appsec (2.35 ms) : 2307, 2394 . : milestone, 2350, iast (2.133 ms) : 2077, 2188 . : milestone, 2133, iast_GLOBAL (2.168 ms) : 2113, 2224 . : milestone, 2168, profiling (1.992 ms) : 1947, 2037 . : milestone, 1992, tracing (1.956 ms) : 1913, 1998 . : milestone, 1956, section candidate no_agent (1.475 ms) : 1464, 1487 . : milestone, 1475, appsec (2.348 ms) : 2304, 2391 . : milestone, 2348, iast (2.131 ms) : 2075, 2187 . : milestone, 2131, iast_GLOBAL (2.174 ms) : 2118, 2230 . : milestone, 2174, profiling (1.976 ms) : 1932, 2020 . : milestone, 1976, tracing (1.964 ms) : 1921, 2006 . : milestone, 1964,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.477 ms [1.465 ms, 1.489 ms]	-
appsec	2.35 ms [2.307 ms, 2.394 ms]	873.497 µs (59.1%)
iast	2.133 ms [2.077 ms, 2.188 ms]	655.861 µs (44.4%)
iast_GLOBAL	2.168 ms [2.113 ms, 2.224 ms]	691.445 µs (46.8%)
profiling	1.992 ms [1.947 ms, 2.037 ms]	515.066 µs (34.9%)
tracing	1.956 ms [1.913 ms, 1.998 ms]	478.592 µs (32.4%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.475 ms [1.464 ms, 1.487 ms]	-
appsec	2.348 ms [2.304 ms, 2.391 ms]	872.135 µs (59.1%)
iast	2.131 ms [2.075 ms, 2.187 ms]	655.429 µs (44.4%)
iast_GLOBAL	2.174 ms [2.118 ms, 2.23 ms]	698.888 µs (47.4%)
profiling	1.976 ms [1.932 ms, 2.02 ms]	500.58 µs (33.9%)
tracing	1.964 ms [1.921 ms, 2.006 ms]	488.085 µs (33.1%)

sezen-datadog · 2025-04-10T12:28:31Z

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/ddwaf/WAFModuleSpecification.groovy

 }
 2 * tracer.activeSpan()
 1 * ctx.reportEvents(_ as Collection<AppSecEvent>)
 2 * ctx.getWafMetrics()


not a comment for your PR in particular I suppose but man am I going to have a titanic of a conflict once the upgrade is done

Are you referring to the PR to update to libddwaf 1.24? 😅

| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [com.google.cloud:google-cloud-logging](https://github.com/googleapis/java-logging) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `3.22.2` -> `3.22.3` | | [com.google.cloud:google-cloud-datastore](https://github.com/googleapis/java-datastore) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.28.0` -> `2.28.1` | | [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.48.2` -> `1.49.0` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.36` -> `2.31.37` | | [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.36` -> `2.31.37` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.36` -> `2.31.37` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.36` -> `2.31.37` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.36` -> `2.31.37` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.36` -> `2.31.37` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.36` -> `2.31.37` | --- ### Release Notes <details> <summary>googleapis/java-logging (com.google.cloud:google-cloud-logging)</summary> ### [`v3.22.3`](https://github.com/googleapis/java-logging/blob/HEAD/CHANGELOG.md#3223-2025-05-06) ##### Bug Fixes - **deps:** Update the Java code generator (gapic-generator-java) to 2.56.3 ([844f4fa](googleapis/java-logging@844f4fa)) ##### Dependencies - Update dependency com.google.cloud:sdk-platform-java-config to v3.46.3 ([#1801](googleapis/java-logging#1801)) ([d7aa7bc](googleapis/java-logging@d7aa7bc)) - Update dependency com.google.cloud:sdk-platform-java-config to v3.47.0 ([#1803](googleapis/java-logging#1803)) ([5967ffe](googleapis/java-logging@5967ffe)) - Update googleapis/sdk-platform-java action to v2.57.0 ([#1804](googleapis/java-logging#1804)) ([e9a27ec](googleapis/java-logging@e9a27ec)) </details> <details> <summary>googleapis/java-datastore (com.google.cloud:google-cloud-datastore)</summary> ### [`v2.28.1`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2281-2025-05-06) ##### Dependencies - Update dependency com.google.cloud:sdk-platform-java-config to v3.47.0 ([#1841](googleapis/java-datastore#1841)) ([ac393e6](googleapis/java-datastore@ac393e6)) - Update googleapis/sdk-platform-java action to v2.57.0 ([#1842](googleapis/java-datastore#1842)) ([0745906](googleapis/java-datastore@0745906)) </details> <details> <summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary> ### [`v1.49.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.49.0): 1.49.0 ### Components #### Configuration at Runtime - ✨ Add process tags as list to remote config payload ([#8705](DataDog/dd-trace-java#8705) - [@amarziali](https://github.com/amarziali)) #### Continuous Integration Visibility - 🐛 Add span propagation for Pekko scheduled tasks ([#8765](DataDog/dd-trace-java#8765) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Update test.retry_reason to use full name of the feature ([#8689](DataDog/dd-trace-java#8689) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - 🧹 Remove unused TestEventsHandler methods ([#8674](DataDog/dd-trace-java#8674) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) #### Dynamic Instrumentation - 🐛 Fix exclude identifiers normalization ([#8742](DataDog/dd-trace-java#8742) - [@jpbempel](https://github.com/jpbempel)) - ✨ Make source file tracking asynchronous ([#8684](DataDog/dd-trace-java#8684) - [@jpbempel](https://github.com/jpbempel)) - ✨ Add scope filtering for symbol extraction ([#8676](DataDog/dd-trace-java#8676) - [@jpbempel](https://github.com/jpbempel)) - ✨ Add support for [@key](https://github.com/key) and [@value](https://github.com/value) for Map filtering ([#8669](DataDog/dd-trace-java#8669) - [@jpbempel](https://github.com/jpbempel)) #### Library Injection - ✨ Add system property to force injection of the tracing library even though multiple javaagents have been detected ([#8697](DataDog/dd-trace-java#8697) - [@cecile75](https://github.com/cecile75)) #### Metrics - ✨ Allow dogstatsd port to be configurable with DD_DOGSTATSD_PORT ([#8693](DataDog/dd-trace-java#8693) - [@randomanderson](https://github.com/randomanderson)) #### Profiling - ✨ Bump ddprof-java to 1.25.1 ([#8750](DataDog/dd-trace-java#8750) - [@jbachorik](https://github.com/jbachorik)) - 🐛 Remove cleanup-on-shutdown for temporary files ([#8746](DataDog/dd-trace-java#8746) - [@jbachorik](https://github.com/jbachorik)) - ✨⚡ Replace a regex-based SMAP parser with a hand-crafted one ([#8730](DataDog/dd-trace-java#8730) - [@jbachorik](https://github.com/jbachorik)) - ✨ Improve error reporting on profiler startup ([#8714](DataDog/dd-trace-java#8714) - [@jbachorik](https://github.com/jbachorik)) - ✨ Exclude ProxyLeakTask exception from exception profiling ([#8666](DataDog/dd-trace-java#8666) - [@jbachorik](https://github.com/jbachorik)) - ✨ Use jvmstat for JDKs 9+ programmatically ([#8641](DataDog/dd-trace-java#8641) - [@MattAlp](https://github.com/MattAlp)) #### Telemetry - ✨ Allow dogstatsd port to be configurable with DD_DOGSTATSD_PORT ([#8693](DataDog/dd-trace-java#8693) - [@randomanderson](https://github.com/randomanderson)) - 🐛 Fix appsec.waf.requests telemetry metric ([#8644](DataDog/dd-trace-java#8644) - [@jandro996](https://github.com/jandro996)) #### Tracer core - ✨ Exclude jackson afterburner dynamic classes from instrumentation ([#8747](DataDog/dd-trace-java#8747) - [@amarziali](https://github.com/amarziali)) - ✨ Introduce Java 8 bytecode bridge for instrumentation API ([#8736](DataDog/dd-trace-java#8736) - [@PerfectSlayer](https://github.com/PerfectSlayer)) - ⚡🧹 Use byte-buddy classes optimized for Java8+ ([#8735](DataDog/dd-trace-java#8735) - [@mcculls](https://github.com/mcculls)) - 🐛 Do not set the hibernate or datanucleus span service name when disabled ([#8727](DataDog/dd-trace-java#8727) - [@ygree](https://github.com/ygree)) - ✨ Update bytebuddy and ASM to support JDK 24 ([#8720](DataDog/dd-trace-java#8720) - [@sarahchen6](https://github.com/sarahchen6)) - 🐛 Turn off JDK socket support by default ([#8715](DataDog/dd-trace-java#8715) - [@mcculls](https://github.com/mcculls)) - 🐛 Log warning when trace buffer overflow occurs ([#8712](DataDog/dd-trace-java#8712) - [@ygree](https://github.com/ygree)) - ✨🧪 Introducing an internal integration name ([#8708](DataDog/dd-trace-java#8708) - [@amarziali](https://github.com/amarziali)) - ✨ Add process tags to client stats payload ([#8704](DataDog/dd-trace-java#8704) - [@amarziali](https://github.com/amarziali)) - ✨ Collect process tags for tracing ([#8698](DataDog/dd-trace-java#8698) - [@amarziali](https://github.com/amarziali)) - ✨ Stable Config file: target system properties in process_arguments and support template variables in YamlParser ([#8690](DataDog/dd-trace-java#8690) - [@mtoffl01](https://github.com/mtoffl01)) - ✨⚡ Use prefix trie for proxy ignores ([#8678](DataDog/dd-trace-java#8678) - [@amarziali](https://github.com/amarziali)) - ✨ Allow agent to be automatically injected when running aside Log4J patch agent ([#8648](DataDog/dd-trace-java#8648) - [@paullegranddc](https://github.com/paullegranddc)) - ✨ Use jvmstat for JDKs 9+ programmatically ([#8641](DataDog/dd-trace-java#8641) - [@MattAlp](https://github.com/MattAlp)) #### Tracer internal logging - 🐛 Delete print line ([#8686](DataDog/dd-trace-java#8686) - [@sarahchen6](https://github.com/sarahchen6)) ### Instrumentations #### Akka instrumentation - 🐛 Handle reentrant scope cleanup in Akka/Pekko actor instrumentations ([#8722](DataDog/dd-trace-java#8722) - [@mcculls](https://github.com/mcculls)) #### Apache Spark instrumentation - ✨ Use OpenLineage root parent information to generate trace id ([#8726](DataDog/dd-trace-java#8726) - [@mobuchowski](https://github.com/mobuchowski)) - ✨ Spark job cancellation no longer marks application as failed ([#8701](DataDog/dd-trace-java#8701) - [@paul-laffon-dd](https://github.com/paul-laffon-dd)) #### JDBC instrumentation - 💡 Add support for sybase tds jdbc driver ([#8764](DataDog/dd-trace-java#8764) - [@amarziali](https://github.com/amarziali)) #### Kotlin instrumentation - 🐛 Take defensive copy of parent scope stack when closing nested coroutines ([#8749](DataDog/dd-trace-java#8749) - [@mcculls](https://github.com/mcculls)) #### Reactor instrumentation - ✨⚡ Do not inspect reactor context when not needed ([#8745](DataDog/dd-trace-java#8745) - [@amarziali](https://github.com/amarziali)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: 795f347ae34d056efc1194c2f606cee7bca1beea

jandro996 added type: bug Bug report and fix comp: telemetry Telemetry labels Mar 31, 2025

jandro996 force-pushed the alejandro.gonzalez/APPSEC-57054 branch from 391b408 to e57d2c4 Compare April 1, 2025 07:08

jandro996 force-pushed the alejandro.gonzalez/APPSEC-57055 branch from f5a020d to 1776ef8 Compare April 1, 2025 07:23

jandro996 force-pushed the alejandro.gonzalez/APPSEC-57054 branch 3 times, most recently from 2963701 to d354d38 Compare April 2, 2025 10:36

jandro996 force-pushed the alejandro.gonzalez/APPSEC-57055 branch from 5119473 to fee4ea9 Compare April 2, 2025 10:43

jandro996 changed the title ~~Fix appsec.waf.requests waf_error telemetry metric~~ Fix appsec.waf.requests telemetry metric Apr 2, 2025

jandro996 force-pushed the alejandro.gonzalez/APPSEC-57055 branch from fee4ea9 to ff26203 Compare April 2, 2025 11:29

Base automatically changed from alejandro.gonzalez/APPSEC-57054 to master April 7, 2025 08:01

jandro996 force-pushed the alejandro.gonzalez/APPSEC-57055 branch 2 times, most recently from 5fe1015 to 2b6bf3d Compare April 7, 2025 08:10

jandro996 marked this pull request as ready for review April 10, 2025 09:39

jandro996 requested a review from a team as a code owner April 10, 2025 09:39

jandro996 requested review from robertpi, sezen-datadog and smola April 10, 2025 09:39

sezen-datadog reviewed Apr 10, 2025

View reviewed changes

Rework from scratch the appsec.waf.requests

dde8c18

jandro996 force-pushed the alejandro.gonzalez/APPSEC-57055 branch from f2789db to dde8c18 Compare April 10, 2025 12:34

jandro996 added 3 commits April 11, 2025 08:32

Merge branch 'master' into alejandro.gonzalez/APPSEC-57055

9fd1fc3

fix test

c89cebf

fix jacoco

ed077e0

jandro996 requested a review from a team as a code owner April 11, 2025 08:46

Merge branch 'master' into alejandro.gonzalez/APPSEC-57055

18ede72

smola approved these changes Apr 21, 2025

View reviewed changes

jandro996 merged commit f78a48b into master Apr 21, 2025
255 of 257 checks passed

jandro996 deleted the alejandro.gonzalez/APPSEC-57055 branch April 21, 2025 10:41

github-actions bot added this to the 1.49.0 milestone Apr 21, 2025

smola added the comp: asm waf Application Security Management (WAF) label May 6, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix appsec.waf.requests telemetry metric #8644

Fix appsec.waf.requests telemetry metric #8644

Uh oh!

jandro996 commented Mar 31, 2025 •

edited

Loading

pr-commenter bot commented Mar 31, 2025 •

edited

Loading

sezen-datadog Apr 10, 2025

jandro996 Apr 10, 2025

Uh oh!

Labels

3 participants

Fix appsec.waf.requests telemetry metric #8644

Fix appsec.waf.requests telemetry metric #8644

Uh oh!

Conversation

jandro996 commented Mar 31, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What Does This Do

Motivation

Additional Notes

Contributor Checklist

pr-commenter bot commented Mar 31, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Benchmarks

Startup

Parameters

Summary

Load

Parameters

Summary

Dacapo

Parameters

Summary

sezen-datadog Apr 10, 2025

Choose a reason for hiding this comment

jandro996 Apr 10, 2025

Choose a reason for hiding this comment

Uh oh!

Labels

3 participants

jandro996 commented Mar 31, 2025 •

edited

Loading

pr-commenter bot commented Mar 31, 2025 •

edited

Loading