
Conversation

@jandro996 (Member) commented Apr 29, 2025

What Does This Do

Adds the APPSEC_RASP_COLLECT_REQUEST_BODY flag, which enables collection of the request body. This feature is disabled by default.

If APPSEC_RASP_COLLECT_REQUEST_BODY is enabled and there is a RASP event, put the same parsed request body that is sent to the WAF into meta_struct under the http.request.body key.

Add a listener to ObjectIntrospection#convert that adds the boolean tag _dd.appsec.rasp.request_body_size.exceeded if a limit is surpassed.

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-57268

@jandro996 jandro996 added type: enhancement Enhancements and improvements comp: asm waf Application Security Management (WAF) labels Apr 29, 2025
pr-commenter bot commented Apr 29, 2025

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/WaPo-request-body
git_commit_date 1746789389 1748257028
git_commit_sha ad6d5fe 2a3b7b7
release_version 1.50.0-SNAPSHOT~ad6d5fef42 1.50.0-SNAPSHOT~2a3b7b72ce
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1748259323 1748259323
ci_job_id 953905717 953905717
ci_pipeline_id 66098780 66098780
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zghvxubd-project-304-concurrent-0-4hcxt6d5 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zghvxubd-project-304-concurrent-0-4hcxt6d5 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None
variant iast iast

Summary

Found 1 performance improvements and 1 performance regressions! Performance is the same for 58 metrics, 11 unstable metrics.

scenario Δ mean execution_time candidate mean execution_time baseline mean execution_time
scenario:startup:petclinic:profiling:GlobalTracer better [-22.639ms; -14.402ms] or [-5.965%; -3.795%] 361.001ms 379.522ms
scenario:startup:petclinic:profiling:AppSec worse [+5.866ms; +8.943ms] or [+10.743%; +16.379%] 62.005ms 54.601ms
Startup time reports for insecure-bank
[chart: insecure-bank - global startup overhead, candidate=1.50.0-SNAPSHOT~2a3b7b72ce vs baseline=1.50.0-SNAPSHOT~ad6d5fef42; the plotted values are the Agent/Total durations in the baseline and candidate tables below]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.02 s -
Agent iast 1.149 s 128.67 ms (12.6%)
Agent iast_HARDCODED_SECRET_DISABLED 1.149 s 129.334 ms (12.7%)
Agent iast_TELEMETRY_OFF 1.151 s 131.208 ms (12.9%)
Total tracing 8.654 s -
Total iast 9.272 s 617.673 ms (7.1%)
Total iast_HARDCODED_SECRET_DISABLED 9.21 s 555.815 ms (6.4%)
Total iast_TELEMETRY_OFF 9.249 s 594.978 ms (6.9%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.025 s -
Agent iast 1.154 s 128.738 ms (12.6%)
Agent iast_HARDCODED_SECRET_DISABLED 1.147 s 122.426 ms (11.9%)
Agent iast_TELEMETRY_OFF 1.149 s 123.518 ms (12.1%)
Total tracing 8.674 s -
Total iast 9.218 s 543.308 ms (6.3%)
Total iast_HARDCODED_SECRET_DISABLED 9.179 s 504.632 ms (5.8%)
Total iast_TELEMETRY_OFF 9.228 s 553.342 ms (6.4%)
insecure-bank - break down per module: candidate=1.50.0-SNAPSHOT~2a3b7b72ce, baseline=1.50.0-SNAPSHOT~ad6d5fef42
Module Variant Baseline Candidate
BytebuddyAgent tracing 681.451 ms 683.588 ms
GlobalTracer tracing 239.823 ms 241.15 ms
AppSec tracing 54.439 ms 55.451 ms
Debugger tracing 8.939 ms 9.143 ms
Remote Config tracing 681.654 µs 708.618 µs
Telemetry tracing 11.128 ms 11.374 ms
BytebuddyAgent iast 801.934 ms 804.399 ms
GlobalTracer iast 230.302 ms 231.916 ms
IAST iast 28.273 ms 28.638 ms
AppSec iast 50.266 ms 50.602 ms
Debugger iast 5.922 ms 5.994 ms
Remote Config iast 596.958 µs 596.691 µs
Telemetry iast 7.927 ms 7.964 ms
BytebuddyAgent iast_HARDCODED_SECRET_DISABLED 802.437 ms 800.743 ms
GlobalTracer iast_HARDCODED_SECRET_DISABLED 230.423 ms 230.421 ms
IAST iast_HARDCODED_SECRET_DISABLED 27.457 ms 28.843 ms
AppSec iast_HARDCODED_SECRET_DISABLED 51.099 ms 49.457 ms
Debugger iast_HARDCODED_SECRET_DISABLED 5.932 ms 5.91 ms
Remote Config iast_HARDCODED_SECRET_DISABLED 589.156 µs 604.684 µs
Telemetry iast_HARDCODED_SECRET_DISABLED 7.879 ms 7.906 ms
BytebuddyAgent iast_TELEMETRY_OFF 803.876 ms 802.505 ms
GlobalTracer iast_TELEMETRY_OFF 231.193 ms 230.667 ms
IAST iast_TELEMETRY_OFF 23.261 ms 23.755 ms
AppSec iast_TELEMETRY_OFF 54.923 ms 53.893 ms
Debugger iast_TELEMETRY_OFF 5.97 ms 5.831 ms
Remote Config iast_TELEMETRY_OFF 605.698 µs 585.326 µs
Telemetry iast_TELEMETRY_OFF 7.837 ms 7.724 ms
Startup time reports for petclinic
[chart: petclinic - global startup overhead, candidate=1.50.0-SNAPSHOT~2a3b7b72ce vs baseline=1.50.0-SNAPSHOT~ad6d5fef42; the plotted values are the Agent/Total durations in the baseline and candidate tables below]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.021 s -
Agent appsec 1.167 s 145.652 ms (14.3%)
Agent iast 1.156 s 134.262 ms (13.1%)
Agent profiling 1.287 s 266.001 ms (26.0%)
Total tracing 10.452 s -
Total appsec 10.713 s 261.141 ms (2.5%)
Total iast 10.938 s 486.235 ms (4.7%)
Total profiling 10.813 s 361.62 ms (3.5%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.024 s -
Agent appsec 1.168 s 144.204 ms (14.1%)
Agent iast 1.152 s 127.652 ms (12.5%)
Agent profiling 1.27 s 246.275 ms (24.0%)
Total tracing 10.435 s -
Total appsec 10.674 s 239.517 ms (2.3%)
Total iast 10.953 s 518.523 ms (5.0%)
Total profiling 10.812 s 377.439 ms (3.6%)
petclinic - break down per module: candidate=1.50.0-SNAPSHOT~2a3b7b72ce, baseline=1.50.0-SNAPSHOT~ad6d5fef42
Module Variant Baseline Candidate
BytebuddyAgent tracing 683.238 ms 685.915 ms
GlobalTracer tracing 240.116 ms 241.741 ms
AppSec tracing 55.823 ms 55.278 ms
Debugger tracing 8.961 ms 7.634 ms
Remote Config tracing 683.598 µs 715.271 µs
Telemetry tracing 8.96 ms 9.062 ms
BytebuddyAgent appsec 705.023 ms 706.33 ms
GlobalTracer appsec 237.74 ms 237.367 ms
AppSec appsec 175.895 ms 175.957 ms
Debugger appsec 5.923 ms 5.999 ms
Remote Config appsec 630.128 µs 634.433 µs
Telemetry appsec 7.371 ms 7.408 ms
IAST appsec 21.79 ms 21.833 ms
BytebuddyAgent iast 807.14 ms 803.997 ms
GlobalTracer iast 231.454 ms 231.205 ms
AppSec iast 51.386 ms 48.769 ms
Debugger iast 5.933 ms 5.925 ms
Remote Config iast 600.588 µs 601.244 µs
Telemetry iast 7.995 ms 7.922 ms
IAST iast 26.7 ms 29.764 ms
ProfilingAgent profiling 109.759 ms 105.342 ms
BytebuddyAgent profiling 677.64 ms 675.63 ms
GlobalTracer profiling 379.522 ms 361.001 ms
AppSec profiling 54.601 ms 62.005 ms
Debugger profiling 6.156 ms 6.317 ms
Remote Config profiling 652.956 µs 655.439 µs
Telemetry profiling 8.184 ms 8.261 ms
Profiling profiling 109.784 ms 105.366 ms

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2025-05-26T11:05:45 2025-05-26T11:13:32
git_branch master alejandro.gonzalez/WaPo-request-body
git_commit_date 1746789389 1748257028
git_commit_sha ad6d5fe 2a3b7b7
release_version 1.50.0-SNAPSHOT~ad6d5fef42 1.50.0-SNAPSHOT~2a3b7b72ce
start_time 2025-05-26T11:05:31 2025-05-26T11:13:18
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1748258412 1748258412
ci_job_id 953905718 953905718
ci_pipeline_id 66098780 66098780
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zghvxubd-project-304-concurrent-1-f5j7pwx0 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zghvxubd-project-304-concurrent-1-f5j7pwx0 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 18 unstable metrics.

Request duration reports for petclinic
[chart: petclinic - request duration [CI 0.99], candidate=1.50.0-SNAPSHOT~2a3b7b72ce vs baseline=1.50.0-SNAPSHOT~ad6d5fef42; the plotted values and confidence intervals are in the baseline and candidate tables below]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.38 ms [1.36 ms, 1.4 ms] -
appsec 1.746 ms [1.723 ms, 1.77 ms] 366.316 µs (26.5%)
appsec_no_iast 1.723 ms [1.7 ms, 1.747 ms] 343.281 µs (24.9%)
code_origins 1.675 ms [1.648 ms, 1.702 ms] 294.914 µs (21.4%)
iast 1.518 ms [1.495 ms, 1.542 ms] 138.21 µs (10.0%)
profiling 1.524 ms [1.501 ms, 1.548 ms] 144.254 µs (10.5%)
tracing 1.506 ms [1.481 ms, 1.531 ms] 126.31 µs (9.2%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.371 ms [1.351 ms, 1.39 ms] -
appsec 1.751 ms [1.727 ms, 1.775 ms] 380.468 µs (27.8%)
appsec_no_iast 1.732 ms [1.709 ms, 1.755 ms] 361.402 µs (26.4%)
code_origins 1.669 ms [1.642 ms, 1.696 ms] 298.774 µs (21.8%)
iast 1.522 ms [1.498 ms, 1.546 ms] 151.472 µs (11.1%)
profiling 1.548 ms [1.523 ms, 1.573 ms] 177.499 µs (13.0%)
tracing 1.502 ms [1.478 ms, 1.525 ms] 131.183 µs (9.6%)
Request duration reports for insecure-bank
[chart: insecure-bank - request duration [CI 0.99], candidate=1.50.0-SNAPSHOT~2a3b7b72ce vs baseline=1.50.0-SNAPSHOT~ad6d5fef42; the plotted values and confidence intervals are in the baseline and candidate tables below]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 387.935 µs [367.344 µs, 408.525 µs] -
iast 526.218 µs [504.544 µs, 547.892 µs] 138.284 µs (35.6%)
iast_FULL 744.035 µs [721.986 µs, 766.085 µs] 356.101 µs (91.8%)
iast_GLOBAL 564.593 µs [542.755 µs, 586.432 µs] 176.659 µs (45.5%)
iast_HARDCODED_SECRET_DISABLED 521.674 µs [500.047 µs, 543.3 µs] 133.739 µs (34.5%)
iast_INACTIVE 465.995 µs [443.396 µs, 488.594 µs] 78.06 µs (20.1%)
iast_TELEMETRY_OFF 519.73 µs [496.308 µs, 543.153 µs] 131.796 µs (34.0%)
tracing 462.694 µs [441.146 µs, 484.242 µs] 74.759 µs (19.3%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 389.406 µs [368.82 µs, 409.992 µs] -
iast 520.933 µs [499.341 µs, 542.525 µs] 131.527 µs (33.8%)
iast_FULL 736.113 µs [714.233 µs, 757.994 µs] 346.707 µs (89.0%)
iast_GLOBAL 576.654 µs [554.718 µs, 598.589 µs] 187.248 µs (48.1%)
iast_HARDCODED_SECRET_DISABLED 519.678 µs [497.824 µs, 541.531 µs] 130.272 µs (33.5%)
iast_INACTIVE 467.578 µs [445.273 µs, 489.883 µs] 78.173 µs (20.1%)
iast_TELEMETRY_OFF 511.957 µs [488.226 µs, 535.688 µs] 122.551 µs (31.5%)
tracing 466.068 µs [444.054 µs, 488.082 µs] 76.662 µs (19.7%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/WaPo-request-body
git_commit_date 1746789389 1748257028
git_commit_sha ad6d5fe 2a3b7b7
release_version 1.50.0-SNAPSHOT~ad6d5fef42 1.50.0-SNAPSHOT~2a3b7b72ce
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1748259044 1748259044
ci_job_id 953905719 953905719
ci_pipeline_id 66098780 66098780
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-6b4twteb-project-304-concurrent-0-9v0jer70 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-6b4twteb-project-304-concurrent-0-9v0jer70 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
[chart: biojava - execution time [CI 0.99], candidate=1.50.0-SNAPSHOT~2a3b7b72ce vs baseline=1.50.0-SNAPSHOT~ad6d5fef42; the plotted values are in the baseline and candidate tables below]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.54 s [15.54 s, 15.54 s] -
appsec 15.005 s [15.005 s, 15.005 s] -535.0 ms (-3.4%)
iast 18.858 s [18.858 s, 18.858 s] 3.318 s (21.4%)
iast_GLOBAL 18.094 s [18.094 s, 18.094 s] 2.554 s (16.4%)
profiling 14.942 s [14.942 s, 14.942 s] -598.0 ms (-3.8%)
tracing 14.961 s [14.961 s, 14.961 s] -579.0 ms (-3.7%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.191 s [15.191 s, 15.191 s] -
appsec 14.667 s [14.667 s, 14.667 s] -524.0 ms (-3.4%)
iast 19.118 s [19.118 s, 19.118 s] 3.927 s (25.9%)
iast_GLOBAL 18.345 s [18.345 s, 18.345 s] 3.154 s (20.8%)
profiling 15.059 s [15.059 s, 15.059 s] -132.0 ms (-0.9%)
tracing 14.905 s [14.905 s, 14.905 s] -286.0 ms (-1.9%)
Execution time for tomcat
[chart: tomcat - execution time [CI 0.99], candidate=1.50.0-SNAPSHOT~2a3b7b72ce vs baseline=1.50.0-SNAPSHOT~ad6d5fef42; the plotted values and confidence intervals are in the baseline and candidate tables below]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.479 ms [1.467 ms, 1.49 ms] -
appsec 2.409 ms [2.36 ms, 2.457 ms] 929.674 µs (62.9%)
iast 2.169 ms [2.109 ms, 2.229 ms] 690.144 µs (46.7%)
iast_GLOBAL 2.224 ms [2.163 ms, 2.284 ms] 744.665 µs (50.4%)
profiling 2.044 ms [1.994 ms, 2.094 ms] 564.908 µs (38.2%)
tracing 2.015 ms [1.968 ms, 2.062 ms] 536.154 µs (36.3%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.478 ms [1.466 ms, 1.489 ms] -
appsec 2.401 ms [2.352 ms, 2.449 ms] 922.889 µs (62.5%)
iast 2.187 ms [2.127 ms, 2.248 ms] 709.315 µs (48.0%)
iast_GLOBAL 2.226 ms [2.165 ms, 2.288 ms] 748.67 µs (50.7%)
profiling 2.041 ms [1.992 ms, 2.091 ms] 563.764 µs (38.2%)
tracing 2.017 ms [1.969 ms, 2.065 ms] 539.266 µs (36.5%)
@jandro996 jandro996 force-pushed the alejandro.gonzalez/WaPo-headers branch from dc48fa1 to 761eade Compare April 30, 2025 11:32
@jandro996 jandro996 force-pushed the alejandro.gonzalez/WaPo-request-body branch from bdc855c to 5dcd1cf Compare May 8, 2025 07:07
jandro996 added a commit that referenced this pull request May 13, 2025
This PR adds support for a new telemetry metric: appsec.waf.input_truncated. This is a count metric that tracks the number of times a WAF input was truncated, which may happen multiple times per request. The metric includes a truncation_reason tag, represented as a bitfield, with the following values:

  • 1: string too long
  • 2: list or map too large
  • 4: object too deep

Additional Notes

For every call to WAF, if truncation occurred during serialization, we should emit the metric. This will increment the count for each run where truncation was detected, and each metric will include the bitfield indicating the types of truncation that occurred. This metric should also be triggered when ObjectIntrospector truncates the object sent to the WAF. This corner case affects parsed request body and grpc. This should be fixed after #8748
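The PR description at the top of this page and the commit message above describe one mechanism from two sides: the parsed request body is copied into a size-bounded structure before it reaches the WAF, a boolean span tag records that a limit was hit, and a truncation_reason bitfield (1, 2, 4) records which limits. The Java program below is an added illustration of that mechanism written for this page; it is not code from dd-trace-java and does not use its ObjectIntrospection API. The class names BoundedBodyCollection, BoundedConverter and SpanData, the limits 16/5/3 and the sample body are assumptions made for the example; only the meta_struct key http.request.body, the tag _dd.appsec.rasp.request_body_size.exceeded, the metric name appsec.waf.input_truncated and the bitfield values come from the page. It needs Java 11 or newer for String.repeat.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Self-contained illustration (not dd-trace-java code) of bounded request-body collection.
public final class BoundedBodyCollection {

  // truncation_reason bitfield values, as listed in the commit message above
  static final int STRING_TOO_LONG = 1;
  static final int CONTAINER_TOO_LARGE = 2;
  static final int OBJECT_TOO_DEEP = 4;

  // Names from the PR description and commit message; the numeric limits passed in main() are assumptions.
  static final String BODY_KEY = "http.request.body";
  static final String EXCEEDED_TAG = "_dd.appsec.rasp.request_body_size.exceeded";
  static final String TRUNCATED_METRIC = "appsec.waf.input_truncated";

  /** Copies an untrusted, already-parsed body within fixed bounds and records why it was cut. */
  static final class BoundedConverter {
    private final int maxStringLength, maxContainerSize, maxDepth;
    private int reasons; // bitfield accumulated during the last convert() call

    BoundedConverter(int maxStringLength, int maxContainerSize, int maxDepth) {
      this.maxStringLength = maxStringLength;
      this.maxContainerSize = maxContainerSize;
      this.maxDepth = maxDepth;
    }

    Object convert(Object body) { reasons = 0; return walk(body, 0); }

    int truncationReasons() { return reasons; }

    private Object walk(Object value, int depth) {
      if (value instanceof String) {
        String s = (String) value;
        if (s.length() <= maxStringLength) return s;
        reasons |= STRING_TOO_LONG;
        return s.substring(0, maxStringLength);
      }
      if (value instanceof Map) {
        if (depth >= maxDepth) { reasons |= OBJECT_TOO_DEEP; return Collections.emptyMap(); }
        Map<String, Object> out = new LinkedHashMap<>();
        for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
          if (out.size() >= maxContainerSize) { reasons |= CONTAINER_TOO_LARGE; break; }
          // keys are attacker-controlled too, so they get the same string bound as values
          String key = (String) walk(String.valueOf(e.getKey()), depth + 1);
          out.put(key, walk(e.getValue(), depth + 1));
        }
        return out;
      }
      if (value instanceof List) {
        if (depth >= maxDepth) { reasons |= OBJECT_TOO_DEEP; return Collections.emptyList(); }
        List<Object> out = new ArrayList<>();
        for (Object item : (List<?>) value) {
          if (out.size() >= maxContainerSize) { reasons |= CONTAINER_TOO_LARGE; break; }
          out.add(walk(item, depth + 1));
        }
        return out;
      }
      return value; // numbers, booleans and null pass through unchanged
    }
  }

  /** What gets attached to the request span: tags, meta_struct and the metrics to emit. */
  static final class SpanData {
    final Map<String, Object> tags = new LinkedHashMap<>();
    final Map<String, Object> metaStruct = new LinkedHashMap<>();
    final List<String> metrics = new ArrayList<>();
  }

  /** The body reaches meta_struct only when the flag is on and a RASP event fired; tag and metric follow the convert() result alone. */
  static SpanData onRequestEnd(boolean collectRequestBody, boolean raspEventFired,
                               Object parsedBody, BoundedConverter converter) {
    SpanData span = new SpanData();
    Object bounded = converter.convert(parsedBody); // the same bounded view the WAF receives
    int reasons = converter.truncationReasons();
    if (reasons != 0) {
      span.metrics.add(TRUNCATED_METRIC + "{truncation_reason:" + reasons + "}");
      span.tags.put(EXCEEDED_TAG, Boolean.TRUE);
    }
    if (collectRequestBody && raspEventFired) span.metaStruct.put(BODY_KEY, bounded);
    return span;
  }

  public static void main(String[] args) {
    // Constructed sample body that trips all three limits at once
    Map<String, Object> body = new LinkedHashMap<>();
    body.put("user", "alice");
    body.put("note", "x".repeat(50));
    List<Object> items = new ArrayList<>();
    for (int i = 0; i < 10; i++) items.add(i);
    body.put("items", items);
    Map<String, Object> l1 = new LinkedHashMap<>(), l2 = new LinkedHashMap<>(), l3 = new LinkedHashMap<>();
    l3.put("deep", true); l2.put("l3", l3); l1.put("l2", l2); body.put("nested", l1);

    SpanData span = onRequestEnd(true, true, body, new BoundedConverter(16, 5, 3));
    System.out.println("tags=" + span.tags + " meta_struct=" + span.metaStruct + " metrics=" + span.metrics);
  }
}
```

Run it with `java BoundedBodyCollection.java` (single-file source launch). Two design points worth noticing: the exceeded tag and the metric are derived from the same convert() pass that feeds the WAF, so they are set even when APPSEC_RASP_COLLECT_REQUEST_BODY is off, while the body itself is only attached when both the flag and a RASP event are present; and because keys are bounded too, two distinct long keys can collapse onto one truncated prefix, which this example accepts since the copy is an observability artefact rather than the input the application acts on.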
@jandro996 jandro996 force-pushed the alejandro.gonzalez/WaPo-headers branch from c117ce0 to 09b77c3 Compare May 19, 2025 07:07
Base automatically changed from alejandro.gonzalez/WaPo-headers to master May 21, 2025 10:18
improve truncation wip wip - not working wip - fix
@jandro996 jandro996 force-pushed the alejandro.gonzalez/WaPo-request-body branch from fad042b to 502cf6a Compare May 21, 2025 10:30
@jandro996 jandro996 marked this pull request as ready for review May 22, 2025 06:12
@jandro996 jandro996 requested review from a team as code owners May 22, 2025 06:12
@jandro996 jandro996 removed the comp: asm waf Application Security Management (WAF) label May 26, 2025
Contributor

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@jandro996 jandro996 added the comp: asm waf Application Security Management (WAF) label May 26, 2025
@jandro996 jandro996 merged commit 37a783c into master May 26, 2025
523 of 524 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/WaPo-request-body branch May 26, 2025 12:31
@github-actions github-actions bot added this to the 1.50.0 milestone May 26, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Jun 20, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.49.0` -> `1.50.0` |

---

### Release Notes

datadog/dd-trace-java (com.datadoghq:dd-trace-api)

### [`v1.50.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.50.0): 1.50.0

### Deprecation Notice

> [!NOTE]
> `DD_RUNTIME_ID_ENABLED` has been deprecated and will be removed in future releases. Please use `DD_RUNTIME_METRICS_RUNTIME_ID_ENABLED` instead.

### Components

#### Application Security Management (WAF)

- 🐛 Add String length truncation limit to ObjectIntrospector and update truncation metrics ([#8825](DataDog/dd-trace-java#8825) - [@jandro996](https://github.com/jandro996))
- 🐛 Adapt standalone ASM to support API Security ([#8804](DataDog/dd-trace-java#8804) - [@jandro996](https://github.com/jandro996))
- ✨ Add appsec.waf.input_truncated metric ([#8791](DataDog/dd-trace-java#8791) - [@jandro996](https://github.com/jandro996))
- ✨ Extended appsec request body collection ([#8748](DataDog/dd-trace-java#8748) - [@jandro996](https://github.com/jandro996))
- ✨ Extended appsec request/response headers collection ([#8724](DataDog/dd-trace-java#8724) - [@jandro996](https://github.com/jandro996))

#### Build & Tooling

- ✨ Add artifacts to public s3 bucket ([#8947](DataDog/dd-trace-java#8947) - [@randomanderson](https://github.com/randomanderson))

#### Continuous Integration Visibility

- ✨ Improve PR information building ([#8908](DataDog/dd-trace-java#8908) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Truncate span stack traces when Test Optimization is enabled ([#8903](DataDog/dd-trace-java#8903) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Ensure auto-detected service name is the same for every process in the same build ([#8902](DataDog/dd-trace-java#8902) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Use tag as fallback in api requests if no branch is available ([#8876](DataDog/dd-trace-java#8876) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Add support for JUnit 5.13-RC1 ([#8865](DataDog/dd-trace-java#8865), [#8871](DataDog/dd-trace-java#8871) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement attempt to fix v3 and v4 and bump capability version ([#8824](DataDog/dd-trace-java#8824) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- 🧹 Align retry logic for all test framework instrumentations ([#8803](DataDog/dd-trace-java#8803) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- 🐛 Always build ci workspace without trailing separator ([#8788](DataDog/dd-trace-java#8788) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Add commit discrepancies telemetry when building repository git information ([#8763](DataDog/dd-trace-java#8763) - [@daniel-mohedano](https://github.com/daniel-mohedano))

#### Data Streams Monitoring

- 💡 Surface process tags in dsm payloads and use them for base hash calculation ([#8836](DataDog/dd-trace-java#8836) - [@amarziali](https://github.com/amarziali))

#### Dynamic Instrumentation

- ✨ Optimized allocations for collection filter functions ([#8896](DataDog/dd-trace-java#8896) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Fix SymDB upload size check ([#8887](DataDog/dd-trace-java#8887) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Add support for Set in filter function ([#8873](DataDog/dd-trace-java#8873) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Add support for isDefined in log template ([#8859](DataDog/dd-trace-java#8859) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Fix Max captured frames for Exception Replay ([#8856](DataDog/dd-trace-java#8856) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Remove static inherited fields collection ([#8832](DataDog/dd-trace-java#8832) - [@jpbempel](https://github.com/jpbempel))
- 💡 Add process tags to dynamic instrumentation intake payload ([#8779](DataDog/dd-trace-java#8779) - [@amarziali](https://github.com/amarziali))

#### GraalVM native-image

- ✨ Add support for GraalVM Native GC metrics ([#8913](DataDog/dd-trace-java#8913) - [@ygree](https://github.com/ygree))
- ✨ Add JMXFetch support for GraalVM Native ([#8569](DataDog/dd-trace-java#8569) - [@ygree](https://github.com/ygree))

#### JMX fetch

- ✨ Add support for GraalVM Native GC metrics ([#8913](DataDog/dd-trace-java#8913) - [@ygree](https://github.com/ygree))

#### Library Injection

- ✨ Deny oracle db jvm based tools ([#8909](DataDog/dd-trace-java#8909) - [@bric3](https://github.com/bric3))

#### OpenTracing

- 🐛 Fix OT packaging for exception replay ([#8912](DataDog/dd-trace-java#8912) - [@jpbempel](https://github.com/jpbempel))

#### Profiling

- ✨ Bump ddprof to 1.27.0 ([#8893](DataDog/dd-trace-java#8893) - [@jbachorik](https://github.com/jbachorik))
  - Properly handle the adaptive sampling interval overflow by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#213
  - Fix [#200](DataDog/dd-trace-java#200) Crash related to aligned_alloc and free in context by [@yanglong1010](https://github.com/yanglong1010) in DataDog/java-profiler#208
  - Explicitly initialize empty context page by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#210
  - Re-connect crash recursion protection with VM stackwalker by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#214
- ✨ Enable ZSTD compression for profiling ([#8862](DataDog/dd-trace-java#8862) - [@MattAlp](https://github.com/MattAlp))
- ✨ Extend JPS re-implementation to J9 family ([#8813](DataDog/dd-trace-java#8813) - [@MattAlp](https://github.com/MattAlp))
- 💡 Collect process tags for profiling upload requests ([#8780](DataDog/dd-trace-java#8780) - [@amarziali](https://github.com/amarziali))

#### Telemetry

- 💡 Surface process tags on telemetry payloads ([#8837](DataDog/dd-trace-java#8837) - [@amarziali](https://github.com/amarziali))

#### Trace context propagation

- ✨ Migrating all HttpClient Instrumentations to Inject Full Context ([#8826](DataDog/dd-trace-java#8826) - [@mhlidd](https://github.com/mhlidd))
- ✨ Migrating all HttpServer Instrumentations to Extract full Context ([#8820](DataDog/dd-trace-java#8820) - [@mhlidd](https://github.com/mhlidd))
- ✨ Add context API support OTel propagators ([#8770](DataDog/dd-trace-java#8770) - [@PerfectSlayer](https://github.com/PerfectSlayer))

#### Tracer core

- ✨⚡ Skip JAXB generated classes classloader ([#9003](DataDog/dd-trace-java#9003) - [@bric3](https://github.com/bric3))
- ✨ Add DD_RUNTIME_METRICS_RUNTIME_ID_ENABLED alias for runtime id generation ([#8981](DataDog/dd-trace-java#8981) - [@amarziali](https://github.com/amarziali))
- 🐛 Use resolved address for peer.hostname when available without hitting the cache ([#8915](DataDog/dd-trace-java#8915) - [@amarziali](https://github.com/amarziali))
- 💡 Surface server name process tag for tomcat ([#8894](DataDog/dd-trace-java#8894) - [@amarziali](https://github.com/amarziali))
- 💡 Surface websphere cell and server name on process tags ([#8880](DataDog/dd-trace-java#8880) - [@amarziali](https://github.com/amarziali))
- ✨ Added special lightweight pre-main class that skips installation on incompatible JVMs. ([#8855](DataDog/dd-trace-java#8855) - [@AlexeyKuznetsov-DD](https://github.com/AlexeyKuznetsov-DD))
- 💡 Add entrypoint type to process tags ([#8839](DataDog/dd-trace-java#8839) - [@amarziali](https://github.com/amarziali))
- ✨ Extend JPS re-implementation to J9 family ([#8813](DataDog/dd-trace-java#8813) - [@MattAlp](https://github.com/MattAlp))
- ✨ Notify listeners when the scope top changes after switching scope stacks ([#8797](DataDog/dd-trace-java#8797) - [@mcculls](https://github.com/mcculls))
- ✨ Read hsperfdata for Java PIDs if jvmstat is unavailable ([#8792](DataDog/dd-trace-java#8792) - [@MattAlp](https://github.com/MattAlp))
- 🐛 Turn JDK socket support on by default ([#8752](DataDog/dd-trace-java#8752) - [@sarahchen6](https://github.com/sarahchen6))
- ✨ Simplify context propagation ([#8719](DataDog/dd-trace-java#8719) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Add JSON parsing support ([#8579](DataDog/dd-trace-java#8579) - [@PerfectSlayer](https://github.com/PerfectSlayer))

#### Tracer internal logging

- ✨ Fix printing format of span identifiers ([#8897](DataDog/dd-trace-java#8897) - [@vandonr](https://github.com/vandonr))

#### Tracer public API

- 💡 Track the source of installation ([#8956](DataDog/dd-trace-java#8956) - [@mabdinur](https://github.com/mabdinur))
- ✨ Enforce size limit on application_monitoring.yaml files ([#8789](DataDog/dd-trace-java#8789) - [@mtoffl01](https://github.com/mtoffl01))
- ✨ Enabling baggage cache to support limits and non-ascii characters ([#8713](DataDog/dd-trace-java#8713) - [@mhlidd](https://github.com/mhlidd))

### Instrumentations

#### AWS Lambda instrumentation

- ✨ Pass Lambda Request ID to Extension ([#8814](DataDog/dd-trace-java#8814) - [@nhulston](https://github.com/nhulston))

#### Core Java language instrumentation

- ✨ Ensure ClassloadingInstrumentation is always applied even with `DD_TRACE_ENABLED=false` ([#8863](DataDog/dd-trace-java#8863) - [@mcculls](https://github.com/mcculls))

#### Eclipse Vert.x instrumentation

- 🐛 Do not override route with / in vertx instrumentation ([#8881](DataDog/dd-trace-java#8881) - [@vandonr](https://github.com/vandonr))

#### IBM Liberty

- 🐛 Fix error mark on http status for IBM liberty ([#8822](DataDog/dd-trace-java#8822) - [@amarziali](https://github.com/amarziali))

#### JDBC instrumentation

- 🐛 Do not prepend DBM <> APM trace comment in SQLCommenter if there is a pg plan hint ([#8864](DataDog/dd-trace-java#8864) - [@edengorevoy](https://github.com/edengorevoy))

#### JMS instrumentation

- ✨ Add jms as an extra integration name where there is JMS involved ([#8933](DataDog/dd-trace-java#8933) - [@vandonr](https://github.com/vandonr))

#### Kotlin instrumentation

- ✨ Enable kotlin_coroutine integration by default ([#8848](DataDog/dd-trace-java#8848) - [@mcculls](https://github.com/mcculls))
- 🧹 Rework Kotlin coroutines instrumentation around coroutine context ([#8774](DataDog/dd-trace-java#8774) - [@mcculls](https://github.com/mcculls))

#### OpenTelemetry instrumentation

- 🐛 Support WithSpan inheritContext attribute ([#8858](DataDog/dd-trace-java#8858) - [@amarziali](https://github.com/amarziali))
- ✨ Add context API support OTel propagators ([#8770](DataDog/dd-trace-java#8770) - [@PerfectSlayer](https://github.com/PerfectSlayer))

#### Play Framework instrumentation

- 🐛 Fix the Play Framework's span resource name priority so that the client JAX-RS 404 cannot override it ([#8591](DataDog/dd-trace-java#8591) - [@ygree](https://github.com/ygree))

#### Quarkus Instrumentation

- 🐛 Ignore quarkus jaxrs stubs and cdi wrapper proxies ([#8891](DataDog/dd-trace-java#8891) - [@amarziali](https://github.com/amarziali))

#### ServiceTalk

- ✨ Improve ServiceTalk Captured Context API Instrumentation for v0.42.56+ ([#8821](DataDog/dd-trace-java#8821) - [@ygree](https://github.com/ygree))

#### Spring instrumentation

- ✨ Supporting Baggage for Instrumentations used in Weblog Tests ([#8773](DataDog/dd-trace-java#8773) - [@mhlidd](https://github.com/mhlidd))

#### WebSocket Instrumentation

- 💡 Trace websocket for spring webflux reactive handlers ([#8831](DataDog/dd-trace-java#8831) - [@amarziali](https://github.com/amarziali))
- 💡🧪 WebSocket support for Netty ([#8632](DataDog/dd-trace-java#8632) - [@ValentinZakharov](https://github.com/ValentinZakharov))

#### Zio Instrumentation

- 🧹 Cleanup Zio fiber instrumentation to avoid repeated activation of continuation ([#8798](DataDog/dd-trace-java#8798) - [@mcculls](https://github.com/mcculls))

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: 9207366cdb6a1bd098082305d354a0a3c4622d7a