HTTP response schema collection and data classification #8938

Draft: wants to merge 3 commits into base branch malvarez/vertx-response-extraction

Conversation

@sezen-datadog (Contributor) commented Jun 6, 2025

What Does This Do

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-57259

@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from f3bdd40 to 7c044fd Compare June 6, 2025 12:27
@pr-commenter (bot) commented Jun 6, 2025

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | sezen.leblay/APPSEC-57259-extract-schema-spring |
| git_commit_date | 1749044153 | 1749568410 |
| git_commit_sha | 7787af7 | 89f9cac |
| release_version | 1.50.0-SNAPSHOT~7787af738f | 1.50.0-SNAPSHOT~89f9cac69e |

Matching parameters (identical for baseline and candidate)

| Parameter | Value |
| --- | --- |
| application | insecure-bank |
| ci_job_date | 1749570862 |
| ci_job_id | 975417778 |
| ci_pipeline_id | 67379205 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-x-xayjyg-project-304-concurrent-0-1e9z60o6 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| module | Agent |
| parent | None |
| variant | iast |

Summary

Found 1 performance improvement and 2 performance regressions! Performance is the same for 54 metrics, 14 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
| --- | --- | --- | --- |
| scenario:startup:insecure-bank:tracing:Remote Config | better: [-69.654µs; -17.351µs] or [-9.624%; -2.397%] | 680.268µs | 723.770µs |
| scenario:startup:petclinic:profiling:AppSec | worse: [+3.119ms; +5.238ms] or [+4.982%; +8.366%] | 66.785ms | 62.607ms |
| scenario:startup:petclinic:tracing:AppSec | worse: [+1.941ms; +6.518ms] or [+3.415%; +11.470%] | 61.057ms | 56.827ms |
Startup time reports for petclinic
(Gantt chart: petclinic - global startup overhead, candidate=1.50.0-SNAPSHOT~89f9cac69e, baseline=1.50.0-SNAPSHOT~7787af738f. The Agent and Total durations it plots are the ones tabulated below.)
Baseline results

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.033 s | - |
| Agent | appsec | 1.165 s | 132.029 ms (12.8%) |
| Agent | iast | 1.155 s | 122.289 ms (11.8%) |
| Agent | profiling | 1.285 s | 251.95 ms (24.4%) |
| Total | tracing | 11.16 s | - |
| Total | appsec | 11.235 s | 74.52 ms (0.7%) |
| Total | iast | 11.381 s | 220.78 ms (2.0%) |
| Total | profiling | 11.662 s | 501.66 ms (4.5%) |

Candidate results

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.033 s | - |
| Agent | appsec | 1.167 s | 133.608 ms (12.9%) |
| Agent | iast | 1.155 s | 122.371 ms (11.8%) |
| Agent | profiling | 1.276 s | 243.305 ms (23.6%) |
| Total | tracing | 11.177 s | - |
| Total | appsec | 11.315 s | 138.358 ms (1.2%) |
| Total | iast | 11.393 s | 215.547 ms (1.9%) |
| Total | profiling | 11.441 s | 263.616 ms (2.4%) |
petclinic - break down per module (candidate=1.50.0-SNAPSHOT~89f9cac69e, baseline=1.50.0-SNAPSHOT~7787af738f)

| Variant | Module | Baseline | Candidate |
| --- | --- | --- | --- |
| tracing | BytebuddyAgent | 690.768 ms | 685.228 ms |
| tracing | GlobalTracer | 242.864 ms | 241.693 ms |
| tracing | AppSec | 56.827 ms | 61.057 ms |
| tracing | Debugger | 6.279 ms | 6.361 ms |
| tracing | Remote Config | 740.857 µs | 701.905 µs |
| tracing | Telemetry | 11.36 ms | 14.376 ms |
| appsec | BytebuddyAgent | 701.76 ms | 702.094 ms |
| appsec | GlobalTracer | 238.341 ms | 238.608 ms |
| appsec | AppSec | 176.159 ms | 177.37 ms |
| appsec | Debugger | 5.942 ms | 6.004 ms |
| appsec | Remote Config | 628.627 µs | 630.183 µs |
| appsec | Telemetry | 7.363 ms | 7.367 ms |
| appsec | IAST | 21.754 ms | 21.82 ms |
| iast | BytebuddyAgent | 804.29 ms | 802.34 ms |
| iast | GlobalTracer | 232.214 ms | 230.575 ms |
| iast | AppSec | 56.344 ms | 58.623 ms |
| iast | Debugger | 6.014 ms | 5.898 ms |
| iast | Remote Config | 604.161 µs | 593.692 µs |
| iast | Telemetry | 7.977 ms | 7.878 ms |
| iast | IAST | 23.95 ms | 25.923 ms |
| profiling | BytebuddyAgent | 685.232 ms | 681.192 ms |
| profiling | GlobalTracer | 365.33 ms | 360.969 ms |
| profiling | AppSec | 62.607 ms | 66.785 ms |
| profiling | Debugger | 6.135 ms | 6.17 ms |
| profiling | Remote Config | 677.03 µs | 635.513 µs |
| profiling | Telemetry | 8.176 ms | 8.123 ms |
| profiling | ProfilingAgent | 104.915 ms | 101.154 ms |
| profiling | Profiling | 104.939 ms | 101.179 ms |
Startup time reports for insecure-bank
(Gantt chart: insecure-bank - global startup overhead, candidate=1.50.0-SNAPSHOT~89f9cac69e, baseline=1.50.0-SNAPSHOT~7787af738f. The Agent and Total durations it plots are the ones tabulated below.)
Baseline results

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.028 s | - |
| Agent | iast | 1.153 s | 124.7 ms (12.1%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.166 s | 137.364 ms (13.4%) |
| Agent | iast_TELEMETRY_OFF | 1.154 s | 125.341 ms (12.2%) |
| Total | tracing | 8.55 s | - |
| Total | iast | 9.179 s | 628.666 ms (7.4%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.17 s | 619.761 ms (7.2%) |
| Total | iast_TELEMETRY_OFF | 9.217 s | 666.775 ms (7.8%) |

Candidate results

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.035 s | - |
| Agent | iast | 1.155 s | 119.212 ms (11.5%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.163 s | 127.343 ms (12.3%) |
| Agent | iast_TELEMETRY_OFF | 1.153 s | 118.084 ms (11.4%) |
| Total | tracing | 8.535 s | - |
| Total | iast | 9.189 s | 654.509 ms (7.7%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.147 s | 611.907 ms (7.2%) |
| Total | iast_TELEMETRY_OFF | 9.26 s | 724.766 ms (8.5%) |
insecure-bank - break down per module (candidate=1.50.0-SNAPSHOT~89f9cac69e, baseline=1.50.0-SNAPSHOT~7787af738f)

| Variant | Module | Baseline | Candidate |
| --- | --- | --- | --- |
| tracing | BytebuddyAgent | 686.555 ms | 687.905 ms |
| tracing | GlobalTracer | 241.513 ms | 241.675 ms |
| tracing | AppSec | 57.014 ms | 62.082 ms |
| tracing | Debugger | 6.191 ms | 6.254 ms |
| tracing | Remote Config | 723.77 µs | 680.268 µs |
| tracing | Telemetry | 12.945 ms | 12.933 ms |
| iast | BytebuddyAgent | 805.331 ms | 800.906 ms |
| iast | GlobalTracer | 230.69 ms | 230.79 ms |
| iast | AppSec | 51.45 ms | 59.596 ms |
| iast | Debugger | 5.943 ms | 5.938 ms |
| iast | Remote Config | 592.162 µs | 603.367 µs |
| iast | Telemetry | 7.907 ms | 7.824 ms |
| iast | IAST | 27.637 ms | 25.418 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 813.635 ms | 807.629 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 233.054 ms | 231.724 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 52.279 ms | 57.113 ms |
| iast_HARDCODED_SECRET_DISABLED | Debugger | 6.022 ms | 6.026 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 608.511 µs | 616.459 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 8.133 ms | 7.991 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 28.297 ms | 27.876 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 804.02 ms | 799.559 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 232.143 ms | 231.405 ms |
| iast_TELEMETRY_OFF | AppSec | 50.461 ms | 58.034 ms |
| iast_TELEMETRY_OFF | Debugger | 6.041 ms | 5.972 ms |
| iast_TELEMETRY_OFF | Remote Config | 603.691 µs | 611.641 µs |
| iast_TELEMETRY_OFF | Telemetry | 7.901 ms | 7.902 ms |
| iast_TELEMETRY_OFF | IAST | 28.953 ms | 25.579 ms |

Load

Parameters

| | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| end_time | 2025-06-10T15:31:57 | 2025-06-10T15:34:18 |
| git_branch | master | sezen.leblay/APPSEC-57259-extract-schema-spring |
| git_commit_date | 1749044153 | 1749568410 |
| git_commit_sha | 7787af7 | 89f9cac |
| release_version | 1.50.0-SNAPSHOT~7787af738f | 1.50.0-SNAPSHOT~89f9cac69e |
| start_time | 2025-06-10T15:31:10 | 2025-06-10T15:33:31 |

Matching parameters (identical for baseline and candidate)

| Parameter | Value |
| --- | --- |
| application | petclinic |
| ci_job_date | 1749569658 |
| ci_job_id | 975417779 |
| ci_pipeline_id | 67379205 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-qys7bcb-project-304-concurrent-0-j6l3crbt 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| thresholds_or_results | results |
| variant | appsec |

Summary

Found 0 performance improvements and 3 performance regressions! Performance is the same for 0 metrics, 11 unstable metrics.

| scenario | Δ mean http_req_duration | Δ mean throughput | candidate mean http_req_duration | candidate mean throughput | baseline mean http_req_duration | baseline mean throughput |
| --- | --- | --- | --- | --- | --- | --- |
| scenario:load:petclinic:appsec | worse: [+68.917ms; +75.003ms] or [+108.767%; +118.373%] | unstable: [-47.151op/s; -33.349op/s] or [-61.803%; -43.713%] | 135.322ms | 36.042op/s | 63.362ms | 76.292op/s |
| scenario:load:petclinic:no_agent | unstable: [+106.631ms; +110.710ms] or [+1218.248%; +1264.845%] | worse: [-532.513op/s; -510.122op/s] or [-94.521%; -90.547%] | 117.423ms | 42.062op/s | 8.753ms | 563.380op/s |
| scenario:load:petclinic:profiling | worse: [+72.404ms; +77.556ms] or [+136.144%; +145.832%] | unstable: [-64.356op/s; -45.867op/s] or [-68.945%; -49.137%] | 128.162ms | 38.233op/s | 53.182ms | 93.345op/s |
Request duration reports for petclinic
(Gantt chart: petclinic - request duration [CI 0.99], candidate=1.50.0-SNAPSHOT~89f9cac69e, baseline=1.50.0-SNAPSHOT~7787af738f. The per-variant durations and confidence intervals it plots are the ones tabulated below.)
Baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 8.753 ms [8.73 ms, 8.775 ms] | - |
| appsec | 63.362 ms [62.467 ms, 64.256 ms] | 54.609 ms (623.9%) |
| appsec_no_iast | 72.132 ms [71.068 ms, 73.196 ms] | 63.379 ms (724.1%) |
| code_origins | 86.369 ms [84.358 ms, 88.381 ms] | 77.617 ms (886.8%) |
| iast | 79.982 ms [78.667 ms, 81.297 ms] | 71.229 ms (813.8%) |
| profiling | 53.182 ms [52.393 ms, 53.971 ms] | 44.429 ms (507.6%) |
| tracing | 12.402 ms [12.284 ms, 12.52 ms] | 3.649 ms (41.7%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 117.423 ms [114.743 ms, 120.103 ms] | - |
| appsec | 135.322 ms [131.424 ms, 139.22 ms] | 17.899 ms (15.2%) |
| appsec_no_iast | 144.376 ms [139.419 ms, 149.333 ms] | 26.953 ms (23.0%) |
| code_origins | 149.763 ms [139.896 ms, 159.631 ms] | 32.34 ms (27.5%) |
| iast | 158.791 ms [151.999 ms, 165.583 ms] | 41.368 ms (35.2%) |
| profiling | 128.162 ms [124.87 ms, 131.454 ms] | 10.739 ms (9.1%) |
| tracing | 121.275 ms [118.377 ms, 124.174 ms] | 3.852 ms (3.3%) |

Dacapo

Parameters

| | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | sezen.leblay/APPSEC-57259-extract-schema-spring |
| git_commit_date | 1749044153 | 1749568410 |
| git_commit_sha | 7787af7 | 89f9cac |
| release_version | 1.50.0-SNAPSHOT~7787af738f | 1.50.0-SNAPSHOT~89f9cac69e |

Matching parameters (identical for baseline and candidate)

| Parameter | Value |
| --- | --- |
| application | biojava |
| ci_job_date | 1749570401 |
| ci_job_id | 975417780 |
| ci_pipeline_id | 67379205 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-wygnhpf-project-304-concurrent-0-ne56a7m7 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| variant | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat
(Gantt chart: tomcat - execution time [CI 0.99], candidate=1.50.0-SNAPSHOT~89f9cac69e, baseline=1.50.0-SNAPSHOT~7787af738f. The per-variant execution times and confidence intervals it plots are the ones tabulated below.)
Baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.474 ms [1.463 ms, 1.486 ms] | - |
| appsec | 2.414 ms [2.365 ms, 2.463 ms] | 939.967 µs (63.8%) |
| iast | 2.186 ms [2.125 ms, 2.247 ms] | 711.617 µs (48.3%) |
| iast_GLOBAL | 2.229 ms [2.167 ms, 2.29 ms] | 754.554 µs (51.2%) |
| profiling | 2.036 ms [1.986 ms, 2.086 ms] | 561.674 µs (38.1%) |
| tracing | 2.001 ms [1.954 ms, 2.049 ms] | 527.122 µs (35.8%) |

Candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.472 ms [1.46 ms, 1.483 ms] | - |
| appsec | 2.394 ms [2.345 ms, 2.442 ms] | 921.958 µs (62.6%) |
| iast | 2.183 ms [2.122 ms, 2.245 ms] | 711.878 µs (48.4%) |
| iast_GLOBAL | 2.252 ms [2.189 ms, 2.315 ms] | 780.546 µs (53.0%) |
| profiling | 2.033 ms [1.983 ms, 2.082 ms] | 560.891 µs (38.1%) |
| tracing | 2.014 ms [1.966 ms, 2.062 ms] | 542.437 µs (36.9%) |
Execution time for biojava
(Gantt chart: biojava - execution time [CI 0.99], candidate=1.50.0-SNAPSHOT~89f9cac69e, baseline=1.50.0-SNAPSHOT~7787af738f. The per-variant execution times it plots are the ones tabulated below; the confidence intervals collapse to the point value.)
Baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 14.987 s [14.987 s, 14.987 s] | - |
| appsec | 14.72 s [14.72 s, 14.72 s] | -267.0 ms (-1.8%) |
| iast | 18.97 s [18.97 s, 18.97 s] | 3.983 s (26.6%) |
| iast_GLOBAL | 18.03 s [18.03 s, 18.03 s] | 3.043 s (20.3%) |
| profiling | 15.257 s [15.257 s, 15.257 s] | 270.0 ms (1.8%) |
| tracing | 15.023 s [15.023 s, 15.023 s] | 36.0 ms (0.2%) |

Candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 14.796 s [14.796 s, 14.796 s] | - |
| appsec | 14.862 s [14.862 s, 14.862 s] | 66.0 ms (0.4%) |
| iast | 18.762 s [18.762 s, 18.762 s] | 3.966 s (26.8%) |
| iast_GLOBAL | 17.759 s [17.759 s, 17.759 s] | 2.963 s (20.0%) |
| profiling | 15.36 s [15.36 s, 15.36 s] | 564.0 ms (3.8%) |
| tracing | 14.884 s [14.884 s, 14.884 s] | 88.0 ms (0.6%) |

@@ -627,6 +671,38 @@ private Flow<Void> onRequestBodyDone(RequestContext ctx_, StoredBodySupplier sup
}
}

private Flow<Void> onResponseBodyDone(RequestContext ctx_, StoredBodySupplier supplier) {
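Review bot: `onResponseBodyDone` takes a `StoredBodySupplier` exactly like `onRequestBodyDone` just above it, which means the raw response body has to be buffered before this callback can run. If schema collection only consumes the converted object (the `RESPONSE_BODY_CONVERTED` address discussed later in this thread), this raw path buffers a full response body per request for no consumer; either drop the raw response callback or gate the buffering on a subscriber for the raw address actually existing.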
Member @jandro996 commented Jun 9, 2025

I need to check the RFC properly but AFAIK the raw response body doesn't apply to schema collection

Comment on lines +149 to +160
if (action instanceof Flow.Action.RequestBlockingAction) {
Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
BlockResponseFunction brf = reqCtx.getBlockResponseFunction();
if (brf != null) {
brf.tryCommitBlockingResponse(
reqCtx.getTraceSegment(),
rba.getStatusCode(),
rba.getBlockingContentType(),
rba.getExtraHeaders());
}
throw new BlockingException("Blocked response (for HttpMessageConverter/write)");
}
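Review bot: when `brf` is null the code still falls through to `throw new BlockingException(...)`, so a request whose context has no `BlockResponseFunction` is aborted with an exception without any blocking response having been committed; move the throw inside the `if (brf != null)` branch, or return normally when there is nothing to commit. Separately, this runs at `HttpMessageConverter` write time, so status and headers may already have been committed by the application, which limits what `tryCommitBlockingResponse` can replace; if request-phase blocking already covers the need, consider not re-blocking here at all.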
Member commented:

Do we need to do this here? We do this in the request to block if it's necessary.

@Advice.OnMethodEnter(suppress = Throwable.class)
public static void before(
@Advice.Argument(0) final Object obj, @ActiveRequestContext RequestContext reqCtx) {
if (obj == null) {
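Review bot: `suppress = Throwable.class` swallows any failure inside this advice silently, so the `obj == null` early return is the only visible guard. Put the other cheap exits (no subscribers for the response address, request already blocked) before anything that walks `obj`, and log at debug level when the advice bails out; otherwise a broken response extraction is indistinguishable from one that never ran.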
Member commented:

As we don't want to collect the response if the request is blocked, maybe it's a good point to check something like AppSecRequestContext#isWafBlocked (only works for WAF but we can add another flag for RASP)

if (subInfo == null || subInfo.isEmpty()) {
return NoopFlow.INSTANCE;
}
Object converted = ObjectIntrospection.convert(obj, ctx, () -> {});
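Review bot: the third argument to `ObjectIntrospection.convert` is an empty lambda `() -> {}`, so whatever that callback reports is discarded at this call site. With the schema-extraction limits quoted in this thread (depth 18, arrays 10, records 255) being lower than the global object limits, the conversion for this address should be built with those limits and keep a truncation signal rather than dropping it. The `subInfo == null || subInfo.isEmpty()` check just above is right to come first, so no conversion cost is paid without a subscriber.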
Member commented:

We need to change ObjectIntrospection#convert to be able to use it for response schema collection

Limits

Currently most libraries enforce a set of limits before serialising addresses into ddwaf_object. The default global object limits are the following:

- Maximum string length: 4096 bytes
- Maximum container depth: 20 levels
- Maximum container size: 256 nodes

The schema extraction algorithm has a different set of limits, which are lower than the limits mentioned above:

- Maximum container depth: 18 levels
- Maximum array size: 10 nodes
- Maximum record size: 255 nodes

When serialising addresses to ddwaf_object which aren't used for anything other than schema extraction, the library may use the schema extraction limits, rather than the global object limits.

https://docs.google.com/document/d/1965kNw_1CScNM15GgLZ0jvMhFH2kLpDYGztw8YeOfjM/edit?tab=t.0
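The limits quoted above, as an added illustration in Python. This is not dd-trace-java's `ObjectIntrospection`, not libddwaf's schema extractor, and not the ddwaf schema encoding: the scalar type names, the output shape (`[type]` for scalars, `[elements, meta]` for arrays, `[fields]` or `[fields, meta]` for records), the `GLOBAL_LIMITS`/`SCHEMA_LIMITS` dictionaries, the `nested` helper and the sample response are all this example's own assumptions. It shows the two things the RFC excerpt is about: array and record limits cut the walk short while still yielding a usable schema (the 12 constructed transactions share one shape, so the schema is complete even though only 10 are visited), and a body that fits the global depth limit of 20 but not the schema limit of 18 is built and then thrown away if it is converted with the global limits.

```python
"""Schema extraction under the RFC limits quoted in the review thread.

Added illustration only; the type names, output shape, limit tables and
sample data are this example's assumptions, not dd-trace-java or libddwaf.
"""
import json
from dataclasses import dataclass, field
from typing import Any

# Global ddwaf_object limits quoted from the RFC (string 4096 bytes, depth 20,
# container size 256). Container size is applied to arrays and records alike.
GLOBAL_LIMITS = {"max_string": 4096, "max_depth": 20, "max_array": 256, "max_record": 256}
# Schema-extraction limits quoted from the RFC; lower than the global ones.
SCHEMA_LIMITS = {"max_depth": 18, "max_array": 10, "max_record": 255}


@dataclass
class Extraction:
    schema: Any = None
    truncated: bool = False                     # some limit cut part of the value off
    reasons: set = field(default_factory=set)   # which limits fired


def _hit(ex: Extraction, reason: str) -> None:
    """Record that a limit fired; the schema stays usable, just marked."""
    ex.truncated = True
    ex.reasons.add(reason)


def _scalar_type(v: Any) -> str:
    if v is None:
        return "null"
    if isinstance(v, bool):                     # bool before int: bool subclasses int
        return "boolean"
    if isinstance(v, int):
        return "integer"
    if isinstance(v, float):
        return "float"
    if isinstance(v, str):
        return "string"
    return "unknown"


def _extract(value: Any, depth: int, limits: dict, ex: Extraction) -> Any:
    if isinstance(value, dict):
        if depth >= limits["max_depth"]:
            _hit(ex, "depth")
            return ["unknown"]
        fields = {}
        for i, (k, v) in enumerate(value.items()):
            if i >= limits["max_record"]:       # keep the first max_record keys
                _hit(ex, "record_size")
                return [fields, {"truncated": True}]
            fields[str(k)] = _extract(v, depth + 1, limits, ex)
        return [fields]
    if isinstance(value, (list, tuple)):
        if depth >= limits["max_depth"]:
            _hit(ex, "depth")
            return ["unknown"]
        distinct = {}                           # element schemas, deduplicated
        meta = {"len": len(value)}
        for i, item in enumerate(value):
            if i >= limits["max_array"]:        # inspect at most max_array elements
                _hit(ex, "array_size")
                meta["truncated"] = True
                break
            s = _extract(item, depth + 1, limits, ex)
            distinct.setdefault(json.dumps(s, sort_keys=True), s)
        return [[distinct[k] for k in sorted(distinct)], meta]
    return [_scalar_type(value)]


def extract(value: Any, limits: dict = SCHEMA_LIMITS) -> Extraction:
    """Extract a type schema from an already-decoded response body."""
    ex = Extraction()
    ex.schema = _extract(value, 0, limits, ex)
    return ex


def nested(levels: int) -> Any:
    """Constructed helper: a record nested `levels` deep, ending in an integer."""
    return 1 if levels == 0 else {"a": nested(levels - 1)}


# Constructed sample, not real insecure-bank output: 12 transactions exceed the
# schema array limit of 10, but every element has the same shape.
SAMPLE_RESPONSE = {
    "account": {"id": 42, "iban": "GB00BANK00000000", "balance": 1234.5},
    "transactions": [{"id": i, "amount": 10.0 * i, "memo": "x"} for i in range(12)],
    "flags": [True, None, "pending"],
}

if __name__ == "__main__":
    r = extract(SAMPLE_RESPONSE)
    print(json.dumps(r.schema, indent=1), r.truncated, sorted(r.reasons))
    # 19 levels fit the global depth limit (20) but not the schema limit (18).
    print(extract(nested(19), GLOBAL_LIMITS).truncated, extract(nested(19)).truncated)
```

The `reasons` set is the part worth carrying into a real implementation: a schema reported without a truncation marker looks like the complete shape of the response, and a consumer comparing schemas across requests would otherwise treat "array cut at 10" and "array of 10" as the same thing.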

Member commented:

I think that we only need the RESPONSE_BODY_CONVERTED

Member commented:

Same here, I think that we are ok just with RESPONSE_BODY_CONVERTED_ID

@@ -98,6 +98,7 @@ public class AppSecRequestContext implements DataBundle, Closeable {
private String inferredClientIp;

private volatile StoredBodySupplier storedRequestBodySupplier;
private volatile StoredBodySupplier storedResponseBodySupplier;
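Review bot: `storedResponseBodySupplier` keeps the response body buffer reachable for as long as the `AppSecRequestContext` lives, so every response body is retained until the context closes. If the response object is handed to the callback directly, this field and the supplier behind it are unnecessary; if it has to stay, clear it as soon as the body has been published so the buffer can be collected.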
Member commented:

I think we don't need this, as we can pass the response object via callback directly

@@ -106,6 +107,8 @@ public class AppSecRequestContext implements DataBundle, Closeable {
private boolean rawReqBodyPublished;
private boolean convertedReqBodyPublished;
private boolean respDataPublished;
private boolean rawRespBodyPublished;
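Review bot: `rawRespBodyPublished` mirrors `rawReqBodyPublished`, but there is no `convertedRespBodyPublished` counterpart even though the request side tracks both `rawReqBodyPublished` and `convertedReqBodyPublished`. Since the converted response body is the address schema collection consumes, the once-only flag that matters is the one for the converted body; the raw flag can go together with the raw response path.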
Member commented:

We don't need the raw response

@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch 2 times, most recently from ade8110 to 5aa9177 Compare June 10, 2025 12:54
@sezen-datadog sezen-datadog changed the base branch from master to malvarez/vertx-response-extraction June 10, 2025 12:55
@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from 5aa9177 to 5000116 Compare June 10, 2025 12:56
Signed-off-by: sezen.leblay <[email protected]>
Signed-off-by: sezen.leblay <[email protected]>
2 participants