iframe-proxy

jandro996 · 2025-05-26T10:54:09Z

What Does This Do

Implements the new algorithm for detecting IAST vulnerabilities, where vulnerabilities that were already explored in previous runs for a given endpoint are skipped, ensuring that all remaining ones are eventually explored.

This addresses the current limitation where only the first matching vulnerabilities are consistently reported, causing others to remain hidden.

Changes to OverheadContext

The OverheadContext class has been extended to support three separate tracking maps:

globalMap

Used to track vulnerability detection counts per endpoint across all requests.
Keys are strings combining the request method and route (GET /login, POST /submit, etc.).
Values are maps from vulnerabilityType → int (count of occurrences).
Capped at 4,096 entries using a clear‐on‐overflow strategy, to ensure bounded memory usage.
Oldest entries are cleared once the limit is reached.

copyMap

Created per request to copy the global counts at the start of the request, ensuring a consistent baseline to compare against throughout the lifecycle of the request.

requestMap

Tracks vulnerability type counts within the request.

An additional field, isGlobal, has been added to indicate whether the context is global or request-scoped. If isGlobal is true, the maps are not used, and quota checks proceed using the global strategy only.

A new method, resetMaps(), has been added to update globalMap when the request ends and vulnerability data has been reported. Two scenarios are supported:

Case 1: Budget not fully used → The entry for the endpoint in globalMap is cleared, since the request stayed within budget.
Case 2: Budget fully used → The counts from requestMap are compared to those in copyMap. For each vulnerability type, if the value in requestMap is greater, it is used to update the corresponding entry in globalMap.

Changes to OverheadController

The method consumeQuota() has been extended to receive a vulnerabilityType and modified to support the new logic:

If an OverheadContext is present and not global, and there is remaining quota and a valid span, the controller now invokes a new method maybeSkipVulnerability() to determine whether quota should actually be consumed or not, based on endpoint-specific history.

It's better to check the Algorithm execution example flow diagram to understand how this should work

Changes to IastRequestContext

In releaseRequestContext(), the request now calls resetMaps() on the associated OverheadContext, ensuring globalMap is updated at the end of each request.

Motivation

[RFC-1029] Optimizing IAST Vulnerability Detection implementation

Additional Notes

java tracer needs to implement also [RFC-1029-A1] Solution for dynamic http routes

Contributor Checklist

Format the title according the contribution guidelines
Assign the type: and (comp: or inst:) labels in addition to any usefull labels
Don't use close, fix or any linking keywords when referencing an issue.
Use solves instead, and assign the PR milestone to the issue
Update the CODEOWNERS file on source file addition, move, or deletion
Update the public documentation in case of new configuration flag or behavior

Jira ticket: APPSEC-57267

pr-commenter · 2025-05-29T13:25:38Z

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/Optimize-IAST-Vulnerability-Detection
git_commit_date	1751531069	1751534692
git_commit_sha	`1666056`	cde392dc87
release_version	1.51.0-SNAPSHOT~1666056a38	1.51.0-SNAPSHOT~9cde392dc87

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1751535943	1751535943
ci_job_id	1011704689	1011704689
ci_pipeline_id	69533740	69533740
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-3-gqnkbnh5 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-3-gqnkbnh5 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module	Agent	Agent
parent	None	None

Summary

Found 0 performance improvements and 1 performance regressions! Performance is the same for 43 metrics, 9 unstable metrics.

scenario	Δ mean execution_time	candidate mean execution_time	baseline mean execution_time
scenario:startup:petclinic:appsec:IAST	worse [+1.006ms; +1.277ms] or [+4.569%; +5.799%]	23.160ms	22.018ms

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (995.132 ms) : 0, 995132
Total [baseline] (10.57 s) : 0, 10569593
Agent [candidate] (995.173 ms) : 0, 995173
Total [candidate] (10.573 s) : 0, 10572916
section appsec
Agent [baseline] (1.173 s) : 0, 1173264
Total [baseline] (10.713 s) : 0, 10712828
Agent [candidate] (1.173 s) : 0, 1173131
Total [candidate] (10.733 s) : 0, 10732898
section iast
Agent [baseline] (1.13 s) : 0, 1129802
Total [baseline] (10.795 s) : 0, 10794530
Agent [candidate] (1.134 s) : 0, 1133843
Total [candidate] (10.908 s) : 0, 10908050
section profiling
Agent [baseline] (1.244 s) : 0, 1244379
Total [baseline] (10.955 s) : 0, 10955220
Agent [candidate] (1.248 s) : 0, 1247791
Total [candidate] (10.956 s) : 0, 10955585

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	995.132 ms	-
Agent	appsec	1.173 s	178.132 ms (17.9%)
Agent	iast	1.13 s	134.671 ms (13.5%)
Agent	profiling	1.244 s	249.248 ms (25.0%)
Total	tracing	10.57 s	-
Total	appsec	10.713 s	143.235 ms (1.4%)
Total	iast	10.795 s	224.937 ms (2.1%)
Total	profiling	10.955 s	385.627 ms (3.6%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	995.173 ms	-
Agent	appsec	1.173 s	177.958 ms (17.9%)
Agent	iast	1.134 s	138.669 ms (13.9%)
Agent	profiling	1.248 s	252.617 ms (25.4%)
Total	tracing	10.573 s	-
Total	appsec	10.733 s	159.983 ms (1.5%)
Total	iast	10.908 s	335.135 ms (3.2%)
Total	profiling	10.956 s	382.669 ms (3.6%)

gantt
    title petclinic - break down per module: candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (687.638 ms) : 0, 687638
BytebuddyAgent [candidate] (687.436 ms) : 0, 687436
GlobalTracer [baseline] (241.668 ms) : 0, 241668
GlobalTracer [candidate] (241.849 ms) : 0, 241849
AppSec [baseline] (30.213 ms) : 0, 30213
AppSec [candidate] (30.279 ms) : 0, 30279
Debugger [baseline] (6.025 ms) : 0, 6025
Debugger [candidate] (6.046 ms) : 0, 6046
Remote Config [baseline] (679.358 µs) : 0, 679
Remote Config [candidate] (685.568 µs) : 0, 686
Telemetry [baseline] (8.199 ms) : 0, 8199
Telemetry [candidate] (8.135 ms) : 0, 8135
section appsec
BytebuddyAgent [baseline] (709.926 ms) : 0, 709926
BytebuddyAgent [candidate] (709.232 ms) : 0, 709232
GlobalTracer [baseline] (235.335 ms) : 0, 235335
GlobalTracer [candidate] (234.881 ms) : 0, 234881
IAST [baseline] (22.018 ms) : 0, 22018
IAST [candidate] (23.16 ms) : 0, 23160
AppSec [baseline] (170.783 ms) : 0, 170783
AppSec [candidate] (170.634 ms) : 0, 170634
Debugger [baseline] (5.781 ms) : 0, 5781
Debugger [candidate] (5.774 ms) : 0, 5774
Remote Config [baseline] (600.004 µs) : 0, 600
Remote Config [candidate] (597.803 µs) : 0, 598
Telemetry [baseline] (8.06 ms) : 0, 8060
Telemetry [candidate] (8.105 ms) : 0, 8105
section iast
BytebuddyAgent [baseline] (806.542 ms) : 0, 806542
BytebuddyAgent [candidate] (808.312 ms) : 0, 808312
GlobalTracer [baseline] (232.536 ms) : 0, 232536
GlobalTracer [candidate] (233.028 ms) : 0, 233028
IAST [baseline] (28.743 ms) : 0, 28743
IAST [candidate] (29.366 ms) : 0, 29366
AppSec [baseline] (26.778 ms) : 0, 26778
AppSec [candidate] (27.873 ms) : 0, 27873
Debugger [baseline] (5.825 ms) : 0, 5825
Debugger [candidate] (5.892 ms) : 0, 5892
Remote Config [baseline] (599.117 µs) : 0, 599
Remote Config [candidate] (591.786 µs) : 0, 592
Telemetry [baseline] (7.954 ms) : 0, 7954
Telemetry [candidate] (8.074 ms) : 0, 8074
section profiling
BytebuddyAgent [baseline] (678.808 ms) : 0, 678808
BytebuddyAgent [candidate] (680.679 ms) : 0, 680679
GlobalTracer [baseline] (360.812 ms) : 0, 360812
GlobalTracer [candidate] (361.387 ms) : 0, 361387
AppSec [baseline] (32.196 ms) : 0, 32196
AppSec [candidate] (33.013 ms) : 0, 33013
Debugger [baseline] (10.648 ms) : 0, 10648
Debugger [candidate] (9.076 ms) : 0, 9076
Remote Config [baseline] (1.353 ms) : 0, 1353
Remote Config [candidate] (664.974 µs) : 0, 665
Telemetry [baseline] (8.025 ms) : 0, 8025
Telemetry [candidate] (8.789 ms) : 0, 8789
ProfilingAgent [baseline] (103.377 ms) : 0, 103377
ProfilingAgent [candidate] (103.902 ms) : 0, 103902
Profiling [baseline] (103.401 ms) : 0, 103401
Profiling [candidate] (103.927 ms) : 0, 103927

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (994.682 ms) : 0, 994682
Total [baseline] (8.566 s) : 0, 8566186
Agent [candidate] (996.759 ms) : 0, 996759
Total [candidate] (8.54 s) : 0, 8539558
section iast
Agent [baseline] (1.14 s) : 0, 1139702
Total [baseline] (9.277 s) : 0, 9277466
Agent [candidate] (1.144 s) : 0, 1143997
Total [candidate] (9.323 s) : 0, 9323280

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	994.682 ms	-
Agent	iast	1.14 s	145.02 ms (14.6%)
Total	tracing	8.566 s	-
Total	iast	9.277 s	711.279 ms (8.3%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	996.759 ms	-
Agent	iast	1.144 s	147.238 ms (14.8%)
Total	tracing	8.54 s	-
Total	iast	9.323 s	783.722 ms (9.2%)

gantt
    title insecure-bank - break down per module: candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (687.471 ms) : 0, 687471
BytebuddyAgent [candidate] (688.605 ms) : 0, 688605
GlobalTracer [baseline] (241.352 ms) : 0, 241352
GlobalTracer [candidate] (242.168 ms) : 0, 242168
AppSec [baseline] (30.242 ms) : 0, 30242
AppSec [candidate] (30.33 ms) : 0, 30330
Debugger [baseline] (6.03 ms) : 0, 6030
Debugger [candidate] (6.017 ms) : 0, 6017
Remote Config [baseline] (672.268 µs) : 0, 672
Remote Config [candidate] (682.224 µs) : 0, 682
Telemetry [baseline] (8.19 ms) : 0, 8190
Telemetry [candidate] (8.206 ms) : 0, 8206
section iast
BytebuddyAgent [baseline] (814.282 ms) : 0, 814282
BytebuddyAgent [candidate] (815.895 ms) : 0, 815895
GlobalTracer [baseline] (234.27 ms) : 0, 234270
GlobalTracer [candidate] (234.752 ms) : 0, 234752
IAST [baseline] (28.199 ms) : 0, 28199
IAST [candidate] (29.017 ms) : 0, 29017
AppSec [baseline] (27.722 ms) : 0, 27722
AppSec [candidate] (28.847 ms) : 0, 28847
Debugger [baseline] (5.83 ms) : 0, 5830
Debugger [candidate] (5.906 ms) : 0, 5906
Remote Config [baseline] (576.617 µs) : 0, 577
Remote Config [candidate] (584.193 µs) : 0, 584
Telemetry [baseline] (7.983 ms) : 0, 7983
Telemetry [candidate] (8.204 ms) : 0, 8204

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/Optimize-IAST-Vulnerability-Detection
git_commit_date	1751531069	1751534811
git_commit_sha	`1666056`	cde392dc87
release_version	1.51.0-SNAPSHOT~1666056a38	1.51.0-SNAPSHOT~9cde392dc87

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1751535751	1751535751
ci_job_id	1011704691	1011704691
ci_pipeline_id	69533740	69533740
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-4-ysajhrjm 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-4-ysajhrjm 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 2 performance regressions! Performance is the same for 8 metrics, 12 unstable metrics.

scenario	Δ mean http_req_duration	Δ mean throughput	candidate mean http_req_duration	candidate mean throughput	baseline mean http_req_duration	baseline mean throughput
scenario:load:insecure-bank:no_agent:high_load	worse [+137.240µs; +248.228µs] or [+3.238%; +5.856%]	unstable [-159.350op/s; +67.850op/s] or [-14.726%; +6.270%]	4.431ms	1036.312op/s	4.239ms	1082.062op/s
scenario:load:insecure-bank:iast_FULL:high_load	worse [+0.817ms; +1.427ms] or [+5.971%; +10.428%]	unstable [-59.933op/s; +8.933op/s] or [-17.606%; +2.624%]	14.807ms	314.906op/s	13.684ms	340.406op/s
scenario:load:insecure-bank:tracing:high_load	better [-602.947µs; -360.693µs] or [-7.511%; -4.493%]	unstable [-35.043op/s; +107.230op/s] or [-6.069%; +18.571%]	7.546ms	613.500op/s	8.028ms	577.406op/s
scenario:load:petclinic:tracing:high_load	better [-1.984ms; -1.185ms] or [-4.427%; -2.645%]	unstable [-3.551op/s; +11.151op/s] or [-3.400%; +10.676%]	43.225ms	108.250op/s	44.810ms	104.450op/s

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38
    dateFormat X
    axisFormat %s
section baseline
no_agent (4.239 ms) : 4185, 4292
.   : milestone, 4239,
iast (9.264 ms) : 9109, 9419
.   : milestone, 9264,
iast_FULL (13.684 ms) : 13411, 13958
.   : milestone, 13684,
iast_GLOBAL (10.214 ms) : 10032, 10396
.   : milestone, 10214,
profiling (8.706 ms) : 8561, 8852
.   : milestone, 8706,
tracing (8.028 ms) : 7909, 8146
.   : milestone, 8028,
section candidate
no_agent (4.431 ms) : 4382, 4481
.   : milestone, 4431,
iast (9.266 ms) : 9116, 9416
.   : milestone, 9266,
iast_FULL (14.807 ms) : 14513, 15100
.   : milestone, 14807,
iast_GLOBAL (10.38 ms) : 10198, 10562
.   : milestone, 10380,
profiling (8.937 ms) : 8799, 9075
.   : milestone, 8937,
tracing (7.546 ms) : 7440, 7652
.   : milestone, 7546,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	4.239 ms [4.185 ms, 4.292 ms]	-
iast	9.264 ms [9.109 ms, 9.419 ms]	5.025 ms (118.6%)
iast_FULL	13.684 ms [13.411 ms, 13.958 ms]	9.446 ms (222.9%)
iast_GLOBAL	10.214 ms [10.032 ms, 10.396 ms]	5.976 ms (141.0%)
profiling	8.706 ms [8.561 ms, 8.852 ms]	4.468 ms (105.4%)
tracing	8.028 ms [7.909 ms, 8.146 ms]	3.789 ms (89.4%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	4.431 ms [4.382 ms, 4.481 ms]	-
iast	9.266 ms [9.116 ms, 9.416 ms]	4.835 ms (109.1%)
iast_FULL	14.807 ms [14.513 ms, 15.1 ms]	10.375 ms (234.1%)
iast_GLOBAL	10.38 ms [10.198 ms, 10.562 ms]	5.949 ms (134.2%)
profiling	8.937 ms [8.799 ms, 9.075 ms]	4.506 ms (101.7%)
tracing	7.546 ms [7.44 ms, 7.652 ms]	3.115 ms (70.3%)

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38
    dateFormat X
    axisFormat %s
section baseline
no_agent (37.416 ms) : 37108, 37723
.   : milestone, 37416,
appsec (48.292 ms) : 47849, 48734
.   : milestone, 48292,
code_origins (44.777 ms) : 44394, 45159
.   : milestone, 44777,
iast (43.814 ms) : 43438, 44190
.   : milestone, 43814,
profiling (47.847 ms) : 47398, 48295
.   : milestone, 47847,
tracing (44.81 ms) : 44436, 45183
.   : milestone, 44810,
section candidate
no_agent (38.417 ms) : 38107, 38726
.   : milestone, 38417,
appsec (49.229 ms) : 48786, 49671
.   : milestone, 49229,
code_origins (44.818 ms) : 44440, 45196
.   : milestone, 44818,
iast (44.904 ms) : 44515, 45294
.   : milestone, 44904,
profiling (48.154 ms) : 47691, 48618
.   : milestone, 48154,
tracing (43.225 ms) : 42856, 43594
.   : milestone, 43225,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	37.416 ms [37.108 ms, 37.723 ms]	-
appsec	48.292 ms [47.849 ms, 48.734 ms]	10.876 ms (29.1%)
code_origins	44.777 ms [44.394 ms, 45.159 ms]	7.361 ms (19.7%)
iast	43.814 ms [43.438 ms, 44.19 ms]	6.399 ms (17.1%)
profiling	47.847 ms [47.398 ms, 48.295 ms]	10.431 ms (27.9%)
tracing	44.81 ms [44.436 ms, 45.183 ms]	7.394 ms (19.8%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	38.417 ms [38.107 ms, 38.726 ms]	-
appsec	49.229 ms [48.786 ms, 49.671 ms]	10.812 ms (28.1%)
code_origins	44.818 ms [44.44 ms, 45.196 ms]	6.402 ms (16.7%)
iast	44.904 ms [44.515 ms, 45.294 ms]	6.488 ms (16.9%)
profiling	48.154 ms [47.691 ms, 48.618 ms]	9.738 ms (25.3%)
tracing	43.225 ms [42.856 ms, 43.594 ms]	4.809 ms (12.5%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/Optimize-IAST-Vulnerability-Detection
git_commit_date	1751531069	1751534741
git_commit_sha	`1666056`	cde392dc87
release_version	1.51.0-SNAPSHOT~1666056a38	1.51.0-SNAPSHOT~9cde392dc87

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1751536185	1751536185
ci_job_id	1011704693	1011704693
ci_pipeline_id	69533740	69533740
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-5-jmoqmp0l 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-5-jmoqmp0l 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38
    dateFormat X
    axisFormat %s
section baseline
no_agent (14.927 s) : 14927000, 14927000
.   : milestone, 14927000,
appsec (14.819 s) : 14819000, 14819000
.   : milestone, 14819000,
iast (18.513 s) : 18513000, 18513000
.   : milestone, 18513000,
iast_GLOBAL (18.133 s) : 18133000, 18133000
.   : milestone, 18133000,
profiling (15.322 s) : 15322000, 15322000
.   : milestone, 15322000,
tracing (14.908 s) : 14908000, 14908000
.   : milestone, 14908000,
section candidate
no_agent (15.635 s) : 15635000, 15635000
.   : milestone, 15635000,
appsec (15.011 s) : 15011000, 15011000
.   : milestone, 15011000,
iast (18.583 s) : 18583000, 18583000
.   : milestone, 18583000,
iast_GLOBAL (17.844 s) : 17844000, 17844000
.   : milestone, 17844000,
profiling (15.248 s) : 15248000, 15248000
.   : milestone, 15248000,
tracing (14.941 s) : 14941000, 14941000
.   : milestone, 14941000,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	14.927 s [14.927 s, 14.927 s]	-
appsec	14.819 s [14.819 s, 14.819 s]	-108.0 ms (-0.7%)
iast	18.513 s [18.513 s, 18.513 s]	3.586 s (24.0%)
iast_GLOBAL	18.133 s [18.133 s, 18.133 s]	3.206 s (21.5%)
profiling	15.322 s [15.322 s, 15.322 s]	395.0 ms (2.6%)
tracing	14.908 s [14.908 s, 14.908 s]	-19.0 ms (-0.1%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.635 s [15.635 s, 15.635 s]	-
appsec	15.011 s [15.011 s, 15.011 s]	-624.0 ms (-4.0%)
iast	18.583 s [18.583 s, 18.583 s]	2.948 s (18.9%)
iast_GLOBAL	17.844 s [17.844 s, 17.844 s]	2.209 s (14.1%)
profiling	15.248 s [15.248 s, 15.248 s]	-387.0 ms (-2.5%)
tracing	14.941 s [14.941 s, 14.941 s]	-694.0 ms (-4.4%)

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.481 ms) : 1469, 1492
.   : milestone, 1481,
appsec (2.419 ms) : 2370, 2469
.   : milestone, 2419,
iast (2.21 ms) : 2147, 2273
.   : milestone, 2210,
iast_GLOBAL (2.258 ms) : 2195, 2321
.   : milestone, 2258,
profiling (2.065 ms) : 2014, 2117
.   : milestone, 2065,
tracing (2.035 ms) : 1986, 2084
.   : milestone, 2035,
section candidate
no_agent (1.482 ms) : 1471, 1494
.   : milestone, 1482,
appsec (2.421 ms) : 2371, 2471
.   : milestone, 2421,
iast (2.205 ms) : 2142, 2268
.   : milestone, 2205,
iast_GLOBAL (2.255 ms) : 2192, 2318
.   : milestone, 2255,
profiling (2.064 ms) : 2013, 2116
.   : milestone, 2064,
tracing (2.033 ms) : 1984, 2082
.   : milestone, 2033,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.481 ms [1.469 ms, 1.492 ms]	-
appsec	2.419 ms [2.37 ms, 2.469 ms]	938.858 µs (63.4%)
iast	2.21 ms [2.147 ms, 2.273 ms]	729.013 µs (49.2%)
iast_GLOBAL	2.258 ms [2.195 ms, 2.321 ms]	777.103 µs (52.5%)
profiling	2.065 ms [2.014 ms, 2.117 ms]	584.737 µs (39.5%)
tracing	2.035 ms [1.986 ms, 2.084 ms]	554.592 µs (37.5%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.482 ms [1.471 ms, 1.494 ms]	-
appsec	2.421 ms [2.371 ms, 2.471 ms]	938.962 µs (63.3%)
iast	2.205 ms [2.142 ms, 2.268 ms]	722.555 µs (48.7%)
iast_GLOBAL	2.255 ms [2.192 ms, 2.318 ms]	772.202 µs (52.1%)
profiling	2.064 ms [2.013 ms, 2.116 ms]	581.875 µs (39.3%)
tracing	2.033 ms [1.984 ms, 2.082 ms]	550.484 µs (37.1%)

…ad/OverheadController.java Co-authored-by: datadog-datadog-prod-us1[bot] <88084959+datadog-datadog-prod-us1[bot]@users.noreply.github.com>

…lity-Detection

github-actions · 2025-06-03T11:11:17Z

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

…lity-Detection

manuel-alvarez-alvarez · 2025-06-26T08:47:26Z

+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class IastSamplingController {


Can we introduce a test with different code paths that can be controlled though query/path parameters?, the order in which we trigger vulns is always deterministic and it would be nice to also test with some variability.

…lity-Detection

smola

I'd like an extra reviewer on this.
On the startup time regression: I think we can accept the 1ms startup regression for IAST in pet clinic. It does not affect scenarios other than DD_IAST_ENABLED=true, and the improved detection rate here is worth it.

manuel-alvarez-alvarez · 2025-07-03T08:07:14Z

+    ]
+  }
+
+  void 'test'() {


Can you improve the name of the test?

manuel-alvarez-alvarez · 2025-07-03T08:09:58Z

+    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == 'differentVulns' && vul.evidence.value == 'RIPEMD128'}
+
+    //TODO the current algorithm is not able to detect all the vulnerabilities in the same endpoint if those vulnerabilities are not present in all requests. We need to improve it.
+    //hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == 'differentVulns' && vul.evidence.value == 'MD2'}


Was this discussed in the working group?, I did wonder if the same behavior happens in other tracers or its just our implementation.

Yes, there is a discussion in the working group slack channel and also was mentioned in the last meeting. It should happen in al the tracer as is an algorithm issue not an implementation one.

manuel-alvarez-alvarez

LGTM, but we have to discuss in the working group the issue about the algorithm degrading when the codepaths can change.

…lity-Detection

| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [com.google.errorprone:error_prone_annotations](https://errorprone.info) ([source](https://github.com/google/error-prone)) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.39.0` -> `2.40.0` | | [org.apache.commons:commons-lang3](https://commons.apache.org/proper/commons-lang/) ([source](https://gitbox.apache.org/repos/asf/commons-lang.git)) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `3.17.0` -> `3.18.0` | | [org.jetbrains.kotlinx.binary-compatibility-validator](https://github.com/Kotlin/binary-compatibility-validator) | plugin | misk/gradle/libs.versions.toml | gradle | patch | `0.18.0` -> `0.18.1` | | [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.50.1` -> `1.51.0` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | --- ### Release Notes <details> <summary>google/error-prone (com.google.errorprone:error_prone_annotations)</summary> ### [`v2.40.0`](https://github.com/google/error-prone/releases/tag/v2.40.0): Error Prone 2.40.0 Changes: - Bug fixes and improvements - Releases (including snapshots) have migrated from [OSSRH to the Central Publisher Portal](https://central.sonatype.org/pages/ossrh-eol/#process-to-migrate) Full changelog: google/error-prone@v2.39.0...v2.40.0 </details> <details> <summary>Kotlin/binary-compatibility-validator (org.jetbrains.kotlinx.binary-compatibility-validator)</summary> ### [`v0.18.1`](https://github.com/Kotlin/binary-compatibility-validator/releases/tag/0.18.1) [Compare Source](Kotlin/binary-compatibility-validator@0.18.0...0.18.1) #### What's Changed - Fixed a bug preventing use of cross-compilation support during KLIB dump validation \[[#304](https://github.com/Kotlin/binary-compatibility-validator/issues/304)]\[[#306](https://github.com/Kotlin/binary-compatibility-validator/issues/306)] </details> <details> <summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary> ### [`v1.51.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.51.0): 1.51.0 ### Components #### Application Security Management (IAST) - 🐛 Fix verify error when ctor params are used after a call site ([#9083](DataDog/dd-trace-java#9083) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - 🐛 Limit the maximum size of the location path in IAST vulnerabilities ([#9028](DataDog/dd-trace-java#9028) - [@jandro996](https://github.com/jandro996)) - 🐛 Fix IAST gRPC handler with null superclass ([#8984](DataDog/dd-trace-java#8984) - [@smola](https://github.com/smola)) - ✨ Optimize IAST Vulnerability Detection ([#8885](DataDog/dd-trace-java#8885) - [@jandro996](https://github.com/jandro996)) #### Application Security Management (WAF) - ✨ Upgrade libddwaf-java to 15.0.0 ([#9022](DataDog/dd-trace-java#9022) - [@sezen-datadog](https://github.com/sezen-datadog)) - ✨ Extract RestEasy json body response schemas ([#9015](DataDog/dd-trace-java#9015) - [@jandro996](https://github.com/jandro996)) - ✨ Extract Jersey json body response schemas ([#9014](DataDog/dd-trace-java#9014) - [@jandro996](https://github.com/jandro996)) - ✨ Extract Ratpack json body response schemas ([#9013](DataDog/dd-trace-java#9013) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Enable API Security by default and make it lazy loading ([#9009](DataDog/dd-trace-java#9009) - [@smola](https://github.com/smola)) - ✨ Extract Vert.x json body response schemas ([#9001](DataDog/dd-trace-java#9001) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Extract Play json body response schemas ([#8995](DataDog/dd-trace-java#8995) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - 🐛 Fix Jackson nodes introspection for request/response schema extraction ([#8980](DataDog/dd-trace-java#8980) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Extract Spring json body response schemas ([#8938](DataDog/dd-trace-java#8938) - [@sezen-datadog](https://github.com/sezen-datadog)) - ✨ Default obfuscation regexp update ([#8937](DataDog/dd-trace-java#8937) - [@sezen-datadog](https://github.com/sezen-datadog)) #### Build & Tooling - ✨ Cancel GitLab running pipeline on new PR push ([#9023](DataDog/dd-trace-java#9023) - [@PerfectSlayer](https://github.com/PerfectSlayer)) - ✨ Migrate publishing to Maven Central Portal ([#8807](DataDog/dd-trace-java#8807) - [@sarahchen6](https://github.com/sarahchen6)) #### Continuous Integration Visibility - 🐛 Fix Test Optimization to work with JDK 24 ([#9114](DataDog/dd-trace-java#9114) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Add repo root as safe directory on git client creation ([#9033](DataDog/dd-trace-java#9033) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Add PR number tag and improve PR information building ([#8990](DataDog/dd-trace-java#8990) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Update impacted tests logic ([#8923](DataDog/dd-trace-java#8923) - [@daniel-mohedano](https://github.com/daniel-mohedano)) #### Data Streams Monitoring - 🧹 Clean up DSM context injection ([#8776](DataDog/dd-trace-java#8776) - [@PerfectSlayer](https://github.com/PerfectSlayer)) #### Database Monitoring - 🐛 Set trace\_injected in try block ([#9025](DataDog/dd-trace-java#9025) - [@natashadada](https://github.com/natashadada)) #### Dynamic Instrumentation - 🐛 Add source file tracking enable option ([#9115](DataDog/dd-trace-java#9115) - [@jpbempel](https://github.com/jpbempel)) - ✨ Add java.util.Date support ([#9111](DataDog/dd-trace-java#9111) - [@jpbempel](https://github.com/jpbempel)) - ✨ Update file probe format ([#9047](DataDog/dd-trace-java#9047) - [@jpbempel](https://github.com/jpbempel)) - ✨ add safe local var hoisting ([#9034](DataDog/dd-trace-java#9034) - [@jpbempel](https://github.com/jpbempel)) - 🧹 Add new config for debugger upload interval ([#8959](DataDog/dd-trace-java#8959) - [@jpbempel](https://github.com/jpbempel)) - ✨ Enable Code Origin with Dynamic instrumentation ([#8940](DataDog/dd-trace-java#8940) - [@jpbempel](https://github.com/jpbempel)) #### ML Observability (LLMObs) - 💡 LLM Observability SDK ([#8781](DataDog/dd-trace-java#8781) - [@gary-huang](https://github.com/gary-huang), [@nayeem-kamal](https://github.com/nayeem-kamal)) #### Metrics - 🐛 Ensure client stat reporter is started when the agent is not available at bootstrap ([#9082](DataDog/dd-trace-java#9082) - [@amarziali](https://github.com/amarziali)) - ✨ Create metric: appsec.waf.config\_errors ([#8394](DataDog/dd-trace-java#8394) - [@sezen-datadog](https://github.com/sezen-datadog)) #### Platform components - ✨ Introduce environment component ([#9071](DataDog/dd-trace-java#9071) - [@PerfectSlayer](https://github.com/PerfectSlayer)) #### Profiling - 🐛 Remove annoying warning for smap event parsing ([#9119](DataDog/dd-trace-java#9119) - [@jbachorik](https://github.com/jbachorik)) - 🐛 Fix ByteCountingInputStream when reading past EOF ([#8988](DataDog/dd-trace-java#8988) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Realtime User Monitoring - ✨ Add RUM SDK injection for servlet based web servers ([#9110](DataDog/dd-trace-java#9110) - [@PerfectSlayer](https://github.com/PerfectSlayer) [@amarziali](https://github.com/amarziali)) #### Telemetry - ✨ Update the config origin metric to match what it's mapping ([#9045](DataDog/dd-trace-java#9045) - [@sezen-datadog](https://github.com/sezen-datadog)) #### Testing - ✨ Add testing for latest stable version (JDK 24) ([#8875](DataDog/dd-trace-java#8875) - [@sarahchen6](https://github.com/sarahchen6)) #### Trace context propagation - 🐛 Fix bug with dropping baggage when `TracePropagationBehaviorExtract=IGNORE` ([#9037](DataDog/dd-trace-java#9037) - [@mhlidd](https://github.com/mhlidd)) - 🐛 Fix ArrayIndexOutOfBoundsException in PercentEscaper ([#9032](DataDog/dd-trace-java#9032) - [@mhlidd](https://github.com/mhlidd)) #### Tracer core - 🐛 Fix `Error` handling for trace interceptors ([#9097](DataDog/dd-trace-java#9097) - [@AlexeyKuznetsov-DD](https://github.com/AlexeyKuznetsov-DD)) - 💡 Add wildcard feature for `DD_TRACE_HEADER_TAGS` and enabling for Http Response headers ([#9067](DataDog/dd-trace-java#9067) - [@mhlidd](https://github.com/mhlidd)) #### Tracer public API - 💡 Add LLM Observability SDK ([#8781](DataDog/dd-trace-java#8781) - [@gary-huang](https://github.com/gary-huang)) ### Instrumentations #### Akka instrumentation - 🐛 Fix NPE in akka-http and pekko-http integrations ([#9019](DataDog/dd-trace-java#9019) - [@mcculls](https://github.com/mcculls)) #### Eclipse Vert.x instrumentation - ✨ Extract Vert.x json body response schemas ([#9001](DataDog/dd-trace-java#9001) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Write http.route tag as soon as possible in vert.x ([#8952](DataDog/dd-trace-java#8952) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### JAX-WS instrumentation - 💡⚠️ Enable jax-ws integration by default ([#9030](DataDog/dd-trace-java#9030) - [@bm1549](https://github.com/bm1549)) - ✨ Extract Jersey json body response schemas ([#9014](DataDog/dd-trace-java#9014) - [@jandro996](https://github.com/jandro996)) #### Mule instrumentation - 🐛 Propagate grizzly http span in filters if nothing is active ([#9016](DataDog/dd-trace-java#9016) - [@amarziali](https://github.com/amarziali)) #### Play Framework instrumentation - ✨ Extract Play json body response schemas ([#8995](DataDog/dd-trace-java#8995) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Ratpack instrumentation - ✨ Extract Ratpack json body response schemas ([#9013](DataDog/dd-trace-java#9013) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Spring instrumentation - ✨ Extract Spring json body response schemas ([#8938](DataDog/dd-trace-java#8938) - [@sezen-datadog](https://github.com/sezen-datadog)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: 649b690d4c9d7dcb572c457f0802b42b8e3e682e

What Does This Do Implements the new algorithm for detecting IAST vulnerabilities, where vulnerabilities that were already explored in previous runs for a given endpoint are skipped, ensuring that all remaining ones are eventually explored. This addresses the current limitation where only the first matching vulnerabilities are consistently reported, causing others to remain hidden. Changes to OverheadContext The OverheadContext class has been extended to support three separate tracking maps: globalMap Used to track vulnerability detection counts per endpoint across all requests. Keys are strings combining the request method and route (GET /login, POST /submit, etc.). Values are maps from vulnerabilityType → int (count of occurrences). Capped at 4,096 entries using a clear‐on‐overflow strategy, to ensure bounded memory usage. Oldest entries are cleared once the limit is reached. copyMap Created per request to copy the global counts at the start of the request, ensuring a consistent baseline to compare against throughout the lifecycle of the request. requestMap Tracks vulnerability type counts within the request. An additional field, isGlobal, has been added to indicate whether the context is global or request-scoped. If isGlobal is true, the maps are not used, and quota checks proceed using the global strategy only. A new method, resetMaps(), has been added to update globalMap when the request ends and vulnerability data has been reported. Two scenarios are supported: Case 1: Budget not fully used → The entry for the endpoint in globalMap is cleared, since the request stayed within budget. Case 2: Budget fully used → The counts from requestMap are compared to those in copyMap. For each vulnerability type, if the value in requestMap is greater, it is used to update the corresponding entry in globalMap. Changes to OverheadController The method consumeQuota() has been extended to receive a vulnerabilityType and modified to support the new logic: If an OverheadContext is present and not global, and there is remaining quota and a valid span, the controller now invokes a new method maybeSkipVulnerability() to determine whether quota should actually be consumed or not, based on endpoint-specific history. It's better to check the Algorithm execution example flow diagram to understand how this should work Changes to IastRequestContext In releaseRequestContext(), the request now calls resetMaps() on the associated OverheadContext, ensuring globalMap is updated at the end of each request. Motivation [RFC-1029] Optimizing IAST Vulnerability Detection implementation Additional Notes java tracer needs to implement also [RFC-1029-A1] Solution for dynamic http routes (cherry picked from commit 99ecab7)

datadog-datadog-prod-us1 Bot reviewed May 26, 2025

View reviewed changes

wip

416dbae

jandro996 force-pushed the alejandro.gonzalez/Optimize-IAST-Vulnerability-Detection branch from 600341f to 416dbae Compare May 30, 2025 10:34

jandro996 and others added 2 commits June 2, 2025 11:30

wip

ea49404

Update dd-java-agent/agent-iast/src/main/java/com/datadog/iast/overhe…

61319c9

…ad/OverheadController.java Co-authored-by: datadog-datadog-prod-us1[bot] <88084959+datadog-datadog-prod-us1[bot]@users.noreply.github.com>

jandro996 commented Jun 2, 2025

View reviewed changes

Comment thread dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/HttpResponseHeaderModuleImpl.java Outdated

jandro996 commented Jun 2, 2025

View reviewed changes

Comment thread ...s/springboot/src/test/groovy/datadog/smoketest/IastOverheadControlSpringBootSmokeTest.groovy

jandro996 added 4 commits June 2, 2025 11:45

wip

b22b445

wip

472547c

Merge branch 'master' into alejandro.gonzalez/Optimize-IAST-Vulnerabi…

0921d3d

…lity-Detection

wip

97d2a10

jandro996 marked this pull request as ready for review June 3, 2025 11:11

jandro996 requested a review from a team as a code owner June 3, 2025 11:11

jandro996 requested review from robertpi and smola June 3, 2025 11:11

jandro996 requested a review from manuel-alvarez-alvarez June 3, 2025 11:11

jandro996 added type: enhancement Enhancements and improvements comp: asm iast Application Security Management (IAST) labels Jun 3, 2025

wip

b0e2a61

smola requested changes Jun 3, 2025

View reviewed changes

jandro996 added 7 commits June 3, 2025 14:58

change approach in smoke test to check evidence instead of lines

b345cc0

remove todo

46dea01

reuse span.getLocalRootSpan();

4dc2e87

change data types to improve performance

96c0003

wip

1ed6931

wip

21458cf

wip

1ff5c57

jandro996 requested a review from smola June 5, 2025 09:46

wip

5a13cfe

jandro996 requested a review from manuel-alvarez-alvarez June 26, 2025 05:59

Merge branch 'master' into alejandro.gonzalez/Optimize-IAST-Vulnerabi…

534bd7c

…lity-Detection

smola reviewed Jun 26, 2025

View reviewed changes

Comment thread dd-java-agent/agent-iast/src/main/java/com/datadog/iast/overhead/OverheadContext.java Outdated

Comment thread dd-java-agent/agent-iast/src/main/java/com/datadog/iast/overhead/OverheadContext.java Outdated

manuel-alvarez-alvarez reviewed Jun 26, 2025

View reviewed changes

jandro996 added 4 commits June 26, 2025 12:59

fix global map

b7ebe05

WIP

18c73ce

WIP - Not working tests

6eec036

WIP

67080d7

jandro996 requested review from manuel-alvarez-alvarez and smola June 27, 2025 09:54

smola requested changes Jun 27, 2025

View reviewed changes

jandro996 added 2 commits June 27, 2025 13:14

Improve performance avoiding extra calls to maps

2f1d08f

leftovers

7b0bd85

jandro996 requested a review from smola June 27, 2025 11:40

jandro996 added 2 commits July 1, 2025 11:23

improve performance

e0cc794

Merge branch 'master' into alejandro.gonzalez/Optimize-IAST-Vulnerabi…

ffe3efc

…lity-Detection

smola reviewed Jul 1, 2025

View reviewed changes

manuel-alvarez-alvarez reviewed Jul 3, 2025

View reviewed changes

manuel-alvarez-alvarez approved these changes Jul 3, 2025

View reviewed changes

jandro996 added 2 commits July 3, 2025 11:15

fix naming

3b39517

Merge branch 'master' into alejandro.gonzalez/Optimize-IAST-Vulnerabi…

9cde392

…lity-Detection

smola approved these changes Jul 3, 2025

View reviewed changes

jandro996 merged commit 99ecab7 into master Jul 3, 2025
508 checks passed

jandro996 deleted the alejandro.gonzalez/Optimize-IAST-Vulnerability-Detection branch July 3, 2025 11:27

github-actions Bot added this to the 1.51.0 milestone Jul 3, 2025

sarahchen6 mentioned this pull request Jul 24, 2025

🍒 8885, 8952 - Optimize IAST Vulnerability Detection... #9241

Closed

Sunbelt Computer Software

PL/B Language Development and Support

Uh oh!

Conversation

jandro996 commented May 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What Does This Do

Changes to OverheadContext

Changes to OverheadController

Changes to IastRequestContext

Motivation

Additional Notes

Contributor Checklist

Uh oh!

Uh oh!

Uh oh!

Uh oh!

pr-commenter Bot commented May 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Benchmarks

Startup

Parameters

Summary

Load

Parameters

Summary

Dacapo

Parameters

Summary

Uh oh!

Uh oh!

Uh oh!

github-actions Bot commented Jun 3, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

manuel-alvarez-alvarez Jun 26, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

smola left a comment

Choose a reason for hiding this comment

Uh oh!

manuel-alvarez-alvarez Jul 3, 2025

Choose a reason for hiding this comment

Uh oh!

manuel-alvarez-alvarez Jul 3, 2025

Choose a reason for hiding this comment

Uh oh!

jandro996 Jul 3, 2025

Choose a reason for hiding this comment

Uh oh!

manuel-alvarez-alvarez left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

jandro996 commented May 26, 2025 •

edited

Loading

pr-commenter Bot commented May 29, 2025 •

edited

Loading