iframe-proxy

manuel-alvarez-alvarez · 2025-06-17T17:28:20Z

What Does This Do

Adds response body extraction for Vert.x JSON endpoints to enable automatic API schema discovery and protection by the Web Application Firewall (WAF). Support is for Vert.x >= 4.x (leverages new JSON response API introduced in v4.x)

Motivation

Additional Notes

Contributor Checklist

Format the title according the contribution guidelines
Assign the type: and (comp: or inst:) labels in addition to any usefull labels
Don't use close, fix or any linking keywords when referencing an issue.
Use solves instead, and assign the PR milestone to the issue
Update the CODEOWNERS file on source file addition, move, or deletion
Update the public documentation in case of new configuration flag or behavior

Jira ticket: APPSEC-57920

pr-commenter · 2025-06-17T17:40:39Z

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	malvarez/vertx-response-extraction
git_commit_date	1750835724	1750835738
git_commit_sha	`c065926`	`bd96ea3`
release_version	1.51.0-SNAPSHOT~c0659266e2	1.51.0-SNAPSHOT~bd96ea3c17

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1750837559	1750837559
ci_job_id	997274119	997274119
ci_pipeline_id	68693975	68693975
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-bziamzy-project-304-concurrent-0-89rzjbj2 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-bziamzy-project-304-concurrent-0-89rzjbj2 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module	Agent	Agent
parent	None	None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 41 metrics, 12 unstable metrics.

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.51.0-SNAPSHOT~bd96ea3c17, baseline=1.51.0-SNAPSHOT~c0659266e2

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (994.126 ms) : 0, 994126
Total [baseline] (8.536 s) : 0, 8535539
Agent [candidate] (994.702 ms) : 0, 994702
Total [candidate] (8.515 s) : 0, 8515458
section iast
Agent [baseline] (1.144 s) : 0, 1144073
Total [baseline] (9.349 s) : 0, 9348730
Agent [candidate] (1.147 s) : 0, 1146764
Total [candidate] (9.254 s) : 0, 9254274

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	994.126 ms	-
Agent	iast	1.144 s	149.946 ms (15.1%)
Total	tracing	8.536 s	-
Total	iast	9.349 s	813.191 ms (9.5%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	994.702 ms	-
Agent	iast	1.147 s	152.063 ms (15.3%)
Total	tracing	8.515 s	-
Total	iast	9.254 s	738.816 ms (8.7%)

gantt
    title insecure-bank - break down per module: candidate=1.51.0-SNAPSHOT~bd96ea3c17, baseline=1.51.0-SNAPSHOT~c0659266e2

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (686.143 ms) : 0, 686143
BytebuddyAgent [candidate] (686.132 ms) : 0, 686132
GlobalTracer [baseline] (242.212 ms) : 0, 242212
GlobalTracer [candidate] (242.095 ms) : 0, 242095
AppSec [baseline] (30.05 ms) : 0, 30050
AppSec [candidate] (30.037 ms) : 0, 30037
Debugger [baseline] (6.056 ms) : 0, 6056
Debugger [candidate] (6.097 ms) : 0, 6097
Remote Config [baseline] (650.152 µs) : 0, 650
Remote Config [candidate] (660.364 µs) : 0, 660
Telemetry [baseline] (8.214 ms) : 0, 8214
Telemetry [candidate] (8.812 ms) : 0, 8812
section iast
BytebuddyAgent [baseline] (818.16 ms) : 0, 818160
BytebuddyAgent [candidate] (819.609 ms) : 0, 819609
GlobalTracer [baseline] (234.466 ms) : 0, 234466
GlobalTracer [candidate] (235.459 ms) : 0, 235459
AppSec [baseline] (27.207 ms) : 0, 27207
AppSec [candidate] (26.261 ms) : 0, 26261
Debugger [baseline] (5.929 ms) : 0, 5929
Debugger [candidate] (5.915 ms) : 0, 5915
Remote Config [baseline] (593.224 µs) : 0, 593
Remote Config [candidate] (598.121 µs) : 0, 598
Telemetry [baseline] (8.083 ms) : 0, 8083
Telemetry [candidate] (8.945 ms) : 0, 8945
IAST [baseline] (28.626 ms) : 0, 28626
IAST [candidate] (28.914 ms) : 0, 28914

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.51.0-SNAPSHOT~bd96ea3c17, baseline=1.51.0-SNAPSHOT~c0659266e2

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (994.002 ms) : 0, 994002
Total [baseline] (10.641 s) : 0, 10641351
Agent [candidate] (992.05 ms) : 0, 992050
Total [candidate] (10.646 s) : 0, 10646449
section appsec
Agent [baseline] (1.17 s) : 0, 1169663
Total [baseline] (10.685 s) : 0, 10685253
Agent [candidate] (1.183 s) : 0, 1182625
Total [candidate] (10.779 s) : 0, 10779350
section iast
Agent [baseline] (1.127 s) : 0, 1127300
Total [baseline] (10.854 s) : 0, 10853831
Agent [candidate] (1.137 s) : 0, 1136526
Total [candidate] (10.866 s) : 0, 10865714
section profiling
Agent [baseline] (1.239 s) : 0, 1239313
Total [baseline] (11.055 s) : 0, 11055120
Agent [candidate] (1.244 s) : 0, 1243615
Total [candidate] (11.102 s) : 0, 11102328

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	994.002 ms	-
Agent	appsec	1.17 s	175.661 ms (17.7%)
Agent	iast	1.127 s	133.299 ms (13.4%)
Agent	profiling	1.239 s	245.312 ms (24.7%)
Total	tracing	10.641 s	-
Total	appsec	10.685 s	43.902 ms (0.4%)
Total	iast	10.854 s	212.48 ms (2.0%)
Total	profiling	11.055 s	413.769 ms (3.9%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	992.05 ms	-
Agent	appsec	1.183 s	190.575 ms (19.2%)
Agent	iast	1.137 s	144.476 ms (14.6%)
Agent	profiling	1.244 s	251.565 ms (25.4%)
Total	tracing	10.646 s	-
Total	appsec	10.779 s	132.901 ms (1.2%)
Total	iast	10.866 s	219.265 ms (2.1%)
Total	profiling	11.102 s	455.878 ms (4.3%)

gantt
    title petclinic - break down per module: candidate=1.51.0-SNAPSHOT~bd96ea3c17, baseline=1.51.0-SNAPSHOT~c0659266e2

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (685.804 ms) : 0, 685804
BytebuddyAgent [candidate] (684.815 ms) : 0, 684815
GlobalTracer [baseline] (242.708 ms) : 0, 242708
GlobalTracer [candidate] (241.655 ms) : 0, 241655
AppSec [baseline] (29.767 ms) : 0, 29767
AppSec [candidate] (29.861 ms) : 0, 29861
Debugger [baseline] (6.026 ms) : 0, 6026
Debugger [candidate] (6.059 ms) : 0, 6059
Remote Config [baseline] (642.662 µs) : 0, 643
Remote Config [candidate] (654.877 µs) : 0, 655
Telemetry [baseline] (8.126 ms) : 0, 8126
Telemetry [candidate] (8.088 ms) : 0, 8088
section appsec
BytebuddyAgent [baseline] (707.829 ms) : 0, 707829
BytebuddyAgent [candidate] (717.155 ms) : 0, 717155
GlobalTracer [baseline] (234.956 ms) : 0, 234956
GlobalTracer [candidate] (237.696 ms) : 0, 237696
AppSec [baseline] (169.545 ms) : 0, 169545
AppSec [candidate] (169.839 ms) : 0, 169839
Debugger [baseline] (5.883 ms) : 0, 5883
Debugger [candidate] (5.926 ms) : 0, 5926
Remote Config [baseline] (598.721 µs) : 0, 599
Remote Config [candidate] (616.317 µs) : 0, 616
Telemetry [baseline] (8.127 ms) : 0, 8127
Telemetry [candidate] (8.311 ms) : 0, 8311
IAST [baseline] (21.932 ms) : 0, 21932
IAST [candidate] (22.132 ms) : 0, 22132
section iast
BytebuddyAgent [baseline] (805.121 ms) : 0, 805121
BytebuddyAgent [candidate] (811.84 ms) : 0, 811840
GlobalTracer [baseline] (232.15 ms) : 0, 232150
GlobalTracer [candidate] (234.147 ms) : 0, 234147
AppSec [baseline] (27.441 ms) : 0, 27441
AppSec [candidate] (26.676 ms) : 0, 26676
Debugger [baseline] (5.797 ms) : 0, 5797
Debugger [candidate] (5.825 ms) : 0, 5825
Remote Config [baseline] (578.318 µs) : 0, 578
Remote Config [candidate] (601.587 µs) : 0, 602
Telemetry [baseline] (7.796 ms) : 0, 7796
Telemetry [candidate] (7.869 ms) : 0, 7869
IAST [baseline] (27.648 ms) : 0, 27648
IAST [candidate] (28.647 ms) : 0, 28647
section profiling
BytebuddyAgent [baseline] (675.602 ms) : 0, 675602
BytebuddyAgent [candidate] (677.627 ms) : 0, 677627
GlobalTracer [baseline] (360.772 ms) : 0, 360772
GlobalTracer [candidate] (360.967 ms) : 0, 360967
AppSec [baseline] (30.876 ms) : 0, 30876
AppSec [candidate] (31.234 ms) : 0, 31234
Debugger [baseline] (11.77 ms) : 0, 11770
Debugger [candidate] (11.202 ms) : 0, 11202
Remote Config [baseline] (708.507 µs) : 0, 709
Remote Config [candidate] (657.076 µs) : 0, 657
Telemetry [baseline] (8.658 ms) : 0, 8658
Telemetry [candidate] (9.59 ms) : 0, 9590
ProfilingAgent [baseline] (102.309 ms) : 0, 102309
ProfilingAgent [candidate] (103.641 ms) : 0, 103641
Profiling [baseline] (102.335 ms) : 0, 102335
Profiling [candidate] (103.666 ms) : 0, 103666

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	malvarez/vertx-response-extraction
git_commit_date	1750835724	1750835738
git_commit_sha	`c065926`	`bd96ea3`
release_version	1.51.0-SNAPSHOT~c0659266e2	1.51.0-SNAPSHOT~bd96ea3c17

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1750837237	1750837237
ci_job_id	997274120	997274120
ci_pipeline_id	68693975	68693975
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-vaym2f8s-project-304-concurrent-0-t95sgjje 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-vaym2f8s-project-304-concurrent-0-t95sgjje 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 2 performance regressions! Performance is the same for 10 metrics, 12 unstable metrics.

scenario	Δ mean http_req_duration	Δ mean throughput	candidate mean http_req_duration	candidate mean throughput	baseline mean http_req_duration	baseline mean throughput
scenario:load:insecure-bank:no_agent:high_load	worse [+101.228µs; +220.553µs] or [+2.297%; +5.006%]	unstable [-140.910op/s; +69.660op/s] or [-13.531%; +6.689%]	4.567ms	1005.750op/s	4.406ms	1041.375op/s
scenario:load:petclinic:profiling:high_load	worse [+2.182ms; +3.183ms] or [+4.555%; +6.643%]	unstable [-11.939op/s; +1.664op/s] or [-12.225%; +1.704%]	50.590ms	92.525op/s	47.908ms	97.662op/s

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~bd96ea3c17, baseline=1.51.0-SNAPSHOT~c0659266e2
    dateFormat X
    axisFormat %s
section baseline
no_agent (4.406 ms) : 4347, 4465
.   : milestone, 4406,
iast (8.979 ms) : 8836, 9123
.   : milestone, 8979,
iast_FULL (13.91 ms) : 13638, 14181
.   : milestone, 13910,
iast_GLOBAL (9.8 ms) : 9614, 9987
.   : milestone, 9800,
profiling (8.313 ms) : 8173, 8454
.   : milestone, 8313,
tracing (7.783 ms) : 7670, 7896
.   : milestone, 7783,
section candidate
no_agent (4.567 ms) : 4515, 4619
.   : milestone, 4567,
iast (9.06 ms) : 8910, 9210
.   : milestone, 9060,
iast_FULL (13.623 ms) : 13355, 13890
.   : milestone, 13623,
iast_GLOBAL (9.831 ms) : 9662, 10000
.   : milestone, 9831,
profiling (8.526 ms) : 8392, 8661
.   : milestone, 8526,
tracing (7.59 ms) : 7476, 7704
.   : milestone, 7590,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	4.406 ms [4.347 ms, 4.465 ms]	-
iast	8.979 ms [8.836 ms, 9.123 ms]	4.573 ms (103.8%)
iast_FULL	13.91 ms [13.638 ms, 14.181 ms]	9.504 ms (215.7%)
iast_GLOBAL	9.8 ms [9.614 ms, 9.987 ms]	5.394 ms (122.4%)
profiling	8.313 ms [8.173 ms, 8.454 ms]	3.907 ms (88.7%)
tracing	7.783 ms [7.67 ms, 7.896 ms]	3.377 ms (76.6%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	4.567 ms [4.515 ms, 4.619 ms]	-
iast	9.06 ms [8.91 ms, 9.21 ms]	4.493 ms (98.4%)
iast_FULL	13.623 ms [13.355 ms, 13.89 ms]	9.056 ms (198.3%)
iast_GLOBAL	9.831 ms [9.662 ms, 10.0 ms]	5.264 ms (115.3%)
profiling	8.526 ms [8.392 ms, 8.661 ms]	3.96 ms (86.7%)
tracing	7.59 ms [7.476 ms, 7.704 ms]	3.023 ms (66.2%)

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~bd96ea3c17, baseline=1.51.0-SNAPSHOT~c0659266e2
    dateFormat X
    axisFormat %s
section baseline
no_agent (36.579 ms) : 36283, 36875
.   : milestone, 36579,
appsec (47.264 ms) : 46835, 47692
.   : milestone, 47264,
code_origins (45.701 ms) : 45314, 46088
.   : milestone, 45701,
iast (43.208 ms) : 42838, 43577
.   : milestone, 43208,
profiling (47.908 ms) : 47455, 48360
.   : milestone, 47908,
tracing (43.866 ms) : 43482, 44251
.   : milestone, 43866,
section candidate
no_agent (37.118 ms) : 36820, 37416
.   : milestone, 37118,
appsec (46.73 ms) : 46309, 47151
.   : milestone, 46730,
code_origins (45.146 ms) : 44763, 45529
.   : milestone, 45146,
iast (42.842 ms) : 42466, 43219
.   : milestone, 42842,
profiling (50.59 ms) : 50114, 51067
.   : milestone, 50590,
tracing (43.974 ms) : 43611, 44337
.   : milestone, 43974,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	36.579 ms [36.283 ms, 36.875 ms]	-
appsec	47.264 ms [46.835 ms, 47.692 ms]	10.685 ms (29.2%)
code_origins	45.701 ms [45.314 ms, 46.088 ms]	9.122 ms (24.9%)
iast	43.208 ms [42.838 ms, 43.577 ms]	6.628 ms (18.1%)
profiling	47.908 ms [47.455 ms, 48.36 ms]	11.329 ms (31.0%)
tracing	43.866 ms [43.482 ms, 44.251 ms]	7.287 ms (19.9%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	37.118 ms [36.82 ms, 37.416 ms]	-
appsec	46.73 ms [46.309 ms, 47.151 ms]	9.612 ms (25.9%)
code_origins	45.146 ms [44.763 ms, 45.529 ms]	8.028 ms (21.6%)
iast	42.842 ms [42.466 ms, 43.219 ms]	5.725 ms (15.4%)
profiling	50.59 ms [50.114 ms, 51.067 ms]	13.473 ms (36.3%)
tracing	43.974 ms [43.611 ms, 44.337 ms]	6.856 ms (18.5%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	malvarez/vertx-response-extraction
git_commit_date	1750835724	1750835738
git_commit_sha	`c065926`	`bd96ea3`
release_version	1.51.0-SNAPSHOT~c0659266e2	1.51.0-SNAPSHOT~bd96ea3c17

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1750837747	1750837747
ci_job_id	997274121	997274121
ci_pipeline_id	68693975	68693975
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-6z7wq9aq-project-304-concurrent-0-a4h098bf 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-6z7wq9aq-project-304-concurrent-0-a4h098bf 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~bd96ea3c17, baseline=1.51.0-SNAPSHOT~c0659266e2
    dateFormat X
    axisFormat %s
section baseline
no_agent (14.883 s) : 14883000, 14883000
.   : milestone, 14883000,
appsec (14.617 s) : 14617000, 14617000
.   : milestone, 14617000,
iast (18.319 s) : 18319000, 18319000
.   : milestone, 18319000,
iast_GLOBAL (17.867 s) : 17867000, 17867000
.   : milestone, 17867000,
profiling (15.205 s) : 15205000, 15205000
.   : milestone, 15205000,
tracing (15.054 s) : 15054000, 15054000
.   : milestone, 15054000,
section candidate
no_agent (15.529 s) : 15529000, 15529000
.   : milestone, 15529000,
appsec (14.95 s) : 14950000, 14950000
.   : milestone, 14950000,
iast (18.283 s) : 18283000, 18283000
.   : milestone, 18283000,
iast_GLOBAL (17.863 s) : 17863000, 17863000
.   : milestone, 17863000,
profiling (15.915 s) : 15915000, 15915000
.   : milestone, 15915000,
tracing (14.601 s) : 14601000, 14601000
.   : milestone, 14601000,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	14.883 s [14.883 s, 14.883 s]	-
appsec	14.617 s [14.617 s, 14.617 s]	-266.0 ms (-1.8%)
iast	18.319 s [18.319 s, 18.319 s]	3.436 s (23.1%)
iast_GLOBAL	17.867 s [17.867 s, 17.867 s]	2.984 s (20.0%)
profiling	15.205 s [15.205 s, 15.205 s]	322.0 ms (2.2%)
tracing	15.054 s [15.054 s, 15.054 s]	171.0 ms (1.1%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.529 s [15.529 s, 15.529 s]	-
appsec	14.95 s [14.95 s, 14.95 s]	-579.0 ms (-3.7%)
iast	18.283 s [18.283 s, 18.283 s]	2.754 s (17.7%)
iast_GLOBAL	17.863 s [17.863 s, 17.863 s]	2.334 s (15.0%)
profiling	15.915 s [15.915 s, 15.915 s]	386.0 ms (2.5%)
tracing	14.601 s [14.601 s, 14.601 s]	-928.0 ms (-6.0%)

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~bd96ea3c17, baseline=1.51.0-SNAPSHOT~c0659266e2
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.483 ms) : 1471, 1495
.   : milestone, 1483,
appsec (2.408 ms) : 2359, 2456
.   : milestone, 2408,
iast (2.192 ms) : 2131, 2253
.   : milestone, 2192,
iast_GLOBAL (2.234 ms) : 2172, 2295
.   : milestone, 2234,
profiling (2.039 ms) : 1990, 2089
.   : milestone, 2039,
tracing (2.002 ms) : 1954, 2049
.   : milestone, 2002,
section candidate
no_agent (1.479 ms) : 1468, 1491
.   : milestone, 1479,
appsec (2.406 ms) : 2358, 2455
.   : milestone, 2406,
iast (2.189 ms) : 2128, 2250
.   : milestone, 2189,
iast_GLOBAL (2.239 ms) : 2178, 2301
.   : milestone, 2239,
profiling (2.029 ms) : 1980, 2078
.   : milestone, 2029,
tracing (2.021 ms) : 1974, 2069
.   : milestone, 2021,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.483 ms [1.471 ms, 1.495 ms]	-
appsec	2.408 ms [2.359 ms, 2.456 ms]	924.685 µs (62.4%)
iast	2.192 ms [2.131 ms, 2.253 ms]	709.086 µs (47.8%)
iast_GLOBAL	2.234 ms [2.172 ms, 2.295 ms]	750.686 µs (50.6%)
profiling	2.039 ms [1.99 ms, 2.089 ms]	556.266 µs (37.5%)
tracing	2.002 ms [1.954 ms, 2.049 ms]	518.647 µs (35.0%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.479 ms [1.468 ms, 1.491 ms]	-
appsec	2.406 ms [2.358 ms, 2.455 ms]	927.144 µs (62.7%)
iast	2.189 ms [2.128 ms, 2.25 ms]	709.651 µs (48.0%)
iast_GLOBAL	2.239 ms [2.178 ms, 2.301 ms]	760.029 µs (51.4%)
profiling	2.029 ms [1.98 ms, 2.078 ms]	550.047 µs (37.2%)
tracing	2.021 ms [1.974 ms, 2.069 ms]	541.891 µs (36.6%)

jandro996

Correct me if I'm wrong but I feel that we are missing this part of the RFC

DD_API_SECURITY_PARSE_RESPONSE_BODY: this is a configuration option which libraries with the ability to parse the response body must implement to allow the user to disable this feature. With a true, or equivalent value, response body parsing should be enabled. If implemented, the default value of this configuration option must be true.

There is also a system test that validates this
tests/appsec/api_security/test_schemas.py::Test_Schema_Response_Body_env_var::test_request_method

manuel-alvarez-alvarez · 2025-06-19T10:53:22Z

jandro996

LGTM! just a bunch of questions

| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [com.google.errorprone:error_prone_annotations](https://errorprone.info) ([source](https://github.com/google/error-prone)) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.39.0` -> `2.40.0` | | [org.apache.commons:commons-lang3](https://commons.apache.org/proper/commons-lang/) ([source](https://gitbox.apache.org/repos/asf/commons-lang.git)) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `3.17.0` -> `3.18.0` | | [org.jetbrains.kotlinx.binary-compatibility-validator](https://github.com/Kotlin/binary-compatibility-validator) | plugin | misk/gradle/libs.versions.toml | gradle | patch | `0.18.0` -> `0.18.1` | | [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.50.1` -> `1.51.0` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | --- ### Release Notes <details> <summary>google/error-prone (com.google.errorprone:error_prone_annotations)</summary> ### [`v2.40.0`](https://github.com/google/error-prone/releases/tag/v2.40.0): Error Prone 2.40.0 Changes: - Bug fixes and improvements - Releases (including snapshots) have migrated from [OSSRH to the Central Publisher Portal](https://central.sonatype.org/pages/ossrh-eol/#process-to-migrate) Full changelog: google/error-prone@v2.39.0...v2.40.0 </details> <details> <summary>Kotlin/binary-compatibility-validator (org.jetbrains.kotlinx.binary-compatibility-validator)</summary> ### [`v0.18.1`](https://github.com/Kotlin/binary-compatibility-validator/releases/tag/0.18.1) [Compare Source](Kotlin/binary-compatibility-validator@0.18.0...0.18.1) #### What's Changed - Fixed a bug preventing use of cross-compilation support during KLIB dump validation \[[#304](https://github.com/Kotlin/binary-compatibility-validator/issues/304)]\[[#306](https://github.com/Kotlin/binary-compatibility-validator/issues/306)] </details> <details> <summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary> ### [`v1.51.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.51.0): 1.51.0 ### Components #### Application Security Management (IAST) - 🐛 Fix verify error when ctor params are used after a call site ([#9083](DataDog/dd-trace-java#9083) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - 🐛 Limit the maximum size of the location path in IAST vulnerabilities ([#9028](DataDog/dd-trace-java#9028) - [@jandro996](https://github.com/jandro996)) - 🐛 Fix IAST gRPC handler with null superclass ([#8984](DataDog/dd-trace-java#8984) - [@smola](https://github.com/smola)) - ✨ Optimize IAST Vulnerability Detection ([#8885](DataDog/dd-trace-java#8885) - [@jandro996](https://github.com/jandro996)) #### Application Security Management (WAF) - ✨ Upgrade libddwaf-java to 15.0.0 ([#9022](DataDog/dd-trace-java#9022) - [@sezen-datadog](https://github.com/sezen-datadog)) - ✨ Extract RestEasy json body response schemas ([#9015](DataDog/dd-trace-java#9015) - [@jandro996](https://github.com/jandro996)) - ✨ Extract Jersey json body response schemas ([#9014](DataDog/dd-trace-java#9014) - [@jandro996](https://github.com/jandro996)) - ✨ Extract Ratpack json body response schemas ([#9013](DataDog/dd-trace-java#9013) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Enable API Security by default and make it lazy loading ([#9009](DataDog/dd-trace-java#9009) - [@smola](https://github.com/smola)) - ✨ Extract Vert.x json body response schemas ([#9001](DataDog/dd-trace-java#9001) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Extract Play json body response schemas ([#8995](DataDog/dd-trace-java#8995) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - 🐛 Fix Jackson nodes introspection for request/response schema extraction ([#8980](DataDog/dd-trace-java#8980) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Extract Spring json body response schemas ([#8938](DataDog/dd-trace-java#8938) - [@sezen-datadog](https://github.com/sezen-datadog)) - ✨ Default obfuscation regexp update ([#8937](DataDog/dd-trace-java#8937) - [@sezen-datadog](https://github.com/sezen-datadog)) #### Build & Tooling - ✨ Cancel GitLab running pipeline on new PR push ([#9023](DataDog/dd-trace-java#9023) - [@PerfectSlayer](https://github.com/PerfectSlayer)) - ✨ Migrate publishing to Maven Central Portal ([#8807](DataDog/dd-trace-java#8807) - [@sarahchen6](https://github.com/sarahchen6)) #### Continuous Integration Visibility - 🐛 Fix Test Optimization to work with JDK 24 ([#9114](DataDog/dd-trace-java#9114) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Add repo root as safe directory on git client creation ([#9033](DataDog/dd-trace-java#9033) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Add PR number tag and improve PR information building ([#8990](DataDog/dd-trace-java#8990) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Update impacted tests logic ([#8923](DataDog/dd-trace-java#8923) - [@daniel-mohedano](https://github.com/daniel-mohedano)) #### Data Streams Monitoring - 🧹 Clean up DSM context injection ([#8776](DataDog/dd-trace-java#8776) - [@PerfectSlayer](https://github.com/PerfectSlayer)) #### Database Monitoring - 🐛 Set trace\_injected in try block ([#9025](DataDog/dd-trace-java#9025) - [@natashadada](https://github.com/natashadada)) #### Dynamic Instrumentation - 🐛 Add source file tracking enable option ([#9115](DataDog/dd-trace-java#9115) - [@jpbempel](https://github.com/jpbempel)) - ✨ Add java.util.Date support ([#9111](DataDog/dd-trace-java#9111) - [@jpbempel](https://github.com/jpbempel)) - ✨ Update file probe format ([#9047](DataDog/dd-trace-java#9047) - [@jpbempel](https://github.com/jpbempel)) - ✨ add safe local var hoisting ([#9034](DataDog/dd-trace-java#9034) - [@jpbempel](https://github.com/jpbempel)) - 🧹 Add new config for debugger upload interval ([#8959](DataDog/dd-trace-java#8959) - [@jpbempel](https://github.com/jpbempel)) - ✨ Enable Code Origin with Dynamic instrumentation ([#8940](DataDog/dd-trace-java#8940) - [@jpbempel](https://github.com/jpbempel)) #### ML Observability (LLMObs) - 💡 LLM Observability SDK ([#8781](DataDog/dd-trace-java#8781) - [@gary-huang](https://github.com/gary-huang), [@nayeem-kamal](https://github.com/nayeem-kamal)) #### Metrics - 🐛 Ensure client stat reporter is started when the agent is not available at bootstrap ([#9082](DataDog/dd-trace-java#9082) - [@amarziali](https://github.com/amarziali)) - ✨ Create metric: appsec.waf.config\_errors ([#8394](DataDog/dd-trace-java#8394) - [@sezen-datadog](https://github.com/sezen-datadog)) #### Platform components - ✨ Introduce environment component ([#9071](DataDog/dd-trace-java#9071) - [@PerfectSlayer](https://github.com/PerfectSlayer)) #### Profiling - 🐛 Remove annoying warning for smap event parsing ([#9119](DataDog/dd-trace-java#9119) - [@jbachorik](https://github.com/jbachorik)) - 🐛 Fix ByteCountingInputStream when reading past EOF ([#8988](DataDog/dd-trace-java#8988) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Realtime User Monitoring - ✨ Add RUM SDK injection for servlet based web servers ([#9110](DataDog/dd-trace-java#9110) - [@PerfectSlayer](https://github.com/PerfectSlayer) [@amarziali](https://github.com/amarziali)) #### Telemetry - ✨ Update the config origin metric to match what it's mapping ([#9045](DataDog/dd-trace-java#9045) - [@sezen-datadog](https://github.com/sezen-datadog)) #### Testing - ✨ Add testing for latest stable version (JDK 24) ([#8875](DataDog/dd-trace-java#8875) - [@sarahchen6](https://github.com/sarahchen6)) #### Trace context propagation - 🐛 Fix bug with dropping baggage when `TracePropagationBehaviorExtract=IGNORE` ([#9037](DataDog/dd-trace-java#9037) - [@mhlidd](https://github.com/mhlidd)) - 🐛 Fix ArrayIndexOutOfBoundsException in PercentEscaper ([#9032](DataDog/dd-trace-java#9032) - [@mhlidd](https://github.com/mhlidd)) #### Tracer core - 🐛 Fix `Error` handling for trace interceptors ([#9097](DataDog/dd-trace-java#9097) - [@AlexeyKuznetsov-DD](https://github.com/AlexeyKuznetsov-DD)) - 💡 Add wildcard feature for `DD_TRACE_HEADER_TAGS` and enabling for Http Response headers ([#9067](DataDog/dd-trace-java#9067) - [@mhlidd](https://github.com/mhlidd)) #### Tracer public API - 💡 Add LLM Observability SDK ([#8781](DataDog/dd-trace-java#8781) - [@gary-huang](https://github.com/gary-huang)) ### Instrumentations #### Akka instrumentation - 🐛 Fix NPE in akka-http and pekko-http integrations ([#9019](DataDog/dd-trace-java#9019) - [@mcculls](https://github.com/mcculls)) #### Eclipse Vert.x instrumentation - ✨ Extract Vert.x json body response schemas ([#9001](DataDog/dd-trace-java#9001) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Write http.route tag as soon as possible in vert.x ([#8952](DataDog/dd-trace-java#8952) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### JAX-WS instrumentation - 💡⚠️ Enable jax-ws integration by default ([#9030](DataDog/dd-trace-java#9030) - [@bm1549](https://github.com/bm1549)) - ✨ Extract Jersey json body response schemas ([#9014](DataDog/dd-trace-java#9014) - [@jandro996](https://github.com/jandro996)) #### Mule instrumentation - 🐛 Propagate grizzly http span in filters if nothing is active ([#9016](DataDog/dd-trace-java#9016) - [@amarziali](https://github.com/amarziali)) #### Play Framework instrumentation - ✨ Extract Play json body response schemas ([#8995](DataDog/dd-trace-java#8995) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Ratpack instrumentation - ✨ Extract Ratpack json body response schemas ([#9013](DataDog/dd-trace-java#9013) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Spring instrumentation - ✨ Extract Spring json body response schemas ([#8938](DataDog/dd-trace-java#8938) - [@sezen-datadog](https://github.com/sezen-datadog)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: 649b690d4c9d7dcb572c457f0802b42b8e3e682e

manuel-alvarez-alvarez added comp: asm waf Application Security Management (WAF) inst: vertx Eclipse Vert.x instrumentation type: enhancement Enhancements and improvements labels Jun 17, 2025

manuel-alvarez-alvarez marked this pull request as ready for review June 17, 2025 17:28

manuel-alvarez-alvarez requested review from a team as code owners June 17, 2025 17:28

manuel-alvarez-alvarez requested review from dougqh, robertpi and sezen-datadog June 17, 2025 17:28

manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch from e6d0da9 to bf5e01e Compare June 19, 2025 08:39

jandro996 reviewed Jun 19, 2025

View reviewed changes

manuel-alvarez-alvarez force-pushed the malvarez/http-route-play branch from 5ae3d48 to aac9883 Compare June 23, 2025 07:17

manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch from 37afc9b to 3fabdcd Compare June 23, 2025 07:39

manuel-alvarez-alvarez requested a review from jandro996 June 23, 2025 07:40

jandro996 reviewed Jun 23, 2025

View reviewed changes

Comment thread dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java Outdated

jandro996 reviewed Jun 23, 2025

View reviewed changes

Comment thread dd-java-agent/testing/src/main/groovy/datadog/trace/agent/test/base/HttpServerTest.groovy Outdated

jandro996 reviewed Jun 23, 2025

View reviewed changes

Comment thread internal-api/src/main/java/datadog/trace/api/gateway/Events.java Outdated

jandro996 approved these changes Jun 23, 2025

View reviewed changes

manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch from 3fabdcd to fe0c272 Compare June 23, 2025 09:53

manuel-alvarez-alvarez force-pushed the malvarez/http-route-play branch from aac9883 to ad5e01d Compare June 23, 2025 10:35

manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch 2 times, most recently from 25ab23e to 24b6231 Compare June 23, 2025 12:00

manuel-alvarez-alvarez force-pushed the malvarez/http-route-play branch from ad5e01d to cf0f8aa Compare June 23, 2025 19:06

Base automatically changed from malvarez/http-route-play to master June 24, 2025 07:55

manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch 3 times, most recently from 5194553 to 3a7d412 Compare June 24, 2025 12:28

sezen-datadog approved these changes Jun 24, 2025

View reviewed changes

manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch from 3a7d412 to ac7c355 Compare June 25, 2025 07:14

Extract Vert.x json body response schemas

bd96ea3

manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch from ac7c355 to bd96ea3 Compare June 25, 2025 07:15

manuel-alvarez-alvarez merged commit c5581ea into master Jun 25, 2025
485 checks passed

manuel-alvarez-alvarez deleted the malvarez/vertx-response-extraction branch June 25, 2025 08:25

github-actions Bot added this to the 1.51.0 milestone Jun 25, 2025

Sunbelt Computer Software

PL/B Language Development and Support

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Extract Vert.x json body response schemas#9001

Extract Vert.x json body response schemas#9001
manuel-alvarez-alvarez merged 1 commit into
masterfrom
malvarez/vertx-response-extraction

manuel-alvarez-alvarez commented Jun 17, 2025 •

edited

Loading

Uh oh!

pr-commenter Bot commented Jun 17, 2025 •

edited

Loading

Uh oh!

jandro996 left a comment

Uh oh!

manuel-alvarez-alvarez commented Jun 19, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

jandro996 left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Sunbelt Computer Software

PL/B Language Development and Support

Uh oh!

Conversation

manuel-alvarez-alvarez commented Jun 17, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What Does This Do

Motivation

Additional Notes

Contributor Checklist

Uh oh!

pr-commenter Bot commented Jun 17, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Benchmarks

Startup

Parameters

Summary

Load

Parameters

Summary

Dacapo

Parameters

Summary

Uh oh!

jandro996 left a comment

Choose a reason for hiding this comment

Uh oh!

manuel-alvarez-alvarez commented Jun 19, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

jandro996 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

manuel-alvarez-alvarez commented Jun 17, 2025 •

edited

Loading

pr-commenter Bot commented Jun 17, 2025 •

edited

Loading