Optimize IAST Vulnerability Detection

[jandro996]

What Does This Do

Implements the new algorithm for detecting IAST vulnerabilities, where vulnerabilities that were already explored in previous runs for a given endpoint are skipped, ensuring that all remaining ones are eventually explored.

This addresses the current limitation where only the first matching vulnerabilities are consistently reported, causing others to remain hidden.

Changes to OverheadContext

The OverheadContext class has been extended to support three separate tracking maps:

1. globalMap

• Used to track vulnerability detection counts per endpoint across all requests.
• Keys are strings combining the request method and route (GET /login, POST /submit, etc.).
• Values are maps from vulnerabilityType → int (count of occurrences).
• Capped at 4,096 entries using a clear‐on‐overflow strategy, to ensure bounded memory usage.
• Oldest entries are cleared once the limit is reached.

2. copyMap

• Created per request to copy the global counts at the start of the request, ensuring a consistent baseline to compare against throughout the lifecycle of the request.

3. requestMap

• Tracks vulnerability type counts within the request.

An additional field, isGlobal, has been added to indicate whether the context is global or request-scoped. If isGlobal is true, the maps are not used, and quota checks proceed using the global strategy only.

A new method, resetMaps(), has been added to update globalMap when the request ends and vulnerability data has been reported. Two scenarios are supported:

• Case 1: Budget not fully used → The entry for the endpoint in globalMap is cleared, since the request stayed within budget.
• Case 2: Budget fully used → The counts from requestMap are compared to those in copyMap. For each vulnerability type, if the value in requestMap is greater, it is used to update the corresponding entry in globalMap.

Changes to OverheadController

The method consumeQuota() has been extended to receive a vulnerabilityType and modified to support the new logic:

If an OverheadContext is present and not global, and there is remaining quota and a valid span, the controller now invokes a new method maybeSkipVulnerability() to determine whether quota should actually be consumed or not, based on endpoint-specific history.

It's better to check the Algorithm execution example flow diagram to understand how this should work

Changes to IastRequestContext

In releaseRequestContext(), the request now calls resetMaps() on the associated OverheadContext, ensuring globalMap is updated at the end of each request.

Motivation

[RFC-1029] Optimizing IAST Vulnerability Detection implementation

Additional Notes

java tracer needs to implement also [RFC-1029-A1] Solution for dynamic http routes

Contributor Checklist

• Format the title according the contribution guidelines
• Assign the type: and (comp: or inst:) labels in addition to any usefull labels
• Don't use close, fix or any linking keywords when referencing an issue.
  Use solves instead, and assign the PR milestone to the issue
• Update the CODEOWNERS file on source file addition, move, or deletion
• Update the public documentation in case of new configuration flag or behavior

Jira ticket: APPSEC-57267

[pr-commenter]

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/Optimize-IAST-Vulnerability-Detection
git_commit_date	1751531069	1751534692
git_commit_sha	1666056	cde392dc87
release_version	1.51.0-SNAPSHOT~1666056a38	1.51.0-SNAPSHOT~9cde392dc87

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1751535943	1751535943
ci_job_id	1011704689	1011704689
ci_pipeline_id	69533740	69533740
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-3-gqnkbnh5 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-3-gqnkbnh5 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module	Agent	Agent
parent	None	None

Summary

Found 0 performance improvements and 1 performance regressions! Performance is the same for 43 metrics, 9 unstable metrics.

scenario	Δ mean execution_time	candidate mean execution_time	baseline mean execution_time
scenario:startup:petclinic:appsec:IAST	worse [+1.006ms; +1.277ms] or [+4.569%; +5.799%]	23.160ms	22.018ms

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (995.132 ms) : 0, 995132
Total [baseline] (10.57 s) : 0, 10569593
Agent [candidate] (995.173 ms) : 0, 995173
Total [candidate] (10.573 s) : 0, 10572916
section appsec
Agent [baseline] (1.173 s) : 0, 1173264
Total [baseline] (10.713 s) : 0, 10712828
Agent [candidate] (1.173 s) : 0, 1173131
Total [candidate] (10.733 s) : 0, 10732898
section iast
Agent [baseline] (1.13 s) : 0, 1129802
Total [baseline] (10.795 s) : 0, 10794530
Agent [candidate] (1.134 s) : 0, 1133843
Total [candidate] (10.908 s) : 0, 10908050
section profiling
Agent [baseline] (1.244 s) : 0, 1244379
Total [baseline] (10.955 s) : 0, 10955220
Agent [candidate] (1.248 s) : 0, 1247791
Total [candidate] (10.956 s) : 0, 10955585

Loading

• baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	995.132 ms	-
Agent	appsec	1.173 s	178.132 ms (17.9%)
Agent	iast	1.13 s	134.671 ms (13.5%)
Agent	profiling	1.244 s	249.248 ms (25.0%)
Total	tracing	10.57 s	-
Total	appsec	10.713 s	143.235 ms (1.4%)
Total	iast	10.795 s	224.937 ms (2.1%)
Total	profiling	10.955 s	385.627 ms (3.6%)

• candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	995.173 ms	-
Agent	appsec	1.173 s	177.958 ms (17.9%)
Agent	iast	1.134 s	138.669 ms (13.9%)
Agent	profiling	1.248 s	252.617 ms (25.4%)
Total	tracing	10.573 s	-
Total	appsec	10.733 s	159.983 ms (1.5%)
Total	iast	10.908 s	335.135 ms (3.2%)
Total	profiling	10.956 s	382.669 ms (3.6%)

gantt
    title petclinic - break down per module: candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (687.638 ms) : 0, 687638
BytebuddyAgent [candidate] (687.436 ms) : 0, 687436
GlobalTracer [baseline] (241.668 ms) : 0, 241668
GlobalTracer [candidate] (241.849 ms) : 0, 241849
AppSec [baseline] (30.213 ms) : 0, 30213
AppSec [candidate] (30.279 ms) : 0, 30279
Debugger [baseline] (6.025 ms) : 0, 6025
Debugger [candidate] (6.046 ms) : 0, 6046
Remote Config [baseline] (679.358 µs) : 0, 679
Remote Config [candidate] (685.568 µs) : 0, 686
Telemetry [baseline] (8.199 ms) : 0, 8199
Telemetry [candidate] (8.135 ms) : 0, 8135
section appsec
BytebuddyAgent [baseline] (709.926 ms) : 0, 709926
BytebuddyAgent [candidate] (709.232 ms) : 0, 709232
GlobalTracer [baseline] (235.335 ms) : 0, 235335
GlobalTracer [candidate] (234.881 ms) : 0, 234881
IAST [baseline] (22.018 ms) : 0, 22018
IAST [candidate] (23.16 ms) : 0, 23160
AppSec [baseline] (170.783 ms) : 0, 170783
AppSec [candidate] (170.634 ms) : 0, 170634
Debugger [baseline] (5.781 ms) : 0, 5781
Debugger [candidate] (5.774 ms) : 0, 5774
Remote Config [baseline] (600.004 µs) : 0, 600
Remote Config [candidate] (597.803 µs) : 0, 598
Telemetry [baseline] (8.06 ms) : 0, 8060
Telemetry [candidate] (8.105 ms) : 0, 8105
section iast
BytebuddyAgent [baseline] (806.542 ms) : 0, 806542
BytebuddyAgent [candidate] (808.312 ms) : 0, 808312
GlobalTracer [baseline] (232.536 ms) : 0, 232536
GlobalTracer [candidate] (233.028 ms) : 0, 233028
IAST [baseline] (28.743 ms) : 0, 28743
IAST [candidate] (29.366 ms) : 0, 29366
AppSec [baseline] (26.778 ms) : 0, 26778
AppSec [candidate] (27.873 ms) : 0, 27873
Debugger [baseline] (5.825 ms) : 0, 5825
Debugger [candidate] (5.892 ms) : 0, 5892
Remote Config [baseline] (599.117 µs) : 0, 599
Remote Config [candidate] (591.786 µs) : 0, 592
Telemetry [baseline] (7.954 ms) : 0, 7954
Telemetry [candidate] (8.074 ms) : 0, 8074
section profiling
BytebuddyAgent [baseline] (678.808 ms) : 0, 678808
BytebuddyAgent [candidate] (680.679 ms) : 0, 680679
GlobalTracer [baseline] (360.812 ms) : 0, 360812
GlobalTracer [candidate] (361.387 ms) : 0, 361387
AppSec [baseline] (32.196 ms) : 0, 32196
AppSec [candidate] (33.013 ms) : 0, 33013
Debugger [baseline] (10.648 ms) : 0, 10648
Debugger [candidate] (9.076 ms) : 0, 9076
Remote Config [baseline] (1.353 ms) : 0, 1353
Remote Config [candidate] (664.974 µs) : 0, 665
Telemetry [baseline] (8.025 ms) : 0, 8025
Telemetry [candidate] (8.789 ms) : 0, 8789
ProfilingAgent [baseline] (103.377 ms) : 0, 103377
ProfilingAgent [candidate] (103.902 ms) : 0, 103902
Profiling [baseline] (103.401 ms) : 0, 103401
Profiling [candidate] (103.927 ms) : 0, 103927

Loading

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (994.682 ms) : 0, 994682
Total [baseline] (8.566 s) : 0, 8566186
Agent [candidate] (996.759 ms) : 0, 996759
Total [candidate] (8.54 s) : 0, 8539558
section iast
Agent [baseline] (1.14 s) : 0, 1139702
Total [baseline] (9.277 s) : 0, 9277466
Agent [candidate] (1.144 s) : 0, 1143997
Total [candidate] (9.323 s) : 0, 9323280

Loading

• baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	994.682 ms	-
Agent	iast	1.14 s	145.02 ms (14.6%)
Total	tracing	8.566 s	-
Total	iast	9.277 s	711.279 ms (8.3%)

• candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	996.759 ms	-
Agent	iast	1.144 s	147.238 ms (14.8%)
Total	tracing	8.54 s	-
Total	iast	9.323 s	783.722 ms (9.2%)

gantt
    title insecure-bank - break down per module: candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (687.471 ms) : 0, 687471
BytebuddyAgent [candidate] (688.605 ms) : 0, 688605
GlobalTracer [baseline] (241.352 ms) : 0, 241352
GlobalTracer [candidate] (242.168 ms) : 0, 242168
AppSec [baseline] (30.242 ms) : 0, 30242
AppSec [candidate] (30.33 ms) : 0, 30330
Debugger [baseline] (6.03 ms) : 0, 6030
Debugger [candidate] (6.017 ms) : 0, 6017
Remote Config [baseline] (672.268 µs) : 0, 672
Remote Config [candidate] (682.224 µs) : 0, 682
Telemetry [baseline] (8.19 ms) : 0, 8190
Telemetry [candidate] (8.206 ms) : 0, 8206
section iast
BytebuddyAgent [baseline] (814.282 ms) : 0, 814282
BytebuddyAgent [candidate] (815.895 ms) : 0, 815895
GlobalTracer [baseline] (234.27 ms) : 0, 234270
GlobalTracer [candidate] (234.752 ms) : 0, 234752
IAST [baseline] (28.199 ms) : 0, 28199
IAST [candidate] (29.017 ms) : 0, 29017
AppSec [baseline] (27.722 ms) : 0, 27722
AppSec [candidate] (28.847 ms) : 0, 28847
Debugger [baseline] (5.83 ms) : 0, 5830
Debugger [candidate] (5.906 ms) : 0, 5906
Remote Config [baseline] (576.617 µs) : 0, 577
Remote Config [candidate] (584.193 µs) : 0, 584
Telemetry [baseline] (7.983 ms) : 0, 7983
Telemetry [candidate] (8.204 ms) : 0, 8204

Loading

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/Optimize-IAST-Vulnerability-Detection
git_commit_date	1751531069	1751534811
git_commit_sha	1666056	cde392dc87
release_version	1.51.0-SNAPSHOT~1666056a38	1.51.0-SNAPSHOT~9cde392dc87

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1751535751	1751535751
ci_job_id	1011704691	1011704691
ci_pipeline_id	69533740	69533740
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-4-ysajhrjm 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-4-ysajhrjm 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 2 performance regressions! Performance is the same for 8 metrics, 12 unstable metrics.

scenario	Δ mean http_req_duration	Δ mean throughput	candidate mean http_req_duration	candidate mean throughput	baseline mean http_req_duration	baseline mean throughput
scenario:load:insecure-bank:no_agent:high_load	worse [+137.240µs; +248.228µs] or [+3.238%; +5.856%]	unstable [-159.350op/s; +67.850op/s] or [-14.726%; +6.270%]	4.431ms	1036.312op/s	4.239ms	1082.062op/s
scenario:load:insecure-bank:iast_FULL:high_load	worse [+0.817ms; +1.427ms] or [+5.971%; +10.428%]	unstable [-59.933op/s; +8.933op/s] or [-17.606%; +2.624%]	14.807ms	314.906op/s	13.684ms	340.406op/s
scenario:load:insecure-bank:tracing:high_load	better [-602.947µs; -360.693µs] or [-7.511%; -4.493%]	unstable [-35.043op/s; +107.230op/s] or [-6.069%; +18.571%]	7.546ms	613.500op/s	8.028ms	577.406op/s
scenario:load:petclinic:tracing:high_load	better [-1.984ms; -1.185ms] or [-4.427%; -2.645%]	unstable [-3.551op/s; +11.151op/s] or [-3.400%; +10.676%]	43.225ms	108.250op/s	44.810ms	104.450op/s

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38
    dateFormat X
    axisFormat %s
section baseline
no_agent (4.239 ms) : 4185, 4292
.   : milestone, 4239,
iast (9.264 ms) : 9109, 9419
.   : milestone, 9264,
iast_FULL (13.684 ms) : 13411, 13958
.   : milestone, 13684,
iast_GLOBAL (10.214 ms) : 10032, 10396
.   : milestone, 10214,
profiling (8.706 ms) : 8561, 8852
.   : milestone, 8706,
tracing (8.028 ms) : 7909, 8146
.   : milestone, 8028,
section candidate
no_agent (4.431 ms) : 4382, 4481
.   : milestone, 4431,
iast (9.266 ms) : 9116, 9416
.   : milestone, 9266,
iast_FULL (14.807 ms) : 14513, 15100
.   : milestone, 14807,
iast_GLOBAL (10.38 ms) : 10198, 10562
.   : milestone, 10380,
profiling (8.937 ms) : 8799, 9075
.   : milestone, 8937,
tracing (7.546 ms) : 7440, 7652
.   : milestone, 7546,

Loading

• baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	4.239 ms [4.185 ms, 4.292 ms]	-
iast	9.264 ms [9.109 ms, 9.419 ms]	5.025 ms (118.6%)
iast_FULL	13.684 ms [13.411 ms, 13.958 ms]	9.446 ms (222.9%)
iast_GLOBAL	10.214 ms [10.032 ms, 10.396 ms]	5.976 ms (141.0%)
profiling	8.706 ms [8.561 ms, 8.852 ms]	4.468 ms (105.4%)
tracing	8.028 ms [7.909 ms, 8.146 ms]	3.789 ms (89.4%)

• candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	4.431 ms [4.382 ms, 4.481 ms]	-
iast	9.266 ms [9.116 ms, 9.416 ms]	4.835 ms (109.1%)
iast_FULL	14.807 ms [14.513 ms, 15.1 ms]	10.375 ms (234.1%)
iast_GLOBAL	10.38 ms [10.198 ms, 10.562 ms]	5.949 ms (134.2%)
profiling	8.937 ms [8.799 ms, 9.075 ms]	4.506 ms (101.7%)
tracing	7.546 ms [7.44 ms, 7.652 ms]	3.115 ms (70.3%)

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38
    dateFormat X
    axisFormat %s
section baseline
no_agent (37.416 ms) : 37108, 37723
.   : milestone, 37416,
appsec (48.292 ms) : 47849, 48734
.   : milestone, 48292,
code_origins (44.777 ms) : 44394, 45159
.   : milestone, 44777,
iast (43.814 ms) : 43438, 44190
.   : milestone, 43814,
profiling (47.847 ms) : 47398, 48295
.   : milestone, 47847,
tracing (44.81 ms) : 44436, 45183
.   : milestone, 44810,
section candidate
no_agent (38.417 ms) : 38107, 38726
.   : milestone, 38417,
appsec (49.229 ms) : 48786, 49671
.   : milestone, 49229,
code_origins (44.818 ms) : 44440, 45196
.   : milestone, 44818,
iast (44.904 ms) : 44515, 45294
.   : milestone, 44904,
profiling (48.154 ms) : 47691, 48618
.   : milestone, 48154,
tracing (43.225 ms) : 42856, 43594
.   : milestone, 43225,

Loading

• baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	37.416 ms [37.108 ms, 37.723 ms]	-
appsec	48.292 ms [47.849 ms, 48.734 ms]	10.876 ms (29.1%)
code_origins	44.777 ms [44.394 ms, 45.159 ms]	7.361 ms (19.7%)
iast	43.814 ms [43.438 ms, 44.19 ms]	6.399 ms (17.1%)
profiling	47.847 ms [47.398 ms, 48.295 ms]	10.431 ms (27.9%)
tracing	44.81 ms [44.436 ms, 45.183 ms]	7.394 ms (19.8%)

• candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	38.417 ms [38.107 ms, 38.726 ms]	-
appsec	49.229 ms [48.786 ms, 49.671 ms]	10.812 ms (28.1%)
code_origins	44.818 ms [44.44 ms, 45.196 ms]	6.402 ms (16.7%)
iast	44.904 ms [44.515 ms, 45.294 ms]	6.488 ms (16.9%)
profiling	48.154 ms [47.691 ms, 48.618 ms]	9.738 ms (25.3%)
tracing	43.225 ms [42.856 ms, 43.594 ms]	4.809 ms (12.5%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/Optimize-IAST-Vulnerability-Detection
git_commit_date	1751531069	1751534741
git_commit_sha	1666056	cde392dc87
release_version	1.51.0-SNAPSHOT~1666056a38	1.51.0-SNAPSHOT~9cde392dc87

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1751536185	1751536185
ci_job_id	1011704693	1011704693
ci_pipeline_id	69533740	69533740
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-5-jmoqmp0l 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-5-jmoqmp0l 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38
    dateFormat X
    axisFormat %s
section baseline
no_agent (14.927 s) : 14927000, 14927000
.   : milestone, 14927000,
appsec (14.819 s) : 14819000, 14819000
.   : milestone, 14819000,
iast (18.513 s) : 18513000, 18513000
.   : milestone, 18513000,
iast_GLOBAL (18.133 s) : 18133000, 18133000
.   : milestone, 18133000,
profiling (15.322 s) : 15322000, 15322000
.   : milestone, 15322000,
tracing (14.908 s) : 14908000, 14908000
.   : milestone, 14908000,
section candidate
no_agent (15.635 s) : 15635000, 15635000
.   : milestone, 15635000,
appsec (15.011 s) : 15011000, 15011000
.   : milestone, 15011000,
iast (18.583 s) : 18583000, 18583000
.   : milestone, 18583000,
iast_GLOBAL (17.844 s) : 17844000, 17844000
.   : milestone, 17844000,
profiling (15.248 s) : 15248000, 15248000
.   : milestone, 15248000,
tracing (14.941 s) : 14941000, 14941000
.   : milestone, 14941000,

Loading

• baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	14.927 s [14.927 s, 14.927 s]	-
appsec	14.819 s [14.819 s, 14.819 s]	-108.0 ms (-0.7%)
iast	18.513 s [18.513 s, 18.513 s]	3.586 s (24.0%)
iast_GLOBAL	18.133 s [18.133 s, 18.133 s]	3.206 s (21.5%)
profiling	15.322 s [15.322 s, 15.322 s]	395.0 ms (2.6%)
tracing	14.908 s [14.908 s, 14.908 s]	-19.0 ms (-0.1%)

• candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.635 s [15.635 s, 15.635 s]	-
appsec	15.011 s [15.011 s, 15.011 s]	-624.0 ms (-4.0%)
iast	18.583 s [18.583 s, 18.583 s]	2.948 s (18.9%)
iast_GLOBAL	17.844 s [17.844 s, 17.844 s]	2.209 s (14.1%)
profiling	15.248 s [15.248 s, 15.248 s]	-387.0 ms (-2.5%)
tracing	14.941 s [14.941 s, 14.941 s]	-694.0 ms (-4.4%)

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~9cde392dc87, baseline=1.51.0-SNAPSHOT~1666056a38
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.481 ms) : 1469, 1492
.   : milestone, 1481,
appsec (2.419 ms) : 2370, 2469
.   : milestone, 2419,
iast (2.21 ms) : 2147, 2273
.   : milestone, 2210,
iast_GLOBAL (2.258 ms) : 2195, 2321
.   : milestone, 2258,
profiling (2.065 ms) : 2014, 2117
.   : milestone, 2065,
tracing (2.035 ms) : 1986, 2084
.   : milestone, 2035,
section candidate
no_agent (1.482 ms) : 1471, 1494
.   : milestone, 1482,
appsec (2.421 ms) : 2371, 2471
.   : milestone, 2421,
iast (2.205 ms) : 2142, 2268
.   : milestone, 2205,
iast_GLOBAL (2.255 ms) : 2192, 2318
.   : milestone, 2255,
profiling (2.064 ms) : 2013, 2116
.   : milestone, 2064,
tracing (2.033 ms) : 1984, 2082
.   : milestone, 2033,

Loading

• baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.481 ms [1.469 ms, 1.492 ms]	-
appsec	2.419 ms [2.37 ms, 2.469 ms]	938.858 µs (63.4%)
iast	2.21 ms [2.147 ms, 2.273 ms]	729.013 µs (49.2%)
iast_GLOBAL	2.258 ms [2.195 ms, 2.321 ms]	777.103 µs (52.5%)
profiling	2.065 ms [2.014 ms, 2.117 ms]	584.737 µs (39.5%)
tracing	2.035 ms [1.986 ms, 2.084 ms]	554.592 µs (37.5%)

• candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.482 ms [1.471 ms, 1.494 ms]	-
appsec	2.421 ms [2.371 ms, 2.471 ms]	938.962 µs (63.3%)
iast	2.205 ms [2.142 ms, 2.268 ms]	722.555 µs (48.7%)
iast_GLOBAL	2.255 ms [2.192 ms, 2.318 ms]	772.202 µs (52.1%)
profiling	2.064 ms [2.013 ms, 2.116 ms]	581.875 µs (39.3%)
tracing	2.033 ms [1.984 ms, 2.082 ms]	550.484 µs (37.1%)

[github-actions]

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

• Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

[manuel-alvarez-alvarez]

Can we introduce a test with different code paths that can be controlled though query/path parameters?, the order in which we trigger vulns is always deterministic and it would be nice to also test with some variability.

[smola]

I'd like an extra reviewer on this.
On the startup time regression: I think we can accept the 1ms startup regression for IAST in pet clinic. It does not affect scenarios other than DD_IAST_ENABLED=true, and the improved detection rate here is worth it.

[manuel-alvarez-alvarez]

Can you improve the name of the test?

[manuel-alvarez-alvarez]

Was this discussed in the working group?, I did wonder if the same behavior happens in other tracers or its just our implementation.

[jandro996]

Yes, there is a discussion in the working group slack channel and also was mentioned in the last meeting. It should happen in al the tracer as is an algorithm issue not an implementation one.

[manuel-alvarez-alvarez]

LGTM, but we have to discuss in the working group the issue about the algorithm degrading when the codepaths can change.