Skip to content

Fix semaphore permit leak in API Security span post-processor #10010

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 15 commits into
base: master
Choose a base branch
from
Draft

Fix semaphore permit leak in API Security span post-processor #10010

wants to merge 15 commits into from

Conversation

@jandro996
Copy link
Member

@jandro996 jandro996 commented Nov 21, 2025
edited by atlassian bot
Loading

What Does This Do

Fixed three issues causing API Security sampling to fail intermittently in standalone mode:

1. Semaphore permit leak in AppSecSpanPostProcessor

  • When preSampleRequest() acquired a permit but early returns occurred before the try-finally block, releaseOne() was never called
  • After 4+ leaked permits, the semaphore was exhausted, preventing subsequent sampling
  • Fix: Wrapped entire process() method in try-finally, ensuring releaseOne() is always called when a permit was acquired
  • Added 3 unit tests verifying permit release under various failure scenarios

2. Race condition in ApiSecuritySamplerImpl

  • Multiple concurrent requests to the same endpoint could all see isExpired=true before any updated the accessMap
  • Fix: preSampleRequest() now updates map immediately after acquiring semaphore, preventing concurrent requests from seeing stale expiration
    state
  • Updated 2 unit tests to match new flow

Motivation

API Security standalone system tests were failing intermittently in CI with _sampling_priority_v1 not being set to 2, causing traces to not be retained as expected.

Related with APPSEC-57815

Additional Notes

Contributor Checklist

Jira ticket: [PROJ-IDENT]

@jandro996 jandro996 added type: bug Bug report and fix comp: asm waf Application Security Management (WAF) labels Nov 21, 2025
@pr-commenter
Copy link

pr-commenter bot commented Nov 21, 2025
edited
Loading

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-57815
git_commit_date 1763992896 1763995595
git_commit_sha c8bb444 69a96c9
release_version 1.57.0-SNAPSHOT~c8bb44440b 1.57.0-SNAPSHOT~69a96c9c6a
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1763997362 1763997362
ci_job_id 1253622047 1253622047
ci_pipeline_id 83807723 83807723
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-xvi17o7y 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-xvi17o7y 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 6 unstable metrics.

Startup time reports for petclinic 
gantt
    title petclinic - global startup overhead: candidate=1.57.0-SNAPSHOT~69a96c9c6a, baseline=1.57.0-SNAPSHOT~c8bb44440b

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.107 s) : 0, 1106711
Total [baseline] (10.832 s) : 0, 10831560
Agent [candidate] (1.103 s) : 0, 1102507
Total [candidate] (10.851 s) : 0, 10850723
section appsec
Agent [baseline] (1.283 s) : 0, 1282878
Total [baseline] (11.124 s) : 0, 11124351
Agent [candidate] (1.286 s) : 0, 1285641
Total [candidate] (11.242 s) : 0, 11242095
section iast
Agent [baseline] (1.242 s) : 0, 1242283
Total [baseline] (11.228 s) : 0, 11227977
Agent [candidate] (1.239 s) : 0, 1239075
Total [candidate] (11.25 s) : 0, 11249686
section profiling
Agent [baseline] (1.233 s) : 0, 1232954
Total [baseline] (11.099 s) : 0, 11099292
Agent [candidate] (1.245 s) : 0, 1244767
Total [candidate] (11.075 s) : 0, 11075073
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.107 s -
Agent appsec 1.283 s 176.167 ms (15.9%)
Agent iast 1.242 s 135.572 ms (12.2%)
Agent profiling 1.233 s 126.242 ms (11.4%)
Total tracing 10.832 s -
Total appsec 11.124 s 292.791 ms (2.7%)
Total iast 11.228 s 396.417 ms (3.7%)
Total profiling 11.099 s 267.732 ms (2.5%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.103 s -
Agent appsec 1.286 s 183.133 ms (16.6%)
Agent iast 1.239 s 136.567 ms (12.4%)
Agent profiling 1.245 s 142.26 ms (12.9%)
Total tracing 10.851 s -
Total appsec 11.242 s 391.372 ms (3.6%)
Total iast 11.25 s 398.963 ms (3.7%)
Total profiling 11.075 s 224.35 ms (2.1%) 
gantt
    title petclinic - break down per module: candidate=1.57.0-SNAPSHOT~69a96c9c6a, baseline=1.57.0-SNAPSHOT~c8bb44440b

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.497 ms) : 0, 1497
crashtracking [candidate] (1.479 ms) : 0, 1479
BytebuddyAgent [baseline] (711.556 ms) : 0, 711556
BytebuddyAgent [candidate] (708.6 ms) : 0, 708600
GlobalTracer [baseline] (249.537 ms) : 0, 249537
GlobalTracer [candidate] (249.109 ms) : 0, 249109
AppSec [baseline] (32.157 ms) : 0, 32157
AppSec [candidate] (31.871 ms) : 0, 31871
Debugger [baseline] (64.387 ms) : 0, 64387
Debugger [candidate] (64.166 ms) : 0, 64166
Remote Config [baseline] (629.811 µs) : 0, 630
Remote Config [candidate] (628.656 µs) : 0, 629
Telemetry [baseline] (8.3 ms) : 0, 8300
Telemetry [candidate] (8.202 ms) : 0, 8202
Flare Poller [baseline] (3.71 ms) : 0, 3710
Flare Poller [candidate] (3.654 ms) : 0, 3654
section appsec
crashtracking [baseline] (1.478 ms) : 0, 1478
crashtracking [candidate] (1.491 ms) : 0, 1491
BytebuddyAgent [baseline] (731.769 ms) : 0, 731769
BytebuddyAgent [candidate] (732.05 ms) : 0, 732050
GlobalTracer [baseline] (240.995 ms) : 0, 240995
GlobalTracer [candidate] (242.02 ms) : 0, 242020
AppSec [baseline] (173.581 ms) : 0, 173581
AppSec [candidate] (175.306 ms) : 0, 175306
Debugger [baseline] (62.572 ms) : 0, 62572
Debugger [candidate] (62.027 ms) : 0, 62027
Remote Config [baseline] (682.018 µs) : 0, 682
Remote Config [candidate] (667.912 µs) : 0, 668
Telemetry [baseline] (8.246 ms) : 0, 8246
Telemetry [candidate] (8.289 ms) : 0, 8289
Flare Poller [baseline] (3.924 ms) : 0, 3924
Flare Poller [candidate] (3.831 ms) : 0, 3831
IAST [baseline] (24.699 ms) : 0, 24699
IAST [candidate] (24.958 ms) : 0, 24958
section iast
crashtracking [baseline] (1.506 ms) : 0, 1506
crashtracking [candidate] (1.486 ms) : 0, 1486
BytebuddyAgent [baseline] (834.208 ms) : 0, 834208
BytebuddyAgent [candidate] (831.989 ms) : 0, 831989
GlobalTracer [baseline] (238.243 ms) : 0, 238243
GlobalTracer [candidate] (237.558 ms) : 0, 237558
AppSec [baseline] (31.999 ms) : 0, 31999
AppSec [candidate] (31.911 ms) : 0, 31911
Debugger [baseline] (60.776 ms) : 0, 60776
Debugger [candidate] (60.394 ms) : 0, 60394
Remote Config [baseline] (540.728 µs) : 0, 541
Remote Config [candidate] (541.461 µs) : 0, 541
Telemetry [baseline] (7.589 ms) : 0, 7589
Telemetry [candidate] (7.562 ms) : 0, 7562
Flare Poller [baseline] (3.514 ms) : 0, 3514
Flare Poller [candidate] (3.439 ms) : 0, 3439
IAST [baseline] (28.989 ms) : 0, 28989
IAST [candidate] (29.342 ms) : 0, 29342
section profiling
crashtracking [baseline] (1.459 ms) : 0, 1459
crashtracking [candidate] (1.457 ms) : 0, 1457
BytebuddyAgent [baseline] (735.069 ms) : 0, 735069
BytebuddyAgent [candidate] (743.813 ms) : 0, 743813
GlobalTracer [baseline] (222.729 ms) : 0, 222729
GlobalTracer [candidate] (224.662 ms) : 0, 224662
AppSec [baseline] (32.29 ms) : 0, 32290
AppSec [candidate] (32.474 ms) : 0, 32474
Debugger [baseline] (63.232 ms) : 0, 63232
Debugger [candidate] (63.103 ms) : 0, 63103
Remote Config [baseline] (631.665 µs) : 0, 632
Remote Config [candidate] (673.138 µs) : 0, 673
Telemetry [baseline] (7.98 ms) : 0, 7980
Telemetry [candidate] (7.942 ms) : 0, 7942
Flare Poller [baseline] (3.79 ms) : 0, 3790
Flare Poller [candidate] (3.844 ms) : 0, 3844
ProfilingAgent [baseline] (96.615 ms) : 0, 96615
ProfilingAgent [candidate] (97.005 ms) : 0, 97005
Profiling [baseline] (97.206 ms) : 0, 97206
Profiling [candidate] (97.586 ms) : 0, 97586
Loading
Startup time reports for insecure-bank 
gantt
    title insecure-bank - global startup overhead: candidate=1.57.0-SNAPSHOT~69a96c9c6a, baseline=1.57.0-SNAPSHOT~c8bb44440b

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.1 s) : 0, 1099547
Total [baseline] (8.834 s) : 0, 8834323
Agent [candidate] (1.102 s) : 0, 1101640
Total [candidate] (8.892 s) : 0, 8891995
section iast
Agent [baseline] (1.253 s) : 0, 1252611
Total [baseline] (9.592 s) : 0, 9591896
Agent [candidate] (1.249 s) : 0, 1248825
Total [candidate] (9.587 s) : 0, 9587064
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.1 s -
Agent iast 1.253 s 153.065 ms (13.9%)
Total tracing 8.834 s -
Total iast 9.592 s 757.573 ms (8.6%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.102 s -
Agent iast 1.249 s 147.185 ms (13.4%)
Total tracing 8.892 s -
Total iast 9.587 s 695.069 ms (7.8%) 
gantt
    title insecure-bank - break down per module: candidate=1.57.0-SNAPSHOT~69a96c9c6a, baseline=1.57.0-SNAPSHOT~c8bb44440b

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.487 ms) : 0, 1487
crashtracking [candidate] (1.484 ms) : 0, 1484
BytebuddyAgent [baseline] (706.532 ms) : 0, 706532
BytebuddyAgent [candidate] (708.29 ms) : 0, 708290
GlobalTracer [baseline] (248.926 ms) : 0, 248926
GlobalTracer [candidate] (249.094 ms) : 0, 249094
AppSec [baseline] (31.949 ms) : 0, 31949
AppSec [candidate] (31.798 ms) : 0, 31798
Debugger [baseline] (63.47 ms) : 0, 63470
Debugger [candidate] (63.587 ms) : 0, 63587
Remote Config [baseline] (623.557 µs) : 0, 624
Remote Config [candidate] (641.907 µs) : 0, 642
Telemetry [baseline] (8.123 ms) : 0, 8123
Telemetry [candidate] (8.222 ms) : 0, 8222
Flare Poller [baseline] (3.635 ms) : 0, 3635
Flare Poller [candidate] (3.707 ms) : 0, 3707
section iast
crashtracking [baseline] (1.519 ms) : 0, 1519
crashtracking [candidate] (1.489 ms) : 0, 1489
BytebuddyAgent [baseline] (842.838 ms) : 0, 842838
BytebuddyAgent [candidate] (838.831 ms) : 0, 838831
GlobalTracer [baseline] (238.887 ms) : 0, 238887
GlobalTracer [candidate] (238.842 ms) : 0, 238842
AppSec [baseline] (31.76 ms) : 0, 31760
AppSec [candidate] (33.216 ms) : 0, 33216
Debugger [baseline] (60.412 ms) : 0, 60412
Debugger [candidate] (60.722 ms) : 0, 60722
Remote Config [baseline] (552.932 µs) : 0, 553
Remote Config [candidate] (570.393 µs) : 0, 570
Telemetry [baseline] (7.605 ms) : 0, 7605
Telemetry [candidate] (7.739 ms) : 0, 7739
Flare Poller [baseline] (3.468 ms) : 0, 3468
Flare Poller [candidate] (3.545 ms) : 0, 3545
IAST [baseline] (30.372 ms) : 0, 30372
IAST [candidate] (28.827 ms) : 0, 28827
Loading

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-57815
git_commit_date 1763992896 1763995595
git_commit_sha c8bb444 69a96c9
release_version 1.57.0-SNAPSHOT~c8bb44440b 1.57.0-SNAPSHOT~69a96c9c6a
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1763997912 1763997912
ci_job_id 1253622048 1253622048
ci_pipeline_id 83807723 83807723
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-achvtc37 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-achvtc37 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 2 performance regressions! Performance is the same for 15 metrics, 17 unstable metrics.

scenario Δ mean agg_http_req_duration_p50 Δ mean agg_http_req_duration_p95 Δ mean throughput candidate mean agg_http_req_duration_p50 candidate mean agg_http_req_duration_p95 candidate mean throughput baseline mean agg_http_req_duration_p50 baseline mean agg_http_req_duration_p95 baseline mean throughput
scenario:load:insecure-bank:no_agent:high_load worse
[+28.245µs; +117.915µs] or [+2.878%; +12.015%]		 unstable
[+50.465µs; +831.127µs] or [+1.875%; +30.884%]		 unstable
[-659.379op/s; +182.004op/s] or [-17.875%; +4.934%]		 1054.472µs 3.132ms 3450.188op/s 981.392µs 2.691ms 3688.875op/s
scenario:load:insecure-bank:iast:high_load worse
[+157.651µs; +373.136µs] or [+6.481%; +15.340%]		 unstable
[+215.627µs; +955.495µs] or [+2.995%; +13.272%]		 unstable
[-243.033op/s; +62.095op/s] or [-16.788%; +4.289%]		 2.698ms 7.785ms 1357.219op/s 2.433ms 7.199ms 1447.688op/s
scenario:load:insecure-bank:iast_GLOBAL:high_load better
[-217.815µs; -133.427µs] or [-7.350%; -4.502%]		 unsure
[-476.988µs; -101.334µs] or [-5.829%; -1.238%]		 unstable
[-90.785op/s; +179.472op/s] or [-7.288%; +14.408%]		 2.788ms 7.894ms 1290.000op/s 2.964ms 8.183ms 1245.656op/s
scenario:load:insecure-bank:iast_FULL:high_load better
[-358.776µs; -145.657µs] or [-6.902%; -2.802%]		 unsure
[-764.758µs; -195.262µs] or [-6.199%; -1.583%]		 unstable
[-45.825op/s; +116.888op/s] or [-5.807%; +14.813%]		 4.946ms 11.857ms 824.625op/s 5.198ms 12.337ms 789.094op/s
Request duration reports for petclinic 
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.57.0-SNAPSHOT~69a96c9c6a, baseline=1.57.0-SNAPSHOT~c8bb44440b
    dateFormat X
    axisFormat %s
section baseline
no_agent (17.319 ms) : 17147, 17491
.   : milestone, 17319,
appsec (18.847 ms) : 18657, 19037
.   : milestone, 18847,
code_origins (17.727 ms) : 17549, 17904
.   : milestone, 17727,
iast (17.963 ms) : 17788, 18138
.   : milestone, 17963,
profiling (18.77 ms) : 18579, 18962
.   : milestone, 18770,
tracing (17.903 ms) : 17722, 18085
.   : milestone, 17903,
section candidate
no_agent (18.094 ms) : 17910, 18278
.   : milestone, 18094,
appsec (18.987 ms) : 18795, 19179
.   : milestone, 18987,
code_origins (17.798 ms) : 17620, 17976
.   : milestone, 17798,
iast (17.547 ms) : 17370, 17724
.   : milestone, 17547,
profiling (18.781 ms) : 18589, 18974
.   : milestone, 18781,
tracing (17.795 ms) : 17613, 17976
.   : milestone, 17795,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 17.319 ms [17.147 ms, 17.491 ms] -
appsec 18.847 ms [18.657 ms, 19.037 ms] 1.528 ms (8.8%)
code_origins 17.727 ms [17.549 ms, 17.904 ms] 407.921 µs (2.4%)
iast 17.963 ms [17.788 ms, 18.138 ms] 644.164 µs (3.7%)
profiling 18.77 ms [18.579 ms, 18.962 ms] 1.451 ms (8.4%)
tracing 17.903 ms [17.722 ms, 18.085 ms] 584.497 µs (3.4%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.094 ms [17.91 ms, 18.278 ms] -
appsec 18.987 ms [18.795 ms, 19.179 ms] 893.209 µs (4.9%)
code_origins 17.798 ms [17.62 ms, 17.976 ms] -295.609 µs (-1.6%)
iast 17.547 ms [17.37 ms, 17.724 ms] -546.817 µs (-3.0%)
profiling 18.781 ms [18.589 ms, 18.974 ms] 687.291 µs (3.8%)
tracing 17.795 ms [17.613 ms, 17.976 ms] -299.322 µs (-1.7%)
Request duration reports for insecure-bank 
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.57.0-SNAPSHOT~69a96c9c6a, baseline=1.57.0-SNAPSHOT~c8bb44440b
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.195 ms) : 1183, 1206
.   : milestone, 1195,
iast (3.16 ms) : 3113, 3207
.   : milestone, 3160,
iast_FULL (5.86 ms) : 5802, 5919
.   : milestone, 5860,
iast_GLOBAL (3.684 ms) : 3633, 3735
.   : milestone, 3684,
profiling (2.161 ms) : 2141, 2181
.   : milestone, 2161,
tracing (1.817 ms) : 1801, 1832
.   : milestone, 1817,
section candidate
no_agent (1.283 ms) : 1270, 1295
.   : milestone, 1283,
iast (3.375 ms) : 3330, 3419
.   : milestone, 3375,
iast_FULL (5.604 ms) : 5549, 5658
.   : milestone, 5604,
iast_GLOBAL (3.554 ms) : 3499, 3610
.   : milestone, 3554,
profiling (2.06 ms) : 2042, 2078
.   : milestone, 2060,
tracing (1.841 ms) : 1824, 1857
.   : milestone, 1841,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.195 ms [1.183 ms, 1.206 ms] -
iast 3.16 ms [3.113 ms, 3.207 ms] 1.965 ms (164.5%)
iast_FULL 5.86 ms [5.802 ms, 5.919 ms] 4.666 ms (390.5%)
iast_GLOBAL 3.684 ms [3.633 ms, 3.735 ms] 2.489 ms (208.4%)
profiling 2.161 ms [2.141 ms, 2.181 ms] 966.296 µs (80.9%)
tracing 1.817 ms [1.801 ms, 1.832 ms] 622.109 µs (52.1%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.283 ms [1.27 ms, 1.295 ms] -
iast 3.375 ms [3.33 ms, 3.419 ms] 2.092 ms (163.1%)
iast_FULL 5.604 ms [5.549 ms, 5.658 ms] 4.321 ms (336.9%)
iast_GLOBAL 3.554 ms [3.499 ms, 3.61 ms] 2.272 ms (177.1%)
profiling 2.06 ms [2.042 ms, 2.078 ms] 777.128 µs (60.6%)
tracing 1.841 ms [1.824 ms, 1.857 ms] 558.275 µs (43.5%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-57815
git_commit_date 1763992896 1763995595
git_commit_sha c8bb444 69a96c9
release_version 1.57.0-SNAPSHOT~c8bb44440b 1.57.0-SNAPSHOT~69a96c9c6a
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1763997575 1763997575
ci_job_id 1253622049 1253622049
ci_pipeline_id 83807723 83807723
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-oc31f4vn 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-oc31f4vn 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat 
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.57.0-SNAPSHOT~69a96c9c6a, baseline=1.57.0-SNAPSHOT~c8bb44440b
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.476 ms) : 1465, 1488
.   : milestone, 1476,
appsec (2.46 ms) : 2407, 2512
.   : milestone, 2460,
iast (2.231 ms) : 2165, 2297
.   : milestone, 2231,
iast_GLOBAL (2.269 ms) : 2203, 2335
.   : milestone, 2269,
profiling (2.078 ms) : 2024, 2131
.   : milestone, 2078,
tracing (2.053 ms) : 2001, 2105
.   : milestone, 2053,
section candidate
no_agent (1.481 ms) : 1469, 1493
.   : milestone, 1481,
appsec (2.48 ms) : 2427, 2533
.   : milestone, 2480,
iast (2.225 ms) : 2160, 2291
.   : milestone, 2225,
iast_GLOBAL (2.276 ms) : 2210, 2342
.   : milestone, 2276,
profiling (2.092 ms) : 2037, 2146
.   : milestone, 2092,
tracing (2.058 ms) : 2006, 2110
.   : milestone, 2058,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.476 ms [1.465 ms, 1.488 ms] -
appsec 2.46 ms [2.407 ms, 2.512 ms] 983.694 µs (66.6%)
iast 2.231 ms [2.165 ms, 2.297 ms] 755.085 µs (51.2%)
iast_GLOBAL 2.269 ms [2.203 ms, 2.335 ms] 792.78 µs (53.7%)
profiling 2.078 ms [2.024 ms, 2.131 ms] 601.628 µs (40.8%)
tracing 2.053 ms [2.001 ms, 2.105 ms] 577.231 µs (39.1%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.481 ms [1.469 ms, 1.493 ms] -
appsec 2.48 ms [2.427 ms, 2.533 ms] 998.98 µs (67.5%)
iast 2.225 ms [2.16 ms, 2.291 ms] 744.606 µs (50.3%)
iast_GLOBAL 2.276 ms [2.21 ms, 2.342 ms] 795.131 µs (53.7%)
profiling 2.092 ms [2.037 ms, 2.146 ms] 610.922 µs (41.3%)
tracing 2.058 ms [2.006 ms, 2.11 ms] 576.868 µs (39.0%)
Execution time for biojava 
gantt
    title biojava - execution time [CI 0.99] : candidate=1.57.0-SNAPSHOT~69a96c9c6a, baseline=1.57.0-SNAPSHOT~c8bb44440b
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.28 s) : 15280000, 15280000
.   : milestone, 15280000,
appsec (14.994 s) : 14994000, 14994000
.   : milestone, 14994000,
iast (18.443 s) : 18443000, 18443000
.   : milestone, 18443000,
iast_GLOBAL (17.889 s) : 17889000, 17889000
.   : milestone, 17889000,
profiling (14.904 s) : 14904000, 14904000
.   : milestone, 14904000,
tracing (15.018 s) : 15018000, 15018000
.   : milestone, 15018000,
section candidate
no_agent (15.311 s) : 15311000, 15311000
.   : milestone, 15311000,
appsec (14.784 s) : 14784000, 14784000
.   : milestone, 14784000,
iast (18.708 s) : 18708000, 18708000
.   : milestone, 18708000,
iast_GLOBAL (17.962 s) : 17962000, 17962000
.   : milestone, 17962000,
profiling (15.281 s) : 15281000, 15281000
.   : milestone, 15281000,
tracing (14.842 s) : 14842000, 14842000
.   : milestone, 14842000,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.28 s [15.28 s, 15.28 s] -
appsec 14.994 s [14.994 s, 14.994 s] -286.0 ms (-1.9%)
iast 18.443 s [18.443 s, 18.443 s] 3.163 s (20.7%)
iast_GLOBAL 17.889 s [17.889 s, 17.889 s] 2.609 s (17.1%)
profiling 14.904 s [14.904 s, 14.904 s] -376.0 ms (-2.5%)
tracing 15.018 s [15.018 s, 15.018 s] -262.0 ms (-1.7%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.311 s [15.311 s, 15.311 s] -
appsec 14.784 s [14.784 s, 14.784 s] -527.0 ms (-3.4%)
iast 18.708 s [18.708 s, 18.708 s] 3.397 s (22.2%)
iast_GLOBAL 17.962 s [17.962 s, 17.962 s] 2.651 s (17.3%)
profiling 15.281 s [15.281 s, 15.281 s] -30.0 ms (-0.2%)
tracing 14.842 s [14.842 s, 14.842 s] -469.0 ms (-3.1%)

jandro996
jandro996 commented Nov 24, 2025
View reviewed changes
dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecuritySamplerImpl.java
* This method only serves as a final confirmation gate before schema extraction.
*/
@Override
public boolean sampleRequest(AppSecRequestContext ctx) {
Copy link
Member Author

@jandro996 jandro996 Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This method seems useless with the new approach but, I decided to maintain it to keep the checks although updateApiAccessIfExpired is not necessary anymore

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

comp: asm waf Application Security Management (WAF) type: bug Bug report and fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jandro996