Skip to content

Extract Play json body response schemas#8995

Merged
manuel-alvarez-alvarez merged 1 commit intomasterfrom
malvarez/play-response-extraction
Jun 25, 2025
Merged

Extract Play json body response schemas#8995
manuel-alvarez-alvarez merged 1 commit intomasterfrom
malvarez/play-response-extraction

Conversation

@manuel-alvarez-alvarez
Copy link
Member

@manuel-alvarez-alvarez manuel-alvarez-alvarez commented Jun 16, 2025
edited by atlassian bot
Loading

What Does This Do

Adds response body extraction for Play JSON endpoints to enable automatic API schema discovery and protection by the Web Application Firewall (WAF). Support is for Play >= 2.4+ (leverages new JSON response API)

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-57914

@manuel-alvarez-alvarez manuel-alvarez-alvarez added type: enhancement Enhancements and improvements comp: asm waf Application Security Management (WAF) inst: play framework Play Framework instrumentation labels Jun 16, 2025
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the base branch from malvarez/vertx-response-extraction to malvarez/http-route-play June 16, 2025 17:28
@pr-commenter
Copy link

pr-commenter bot commented Jun 16, 2025
edited
Loading

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master malvarez/play-response-extraction
git_commit_date 1750839907 1750844429
git_commit_sha c5581ea ebaa338
release_version 1.51.0-SNAPSHOT~c5581eae59 1.51.0-SNAPSHOT~ebaa3381ce
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1750846716 1750846716
ci_job_id 997521926 997521926
ci_pipeline_id 68707772 68707772
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-a1vxyzsw-project-304-concurrent-0-e53zf534 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-a1vxyzsw-project-304-concurrent-0-e53zf534 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 44 metrics, 9 unstable metrics.

Startup time reports for insecure-bank 
gantt
    title insecure-bank - global startup overhead: candidate=1.51.0-SNAPSHOT~ebaa3381ce, baseline=1.51.0-SNAPSHOT~c5581eae59

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (992.863 ms) : 0, 992863
Total [baseline] (8.548 s) : 0, 8547669
Agent [candidate] (992.654 ms) : 0, 992654
Total [candidate] (8.546 s) : 0, 8545751
section iast
Agent [baseline] (1.135 s) : 0, 1134763
Total [baseline] (9.295 s) : 0, 9294742
Agent [candidate] (1.13 s) : 0, 1129983
Total [candidate] (9.297 s) : 0, 9297375
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 992.863 ms -
Agent iast 1.135 s 141.9 ms (14.3%)
Total tracing 8.548 s -
Total iast 9.295 s 747.072 ms (8.7%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 992.654 ms -
Agent iast 1.13 s 137.329 ms (13.8%)
Total tracing 8.546 s -
Total iast 9.297 s 751.623 ms (8.8%) 
gantt
    title insecure-bank - break down per module: candidate=1.51.0-SNAPSHOT~ebaa3381ce, baseline=1.51.0-SNAPSHOT~c5581eae59

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (685.69 ms) : 0, 685690
BytebuddyAgent [candidate] (685.231 ms) : 0, 685231
GlobalTracer [baseline] (241.424 ms) : 0, 241424
GlobalTracer [candidate] (241.639 ms) : 0, 241639
AppSec [baseline] (30.019 ms) : 0, 30019
AppSec [candidate] (30.164 ms) : 0, 30164
Debugger [baseline] (6.063 ms) : 0, 6063
Debugger [candidate] (5.989 ms) : 0, 5989
Remote Config [baseline] (654.85 µs) : 0, 655
Remote Config [candidate] (664.26 µs) : 0, 664
Telemetry [baseline] (8.14 ms) : 0, 8140
Telemetry [candidate] (8.14 ms) : 0, 8140
section iast
BytebuddyAgent [baseline] (811.435 ms) : 0, 811435
BytebuddyAgent [candidate] (807.596 ms) : 0, 807596
GlobalTracer [baseline] (233.515 ms) : 0, 233515
GlobalTracer [candidate] (231.813 ms) : 0, 231813
AppSec [baseline] (26.43 ms) : 0, 26430
AppSec [candidate] (27.769 ms) : 0, 27769
Debugger [baseline] (5.745 ms) : 0, 5745
Debugger [candidate] (5.816 ms) : 0, 5816
Remote Config [baseline] (582.908 µs) : 0, 583
Remote Config [candidate] (576.241 µs) : 0, 576
Telemetry [baseline] (7.851 ms) : 0, 7851
Telemetry [candidate] (7.894 ms) : 0, 7894
IAST [baseline] (28.348 ms) : 0, 28348
IAST [candidate] (27.717 ms) : 0, 27717
Loading
Startup time reports for petclinic 
gantt
    title petclinic - global startup overhead: candidate=1.51.0-SNAPSHOT~ebaa3381ce, baseline=1.51.0-SNAPSHOT~c5581eae59

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (996.818 ms) : 0, 996818
Total [baseline] (10.724 s) : 0, 10723546
Agent [candidate] (995.956 ms) : 0, 995956
Total [candidate] (10.741 s) : 0, 10741437
section appsec
Agent [baseline] (1.174 s) : 0, 1174118
Total [baseline] (10.73 s) : 0, 10730439
Agent [candidate] (1.173 s) : 0, 1172687
Total [candidate] (10.754 s) : 0, 10754165
section iast
Agent [baseline] (1.137 s) : 0, 1137222
Total [baseline] (10.838 s) : 0, 10837914
Agent [candidate] (1.137 s) : 0, 1136777
Total [candidate] (10.798 s) : 0, 10798364
section profiling
Agent [baseline] (1.255 s) : 0, 1254809
Total [baseline] (11.14 s) : 0, 11139677
Agent [candidate] (1.249 s) : 0, 1248513
Total [candidate] (11.053 s) : 0, 11052900
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 996.818 ms -
Agent appsec 1.174 s 177.3 ms (17.8%)
Agent iast 1.137 s 140.404 ms (14.1%)
Agent profiling 1.255 s 257.991 ms (25.9%)
Total tracing 10.724 s -
Total appsec 10.73 s 6.894 ms (0.1%)
Total iast 10.838 s 114.368 ms (1.1%)
Total profiling 11.14 s 416.132 ms (3.9%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 995.956 ms -
Agent appsec 1.173 s 176.731 ms (17.7%)
Agent iast 1.137 s 140.821 ms (14.1%)
Agent profiling 1.249 s 252.557 ms (25.4%)
Total tracing 10.741 s -
Total appsec 10.754 s 12.728 ms (0.1%)
Total iast 10.798 s 56.927 ms (0.5%)
Total profiling 11.053 s 311.463 ms (2.9%) 
gantt
    title petclinic - break down per module: candidate=1.51.0-SNAPSHOT~ebaa3381ce, baseline=1.51.0-SNAPSHOT~c5581eae59

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (686.953 ms) : 0, 686953
BytebuddyAgent [candidate] (686.675 ms) : 0, 686675
GlobalTracer [baseline] (243.623 ms) : 0, 243623
GlobalTracer [candidate] (242.539 ms) : 0, 242539
AppSec [baseline] (30.477 ms) : 0, 30477
AppSec [candidate] (30.127 ms) : 0, 30127
Debugger [baseline] (6.099 ms) : 0, 6099
Debugger [candidate] (6.057 ms) : 0, 6057
Remote Config [baseline] (663.945 µs) : 0, 664
Remote Config [candidate] (666.207 µs) : 0, 666
Telemetry [baseline] (8.206 ms) : 0, 8206
Telemetry [candidate] (8.889 ms) : 0, 8889
section appsec
BytebuddyAgent [baseline] (710.094 ms) : 0, 710094
BytebuddyAgent [candidate] (709.328 ms) : 0, 709328
GlobalTracer [baseline] (236.676 ms) : 0, 236676
GlobalTracer [candidate] (235.948 ms) : 0, 235948
AppSec [baseline] (169.631 ms) : 0, 169631
AppSec [candidate] (170.187 ms) : 0, 170187
Debugger [baseline] (5.864 ms) : 0, 5864
Debugger [candidate] (5.811 ms) : 0, 5811
Remote Config [baseline] (600.634 µs) : 0, 601
Remote Config [candidate] (607.503 µs) : 0, 608
Telemetry [baseline] (8.256 ms) : 0, 8256
Telemetry [candidate] (8.058 ms) : 0, 8058
IAST [baseline] (22.118 ms) : 0, 22118
IAST [candidate] (22.01 ms) : 0, 22010
section iast
BytebuddyAgent [baseline] (812.798 ms) : 0, 812798
BytebuddyAgent [candidate] (812.905 ms) : 0, 812905
GlobalTracer [baseline] (233.537 ms) : 0, 233537
GlobalTracer [candidate] (233.003 ms) : 0, 233003
AppSec [baseline] (26.951 ms) : 0, 26951
AppSec [candidate] (27.74 ms) : 0, 27740
Debugger [baseline] (5.862 ms) : 0, 5862
Debugger [candidate] (5.795 ms) : 0, 5795
Remote Config [baseline] (585.619 µs) : 0, 586
Remote Config [candidate] (584.688 µs) : 0, 585
Telemetry [baseline] (7.984 ms) : 0, 7984
Telemetry [candidate] (7.957 ms) : 0, 7957
IAST [baseline] (28.533 ms) : 0, 28533
IAST [candidate] (27.792 ms) : 0, 27792
section profiling
BytebuddyAgent [baseline] (684.391 ms) : 0, 684391
BytebuddyAgent [candidate] (681.18 ms) : 0, 681180
GlobalTracer [baseline] (364.278 ms) : 0, 364278
GlobalTracer [candidate] (362.644 ms) : 0, 362644
AppSec [baseline] (31.736 ms) : 0, 31736
AppSec [candidate] (33.572 ms) : 0, 33572
Debugger [baseline] (9.61 ms) : 0, 9610
Debugger [candidate] (10.433 ms) : 0, 10433
Remote Config [baseline] (664.565 µs) : 0, 665
Remote Config [candidate] (672.594 µs) : 0, 673
Telemetry [baseline] (10.347 ms) : 0, 10347
Telemetry [candidate] (8.076 ms) : 0, 8076
ProfilingAgent [baseline] (104.699 ms) : 0, 104699
ProfilingAgent [candidate] (103.168 ms) : 0, 103168
Profiling [baseline] (104.725 ms) : 0, 104725
Profiling [candidate] (103.193 ms) : 0, 103193
Loading

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master malvarez/play-response-extraction
git_commit_date 1750839907 1750844429
git_commit_sha c5581ea ebaa338
release_version 1.51.0-SNAPSHOT~c5581eae59 1.51.0-SNAPSHOT~ebaa3381ce
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1750846402 1750846402
ci_job_id 997521927 997521927
ci_pipeline_id 68707772 68707772
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-a1vxyzsw-project-304-concurrent-1-th4g6hg0 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-a1vxyzsw-project-304-concurrent-1-th4g6hg0 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 3 performance improvements and 1 performance regressions! Performance is the same for 8 metrics, 12 unstable metrics.

scenario Δ mean http_req_duration Δ mean throughput candidate mean http_req_duration candidate mean throughput baseline mean http_req_duration baseline mean throughput
scenario:load:petclinic:iast:high_load better
[-2.441ms; -1.612ms] or [-5.326%; -3.517%]		 unstable
[-2.192op/s; +11.642op/s] or [-2.146%; +11.401%]		 43.797ms 106.838op/s 45.823ms 102.112op/s
scenario:load:petclinic:appsec:high_load better
[-3.070ms; -2.138ms] or [-6.225%; -4.335%]		 unstable
[-1.628op/s; +12.203op/s] or [-1.715%; +12.858%]		 46.716ms 100.188op/s 49.320ms 94.900op/s
scenario:load:petclinic:profiling:high_load worse
[+1.756ms; +2.675ms] or [+3.743%; +5.703%]		 unstable
[-11.041op/s; +2.066op/s] or [-11.068%; +2.071%]		 49.127ms 95.263op/s 46.911ms 99.750op/s
scenario:load:petclinic:code_origins:high_load better
[-1.995ms; -1.152ms] or [-4.250%; -2.455%]		 unstable
[-3.272op/s; +10.122op/s] or [-3.280%; +10.146%]		 45.357ms 103.188op/s 46.930ms 99.763op/s
Request duration reports for petclinic 
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~ebaa3381ce, baseline=1.51.0-SNAPSHOT~c5581eae59
    dateFormat X
    axisFormat %s
section baseline
no_agent (36.27 ms) : 35980, 36561
.   : milestone, 36270,
appsec (49.32 ms) : 48864, 49776
.   : milestone, 49320,
code_origins (46.93 ms) : 46528, 47332
.   : milestone, 46930,
iast (45.823 ms) : 45426, 46219
.   : milestone, 45823,
profiling (46.911 ms) : 46501, 47321
.   : milestone, 46911,
tracing (44.119 ms) : 43763, 44475
.   : milestone, 44119,
section candidate
no_agent (36.8 ms) : 36504, 37097
.   : milestone, 36800,
appsec (46.716 ms) : 46307, 47124
.   : milestone, 46716,
code_origins (45.357 ms) : 44976, 45737
.   : milestone, 45357,
iast (43.797 ms) : 43423, 44170
.   : milestone, 43797,
profiling (49.127 ms) : 48683, 49570
.   : milestone, 49127,
tracing (43.636 ms) : 43281, 43990
.   : milestone, 43636,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 36.27 ms [35.98 ms, 36.561 ms] -
appsec 49.32 ms [48.864 ms, 49.776 ms] 13.05 ms (36.0%)
code_origins 46.93 ms [46.528 ms, 47.332 ms] 10.659 ms (29.4%)
iast 45.823 ms [45.426 ms, 46.219 ms] 9.552 ms (26.3%)
profiling 46.911 ms [46.501 ms, 47.321 ms] 10.641 ms (29.3%)
tracing 44.119 ms [43.763 ms, 44.475 ms] 7.848 ms (21.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 36.8 ms [36.504 ms, 37.097 ms] -
appsec 46.716 ms [46.307 ms, 47.124 ms] 9.915 ms (26.9%)
code_origins 45.357 ms [44.976 ms, 45.737 ms] 8.556 ms (23.3%)
iast 43.797 ms [43.423 ms, 44.17 ms] 6.996 ms (19.0%)
profiling 49.127 ms [48.683 ms, 49.57 ms] 12.326 ms (33.5%)
tracing 43.636 ms [43.281 ms, 43.99 ms] 6.835 ms (18.6%)
Request duration reports for insecure-bank 
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~ebaa3381ce, baseline=1.51.0-SNAPSHOT~c5581eae59
    dateFormat X
    axisFormat %s
section baseline
no_agent (4.354 ms) : 4305, 4403
.   : milestone, 4354,
iast (9.024 ms) : 8872, 9177
.   : milestone, 9024,
iast_FULL (13.683 ms) : 13412, 13954
.   : milestone, 13683,
iast_GLOBAL (10.376 ms) : 10192, 10561
.   : milestone, 10376,
profiling (8.631 ms) : 8488, 8773
.   : milestone, 8631,
tracing (7.809 ms) : 7687, 7931
.   : milestone, 7809,
section candidate
no_agent (4.312 ms) : 4262, 4361
.   : milestone, 4312,
iast (9.202 ms) : 9052, 9351
.   : milestone, 9202,
iast_FULL (14.197 ms) : 13918, 14475
.   : milestone, 14197,
iast_GLOBAL (10.037 ms) : 9858, 10216
.   : milestone, 10037,
profiling (8.44 ms) : 8304, 8577
.   : milestone, 8440,
tracing (7.859 ms) : 7738, 7981
.   : milestone, 7859,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 4.354 ms [4.305 ms, 4.403 ms] -
iast 9.024 ms [8.872 ms, 9.177 ms] 4.67 ms (107.3%)
iast_FULL 13.683 ms [13.412 ms, 13.954 ms] 9.329 ms (214.3%)
iast_GLOBAL 10.376 ms [10.192 ms, 10.561 ms] 6.023 ms (138.3%)
profiling 8.631 ms [8.488 ms, 8.773 ms] 4.277 ms (98.2%)
tracing 7.809 ms [7.687 ms, 7.931 ms] 3.455 ms (79.4%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 4.312 ms [4.262 ms, 4.361 ms] -
iast 9.202 ms [9.052 ms, 9.351 ms] 4.89 ms (113.4%)
iast_FULL 14.197 ms [13.918 ms, 14.475 ms] 9.885 ms (229.3%)
iast_GLOBAL 10.037 ms [9.858 ms, 10.216 ms] 5.726 ms (132.8%)
profiling 8.44 ms [8.304 ms, 8.577 ms] 4.129 ms (95.8%)
tracing 7.859 ms [7.738 ms, 7.981 ms] 3.548 ms (82.3%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master malvarez/play-response-extraction
git_commit_date 1750839907 1750844429
git_commit_sha c5581ea ebaa338
release_version 1.51.0-SNAPSHOT~c5581eae59 1.51.0-SNAPSHOT~ebaa3381ce
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1750846901 1750846901
ci_job_id 997521930 997521930
ci_pipeline_id 68707772 68707772
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-a1vxyzsw-project-304-concurrent-2-o7s4ww9o 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-a1vxyzsw-project-304-concurrent-2-o7s4ww9o 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava 
gantt
    title biojava - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~ebaa3381ce, baseline=1.51.0-SNAPSHOT~c5581eae59
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.064 s) : 15064000, 15064000
.   : milestone, 15064000,
appsec (14.603 s) : 14603000, 14603000
.   : milestone, 14603000,
iast (18.751 s) : 18751000, 18751000
.   : milestone, 18751000,
iast_GLOBAL (17.729 s) : 17729000, 17729000
.   : milestone, 17729000,
profiling (15.378 s) : 15378000, 15378000
.   : milestone, 15378000,
tracing (14.867 s) : 14867000, 14867000
.   : milestone, 14867000,
section candidate
no_agent (15.011 s) : 15011000, 15011000
.   : milestone, 15011000,
appsec (14.969 s) : 14969000, 14969000
.   : milestone, 14969000,
iast (18.425 s) : 18425000, 18425000
.   : milestone, 18425000,
iast_GLOBAL (17.986 s) : 17986000, 17986000
.   : milestone, 17986000,
profiling (15.033 s) : 15033000, 15033000
.   : milestone, 15033000,
tracing (14.856 s) : 14856000, 14856000
.   : milestone, 14856000,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.064 s [15.064 s, 15.064 s] -
appsec 14.603 s [14.603 s, 14.603 s] -461.0 ms (-3.1%)
iast 18.751 s [18.751 s, 18.751 s] 3.687 s (24.5%)
iast_GLOBAL 17.729 s [17.729 s, 17.729 s] 2.665 s (17.7%)
profiling 15.378 s [15.378 s, 15.378 s] 314.0 ms (2.1%)
tracing 14.867 s [14.867 s, 14.867 s] -197.0 ms (-1.3%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.011 s [15.011 s, 15.011 s] -
appsec 14.969 s [14.969 s, 14.969 s] -42.0 ms (-0.3%)
iast 18.425 s [18.425 s, 18.425 s] 3.414 s (22.7%)
iast_GLOBAL 17.986 s [17.986 s, 17.986 s] 2.975 s (19.8%)
profiling 15.033 s [15.033 s, 15.033 s] 22.0 ms (0.1%)
tracing 14.856 s [14.856 s, 14.856 s] -155.0 ms (-1.0%)
Execution time for tomcat 
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~ebaa3381ce, baseline=1.51.0-SNAPSHOT~c5581eae59
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.474 ms) : 1462, 1485
.   : milestone, 1474,
appsec (2.402 ms) : 2353, 2451
.   : milestone, 2402,
iast (2.182 ms) : 2120, 2243
.   : milestone, 2182,
iast_GLOBAL (2.238 ms) : 2176, 2300
.   : milestone, 2238,
profiling (2.049 ms) : 1998, 2099
.   : milestone, 2049,
tracing (2.006 ms) : 1959, 2054
.   : milestone, 2006,
section candidate
no_agent (1.475 ms) : 1463, 1486
.   : milestone, 1475,
appsec (2.404 ms) : 2355, 2453
.   : milestone, 2404,
iast (2.18 ms) : 2119, 2241
.   : milestone, 2180,
iast_GLOBAL (2.224 ms) : 2162, 2286
.   : milestone, 2224,
profiling (2.039 ms) : 1989, 2089
.   : milestone, 2039,
tracing (2.016 ms) : 1968, 2064
.   : milestone, 2016,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.474 ms [1.462 ms, 1.485 ms] -
appsec 2.402 ms [2.353 ms, 2.451 ms] 928.072 µs (63.0%)
iast 2.182 ms [2.12 ms, 2.243 ms] 707.904 µs (48.0%)
iast_GLOBAL 2.238 ms [2.176 ms, 2.3 ms] 763.702 µs (51.8%)
profiling 2.049 ms [1.998 ms, 2.099 ms] 574.771 µs (39.0%)
tracing 2.006 ms [1.959 ms, 2.054 ms] 532.392 µs (36.1%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.475 ms [1.463 ms, 1.486 ms] -
appsec 2.404 ms [2.355 ms, 2.453 ms] 929.612 µs (63.0%)
iast 2.18 ms [2.119 ms, 2.241 ms] 705.333 µs (47.8%)
iast_GLOBAL 2.224 ms [2.162 ms, 2.286 ms] 749.18 µs (50.8%)
profiling 2.039 ms [1.989 ms, 2.089 ms] 564.378 µs (38.3%)
tracing 2.016 ms [1.968 ms, 2.064 ms] 541.119 µs (36.7%)

@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/http-route-play branch 4 times, most recently from 956faea to 0078896 Compare June 17, 2025 13:45
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch from 7d13dbd to cb58b47 Compare June 17, 2025 13:46
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the base branch from malvarez/http-route-play to malvarez/vertx-response-extraction June 17, 2025 17:30
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch from cb58b47 to 0078896 Compare June 17, 2025 17:30
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch from 0078896 to e6d0da9 Compare June 17, 2025 17:39
@manuel-alvarez-alvarez manuel-alvarez-alvarez marked this pull request as ready for review June 17, 2025 17:52
@manuel-alvarez-alvarez manuel-alvarez-alvarez requested review from a team as code owners June 17, 2025 17:52
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch from e6d0da9 to bf5e01e Compare June 19, 2025 08:39
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch from 23f52bc to f7b1451 Compare June 19, 2025 08:40
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the title Extract JSON body responses in Play Extract Play json body response schemas Jun 19, 2025
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch 2 times, most recently from cf8d5bc to 135e0f0 Compare June 19, 2025 12:18
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch from 37afc9b to 3fabdcd Compare June 23, 2025 07:39
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch from 135e0f0 to f5b9e7b Compare June 23, 2025 07:42
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch from f5b9e7b to 3fabdcd Compare June 23, 2025 07:48
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch from 3fabdcd to fe0c272 Compare June 23, 2025 09:53
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch from fe3ba88 to 22b45ef Compare June 23, 2025 09:54
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch from fe0c272 to 25ab23e Compare June 23, 2025 10:35
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch from 22b45ef to ea1aa76 Compare June 23, 2025 10:37
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch from 25ab23e to 24b6231 Compare June 23, 2025 12:00
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch from ea1aa76 to 909e714 Compare June 23, 2025 16:05
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch 2 times, most recently from d9fd6aa to 5194553 Compare June 24, 2025 08:39
smola
smola reviewed Jun 24, 2025
View reviewed changes
dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/ObjectIntrospection.java
state.listMapTooLarge = true;
break;
List<Object> newList;
if (obj instanceof Collection) {
Copy link
Member

@smola smola Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A Collection is always an Iterable, this case should be first?

Copy link
Member Author

@manuel-alvarez-alvarez manuel-alvarez-alvarez Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this part of the code we are dealing with Iterable objects that might or might not implement Collection, this is just a perf improvement to be able to allocate a list of the proper size (not sure if I asked your question properly).

Copy link
Member Author

@manuel-alvarez-alvarez manuel-alvarez-alvarez Jun 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you want to follow up with the discussion this is now part of the initial PR of the stack

@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch from 5194553 to 3a7d412 Compare June 24, 2025 12:28
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch from 909e714 to 6bbdb08 Compare June 24, 2025 12:41
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch 2 times, most recently from ac7c355 to bd96ea3 Compare June 25, 2025 07:15
Base automatically changed from malvarez/vertx-response-extraction to master June 25, 2025 08:25
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch from 6bbdb08 to ed355c7 Compare June 25, 2025 08:28
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/play-response-extraction branch from ed355c7 to ebaa338 Compare June 25, 2025 09:48
@manuel-alvarez-alvarez manuel-alvarez-alvarez merged commit e2710ff into master Jun 25, 2025
485 checks passed
@manuel-alvarez-alvarez manuel-alvarez-alvarez deleted the malvarez/play-response-extraction branch June 25, 2025 10:55
@github-actions github-actions bot added this to the 1.51.0 milestone Jun 25, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Jul 10, 2025
@github-cash-renovate-jvm-2 @svc-squareup-copybara
This PR contains the following updates:
48e635d 
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
|
[com.google.errorprone:error_prone_annotations](https://errorprone.info)
([source](https://github.com/google/error-prone)) | dependencies |
misk/gradle/libs.versions.toml | gradle | minor | `2.39.0` -> `2.40.0` |
|
[org.apache.commons:commons-lang3](https://commons.apache.org/proper/commons-lang/)
([source](https://gitbox.apache.org/repos/asf/commons-lang.git)) |
dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`3.17.0` -> `3.18.0` |
|
[org.jetbrains.kotlinx.binary-compatibility-validator](https://github.com/Kotlin/binary-compatibility-validator)
| plugin | misk/gradle/libs.versions.toml | gradle | patch | `0.18.0` ->
`0.18.1` |
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`1.50.1` -> `1.51.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.31.77` -> `2.31.78` |
| [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.31.77` -> `2.31.78` |
|
[software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava)
| dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.31.77` -> `2.31.78` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.31.77` -> `2.31.78` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.31.77` -> `2.31.78` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.31.77` -> `2.31.78` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.31.77` -> `2.31.78` |

---

### Release Notes

<details>
<summary>google/error-prone
(com.google.errorprone:error_prone_annotations)</summary>

###
[`v2.40.0`](https://github.com/google/error-prone/releases/tag/v2.40.0):
Error Prone 2.40.0

Changes:

- Bug fixes and improvements
- Releases (including snapshots) have migrated from [OSSRH to the
Central Publisher
Portal](https://central.sonatype.org/pages/ossrh-eol/#process-to-migrate)

Full changelog:
google/error-prone@v2.39.0...v2.40.0

</details>

<details>
<summary>Kotlin/binary-compatibility-validator
(org.jetbrains.kotlinx.binary-compatibility-validator)</summary>

###
[`v0.18.1`](https://github.com/Kotlin/binary-compatibility-validator/releases/tag/0.18.1)

[Compare
Source](Kotlin/binary-compatibility-validator@0.18.0...0.18.1)

#### What's Changed

- Fixed a bug preventing use of cross-compilation support during KLIB
dump validation
\[[#&#8203;304](https://github.com/Kotlin/binary-compatibility-validator/issues/304)]\[[#&#8203;306](https://github.com/Kotlin/binary-compatibility-validator/issues/306)]

</details>

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

###
[`v1.51.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.51.0):
1.51.0

### Components

#### Application Security Management (IAST)

- 🐛 Fix verify error when ctor params are used after a call site
([#&#8203;9083](DataDog/dd-trace-java#9083) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- 🐛 Limit the maximum size of the location path in IAST
vulnerabilities
([#&#8203;9028](DataDog/dd-trace-java#9028) -
[@&#8203;jandro996](https://github.com/jandro996))
- 🐛 Fix IAST gRPC handler with null superclass
([#&#8203;8984](DataDog/dd-trace-java#8984) -
[@&#8203;smola](https://github.com/smola))
- ✨ Optimize IAST Vulnerability Detection
([#&#8203;8885](DataDog/dd-trace-java#8885) -
[@&#8203;jandro996](https://github.com/jandro996))

#### Application Security Management (WAF)

- ✨ Upgrade libddwaf-java to 15.0.0
([#&#8203;9022](DataDog/dd-trace-java#9022) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))
- ✨ Extract RestEasy json body response schemas
([#&#8203;9015](DataDog/dd-trace-java#9015) -
[@&#8203;jandro996](https://github.com/jandro996))
- ✨ Extract Jersey json body response schemas
([#&#8203;9014](DataDog/dd-trace-java#9014) -
[@&#8203;jandro996](https://github.com/jandro996))
- ✨ Extract Ratpack json body response schemas
([#&#8203;9013](DataDog/dd-trace-java#9013) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Enable API Security by default and make it lazy loading
([#&#8203;9009](DataDog/dd-trace-java#9009) -
[@&#8203;smola](https://github.com/smola))
- ✨ Extract Vert.x json body response schemas
([#&#8203;9001](DataDog/dd-trace-java#9001) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Extract Play json body response schemas
([#&#8203;8995](DataDog/dd-trace-java#8995) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- 🐛 Fix Jackson nodes introspection for request/response schema
extraction
([#&#8203;8980](DataDog/dd-trace-java#8980) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Extract Spring json body response schemas
([#&#8203;8938](DataDog/dd-trace-java#8938) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))
- ✨ Default obfuscation regexp update
([#&#8203;8937](DataDog/dd-trace-java#8937) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))

#### Build & Tooling

- ✨ Cancel GitLab running pipeline on new PR push
([#&#8203;9023](DataDog/dd-trace-java#9023) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Migrate publishing to Maven Central Portal
([#&#8203;8807](DataDog/dd-trace-java#8807) -
[@&#8203;sarahchen6](https://github.com/sarahchen6))

#### Continuous Integration Visibility

- 🐛 Fix Test Optimization to work with JDK 24
([#&#8203;9114](DataDog/dd-trace-java#9114) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add repo root as safe directory on git client creation
([#&#8203;9033](DataDog/dd-trace-java#9033) -
[@&#8203;daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Add PR number tag and improve PR information building
([#&#8203;8990](DataDog/dd-trace-java#8990) -
[@&#8203;daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Update impacted tests logic
([#&#8203;8923](DataDog/dd-trace-java#8923) -
[@&#8203;daniel-mohedano](https://github.com/daniel-mohedano))

#### Data Streams Monitoring

- 🧹 Clean up DSM context injection
([#&#8203;8776](DataDog/dd-trace-java#8776) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))

#### Database Monitoring

- 🐛 Set trace\_injected in try block
([#&#8203;9025](DataDog/dd-trace-java#9025) -
[@&#8203;natashadada](https://github.com/natashadada))

#### Dynamic Instrumentation

- 🐛 Add source file tracking enable option
([#&#8203;9115](DataDog/dd-trace-java#9115) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Add java.util.Date support
([#&#8203;9111](DataDog/dd-trace-java#9111) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Update file probe format
([#&#8203;9047](DataDog/dd-trace-java#9047) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ add safe local var hoisting
([#&#8203;9034](DataDog/dd-trace-java#9034) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- 🧹 Add new config for debugger upload interval
([#&#8203;8959](DataDog/dd-trace-java#8959) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Enable Code Origin with Dynamic instrumentation
([#&#8203;8940](DataDog/dd-trace-java#8940) -
[@&#8203;jpbempel](https://github.com/jpbempel))

#### ML Observability (LLMObs)

- 💡 LLM Observability SDK
([#&#8203;8781](DataDog/dd-trace-java#8781) -
[@&#8203;gary-huang](https://github.com/gary-huang),
[@&#8203;nayeem-kamal](https://github.com/nayeem-kamal))

#### Metrics

- 🐛 Ensure client stat reporter is started when the agent is not
available at bootstrap
([#&#8203;9082](DataDog/dd-trace-java#9082) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Create metric: appsec.waf.config\_errors
([#&#8203;8394](DataDog/dd-trace-java#8394) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))

#### Platform components

- ✨ Introduce environment component
([#&#8203;9071](DataDog/dd-trace-java#9071) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))

#### Profiling

- 🐛 Remove annoying warning for smap event parsing
([#&#8203;9119](DataDog/dd-trace-java#9119) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- 🐛 Fix ByteCountingInputStream when reading past EOF
([#&#8203;8988](DataDog/dd-trace-java#8988) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

#### Realtime User Monitoring

- ✨ Add RUM SDK injection for servlet based web servers
([#&#8203;9110](DataDog/dd-trace-java#9110) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer)
[@&#8203;amarziali](https://github.com/amarziali))

#### Telemetry

- ✨ Update the config origin metric to match what it's mapping
([#&#8203;9045](DataDog/dd-trace-java#9045) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))

#### Testing

- ✨ Add testing for latest stable version (JDK 24)
([#&#8203;8875](DataDog/dd-trace-java#8875) -
[@&#8203;sarahchen6](https://github.com/sarahchen6))

#### Trace context propagation

- 🐛 Fix bug with dropping baggage when
`TracePropagationBehaviorExtract=IGNORE`
([#&#8203;9037](DataDog/dd-trace-java#9037) -
[@&#8203;mhlidd](https://github.com/mhlidd))
- 🐛 Fix ArrayIndexOutOfBoundsException in PercentEscaper
([#&#8203;9032](DataDog/dd-trace-java#9032) -
[@&#8203;mhlidd](https://github.com/mhlidd))

#### Tracer core

- 🐛 Fix `Error` handling for trace interceptors
([#&#8203;9097](DataDog/dd-trace-java#9097) -
[@&#8203;AlexeyKuznetsov-DD](https://github.com/AlexeyKuznetsov-DD))
- 💡 Add wildcard feature for `DD_TRACE_HEADER_TAGS` and enabling
for Http Response headers
([#&#8203;9067](DataDog/dd-trace-java#9067) -
[@&#8203;mhlidd](https://github.com/mhlidd))

#### Tracer public API

- 💡 Add LLM Observability SDK
([#&#8203;8781](DataDog/dd-trace-java#8781) -
[@&#8203;gary-huang](https://github.com/gary-huang))

### Instrumentations

#### Akka instrumentation

- 🐛 Fix NPE in akka-http and pekko-http integrations
([#&#8203;9019](DataDog/dd-trace-java#9019) -
[@&#8203;mcculls](https://github.com/mcculls))

#### Eclipse Vert.x instrumentation

- ✨ Extract Vert.x json body response schemas
([#&#8203;9001](DataDog/dd-trace-java#9001) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Write http.route tag as soon as possible in vert.x
([#&#8203;8952](DataDog/dd-trace-java#8952) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

#### JAX-WS instrumentation

- 💡⚠️ Enable jax-ws integration by default
([#&#8203;9030](DataDog/dd-trace-java#9030) -
[@&#8203;bm1549](https://github.com/bm1549))
- ✨ Extract Jersey json body response schemas
([#&#8203;9014](DataDog/dd-trace-java#9014) -
[@&#8203;jandro996](https://github.com/jandro996))

#### Mule instrumentation

- 🐛 Propagate grizzly http span in filters if nothing is active
([#&#8203;9016](DataDog/dd-trace-java#9016) -
[@&#8203;amarziali](https://github.com/amarziali))

#### Play Framework instrumentation

- ✨ Extract Play json body response schemas
([#&#8203;8995](DataDog/dd-trace-java#8995) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

#### Ratpack instrumentation

- ✨ Extract Ratpack json body response schemas
([#&#8203;9013](DataDog/dd-trace-java#9013) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

#### Spring instrumentation

- ✨ Extract Spring json body response schemas
([#&#8203;8938](DataDog/dd-trace-java#8938) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: 649b690d4c9d7dcb572c457f0802b42b8e3e682e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@smola smola smola left review comments

@jandro996 jandro996 jandro996 approved these changes

Assignees

No one assigned

Labels

comp: asm waf Application Security Management (WAF) inst: play framework Play Framework instrumentation type: enhancement Enhancements and improvements

Projects

None yet

Milestone

1.51.0

Development

Successfully merging this pull request may close these issues.

3 participants

@manuel-alvarez-alvarez @smola @jandro996