
Add String length truncation limit to ObjectIntrospector and update truncation metrics #8825


Merged
merged 5 commits into from
May 21, 2025

@jandro996 jandro996 commented May 14, 2025

What Does This Do

  • Add a new truncation limit to strings in the ObjectIntrospector (this is the same limit that we apply in libddwaf)

  • Add three flags to the State to know if there is object depth, collection size or String length truncation

  • Before returning the Object, check the flags and trigger the metrics if necessary

Motivation

WAF truncation metrics were implemented based on the information about truncation done in libddwaf, but in the cases where the object sent to the WAF is transformed using ObjectIntrospector, there is a truncation that we are not reporting via metrics.

Additional Notes

Contributor Checklist

Jira ticket: [PROJ-IDENT]
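
The mechanism the description outlines, as an added Java example rather than the project's code: a bounded converter records which limit it hit in a per-call state and reports each truncation kind once before returning. Only `MAX_DEPTH = 20` comes from the page; the other two limits, the `TruncationMetrics` interface, the kind labels and the string fallback for non-container objects are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public final class BoundedIntrospectionExample {
  static final int MAX_DEPTH = 20; // the value visible in the PR's diff context
  static final int MAX_ELEMENTS = 256; // assumed for this example
  static final int MAX_STRING_LENGTH = 4096; // assumed for this example

  /** Per-conversion state: a shared element budget and one flag per truncation kind. */
  static final class State {
    int elementsLeft = MAX_ELEMENTS;
    boolean depthTruncated, sizeTruncated, stringTruncated;
  }

  /** Hypothetical sink standing in for the tracer's telemetry; kind labels are made up. */
  interface TruncationMetrics {
    void inputTruncated(String kind);
  }

  /** Converts input to plain maps, lists, strings and scalars, then reports truncation. */
  static Object convert(Object input, TruncationMetrics metrics) {
    State state = new State();
    Object result = walk(input, 0, state);
    // Flags are read once, after the walk, so each kind is reported once per object.
    if (state.depthTruncated) metrics.inputTruncated("object_depth");
    if (state.sizeTruncated) metrics.inputTruncated("collection_size");
    if (state.stringTruncated) metrics.inputTruncated("string_length");
    return result;
  }

  private static Object walk(Object obj, int depth, State state) {
    if (obj == null || obj instanceof Number || obj instanceof Boolean) return obj;
    if (obj instanceof CharSequence) return truncate((CharSequence) obj, state);
    if (!(obj instanceof Map) && !(obj instanceof Collection)) {
      // Simplification: other types become their string form rather than being reflected over.
      return truncate(String.valueOf(obj), state);
    }
    if (depth >= MAX_DEPTH) {
      // The depth cap is also what stops a self-referencing container from recursing forever.
      state.depthTruncated = true;
      return null;
    }
    if (obj instanceof Map) {
      Map<String, Object> out = new LinkedHashMap<>();
      for (Map.Entry<?, ?> e : ((Map<?, ?>) obj).entrySet()) {
        if (!takeElement(state)) break;
        out.put(truncate(String.valueOf(e.getKey()), state), walk(e.getValue(), depth + 1, state));
      }
      return out;
    }
    List<Object> out = new ArrayList<>();
    for (Object item : (Collection<?>) obj) {
      if (!takeElement(state)) break;
      out.add(walk(item, depth + 1, state));
    }
    return out;
  }

  /** Spends one unit of the element budget; flags size truncation when it is exhausted. */
  private static boolean takeElement(State state) {
    if (state.elementsLeft > 0) {
      state.elementsLeft--;
      return true;
    }
    state.sizeTruncated = true;
    return false;
  }

  private static String truncate(CharSequence s, State state) {
    if (s.length() <= MAX_STRING_LENGTH) return s.toString();
    state.stringTruncated = true;
    int end = MAX_STRING_LENGTH;
    if (Character.isHighSurrogate(s.charAt(end - 1))) end--; // keep surrogate pairs whole
    return s.subSequence(0, end).toString();
  }

  public static void main(String[] args) {
    // Constructed input: an over-long string, over-deep nesting and an over-long list.
    StringBuilder longValue = new StringBuilder();
    for (int i = 0; i < MAX_STRING_LENGTH + 100; i++) longValue.append('a');
    Object deep = "leaf";
    for (int i = 0; i < MAX_DEPTH + 5; i++) deep = Collections.singletonList(deep);
    List<Object> wide = new ArrayList<>();
    for (int i = 0; i < 2 * MAX_ELEMENTS; i++) wide.add(i);
    Map<String, Object> body = new LinkedHashMap<>();
    body.put("comment", longValue);
    body.put("deep", deep);
    body.put("wide", wide);
    Map<String, Integer> counts = new LinkedHashMap<>();
    Map<?, ?> out = (Map<?, ?>) convert(body, kind -> counts.merge(kind, 1, Integer::sum));
    System.out.println("truncation metrics: " + counts);
    System.out.println("comment length: " + ((String) out.get("comment")).length());
    System.out.println("wide size: " + ((List<?>) out.get("wide")).size());
  }
}
```

Without the flags, the WAF would evaluate the shortened object and telemetry would show no truncation, which is the reporting gap the description names.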

@jandro996 jandro996 added type: bug comp: asm waf Application Security Management (WAF) comp: telemetry Telemetry labels May 14, 2025

pr-commenter bot commented May 14, 2025

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/fix-input-truncated-metrics
git_commit_date 1747423490 1747637253
git_commit_sha a33e422 51ee641
release_version 1.50.0-SNAPSHOT~a33e422137 1.50.0-SNAPSHOT~51ee6416d1
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1747639813 1747639813
ci_job_id 943168181 943168181
ci_pipeline_id 65438697 65438697
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-2bm4vw7y-project-304-concurrent-0-kvtje0r5 6.8.0-1028-aws #30~22.04.1-Ubuntu SMP Sun Apr 20 06:03:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-2bm4vw7y-project-304-concurrent-0-kvtje0r5 6.8.0-1028-aws #30~22.04.1-Ubuntu SMP Sun Apr 20 06:03:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 57 metrics, 14 unstable metrics.

Startup time reports for petclinic
[Gantt chart: petclinic - global startup overhead: candidate=1.50.0-SNAPSHOT~51ee6416d1, baseline=1.50.0-SNAPSHOT~a33e422137; sections: tracing, appsec, iast, profiling]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.03 s -
Agent appsec 1.162 s 131.802 ms (12.8%)
Agent iast 1.15 s 120.233 ms (11.7%)
Agent profiling 1.284 s 254.051 ms (24.7%)
Total tracing 10.557 s -
Total appsec 10.666 s 108.167 ms (1.0%)
Total iast 10.896 s 339.009 ms (3.2%)
Total profiling 10.875 s 317.841 ms (3.0%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.022 s -
Agent appsec 1.159 s 137.258 ms (13.4%)
Agent iast 1.146 s 123.851 ms (12.1%)
Agent profiling 1.28 s 258.37 ms (25.3%)
Total tracing 10.497 s -
Total appsec 10.662 s 164.752 ms (1.6%)
Total iast 10.863 s 365.877 ms (3.5%)
Total profiling 10.882 s 384.779 ms (3.7%)
[Gantt chart: petclinic - break down per module: candidate=1.50.0-SNAPSHOT~51ee6416d1, baseline=1.50.0-SNAPSHOT~a33e422137; sections: tracing, appsec, iast, profiling]
Startup time reports for insecure-bank
[Gantt chart: insecure-bank - global startup overhead: candidate=1.50.0-SNAPSHOT~51ee6416d1, baseline=1.50.0-SNAPSHOT~a33e422137; sections: tracing, iast, iast_HARDCODED_SECRET_DISABLED, iast_TELEMETRY_OFF]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.026 s -
Agent iast 1.147 s 121.008 ms (11.8%)
Agent iast_HARDCODED_SECRET_DISABLED 1.157 s 131.296 ms (12.8%)
Agent iast_TELEMETRY_OFF 1.143 s 117.721 ms (11.5%)
Total tracing 8.666 s -
Total iast 9.259 s 592.674 ms (6.8%)
Total iast_HARDCODED_SECRET_DISABLED 9.231 s 565.339 ms (6.5%)
Total iast_TELEMETRY_OFF 9.246 s 579.851 ms (6.7%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.018 s -
Agent iast 1.15 s 132.002 ms (13.0%)
Agent iast_HARDCODED_SECRET_DISABLED 1.148 s 130.655 ms (12.8%)
Agent iast_TELEMETRY_OFF 1.141 s 123.363 ms (12.1%)
Total tracing 8.651 s -
Total iast 9.256 s 604.763 ms (7.0%)
Total iast_HARDCODED_SECRET_DISABLED 9.205 s 553.944 ms (6.4%)
Total iast_TELEMETRY_OFF 9.216 s 565.052 ms (6.5%)
[Gantt chart: insecure-bank - break down per module: candidate=1.50.0-SNAPSHOT~51ee6416d1, baseline=1.50.0-SNAPSHOT~a33e422137; sections: tracing, iast, iast_HARDCODED_SECRET_DISABLED, iast_TELEMETRY_OFF]

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2025-05-19T07:00:34 2025-05-19T07:08:23
git_branch master alejandro.gonzalez/fix-input-truncated-metrics
git_commit_date 1747423490 1747637253
git_commit_sha a33e422 51ee641
release_version 1.50.0-SNAPSHOT~a33e422137 1.50.0-SNAPSHOT~51ee6416d1
start_time 2025-05-19T07:00:20 2025-05-19T07:08:08
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1747638903 1747638903
ci_job_id 943168182 943168182
ci_pipeline_id 65438697 65438697
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-cqkgyxyy-project-304-concurrent-0-fq2r6qh2 6.8.0-1028-aws #30~22.04.1-Ubuntu SMP Sun Apr 20 06:03:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-cqkgyxyy-project-304-concurrent-0-fq2r6qh2 6.8.0-1028-aws #30~22.04.1-Ubuntu SMP Sun Apr 20 06:03:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 18 unstable metrics.

Request duration reports for petclinic
[Gantt chart: petclinic - request duration [CI 0.99] : candidate=1.50.0-SNAPSHOT~51ee6416d1, baseline=1.50.0-SNAPSHOT~a33e422137; sections: baseline, candidate]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.394 ms [1.374 ms, 1.414 ms] -
appsec 1.746 ms [1.723 ms, 1.769 ms] 352.249 µs (25.3%)
appsec_no_iast 1.743 ms [1.72 ms, 1.767 ms] 349.507 µs (25.1%)
code_origins 1.675 ms [1.648 ms, 1.702 ms] 280.967 µs (20.2%)
iast 1.537 ms [1.512 ms, 1.561 ms] 142.783 µs (10.2%)
profiling 1.562 ms [1.538 ms, 1.587 ms] 168.357 µs (12.1%)
tracing 1.514 ms [1.489 ms, 1.538 ms] 119.543 µs (8.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.381 ms [1.361 ms, 1.401 ms] -
appsec 1.748 ms [1.724 ms, 1.771 ms] 366.549 µs (26.5%)
appsec_no_iast 1.737 ms [1.714 ms, 1.76 ms] 355.618 µs (25.7%)
code_origins 1.69 ms [1.663 ms, 1.717 ms] 308.718 µs (22.4%)
iast 1.532 ms [1.508 ms, 1.557 ms] 151.342 µs (11.0%)
profiling 1.538 ms [1.514 ms, 1.561 ms] 156.586 µs (11.3%)
tracing 1.492 ms [1.467 ms, 1.517 ms] 110.528 µs (8.0%)
Request duration reports for insecure-bank
[Gantt chart: insecure-bank - request duration [CI 0.99] : candidate=1.50.0-SNAPSHOT~51ee6416d1, baseline=1.50.0-SNAPSHOT~a33e422137; sections: baseline, candidate]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 388.067 µs [367.779 µs, 408.355 µs] -
iast 522.558 µs [500.837 µs, 544.279 µs] 134.491 µs (34.7%)
iast_FULL 741.631 µs [718.304 µs, 764.958 µs] 353.564 µs (91.1%)
iast_GLOBAL 580.745 µs [558.359 µs, 603.132 µs] 192.678 µs (49.7%)
iast_HARDCODED_SECRET_DISABLED 534.023 µs [511.249 µs, 556.796 µs] 145.955 µs (37.6%)
iast_INACTIVE 475.084 µs [452.831 µs, 497.337 µs] 87.017 µs (22.4%)
iast_TELEMETRY_OFF 508.37 µs [485.479 µs, 531.261 µs] 120.303 µs (31.0%)
tracing 466.724 µs [444.567 µs, 488.882 µs] 78.657 µs (20.3%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 404.12 µs [381.901 µs, 426.339 µs] -
iast 534.093 µs [512.034 µs, 556.152 µs] 129.974 µs (32.2%)
iast_FULL 740.092 µs [718.021 µs, 762.163 µs] 335.972 µs (83.1%)
iast_GLOBAL 570.464 µs [548.334 µs, 592.594 µs] 166.344 µs (41.2%)
iast_HARDCODED_SECRET_DISABLED 530.981 µs [508.087 µs, 553.875 µs] 126.862 µs (31.4%)
iast_INACTIVE 471.829 µs [449.104 µs, 494.553 µs] 67.709 µs (16.8%)
iast_TELEMETRY_OFF 521.965 µs [498.739 µs, 545.19 µs] 117.845 µs (29.2%)
tracing 465.154 µs [443.272 µs, 487.036 µs] 61.035 µs (15.1%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/fix-input-truncated-metrics
git_commit_date 1747423490 1747637253
git_commit_sha a33e422 51ee641
release_version 1.50.0-SNAPSHOT~a33e422137 1.50.0-SNAPSHOT~51ee6416d1
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1747639384 1747639384
ci_job_id 943168183 943168183
ci_pipeline_id 65438697 65438697
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-px6-mzwm-project-304-concurrent-0-04onmlix 6.8.0-1028-aws #30~22.04.1-Ubuntu SMP Sun Apr 20 06:03:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-px6-mzwm-project-304-concurrent-0-04onmlix 6.8.0-1028-aws #30~22.04.1-Ubuntu SMP Sun Apr 20 06:03:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava
[Gantt chart: biojava - execution time [CI 0.99] : candidate=1.50.0-SNAPSHOT~51ee6416d1, baseline=1.50.0-SNAPSHOT~a33e422137; sections: baseline, candidate]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.629 s [14.629 s, 14.629 s] -
appsec 15.081 s [15.081 s, 15.081 s] 452.0 ms (3.1%)
iast 18.492 s [18.492 s, 18.492 s] 3.863 s (26.4%)
iast_GLOBAL 18.089 s [18.089 s, 18.089 s] 3.46 s (23.7%)
profiling 14.895 s [14.895 s, 14.895 s] 266.0 ms (1.8%)
tracing 14.866 s [14.866 s, 14.866 s] 237.0 ms (1.6%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.189 s [15.189 s, 15.189 s] -
appsec 14.756 s [14.756 s, 14.756 s] -433.0 ms (-2.9%)
iast 18.644 s [18.644 s, 18.644 s] 3.455 s (22.7%)
iast_GLOBAL 18.326 s [18.326 s, 18.326 s] 3.137 s (20.7%)
profiling 15.133 s [15.133 s, 15.133 s] -56.0 ms (-0.4%)
tracing 14.995 s [14.995 s, 14.995 s] -194.0 ms (-1.3%)
Execution time for tomcat
[Gantt chart: tomcat - execution time [CI 0.99] : candidate=1.50.0-SNAPSHOT~51ee6416d1, baseline=1.50.0-SNAPSHOT~a33e422137; sections: baseline, candidate]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.481 ms [1.469 ms, 1.492 ms] -
appsec 2.417 ms [2.368 ms, 2.467 ms] 936.643 µs (63.3%)
iast 2.201 ms [2.138 ms, 2.263 ms] 720.112 µs (48.6%)
iast_GLOBAL 2.248 ms [2.186 ms, 2.311 ms] 767.698 µs (51.8%)
profiling 2.046 ms [1.996 ms, 2.096 ms] 565.548 µs (38.2%)
tracing 2.015 ms [1.967 ms, 2.064 ms] 534.694 µs (36.1%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.482 ms [1.471 ms, 1.494 ms] -
appsec 2.426 ms [2.376 ms, 2.476 ms] 943.784 µs (63.7%)
iast 2.195 ms [2.133 ms, 2.257 ms] 712.735 µs (48.1%)
iast_GLOBAL 2.245 ms [2.182 ms, 2.308 ms] 762.879 µs (51.5%)
profiling 2.527 ms [2.344 ms, 2.709 ms] 1.044 ms (70.5%)
tracing 2.035 ms [1.987 ms, 2.083 ms] 552.837 µs (37.3%)

@jandro996 jandro996 marked this pull request as ready for review May 19, 2025 08:26
@jandro996 jandro996 requested a review from a team as a code owner May 19, 2025 08:26
@smola smola removed the comp: telemetry Telemetry label May 19, 2025
@jandro996 jandro996 changed the title from "Increment waf truncation metrics when the object is truncated in the tracer before send it to the WAF" to "Add String length truncation limit to ObjectIntrospector and update truncation metrics" May 19, 2025
@@ -16,6 +18,7 @@
public final class ObjectIntrospection {
private static final int MAX_DEPTH = 20;
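
Review bot: `MAX_DEPTH = 20` in the context lines of this hunk is a bare literal with no comment saying what it bounds or which WAF-side limit it mirrors. The description states that the new String limit is the same one applied in libddwaf, so each limit constant in `ObjectIntrospection` should carry a comment naming its libddwaf counterpart, or a test should assert that the two values match, so that a change on either side is noticed.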
For a separate PR, we should align these with WAF limits, see dd-java-agent/appsec/src/main/java/com/datadog/appsec/ddwaf/WAFModule.java

@jandro996 jandro996 merged commit 0f42e0a into master May 21, 2025
582 of 591 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/fix-input-truncated-metrics branch May 21, 2025 06:22
@github-actions github-actions bot added this to the 1.50.0 milestone May 21, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Jun 20, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.49.0` -> `1.50.0` |

---

### Release Notes

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.50.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.50.0): 1.50.0

### Deprecation Notice

> \[!NOTE]
> `DD_RUNTIME_ID_ENABLED` has been deprecated and will be removed in future releases. Please use `DD_RUNTIME_METRICS_RUNTIME_ID_ENABLED` instead.

### Components

#### Application Security Management (WAF)

- 🐛 Add String length truncation limit to ObjectIntrospector and update truncation metrics ([#8825](DataDog/dd-trace-java#8825) - [@jandro996](https://github.com/jandro996))
- 🐛 Adapt standalone ASM to support API Security ([#8804](DataDog/dd-trace-java#8804) - [@jandro996](https://github.com/jandro996))
- ✨ Add appsec.waf.input\_truncated metric ([#8791](DataDog/dd-trace-java#8791) - [@jandro996](https://github.com/jandro996))
- ✨ Extended appsec request body collection ([#8748](DataDog/dd-trace-java#8748) - [@jandro996](https://github.com/jandro996))
- ✨ Extended appsec request/response headers collection ([#8724](DataDog/dd-trace-java#8724) - [@jandro996](https://github.com/jandro996))

#### Build & Tooling

- ✨ Add artifacts to public s3 bucket ([#8947](DataDog/dd-trace-java#8947) - [@randomanderson](https://github.com/randomanderson))

#### Continuous Integration Visibility

- ✨ Improve PR information building ([#8908](DataDog/dd-trace-java#8908) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Truncate span stack traces when Test Optimization is enabled ([#8903](DataDog/dd-trace-java#8903) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Ensure auto-detected service name is the same for every process in the same build ([#8902](DataDog/dd-trace-java#8902) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Use tag as fallback in api requests if no branch is available ([#8876](DataDog/dd-trace-java#8876) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Add support for JUnit 5.13-RC1 ([#8865](DataDog/dd-trace-java#8865), [#8871](DataDog/dd-trace-java#8871) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement attempt to fix v3 and v4 and bump capability version ([#8824](DataDog/dd-trace-java#8824) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- 🧹 Align retry logic for all test framework instrumentations ([#8803](DataDog/dd-trace-java#8803) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- 🐛 Always build ci workspace without trailing separator ([#8788](DataDog/dd-trace-java#8788) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Add commit discrepancies telemetry when building repository git information ([#8763](DataDog/dd-trace-java#8763) - [@daniel-mohedano](https://github.com/daniel-mohedano))

#### Data Streams Monitoring

- 💡 Surface process tags in dsm payloads and use them for base hash calculation ([#8836](DataDog/dd-trace-java#8836) - [@amarziali](https://github.com/amarziali))

#### Dynamic Instrumentation

- ✨ Optimized allocations for collection filter functions ([#8896](DataDog/dd-trace-java#8896) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Fix SymDB upload size check ([#8887](DataDog/dd-trace-java#8887) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Add support for Set in filter function ([#8873](DataDog/dd-trace-java#8873) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Add support for isDefined in log template ([#8859](DataDog/dd-trace-java#8859) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Fix Max captured frames for Exception Replay ([#8856](DataDog/dd-trace-java#8856) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Remove static inherited fields collection ([#8832](DataDog/dd-trace-java#8832) - [@jpbempel](https://github.com/jpbempel))
- 💡 Add process tags to dynamic instrumentation intake payload ([#8779](DataDog/dd-trace-java#8779) - [@amarziali](https://github.com/amarziali))

#### GraalVM native-image

- ✨ Add support for GraalVM Native GC metrics ([#8913](DataDog/dd-trace-java#8913) - [@ygree](https://github.com/ygree))
- ✨ Add JMXFetch support for GraalVM Native ([#8569](DataDog/dd-trace-java#8569) - [@ygree](https://github.com/ygree))

#### JMX fetch

- ✨ Add support for GraalVM Native GC metrics ([#8913](DataDog/dd-trace-java#8913) - [@ygree](https://github.com/ygree))

#### Library Injection

- ✨ Deny oracle db jvm based tools ([#8909](DataDog/dd-trace-java#8909) - [@bric3](https://github.com/bric3))

#### OpenTracing

- 🐛 Fix OT packaging for exception replay ([#8912](DataDog/dd-trace-java#8912) - [@jpbempel](https://github.com/jpbempel))

#### Profiling

- ✨ Bump ddprof to 1.27.0 ([#8893](DataDog/dd-trace-java#8893) - [@jbachorik](https://github.com/jbachorik))
  - Properly handle the adaptive sampling interval overflow by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#213
  - Fix [#200](DataDog/dd-trace-java#200) Crash related to aligned\_alloc and free in context by [@yanglong1010](https://github.com/yanglong1010) in DataDog/java-profiler#208
  - Explicitly initialize empty context page by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#210
  - Re-connect crash recursion protection with VM stackwalker by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#214
- ✨ Enable ZSTD compression for profiling ([#8862](DataDog/dd-trace-java#8862) - [@MattAlp](https://github.com/MattAlp))
- ✨ Extend JPS re-implementation to J9 family ([#8813](DataDog/dd-trace-java#8813) - [@MattAlp](https://github.com/MattAlp))
- 💡 Collect process tags for profiling upload requests ([#8780](DataDog/dd-trace-java#8780) - [@amarziali](https://github.com/amarziali))

#### Telemetry

- 💡 Surface process tags on telemetry payloads ([#8837](DataDog/dd-trace-java#8837) - [@amarziali](https://github.com/amarziali))

#### Trace context propagation

- ✨ Migrating all HttpClient Instrumentations to Inject Full Context ([#8826](DataDog/dd-trace-java#8826) - [@mhlidd](https://github.com/mhlidd))
- ✨ Migrating all HttpServer Instrumentations to Extract full Context ([#8820](DataDog/dd-trace-java#8820) - [@mhlidd](https://github.com/mhlidd))
- ✨ Add context API support OTel propagators ([#8770](DataDog/dd-trace-java#8770) - [@PerfectSlayer](https://github.com/PerfectSlayer))

#### Tracer core

- ✨⚡ Skip JAXB generated classes classloader ([#9003](DataDog/dd-trace-java#9003) - [@bric3](https://github.com/bric3))
- ✨ Add DD\_RUNTIME\_METRICS\_RUNTIME\_ID\_ENABLED alias for runtime id generation ([#8981](DataDog/dd-trace-java#8981) - [@amarziali](https://github.com/amarziali))
- 🐛 Use resolved address for peer.hostname when available without hitting the cache ([#8915](DataDog/dd-trace-java#8915) - [@amarziali](https://github.com/amarziali))
- 💡 Surface server name process tag for tomcat ([#8894](DataDog/dd-trace-java#8894) - [@amarziali](https://github.com/amarziali))
- 💡 Surface websphere cell and server name on process tags ([#8880](DataDog/dd-trace-java#8880) - [@amarziali](https://github.com/amarziali))
- ✨ Added special lightweight pre-main class that skips installation on incompatible JVMs. ([#8855](DataDog/dd-trace-java#8855) - [@AlexeyKuznetsov-DD](https://github.com/AlexeyKuznetsov-DD))
- 💡 Add entrypoint type to process tags ([#8839](DataDog/dd-trace-java#8839) - [@amarziali](https://github.com/amarziali))
- ✨ Extend JPS re-implementation to J9 family ([#8813](DataDog/dd-trace-java#8813) - [@MattAlp](https://github.com/MattAlp))
- ✨ Notify listeners when the scope top changes after switching scope stacks ([#8797](DataDog/dd-trace-java#8797) - [@mcculls](https://github.com/mcculls))
- ✨ Read hsperfdata for Java PIDs if jvmstat is unavailable ([#8792](DataDog/dd-trace-java#8792) - [@MattAlp](https://github.com/MattAlp))
- 🐛 Turn JDK socket support on by default ([#8752](DataDog/dd-trace-java#8752) - [@sarahchen6](https://github.com/sarahchen6))
- ✨ Simplify context propagation ([#8719](DataDog/dd-trace-java#8719) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Add JSON parsing support ([#8579](DataDog/dd-trace-java#8579) - [@PerfectSlayer](https://github.com/PerfectSlayer))

#### Tracer internal logging

- ✨ Fix printing format of span identifiers ([#8897](DataDog/dd-trace-java#8897) - [@vandonr](https://github.com/vandonr))

#### Tracer public API

- 💡 Track the source of installation ([#8956](DataDog/dd-trace-java#8956) - [@mabdinur](https://github.com/mabdinur))
- ✨ Enforce size limit on application\_monitoring.yaml files ([#8789](DataDog/dd-trace-java#8789) - [@mtoffl01](https://github.com/mtoffl01))
- ✨ Enabling baggage cache to support limits and non-ascii characters ([#8713](DataDog/dd-trace-java#8713) - [@mhlidd](https://github.com/mhlidd))

### Instrumentations

#### AWS Lambda instrumentation

- ✨ Pass Lambda Request ID to Extension
([#&#8203;8814](DataDog/dd-trace-java#8814) -
[@&#8203;nhulston](https://github.com/nhulston))

#### Core Java language instrumentation

- ✨ Ensure ClassloadingInstrumentation is always applied even
with `DD_TRACE_ENABLED=false`
([#&#8203;8863](DataDog/dd-trace-java#8863) -
[@&#8203;mcculls](https://github.com/mcculls))

#### Eclipse Vert.x instrumentation

- 🐛 Do not override route with / in vertx instrumentation
([#&#8203;8881](DataDog/dd-trace-java#8881) -
[@&#8203;vandonr](https://github.com/vandonr))

#### IBM Liberty

- 🐛 Fix error mark on http status for IBM liberty
([#&#8203;8822](DataDog/dd-trace-java#8822) -
[@&#8203;amarziali](https://github.com/amarziali))

#### JDBC instrumentation

- 🐛 Do not prepend DBM <> APM trace comment in SQLCommenter if there
is a pg plan hint
([#&#8203;8864](DataDog/dd-trace-java#8864) -
[@&#8203;edengorevoy](https://github.com/edengorevoy))

#### JMS instrumentation

- ✨ Add jms as an extra integration name where there is JMS
involved
([#&#8203;8933](DataDog/dd-trace-java#8933) -
[@&#8203;vandonr](https://github.com/vandonr))

#### Kotlin instrumentation

- ✨ Enable kotlin\_coroutine integration by default
([#&#8203;8848](DataDog/dd-trace-java#8848) -
[@&#8203;mcculls](https://github.com/mcculls))
- 🧹 Rework Kotlin coroutines instrumentation around coroutine
context
([#&#8203;8774](DataDog/dd-trace-java#8774) -
[@&#8203;mcculls](https://github.com/mcculls))

#### OpenTelemetry instrumentation

- 🐛 Support WithSpan inheritContext attribute
([#&#8203;8858](DataDog/dd-trace-java#8858) -
[@&#8203;amarziali](https://github.com/amarziali))
- ✨ Add context API support OTel propagators
([#&#8203;8770](DataDog/dd-trace-java#8770) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))

#### Play Framework instrumentation

- 🐛 Fix the Play Framework's span resource name priority so that the
client JAX-RS 404 cannot override it
([#&#8203;8591](DataDog/dd-trace-java#8591) -
[@&#8203;ygree](https://github.com/ygree))

#### Quarkus Instrumentation

- 🐛 Ignore quarkus jaxrs stubs and cdi wrapper proxies
([#&#8203;8891](DataDog/dd-trace-java#8891) -
[@&#8203;amarziali](https://github.com/amarziali))

#### ServiceTalk

- ✨ Improve ServiceTalk Captured Context API Instrumentation
for v0.42.56+
([#&#8203;8821](DataDog/dd-trace-java#8821) -
[@&#8203;ygree](https://github.com/ygree))

#### Spring instrumentation

- ✨ Supporting Baggage for Instrumentations used in Weblog
Tests
([#&#8203;8773](DataDog/dd-trace-java#8773) -
[@&#8203;mhlidd](https://github.com/mhlidd))

#### WebSocket Instrumentation

- 💡 Trace websocket for spring webflux reactive handlers
([#&#8203;8831](DataDog/dd-trace-java#8831) -
[@&#8203;amarziali](https://github.com/amarziali))
- 💡🧪 WebSocket support for Netty
([#&#8203;8632](DataDog/dd-trace-java#8632) -
[@&#8203;ValentinZakharov](https://github.com/ValentinZakharov))

#### Zio Instrumentation

- 🧹 Cleanup Zio fiber instrumentation to avoid repeated activation
of continuation
([#&#8203;8798](DataDog/dd-trace-java#8798) -
[@&#8203;mcculls](https://github.com/mcculls))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: 9207366cdb6a1bd098082305d354a0a3c4622d7a