Store the http.route tag value inside the appsec request context in Play #8991


Open

wants to merge 2 commits into base: malvarez/vertx-http-route from malvarez/http-route-play
Conversation

@manuel-alvarez-alvarez (Member) commented Jun 16, 2025

What Does This Do

Store the http.route tag value inside the appsec request context in Play framework instrumentation

Motivation

AppSec API protection requires the http.route span tag to be set on the local root span so it can be used for its sampling decision. Since Play does not use the local root span for the http.route, we have to store it in the appsec request context before the sampling decision is made.

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-56869
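As an added illustration of the ordering problem the motivation describes (not code from dd-trace-java or from the PR): the framework instrumentation tags http.route on Play's own span, the API security sampler keys on the local root span, and so the sampler sees no route unless the value is also captured in the per-request AppSec context. The Span, AppSecRequestContext and ApiSecuritySampler classes below, the span names, the sampling interval and the sample route are all assumptions made for this sketch.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration, not dd-trace-java code. The classes below are simplified
 * stand-ins whose names and behaviour are assumptions for this example.
 */
public class RouteContextExample {

  /** Minimal span: a name plus a tag map. */
  static final class Span {
    final String name;
    private final Map<String, String> tags = new HashMap<>();

    Span(String name) {
      this.name = name;
    }

    void setTag(String key, String value) {
      tags.put(key, value);
    }

    String getTag(String key) {
      return tags.get(key);
    }
  }

  /** Per-request AppSec state. Keeping the route here makes it independent of
   *  which span the framework instrumentation happened to tag. */
  static final class AppSecRequestContext {
    private String route;

    void setRoute(String route) {
      this.route = route;
    }

    String getRoute() {
      return route;
    }
  }

  /** Endpoint-level sampler (assumed behaviour): at most one sample per
   *  (method, route, status) key per interval. Without a route there is no
   *  endpoint identity, so the request is not considered at all. */
  static final class ApiSecuritySampler {
    private final Map<String, Long> lastSampledAt = new HashMap<>();
    private final long intervalMillis;

    ApiSecuritySampler(long intervalMillis) {
      this.intervalMillis = intervalMillis;
    }

    boolean sample(String method, String route, int status, long nowMillis) {
      if (route == null) {
        return false;
      }
      String key = method + ' ' + route + ' ' + status;
      Long last = lastSampledAt.get(key);
      if (last != null && nowMillis - last < intervalMillis) {
        return false;
      }
      lastSampledAt.put(key, nowMillis);
      return true;
    }
  }

  /** Route resolution after the change: prefer the value captured in the request
   *  context, fall back to the http.route tag on the local root span. */
  static String routeForSampling(Span localRoot, AppSecRequestContext ctx) {
    String fromContext = ctx.getRoute();
    return fromContext != null ? fromContext : localRoot.getTag("http.route");
  }

  public static void main(String[] args) {
    ApiSecuritySampler sampler = new ApiSecuritySampler(30_000L);
    // Span names are placeholders; the point is that Play tags its own span, not the local root.
    Span localRoot = new Span("server.request");
    Span playSpan = new Span("play.request");
    AppSecRequestContext ctx = new AppSecRequestContext();

    // Constructed sample route, as the framework instrumentation would set it.
    playSpan.setTag("http.route", "/users/$id<[^/]+>");

    // Before the change: only the local root is consulted, and it carries no route.
    String routeFromRoot = localRoot.getTag("http.route");
    System.out.println("root span route=" + routeFromRoot
        + " sampled=" + sampler.sample("GET", routeFromRoot, 200, 1_000L));

    // After the change: the instrumentation copies the route into the request
    // context before the sampling decision is made.
    ctx.setRoute(playSpan.getTag("http.route"));
    String route = routeForSampling(localRoot, ctx);
    System.out.println("context route=" + route
        + " sampled=" + sampler.sample("GET", route, 200, 1_000L));

    // A second hit on the same endpoint inside the interval is not sampled again.
    System.out.println("same endpoint again sampled="
        + sampler.sample("GET", route, 200, 2_000L));
  }
}
```

The first decision prints `sampled=false` because the local root has no http.route; the second prints `sampled=true` once the route is read from the context, and the third prints `false` because the endpoint was already sampled within the interval. Note that with this design the route must be written into the context before the sampler runs, which is exactly the ordering constraint the PR description names.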

@manuel-alvarez-alvarez manuel-alvarez-alvarez marked this pull request as ready for review June 16, 2025 12:33
@manuel-alvarez-alvarez manuel-alvarez-alvarez requested review from a team as code owners June 16, 2025 12:33
@pr-commenter bot commented Jun 16, 2025

Benchmarks

Startup

Parameters

| | baseline | candidate |
|---|---|---|
| git_branch | master | malvarez/http-route-play |
| git_commit_date | 1750318132 | 1750322311 |
| git_commit_sha | 2f4c864 | 5ae3d48 |
| release_version | 1.50.0-SNAPSHOT~2f4c864fa4 | 1.50.0-SNAPSHOT~5ae3d4881d |

Matching parameters (identical for baseline and candidate):

| application | insecure-bank |
|---|---|
| ci_job_date | 1750324073 |
| ci_job_id | 989627998 |
| ci_pipeline_id | 68208654 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zazkytx-project-304-concurrent-0-wqkgfojc 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| module | Agent |
| parent | None |
| variant | iast |

Summary

Found 2 performance improvements and 1 performance regression. Performance is the same for 40 metrics, 10 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:startup:insecure-bank:tracing:Remote Config | better: [-99.593µs; -34.514µs] or [-13.355%; -4.628%] | 678.676µs | 745.729µs |
| scenario:startup:petclinic:profiling:AppSec | worse: [+3.220ms; +4.721ms] or [+5.237%; +7.679%] | 65.448ms | 61.478ms |
| scenario:startup:petclinic:tracing:Remote Config | better: [-82.542µs; -27.729µs] or [-11.039%; -3.708%] | 692.609µs | 747.745µs |
Startup time reports for petclinic

Global startup overhead (candidate=1.50.0-SNAPSHOT~5ae3d4881d, baseline=1.50.0-SNAPSHOT~2f4c864fa4), Δ measured against the tracing variant.

Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.032 s | - |
| Agent | appsec | 1.179 s | 146.268 ms (14.2%) |
| Agent | iast | 1.155 s | 122.156 ms (11.8%) |
| Agent | profiling | 1.267 s | 234.445 ms (22.7%) |
| Total | tracing | 10.613 s | - |
| Total | appsec | 10.754 s | 141.486 ms (1.3%) |
| Total | iast | 10.942 s | 328.862 ms (3.1%) |
| Total | profiling | 10.989 s | 376.561 ms (3.5%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.03 s | - |
| Agent | appsec | 1.182 s | 152.882 ms (14.8%) |
| Agent | iast | 1.156 s | 126.895 ms (12.3%) |
| Agent | profiling | 1.284 s | 254.899 ms (24.8%) |
| Total | tracing | 10.653 s | - |
| Total | appsec | 10.745 s | 92.324 ms (0.9%) |
| Total | iast | 10.848 s | 195.547 ms (1.8%) |
| Total | profiling | 11.029 s | 376.515 ms (3.5%) |
Break down per module for petclinic (candidate=1.50.0-SNAPSHOT~5ae3d4881d, baseline=1.50.0-SNAPSHOT~2f4c864fa4):

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 690.415 ms | 684.348 ms |
| tracing | GlobalTracer | 242.894 ms | 241.629 ms |
| tracing | AppSec | 58.791 ms | 60.771 ms |
| tracing | Debugger | 6.947 ms | 7.737 ms |
| tracing | Remote Config | 747.745 µs | 692.609 µs |
| tracing | Telemetry | 9.028 ms | 10.969 ms |
| appsec | BytebuddyAgent | 708.205 ms | 708.715 ms |
| appsec | GlobalTracer | 234.909 ms | 235.416 ms |
| appsec | AppSec | 176.455 ms | 179.366 ms |
| appsec | Debugger | 5.955 ms | 5.86 ms |
| appsec | Remote Config | 623.794 µs | 610.35 µs |
| appsec | Telemetry | 7.31 ms | 7.231 ms |
| appsec | IAST | 21.797 ms | 21.759 ms |
| iast | BytebuddyAgent | 805.542 ms | 804.781 ms |
| iast | GlobalTracer | 231.854 ms | 231.466 ms |
| iast | AppSec | 51.329 ms | 54.363 ms |
| iast | Debugger | 5.97 ms | 6.096 ms |
| iast | Remote Config | 600.016 µs | 594.393 µs |
| iast | Telemetry | 7.972 ms | 8.039 ms |
| iast | IAST | 27.81 ms | 26.942 ms |
| profiling | ProfilingAgent | 103.112 ms | 107.733 ms |
| profiling | BytebuddyAgent | 675.665 ms | 681.538 ms |
| profiling | GlobalTracer | 360.806 ms | 363.289 ms |
| profiling | AppSec | 61.478 ms | 65.448 ms |
| profiling | Debugger | 6.116 ms | 6.283 ms |
| profiling | Remote Config | 659.625 µs | 660.343 µs |
| profiling | Telemetry | 8.2 ms | 8.237 ms |
| profiling | Profiling | 103.135 ms | 107.758 ms |
Startup time reports for insecure-bank

Global startup overhead (candidate=1.50.0-SNAPSHOT~5ae3d4881d, baseline=1.50.0-SNAPSHOT~2f4c864fa4), Δ measured against the tracing variant.

Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.032 s | - |
| Agent | iast | 1.154 s | 122.576 ms (11.9%) |
| Total | tracing | 8.558 s | - |
| Total | iast | 9.234 s | 675.853 ms (7.9%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.038 s | - |
| Agent | iast | 1.163 s | 124.853 ms (12.0%) |
| Total | tracing | 8.585 s | - |
| Total | iast | 9.239 s | 654.119 ms (7.6%) |
Break down per module for insecure-bank (candidate=1.50.0-SNAPSHOT~5ae3d4881d, baseline=1.50.0-SNAPSHOT~2f4c864fa4):

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 689.267 ms | 690.087 ms |
| tracing | GlobalTracer | 242.713 ms | 243.511 ms |
| tracing | AppSec | 56.635 ms | 63.154 ms |
| tracing | Debugger | 7.58 ms | 6.194 ms |
| tracing | Remote Config | 745.729 µs | 678.676 µs |
| tracing | Telemetry | 11.352 ms | 10.817 ms |
| iast | BytebuddyAgent | 804.523 ms | 809.164 ms |
| iast | GlobalTracer | 232.375 ms | 232.205 ms |
| iast | AppSec | 50.767 ms | 56.849 ms |
| iast | Debugger | 6.001 ms | 6.125 ms |
| iast | Remote Config | 608.16 µs | 607.05 µs |
| iast | Telemetry | 8.046 ms | 8.031 ms |
| iast | IAST | 28.66 ms | 26.332 ms |

Load

Parameters

| | baseline | candidate |
|---|---|---|
| end_time | 2025-06-19T08:49:02 | 2025-06-19T08:53:32 |
| git_branch | master | malvarez/http-route-play |
| git_commit_date | 1750318132 | 1750322311 |
| git_commit_sha | 2f4c864 | 5ae3d48 |
| release_version | 1.50.0-SNAPSHOT~2f4c864fa4 | 1.50.0-SNAPSHOT~5ae3d4881d |
| start_time | 2025-06-19T08:48:42 | 2025-06-19T08:53:07 |

Matching parameters (identical for baseline and candidate):

| application | insecure-bank |
|---|---|
| ci_job_date | 1750323809 |
| ci_job_id | 989627999 |
| ci_pipeline_id | 68208654 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zazkytx-project-304-concurrent-1-h14v9a6g 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| thresholds_or_results | results |
| variant | iast_FULL |

Summary

Found 6 performance improvements and 1 performance regression. Performance is the same for 0 metrics, 11 unstable metrics.

| scenario | Δ mean http_req_duration | Δ mean throughput | candidate mean http_req_duration | candidate mean throughput | baseline mean http_req_duration | baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:insecure-bank:iast_FULL | worse: [+183.576µs; +235.232µs] or [+24.690%; +31.637%] | unstable: [-2214.479op/s; +16.677op/s] or [-38.753%; +0.292%] | 952.935µs | 4615.385op/s | 743.531µs | 5714.286op/s |
| scenario:load:petclinic:appsec | better: [-61.457ms; -59.977ms] or [-86.711%; -84.624%] | unstable: [+396.347op/s; +443.239op/s] or [+574.668%; +642.658%] | 10.158ms | 488.762op/s | 70.876ms | 68.970op/s |
| scenario:load:petclinic:code_origins | better: [-41.525ms; -38.904ms] or [-48.116%; -45.079%] | unstable: [+24.175op/s; +65.710op/s] or [+48.053%; +130.616%] | 46.088ms | 95.250op/s | 86.302ms | 50.308op/s |
| scenario:load:petclinic:iast | better: [-41.595ms; -39.593ms] or [-53.158%; -50.598%] | unstable: [+43.019op/s; +79.242op/s] or [+70.826%; +130.462%] | 37.655ms | 121.870op/s | 78.249ms | 60.739op/s |
| scenario:load:petclinic:no_agent | better: [-4.860ms; -4.688ms] or [-39.244%; -37.859%] | unstable: [+221.550op/s; +279.131op/s] or [+55.378%; +69.771%] | 7.610ms | 650.407op/s | 12.384ms | 400.066op/s |
| scenario:load:petclinic:profiling | better: [-53.890ms; -52.633ms] or [-87.641%; -85.597%] | unstable: [+509.699op/s; +537.042op/s] or [+652.345%; +687.340%] | 8.228ms | 601.504op/s | 61.489ms | 78.133op/s |
| scenario:load:petclinic:tracing | better: [-43.784ms; -42.613ms] or [-84.755%; -82.488%] | unstable: [+473.519op/s; +502.957op/s] or [+494.776%; +525.535%] | 8.461ms | 583.942op/s | 51.660ms | 95.704op/s |

Dacapo

@amarziali (Collaborator) left a comment

The change looks OK. However, this is a breaking change, since the route will change the resource and hence the RED metrics. Please do not forget to mention it in the release note. You can also leave a notice in the PR that, to disable this behaviour, the user can disable the route-based resource naming.

@amarziali amarziali added the tag: breaking change Breaking changes label Jun 17, 2025
@manuel-alvarez-alvarez manuel-alvarez-alvarez requested a review from a team as a code owner June 17, 2025 09:52
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the title Use the local root span for the http.route tag in Play Store the http.route tag value inside the appsec request context in Play Jun 17, 2025
@manuel-alvarez-alvarez (Member, Author) commented

> The change looks OK. However, this is a breaking change, since the route will change the resource and hence the RED metrics. Please do not forget to mention it in the release note. You can also leave a notice in the PR that, to disable this behaviour, the user can disable the route-based resource naming.

Thanks for the review @amarziali, I did update the PR so we don't break any customer. The change is not as clean as before, but it works fine for us. Thanks again!

@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/http-route-play branch 3 times, most recently from 956faea to 0078896 Compare June 17, 2025 13:45
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the base branch from master to malvarez/vertx-http-route June 17, 2025 13:45
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/http-route-play branch 2 times, most recently from a9e3f59 to ad782b6 Compare June 17, 2025 17:26
Labels

inst: play framework (Play Framework instrumentation), type: enhancement

2 participants