Contributor

@sezen-datadog sezen-datadog commented Jun 6, 2025

What Does This Do

Adds response body extraction for Spring JSON endpoints to enable automatic API schema discovery and protection by the Web Application Firewall (WAF).

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-57259

@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from f3bdd40 to 7c044fd Compare June 6, 2025 12:27
@pr-commenter

pr-commenter bot commented Jun 6, 2025

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master sezen.leblay/APPSEC-57259-extract-schema-spring
git_commit_date 1750931982 1750937736
git_commit_sha 0f9b46c 7df3be0
release_version 1.51.0-SNAPSHOT~0f9b46c752 1.51.0-SNAPSHOT~7df3be0728
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1750939473 1750939473
ci_job_id 999888410 999888410
ci_pipeline_id 68841316 68841316
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-keqzgwjt-project-304-concurrent-2-ln3489me 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-keqzgwjt-project-304-concurrent-2-ln3489me 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 46 metrics, 7 unstable metrics.

Startup time reports for petclinic
gantt
    title petclinic - global startup overhead: candidate=1.51.0-SNAPSHOT~7df3be0728, baseline=1.51.0-SNAPSHOT~0f9b46c752

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (995.662 ms) : 0, 995662
Total [baseline] (10.619 s) : 0, 10618747
Agent [candidate] (1.006 s) : 0, 1005788
Total [candidate] (10.618 s) : 0, 10617581
section appsec
Agent [baseline] (1.178 s) : 0, 1178264
Total [baseline] (10.696 s) : 0, 10695848
Agent [candidate] (1.175 s) : 0, 1174699
Total [candidate] (10.709 s) : 0, 10709361
section iast
Agent [baseline] (1.14 s) : 0, 1140154
Total [baseline] (10.857 s) : 0, 10856502
Agent [candidate] (1.13 s) : 0, 1130042
Total [candidate] (10.784 s) : 0, 10784431
section profiling
Agent [baseline] (1.243 s) : 0, 1242801
Total [baseline] (10.943 s) : 0, 10943341
Agent [candidate] (1.241 s) : 0, 1241064
Total [candidate] (10.949 s) : 0, 10948787
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 995.662 ms -
Agent appsec 1.178 s 182.602 ms (18.3%)
Agent iast 1.14 s 144.492 ms (14.5%)
Agent profiling 1.243 s 247.139 ms (24.8%)
Total tracing 10.619 s -
Total appsec 10.696 s 77.101 ms (0.7%)
Total iast 10.857 s 237.755 ms (2.2%)
Total profiling 10.943 s 324.595 ms (3.1%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.006 s -
Agent appsec 1.175 s 168.912 ms (16.8%)
Agent iast 1.13 s 124.254 ms (12.4%)
Agent profiling 1.241 s 235.276 ms (23.4%)
Total tracing 10.618 s -
Total appsec 10.709 s 91.78 ms (0.9%)
Total iast 10.784 s 166.85 ms (1.6%)
Total profiling 10.949 s 331.205 ms (3.1%)
gantt
    title petclinic - break down per module: candidate=1.51.0-SNAPSHOT~7df3be0728, baseline=1.51.0-SNAPSHOT~0f9b46c752

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (687.38 ms) : 0, 687380
BytebuddyAgent [candidate] (694.212 ms) : 0, 694212
GlobalTracer [baseline] (242.394 ms) : 0, 242394
GlobalTracer [candidate] (244.773 ms) : 0, 244773
AppSec [baseline] (30.141 ms) : 0, 30141
AppSec [candidate] (30.747 ms) : 0, 30747
Debugger [baseline] (6.043 ms) : 0, 6043
Debugger [candidate] (6.089 ms) : 0, 6089
Remote Config [baseline] (670.599 µs) : 0, 671
Remote Config [candidate] (667.848 µs) : 0, 668
Telemetry [baseline] (8.221 ms) : 0, 8221
Telemetry [candidate] (8.29 ms) : 0, 8290
section appsec
BytebuddyAgent [baseline] (714.33 ms) : 0, 714330
BytebuddyAgent [candidate] (710.767 ms) : 0, 710767
GlobalTracer [baseline] (236.678 ms) : 0, 236678
GlobalTracer [candidate] (236.066 ms) : 0, 236066
IAST [baseline] (22.021 ms) : 0, 22021
IAST [candidate] (22.035 ms) : 0, 22035
AppSec [baseline] (169.857 ms) : 0, 169857
AppSec [candidate] (170.43 ms) : 0, 170430
Debugger [baseline] (5.804 ms) : 0, 5804
Debugger [candidate] (5.822 ms) : 0, 5822
Remote Config [baseline] (608.368 µs) : 0, 608
Remote Config [candidate] (605.92 µs) : 0, 606
Telemetry [baseline] (8.103 ms) : 0, 8103
Telemetry [candidate] (8.144 ms) : 0, 8144
section iast
BytebuddyAgent [baseline] (814.666 ms) : 0, 814666
BytebuddyAgent [candidate] (807.459 ms) : 0, 807459
GlobalTracer [baseline] (234.407 ms) : 0, 234407
GlobalTracer [candidate] (231.891 ms) : 0, 231891
IAST [baseline] (25.679 ms) : 0, 25679
IAST [candidate] (27.709 ms) : 0, 27709
AppSec [baseline] (29.46 ms) : 0, 29460
AppSec [candidate] (27.815 ms) : 0, 27815
Debugger [baseline] (5.757 ms) : 0, 5757
Debugger [candidate] (5.858 ms) : 0, 5858
Remote Config [baseline] (578.935 µs) : 0, 579
Remote Config [candidate] (583.253 µs) : 0, 583
Telemetry [baseline] (7.951 ms) : 0, 7951
Telemetry [candidate] (7.984 ms) : 0, 7984
section profiling
BytebuddyAgent [baseline] (677.417 ms) : 0, 677417
BytebuddyAgent [candidate] (677.253 ms) : 0, 677253
GlobalTracer [baseline] (360.942 ms) : 0, 360942
GlobalTracer [candidate] (359.905 ms) : 0, 359905
AppSec [baseline] (31.662 ms) : 0, 31662
AppSec [candidate] (32.193 ms) : 0, 32193
Debugger [baseline] (11.816 ms) : 0, 11816
Debugger [candidate] (11.335 ms) : 0, 11335
Remote Config [baseline] (671.387 µs) : 0, 671
Remote Config [candidate] (666.139 µs) : 0, 666
Telemetry [baseline] (8.859 ms) : 0, 8859
Telemetry [candidate] (8.7 ms) : 0, 8700
ProfilingAgent [baseline] (102.947 ms) : 0, 102947
ProfilingAgent [candidate] (102.646 ms) : 0, 102646
Profiling [baseline] (102.973 ms) : 0, 102973
Profiling [candidate] (102.671 ms) : 0, 102671
Startup time reports for insecure-bank
gantt
    title insecure-bank - global startup overhead: candidate=1.51.0-SNAPSHOT~7df3be0728, baseline=1.51.0-SNAPSHOT~0f9b46c752

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (995.941 ms) : 0, 995941
Total [baseline] (8.515 s) : 0, 8515288
Agent [candidate] (1.005 s) : 0, 1004845
Total [candidate] (8.565 s) : 0, 8564655
section iast
Agent [baseline] (1.138 s) : 0, 1138374
Total [baseline] (9.257 s) : 0, 9257321
Agent [candidate] (1.128 s) : 0, 1128326
Total [candidate] (9.225 s) : 0, 9224812
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 995.941 ms -
Agent iast 1.138 s 142.433 ms (14.3%)
Total tracing 8.515 s -
Total iast 9.257 s 742.033 ms (8.7%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.005 s -
Agent iast 1.128 s 123.481 ms (12.3%)
Total tracing 8.565 s -
Total iast 9.225 s 660.157 ms (7.7%)
gantt
    title insecure-bank - break down per module: candidate=1.51.0-SNAPSHOT~7df3be0728, baseline=1.51.0-SNAPSHOT~0f9b46c752

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (687.518 ms) : 0, 687518
BytebuddyAgent [candidate] (695.44 ms) : 0, 695440
GlobalTracer [baseline] (242.387 ms) : 0, 242387
GlobalTracer [candidate] (242.99 ms) : 0, 242990
AppSec [baseline] (30.285 ms) : 0, 30285
AppSec [candidate] (30.549 ms) : 0, 30549
Debugger [baseline] (6.05 ms) : 0, 6050
Debugger [candidate] (6.011 ms) : 0, 6011
Remote Config [baseline] (670.394 µs) : 0, 670
Remote Config [candidate] (664.81 µs) : 0, 665
Telemetry [baseline] (8.196 ms) : 0, 8196
Telemetry [candidate] (8.222 ms) : 0, 8222
section iast
BytebuddyAgent [baseline] (814.54 ms) : 0, 814540
BytebuddyAgent [candidate] (805.549 ms) : 0, 805549
GlobalTracer [baseline] (233.228 ms) : 0, 233228
GlobalTracer [candidate] (232.615 ms) : 0, 232615
IAST [baseline] (27.907 ms) : 0, 27907
IAST [candidate] (28.472 ms) : 0, 28472
AppSec [baseline] (27.538 ms) : 0, 27538
AppSec [candidate] (26.643 ms) : 0, 26643
Debugger [baseline] (5.816 ms) : 0, 5816
Debugger [candidate] (5.792 ms) : 0, 5792
Remote Config [baseline] (579.265 µs) : 0, 579
Remote Config [candidate] (583.482 µs) : 0, 583
Telemetry [baseline] (7.921 ms) : 0, 7921
Telemetry [candidate] (7.979 ms) : 0, 7979

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master sezen.leblay/APPSEC-57259-extract-schema-spring
git_commit_date 1750931982 1750937736
git_commit_sha 0f9b46c 7df3be0
release_version 1.51.0-SNAPSHOT~0f9b46c752 1.51.0-SNAPSHOT~7df3be0728
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1750939229 1750939229
ci_job_id 999888411 999888411
ci_pipeline_id 68841316 68841316
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-a1vxyzsw-project-304-concurrent-1-b3er8tke 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-a1vxyzsw-project-304-concurrent-1-b3er8tke 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 4 performance regressions! Performance is the same for 6 metrics, 12 unstable metrics.

| scenario | Δ mean http_req_duration | Δ mean throughput | candidate mean http_req_duration | candidate mean throughput | baseline mean http_req_duration | baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:insecure-bank:profiling:high_load | better [-725.685µs; -420.696µs] or [-7.965%; -4.617%] | unstable [-32.359op/s; +99.859op/s] or [-6.353%; +19.605%] | 8.538ms | 543.094op/s | 9.111ms | 509.344op/s |
| scenario:load:petclinic:no_agent:high_load | worse [+1.627ms; +2.263ms] or [+4.518%; +6.287%] | unstable [-16.993op/s; +0.430op/s] or [-12.922%; +0.327%] | 37.943ms | 123.225op/s | 35.999ms | 131.506op/s |
| scenario:load:petclinic:iast:high_load | worse [+0.898ms; +1.738ms] or [+2.042%; +3.955%] | unstable [-10.982op/s; +4.807op/s] or [-10.314%; +4.515%] | 45.272ms | 103.388op/s | 43.955ms | 106.475op/s |
| scenario:load:petclinic:tracing:high_load | worse [+1.819ms; +2.629ms] or [+4.222%; +6.103%] | unstable [-13.331op/s; +2.681op/s] or [-12.269%; +2.467%] | 45.302ms | 103.325op/s | 43.078ms | 108.650op/s |
| scenario:load:petclinic:profiling:high_load | worse [+1.334ms; +2.277ms] or [+2.852%; +4.867%] | unstable [-11.370op/s; +4.020op/s] or [-11.367%; +4.019%] | 48.582ms | 96.350op/s | 46.777ms | 100.025op/s |
| scenario:load:petclinic:appsec:high_load | better [-2.950ms; -2.039ms] or [-5.987%; -4.139%] | unstable [-3.011op/s; +10.630op/s] or [-3.128%; +11.042%] | 46.770ms | 100.075op/s | 49.265ms | 96.266op/s |
Request duration reports for petclinic
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~7df3be0728, baseline=1.51.0-SNAPSHOT~0f9b46c752
    dateFormat X
    axisFormat %s
section baseline
no_agent (35.999 ms) : 35709, 36288
.   : milestone, 35999,
appsec (49.265 ms) : 48829, 49700
.   : milestone, 49265,
code_origins (44.304 ms) : 43939, 44670
.   : milestone, 44304,
iast (43.955 ms) : 43565, 44344
.   : milestone, 43955,
profiling (46.777 ms) : 46361, 47193
.   : milestone, 46777,
tracing (43.078 ms) : 42716, 43440
.   : milestone, 43078,
section candidate
no_agent (37.943 ms) : 37642, 38245
.   : milestone, 37943,
appsec (46.77 ms) : 46360, 47181
.   : milestone, 46770,
code_origins (45.556 ms) : 45169, 45942
.   : milestone, 45556,
iast (45.272 ms) : 44881, 45664
.   : milestone, 45272,
profiling (48.582 ms) : 48123, 49041
.   : milestone, 48582,
tracing (45.302 ms) : 44912, 45692
.   : milestone, 45302,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 35.999 ms [35.709 ms, 36.288 ms] -
appsec 49.265 ms [48.829 ms, 49.7 ms] 13.266 ms (36.9%)
code_origins 44.304 ms [43.939 ms, 44.67 ms] 8.306 ms (23.1%)
iast 43.955 ms [43.565 ms, 44.344 ms] 7.956 ms (22.1%)
profiling 46.777 ms [46.361 ms, 47.193 ms] 10.778 ms (29.9%)
tracing 43.078 ms [42.716 ms, 43.44 ms] 7.08 ms (19.7%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 37.943 ms [37.642 ms, 38.245 ms] -
appsec 46.77 ms [46.36 ms, 47.181 ms] 8.827 ms (23.3%)
code_origins 45.556 ms [45.169 ms, 45.942 ms] 7.612 ms (20.1%)
iast 45.272 ms [44.881 ms, 45.664 ms] 7.329 ms (19.3%)
profiling 48.582 ms [48.123 ms, 49.041 ms] 10.639 ms (28.0%)
tracing 45.302 ms [44.912 ms, 45.692 ms] 7.359 ms (19.4%)
Request duration reports for insecure-bank
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~7df3be0728, baseline=1.51.0-SNAPSHOT~0f9b46c752
    dateFormat X
    axisFormat %s
section baseline
no_agent (4.435 ms) : 4385, 4486
.   : milestone, 4435,
iast (9.376 ms) : 9209, 9542
.   : milestone, 9376,
iast_FULL (14.306 ms) : 14019, 14593
.   : milestone, 14306,
iast_GLOBAL (10.229 ms) : 10049, 10409
.   : milestone, 10229,
profiling (9.111 ms) : 8961, 9262
.   : milestone, 9111,
tracing (7.613 ms) : 7498, 7728
.   : milestone, 7613,
section candidate
no_agent (4.353 ms) : 4301, 4405
.   : milestone, 4353,
iast (9.178 ms) : 9021, 9334
.   : milestone, 9178,
iast_FULL (13.99 ms) : 13713, 14268
.   : milestone, 13990,
iast_GLOBAL (10.45 ms) : 10266, 10634
.   : milestone, 10450,
profiling (8.538 ms) : 8406, 8670
.   : milestone, 8538,
tracing (7.75 ms) : 7642, 7859
.   : milestone, 7750,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 4.435 ms [4.385 ms, 4.486 ms] -
iast 9.376 ms [9.209 ms, 9.542 ms] 4.94 ms (111.4%)
iast_FULL 14.306 ms [14.019 ms, 14.593 ms] 9.871 ms (222.5%)
iast_GLOBAL 10.229 ms [10.049 ms, 10.409 ms] 5.794 ms (130.6%)
profiling 9.111 ms [8.961 ms, 9.262 ms] 4.676 ms (105.4%)
tracing 7.613 ms [7.498 ms, 7.728 ms] 3.177 ms (71.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 4.353 ms [4.301 ms, 4.405 ms] -
iast 9.178 ms [9.021 ms, 9.334 ms] 4.825 ms (110.8%)
iast_FULL 13.99 ms [13.713 ms, 14.268 ms] 9.638 ms (221.4%)
iast_GLOBAL 10.45 ms [10.266 ms, 10.634 ms] 6.097 ms (140.1%)
profiling 8.538 ms [8.406 ms, 8.67 ms] 4.186 ms (96.2%)
tracing 7.75 ms [7.642 ms, 7.859 ms] 3.398 ms (78.1%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master sezen.leblay/APPSEC-57259-extract-schema-spring
git_commit_date 1750931982 1750937736
git_commit_sha 0f9b46c 7df3be0
release_version 1.51.0-SNAPSHOT~0f9b46c752 1.51.0-SNAPSHOT~7df3be0728
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1750939741 1750939741
ci_job_id 999888412 999888412
ci_pipeline_id 68841316 68841316
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-keqzgwjt-project-304-concurrent-3-vunfmi8v 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-keqzgwjt-project-304-concurrent-3-vunfmi8v 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~7df3be0728, baseline=1.51.0-SNAPSHOT~0f9b46c752
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.481 ms) : 1470, 1493
.   : milestone, 1481,
appsec (2.394 ms) : 2346, 2442
.   : milestone, 2394,
iast (2.185 ms) : 2124, 2246
.   : milestone, 2185,
iast_GLOBAL (2.226 ms) : 2165, 2287
.   : milestone, 2226,
profiling (2.043 ms) : 1993, 2093
.   : milestone, 2043,
tracing (2.011 ms) : 1963, 2058
.   : milestone, 2011,
section candidate
no_agent (1.486 ms) : 1474, 1498
.   : milestone, 1486,
appsec (2.39 ms) : 2342, 2438
.   : milestone, 2390,
iast (2.185 ms) : 2124, 2246
.   : milestone, 2185,
iast_GLOBAL (2.229 ms) : 2168, 2290
.   : milestone, 2229,
profiling (2.457 ms) : 2287, 2627
.   : milestone, 2457,
tracing (2.016 ms) : 1968, 2063
.   : milestone, 2016,
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.481 ms [1.47 ms, 1.493 ms] -
appsec 2.394 ms [2.346 ms, 2.442 ms] 912.455 µs (61.6%)
iast 2.185 ms [2.124 ms, 2.246 ms] 703.877 µs (47.5%)
iast_GLOBAL 2.226 ms [2.165 ms, 2.287 ms] 744.875 µs (50.3%)
profiling 2.043 ms [1.993 ms, 2.093 ms] 561.789 µs (37.9%)
tracing 2.011 ms [1.963 ms, 2.058 ms] 529.403 µs (35.7%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.486 ms [1.474 ms, 1.498 ms] -
appsec 2.39 ms [2.342 ms, 2.438 ms] 904.273 µs (60.9%)
iast 2.185 ms [2.124 ms, 2.246 ms] 699.306 µs (47.1%)
iast_GLOBAL 2.229 ms [2.168 ms, 2.29 ms] 742.904 µs (50.0%)
profiling 2.457 ms [2.287 ms, 2.627 ms] 971.151 µs (65.4%)
tracing 2.016 ms [1.968 ms, 2.063 ms] 529.7 µs (35.6%)
Execution time for biojava
gantt
    title biojava - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~7df3be0728, baseline=1.51.0-SNAPSHOT~0f9b46c752
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.457 s) : 15457000, 15457000
.   : milestone, 15457000,
appsec (14.697 s) : 14697000, 14697000
.   : milestone, 14697000,
iast (18.184 s) : 18184000, 18184000
.   : milestone, 18184000,
iast_GLOBAL (17.853 s) : 17853000, 17853000
.   : milestone, 17853000,
profiling (15.113 s) : 15113000, 15113000
.   : milestone, 15113000,
tracing (14.62 s) : 14620000, 14620000
.   : milestone, 14620000,
section candidate
no_agent (15.304 s) : 15304000, 15304000
.   : milestone, 15304000,
appsec (15.083 s) : 15083000, 15083000
.   : milestone, 15083000,
iast (18.774 s) : 18774000, 18774000
.   : milestone, 18774000,
iast_GLOBAL (18.201 s) : 18201000, 18201000
.   : milestone, 18201000,
profiling (15.218 s) : 15218000, 15218000
.   : milestone, 15218000,
tracing (14.827 s) : 14827000, 14827000
.   : milestone, 14827000,
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.457 s [15.457 s, 15.457 s] -
appsec 14.697 s [14.697 s, 14.697 s] -760.0 ms (-4.9%)
iast 18.184 s [18.184 s, 18.184 s] 2.727 s (17.6%)
iast_GLOBAL 17.853 s [17.853 s, 17.853 s] 2.396 s (15.5%)
profiling 15.113 s [15.113 s, 15.113 s] -344.0 ms (-2.2%)
tracing 14.62 s [14.62 s, 14.62 s] -837.0 ms (-5.4%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.304 s [15.304 s, 15.304 s] -
appsec 15.083 s [15.083 s, 15.083 s] -221.0 ms (-1.4%)
iast 18.774 s [18.774 s, 18.774 s] 3.47 s (22.7%)
iast_GLOBAL 18.201 s [18.201 s, 18.201 s] 2.897 s (18.9%)
profiling 15.218 s [15.218 s, 15.218 s] -86.0 ms (-0.6%)
tracing 14.827 s [14.827 s, 14.827 s] -477.0 ms (-3.1%)

@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch 2 times, most recently from ade8110 to 5aa9177 Compare June 10, 2025 12:54
@sezen-datadog sezen-datadog changed the base branch from master to malvarez/vertx-response-extraction June 10, 2025 12:55
@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch 4 times, most recently from c65407e to 9ac9a16 Compare June 13, 2025 09:29
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch 3 times, most recently from 414f1ea to e6d0da9 Compare June 17, 2025 17:04
Base automatically changed from malvarez/vertx-response-extraction to malvarez/http-route-play June 17, 2025 17:22
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/http-route-play branch 3 times, most recently from aac9883 to ad5e01d Compare June 23, 2025 10:35
@jandro996
Member

We need to change the base branch to malvarez/vertx-response-extraction, since it includes all the shared tooling for response schema collection.

This way, we can focus this PR exclusively on adding support for Spring Boot.

@jandro996 jandro996 added type: enhancement Enhancements and improvements inst: spring Spring instrumentation labels Jun 23, 2025
Base automatically changed from malvarez/http-route-play to master June 24, 2025 07:55
@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from 9ac9a16 to c9c027f Compare June 24, 2025 08:45
@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch 3 times, most recently from 2db1d8d to a9356db Compare June 24, 2025 09:59
@sezen-datadog sezen-datadog changed the base branch from master to malvarez/vertx-response-extraction June 24, 2025 10:00
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch 3 times, most recently from ac7c355 to bd96ea3 Compare June 25, 2025 07:15
Base automatically changed from malvarez/vertx-response-extraction to master June 25, 2025 08:25
@sezen-datadog sezen-datadog marked this pull request as ready for review June 25, 2025 09:43
@sezen-datadog sezen-datadog requested review from a team as code owners June 25, 2025 09:43
@jandro996 jandro996 changed the title from "HTTP response schema collection and data classification" to "Extract Spring json body response schemas" Jun 25, 2025
@jandro996
Member

I've updated the Title and the Description to follow the same pattern that we used for the other response schema collection PRs. Feel free to improve them if you feel that it's necessary :)

@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from 46012bb to 57fd21c Compare June 25, 2025 11:29
@manuel-alvarez-alvarez manuel-alvarez-alvarez added the comp: asm waf Application Security Management (WAF) label Jun 26, 2025
@sezen-datadog sezen-datadog enabled auto-merge (squash) June 26, 2025 10:47
@sezen-datadog sezen-datadog merged commit 928d44f into master Jun 26, 2025
508 checks passed
@sezen-datadog sezen-datadog deleted the sezen.leblay/APPSEC-57259-extract-schema-spring branch June 26, 2025 14:12
@github-actions github-actions bot added this to the 1.51.0 milestone Jun 26, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Jul 10, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.google.errorprone:error_prone_annotations](https://errorprone.info) ([source](https://github.com/google/error-prone)) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.39.0` -> `2.40.0` |
| [org.apache.commons:commons-lang3](https://commons.apache.org/proper/commons-lang/) ([source](https://gitbox.apache.org/repos/asf/commons-lang.git)) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `3.17.0` -> `3.18.0` |
| [org.jetbrains.kotlinx.binary-compatibility-validator](https://github.com/Kotlin/binary-compatibility-validator) | plugin | misk/gradle/libs.versions.toml | gradle | patch | `0.18.0` -> `0.18.1` |
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.50.1` -> `1.51.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` |
| [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` |

---

### Release Notes

<details>
<summary>google/error-prone
(com.google.errorprone:error_prone_annotations)</summary>

### [`v2.40.0`](https://github.com/google/error-prone/releases/tag/v2.40.0): Error Prone 2.40.0

Changes:

- Bug fixes and improvements
- Releases (including snapshots) have migrated from [OSSRH to the
Central Publisher
Portal](https://central.sonatype.org/pages/ossrh-eol/#process-to-migrate)

Full changelog:
google/error-prone@v2.39.0...v2.40.0

</details>

<details>
<summary>Kotlin/binary-compatibility-validator
(org.jetbrains.kotlinx.binary-compatibility-validator)</summary>

### [`v0.18.1`](https://github.com/Kotlin/binary-compatibility-validator/releases/tag/0.18.1)

[Compare Source](Kotlin/binary-compatibility-validator@0.18.0...0.18.1)

#### What's Changed

- Fixed a bug preventing use of cross-compilation support during KLIB
dump validation
\[[#304](https://github.com/Kotlin/binary-compatibility-validator/issues/304)]\[[#306](https://github.com/Kotlin/binary-compatibility-validator/issues/306)]

</details>

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.51.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.51.0): 1.51.0

### Components

#### Application Security Management (IAST)

- 🐛 Fix verify error when ctor params are used after a call site
([#9083](DataDog/dd-trace-java#9083) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- 🐛 Limit the maximum size of the location path in IAST
vulnerabilities
([#9028](DataDog/dd-trace-java#9028) -
[@jandro996](https://github.com/jandro996))
- 🐛 Fix IAST gRPC handler with null superclass
([#8984](DataDog/dd-trace-java#8984) -
[@smola](https://github.com/smola))
- ✨ Optimize IAST Vulnerability Detection
([#8885](DataDog/dd-trace-java#8885) -
[@jandro996](https://github.com/jandro996))

#### Application Security Management (WAF)

- ✨ Upgrade libddwaf-java to 15.0.0
([#9022](DataDog/dd-trace-java#9022) -
[@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Extract RestEasy json body response schemas
([#9015](DataDog/dd-trace-java#9015) -
[@jandro996](https://github.com/jandro996))
- ✨ Extract Jersey json body response schemas
([#9014](DataDog/dd-trace-java#9014) -
[@jandro996](https://github.com/jandro996))
- ✨ Extract Ratpack json body response schemas
([#9013](DataDog/dd-trace-java#9013) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Enable API Security by default and make it lazy loading
([#9009](DataDog/dd-trace-java#9009) -
[@smola](https://github.com/smola))
- ✨ Extract Vert.x json body response schemas
([#9001](DataDog/dd-trace-java#9001) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Extract Play json body response schemas
([#8995](DataDog/dd-trace-java#8995) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- 🐛 Fix Jackson nodes introspection for request/response schema
extraction
([#8980](DataDog/dd-trace-java#8980) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Extract Spring json body response schemas
([#8938](DataDog/dd-trace-java#8938) -
[@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Default obfuscation regexp update
([#8937](DataDog/dd-trace-java#8937) -
[@sezen-datadog](https://github.com/sezen-datadog))

#### Build & Tooling

- ✨ Cancel GitLab running pipeline on new PR push
([#9023](DataDog/dd-trace-java#9023) -
[@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Migrate publishing to Maven Central Portal
([#8807](DataDog/dd-trace-java#8807) -
[@sarahchen6](https://github.com/sarahchen6))

#### Continuous Integration Visibility

- 🐛 Fix Test Optimization to work with JDK 24
([#9114](DataDog/dd-trace-java#9114) -
[@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add repo root as safe directory on git client creation
([#9033](DataDog/dd-trace-java#9033) -
[@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Add PR number tag and improve PR information building
([#8990](DataDog/dd-trace-java#8990) -
[@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Update impacted tests logic
([#8923](DataDog/dd-trace-java#8923) -
[@daniel-mohedano](https://github.com/daniel-mohedano))

#### Data Streams Monitoring

- 🧹 Clean up DSM context injection
([#8776](DataDog/dd-trace-java#8776) -
[@PerfectSlayer](https://github.com/PerfectSlayer))

#### Database Monitoring

- 🐛 Set trace\_injected in try block
([#9025](DataDog/dd-trace-java#9025) -
[@natashadada](https://github.com/natashadada))

#### Dynamic Instrumentation

- 🐛 Add source file tracking enable option
([#9115](DataDog/dd-trace-java#9115) -
[@jpbempel](https://github.com/jpbempel))
- ✨ Add java.util.Date support
([#9111](DataDog/dd-trace-java#9111) -
[@jpbempel](https://github.com/jpbempel))
- ✨ Update file probe format
([#9047](DataDog/dd-trace-java#9047) -
[@jpbempel](https://github.com/jpbempel))
- ✨ add safe local var hoisting
([#9034](DataDog/dd-trace-java#9034) -
[@jpbempel](https://github.com/jpbempel))
- 🧹 Add new config for debugger upload interval
([#8959](DataDog/dd-trace-java#8959) -
[@jpbempel](https://github.com/jpbempel))
- ✨ Enable Code Origin with Dynamic instrumentation
([#8940](DataDog/dd-trace-java#8940) -
[@jpbempel](https://github.com/jpbempel))

#### ML Observability (LLMObs)

- 💡 LLM Observability SDK
([#8781](DataDog/dd-trace-java#8781) -
[@gary-huang](https://github.com/gary-huang),
[@nayeem-kamal](https://github.com/nayeem-kamal))

#### Metrics

- 🐛 Ensure client stat reporter is started when the agent is not
available at bootstrap
([#9082](DataDog/dd-trace-java#9082) -
[@amarziali](https://github.com/amarziali))
- ✨ Create metric: appsec.waf.config\_errors
([#8394](DataDog/dd-trace-java#8394) -
[@sezen-datadog](https://github.com/sezen-datadog))

#### Platform components

- ✨ Introduce environment component
([#9071](DataDog/dd-trace-java#9071) -
[@PerfectSlayer](https://github.com/PerfectSlayer))

#### Profiling

- 🐛 Remove annoying warning for smap event parsing
([#9119](DataDog/dd-trace-java#9119) -
[@jbachorik](https://github.com/jbachorik))
- 🐛 Fix ByteCountingInputStream when reading past EOF
([#8988](DataDog/dd-trace-java#8988) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

#### Realtime User Monitoring

- ✨ Add RUM SDK injection for servlet based web servers
([#9110](DataDog/dd-trace-java#9110) -
[@PerfectSlayer](https://github.com/PerfectSlayer)
[@amarziali](https://github.com/amarziali))

#### Telemetry

- ✨ Update the config origin metric to match what it's mapping
([#9045](DataDog/dd-trace-java#9045) -
[@sezen-datadog](https://github.com/sezen-datadog))

#### Testing

- ✨ Add testing for latest stable version (JDK 24)
([#8875](DataDog/dd-trace-java#8875) -
[@sarahchen6](https://github.com/sarahchen6))

#### Trace context propagation

- 🐛 Fix bug with dropping baggage when
`TracePropagationBehaviorExtract=IGNORE`
([#9037](DataDog/dd-trace-java#9037) -
[@mhlidd](https://github.com/mhlidd))
- 🐛 Fix ArrayIndexOutOfBoundsException in PercentEscaper
([#9032](DataDog/dd-trace-java#9032) -
[@mhlidd](https://github.com/mhlidd))

#### Tracer core

- 🐛 Fix `Error` handling for trace interceptors
([#9097](DataDog/dd-trace-java#9097) -
[@AlexeyKuznetsov-DD](https://github.com/AlexeyKuznetsov-DD))
- 💡 Add wildcard feature for `DD_TRACE_HEADER_TAGS` and enabling
for Http Response headers
([#9067](DataDog/dd-trace-java#9067) -
[@mhlidd](https://github.com/mhlidd))

#### Tracer public API

- 💡 Add LLM Observability SDK
([#8781](DataDog/dd-trace-java#8781) -
[@gary-huang](https://github.com/gary-huang))

### Instrumentations

#### Akka instrumentation

- 🐛 Fix NPE in akka-http and pekko-http integrations
([#9019](DataDog/dd-trace-java#9019) -
[@mcculls](https://github.com/mcculls))

#### Eclipse Vert.x instrumentation

- ✨ Extract Vert.x json body response schemas
([#9001](DataDog/dd-trace-java#9001) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Write http.route tag as soon as possible in vert.x
([#8952](DataDog/dd-trace-java#8952) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

#### JAX-WS instrumentation

- 💡⚠️ Enable jax-ws integration by default
([#9030](DataDog/dd-trace-java#9030) -
[@bm1549](https://github.com/bm1549))
- ✨ Extract Jersey json body response schemas
([#9014](DataDog/dd-trace-java#9014) -
[@jandro996](https://github.com/jandro996))

#### Mule instrumentation

- 🐛 Propagate grizzly http span in filters if nothing is active
([#9016](DataDog/dd-trace-java#9016) -
[@amarziali](https://github.com/amarziali))

#### Play Framework instrumentation

- ✨ Extract Play json body response schemas
([#8995](DataDog/dd-trace-java#8995) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

#### Ratpack instrumentation

- ✨ Extract Ratpack json body response schemas
([#9013](DataDog/dd-trace-java#9013) -
[@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))

#### Spring instrumentation

- ✨ Extract Spring json body response schemas
([#8938](DataDog/dd-trace-java#8938) -
[@sezen-datadog](https://github.com/sezen-datadog))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: 649b690d4c9d7dcb572c457f0802b42b8e3e682e