feat(appsec): extend RASP callsite coverage to File-argument constructors of FileOutputStream and FileInputStream#11113
Draft
…ctors

Add RASP callsite coverage for File-argument constructors that were previously not instrumented:

- FileOutputStream(File) and FileOutputStream(File, boolean): call FileIORaspHelper.INSTANCE.beforeFileWritten(file.getPath())
- FileInputStream(File): call FileIORaspHelper.INSTANCE.beforeFileLoaded(file.getPath())

No IAST changes — the File-based constructors delegate path resolution to the JVM, so IAST taint tracking via the String constructor already covers those code paths at a higher level.

Tests added following the existing RASP test pattern.
Contributor

Hi! 👋 Thanks for your pull request! 🎉 To help us review it, please make sure to:

If you need help, please check our contributing guidelines.
Benchmarks

Startup

Summary: Found 2 performance improvements and 0 performance regressions! Performance is the same for 56 metrics, 13 unstable metrics.

Startup time reports for insecure-bank

insecure-bank - global startup overhead: candidate=1.62.0-SNAPSHOT~b1e991e371, baseline=1.62.0-SNAPSHOT~61091f0e79

| Section | Metric | Baseline | Candidate |
|---|---|---|---|
| tracing | Agent | 1.062 s | 1.056 s |
| tracing | Total | 8.832 s | 8.852 s |
| iast | Agent | 1.226 s | 1.229 s |
| iast | Total | 9.545 s | 9.591 s |

insecure-bank - break down per module: candidate=1.62.0-SNAPSHOT~b1e991e371, baseline=1.62.0-SNAPSHOT~61091f0e79

| Section | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | crashtracking | 1.236 ms | 1.217 ms |
| tracing | BytebuddyAgent | 636.704 ms | 630.492 ms |
| tracing | AgentMeter | 29.734 ms | 29.372 ms |
| tracing | GlobalTracer | 250.481 ms | 248.633 ms |
| tracing | AppSec | 32.536 ms | 32.574 ms |
| tracing | Debugger | 59.277 ms | 59.45 ms |
| tracing | Remote Config | 612.873 µs | 590.017 µs |
| tracing | Telemetry | 8.013 ms | 8.049 ms |
| tracing | Flare Poller | 6.766 ms | 9.828 ms |
| iast | crashtracking | 1.233 ms | 1.225 ms |
| iast | BytebuddyAgent | 804.251 ms | 808.487 ms |
| iast | AgentMeter | 11.497 ms | 11.245 ms |
| iast | GlobalTracer | 238.683 ms | 238.205 ms |
| iast | IAST | 27.563 ms | 26.644 ms |
| iast | AppSec | 28.744 ms | 30.291 ms |
| iast | Debugger | 61.706 ms | 64.542 ms |
| iast | Remote Config | 1.755 ms | 559.107 µs |
| iast | Telemetry | 11.106 ms | 7.876 ms |
| iast | Flare Poller | 3.391 ms | 3.412 ms |

Startup time reports for petclinic

petclinic - global startup overhead: candidate=1.62.0-SNAPSHOT~b1e991e371, baseline=1.62.0-SNAPSHOT~61091f0e79

| Section | Metric | Baseline | Candidate |
|---|---|---|---|
| tracing | Agent | 1.059 s | 1.058 s |
| tracing | Total | 11.056 s | 11.014 s |
| appsec | Agent | 1.249 s | 1.262 s |
| appsec | Total | 11.14 s | 10.918 s |
| iast | Agent | 1.225 s | 1.226 s |
| iast | Total | 11.289 s | 11.286 s |
| profiling | Agent | 1.191 s | 1.184 s |
| profiling | Total | 11.097 s | 11.057 s |

petclinic - break down per module: candidate=1.62.0-SNAPSHOT~b1e991e371, baseline=1.62.0-SNAPSHOT~61091f0e79

| Section | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | crashtracking | 1.229 ms | 1.22 ms |
| tracing | BytebuddyAgent | 633.415 ms | 633.103 ms |
| tracing | AgentMeter | 29.339 ms | 29.46 ms |
| tracing | GlobalTracer | 248.781 ms | 249.305 ms |
| tracing | AppSec | 32.342 ms | 32.49 ms |
| tracing | Debugger | 59.968 ms | 60.237 ms |
| tracing | Remote Config | 609.045 µs | 601.547 µs |
| tracing | Telemetry | 8.037 ms | 8.045 ms |
| tracing | Flare Poller | 9.014 ms | 7.438 ms |
| appsec | crashtracking | 1.214 ms | 1.218 ms |
| appsec | BytebuddyAgent | 661.918 ms | 676.53 ms |
| appsec | AgentMeter | 12.024 ms | 11.968 ms |
| appsec | GlobalTracer | 249.688 ms | 248.365 ms |
| appsec | AppSec | 185.249 ms | 185.253 ms |
| appsec | Debugger | 65.721 ms | 66.336 ms |
| appsec | Remote Config | 606.848 µs | 571.806 µs |
| appsec | Telemetry | 8.458 ms | 7.899 ms |
| appsec | Flare Poller | 3.491 ms | 3.45 ms |
| appsec | IAST | 24.554 ms | 24.128 ms |
| iast | crashtracking | 1.226 ms | 1.215 ms |
| iast | BytebuddyAgent | 801.7 ms | 805.903 ms |
| iast | AgentMeter | 11.368 ms | 11.206 ms |
| iast | GlobalTracer | 239.298 ms | 238.171 ms |
| iast | AppSec | 31.217 ms | 26.517 ms |
| iast | Debugger | 63.089 ms | 65.253 ms |
| iast | Remote Config | 1.734 ms | 534.416 µs |
| iast | Telemetry | 10.079 ms | 7.843 ms |
| iast | Flare Poller | 3.464 ms | 3.383 ms |
| iast | IAST | 25.714 ms | 27.351 ms |
| profiling | ProfilingAgent | 94.793 ms | 94.682 ms |
| profiling | crashtracking | 1.179 ms | 1.177 ms |
| profiling | BytebuddyAgent | 694.327 ms | 689.926 ms |
| profiling | AgentMeter | 9.158 ms | 9.068 ms |
| profiling | GlobalTracer | 208.324 ms | 207.198 ms |
| profiling | AppSec | 32.909 ms | 32.861 ms |
| profiling | Debugger | 66.363 ms | 65.813 ms |
| profiling | Remote Config | 589.602 µs | 576.735 µs |
| profiling | Telemetry | 7.847 ms | 7.832 ms |
| profiling | Flare Poller | 3.581 ms | 3.562 ms |
| profiling | Profiling | 95.366 ms | 95.259 ms |

Load

Summary: Found 2 performance improvements and 1 performance regressions! Performance is the same for 15 metrics, 18 unstable metrics.

Request duration reports for petclinic

petclinic - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~b1e991e371, baseline=1.62.0-SNAPSHOT~61091f0e79

| Variant | Baseline mean (99% CI) | Candidate mean (99% CI) |
|---|---|---|
| no_agent | 17.516 ms (17.339–17.693) | 17.948 ms (17.767–18.128) |
| appsec | 18.806 ms (18.618–18.994) | 18.666 ms (18.479–18.853) |
| code_origins | 17.851 ms (17.676–18.026) | 18.081 ms (17.902–18.260) |
| iast | 19.073 ms (18.885–19.261) | 17.82 ms (17.645–17.994) |
| profiling | 18.515 ms (18.331–18.698) | 19.464 ms (19.265–19.663) |
| tracing | 17.964 ms (17.792–18.137) | 18.152 ms (17.971–18.333) |

Request duration reports for insecure-bank

insecure-bank - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~b1e991e371, baseline=1.62.0-SNAPSHOT~61091f0e79

| Variant | Baseline mean (99% CI) | Candidate mean (99% CI) |
|---|---|---|
| no_agent | 1.257 ms (1.245–1.269) | 1.279 ms (1.266–1.292) |
| iast | 3.305 ms (3.258–3.352) | 3.235 ms (3.186–3.284) |
| iast_FULL | 5.892 ms (5.832–5.952) | 5.827 ms (5.769–5.885) |
| iast_GLOBAL | 3.68 ms (3.615–3.745) | 3.652 ms (3.588–3.715) |
| profiling | 2.082 ms (2.062–2.103) | 2.073 ms (2.054–2.093) |
| tracing | 1.835 ms (1.820–1.850) | 1.875 ms (1.860–1.891) |

Dacapo

Summary: Found 1 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 1 unstable metrics.

Execution time for tomcat

tomcat - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~b1e991e371, baseline=1.62.0-SNAPSHOT~61091f0e79

| Variant | Baseline mean (99% CI) | Candidate mean (99% CI) |
|---|---|---|
| no_agent | 1.492 ms (1.480–1.503) | 1.495 ms (1.484–1.507) |
| appsec | 3.861 ms (3.637–4.084) | 2.56 ms (2.504–2.615) |
| iast | 2.288 ms (2.218–2.358) | 2.296 ms (2.225–2.366) |
| iast_GLOBAL | 2.326 ms (2.256–2.396) | 2.332 ms (2.261–2.402) |
| profiling | 2.109 ms (2.053–2.165) | 2.537 ms (2.370–2.703) |
| tracing | 2.09 ms (2.036–2.144) | 2.083 ms (2.029–2.138) |

Execution time for biojava

biojava - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~b1e991e371, baseline=1.62.0-SNAPSHOT~61091f0e79 (single measurement per variant; the reported interval collapses to the mean)

| Variant | Baseline | Candidate |
|---|---|---|
| no_agent | 14.895 s | 15.461 s |
| appsec | 14.775 s | 14.81 s |
| iast | 18.492 s | 18.624 s |
| iast_GLOBAL | 18.115 s | 17.955 s |
| profiling | 14.761 s | 14.881 s |
| tracing | 15.275 s | 14.674 s |
…, RandomAccessFile, Files.* and FileChannel

Extends RASP callsite instrumentation (APPSEC-61874) beyond FileInputStream/FileOutputStream to all remaining Java file I/O APIs that were not covered. No IAST changes.

New callsites:

- FileReaderCallSite: FileReader(String/File) + Java 11+ Charset variants → beforeFileLoaded
- FileWriterCallSite: FileWriter(String/File/boolean) + Java 11+ Charset variants → beforeFileWritten
- RandomAccessFileCallSite: RandomAccessFile(String/File, mode) → beforeFileLoaded for "r", both beforeFileLoaded + beforeFileWritten for "rw"/"rws"/"rwd"
- FilesCallSite: all Files.* read and write methods (newOutputStream, copy(IS,Path), write, writeString, newBufferedWriter, move, newInputStream, readAllBytes, readAllLines, readString, newBufferedReader, lines)
- FileChannelCallSite: FileChannel.open(Path, ...) → fires both read and write callbacks

Extended callsites:

- PathCallSite: add resolve(Path) and resolveSibling(Path) → beforeFileLoaded
- PathsCallSite: add Path.of(String[], URI) (Java 11+) → beforeFileLoaded

FileIORaspHelper: add beforeRandomAccessFileOpened(path, mode) helper

Relates to #11084 and #11113
What Does This Do

Extends the RASP callsite coverage introduced in #11084 to include constructors that take a `java.io.File` argument, which were previously not instrumented:

- `FileOutputStream(File)` and `FileOutputStream(File, boolean)` — now publish `server.io.fs.file_write` via `FileIORaspHelper.INSTANCE.beforeFileWritten(file.getPath())`
- `FileInputStream(File)` — now publishes `server.io.fs.file` via `FileIORaspHelper.INSTANCE.beforeFileLoaded(file.getPath())`

No IAST changes — the File-based constructors delegate path resolution to the JVM, so IAST taint tracking via the `String` constructors already covers those code paths at a higher level.

Coverage gap closed

- `FileOutputStream(String)`
- `FileOutputStream(String, boolean)`
- `FileOutputStream(File)`
- `FileOutputStream(File, boolean)`
- `FileInputStream(String)`
- `FileInputStream(File)`

Contributor Checklist

- Add the `type:` and (`comp:` or `inst:`) labels in addition to any other useful labels
- Don't use `close`, `fix`, or any linking keywords when referencing an issue. Use `solves` instead, and assign the PR milestone to the issue

Jira Ticket: APPSEC-61874
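The dispatch that the two commit messages and the PR description spell out (every `File` overload reduced to `file.getPath()`, `RandomAccessFile` modes mapped to read or read-plus-write, `FileChannel.open` firing both callbacks) is easy to get subtly wrong when a new overload is added, so the following stand-alone Java model is added here as an illustration. It is not dd-trace-java code: `FileIoRaspDispatchDemo`, the `Helper` class, the `on*` adapters and the base-directory escape check are assumptions made for this example. Only the address names `server.io.fs.file` / `server.io.fs.file_write`, the callback names and the mode mapping come from the page.

```java
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

/**
 * Model of the RASP file I/O callback dispatch described in the PR.
 * Hypothetical example, not the agent's implementation.
 */
public final class FileIoRaspDispatchDemo {

  /** Stand-in for FileIORaspHelper (assumption): records events and flags paths that leave a base directory. */
  static final class Helper {
    private final Path allowedRoot; // assumption: the one directory the application is expected to touch
    final List<String> events = new ArrayList<>();
    final List<String> findings = new ArrayList<>();

    Helper(Path allowedRoot) {
      this.allowedRoot = allowedRoot.toAbsolutePath().normalize();
    }

    void beforeFileLoaded(String path) {
      record("server.io.fs.file", path);
    }

    void beforeFileWritten(String path) {
      record("server.io.fs.file_write", path);
    }

    /** Mode mapping from the PR: "r" -> read only; "rw", "rws", "rwd" -> read and write. */
    void beforeRandomAccessFileOpened(String path, String mode) {
      beforeFileLoaded(path);
      if (mode.startsWith("rw")) {
        beforeFileWritten(path);
      }
    }

    private void record(String address, String path) {
      events.add(address + " " + path);
      // Detection heuristic (assumption for this example): after normalisation the path
      // must still sit under the allowed root, otherwise it is reported as a finding.
      Path resolved = allowedRoot.resolve(path).normalize();
      if (!resolved.startsWith(allowedRoot)) {
        findings.add(address + " resolves outside " + allowedRoot + ": " + path);
      }
    }
  }

  // Call-site shaped adapters: the File overloads hand over file.getPath(), as the PR does,
  // so a relative File stays relative and the helper sees the same string the String overload would.
  static void onFileInputStream(Helper h, File file) {
    h.beforeFileLoaded(file.getPath());
  }

  static void onFileOutputStream(Helper h, File file, boolean append) {
    h.beforeFileWritten(file.getPath());
  }

  static void onRandomAccessFile(Helper h, File file, String mode) {
    h.beforeRandomAccessFileOpened(file.getPath(), mode);
  }

  /** FileChannel.open(Path, ...) cannot know the intent up front, so both callbacks fire. */
  static void onFileChannelOpen(Helper h, Path path) {
    h.beforeFileLoaded(path.toString());
    h.beforeFileWritten(path.toString());
  }

  public static void main(String[] args) {
    Helper h = new Helper(Paths.get("/srv/app/data")); // constructed sample root
    onFileInputStream(h, new File("reports/q1.csv"));
    onFileOutputStream(h, new File("reports/q1.csv"), true);
    onRandomAccessFile(h, new File("index.db"), "r");
    onRandomAccessFile(h, new File("index.db"), "rws");
    onFileChannelOpen(h, Paths.get("cache/blob"));
    onFileInputStream(h, new File("../../outside/secret.txt")); // constructed traversal-shaped sample

    h.events.forEach(System.out::println);   // 8 events: 1 + 1 + 1 + 2 + 2 + 1
    h.findings.forEach(f -> System.out.println("FINDING " + f)); // only the last sample is reported
  }
}
```

Running `main` prints one event per callback and a single finding for the path that normalises outside `/srv/app/data`; the "rws" open produces two events while the "r" open produces one, which is the property a test for `beforeRandomAccessFileOpened` should pin down.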