
Add server.request.body.filenames AppSec address for Jersey and RESTEasy #11171

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 5 commits into master from alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy
Apr 28, 2026

Conversation

@jandro996 (Member) commented Apr 21, 2026

What Does This Do

Adds server.request.body.filenames AppSec gateway event support for Jersey 2.x, Jersey 3.x, and RESTEasy.

Jersey 2.x and 3.x

  • New MultiPartHelper class (one per namespace module) with:
    • collectBodyPart(FormDataBodyPart, Map, List<String>) — populates the body map and/or filenames list for a single body part, replacing the inline logic in the advice
    • filenameFromBodyPart(FormDataBodyPart) — extracts the filename from FormDataContentDisposition
  • MultiPartReaderServerSideInstrumentation now subscribes to EVENTS.requestFilesFilenames(), collects filenames via the helper, and fires the blocking flow if needed
  • helperClassNames() declared to inject MultiPartHelper into the app classloader

RESTEasy

  • New MultipartHelper class with:
    • collectFilenames(MultipartFormDataInput) — iterates parts, reads Content-Disposition headers via reflection, and delegates to filenameFromContentDisposition
    • filenameFromContentDisposition(String) — quote-aware parser that handles semicolons inside quoted filenames (e.g. filename="a;b.php")
  • MultipartFormDataReaderInstrumentation now subscribes to EVENTS.requestFilesFilenames(), calls MultipartHelper.collectFilenames(), and fires the blocking flow if needed
  • helperClassNames() declared to inject MultipartHelper

Tests

  • Unit tests for each helper class: MultiPartHelperTest (Jersey 2 and 3) and MultipartHelperTest (RESTEasy)
  • testBodyFilenames() { true } opted in for GrizzlyTest, Jersey2JettyTest, and Jersey3JettyTest

Motivation

Implements the server.request.body.filenames AppSec address for Jersey and RESTEasy as part of APPSEC-61873.

Additional Notes

Reflection in MultipartHelper (RESTEasy)

InputPart.getHeaders() returns javax.ws.rs.core.MultivaluedMap in RESTEasy 3.x and jakarta.ws.rs.core.MultivaluedMap in RESTEasy 6.x. A direct bytecode reference to either type fails muzzle for the other version.

To avoid this, MultipartHelper resolves the method once at class-load time via reflection and caches it in a static final field:

private static final Method GET_HEADERS;

static {
  Method m = null;
  try { m = InputPart.class.getMethod("getHeaders"); }
  catch (NoSuchMethodException ignored) {}
  GET_HEADERS = m;
}

The static initializer runs once in the app classloader (where the library is already present), so the reflection cost is zero per request and there is no bytecode reference to the problematic return type — muzzle passes across all RESTEasy versions.

This approach was preferred over the alternatives — duplicating the module by version, bounding the muzzle range, or restructuring the call site — which have historically caused cascading changes across multiple modules.

Contributor Checklist

Jira ticket: APPSEC-61873

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

@jandro996 jandro996 added type: enhancement Enhancements and improvements comp: asm waf Application Security Management (WAF) labels Apr 21, 2026
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy branch from 5ca9b2f to 86c4da5 Compare April 21, 2026 13:10
@jandro996
Member Author

@codex review

@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy branch from 1123a3b to 510fca6 Compare April 21, 2026 13:36
pr-commenter Bot commented Apr 21, 2026

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy
git_commit_date 1777376638 1777379350
git_commit_sha 5609365 93f7907
release_version 1.62.0-SNAPSHOT~5609365061 1.62.0-SNAPSHOT~93f7907f46
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1777381157 1777381157
ci_job_id 1637430844 1637430844
ci_pipeline_id 110125429 110125429
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-e5afzmvd 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-e5afzmvd 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 61 metrics, 10 unstable metrics.

Startup time reports for insecure-bank
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.06 s -
Agent iast 1.24 s 180.48 ms (17.0%)
Total tracing 8.841 s -
Total iast 9.516 s 674.211 ms (7.6%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.072 s -
Agent iast 1.24 s 168.199 ms (15.7%)
Total tracing 8.847 s -
Total iast 9.526 s 679.619 ms (7.7%)
insecure-bank - break down per module: candidate=1.62.0-SNAPSHOT~93f7907f46, baseline=1.62.0-SNAPSHOT~5609365061
section tracing
crashtracking [baseline] (1.22 ms) : 0, 1220
crashtracking [candidate] (1.236 ms) : 0, 1236
BytebuddyAgent [baseline] (633.32 ms) : 0, 633320
BytebuddyAgent [candidate] (641.666 ms) : 0, 641666
AgentMeter [baseline] (29.382 ms) : 0, 29382
AgentMeter [candidate] (29.773 ms) : 0, 29773
GlobalTracer [baseline] (248.017 ms) : 0, 248017
GlobalTracer [candidate] (249.675 ms) : 0, 249675
AppSec [baseline] (32.764 ms) : 0, 32764
AppSec [candidate] (32.884 ms) : 0, 32884
Debugger [baseline] (59.7 ms) : 0, 59700
Debugger [candidate] (60.047 ms) : 0, 60047
Remote Config [baseline] (600.664 µs) : 0, 601
Remote Config [candidate] (603.329 µs) : 0, 603
Telemetry [baseline] (9.163 ms) : 0, 9163
Telemetry [candidate] (8.398 ms) : 0, 8398
Flare Poller [baseline] (9.799 ms) : 0, 9799
Flare Poller [candidate] (11.285 ms) : 0, 11285
section iast
crashtracking [baseline] (1.233 ms) : 0, 1233
crashtracking [candidate] (1.222 ms) : 0, 1222
BytebuddyAgent [baseline] (821.187 ms) : 0, 821187
BytebuddyAgent [candidate] (821.391 ms) : 0, 821391
AgentMeter [baseline] (11.279 ms) : 0, 11279
AgentMeter [candidate] (11.244 ms) : 0, 11244
GlobalTracer [baseline] (237.947 ms) : 0, 237947
GlobalTracer [candidate] (236.299 ms) : 0, 236299
IAST [baseline] (26.423 ms) : 0, 26423
IAST [candidate] (27.451 ms) : 0, 27451
AppSec [baseline] (32.302 ms) : 0, 32302
AppSec [candidate] (30.405 ms) : 0, 30405
Debugger [baseline] (62.278 ms) : 0, 62278
Debugger [candidate] (64.062 ms) : 0, 64062
Remote Config [baseline] (521.716 µs) : 0, 522
Remote Config [candidate] (531.257 µs) : 0, 531
Telemetry [baseline] (7.943 ms) : 0, 7943
Telemetry [candidate] (7.953 ms) : 0, 7953
Flare Poller [baseline] (3.304 ms) : 0, 3304
Flare Poller [candidate] (3.359 ms) : 0, 3359
Startup time reports for petclinic
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.074 s -
Agent appsec 1.271 s 196.634 ms (18.3%)
Agent iast 1.242 s 168.097 ms (15.6%)
Agent profiling 1.186 s 112.142 ms (10.4%)
Total tracing 11.086 s -
Total appsec 11.097 s 11.262 ms (0.1%)
Total iast 11.317 s 231.189 ms (2.1%)
Total profiling 10.995 s -91.605 ms (-0.8%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.063 s -
Agent appsec 1.274 s 211.591 ms (19.9%)
Agent iast 1.24 s 177.184 ms (16.7%)
Agent profiling 1.194 s 131.585 ms (12.4%)
Total tracing 10.939 s -
Total appsec 11.085 s 146.02 ms (1.3%)
Total iast 11.284 s 345.21 ms (3.2%)
Total profiling 10.983 s 44.694 ms (0.4%)
petclinic - break down per module: candidate=1.62.0-SNAPSHOT~93f7907f46, baseline=1.62.0-SNAPSHOT~5609365061
section tracing
crashtracking [baseline] (1.242 ms) : 0, 1242
crashtracking [candidate] (1.218 ms) : 0, 1218
BytebuddyAgent [baseline] (640.447 ms) : 0, 640447
BytebuddyAgent [candidate] (634.269 ms) : 0, 634269
AgentMeter [baseline] (29.827 ms) : 0, 29827
AgentMeter [candidate] (29.388 ms) : 0, 29388
GlobalTracer [baseline] (251.758 ms) : 0, 251758
GlobalTracer [candidate] (248.781 ms) : 0, 248781
AppSec [baseline] (33.377 ms) : 0, 33377
AppSec [candidate] (32.747 ms) : 0, 32747
Debugger [baseline] (62.428 ms) : 0, 62428
Debugger [candidate] (60.725 ms) : 0, 60725
Remote Config [baseline] (607.632 µs) : 0, 608
Remote Config [candidate] (613.607 µs) : 0, 614
Telemetry [baseline] (10.007 ms) : 0, 10007
Telemetry [candidate] (9.842 ms) : 0, 9842
Flare Poller [baseline] (8.283 ms) : 0, 8283
Flare Poller [candidate] (9.111 ms) : 0, 9111
section appsec
crashtracking [baseline] (1.243 ms) : 0, 1243
crashtracking [candidate] (1.222 ms) : 0, 1222
BytebuddyAgent [baseline] (679.176 ms) : 0, 679176
BytebuddyAgent [candidate] (680.972 ms) : 0, 680972
AgentMeter [baseline] (12.246 ms) : 0, 12246
AgentMeter [candidate] (12.366 ms) : 0, 12366
GlobalTracer [baseline] (249.948 ms) : 0, 249948
GlobalTracer [candidate] (251.54 ms) : 0, 251540
IAST [baseline] (24.922 ms) : 0, 24922
IAST [candidate] (24.986 ms) : 0, 24986
AppSec [baseline] (185.659 ms) : 0, 185659
AppSec [candidate] (185.77 ms) : 0, 185770
Debugger [baseline] (65.174 ms) : 0, 65174
Debugger [candidate] (64.859 ms) : 0, 64859
Remote Config [baseline] (559.987 µs) : 0, 560
Remote Config [candidate] (570.323 µs) : 0, 570
Telemetry [baseline] (7.874 ms) : 0, 7874
Telemetry [candidate] (7.925 ms) : 0, 7925
Flare Poller [baseline] (6.775 ms) : 0, 6775
Flare Poller [candidate] (6.207 ms) : 0, 6207
section iast
crashtracking [baseline] (1.223 ms) : 0, 1223
crashtracking [candidate] (1.236 ms) : 0, 1236
BytebuddyAgent [baseline] (821.146 ms) : 0, 821146
BytebuddyAgent [candidate] (820.271 ms) : 0, 820271
AgentMeter [baseline] (11.241 ms) : 0, 11241
AgentMeter [candidate] (11.259 ms) : 0, 11259
GlobalTracer [baseline] (238.701 ms) : 0, 238701
GlobalTracer [candidate] (236.752 ms) : 0, 236752
IAST [baseline] (27.387 ms) : 0, 27387
IAST [candidate] (27.271 ms) : 0, 27271
AppSec [baseline] (30.652 ms) : 0, 30652
AppSec [candidate] (31.216 ms) : 0, 31216
Debugger [baseline] (63.948 ms) : 0, 63948
Debugger [candidate] (63.854 ms) : 0, 63854
Remote Config [baseline] (527.209 µs) : 0, 527
Remote Config [candidate] (517.587 µs) : 0, 518
Telemetry [baseline] (7.921 ms) : 0, 7921
Telemetry [candidate] (8.018 ms) : 0, 8018
Flare Poller [baseline] (3.461 ms) : 0, 3461
Flare Poller [candidate] (3.368 ms) : 0, 3368
section profiling
crashtracking [baseline] (1.187 ms) : 0, 1187
crashtracking [candidate] (1.196 ms) : 0, 1196
BytebuddyAgent [baseline] (691.714 ms) : 0, 691714
BytebuddyAgent [candidate] (696.897 ms) : 0, 696897
AgentMeter [baseline] (8.9 ms) : 0, 8900
AgentMeter [candidate] (8.983 ms) : 0, 8983
GlobalTracer [baseline] (207.606 ms) : 0, 207606
GlobalTracer [candidate] (209.369 ms) : 0, 209369
AppSec [baseline] (32.688 ms) : 0, 32688
AppSec [candidate] (32.973 ms) : 0, 32973
Debugger [baseline] (66.149 ms) : 0, 66149
Debugger [candidate] (66.155 ms) : 0, 66155
Remote Config [baseline] (587.552 µs) : 0, 588
Remote Config [candidate] (575.093 µs) : 0, 575
Telemetry [baseline] (8.102 ms) : 0, 8102
Telemetry [candidate] (8.122 ms) : 0, 8122
Flare Poller [baseline] (3.567 ms) : 0, 3567
Flare Poller [candidate] (3.532 ms) : 0, 3532
ProfilingAgent [baseline] (94.289 ms) : 0, 94289
ProfilingAgent [candidate] (94.497 ms) : 0, 94497
Profiling [baseline] (94.838 ms) : 0, 94838
Profiling [candidate] (95.056 ms) : 0, 95056

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy
git_commit_date 1777376638 1777379350
git_commit_sha 5609365 93f7907
release_version 1.62.0-SNAPSHOT~5609365061 1.62.0-SNAPSHOT~93f7907f46
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1777381526 1777381526
ci_job_id 1637430845 1637430845
ci_pipeline_id 110125429 110125429
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-hb0h3df6 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-hb0h3df6 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 3 performance improvements and 0 performance regressions! Performance is the same for 16 metrics, 17 unstable metrics.

scenario | Δ mean agg_http_req_duration_p50 | Δ mean agg_http_req_duration_p95 | Δ mean throughput | candidate mean agg_http_req_duration_p50 | candidate mean agg_http_req_duration_p95 | candidate mean throughput | baseline mean agg_http_req_duration_p50 | baseline mean agg_http_req_duration_p95 | baseline mean throughput
scenario:load:petclinic:code_origins:high_load | better [-1.608ms; -0.759ms] or [-8.675%; -4.096%] | unsure [-1296.526µs; -134.742µs] or [-4.366%; -0.454%] | unstable [-14.005op/s; +39.568op/s] or [-5.637%; +15.927%] | 17.350ms | 28.980ms | 261.219op/s | 18.534ms | 29.695ms | 248.438op/s
scenario:load:petclinic:tracing:high_load | better [-1.942ms; -1.259ms] or [-10.323%; -6.695%] | better [-2.154ms; -1.312ms] or [-7.196%; -4.385%] | unstable [-7.515op/s; +45.515op/s] or [-3.059%; +18.523%] | 17.213ms | 28.194ms | 264.719op/s | 18.813ms | 29.927ms | 245.719op/s
Request duration reports for petclinic
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 17.378 ms [17.204 ms, 17.553 ms] -
appsec 18.809 ms [18.62 ms, 18.999 ms] 1.431 ms (8.2%)
code_origins 18.783 ms [18.596 ms, 18.97 ms] 1.405 ms (8.1%)
iast 17.829 ms [17.652 ms, 18.005 ms] 450.469 µs (2.6%)
profiling 18.265 ms [18.088 ms, 18.443 ms] 886.779 µs (5.1%)
tracing 18.993 ms [18.806 ms, 19.18 ms] 1.614 ms (9.3%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.112 ms [17.929 ms, 18.294 ms] -
appsec 18.6 ms [18.41 ms, 18.79 ms] 488.348 µs (2.7%)
code_origins 17.861 ms [17.684 ms, 18.038 ms] -250.83 µs (-1.4%)
iast 17.788 ms [17.613 ms, 17.963 ms] -323.733 µs (-1.8%)
profiling 18.4 ms [18.218 ms, 18.583 ms] 288.826 µs (1.6%)
tracing 17.622 ms [17.451 ms, 17.794 ms] -489.582 µs (-2.7%)
Request duration reports for insecure-bank
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.285 ms [1.272 ms, 1.298 ms] -
iast 3.327 ms [3.277 ms, 3.377 ms] 2.042 ms (159.0%)
iast_FULL 5.896 ms [5.838 ms, 5.954 ms] 4.611 ms (358.9%)
iast_GLOBAL 3.708 ms [3.649 ms, 3.766 ms] 2.423 ms (188.6%)
profiling 2.199 ms [2.178 ms, 2.221 ms] 914.298 µs (71.2%)
tracing 1.894 ms [1.879 ms, 1.91 ms] 609.337 µs (47.4%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.243 ms [1.231 ms, 1.255 ms] -
iast 3.331 ms [3.281 ms, 3.382 ms] 2.088 ms (168.0%)
iast_FULL 5.902 ms [5.842 ms, 5.962 ms] 4.659 ms (374.8%)
iast_GLOBAL 3.544 ms [3.485 ms, 3.602 ms] 2.301 ms (185.1%)
profiling 2.307 ms [2.287 ms, 2.328 ms] 1.064 ms (85.6%)
tracing 1.904 ms [1.888 ms, 1.919 ms] 660.891 µs (53.2%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy
git_commit_date 1777376638 1777379350
git_commit_sha 5609365 93f7907
release_version 1.62.0-SNAPSHOT~5609365061 1.62.0-SNAPSHOT~93f7907f46
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1777381260 1777381260
ci_job_id 1637430846 1637430846
ci_pipeline_id 110125429 110125429
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-raep7wes 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-raep7wes 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.602 s [15.602 s, 15.602 s] -
appsec 14.948 s [14.948 s, 14.948 s] -654.0 ms (-4.2%)
iast 18.579 s [18.579 s, 18.579 s] 2.977 s (19.1%)
iast_GLOBAL 17.97 s [17.97 s, 17.97 s] 2.368 s (15.2%)
profiling 15.096 s [15.096 s, 15.096 s] -506.0 ms (-3.2%)
tracing 14.769 s [14.769 s, 14.769 s] -833.0 ms (-5.3%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.491 s [15.491 s, 15.491 s] -
appsec 14.684 s [14.684 s, 14.684 s] -807.0 ms (-5.2%)
iast 18.446 s [18.446 s, 18.446 s] 2.955 s (19.1%)
iast_GLOBAL 17.745 s [17.745 s, 17.745 s] 2.254 s (14.6%)
profiling 15.019 s [15.019 s, 15.019 s] -472.0 ms (-3.0%)
tracing 14.822 s [14.822 s, 14.822 s] -669.0 ms (-4.3%)
Execution time for tomcat
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.489 ms [1.477 ms, 1.5 ms] -
appsec 2.541 ms [2.485 ms, 2.596 ms] 1.052 ms (70.7%)
iast 2.287 ms [2.216 ms, 2.357 ms] 797.931 µs (53.6%)
iast_GLOBAL 2.33 ms [2.259 ms, 2.401 ms] 841.476 µs (56.5%)
profiling 2.117 ms [2.061 ms, 2.173 ms] 628.523 µs (42.2%)
tracing 2.081 ms [2.027 ms, 2.134 ms] 591.803 µs (39.8%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.49 ms [1.478 ms, 1.502 ms] -
appsec 2.56 ms [2.504 ms, 2.615 ms] 1.07 ms (71.8%)
iast 2.285 ms [2.214 ms, 2.356 ms] 794.87 µs (53.3%)
iast_GLOBAL 2.339 ms [2.268 ms, 2.41 ms] 848.687 µs (57.0%)
profiling 2.129 ms [2.073 ms, 2.186 ms] 639.427 µs (42.9%)
tracing 2.082 ms [2.028 ms, 2.136 ms] 592.288 µs (39.8%)

@jandro996 jandro996 marked this pull request as ready for review April 21, 2026 14:56
@jandro996 jandro996 requested a review from a team as a code owner April 21, 2026 14:56
@jandro996 jandro996 marked this pull request as draft April 21, 2026 14:57

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 510fca6013

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy branch 2 times, most recently from 635a97f to 21a5777 Compare April 22, 2026 10:50
@jandro996 jandro996 marked this pull request as ready for review April 22, 2026 15:07

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 21a57776c3


@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy branch from 21a5777 to dc887ea Compare April 23, 2026 07:26
@jandro996 jandro996 marked this pull request as draft April 23, 2026 07:35
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy branch 5 times, most recently from 78d29ab to 6ff7c4d Compare April 23, 2026 08:47
@jandro996 jandro996 changed the title Add server.request.body.filenames support for Jersey and RESTEasy Add server.request.body.filenames support for Jersey, Grizzly and RESTEasy Apr 23, 2026
@jandro996 jandro996 changed the title Add server.request.body.filenames support for Jersey, Grizzly and RESTEasy Add server.request.body.filenames support for Jersey and RESTEasy Apr 23, 2026
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy branch 3 times, most recently from b58f1e6 to d1da0e3 Compare April 23, 2026 09:32
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy branch from d1da0e3 to 4f53294 Compare April 23, 2026 09:58
@jandro996 jandro996 changed the title Add server.request.body.filenames support for Jersey and RESTEasy Add server.request.body.filenames AppSec address for Jersey and RESTEasy Apr 23, 2026
@jandro996
Member Author

@codex review

@jandro996
Member Author

Please have a look at Reflection in MultipartHelper (RESTEasy). I think it is a good approach to avoid more modules and code duplication; I'd love to hear your thoughts 😃

@jandro996 jandro996 marked this pull request as ready for review April 23, 2026 10:07

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4f53294c1c


…isposition

Tabs after ';' and optional SP/HT around '=' are valid per MIME and are
delivered by RESTEasy as-is; the previous parser only skipped literal spaces,
so those variants bypassed server.request.body.filenames detection.
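
The quote-aware parsing that the PR description attributes to filenameFromContentDisposition, combined with the SP/HT handling from the commit message above, as an added Java example that is not the PR's MultipartHelper code. The class and method names and the sample headers are constructed, and the naive variant is a constructed baseline for comparison, not the project's previous parser.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration: hypothetical class and method names, not the dd-trace-java helper.
public final class ContentDispositionFilename {

  private ContentDispositionFilename() {}

  // Constructed naive baseline: splits on every ';' and skips literal spaces only.
  static String naiveFilename(String header) {
    if (header == null) return null;
    for (String part : header.split(";")) {
      String p = part.replaceAll("^ +", "");
      if (p.startsWith("filename=")) return p.substring(9).replace("\"", "");
    }
    return null;
  }

  // Quote-aware scan: returns the filename parameter value, or null if there is none.
  // The extended filename* parameter is out of scope for this example.
  static String filenameFrom(String header) {
    if (header == null) return null;
    int n = header.length();
    int i = 0;
    while (i < n && header.charAt(i) != ';') i++; // skip the disposition type
    while (i < n) {
      i = skipWs(header, i + 1); // consume ';' plus any SP/HT after it
      int nameStart = i;
      while (i < n && !isWs(header.charAt(i))
          && header.charAt(i) != '=' && header.charAt(i) != ';') i++;
      String name = header.substring(nameStart, i);
      i = skipWs(header, i); // optional SP/HT before '='
      String value = null;
      if (i < n && header.charAt(i) == '=') {
        i = skipWs(header, i + 1); // optional SP/HT after '='
        if (i < n && header.charAt(i) == '"') {
          StringBuilder sb = new StringBuilder();
          i++; // step past the opening quote
          while (i < n && header.charAt(i) != '"') {
            // Assumption of this example: only \" is an escape; other backslashes stay literal.
            if (header.charAt(i) == '\\' && i + 1 < n && header.charAt(i + 1) == '"') i++;
            sb.append(header.charAt(i++));
          }
          value = sb.toString(); // an unterminated quote still yields what was read
        } else {
          int valueStart = i;
          while (i < n && header.charAt(i) != ';') i++;
          value = header.substring(valueStart, i).trim();
        }
      }
      while (i < n && header.charAt(i) != ';') i++; // move to the next parameter
      if (value != null && "filename".equalsIgnoreCase(name)) return value;
    }
    return null;
  }

  private static boolean isWs(char c) {
    return c == ' ' || c == '\t';
  }

  private static int skipWs(String s, int i) {
    while (i < s.length() && isWs(s.charAt(i))) i++;
    return i;
  }

  public static void main(String[] args) {
    // Constructed sample headers: quoted semicolon, tab after ';' with SP around '=',
    // unquoted value, and a part with no filename at all.
    List<String> constructed = Arrays.asList(
        "form-data; name=\"file\"; filename=\"a;b.php\"",
        "form-data; name=\"file\";\tfilename = \"report.jsp\"",
        "form-data; name=\"file\"; filename=plain.txt",
        "form-data; name=\"comment\"");
    for (String h : constructed) {
      System.out.printf("%-52s naive=%s quoteAware=%s%n",
          h.replace("\t", "\\t"), naiveFilename(h), filenameFrom(h));
    }
  }
}
```
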
@jandro996
Member Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Keep it up!


- Correct BlockingException message in jersey-appsec-2.0 and jersey-appsec-3.0:
  was "MultiPartReaderClientSide/readFrom", now "MultiPartReaderServerSide/readMultiPart"
- Add combined body-map + filenames test to jersey-appsec-2.0 and jersey-appsec-3.0
  MultiPartHelperTest to cover the case where both outputs are populated simultaneously
- Add null input test to resteasy MultipartHelperTest for filenameFromContentDisposition
@jandro996
Member Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Keep them coming!


@jandro996 jandro996 enabled auto-merge April 28, 2026 12:41
@jandro996 jandro996 added this pull request to the merge queue Apr 28, 2026
@dd-octo-sts
Contributor

dd-octo-sts Bot commented Apr 28, 2026

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Apr 28, 2026

View all feedbacks in Devflow UI.

2026-04-28 13:23:18 UTC ℹ️ Start processing command /merge


2026-04-28 13:23:23 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 2h (p90).


2026-04-28 14:34:03 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Apr 28, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit e6cac64 into master Apr 28, 2026
574 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy branch April 28, 2026 14:34
@github-actions github-actions Bot added this to the 1.62.0 milestone Apr 28, 2026
@jandro996
Member Author

Thanks for your comments, @ValentinZakharov. I'm going to fix the issues in a new PR that I need to do for file content support, and reuse the instrumentation.


Labels

comp: asm waf Application Security Management (WAF) type: enhancement Enhancements and improvements


3 participants