Skip to content

Fix AppSec/IAST context dropped when trace.propagation.behavior.extract=ignore/restart#11666

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 3 commits into
masterfrom
dougqh/fix-appsec-context-extract-ignore
Jul 1, 2026
Merged

Fix AppSec/IAST context dropped when trace.propagation.behavior.extract=ignore/restart#11666
gh-worker-dd-mergequeue-cf854d[bot] merged 3 commits into
masterfrom
dougqh/fix-appsec-context-extract-ignore

Conversation

@dougqh

@dougqh dougqh commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

What This Does

Preserves request context regardless of trace propagation configuration

Motivation

When trace.propagation.behavior.extract is set to ignore or restart, AppSec and IAST request context was not being propagated to the root span.

  • With trace.propagation.behavior.extract=ignore or restart, CoreSpanBuilder.start nulls the remote TagContext parent before buildSpanContext reaches the instanceof TagContext branch that copies requestContextDataAppSec/requestContextDataIast into the DDSpanContext.
  • The DDSpanContext ends up with null AppSec context, causing every GatewayBridge callback to return NoopFlow.INSTANCE — silently bypassing WAF/RASP for all inbound requests in AppSec-enabled services configured to ignore distributed tracing extraction. IAST is similarly affected.
  • Fix: before the IGNORE/RESTART switch, promote AppSec/IAST data from the TagContext into the builder fields (builderRequestContextDataAppSec/builderRequestContextDataIast), which buildSpanContext applies after the parent is gone. Trace identifiers and sampling priority are still correctly dropped.

Test plan

  • CoreSpanBuilderTest.appSecContextPreservedFromTagContextWithIgnoreBehavior — asserts AppSec/IAST context survives extract=ignore
  • CoreSpanBuilderTest.appSecContextPreservedFromTagContextWithRestartBehavior — same for extract=restart
  • Run ./gradlew :dd-trace-core:test --tests "datadog.trace.core.CoreSpanBuilderTest.appSecContext*"

Fixes: APMSP-3198

tag: no release note
tag: ai generated

🤖 Generated with Claude Code

@datadog-datadog-prod-us1-2

This comment has been minimized.

@dougqh dougqh added comp: asm iast Application Security Management (IAST) comp: asm waf Application Security Management (WAF) comp: context propagation Trace context propagation comp: core Tracer core tag: security Security related changes type: bug fix Bug fix labels Jun 17, 2026
@dougqh dougqh requested a review from cataphract June 17, 2026 15:16
@dd-octo-sts

dd-octo-sts Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

🟡 Java Benchmark SLOs — Performance SLO warning (near threshold)

Suite Status
Startup 🟡 warning

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results
Scenario Candidate master Δ (95% CI of mean)
startup:insecure-bank:iast:Agent 13.96 s 13.94 s [-0.6%; +0.7%] (no difference)
startup:insecure-bank:tracing:Agent 12.91 s 12.97 s [-1.3%; +0.4%] (no difference)
startup:petclinic:appsec:Agent 17.47 s 17.08 s [+1.4%; +3.2%] (significantly worse)
startup:petclinic:iast:Agent 17.45 s 17.57 s [-1.9%; +0.5%] (no difference)
startup:petclinic:profiling:Agent 17.54 s 17.45 s [-0.6%; +1.6%] (no difference)
startup:petclinic:sca:Agent 17.51 s 17.39 s [-0.2%; +1.6%] (no difference)
startup:petclinic:tracing:Agent 16.57 s 16.75 s [-2.1%; +0.1%] (no difference)

Commit: 111dc5cb · CI Pipeline · Benchmarking Platform UI


Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

@dougqh dougqh force-pushed the dougqh/fix-appsec-context-extract-ignore branch 2 times, most recently from 7480c60 to c6b6424 Compare June 22, 2026 16:01
@dougqh dougqh marked this pull request as ready for review June 24, 2026 15:14
@dougqh dougqh requested a review from a team as a code owner June 24, 2026 15:14
dougqh and others added 2 commits June 24, 2026 11:18
…ct=ignore/restart

With IGNORE or RESTART, CoreSpanBuilder nulls the remote TagContext parent before
buildSpanContext reaches the instanceof TagContext branch that copies
requestContextDataAppSec/requestContextDataIast. The AppSec context is lost and
GatewayBridge callbacks no-op, silently bypassing WAF/RASP for all inbound requests
in AppSec-enabled services configured to ignore distributed tracing extraction.

Fix: promote the AppSec/IAST data from the TagContext into the builder fields before
nulling the parent. The builder-field path in buildSpanContext applies these after
the parent is gone, preserving the request context while still correctly dropping
trace identifiers and sampling priority.

Fixes: APMSP-3198

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@dougqh dougqh force-pushed the dougqh/fix-appsec-context-extract-ignore branch from 0f19c5c to 10a4ded Compare June 24, 2026 15:19
@dd-octo-sts dd-octo-sts Bot added the tag: ai generated Largely based on code generated by an AI or LLM label Jun 24, 2026

@mhlidd mhlidd left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Small note: is it worth it to also handle ciVisibilityContextData here and remove the block handling this data in buildSpanContext? (ref)

@dougqh dougqh added this pull request to the merge queue Jun 30, 2026
@dd-octo-sts

dd-octo-sts Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jun 30, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-06-30 23:47:24 UTC ℹ️ Start processing command /merge


2026-06-30 23:47:28 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 2h (p90).


2026-07-01 01:21:12 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 30, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit 019fecb into master Jul 1, 2026
583 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the dougqh/fix-appsec-context-extract-ignore branch July 1, 2026 01:21
@github-actions github-actions Bot added this to the 1.64.0 milestone Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp: asm iast Application Security Management (IAST) comp: asm waf Application Security Management (WAF) comp: context propagation Trace context propagation comp: core Tracer core tag: ai generated Largely based on code generated by an AI or LLM tag: security Security related changes type: bug fix Bug fix

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants