-
Notifications
You must be signed in to change notification settings - Fork 283
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apply appsec rate limiter on event instead of when request end #7221
Apply appsec rate limiter on event instead of when request end #7221
Conversation
BenchmarksStartupParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 51 metrics, 12 unstable metrics. Startup time reports for petclinicgantt
title petclinic - global startup overhead: candidate=1.36.0-SNAPSHOT~354ccb526a, baseline=1.36.0-SNAPSHOT~d19ceac03e
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.073 s) : 0, 1073184
Total [baseline] (10.368 s) : 0, 10368315
Agent [candidate] (1.07 s) : 0, 1070443
Total [candidate] (10.366 s) : 0, 10365564
section appsec
Agent [baseline] (1.194 s) : 0, 1194263
Total [baseline] (10.526 s) : 0, 10526013
Agent [candidate] (1.193 s) : 0, 1193382
Total [candidate] (10.518 s) : 0, 10517625
section iast
Agent [baseline] (1.171 s) : 0, 1171097
Total [baseline] (10.673 s) : 0, 10673139
Agent [candidate] (1.181 s) : 0, 1181422
Total [candidate] (10.795 s) : 0, 10795051
section profiling
Agent [baseline] (1.263 s) : 0, 1263327
Total [baseline] (10.64 s) : 0, 10640367
Agent [candidate] (1.262 s) : 0, 1262120
Total [candidate] (10.642 s) : 0, 10642384
gantt
title petclinic - break down per module: candidate=1.36.0-SNAPSHOT~354ccb526a, baseline=1.36.0-SNAPSHOT~d19ceac03e
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (671.192 ms) : 0, 671192
BytebuddyAgent [candidate] (671.444 ms) : 0, 671444
GlobalTracer [baseline] (308.193 ms) : 0, 308193
GlobalTracer [candidate] (305.86 ms) : 0, 305860
AppSec [baseline] (50.696 ms) : 0, 50696
AppSec [candidate] (50.105 ms) : 0, 50105
Remote Config [baseline] (693.014 µs) : 0, 693
Remote Config [candidate] (687.035 µs) : 0, 687
Telemetry [baseline] (7.741 ms) : 0, 7741
Telemetry [candidate] (7.555 ms) : 0, 7555
section appsec
BytebuddyAgent [baseline] (683.393 ms) : 0, 683393
BytebuddyAgent [candidate] (682.942 ms) : 0, 682942
GlobalTracer [baseline] (300.541 ms) : 0, 300541
GlobalTracer [candidate] (300.444 ms) : 0, 300444
AppSec [baseline] (154.175 ms) : 0, 154175
AppSec [candidate] (154.854 ms) : 0, 154854
Remote Config [baseline] (645.285 µs) : 0, 645
Remote Config [candidate] (648.133 µs) : 0, 648
Telemetry [baseline] (9.538 ms) : 0, 9538
Telemetry [candidate] (8.915 ms) : 0, 8915
IAST [baseline] (22.425 ms) : 0, 22425
IAST [candidate] (21.342 ms) : 0, 21342
section iast
BytebuddyAgent [baseline] (780.262 ms) : 0, 780262
BytebuddyAgent [candidate] (790.667 ms) : 0, 790667
GlobalTracer [baseline] (293.344 ms) : 0, 293344
GlobalTracer [candidate] (295.959 ms) : 0, 295959
AppSec [baseline] (47.153 ms) : 0, 47153
AppSec [candidate] (47.447 ms) : 0, 47447
Remote Config [baseline] (598.015 µs) : 0, 598
Remote Config [candidate] (632.824 µs) : 0, 633
Telemetry [baseline] (7.625 ms) : 0, 7625
Telemetry [candidate] (7.046 ms) : 0, 7046
IAST [baseline] (28.791 ms) : 0, 28791
IAST [candidate] (26.157 ms) : 0, 26157
section profiling
ProfilingAgent [baseline] (96.911 ms) : 0, 96911
ProfilingAgent [candidate] (96.002 ms) : 0, 96002
BytebuddyAgent [baseline] (663.517 ms) : 0, 663517
BytebuddyAgent [candidate] (663.237 ms) : 0, 663237
GlobalTracer [baseline] (386.091 ms) : 0, 386091
GlobalTracer [candidate] (386.435 ms) : 0, 386435
AppSec [baseline] (51.711 ms) : 0, 51711
AppSec [candidate] (51.353 ms) : 0, 51353
Remote Config [baseline] (741.554 µs) : 0, 742
Remote Config [candidate] (728.147 µs) : 0, 728
Telemetry [baseline] (7.419 ms) : 0, 7419
Telemetry [candidate] (7.361 ms) : 0, 7361
Profiling [baseline] (96.936 ms) : 0, 96936
Profiling [candidate] (96.028 ms) : 0, 96028
Startup time reports for insecure-bankgantt
title insecure-bank - global startup overhead: candidate=1.36.0-SNAPSHOT~354ccb526a, baseline=1.36.0-SNAPSHOT~d19ceac03e
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.064 s) : 0, 1063741
Total [baseline] (8.548 s) : 0, 8547827
Agent [candidate] (1.061 s) : 0, 1060639
Total [candidate] (8.535 s) : 0, 8534868
section iast
Agent [baseline] (1.17 s) : 0, 1170416
Total [baseline] (8.995 s) : 0, 8995013
Agent [candidate] (1.182 s) : 0, 1182060
Total [candidate] (9.049 s) : 0, 9049374
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.182 s) : 0, 1181745
Total [baseline] (9.032 s) : 0, 9032191
Agent [candidate] (1.18 s) : 0, 1180058
Total [candidate] (8.989 s) : 0, 8988870
section iast_TELEMETRY_OFF
Agent [baseline] (1.165 s) : 0, 1164843
Total [baseline] (9.029 s) : 0, 9029354
Agent [candidate] (1.17 s) : 0, 1169516
Total [candidate] (9.018 s) : 0, 9017905
gantt
title insecure-bank - break down per module: candidate=1.36.0-SNAPSHOT~354ccb526a, baseline=1.36.0-SNAPSHOT~d19ceac03e
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (666.753 ms) : 0, 666753
BytebuddyAgent [candidate] (664.701 ms) : 0, 664701
GlobalTracer [baseline] (304.172 ms) : 0, 304172
GlobalTracer [candidate] (303.378 ms) : 0, 303378
AppSec [baseline] (50.126 ms) : 0, 50126
AppSec [candidate] (49.944 ms) : 0, 49944
Remote Config [baseline] (690.813 µs) : 0, 691
Remote Config [candidate] (685.231 µs) : 0, 685
Telemetry [baseline] (7.569 ms) : 0, 7569
Telemetry [candidate] (7.651 ms) : 0, 7651
section iast
BytebuddyAgent [baseline] (782.184 ms) : 0, 782184
BytebuddyAgent [candidate] (787.697 ms) : 0, 787697
GlobalTracer [baseline] (293.142 ms) : 0, 293142
GlobalTracer [candidate] (296.958 ms) : 0, 296958
AppSec [baseline] (46.943 ms) : 0, 46943
AppSec [candidate] (47.541 ms) : 0, 47541
Remote Config [baseline] (644.7 µs) : 0, 645
Remote Config [candidate] (658.274 µs) : 0, 658
Telemetry [baseline] (6.983 ms) : 0, 6983
Telemetry [candidate] (6.897 ms) : 0, 6897
IAST [baseline] (27.234 ms) : 0, 27234
IAST [candidate] (28.911 ms) : 0, 28911
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (788.439 ms) : 0, 788439
BytebuddyAgent [candidate] (786.884 ms) : 0, 786884
GlobalTracer [baseline] (296.519 ms) : 0, 296519
GlobalTracer [candidate] (296.525 ms) : 0, 296525
AppSec [baseline] (47.86 ms) : 0, 47860
AppSec [candidate] (47.554 ms) : 0, 47554
Remote Config [baseline] (640.283 µs) : 0, 640
Remote Config [candidate] (607.442 µs) : 0, 607
Telemetry [baseline] (7.143 ms) : 0, 7143
Telemetry [candidate] (7.622 ms) : 0, 7622
IAST [baseline] (27.688 ms) : 0, 27688
IAST [candidate] (27.415 ms) : 0, 27415
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (776.205 ms) : 0, 776205
BytebuddyAgent [candidate] (779.344 ms) : 0, 779344
GlobalTracer [baseline] (292.991 ms) : 0, 292991
GlobalTracer [candidate] (294.111 ms) : 0, 294111
AppSec [baseline] (47.253 ms) : 0, 47253
AppSec [candidate] (47.052 ms) : 0, 47052
Remote Config [baseline] (592.45 µs) : 0, 592
Remote Config [candidate] (596.018 µs) : 0, 596
Telemetry [baseline] (7.579 ms) : 0, 7579
Telemetry [candidate] (9.192 ms) : 0, 9192
IAST [baseline] (26.886 ms) : 0, 26886
IAST [candidate] (25.848 ms) : 0, 25848
LoadParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics. Request duration reports for petclinicgantt
title petclinic - request duration [CI 0.99] : candidate=1.36.0-SNAPSHOT~354ccb526a, baseline=1.36.0-SNAPSHOT~d19ceac03e
dateFormat X
axisFormat %s
section baseline
no_agent (1.341 ms) : 1322, 1360
. : milestone, 1341,
appsec (1.713 ms) : 1688, 1738
. : milestone, 1713,
appsec_no_iast (1.721 ms) : 1696, 1746
. : milestone, 1721,
iast (1.493 ms) : 1470, 1516
. : milestone, 1493,
profiling (1.532 ms) : 1506, 1557
. : milestone, 1532,
tracing (1.481 ms) : 1457, 1504
. : milestone, 1481,
section candidate
no_agent (1.352 ms) : 1333, 1371
. : milestone, 1352,
appsec (1.72 ms) : 1696, 1743
. : milestone, 1720,
appsec_no_iast (1.708 ms) : 1683, 1733
. : milestone, 1708,
iast (1.491 ms) : 1469, 1513
. : milestone, 1491,
profiling (1.484 ms) : 1459, 1509
. : milestone, 1484,
tracing (1.465 ms) : 1441, 1489
. : milestone, 1465,
Request duration reports for insecure-bankgantt
title insecure-bank - request duration [CI 0.99] : candidate=1.36.0-SNAPSHOT~354ccb526a, baseline=1.36.0-SNAPSHOT~d19ceac03e
dateFormat X
axisFormat %s
section baseline
no_agent (367.33 µs) : 347, 387
. : milestone, 367,
iast (488.603 µs) : 467, 510
. : milestone, 489,
iast_FULL (557.507 µs) : 536, 579
. : milestone, 558,
iast_GLOBAL (507.542 µs) : 485, 530
. : milestone, 508,
iast_HARDCODED_SECRET_DISABLED (481.183 µs) : 460, 503
. : milestone, 481,
iast_INACTIVE (453.92 µs) : 433, 475
. : milestone, 454,
iast_TELEMETRY_OFF (469.775 µs) : 449, 491
. : milestone, 470,
tracing (443.775 µs) : 423, 465
. : milestone, 444,
section candidate
no_agent (376.018 µs) : 355, 397
. : milestone, 376,
iast (481.07 µs) : 460, 503
. : milestone, 481,
iast_FULL (551.829 µs) : 530, 573
. : milestone, 552,
iast_GLOBAL (508.196 µs) : 486, 530
. : milestone, 508,
iast_HARDCODED_SECRET_DISABLED (479.964 µs) : 458, 502
. : milestone, 480,
iast_INACTIVE (456.041 µs) : 434, 478
. : milestone, 456,
iast_TELEMETRY_OFF (470.525 µs) : 449, 492
. : milestone, 471,
tracing (439.607 µs) : 419, 460
. : milestone, 440,
DacapoParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics. Execution time for biojavagantt
title biojava - execution time [CI 0.99] : candidate=1.36.0-SNAPSHOT~354ccb526a, baseline=1.36.0-SNAPSHOT~d19ceac03e
dateFormat X
axisFormat %s
section baseline
no_agent (15.641 s) : 15641000, 15641000
. : milestone, 15641000,
appsec (15.14 s) : 15140000, 15140000
. : milestone, 15140000,
iast (18.485 s) : 18485000, 18485000
. : milestone, 18485000,
iast_GLOBAL (18.01 s) : 18010000, 18010000
. : milestone, 18010000,
profiling (15.161 s) : 15161000, 15161000
. : milestone, 15161000,
tracing (15.207 s) : 15207000, 15207000
. : milestone, 15207000,
section candidate
no_agent (15.154 s) : 15154000, 15154000
. : milestone, 15154000,
appsec (14.955 s) : 14955000, 14955000
. : milestone, 14955000,
iast (19.049 s) : 19049000, 19049000
. : milestone, 19049000,
iast_GLOBAL (18.001 s) : 18001000, 18001000
. : milestone, 18001000,
profiling (14.806 s) : 14806000, 14806000
. : milestone, 14806000,
tracing (15.276 s) : 15276000, 15276000
. : milestone, 15276000,
Execution time for tomcatgantt
title tomcat - execution time [CI 0.99] : candidate=1.36.0-SNAPSHOT~354ccb526a, baseline=1.36.0-SNAPSHOT~d19ceac03e
dateFormat X
axisFormat %s
section baseline
no_agent (1.46 ms) : 1448, 1471
. : milestone, 1460,
appsec (2.202 ms) : 2168, 2236
. : milestone, 2202,
iast (1.978 ms) : 1936, 2020
. : milestone, 1978,
iast_GLOBAL (1.997 ms) : 1956, 2038
. : milestone, 1997,
profiling (1.859 ms) : 1825, 1893
. : milestone, 1859,
tracing (1.833 ms) : 1801, 1865
. : milestone, 1833,
section candidate
no_agent (1.466 ms) : 1454, 1477
. : milestone, 1466,
appsec (2.225 ms) : 2190, 2259
. : milestone, 2225,
iast (1.971 ms) : 1930, 2013
. : milestone, 1971,
iast_GLOBAL (2.005 ms) : 1964, 2046
. : milestone, 2005,
profiling (1.855 ms) : 1820, 1889
. : milestone, 1855,
tracing (1.833 ms) : 1801, 1865
. : milestone, 1833,
|
fa07efa
to
f0ce538
Compare
dd-java-agent/appsec/src/main/java/com/datadog/appsec/AppSecSystem.java
Outdated
Show resolved
Hide resolved
dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java
Outdated
Show resolved
Hide resolved
dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
Outdated
Show resolved
Hide resolved
dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java
Show resolved
Hide resolved
...t/appsec/src/test/groovy/com/datadog/appsec/gateway/AppSecRequestContextSpecification.groovy
Outdated
Show resolved
Hide resolved
612a1d0
to
4960298
Compare
dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
Show resolved
Hide resolved
dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java
Outdated
Show resolved
Hide resolved
Can we rename |
@@ -41,6 +41,7 @@ public class AppSecSystem { | |||
private static AppSecConfigServiceImpl APP_SEC_CONFIG_SERVICE; | |||
private static ReplaceableEventProducerService REPLACEABLE_EVENT_PRODUCER; // testing | |||
private static Runnable RESET_SUBSCRIPTION_SERVICE; | |||
private static RateLimiter RATE_LIMITER; // static for testing purpose |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any particular reason to keep RateLimiter
in AppSecSystem
?
I'd rather move it into PowerWAFModule
🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've moved the RateLimiter to PowerWafModule
What Does This Do
Motivation
We need to propagate sampling decision on appsec event, not on request end
Additional Notes
Jira ticket: [PROJ-IDENT]