
Skip XSS check for freemarker built-in escaping expressions in 2.3.24 instrumentation#10865

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 4 commits into master from alejandro.gonzalez/fix-iast-freemarker
Mar 18, 2026

Conversation

@jandro996
Member

What Does This Do

  • Added an escapedExpression field check in DollarVariable24Helper:
    • If the expression is a BuiltIn, return null and skip the XSS sink
    • This mirrors the existing behaviour in the freemarker-2.3.9 instrumentation
  • Added a null guard in the advice:
    • Ensure onXss is never called with a null value

Motivation

The DollarVariable24 advice only checked the autoEscape flag (set by <#ftl output_format="HTML" auto_esc=true>), but did not account for explicit built-in escaping like ${name?html}. This caused a false positive XSS vulnerability report for templates using ?html, ?xml, etc.

Additional Notes

Contributor Checklist

Jira ticket: [PROJ-IDENT]

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.
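Added example (Java, written for this page; it is not code from this PR or from dd-trace-java): the template shapes the description distinguishes, rendered with FreeMarker 2.3.24 next to a stand-in for the helper's decision. It assumes freemarker 2.3.24 on the classpath, reads the package-private autoEscape and escapedExpression fields named in the description by reflection, and additionally assumes a "key" field on freemarker.core.BuiltIn to tell ?html/?xml/?xhtml apart from other built-ins (the merged commit does this by base class instead). reachesXssSink, findDollarVariable and the class name are this example's own, not DollarVariable24Helper.

```java
import freemarker.core.TemplateElement;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateModelException;
import freemarker.template.TemplateSequenceModel;
import java.io.StringReader;
import java.io.StringWriter;
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class FreemarkerEscapeCheckDemo {

    // Constructed attacker input, as it would arrive in a request parameter.
    static final String PAYLOAD = "<script>alert(1)</script>";

    // The three escaping built-ins of FreeMarker 2.3.24, by built-in name.
    static final List<String> ESCAPING_BUILT_INS = Arrays.asList("html", "xml", "xhtml");

    // Renders the template with PAYLOAD bound to "name" and returns the output.
    static String render(Template t) throws Exception {
        StringWriter out = new StringWriter();
        t.process(Collections.singletonMap("name", PAYLOAD), out);
        return out.toString();
    }

    // Depth-first search of the parsed tree for the first ${...} node.
    // DollarVariable is package-private, so it is matched by class name.
    static Object findDollarVariable(TemplateElement node) throws TemplateModelException {
        if ("freemarker.core.DollarVariable".equals(node.getClass().getName())) {
            return node;
        }
        TemplateSequenceModel children = node.getChildNodes();
        for (int i = 0; children != null && i < children.size(); i++) {
            Object hit = findDollarVariable((TemplateElement) children.get(i));
            if (hit != null) return hit;
        }
        return null;
    }

    // Reads a (package-)private field declared anywhere up the class hierarchy;
    // setAccessible works because freemarker is not a JPMS module.
    static Object field(Object target, String name) throws ReflectiveOperationException {
        for (Class<?> k = target.getClass(); k != null; k = k.getSuperclass()) {
            try {
                Field f = k.getDeclaredField(name);
                f.setAccessible(true);
                return f.get(target);
            } catch (NoSuchFieldException e) {
                // not declared here, keep walking up
            }
        }
        throw new NoSuchFieldException(name);
    }

    // True when the class extends the package-private freemarker.core.BuiltIn.
    static boolean extendsBuiltIn(Class<?> c) {
        for (Class<?> k = c; k != null; k = k.getSuperclass()) {
            if ("freemarker.core.BuiltIn".equals(k.getName())) return true;
        }
        return false;
    }

    // Stand-in for the decision the PR describes (not DollarVariable24Helper itself):
    // the value reaches the XSS sink only when FreeMarker writes it unescaped.
    // The merged commit recognises ?html/?xml/?xhtml by their shared base class; this
    // stand-in reads BuiltIn's "key" field (an assumed field name) instead, so a
    // non-escaping built-in such as ?upper_case still counts as a sink.
    static boolean reachesXssSink(Object dollarVariable) throws ReflectiveOperationException {
        if ((Boolean) field(dollarVariable, "autoEscape")) {
            return false; // <#ftl output_format="HTML" auto_esc=true> escapes it
        }
        Object escaped = field(dollarVariable, "escapedExpression");
        if (escaped != null && extendsBuiltIn(escaped.getClass())) {
            return !ESCAPING_BUILT_INS.contains((String) field(escaped, "key"));
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_24);
        String[] sources = {
            "${name}",                                            // unescaped: real sink
            "${name?html}",                                       // escaping built-in: the false positive
            "${name?upper_case}",                                 // non-escaping built-in: still a sink
            "<#ftl output_format=\"HTML\" auto_esc=true>${name}", // auto-escaping: no sink
        };
        for (String src : sources) {
            Template t = new Template("demo", new StringReader(src), cfg);
            Object dv = findDollarVariable(t.getRootTreeNode());
            if (dv == null) throw new IllegalStateException("no ${...} in: " + src);
            System.out.printf("%-52s sink=%-5s output=%s%n", src, reachesXssSink(dv), render(t));
        }
    }
}
```

Run it with the freemarker 2.3.24 jar on the classpath. The first and third templates report sink=true and echo the payload (upper-cased in the third), which is exactly the case the instrumentation must keep flagging; ${name?html} and the auto_esc template report sink=false and emit the payload with its angle brackets escaped, which is why reporting them was a false positive.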

@jandro996 jandro996 requested a review from a team as a code owner March 17, 2026 09:12
@jandro996 jandro996 added type: bug Bug report and fix comp: asm iast Application Security Management (IAST) labels Mar 17, 2026

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 92be78dcf4


…caping, the abstract base class that covers exactly ?html, ?xml, and ?xhtml in freemarker 2.3.24. Non-escaping built-ins like ?upper_case and ?js_string extend different base classes and are unaffected. Added parameterized unit tests to cover all cases.
@pr-commenter

pr-commenter bot commented Mar 17, 2026

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/fix-iast-freemarker
git_commit_date 1773795070 1773825762
git_commit_sha 3275dcc 59186bb
release_version 1.61.0-SNAPSHOT~3275dcc717 1.61.0-SNAPSHOT~59186bb482
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1773827545 1773827545
ci_job_id 1516240915 1516240915
ci_pipeline_id 103217723 103217723
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-blhovcnl 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-blhovcnl 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 63 metrics, 8 unstable metrics.

Startup time reports for petclinic
[chart: petclinic - global startup overhead, candidate=1.61.0-SNAPSHOT~59186bb482, baseline=1.61.0-SNAPSHOT~3275dcc717; the Agent/Total figures per variant are listed in the tables below]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.059 s -
Agent appsec 1.247 s 188.302 ms (17.8%)
Agent iast 1.226 s 166.603 ms (15.7%)
Agent profiling 1.196 s 136.872 ms (12.9%)
Total tracing 11.059 s -
Total appsec 11.185 s 126.086 ms (1.1%)
Total iast 11.211 s 151.486 ms (1.4%)
Total profiling 11.019 s -40.581 ms (-0.4%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.068 s -
Agent appsec 1.245 s 176.704 ms (16.5%)
Agent iast 1.227 s 159.156 ms (14.9%)
Agent profiling 1.189 s 120.969 ms (11.3%)
Total tracing 11.032 s -
Total appsec 11.133 s 101.213 ms (0.9%)
Total iast 11.284 s 252.783 ms (2.3%)
Total profiling 11.06 s 28.881 ms (0.3%)
petclinic - break down per module: candidate=1.61.0-SNAPSHOT~59186bb482, baseline=1.61.0-SNAPSHOT~3275dcc717
section tracing
Module          Baseline     Candidate
crashtracking   1.198 ms     1.208 ms
BytebuddyAgent  629.149 ms   632.507 ms
AgentMeter      28.985 ms    29.299 ms
GlobalTracer    256.402 ms   258.586 ms
AppSec          31.568 ms    31.927 ms
Debugger        59.957 ms    60.506 ms
Remote Config   579.677 µs   593.868 µs
Telemetry       8.024 ms     8.09 ms
Flare Poller    7.243 ms     9.502 ms
section appsec
Module          Baseline     Candidate
crashtracking   1.187 ms     1.184 ms
BytebuddyAgent  658.875 ms   656.982 ms
AgentMeter      12.019 ms    12.093 ms
GlobalTracer    258.129 ms   257.958 ms
IAST            24.233 ms    24.197 ms
AppSec          177.884 ms   177.662 ms
Debugger        66.175 ms    66.118 ms
Remote Config   625.413 µs   611.214 µs
Telemetry       8.355 ms     8.267 ms
Flare Poller    3.581 ms     3.621 ms
section iast
Module          Baseline     Candidate
crashtracking   1.199 ms     1.179 ms
BytebuddyAgent  794.555 ms   795.327 ms
AgentMeter      11.324 ms    11.329 ms
GlobalTracer    246.91 ms    247.357 ms
IAST            25.337 ms    25.284 ms
AppSec          26.57 ms     26.512 ms
Debugger        70.708 ms    71.337 ms
Remote Config   532.912 µs   543.283 µs
Telemetry       9.235 ms     9.225 ms
Flare Poller    3.329 ms     3.35 ms
section profiling
Module          Baseline     Candidate
crashtracking   1.188 ms     1.182 ms
BytebuddyAgent  691.597 ms   687.02 ms
AgentMeter      8.783 ms     8.701 ms
GlobalTracer    217.75 ms    216.74 ms
AppSec          32.805 ms    32.653 ms
Debugger        65.209 ms    65.471 ms
Remote Config   579.31 µs    571.401 µs
Telemetry       9.329 ms     8.438 ms
Flare Poller    3.491 ms     3.458 ms
ProfilingAgent  93.927 ms    93.929 ms
Profiling       94.494 ms    94.493 ms
Startup time reports for insecure-bank
[chart: insecure-bank - global startup overhead, candidate=1.61.0-SNAPSHOT~59186bb482, baseline=1.61.0-SNAPSHOT~3275dcc717; the Agent/Total figures per variant are listed in the tables below]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.061 s -
Agent iast 1.226 s 165.424 ms (15.6%)
Total tracing 8.828 s -
Total iast 9.525 s 697.171 ms (7.9%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.06 s -
Agent iast 1.245 s 184.974 ms (17.5%)
Total tracing 8.825 s -
Total iast 9.581 s 756.498 ms (8.6%)
insecure-bank - break down per module: candidate=1.61.0-SNAPSHOT~59186bb482, baseline=1.61.0-SNAPSHOT~3275dcc717
section tracing
Module          Baseline     Candidate
crashtracking   1.191 ms     1.199 ms
BytebuddyAgent  628.837 ms   628.67 ms
AgentMeter      29.151 ms    29.054 ms
GlobalTracer    256.874 ms   257.221 ms
AppSec          31.707 ms    31.646 ms
Debugger        59.33 ms     59.386 ms
Remote Config   601.536 µs   605.214 µs
Telemetry       8.154 ms     8.064 ms
Flare Poller    8.778 ms     7.863 ms
section iast
Module          Baseline     Candidate
crashtracking   1.195 ms     1.214 ms
BytebuddyAgent  793.942 ms   809.015 ms
AgentMeter      11.396 ms    11.875 ms
GlobalTracer    247.954 ms   250.418 ms
IAST            25.53 ms     25.738 ms
AppSec          26.714 ms    26.994 ms
Debugger        69.631 ms    69.552 ms
Remote Config   522.514 µs   522.397 µs
Telemetry       9.649 ms     9.574 ms
Flare Poller    3.474 ms     3.466 ms

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/fix-iast-freemarker
git_commit_date 1773795070 1773825762
git_commit_sha 3275dcc 59186bb
release_version 1.61.0-SNAPSHOT~3275dcc717 1.61.0-SNAPSHOT~59186bb482
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1773828036 1773828036
ci_job_id 1516240917 1516240917
ci_pipeline_id 103217723 103217723
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-ltukrd8p 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-ltukrd8p 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 3 performance improvements and 2 performance regressions! Performance is the same for 14 metrics, 17 unstable metrics.

Per scenario: Δ mean agg_http_req_duration_p50, Δ mean agg_http_req_duration_p95 and Δ mean throughput (candidate vs baseline, with verdict), then candidate and baseline means as p50 / p95 / throughput.

scenario:load:insecure-bank:no_agent:high_load
  Δ p50:        better    [-49.196µs; -20.434µs] or [-4.969%; -2.064%]
  Δ p95:        unstable  [-479.648µs; +47.384µs] or [-17.170%; +1.696%]
  Δ throughput: unstable  [-241.117op/s; +538.867op/s] or [-6.614%; +14.781%]
  candidate: 955.272µs / 2.577ms / 3794.438op/s
  baseline:  990.087µs / 2.793ms / 3645.562op/s

scenario:load:insecure-bank:iast_GLOBAL:high_load
  Δ p50:        worse     [+108.157µs; +252.328µs] or [+4.086%; +9.533%]
  Δ p95:        unsure    [+74.010µs; +513.158µs] or [+0.970%; +6.724%]
  Δ throughput: unstable  [-190.031op/s; +74.718op/s] or [-14.149%; +5.563%]
  candidate: 2.827ms / 7.925ms / 1285.406op/s
  baseline:  2.647ms / 7.631ms / 1343.062op/s

scenario:load:insecure-bank:iast_FULL:high_load
  Δ p50:        better    [-530.354µs; -228.544µs] or [-9.550%; -4.115%]
  Δ p95:        better    [-1344.588µs; -646.783µs] or [-10.205%; -4.909%]
  Δ throughput: unstable  [-20.931op/s; +130.806op/s] or [-2.820%; +17.621%]
  candidate: 5.174ms / 12.181ms / 797.250op/s
  baseline:  5.554ms / 13.176ms / 742.312op/s

scenario:load:petclinic:iast:high_load
  Δ p50:        unsure    [+327.171µs; +1156.275µs] or [+1.839%; +6.499%]
  Δ p95:        worse     [+0.749ms; +2.439ms] or [+2.604%; +8.478%]
  Δ throughput: unstable  [-37.071op/s; +16.134op/s] or [-14.383%; +6.259%]
  candidate: 18.535ms / 30.367ms / 247.281op/s
  baseline:  17.793ms / 28.772ms / 257.750op/s
Request duration reports for petclinic
[chart: petclinic - request duration [CI 0.99], candidate=1.61.0-SNAPSHOT~59186bb482, baseline=1.61.0-SNAPSHOT~3275dcc717; the per-variant durations and confidence intervals are listed in the tables below]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 19.209 ms [19.012 ms, 19.406 ms] -
appsec 19.29 ms [19.094 ms, 19.487 ms] 81.462 µs (0.4%)
code_origins 17.672 ms [17.497 ms, 17.846 ms] -1.537 ms (-8.0%)
iast 18.106 ms [17.926 ms, 18.285 ms] -1.103 ms (-5.7%)
profiling 18.776 ms [18.586 ms, 18.966 ms] -432.849 µs (-2.3%)
tracing 17.749 ms [17.574 ms, 17.925 ms] -1.459 ms (-7.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.102 ms [17.92 ms, 18.283 ms] -
appsec 18.79 ms [18.601 ms, 18.979 ms] 688.223 µs (3.8%)
code_origins 17.745 ms [17.564 ms, 17.925 ms] -357.021 µs (-2.0%)
iast 18.874 ms [18.678 ms, 19.069 ms] 772.123 µs (4.3%)
profiling 18.809 ms [18.624 ms, 18.995 ms] 707.5 µs (3.9%)
tracing 17.658 ms [17.484 ms, 17.833 ms] -443.219 µs (-2.4%)
Request duration reports for insecure-bank
[chart: insecure-bank - request duration [CI 0.99], candidate=1.61.0-SNAPSHOT~59186bb482, baseline=1.61.0-SNAPSHOT~3275dcc717; the per-variant durations and confidence intervals are listed in the tables below]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.211 ms [1.199 ms, 1.222 ms] -
iast 3.255 ms [3.21 ms, 3.301 ms] 2.044 ms (168.9%)
iast_FULL 6.234 ms [6.169 ms, 6.299 ms] 5.023 ms (414.9%)
iast_GLOBAL 3.409 ms [3.357 ms, 3.462 ms] 2.199 ms (181.6%)
profiling 2.212 ms [2.192 ms, 2.232 ms] 1.001 ms (82.7%)
tracing 1.822 ms [1.806 ms, 1.838 ms] 611.098 µs (50.5%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.161 ms [1.149 ms, 1.172 ms] -
iast 3.253 ms [3.206 ms, 3.3 ms] 2.093 ms (180.3%)
iast_FULL 5.798 ms [5.74 ms, 5.856 ms] 4.638 ms (399.6%)
iast_GLOBAL 3.568 ms [3.509 ms, 3.628 ms] 2.408 ms (207.5%)
profiling 2.026 ms [2.008 ms, 2.043 ms] 865.17 µs (74.5%)
tracing 1.82 ms [1.804 ms, 1.836 ms] 659.427 µs (56.8%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/fix-iast-freemarker
git_commit_date 1773795070 1773825762
git_commit_sha 3275dcc 59186bb
release_version 1.61.0-SNAPSHOT~3275dcc717 1.61.0-SNAPSHOT~59186bb482
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1773827784 1773827784
ci_job_id 1516240921 1516240921
ci_pipeline_id 103217723 103217723
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-cdv66kl0 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-cdv66kl0 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava
[chart: biojava - execution time [CI 0.99], candidate=1.61.0-SNAPSHOT~59186bb482, baseline=1.61.0-SNAPSHOT~3275dcc717; the per-variant execution times are listed in the tables below]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.942 s [14.942 s, 14.942 s] -
appsec 14.99 s [14.99 s, 14.99 s] 48.0 ms (0.3%)
iast 18.321 s [18.321 s, 18.321 s] 3.379 s (22.6%)
iast_GLOBAL 17.68 s [17.68 s, 17.68 s] 2.738 s (18.3%)
profiling 14.917 s [14.917 s, 14.917 s] -25.0 ms (-0.2%)
tracing 15.014 s [15.014 s, 15.014 s] 72.0 ms (0.5%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.525 s [15.525 s, 15.525 s] -
appsec 14.758 s [14.758 s, 14.758 s] -767.0 ms (-4.9%)
iast 18.381 s [18.381 s, 18.381 s] 2.856 s (18.4%)
iast_GLOBAL 17.971 s [17.971 s, 17.971 s] 2.446 s (15.8%)
profiling 15.119 s [15.119 s, 15.119 s] -406.0 ms (-2.6%)
tracing 14.69 s [14.69 s, 14.69 s] -835.0 ms (-5.4%)
Execution time for tomcat
[chart: tomcat - execution time [CI 0.99], candidate=1.61.0-SNAPSHOT~59186bb482, baseline=1.61.0-SNAPSHOT~3275dcc717; the per-variant execution times and confidence intervals are listed in the tables below]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.48 ms [1.468 ms, 1.491 ms] -
appsec 3.822 ms [3.6 ms, 4.043 ms] 2.342 ms (158.3%)
iast 2.252 ms [2.183 ms, 2.321 ms] 772.596 µs (52.2%)
iast_GLOBAL 2.289 ms [2.22 ms, 2.359 ms] 809.848 µs (54.7%)
profiling 2.112 ms [2.056 ms, 2.169 ms] 632.681 µs (42.8%)
tracing 2.06 ms [2.006 ms, 2.113 ms] 580.13 µs (39.2%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.477 ms [1.465 ms, 1.489 ms] -
appsec 3.779 ms [3.559 ms, 3.999 ms] 2.302 ms (155.9%)
iast 2.26 ms [2.191 ms, 2.328 ms] 782.59 µs (53.0%)
iast_GLOBAL 2.307 ms [2.238 ms, 2.377 ms] 830.49 µs (56.2%)
profiling 2.124 ms [2.067 ms, 2.182 ms] 647.417 µs (43.8%)
tracing 2.078 ms [2.024 ms, 2.132 ms] 601.293 µs (40.7%)

Member

@manuel-alvarez-alvarez manuel-alvarez-alvarez left a comment


LGTM

@jandro996 jandro996 added this pull request to the merge queue Mar 18, 2026
@dd-octo-sts
Contributor

dd-octo-sts bot commented Mar 18, 2026

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 bot commented Mar 18, 2026

View all feedbacks in Devflow UI.

2026-03-18 11:24:11 UTC ℹ️ Start processing command /merge


2026-03-18 11:24:15 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 3h (p90).


2026-03-18 12:21:18 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 18, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d bot merged commit 9f2354e into master Mar 18, 2026
566 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d bot deleted the alejandro.gonzalez/fix-iast-freemarker branch March 18, 2026 12:21
@github-actions github-actions bot added this to the 1.61.0 milestone Mar 18, 2026

Labels

comp: asm iast Application Security Management (IAST) type: bug Bug report and fix

2 participants