Fix ObjectIntrospection exposing JDK internal toString() to the WAF #10820

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 9 commits into master from alejandro.gonzalez/APPSEC-61693
Mar 17, 2026

@jandro996 jandro996 commented Mar 12, 2026

What Does This Do

  • Ensures ObjectIntrospection continues processing remaining accessible fields instead of falling back to obj.toString().
  • Exclude non-relevant field types from WAF inspection

Field types that introduce deep or cyclic object graphs — and are not relevant for WAF inspection — are now excluded before reflection traversal.

Excluded types

  • Logging framework loggers:
    • SLF4J
    • Log4j
    • JUL
    • Logback
    • Commons Logging
  • groovy.lang.MetaClass

Motivation

Avoid false positive security events and unnecessary CPU spikes caused by internal JDK string representations being analyzed by the WAF.
https://datadoghq.atlassian.net/browse/SCRS-2006

Additional Notes

When setAccessible() failed for a field due to Java 9+ module encapsulation, ObjectIntrospection returned obj.toString() for the entire object.

This caused JDK internal string representations such as "class java.lang.Object" to reach the WAF engine, where they could match phrase_match rules (e.g., crs-944-130 java_code_injection) and generate false positive security events on every request, leading to a CPU spike.

Contributor Checklist

Jira ticket: APPSEC-61693

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

@jandro996 jandro996 added type: bug Bug report and fix comp: asm waf Application Security Management (WAF) labels Mar 12, 2026
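
A simplified model of the fallback described in the PR, as an added example (not the project's ObjectIntrospection code): the same object is converted once with the old `toString()` fallback and once with the skip-and-continue behaviour plus type exclusion. `CommentForm`, `convert`, `EXCLUDED` and the package prefixes are assumptions made for illustration; it assumes JDK 17+ run without `--add-opens`.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;
import java.lang.reflect.Modifier;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

public class IntrospectionFallbackDemo {

  // Constructed request-bound object: one user-controlled value plus two JDK-typed fields.
  static class CommentForm {
    String comment = "hello";
    ThreadLocal<String> context = new ThreadLocal<>();
    Logger log = Logger.getLogger("demo");
  }

  // Assumed package prefixes for the excluded types named in the PR (loggers, groovy.lang.MetaClass).
  static final List<String> EXCLUDED = List.of(
      "org.slf4j.", "org.apache.logging.log4j.", "org.apache.log4j.", "java.util.logging.",
      "ch.qos.logback.", "org.apache.commons.logging.", "groovy.lang.MetaClass");

  static boolean excluded(Class<?> type) {
    String name = type.getName();
    return EXCLUDED.stream().anyMatch(name::startsWith);
  }

  /** Converts obj into the map/scalar structure that would be handed to the WAF. */
  static Object convert(Object obj, boolean fixed, int depth) {
    if (obj == null || obj instanceof String || obj instanceof Number || obj instanceof Boolean) {
      return obj;
    }
    if (depth > 5) {
      return null; // depth cap so cyclic graphs terminate
    }
    Map<String, Object> out = new LinkedHashMap<>();
    for (Class<?> c = obj.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
      for (Field f : c.getDeclaredFields()) {
        if (Modifier.isStatic(f.getModifiers()) || f.isSynthetic()) {
          continue;
        }
        if (fixed && excluded(f.getType())) {
          continue; // fixed: irrelevant types are dropped before any reflection on them
        }
        try {
          f.setAccessible(true); // throws for non-opened JDK packages
        } catch (InaccessibleObjectException | SecurityException e) {
          if (!fixed) {
            return obj.toString(); // old: the whole object collapses to its toString()
          }
          continue; // fixed: skip only this field, keep processing the rest
        }
        try {
          out.put(f.getName(), convert(f.get(obj), fixed, depth + 1));
        } catch (IllegalAccessException e) {
          // unreadable despite setAccessible: skip the field in both modes
        }
      }
    }
    return out;
  }

  public static void main(String[] args) {
    System.out.println("before: " + convert(new CommentForm(), false, 0));
    System.out.println("after:  " + convert(new CommentForm(), true, 0));
  }
}
```

In the "before" output, `context` and `log` arrive as `java.lang.ThreadLocal@…` and `java.util.logging.Logger@…` strings, which is the kind of value a phrase-matching rule can hit; in the "after" output `comment` is kept, `context` is an empty map and `log` is absent.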
pr-commenter bot commented Mar 12, 2026

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-61693
git_commit_date 1773742606 1773744319
git_commit_sha 311d3bd 9f44814
release_version 1.61.0-SNAPSHOT~311d3bddbb 1.61.0-SNAPSHOT~9f4481493a
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1773745991 1773745991
ci_job_id 1512289159 1512289159
ci_pipeline_id 102913215 102913215
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-hifkui02 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-hifkui02 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 63 metrics, 8 unstable metrics.

Startup time reports for petclinic
[Gantt chart: petclinic - global startup overhead: candidate=1.61.0-SNAPSHOT~9f4481493a, baseline=1.61.0-SNAPSHOT~311d3bddbb]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.058 s -
Agent appsec 1.254 s 195.96 ms (18.5%)
Agent iast 1.236 s 177.992 ms (16.8%)
Agent profiling 1.197 s 139.046 ms (13.1%)
Total tracing 11.022 s -
Total appsec 11.224 s 202.279 ms (1.8%)
Total iast 11.449 s 426.971 ms (3.9%)
Total profiling 11.059 s 37.221 ms (0.3%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.071 s -
Agent appsec 1.244 s 173.092 ms (16.2%)
Agent iast 1.23 s 158.645 ms (14.8%)
Agent profiling 1.194 s 122.702 ms (11.5%)
Total tracing 11.127 s -
Total appsec 11.1 s -26.718 ms (-0.2%)
Total iast 11.366 s 238.746 ms (2.1%)
Total profiling 11.034 s -92.956 ms (-0.8%)
[Gantt chart: petclinic - break down per module: candidate=1.61.0-SNAPSHOT~9f4481493a, baseline=1.61.0-SNAPSHOT~311d3bddbb; sections: tracing, appsec, iast, profiling]
Startup time reports for insecure-bank
[Gantt chart: insecure-bank - global startup overhead: candidate=1.61.0-SNAPSHOT~9f4481493a, baseline=1.61.0-SNAPSHOT~311d3bddbb]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.076 s -
Agent iast 1.226 s 149.613 ms (13.9%)
Total tracing 8.84 s -
Total iast 9.53 s 689.568 ms (7.8%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.058 s -
Agent iast 1.23 s 171.493 ms (16.2%)
Total tracing 8.839 s -
Total iast 9.593 s 753.368 ms (8.5%)
[Gantt chart: insecure-bank - break down per module: candidate=1.61.0-SNAPSHOT~9f4481493a, baseline=1.61.0-SNAPSHOT~311d3bddbb; sections: tracing, iast]

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-61693
git_commit_date 1773742606 1773744319
git_commit_sha 311d3bd 9f44814
release_version 1.61.0-SNAPSHOT~311d3bddbb 1.61.0-SNAPSHOT~9f4481493a
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1773746552 1773746552
ci_job_id 1512289160 1512289160
ci_pipeline_id 102913215 102913215
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-c1mk9kg4 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-c1mk9kg4 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 1 performance regressions! Performance is the same for 18 metrics, 17 unstable metrics.

scenario: scenario:load:insecure-bank:iast_GLOBAL:high_load
  • Δ mean agg_http_req_duration_p50: worse, [+71.978µs; +210.631µs] or [+2.679%; +7.841%]
  • Δ mean agg_http_req_duration_p95: same, [-126.310µs; +354.062µs] or [-1.609%; +4.511%]
  • Δ mean throughput: unstable, [-185.771op/s; +119.396op/s] or [-14.090%; +9.055%]
  • candidate mean agg_http_req_duration_p50: 2.828ms
  • candidate mean agg_http_req_duration_p95: 7.962ms
  • candidate mean throughput: 1285.312op/s
  • baseline mean agg_http_req_duration_p50: 2.686ms
  • baseline mean agg_http_req_duration_p95: 7.848ms
  • baseline mean throughput: 1318.500op/s
Request duration reports for petclinic
[Gantt chart: petclinic - request duration [CI 0.99]: candidate=1.61.0-SNAPSHOT~9f4481493a, baseline=1.61.0-SNAPSHOT~311d3bddbb]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.09 ms [17.902 ms, 18.279 ms] -
appsec 18.709 ms [18.519 ms, 18.9 ms] 618.666 µs (3.4%)
code_origins 17.759 ms [17.583 ms, 17.936 ms] -331.048 µs (-1.8%)
iast 17.637 ms [17.461 ms, 17.814 ms] -453.282 µs (-2.5%)
profiling 18.531 ms [18.348 ms, 18.715 ms] 440.78 µs (2.4%)
tracing 17.476 ms [17.306 ms, 17.646 ms] -614.741 µs (-3.4%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 19.242 ms [19.038 ms, 19.446 ms] -
appsec 18.673 ms [18.483 ms, 18.862 ms] -569.439 µs (-3.0%)
code_origins 18.143 ms [17.963 ms, 18.323 ms] -1.1 ms (-5.7%)
iast 17.747 ms [17.569 ms, 17.926 ms] -1.495 ms (-7.8%)
profiling 18.798 ms [18.603 ms, 18.993 ms] -444.255 µs (-2.3%)
tracing 17.627 ms [17.448 ms, 17.806 ms] -1.615 ms (-8.4%)
Request duration reports for insecure-bank
[Gantt chart: insecure-bank - request duration [CI 0.99]: candidate=1.61.0-SNAPSHOT~9f4481493a, baseline=1.61.0-SNAPSHOT~311d3bddbb]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.231 ms [1.218 ms, 1.244 ms] -
iast 3.125 ms [3.079 ms, 3.17 ms] 1.894 ms (153.9%)
iast_FULL 5.732 ms [5.676 ms, 5.788 ms] 4.501 ms (365.7%)
iast_GLOBAL 3.477 ms [3.42 ms, 3.534 ms] 2.246 ms (182.5%)
profiling 2.168 ms [2.145 ms, 2.192 ms] 937.555 µs (76.2%)
tracing 1.839 ms [1.823 ms, 1.856 ms] 608.386 µs (49.4%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.172 ms [1.161 ms, 1.184 ms] -
iast 3.157 ms [3.118 ms, 3.196 ms] 1.985 ms (169.3%)
iast_FULL 5.905 ms [5.845 ms, 5.964 ms] 4.732 ms (403.7%)
iast_GLOBAL 3.569 ms [3.514 ms, 3.624 ms] 2.397 ms (204.4%)
profiling 1.958 ms [1.942 ms, 1.974 ms] 785.654 µs (67.0%)
tracing 1.784 ms [1.769 ms, 1.8 ms] 612.034 µs (52.2%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-61693
git_commit_date 1773742606 1773744319
git_commit_sha 311d3bd 9f44814
release_version 1.61.0-SNAPSHOT~311d3bddbb 1.61.0-SNAPSHOT~9f4481493a
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1773746256 1773746256
ci_job_id 1512289161 1512289161
ci_pipeline_id 102913215 102913215
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-wrryxxgp 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-wrryxxgp 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat
[Gantt chart: tomcat - execution time [CI 0.99]: candidate=1.61.0-SNAPSHOT~9f4481493a, baseline=1.61.0-SNAPSHOT~311d3bddbb]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.475 ms [1.464 ms, 1.487 ms] -
appsec 3.784 ms [3.563 ms, 4.005 ms] 2.309 ms (156.5%)
iast 2.239 ms [2.171 ms, 2.308 ms] 763.991 µs (51.8%)
iast_GLOBAL 2.296 ms [2.227 ms, 2.366 ms] 820.826 µs (55.6%)
profiling 2.072 ms [2.018 ms, 2.127 ms] 596.974 µs (40.5%)
tracing 2.055 ms [2.001 ms, 2.109 ms] 579.595 µs (39.3%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.47 ms [1.459 ms, 1.482 ms] -
appsec 3.793 ms [3.572 ms, 4.013 ms] 2.322 ms (158.0%)
iast 2.247 ms [2.178 ms, 2.316 ms] 776.573 µs (52.8%)
iast_GLOBAL 2.288 ms [2.219 ms, 2.357 ms] 817.756 µs (55.6%)
profiling 2.096 ms [2.04 ms, 2.152 ms] 625.568 µs (42.6%)
tracing 2.059 ms [2.006 ms, 2.112 ms] 588.897 µs (40.1%)
Execution time for biojava
[Gantt chart: biojava - execution time [CI 0.99]: candidate=1.61.0-SNAPSHOT~9f4481493a, baseline=1.61.0-SNAPSHOT~311d3bddbb]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.569 s [15.569 s, 15.569 s] -
appsec 15.012 s [15.012 s, 15.012 s] -557.0 ms (-3.6%)
iast 18.436 s [18.436 s, 18.436 s] 2.867 s (18.4%)
iast_GLOBAL 17.836 s [17.836 s, 17.836 s] 2.267 s (14.6%)
profiling 14.883 s [14.883 s, 14.883 s] -686.0 ms (-4.4%)
tracing 14.97 s [14.97 s, 14.97 s] -599.0 ms (-3.8%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.729 s [15.729 s, 15.729 s] -
appsec 14.409 s [14.409 s, 14.409 s] -1.32 s (-8.4%)
iast 18.056 s [18.056 s, 18.056 s] 2.327 s (14.8%)
iast_GLOBAL 17.831 s [17.831 s, 17.831 s] 2.102 s (13.4%)
profiling 14.959 s [14.959 s, 14.959 s] -770.0 ms (-4.9%)
tracing 15.196 s [15.196 s, 15.196 s] -533.0 ms (-3.4%)

@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61693 branch from 9ded002 to 94d92e0 Compare March 17, 2026 09:24
@mcculls mcculls left a comment

Looks reasonable to me

@jandro996 jandro996 marked this pull request as ready for review March 17, 2026 10:17
@jandro996 jandro996 requested a review from a team as a code owner March 17, 2026 10:17
@manuel-alvarez-alvarez manuel-alvarez-alvarez left a comment

LGTM

@jandro996 jandro996 requested a review from smola March 17, 2026 10:44
@jandro996 jandro996 enabled auto-merge March 17, 2026 11:25
@jandro996 jandro996 added this pull request to the merge queue Mar 17, 2026
dd-octo-sts bot commented Mar 17, 2026

/merge

gh-worker-devflow-routing-ef8351 bot commented Mar 17, 2026

View all feedbacks in Devflow UI.

2026-03-17 11:49:03 UTC ℹ️ Start processing command /merge


2026-03-17 11:49:09 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 3h (p90).


2026-03-17 12:46:44 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 17, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d bot merged commit 99d47ca into master Mar 17, 2026
575 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d bot deleted the alejandro.gonzalez/APPSEC-61693 branch March 17, 2026 12:46
@github-actions github-actions bot added this to the 1.61.0 milestone Mar 17, 2026
jandro996 added a commit that referenced this pull request Mar 18, 2026
…10820)

Fix ObjectIntrospection exposing JDK internal toString() to the WAF

wip

fix test for all jdks

Avoid log classes

new approach test

new approach test

change to .trie

WIP

Merge branch 'master' into alejandro.gonzalez/APPSEC-61693

Co-authored-by: devflow.devflow-routing-intake <devflow.devflow-routing-intake@kubernetes.us1.ddbuild.io>
jandro996 added a commit that referenced this pull request Mar 19, 2026
…10820)

Fix ObjectIntrospection exposing JDK internal toString() to the WAF

wip

fix test for all jdks

Avoid log classes

new approach test

new approach test

change to .trie

WIP

Merge branch 'master' into alejandro.gonzalez/APPSEC-61693

Co-authored-by: devflow.devflow-routing-intake <devflow.devflow-routing-intake@kubernetes.us1.ddbuild.io>
jandro996 added a commit that referenced this pull request Mar 19, 2026