Fix race condition in ApiSecuritySamplerImpl #10010
base: master
Benchmarks

Startup parameters: Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 6 unstable metrics.
candidate=1.57.0-SNAPSHOT~a49f1b2289, baseline=1.57.0-SNAPSHOT~c8bb44440b

petclinic, global startup overhead (Agent / Total):
  tracing:   baseline 1.103 s / 10.811 s, candidate 1.114 s / 10.961 s
  appsec:    baseline 1.281 s / 11.156 s, candidate 1.29 s / 11.209 s
  iast:      baseline 1.238 s / 11.235 s, candidate 1.25 s / 11.433 s
  profiling: baseline 1.236 s / 11.159 s, candidate 1.247 s / 11.018 s
insecure-bank, global startup overhead (Agent / Total):
  tracing:   baseline 1.109 s / 8.888 s, candidate 1.097 s / 8.827 s
  iast:      baseline 1.243 s / 9.529 s, candidate 1.241 s / 9.562 s
(per-module break down charts for both applications not reproduced)
Load parameters: Found 2 performance improvements and 2 performance regressions! Performance is the same for 17 metrics, 15 unstable metrics.
candidate=1.57.0-SNAPSHOT~a49f1b2289, baseline=1.57.0-SNAPSHOT~c8bb44440b

petclinic, request duration [CI 0.99] (baseline / candidate):
  no_agent 19.281 ms / 19.316 ms; appsec 18.9 ms / 19.633 ms; code_origins 17.815 ms / 17.481 ms; iast 17.384 ms / 17.611 ms; profiling 18.457 ms / 19.835 ms; tracing 17.472 ms / 17.908 ms
insecure-bank, request duration [CI 0.99] (baseline / candidate):
  no_agent 1.219 ms / 1.226 ms; iast 3.184 ms / 3.278 ms; iast_FULL 5.872 ms / 5.803 ms; iast_GLOBAL 3.786 ms / 3.461 ms; profiling 2.141 ms / 2.177 ms; tracing 1.796 ms / 1.863 ms
Dacapo parameters: Found 0 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 2 unstable metrics.
candidate=1.57.0-SNAPSHOT~a49f1b2289, baseline=1.57.0-SNAPSHOT~c8bb44440b

tomcat, execution time [CI 0.99] (baseline / candidate):
  no_agent 1.479 ms / 1.478 ms; appsec 3.724 ms / 3.719 ms; iast 2.227 ms / 2.216 ms; iast_GLOBAL 2.264 ms / 2.266 ms; profiling 2.483 ms / 2.088 ms; tracing 2.042 ms / 2.057 ms
biojava, execution time [CI 0.99] (baseline / candidate):
  no_agent 15.045 s / 15.299 s; appsec 14.922 s / 15.068 s; iast 18.64 s / 18.569 s; iast_GLOBAL 17.748 s / 18.114 s; profiling 14.687 s / 15.133 s; tracing 14.691 s / 14.801 s
| * This method only serves as a final confirmation gate before schema extraction. | ||
| */ | ||
| @Override | ||
| public boolean sampleRequest(AppSecRequestContext ctx) { |
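Review bot: the Javadoc above sampleRequest still describes it only as "a final confirmation gate before schema extraction"; now that the access-map update happens in preSampleRequest() right after the semaphore is acquired, state that here as well, and if updateApiAccessIfExpired is no longer necessary in this method, remove the call rather than leaving a second, redundant update path for readers to reason about.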
This method seems useless with the new approach, but I decided to maintain it to keep the checks, although updateApiAccessIfExpired is not necessary anymore.
What Does This Do
Fixed race condition in ApiSecuritySamplerImpl in standalone mode:
- Concurrent requests could see `isExpired=true` before any of them updated the `accessMap`.
- `preSampleRequest()` now updates the map immediately after acquiring the semaphore, preventing concurrent requests from seeing stale expiration state.
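To make the check-then-update race concrete, here is an added example. It is not dd-trace-java's `ApiSecuritySamplerImpl`: the `Sampler` class, its `accessMap`, `permit`, `preSampleRequest`/`sampleRequest` methods and the `countSampled` driver are hypothetical models of what the description above says. It pushes several concurrent requests for the same endpoint through the sampler, forces every request to finish `preSampleRequest()` before any reaches `sampleRequest()` (the worst-case interleaving for the old behaviour), and counts how many get sampled when the access map is updated late versus immediately after the semaphore is acquired.

```java
import java.util.Map;
import java.util.concurrent.BrokenBarrierException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.Semaphore;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.LongSupplier;

/**
 * Added example: a minimal model of the check-then-update race the PR fixes.
 * This is NOT dd-trace-java's ApiSecuritySamplerImpl; every name here is hypothetical.
 */
public class ApiAccessRaceDemo {

    /** One endpoint key should be sampled at most once per expiration window. */
    static final class Sampler {
        private final Map<String, Long> accessMap = new ConcurrentHashMap<>();
        private final Semaphore permit = new Semaphore(1);   // limits concurrent sampling decisions
        private final long expirationNanos;
        private final LongSupplier clock;
        private final boolean updateOnPreSample;             // false = old behaviour, true = fixed

        Sampler(long expirationNanos, LongSupplier clock, boolean updateOnPreSample) {
            this.expirationNanos = expirationNanos;
            this.clock = clock;
            this.updateOnPreSample = updateOnPreSample;
        }

        private boolean isExpired(String key, long now) {
            Long last = accessMap.get(key);
            return last == null || now - last > expirationNanos;
        }

        /** First decision point: is this request a candidate for schema extraction? */
        boolean preSampleRequest(String key) {
            // Blocking acquire keeps the demo deterministic; a real sampler may use tryAcquire().
            permit.acquireUninterruptibly();
            try {
                long now = clock.getAsLong();
                boolean expired = isExpired(key, now);
                if (expired && updateOnPreSample) {
                    accessMap.put(key, now);                  // fix: record the access while holding the permit
                }
                return expired;
            } finally {
                permit.release();
            }
        }

        /** Final confirmation gate; the old variant recorded the access only here. */
        boolean sampleRequest(String key) {
            if (!updateOnPreSample) {
                accessMap.put(key, clock.getAsLong());        // too late: others already saw isExpired=true
            }
            return true;
        }
    }

    /** Runs N requests for one endpoint so that all call preSampleRequest before any calls sampleRequest. */
    static int countSampled(Sampler sampler, int requests) throws InterruptedException {
        CyclicBarrier allPreSampled = new CyclicBarrier(requests);   // constructed worst-case interleaving
        AtomicInteger sampled = new AtomicInteger();
        Thread[] threads = new Thread[requests];
        for (int i = 0; i < requests; i++) {
            threads[i] = new Thread(() -> {
                boolean candidate = sampler.preSampleRequest("GET /api/pets");
                try {
                    allPreSampled.await();
                } catch (InterruptedException | BrokenBarrierException e) {
                    throw new IllegalStateException(e);
                }
                if (candidate && sampler.sampleRequest("GET /api/pets")) {
                    sampled.incrementAndGet();
                }
            });
            threads[i].start();
        }
        for (Thread t : threads) {
            t.join();
        }
        return sampled.get();
    }

    public static void main(String[] args) throws InterruptedException {
        long window = 30_000_000_000L;                        // 30 s expiration window, constructed
        int requests = 8;
        int before = countSampled(new Sampler(window, System::nanoTime, false), requests);
        int after = countSampled(new Sampler(window, System::nanoTime, true), requests);
        System.out.println("old behaviour: " + before + " of " + requests + " concurrent requests sampled");
        System.out.println("fixed:         " + after + " of " + requests + " concurrent requests sampled");
    }
}
```

With the old ordering every request observes an empty `accessMap` and all 8 are sampled; with the update moved under the semaphore, only the first request sees the endpoint as expired and the remaining 7 are correctly rejected. The barrier only makes the bad interleaving reproducible; without it the same overlap happens whenever two requests for the same endpoint arrive closer together than the gap between the two calls.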
Motivation
API Security standalone system tests were failing intermittently in CI with `_sampling_priority_v1` not being set to 2, causing traces not to be retained as expected. Related to APPSEC-57815.
Additional Notes