
feat(appsec): extend RASP callsite coverage to File-argument constructors of FileOutputStream and FileInputStream#11113

Status: Open
jandro996 wants to merge 8 commits into master from alejandro.gonzalez/APPSEC-61874_2

Conversation

@jandro996 (Member) commented Apr 14, 2026

What Does This Do

Extends RASP callsite coverage for Java file I/O APIs. All new callsites are RASP-only — no IAST changes, since File-based and Path-based constructors delegate path resolution to the JVM, and IAST taint
tracking via the String constructors already covers those code paths.

New callsites

FileReaderCallSite → beforeFileLoaded

  • FileReader(String), FileReader(File)
  • FileReader(String, Charset), FileReader(File, Charset) (Java 11+)

FileWriterCallSite → beforeFileWritten

  • FileWriter(String), FileWriter(String, boolean), FileWriter(File), FileWriter(File, boolean)
  • FileWriter(String, Charset), FileWriter(String, Charset, boolean), FileWriter(File, Charset), FileWriter(File, Charset, boolean) (Java 11+)

RandomAccessFileCallSite → beforeFileLoaded for mode "r"; both beforeFileLoaded + beforeFileWritten for "rw" / "rws" / "rwd"

  • RandomAccessFile(String, String), RandomAccessFile(File, String)

FilesCallSite

  • Write → beforeFileWritten: Files.newOutputStream, Files.write(bytes), Files.write(lines, charset), Files.write(lines), Files.newBufferedWriter(path, charset), Files.newBufferedWriter(path),
    Files.copy(InputStream, Path, ...), Files.move
  • Write (Java 11+): Files.writeString(path, seq), Files.writeString(path, seq, charset)
  • Read → beforeFileLoaded: Files.newInputStream, Files.readAllBytes, Files.readAllLines(path, charset), Files.readAllLines(path), Files.newBufferedReader(path, charset),
    Files.newBufferedReader(path), Files.lines(path, charset), Files.lines(path)
  • Read (Java 11+): Files.readString(path), Files.readString(path, charset)

FileChannelCallSite → both beforeFileLoaded + beforeFileWritten (channel mode is determined at runtime, not statically)

  • FileChannel.open(Path, OpenOption[]), FileChannel.open(Path, Set<OpenOption>, FileAttribute[])

Extended callsites

FileInputStreamCallSite (extends #11084) — added FileInputStream(File) → beforeFileLoaded

FileOutputStreamCallSite (extends #11084) — added FileOutputStream(File), FileOutputStream(File, boolean) → beforeFileWritten

PathCallSite — added Path.resolve(Path), Path.resolveSibling(Path) → beforeFileLoaded

PathsCallSite — added Path.of(String, String[]), Path.of(URI) (Java 11+) → beforeFileLoaded

Additional Notes

Contributor Checklist

Jira Ticket: APPSEC-61874
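As an added illustration (not code from this PR or from dd-trace-java), the Java sketch below shows how the callsite-to-hook mapping in the description behaves at runtime. `DemoRaspHelper` and `DemoFileIoCallSites` are hypothetical names; `beforeFileLoaded` and `beforeFileWritten` are the hook names the description uses, but the recording helper here stands in for the real `FileIORaspHelper`, which evaluates WAF rules rather than collecting strings. Two details are worth seeing: a `File` argument is reduced to `file.getPath()`, the path string exactly as the application assembled it (not a canonical path), and the `RandomAccessFile` mode string decides whether one hook or both fire.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Hypothetical call-site adapters mirroring the hook mapping listed in the PR description. */
final class DemoFileIoCallSites {
  private DemoFileIoCallSites() {}

  /** FileInputStream(File): a single read hook on the File's raw, unresolved path. */
  static void beforeFileInputStream(File file) {
    if (file != null) {
      DemoRaspHelper.INSTANCE.beforeFileLoaded(file.getPath());
    }
  }

  /** FileOutputStream(File) and FileOutputStream(File, boolean): a single write hook; the append flag is irrelevant. */
  static void beforeFileOutputStream(File file) {
    if (file != null) {
      DemoRaspHelper.INSTANCE.beforeFileWritten(file.getPath());
    }
  }

  /**
   * RandomAccessFile(String or File, mode): "r" reads only; "rw", "rws" and "rwd" open for reading
   * and writing, so both hooks fire. Any other mode makes the JDK constructor throw
   * IllegalArgumentException, so the adapter reports nothing instead of guessing.
   */
  static void beforeRandomAccessFile(String path, String mode) {
    if (path == null || mode == null) {
      return;
    }
    switch (mode) {
      case "r":
        DemoRaspHelper.INSTANCE.beforeFileLoaded(path);
        break;
      case "rw":
      case "rws":
      case "rwd":
        DemoRaspHelper.INSTANCE.beforeFileLoaded(path);
        DemoRaspHelper.INSTANCE.beforeFileWritten(path);
        break;
      default:
        break; // invalid mode: the constructor rejects it, nothing to report
    }
  }

  public static void main(String[] args) {
    // constructed sample: a path assembled from a directory and a file name the app received
    File file = new File("uploads", "report.txt");
    beforeFileInputStream(file);
    beforeFileOutputStream(file);
    beforeRandomAccessFile(file.getPath(), "r");
    beforeRandomAccessFile(file.getPath(), "rw");
    beforeRandomAccessFile(file.getPath(), "x"); // invalid mode: no hook fires
    for (String event : DemoRaspHelper.INSTANCE.events()) {
      System.out.println(event);
    }
  }
}

/**
 * Stand-in for the agent's RASP helper (hypothetical; the real one is FileIORaspHelper and
 * evaluates WAF rules). This one only records which hook fired for which path.
 */
final class DemoRaspHelper {
  static final DemoRaspHelper INSTANCE = new DemoRaspHelper();
  private final List<String> events = new ArrayList<>();

  private DemoRaspHelper() {}

  void beforeFileLoaded(String path) {
    events.add("beforeFileLoaded(" + path + ")");
  }

  void beforeFileWritten(String path) {
    events.add("beforeFileWritten(" + path + ")");
  }

  List<String> events() {
    return Collections.unmodifiableList(events);
  }
}
```

Compile and run with `javac` and `java` (Java 8 or later, no agent needed). The adapters deliberately never throw: a null `File` or an invalid mode is simply not reported, because the JDK constructor will reject it anyway, and advice that throws would turn a detection hook into an availability problem for the instrumented application.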

…ctors

Add RASP callsite coverage for File-argument constructors that were
previously not instrumented:

- FileOutputStream(File) and FileOutputStream(File, boolean): call
  FileIORaspHelper.INSTANCE.beforeFileWritten(file.getPath())
- FileInputStream(File): call
  FileIORaspHelper.INSTANCE.beforeFileLoaded(file.getPath())

No IAST changes — the File-based constructors delegate path resolution
to the JVM, so IAST taint tracking via the String constructor already
covers those code paths at a higher level.

Tests added following the existing RASP test pattern.
@jandro996 jandro996 requested review from a team as code owners April 14, 2026 13:29
@jandro996 jandro996 requested review from PerfectSlayer, claponcet and manuel-alvarez-alvarez and removed request for a team April 14, 2026 13:29
@github-actions (Contributor) commented

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@jandro996 jandro996 added type: enhancement Enhancements and improvements comp: asm waf Application Security Management (WAF) labels Apr 14, 2026
@jandro996 jandro996 marked this pull request as draft April 14, 2026 13:32
@pr-commenter bot commented Apr 14, 2026

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61874_2 |
| git_commit_date | 1776268328 | 1776267864 |
| git_commit_sha | 93449b6f0f | a66eb33 |
| release_version | 1.62.0-SNAPSHOT~693449b6f0f | 1.62.0-SNAPSHOT~a66eb337bf |

Matching parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| application | insecure-bank | insecure-bank |
| ci_job_date | 1776269623 | 1776269623 |
| ci_job_id | 1598273548 | 1598273548 |
| ci_pipeline_id | 107852165 | 107852165 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-og0ryvr1 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-zfyrx7zua-project-304-concurrent-0-og0ryvr1 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| module | Agent | Agent |
| parent | None | None |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 12 unstable metrics.

Startup time reports for insecure-bank

[Gantt chart: insecure-bank - global startup overhead: candidate=1.62.0-SNAPSHOT~a66eb337bf, baseline=1.62.0-SNAPSHOT~693449b6f0f. The plotted values are the ones tabulated below.]

  • baseline results

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.064 s | - |
| Agent | iast | 1.225 s | 160.699 ms (15.1%) |
| Total | tracing | 8.897 s | - |
| Total | iast | 9.566 s | 668.662 ms (7.5%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.057 s | - |
| Agent | iast | 1.227 s | 170.094 ms (16.1%) |
| Total | tracing | 8.822 s | - |
| Total | iast | 9.584 s | 761.911 ms (8.6%) |

Break down per module (candidate=1.62.0-SNAPSHOT~a66eb337bf, baseline=1.62.0-SNAPSHOT~693449b6f0f)

| Variant | Module | Baseline | Candidate |
| --- | --- | --- | --- |
| tracing | crashtracking | 1.253 ms | 1.24 ms |
| tracing | BytebuddyAgent | 640.648 ms | 632.88 ms |
| tracing | AgentMeter | 29.845 ms | 29.299 ms |
| tracing | GlobalTracer | 250.463 ms | 248.327 ms |
| tracing | AppSec | 32.493 ms | 32.328 ms |
| tracing | Debugger | 59.348 ms | 58.907 ms |
| tracing | Remote Config | 601.09 µs | 589.078 µs |
| tracing | Telemetry | 8.088 ms | 8.011 ms |
| tracing | Flare Poller | 5.124 ms | 8.956 ms |
| iast | crashtracking | 1.237 ms | 1.221 ms |
| iast | BytebuddyAgent | 803.789 ms | 806.602 ms |
| iast | AgentMeter | 11.489 ms | 11.232 ms |
| iast | GlobalTracer | 238.739 ms | 238.172 ms |
| iast | AppSec | 31.075 ms | 26.718 ms |
| iast | Debugger | 58.673 ms | 64.308 ms |
| iast | Remote Config | 531.53 µs | 515.289 µs |
| iast | Telemetry | 13.61 ms | 7.831 ms |
| iast | Flare Poller | 3.771 ms | 3.447 ms |
| iast | IAST | 25.694 ms | 30.001 ms |
Startup time reports for petclinic

[Gantt chart: petclinic - global startup overhead: candidate=1.62.0-SNAPSHOT~a66eb337bf, baseline=1.62.0-SNAPSHOT~693449b6f0f. The plotted values are the ones tabulated below.]

  • baseline results

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.056 s | - |
| Agent | appsec | 1.247 s | 191.292 ms (18.1%) |
| Agent | iast | 1.222 s | 166.396 ms (15.8%) |
| Agent | profiling | 1.183 s | 126.855 ms (12.0%) |
| Total | tracing | 11.114 s | - |
| Total | appsec | 11.205 s | 90.275 ms (0.8%) |
| Total | iast | 11.397 s | 282.831 ms (2.5%) |
| Total | profiling | 11.0 s | -114.474 ms (-1.0%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.056 s | - |
| Agent | appsec | 1.267 s | 211.069 ms (20.0%) |
| Agent | iast | 1.239 s | 183.493 ms (17.4%) |
| Agent | profiling | 1.185 s | 129.159 ms (12.2%) |
| Total | tracing | 11.077 s | - |
| Total | appsec | 11.03 s | -46.965 ms (-0.4%) |
| Total | iast | 11.351 s | 274.578 ms (2.5%) |
| Total | profiling | 11.086 s | 9.198 ms (0.1%) |

Break down per module (candidate=1.62.0-SNAPSHOT~a66eb337bf, baseline=1.62.0-SNAPSHOT~693449b6f0f)

| Variant | Module | Baseline | Candidate |
| --- | --- | --- | --- |
| tracing | crashtracking | 1.22 ms | 1.218 ms |
| tracing | BytebuddyAgent | 631.048 ms | 631.807 ms |
| tracing | AgentMeter | 29.308 ms | 29.317 ms |
| tracing | GlobalTracer | 248.351 ms | 248.204 ms |
| tracing | AppSec | 32.275 ms | 32.211 ms |
| tracing | Debugger | 60.04 ms | 59.943 ms |
| tracing | Remote Config | 589.99 µs | 586.11 µs |
| tracing | Telemetry | 8.078 ms | 8.083 ms |
| tracing | Flare Poller | 8.961 ms | 8.303 ms |
| appsec | crashtracking | 1.223 ms | 1.218 ms |
| appsec | BytebuddyAgent | 661.221 ms | 676.616 ms |
| appsec | AgentMeter | 12.082 ms | 12.023 ms |
| appsec | GlobalTracer | 248.798 ms | 250.463 ms |
| appsec | AppSec | 184.882 ms | 186.448 ms |
| appsec | Debugger | 65.676 ms | 67.073 ms |
| appsec | Remote Config | 605.726 µs | 589.234 µs |
| appsec | Telemetry | 8.31 ms | 7.938 ms |
| appsec | Flare Poller | 3.505 ms | 3.502 ms |
| appsec | IAST | 24.592 ms | 24.432 ms |
| iast | crashtracking | 1.22 ms | 1.232 ms |
| iast | BytebuddyAgent | 799.042 ms | 815.193 ms |
| iast | AgentMeter | 11.419 ms | 11.385 ms |
| iast | GlobalTracer | 238.738 ms | 239.833 ms |
| iast | AppSec | 32.006 ms | 27.59 ms |
| iast | Debugger | 62.15 ms | 65.59 ms |
| iast | Remote Config | 534.657 µs | 538.421 µs |
| iast | Telemetry | 11.775 ms | 8.007 ms |
| iast | Flare Poller | 3.477 ms | 3.47 ms |
| iast | IAST | 25.804 ms | 29.437 ms |
| profiling | crashtracking | 1.175 ms | 1.171 ms |
| profiling | BytebuddyAgent | 690.465 ms | 691.521 ms |
| profiling | AgentMeter | 9.078 ms | 9.124 ms |
| profiling | GlobalTracer | 206.819 ms | 207.448 ms |
| profiling | AppSec | 32.736 ms | 32.883 ms |
| profiling | Debugger | 65.536 ms | 65.5 ms |
| profiling | Remote Config | 574.34 µs | 575.689 µs |
| profiling | Telemetry | 7.779 ms | 7.766 ms |
| profiling | Flare Poller | 3.528 ms | 3.517 ms |
| profiling | ProfilingAgent | 94.132 ms | 94.218 ms |
| profiling | Profiling | 94.711 ms | 94.81 ms |

Load

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61874_2 |
| git_commit_date | 1776268331 | 1776267864 |
| git_commit_sha | 93449b6f0f | a66eb33 |
| release_version | 1.62.0-SNAPSHOT~693449b6f0f | 1.62.0-SNAPSHOT~a66eb337bf |

Matching parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| application | insecure-bank | insecure-bank |
| ci_job_date | 1776270104 | 1776270104 |
| ci_job_id | 1598273553 | 1598273553 |
| ci_pipeline_id | 107852165 | 107852165 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-1-4eabtw3b 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-zfyrx7zua-project-304-concurrent-1-4eabtw3b 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 1 performance improvements and 3 performance regressions! Performance is the same for 16 metrics, 16 unstable metrics.

| scenario | Δ mean agg_http_req_duration_p50 | Δ mean agg_http_req_duration_p95 | Δ mean throughput | candidate mean agg_http_req_duration_p50 | candidate mean agg_http_req_duration_p95 | candidate mean throughput | baseline mean agg_http_req_duration_p50 | baseline mean agg_http_req_duration_p95 | baseline mean throughput |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| scenario:load:insecure-bank:iast_FULL:high_load | unsure [-439.978µs; -110.109µs] or [-7.632%; -1.910%] | better [-1291.447µs; -375.535µs] or [-9.372%; -2.725%] | unstable [-40.888op/s; +125.075op/s] or [-5.715%; +17.481%] | 5.490ms | 12.946ms | 757.594op/s | 5.765ms | 13.780ms | 715.500op/s |
| scenario:load:petclinic:profiling:high_load | worse [+1.404ms; +2.333ms] or [+7.491%; +12.449%] | worse [+0.900ms; +2.499ms] or [+2.943%; +8.170%] | unstable [-43.580op/s; +4.267op/s] or [-17.810%; +1.744%] | 20.608ms | 32.290ms | 225.031op/s | 18.739ms | 30.591ms | 244.688op/s |
| scenario:load:petclinic:appsec:high_load | worse [+464.445µs; +1209.643µs] or [+2.474%; +6.443%] | same [-427.429µs; +942.190µs] or [-1.393%; +3.071%] | unstable [-31.550op/s; +16.863op/s] or [-12.987%; +6.941%] | 19.613ms | 30.934ms | 235.594op/s | 18.776ms | 30.676ms | 242.938op/s |
Request duration reports for insecure-bank

[Gantt chart: insecure-bank - request duration [CI 0.99]: candidate=1.62.0-SNAPSHOT~a66eb337bf, baseline=1.62.0-SNAPSHOT~693449b6f0f. The plotted values are the ones tabulated below.]

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.25 ms [1.239 ms, 1.262 ms] | - |
| iast | 3.339 ms [3.292 ms, 3.385 ms] | 2.088 ms (167.0%) |
| iast_FULL | 6.469 ms [6.401 ms, 6.537 ms] | 5.218 ms (417.3%) |
| iast_GLOBAL | 3.679 ms [3.624 ms, 3.734 ms] | 2.428 ms (194.2%) |
| profiling | 2.06 ms [2.042 ms, 2.077 ms] | 809.334 µs (64.7%) |
| tracing | 1.925 ms [1.909 ms, 1.942 ms] | 674.813 µs (54.0%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.259 ms [1.248 ms, 1.27 ms] | - |
| iast | 3.361 ms [3.307 ms, 3.416 ms] | 2.102 ms (166.9%) |
| iast_FULL | 6.104 ms [6.042 ms, 6.165 ms] | 4.845 ms (384.7%) |
| iast_GLOBAL | 3.583 ms [3.526 ms, 3.639 ms] | 2.323 ms (184.5%) |
| profiling | 2.099 ms [2.079 ms, 2.118 ms] | 839.415 µs (66.7%) |
| tracing | 1.828 ms [1.813 ms, 1.842 ms] | 568.499 µs (45.1%) |
Request duration reports for petclinic

[Gantt chart: petclinic - request duration [CI 0.99]: candidate=1.62.0-SNAPSHOT~a66eb337bf, baseline=1.62.0-SNAPSHOT~693449b6f0f. The plotted values are the ones tabulated below.]

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 19.32 ms [19.124 ms, 19.517 ms] | - |
| appsec | 19.212 ms [19.015 ms, 19.409 ms] | -108.054 µs (-0.6%) |
| code_origins | 18.072 ms [17.893 ms, 18.25 ms] | -1.248 ms (-6.5%) |
| iast | 17.918 ms [17.737 ms, 18.098 ms] | -1.403 ms (-7.3%) |
| profiling | 19.075 ms [18.883 ms, 19.267 ms] | -245.284 µs (-1.3%) |
| tracing | 18.178 ms [18.0 ms, 18.355 ms] | -1.143 ms (-5.9%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 18.46 ms [18.266 ms, 18.654 ms] | - |
| appsec | 19.807 ms [19.61 ms, 20.003 ms] | 1.346 ms (7.3%) |
| code_origins | 18.01 ms [17.832 ms, 18.188 ms] | -450.354 µs (-2.4%) |
| iast | 17.948 ms [17.77 ms, 18.125 ms] | -512.768 µs (-2.8%) |
| profiling | 20.745 ms [20.534 ms, 20.955 ms] | 2.284 ms (12.4%) |
| tracing | 17.79 ms [17.613 ms, 17.966 ms] | -670.335 µs (-3.6%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61874_2 |
| git_commit_date | 1776268330 | 1776267864 |
| git_commit_sha | 93449b6f0f | a66eb33 |
| release_version | 1.62.0-SNAPSHOT~693449b6f0f | 1.62.0-SNAPSHOT~a66eb337bf |

Matching parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| application | biojava | biojava |
| ci_job_date | 1776269814 | 1776269814 |
| ci_job_id | 1598273555 | 1598273555 |
| ci_pipeline_id | 107852165 | 107852165 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-or5tr8xo 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-zfyrx7zua-project-304-concurrent-0-or5tr8xo 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat

[Gantt chart: tomcat - execution time [CI 0.99]: candidate=1.62.0-SNAPSHOT~a66eb337bf, baseline=1.62.0-SNAPSHOT~693449b6f0f. The plotted values are the ones tabulated below.]

  • baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.487 ms [1.476 ms, 1.499 ms] | - |
| appsec | 3.817 ms [3.596 ms, 4.039 ms] | 2.33 ms (156.7%) |
| iast | 2.264 ms [2.194 ms, 2.333 ms] | 776.458 µs (52.2%) |
| iast_GLOBAL | 2.311 ms [2.241 ms, 2.381 ms] | 823.911 µs (55.4%) |
| profiling | 2.088 ms [2.033 ms, 2.142 ms] | 600.506 µs (40.4%) |
| tracing | 2.075 ms [2.022 ms, 2.129 ms] | 587.924 µs (39.5%) |

  • candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.489 ms [1.477 ms, 1.501 ms] | - |
| appsec | 3.83 ms [3.607 ms, 4.052 ms] | 2.341 ms (157.2%) |
| iast | 2.278 ms [2.208 ms, 2.347 ms] | 788.666 µs (53.0%) |
| iast_GLOBAL | 2.31 ms [2.24 ms, 2.381 ms] | 821.432 µs (55.2%) |
| profiling | 2.099 ms [2.044 ms, 2.155 ms] | 610.393 µs (41.0%) |
| tracing | 2.07 ms [2.016 ms, 2.123 ms] | 580.83 µs (39.0%) |
Execution time for biojava

[Gantt chart: biojava - execution time [CI 0.99]: candidate=1.62.0-SNAPSHOT~a66eb337bf, baseline=1.62.0-SNAPSHOT~693449b6f0f. The plotted values are the ones tabulated below.]

  • baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 14.964 s [14.964 s, 14.964 s] | - |
| appsec | 14.814 s [14.814 s, 14.814 s] | -150.0 ms (-1.0%) |
| iast | 18.232 s [18.232 s, 18.232 s] | 3.268 s (21.8%) |
| iast_GLOBAL | 18.092 s [18.092 s, 18.092 s] | 3.128 s (20.9%) |
| profiling | 14.934 s [14.934 s, 14.934 s] | -30.0 ms (-0.2%) |
| tracing | 15.091 s [15.091 s, 15.091 s] | 127.0 ms (0.8%) |

  • candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 15.547 s [15.547 s, 15.547 s] | - |
| appsec | 14.902 s [14.902 s, 14.902 s] | -645.0 ms (-4.1%) |
| iast | 18.355 s [18.355 s, 18.355 s] | 2.808 s (18.1%) |
| iast_GLOBAL | 18.116 s [18.116 s, 18.116 s] | 2.569 s (16.5%) |
| profiling | 14.983 s [14.983 s, 14.983 s] | -564.0 ms (-3.6%) |
| tracing | 15.104 s [15.104 s, 15.104 s] | -443.0 ms (-2.8%) |

…, RandomAccessFile, Files.* and FileChannel

Extends RASP callsite instrumentation (APPSEC-61874) beyond FileInputStream/FileOutputStream
to all remaining Java file I/O APIs that were not covered. No IAST changes.

New callsites:
- FileReaderCallSite: FileReader(String/File) + Java 11+ Charset variants → beforeFileLoaded
- FileWriterCallSite: FileWriter(String/File/boolean) + Java 11+ Charset variants → beforeFileWritten
- RandomAccessFileCallSite: RandomAccessFile(String/File, mode) → beforeFileLoaded for "r",
  both beforeFileLoaded + beforeFileWritten for "rw"/"rws"/"rwd"
- FilesCallSite: all Files.* read and write methods (newOutputStream, copy(IS,Path),
  write, writeString, newBufferedWriter, move, newInputStream, readAllBytes, readAllLines,
  readString, newBufferedReader, lines)
- FileChannelCallSite: FileChannel.open(Path, ...) → fires both read and write callbacks

Extended callsites:
- PathCallSite: add resolve(Path) and resolveSibling(Path) → beforeFileLoaded
- PathsCallSite: add Path.of(String[], URI) (Java 11+) → beforeFileLoaded

FileIORaspHelper: add beforeRandomAccessFileOpened(path, mode) helper

Relates to #11084 and #11113
Adds a java11Test source set that compiles with --release 11 and runs
only on JDK 11+. Tests cover the Java 11-only overloads that were
instrumented but previously untestable from Java 8 sources:

- FileReader(String/File, Charset) constructors
- FileWriter(String/File, Charset[, boolean]) constructors
- Files.writeString(Path, CharSequence, [Charset,] OpenOption...)
- Files.readString(Path[, Charset])
- Path.of(String, String[]) and Path.of(URI) static methods

Build configuration uses ext.java11TestMinJavaVersionForTests so the
testJvmConstraints plugin skips the suite on pre-11 JVMs.
@jandro996 jandro996 marked this pull request as ready for review April 15, 2026 11:15
@chatgpt-codex-connector bot left a comment
💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 468e83facb


…tions

FileChannel.open() with READ-only options was incorrectly triggering the
fileWritten callback, which could cause false positives in the zipslip
rule (dog-920-110) when a read-only channel open with a traversal path
coincided with a multipart zip upload in the same request.

Split beforeOpen into two overload-specific methods so the OpenOption
arguments can be inspected at the call site, mirroring the existing
pattern in beforeRandomAccessFileOpened.

Also fix a latent bug in AdviceGeneratorImpl: .sorted() without a
comparator on ArgumentSpecification (which does not implement Comparable)
would ClassCastException when an advice method captures a strict subset
of a target method's arguments. Fixed with Comparator.comparingInt.
@jandro996 (Member, Author) commented

@manuel-alvarez-alvarez I'm going to move this to a separate PR, but I want your thoughts about this before I do it.
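As an added example (not code from this PR or from dd-trace-java) of the option inspection the last commit message describes: `DemoFileChannelCallSite.classify` derives the access direction from the `OpenOption` set that `FileChannel.open` receives, so a read-only open fires only the read hook and can no longer add a spurious write event to a rule such as the zipslip one. The class name, the `Access` enum and the overload names are my own; the decision rule follows the `FileChannel.open` Javadoc (APPEND implies WRITE; with none of READ, WRITE or APPEND present the channel is read-only; CREATE, CREATE_NEW and TRUNCATE_EXISTING on their own do not open for writing). Not firing the read hook for a write-only open is my choice for this sketch, not something the PR states.

```java
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical call-site adapter for FileChannel.open that inspects the OpenOptions before firing hooks. */
final class DemoFileChannelCallSite {
  /** Direction the channel is being opened in, derived from the OpenOption set. */
  enum Access { READ, WRITE, READ_WRITE }

  /** Recorded hook invocations; stands in for the agent's RASP helper. */
  static final List<String> EVENTS = new ArrayList<>();

  /**
   * FileChannel.open semantics: WRITE or APPEND opens for writing (APPEND implies WRITE); READ
   * opens for reading; if none of the three is present the channel is read-only. CREATE,
   * CREATE_NEW and TRUNCATE_EXISTING are ignored without WRITE, so they are not a write by themselves.
   */
  static Access classify(Set<? extends OpenOption> options) {
    boolean write = options.contains(StandardOpenOption.WRITE)
        || options.contains(StandardOpenOption.APPEND);
    boolean read = options.contains(StandardOpenOption.READ) || !write;
    if (read && write) {
      return Access.READ_WRITE;
    }
    return write ? Access.WRITE : Access.READ;
  }

  /** Mirrors the FileChannel.open(Path, OpenOption...) overload. */
  static Access beforeOpen(Path path, OpenOption... options) {
    return beforeOpen(path, new HashSet<>(Arrays.asList(options)));
  }

  /** Mirrors the FileChannel.open(Path, Set<? extends OpenOption>, FileAttribute<?>...) overload. */
  static Access beforeOpen(Path path, Set<? extends OpenOption> options) {
    if (path == null || options == null) {
      return Access.READ; // advice must never throw into the application; report nothing
    }
    Access access = classify(options);
    if (access != Access.WRITE) {
      EVENTS.add("beforeFileLoaded(" + path + ")");
    }
    if (access != Access.READ) {
      EVENTS.add("beforeFileWritten(" + path + ")");
    }
    return access;
  }

  public static void main(String[] args) {
    Path p = Paths.get("data", "archive.bin"); // constructed sample path
    beforeOpen(p);                                                       // no options: READ
    beforeOpen(p, StandardOpenOption.READ);                              // READ
    beforeOpen(p, StandardOpenOption.CREATE, StandardOpenOption.WRITE);  // WRITE
    beforeOpen(p, StandardOpenOption.APPEND);                            // APPEND implies WRITE
    beforeOpen(p, new HashSet<>(Arrays.asList(
        StandardOpenOption.READ, StandardOpenOption.WRITE)));            // READ_WRITE
    for (String event : EVENTS) {
      System.out.println(event);
    }
  }
}
```

Splitting the adapter per overload, as the commit message does, is what makes the inspection possible: the varargs form and the `Set` form carry the options in different shapes, and only by matching each overload can the advice see them without guessing the channel mode at runtime.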
