Fix AWS API Gateway endpoints correlation HTTP span tags - Inferred Proxy Spans #10561

Open
jandro996 wants to merge 14 commits into master from alejandro.gonzalez/RFC-1081

@jandro996 jandro996 commented Feb 10, 2026

What Does This Do

This PR implements standardized tags for inferred proxy spans produced by the Java tracer when instrumenting AWS API Gateway (v1 REST and v2 HTTP APIs). The changes align proxy spans with the cross-platform contract defined in RFC-1081 for endpoint discovery and correlation.

Mandatory tags implemented:

  • Span naming: Support for aws.httpapi (v2 HTTP API) in addition to aws.apigateway (v1 REST API)
  • span.kind: Set to server for all proxy spans
  • span.type: Already web, maintained for consistency
  • http.url: Fixed to include https:// scheme (prevents backend parsing issues)
  • http.route: New tag populated from x-dd-proxy-resource-path header (resource template path)
  • resource.name: Updated to prefer <Method> <Route> when a route is available, falling back to <Method> <Path>
  • AppSec integration: Copy _dd.appsec.enabled metric and _dd.appsec.json tag from root span to proxy span in distributed tracing scenarios

Optional tags implemented:

  • account_id: From x-dd-proxy-account-id header
  • apiid: From x-dd-proxy-api-id header
  • region: From x-dd-proxy-region header
  • dd_resource_key: Computed ARN in format arn:aws:apigateway:{region}::/restapis|apis/{api-id}

Motivation

This implementation is required by RFC-1081: Endpoint Discovery & Correlation from Inferred Spans.

This PR covers the Inferred Proxy Spans portion of the RFC. The Inferred Lambda Spans portion will be addressed in a separate PR #10576.

Additional Notes

aws_user exclusion: The optional aws_user tag was intentionally excluded per RFC guidance due to PII concerns (assumed-role session names may contain user identifiers). Implementation requires explicit approval.

Contributor Checklist

Jira ticket: APPSEC-61198

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.
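
The tag mapping listed in the description above, worked through as an added Java example (not code from this PR or from dd-trace-java). The class and method names, the `method` parameter, the sample header values, and the pairing of `restapis` with v1 spans and `apis` with v2 spans are assumptions; blank header values are treated as missing, so a blank domain header yields a path-only `http.url`.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added illustration of the tag contract in the PR description; not dd-trace-java code. */
public class InferredProxyTagsExample {

  /** Blank header values are treated the same as absent ones. */
  static String clean(String value) {
    if (value == null) return null;
    String trimmed = value.trim();
    return trimmed.isEmpty() ? null : trimmed;
  }

  static void putIfPresent(Map<String, String> tags, String key, String value) {
    if (value != null) tags.put(key, value);
  }

  /**
   * @param spanName "aws.apigateway" (v1 REST API) or "aws.httpapi" (v2 HTTP API)
   * @param method HTTP method; passed in directly because its source is not shown on the page
   * @param headers x-dd-proxy-* request headers, keyed by lower-case name
   */
  static Map<String, String> buildTags(String spanName, String method, Map<String, String> headers) {
    String domain = clean(headers.get("x-dd-proxy-domain-name"));
    String path = clean(headers.get("x-dd-proxy-path"));
    String route = clean(headers.get("x-dd-proxy-resource-path"));
    String region = clean(headers.get("x-dd-proxy-region"));
    String apiId = clean(headers.get("x-dd-proxy-api-id"));

    Map<String, String> tags = new LinkedHashMap<>();
    tags.put("span.kind", "server");
    tags.put("span.type", "web");

    // http.url: add the scheme only when there is a host to attach it to.
    if (path != null) {
      tags.put("http.url", domain != null ? "https://" + domain + path : path);
    }
    putIfPresent(tags, "http.route", route);

    // resource.name: prefer the route template, otherwise use the concrete path.
    String target = route != null ? route : path;
    if (method != null && target != null) {
      tags.put("resource.name", method + " " + target);
    }

    // Optional tags. aws_user is deliberately not emitted (PII concern noted in the PR).
    putIfPresent(tags, "account_id", clean(headers.get("x-dd-proxy-account-id")));
    putIfPresent(tags, "apiid", apiId);
    putIfPresent(tags, "region", region);
    if (region != null && apiId != null) {
      // Assumption: "restapis" goes with v1 spans and "apis" with v2 spans.
      String collection = "aws.httpapi".equals(spanName) ? "apis" : "restapis";
      tags.put("dd_resource_key", "arn:aws:apigateway:" + region + "::/" + collection + "/" + apiId);
    }
    return tags;
  }

  public static void main(String[] args) {
    // Constructed sample input: a v1 REST API request with a route template.
    Map<String, String> full = new LinkedHashMap<>();
    full.put("x-dd-proxy-domain-name", "api.example.com");
    full.put("x-dd-proxy-path", "/prod/users/42");
    full.put("x-dd-proxy-resource-path", "/users/{id}");
    full.put("x-dd-proxy-account-id", "123456789012");
    full.put("x-dd-proxy-api-id", "a1b2c3d4e5");
    full.put("x-dd-proxy-region", "eu-west-1");
    System.out.println(buildTags("aws.apigateway", "GET", full));

    // Constructed sample input: a v2 HTTP API request whose domain header is blank.
    Map<String, String> blankDomain = new LinkedHashMap<>();
    blankDomain.put("x-dd-proxy-domain-name", "");
    blankDomain.put("x-dd-proxy-path", "/orders");
    blankDomain.put("x-dd-proxy-api-id", "a1b2c3d4e5");
    blankDomain.put("x-dd-proxy-region", "eu-west-1");
    System.out.println(buildTags("aws.httpapi", "POST", blankDomain));
  }
}
```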

@jandro996 jandro996 added this to the 1.60.0 milestone Feb 10, 2026
@jandro996 jandro996 added tag: do not merge Do not merge changes comp: asm waf Application Security Management (WAF) labels Feb 10, 2026
@jandro996 jandro996 force-pushed the alejandro.gonzalez/RFC-1081 branch from 7163ef9 to 85a368c Compare February 10, 2026 12:22
@jandro996 jandro996 force-pushed the alejandro.gonzalez/RFC-1081 branch from c681b6c to c8a926f Compare February 10, 2026 13:38

pr-commenter bot commented Feb 10, 2026

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/RFC-1081
git_commit_date 1770883769 1771415889
git_commit_sha f3e5e5b 762de57
release_version 1.60.0-SNAPSHOT~f3e5e5b89b 1.60.0-SNAPSHOT~762de576c1
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1771417722 1771417722
ci_job_id 1434913943 1434913943
ci_pipeline_id 97181471 97181471
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-g643v125 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-g643v125 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 63 metrics, 8 unstable metrics.

Startup time reports for insecure-bank
[Chart: insecure-bank - global startup overhead: candidate=1.60.0-SNAPSHOT~762de576c1, baseline=1.60.0-SNAPSHOT~f3e5e5b89b]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.079 s -
Agent iast 1.231 s 151.553 ms (14.0%)
Total tracing 8.749 s -
Total iast 9.348 s 598.331 ms (6.8%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.072 s -
Agent iast 1.231 s 159.827 ms (14.9%)
Total tracing 8.734 s -
Total iast 9.358 s 623.715 ms (7.1%)
insecure-bank - break down per module: candidate=1.60.0-SNAPSHOT~762de576c1, baseline=1.60.0-SNAPSHOT~f3e5e5b89b
section tracing
crashtracking [baseline] (1.2 ms) : 0, 1200
crashtracking [candidate] (1.216 ms) : 0, 1216
BytebuddyAgent [baseline] (638.532 ms) : 0, 638532
BytebuddyAgent [candidate] (633.491 ms) : 0, 633491
AgentMeter [baseline] (29.359 ms) : 0, 29359
AgentMeter [candidate] (29.207 ms) : 0, 29207
GlobalTracer [baseline] (260.852 ms) : 0, 260852
GlobalTracer [candidate] (259.217 ms) : 0, 259217
AppSec [baseline] (33.299 ms) : 0, 33299
AppSec [candidate] (33.04 ms) : 0, 33040
Debugger [baseline] (62.819 ms) : 0, 62819
Debugger [candidate] (61.473 ms) : 0, 61473
Remote Config [baseline] (637.346 µs) : 0, 637
Remote Config [candidate] (622.644 µs) : 0, 623
Telemetry [baseline] (10.864 ms) : 0, 10864
Telemetry [candidate] (12.35 ms) : 0, 12350
Flare Poller [baseline] (6.093 ms) : 0, 6093
Flare Poller [candidate] (5.347 ms) : 0, 5347
section iast
crashtracking [baseline] (1.193 ms) : 0, 1193
crashtracking [candidate] (1.174 ms) : 0, 1174
BytebuddyAgent [baseline] (795.628 ms) : 0, 795628
BytebuddyAgent [candidate] (796.74 ms) : 0, 796740
AgentMeter [baseline] (11.238 ms) : 0, 11238
AgentMeter [candidate] (11.251 ms) : 0, 11251
GlobalTracer [baseline] (248.09 ms) : 0, 248090
GlobalTracer [candidate] (248.177 ms) : 0, 248177
AppSec [baseline] (34.902 ms) : 0, 34902
AppSec [candidate] (33.906 ms) : 0, 33906
Debugger [baseline] (64.798 ms) : 0, 64798
Debugger [candidate] (65.446 ms) : 0, 65446
Remote Config [baseline] (537.738 µs) : 0, 538
Remote Config [candidate] (536.024 µs) : 0, 536
Telemetry [baseline] (8.578 ms) : 0, 8578
Telemetry [candidate] (8.572 ms) : 0, 8572
Flare Poller [baseline] (3.476 ms) : 0, 3476
Flare Poller [candidate] (3.477 ms) : 0, 3477
IAST [baseline] (27.023 ms) : 0, 27023
IAST [candidate] (26.959 ms) : 0, 26959
Startup time reports for petclinic
[Chart: petclinic - global startup overhead: candidate=1.60.0-SNAPSHOT~762de576c1, baseline=1.60.0-SNAPSHOT~f3e5e5b89b]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.064 s -
Agent appsec 1.247 s 183.028 ms (17.2%)
Agent iast 1.242 s 178.843 ms (16.8%)
Agent profiling 1.189 s 125.569 ms (11.8%)
Total tracing 10.881 s -
Total appsec 11.078 s 196.8 ms (1.8%)
Total iast 11.177 s 295.577 ms (2.7%)
Total profiling 10.885 s 3.387 ms (0.0%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.063 s -
Agent appsec 1.239 s 176.482 ms (16.6%)
Agent iast 1.234 s 171.126 ms (16.1%)
Agent profiling 1.198 s 135.005 ms (12.7%)
Total tracing 10.95 s -
Total appsec 11.024 s 73.242 ms (0.7%)
Total iast 11.177 s 226.917 ms (2.1%)
Total profiling 10.975 s 24.866 ms (0.2%)
petclinic - break down per module: candidate=1.60.0-SNAPSHOT~762de576c1, baseline=1.60.0-SNAPSHOT~f3e5e5b89b
section tracing
crashtracking [baseline] (1.17 ms) : 0, 1170
crashtracking [candidate] (1.177 ms) : 0, 1177
BytebuddyAgent [baseline] (627.616 ms) : 0, 627616
BytebuddyAgent [candidate] (627.767 ms) : 0, 627767
AgentMeter [baseline] (28.89 ms) : 0, 28890
AgentMeter [candidate] (28.781 ms) : 0, 28781
GlobalTracer [baseline] (256.956 ms) : 0, 256956
GlobalTracer [candidate] (257.049 ms) : 0, 257049
AppSec [baseline] (32.853 ms) : 0, 32853
AppSec [candidate] (32.841 ms) : 0, 32841
Debugger [baseline] (61.901 ms) : 0, 61901
Debugger [candidate] (61.846 ms) : 0, 61846
Remote Config [baseline] (615.416 µs) : 0, 615
Remote Config [candidate] (694.854 µs) : 0, 695
Telemetry [baseline] (12.147 ms) : 0, 12147
Telemetry [candidate] (13.695 ms) : 0, 13695
Flare Poller [baseline] (6.129 ms) : 0, 6129
Flare Poller [candidate] (3.777 ms) : 0, 3777
section appsec
crashtracking [baseline] (1.191 ms) : 0, 1191
crashtracking [candidate] (1.173 ms) : 0, 1173
BytebuddyAgent [baseline] (663.198 ms) : 0, 663198
BytebuddyAgent [candidate] (658.568 ms) : 0, 658568
AgentMeter [baseline] (12.069 ms) : 0, 12069
AgentMeter [candidate] (12.01 ms) : 0, 12010
GlobalTracer [baseline] (259.497 ms) : 0, 259497
GlobalTracer [candidate] (258.169 ms) : 0, 258169
AppSec [baseline] (168.577 ms) : 0, 168577
AppSec [candidate] (167.633 ms) : 0, 167633
Debugger [baseline] (67.1 ms) : 0, 67100
Debugger [candidate] (67.239 ms) : 0, 67239
Remote Config [baseline] (653.991 µs) : 0, 654
Remote Config [candidate] (659.791 µs) : 0, 660
Telemetry [baseline] (9.64 ms) : 0, 9640
Telemetry [candidate] (9.66 ms) : 0, 9660
Flare Poller [baseline] (3.722 ms) : 0, 3722
Flare Poller [candidate] (3.819 ms) : 0, 3819
IAST [baseline] (25.491 ms) : 0, 25491
IAST [candidate] (25.086 ms) : 0, 25086
section iast
crashtracking [baseline] (1.191 ms) : 0, 1191
crashtracking [candidate] (1.182 ms) : 0, 1182
BytebuddyAgent [baseline] (803.778 ms) : 0, 803778
BytebuddyAgent [candidate] (798.239 ms) : 0, 798239
AgentMeter [baseline] (11.544 ms) : 0, 11544
AgentMeter [candidate] (11.297 ms) : 0, 11297
GlobalTracer [baseline] (249.707 ms) : 0, 249707
GlobalTracer [candidate] (248.425 ms) : 0, 248425
AppSec [baseline] (32.433 ms) : 0, 32433
AppSec [candidate] (32.19 ms) : 0, 32190
Debugger [baseline] (68.486 ms) : 0, 68486
Debugger [candidate] (68.14 ms) : 0, 68140
Remote Config [baseline] (532.801 µs) : 0, 533
Remote Config [candidate] (543.116 µs) : 0, 543
Telemetry [baseline] (8.621 ms) : 0, 8621
Telemetry [candidate] (8.545 ms) : 0, 8545
Flare Poller [baseline] (3.456 ms) : 0, 3456
Flare Poller [candidate] (3.425 ms) : 0, 3425
IAST [baseline] (27.156 ms) : 0, 27156
IAST [candidate] (26.78 ms) : 0, 26780
section profiling
crashtracking [baseline] (1.217 ms) : 0, 1217
crashtracking [candidate] (1.221 ms) : 0, 1221
BytebuddyAgent [baseline] (680.656 ms) : 0, 680656
BytebuddyAgent [candidate] (687.296 ms) : 0, 687296
AgentMeter [baseline] (8.593 ms) : 0, 8593
AgentMeter [candidate] (8.676 ms) : 0, 8676
GlobalTracer [baseline] (215.657 ms) : 0, 215657
GlobalTracer [candidate] (217.257 ms) : 0, 217257
AppSec [baseline] (32.272 ms) : 0, 32272
AppSec [candidate] (32.748 ms) : 0, 32748
Debugger [baseline] (67.265 ms) : 0, 67265
Debugger [candidate] (67.39 ms) : 0, 67390
Remote Config [baseline] (616.865 µs) : 0, 617
Remote Config [candidate] (623.233 µs) : 0, 623
Telemetry [baseline] (8.896 ms) : 0, 8896
Telemetry [candidate] (8.995 ms) : 0, 8995
Flare Poller [baseline] (3.742 ms) : 0, 3742
Flare Poller [candidate] (3.741 ms) : 0, 3741
ProfilingAgent [baseline] (100.422 ms) : 0, 100422
ProfilingAgent [candidate] (99.98 ms) : 0, 99980
Profiling [baseline] (101.001 ms) : 0, 101001
Profiling [candidate] (100.567 ms) : 0, 100567

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/RFC-1081
git_commit_date 1770883769 1771415889
git_commit_sha f3e5e5b 762de57
release_version 1.60.0-SNAPSHOT~f3e5e5b89b 1.60.0-SNAPSHOT~762de576c1
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1771418218 1771418218
ci_job_id 1434913944 1434913944
ci_pipeline_id 97181471 97181471
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-e4mq4ynw 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-e4mq4ynw 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 3 performance improvements and 8 performance regressions! Performance is the same for 9 metrics, 16 unstable metrics.

Columns: scenario; Δ mean agg_http_req_duration_p50; Δ mean agg_http_req_duration_p95; Δ mean throughput; candidate mean (agg_http_req_duration_p50, agg_http_req_duration_p95, throughput); baseline mean (agg_http_req_duration_p50, agg_http_req_duration_p95, throughput)

scenario:load:insecure-bank:profiling:high_load
  Δ mean agg_http_req_duration_p50: worse [+52.012µs; +198.178µs] or [+3.144%; +11.979%]
  Δ mean agg_http_req_duration_p95: unstable [-0.799ms; +4.913ms] or [-16.714%; +102.815%]
  Δ mean throughput: unstable [-461.534op/s; +66.284op/s] or [-20.927%; +3.005%]
  candidate mean: 1.779ms, 6.836ms, 2007.844op/s
  baseline mean: 1.654ms, 4.779ms, 2205.469op/s

scenario:load:insecure-bank:iast:high_load
  Δ mean agg_http_req_duration_p50: worse [+81.106µs; +160.731µs] or [+3.369%; +6.676%]
  Δ mean agg_http_req_duration_p95: worse [+148.369µs; +546.132µs] or [+2.086%; +7.679%]
  Δ mean throughput: unstable [-224.122op/s; +94.372op/s] or [-15.252%; +6.422%]
  candidate mean: 2.529ms, 7.459ms, 1404.562op/s
  baseline mean: 2.408ms, 7.112ms, 1469.438op/s

scenario:load:insecure-bank:iast_FULL:high_load
  Δ mean agg_http_req_duration_p50: worse [+193.890µs; +414.208µs] or [+3.891%; +8.312%]
  Δ mean agg_http_req_duration_p95: worse [+263.304µs; +835.789µs] or [+2.197%; +6.973%]
  Δ mean throughput: unstable [-122.980op/s; +45.730op/s] or [-15.047%; +5.595%]
  candidate mean: 5.287ms, 12.536ms, 778.688op/s
  baseline mean: 4.983ms, 11.986ms, 817.312op/s

scenario:load:petclinic:code_origins:high_load
  Δ mean agg_http_req_duration_p50: worse [+0.628ms; +1.397ms] or [+3.649%; +8.117%]
  Δ mean agg_http_req_duration_p95: unsure [+337.653µs; +1647.286µs] or [+1.180%; +5.755%]
  Δ mean throughput: unstable [-38.775op/s; +14.337op/s] or [-14.675%; +5.426%]
  candidate mean: 18.222ms, 29.617ms, 252.000op/s
  baseline mean: 17.210ms, 28.625ms, 264.219op/s

scenario:load:petclinic:iast:high_load
  Δ mean agg_http_req_duration_p50: worse [+687.851µs; +1008.856µs] or [+4.031%; +5.912%]
  Δ mean agg_http_req_duration_p95: worse [+0.884ms; +2.066ms] or [+3.132%; +7.318%]
  Δ mean throughput: unstable [-40.193op/s; +11.881op/s] or [-14.997%; +4.433%]
  candidate mean: 17.912ms, 29.713ms, 253.844op/s
  baseline mean: 17.064ms, 28.238ms, 268.000op/s

scenario:load:petclinic:tracing:high_load
  Δ mean agg_http_req_duration_p50: better [-882.775µs; -379.669µs] or [-4.976%; -2.140%]
  Δ mean agg_http_req_duration_p95: unsure [-1.769ms; -0.342ms] or [-6.083%; -1.177%]
  Δ mean throughput: unstable [-18.244op/s; +34.807op/s] or [-7.074%; +13.496%]
  candidate mean: 17.111ms, 28.025ms, 266.188op/s
  baseline mean: 17.742ms, 29.080ms, 257.906op/s

scenario:load:petclinic:profiling:high_load
  Δ mean agg_http_req_duration_p50: better [-1.735ms; -0.901ms] or [-8.837%; -4.592%]
  Δ mean agg_http_req_duration_p95: better [-3.307ms; -1.684ms] or [-10.450%; -5.323%]
  Δ mean throughput: unstable [-8.798op/s; +41.548op/s] or [-3.740%; +17.664%]
  candidate mean: 18.312ms, 29.148ms, 251.594op/s
  baseline mean: 19.630ms, 31.644ms, 235.219op/s

Request duration reports for insecure-bank
[Chart: insecure-bank - request duration [CI 0.99] : candidate=1.60.0-SNAPSHOT~762de576c1, baseline=1.60.0-SNAPSHOT~f3e5e5b89b]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.199 ms [1.187 ms, 1.211 ms] -
iast 3.111 ms [3.07 ms, 3.152 ms] 1.912 ms (159.5%)
iast_FULL 5.653 ms [5.597 ms, 5.71 ms] 4.454 ms (371.5%)
iast_GLOBAL 3.629 ms [3.569 ms, 3.689 ms] 2.43 ms (202.7%)
profiling 2.047 ms [2.029 ms, 2.066 ms] 848.532 µs (70.8%)
tracing 1.74 ms [1.725 ms, 1.754 ms] 540.748 µs (45.1%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.177 ms [1.165 ms, 1.188 ms] -
iast 3.259 ms [3.214 ms, 3.303 ms] 2.082 ms (176.9%)
iast_FULL 5.939 ms [5.879 ms, 5.999 ms] 4.762 ms (404.6%)
iast_GLOBAL 3.546 ms [3.484 ms, 3.609 ms] 2.37 ms (201.4%)
profiling 2.26 ms [2.239 ms, 2.281 ms] 1.083 ms (92.0%)
tracing 1.814 ms [1.798 ms, 1.831 ms] 637.494 µs (54.2%)
Request duration reports for petclinic
[Chart: petclinic - request duration [CI 0.99] : candidate=1.60.0-SNAPSHOT~762de576c1, baseline=1.60.0-SNAPSHOT~f3e5e5b89b]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 17.206 ms [17.034 ms, 17.377 ms] -
appsec 18.564 ms [18.377 ms, 18.752 ms] 1.358 ms (7.9%)
code_origins 17.656 ms [17.481 ms, 17.831 ms] 449.956 µs (2.6%)
iast 17.406 ms [17.234 ms, 17.578 ms] 200.487 µs (1.2%)
profiling 19.845 ms [19.644 ms, 20.045 ms] 2.639 ms (15.3%)
tracing 18.095 ms [17.914 ms, 18.275 ms] 888.706 µs (5.2%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 17.234 ms [17.062 ms, 17.406 ms] -
appsec 19.045 ms [18.85 ms, 19.241 ms] 1.811 ms (10.5%)
code_origins 18.52 ms [18.331 ms, 18.709 ms] 1.286 ms (7.5%)
iast 18.385 ms [18.198 ms, 18.571 ms] 1.151 ms (6.7%)
profiling 18.551 ms [18.37 ms, 18.731 ms] 1.317 ms (7.6%)
tracing 17.526 ms [17.352 ms, 17.7 ms] 291.795 µs (1.7%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/RFC-1081
git_commit_date 1770883769 1771415889
git_commit_sha f3e5e5b 762de57
release_version 1.60.0-SNAPSHOT~f3e5e5b89b 1.60.0-SNAPSHOT~762de576c1
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1771417944 1771417944
ci_job_id 1434913945 1434913945
ci_pipeline_id 97181471 97181471
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-2-eg722xvp 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-2-eg722xvp 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 1 unstable metrics.

Columns: scenario; Δ mean execution_time; candidate mean execution_time; baseline mean execution_time

scenario:dacapo:tomcat:appsec
  Δ mean execution_time: better [-1.453ms; -1.105ms] or [-38.250%; -29.100%]
  candidate mean execution_time: 2.519ms
  baseline mean execution_time: 3.798ms

Execution time for biojava
[Chart: biojava - execution time [CI 0.99] : candidate=1.60.0-SNAPSHOT~762de576c1, baseline=1.60.0-SNAPSHOT~f3e5e5b89b]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.918 s [14.918 s, 14.918 s] -
appsec 14.977 s [14.977 s, 14.977 s] 59.0 ms (0.4%)
iast 18.622 s [18.622 s, 18.622 s] 3.704 s (24.8%)
iast_GLOBAL 17.624 s [17.624 s, 17.624 s] 2.706 s (18.1%)
profiling 14.794 s [14.794 s, 14.794 s] -124.0 ms (-0.8%)
tracing 15.002 s [15.002 s, 15.002 s] 84.0 ms (0.6%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.506 s [15.506 s, 15.506 s] -
appsec 15.011 s [15.011 s, 15.011 s] -495.0 ms (-3.2%)
iast 18.282 s [18.282 s, 18.282 s] 2.776 s (17.9%)
iast_GLOBAL 17.758 s [17.758 s, 17.758 s] 2.252 s (14.5%)
profiling 14.692 s [14.692 s, 14.692 s] -814.0 ms (-5.2%)
tracing 15.142 s [15.142 s, 15.142 s] -364.0 ms (-2.3%)
Execution time for tomcat
[Chart: tomcat - execution time [CI 0.99] : candidate=1.60.0-SNAPSHOT~762de576c1, baseline=1.60.0-SNAPSHOT~f3e5e5b89b]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.484 ms [1.472 ms, 1.495 ms] -
appsec 3.798 ms [3.577 ms, 4.02 ms] 2.315 ms (156.0%)
iast 2.251 ms [2.182 ms, 2.32 ms] 767.469 µs (51.7%)
iast_GLOBAL 2.282 ms [2.213 ms, 2.351 ms] 798.374 µs (53.8%)
profiling 2.073 ms [2.019 ms, 2.128 ms] 589.769 µs (39.7%)
tracing 2.072 ms [2.019 ms, 2.126 ms] 588.674 µs (39.7%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.474 ms [1.462 ms, 1.485 ms] -
appsec 2.519 ms [2.465 ms, 2.574 ms] 1.046 ms (71.0%)
iast 2.251 ms [2.182 ms, 2.32 ms] 777.845 µs (52.8%)
iast_GLOBAL 2.299 ms [2.23 ms, 2.369 ms] 825.663 µs (56.0%)
profiling 2.498 ms [2.333 ms, 2.662 ms] 1.024 ms (69.5%)
tracing 2.07 ms [2.017 ms, 2.124 ms] 596.815 µs (40.5%)

@jandro996 jandro996 force-pushed the alejandro.gonzalez/rfc-1076 branch from 35abdf1 to 9e4cfe6 Compare February 11, 2026 10:17
Base automatically changed from alejandro.gonzalez/rfc-1076 to master February 12, 2026 08:09
@jandro996 jandro996 marked this pull request as ready for review February 12, 2026 10:29
@jandro996 jandro996 requested review from a team as code owners February 12, 2026 10:29
github-actions (Contributor) commented:

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 06ba1cf584

// Http.url - value of x-dd-proxy-domain-name + x-dd-proxy-path
span.setTag(HTTP_URL, domainName != null ? domainName + path : path);
// Http.url - https:// + x-dd-proxy-domain-name + x-dd-proxy-path
span.setTag(HTTP_URL, domainName != null ? "https://" + domainName + path : path);
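
Review bot: On the new span.setTag(HTTP_URL, ...) line, path is concatenated with no null check, so if x-dd-proxy-path is absent the value becomes "https://" + domainName + "null", and in the fallback branch the tag is set to a null value. Consider skipping the tag when path is missing. The fallback branch also still emits a scheme-less value when domainName is null, which the updated comment ("https:// + x-dd-proxy-domain-name + x-dd-proxy-path") does not mention; the comment should document that case.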

[P2] Handle empty proxy domain when composing http.url

This now treats any non-null x-dd-proxy-domain-name as usable, so an empty header value produces http.url like https:///path instead of a valid path-only URL. The code already treats empty domain as missing for service-name fallback, and before this change an empty domain naturally yielded just path; this regression can generate malformed URL tags and hurt endpoint correlation/parsing when gateways forward blank domain headers.

jandro996 (Member, Author) replied:

solved

Comment on lines +212 to +213
if (rootSpan != null && rootSpan != this.span) {
// Copy _dd.appsec.enabled metric (always 1 if present)

[P2] Copy AppSec tags without excluding local-root inferred spans

The new AppSec copy path is gated on rootSpan != this.span, but inferred proxy spans are created before the framework server span in HttpServerDecorator.startSpan, so for incoming distributed requests this inferred span is typically the local root and the condition is false. In the exact distributed-tracing scenario this change targets, _dd.appsec.enabled/_dd.appsec.json therefore never get copied, making the new propagation behavior ineffective.

@jandro996 jandro996 removed the tag: do not merge Do not merge changes label Feb 12, 2026
@jandro996 jandro996 added the type: enhancement Enhancements and improvements label Feb 12, 2026