@jandro996 jandro996 commented Dec 9, 2025

What Does This Do

This PR adds support for extracting and emitting a unique security_response_id (UUIDv4 format) in AppSec blocking responses, generated by libddwaf v17.3.0.

Implementation flow:

  1. Extraction (WAFModule.java): When libddwaf triggers a blocking action, extract the security_response_id from actionInfo.parameters and pass it to RequestBlockingAction constructor
  2. Propagation (Flow.java): Add securityResponseId field to RequestBlockingAction class with getter method and update all constructors (including forRedirect() factory method)
  3. Servlet Integration: Update all blocking helper implementations to pass securityResponseId through to template rendering
  4. Template Rendering (BlockingActionHelper.java):
    - Add blockId parameter to getTemplate() method
    - Replace {security_response_id} placeholder in HTML template
    - Add security_response_id field in JSON template
    - Append ?security_response_id=<uuid> to redirect URLs

Result: Blocking responses now include the unique identifier in all response types (JSON, HTML, redirect), enabling customers to track and debug specific blocking events.

Motivation

Per RFC-1070, libddwaf v17.3.0 generates a UUIDv4 as security_response_id in action parameters to provide unique identifiers for each blocking event. This PR implements the required changes:

  • Extract: Retrieve security_response_id from libddwaf action parameters in WAFModule.java
  • Propagate: Add blockId field to Flow.Action.RequestBlockingAction and pass it through all servlet blocking helpers
  • Emit:
    • JSON responses: Include as "security_response_id": "<uuid>" field
    • HTML responses: Replace {security_response_id} placeholder with actual UUID
    • Redirect responses: Append as URL query parameter ?security_response_id=<uuid>

This enables customers to uniquely identify and track specific blocking events for debugging and analysis.

Jira ticket: [APPSEC-60242]
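As an added illustration of the "Emit" step described in the PR (not code from this PR or from dd-trace-java), the following Java class renders the id into the three response types and treats a missing or malformed id as "no id" rather than emitting it. The class and method names, the placeholder token and the sample templates are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added illustration of the "Emit" step; not dd-trace-java's BlockingActionHelper.
// Class name, method names, the placeholder token and the sample templates are assumptions.
public final class SecurityResponseIdEmitter {
  // Strict UUIDv4 shape (version nibble 4, variant nibble 8-b). Anything else is
  // treated as "no id", so only a known-safe value is ever written into HTML, JSON or a URL.
  private static final Pattern UUID_V4 = Pattern.compile(
      "^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$",
      Pattern.CASE_INSENSITIVE);
  private static final String PLACEHOLDER = "{security_response_id}";

  private SecurityResponseIdEmitter() {}

  /** Returns the id when it is a well-formed UUIDv4, otherwise null. */
  static String sanitize(String id) {
    return id != null && UUID_V4.matcher(id).matches() ? id : null;
  }

  /** HTML: substitute the placeholder; with no id, strip it rather than leaving it in the page. */
  static byte[] renderHtml(byte[] template, String id) {
    String safe = sanitize(id);
    String html = new String(template, StandardCharsets.UTF_8)
        .replace(PLACEHOLDER, safe == null ? "" : safe);
    return html.getBytes(StandardCharsets.UTF_8);
  }

  /** JSON: add a "security_response_id" member to a flat object template; omit it with no id. */
  static byte[] renderJson(byte[] template, String id) {
    String safe = sanitize(id);
    String json = new String(template, StandardCharsets.UTF_8).trim();
    if (safe == null || !json.endsWith("}")) {
      return json.getBytes(StandardCharsets.UTF_8);
    }
    String body = json.substring(0, json.length() - 1).trim();
    String sep = body.endsWith("{") ? "" : ",";
    String out = body + sep + "\"security_response_id\":\"" + safe + "\"}";
    return out.getBytes(StandardCharsets.UTF_8);
  }

  /** Redirect: append security_response_id as a query parameter, honouring an existing query and fragment. */
  static String appendToRedirect(String location, String id) {
    String safe = sanitize(id); // a sanitized UUID contains only [0-9a-f-], so it needs no URL encoding
    if (safe == null) {
      return location;
    }
    int hash = location.indexOf('#');
    String base = hash >= 0 ? location.substring(0, hash) : location;
    String fragment = hash >= 0 ? location.substring(hash) : "";
    String sep = base.indexOf('?') >= 0 ? "&" : "?";
    return base + sep + "security_response_id=" + safe + fragment;
  }

  public static void main(String[] args) {
    // Constructed sample id and templates, not values from the PR.
    String id = "3f2b7c1e-8d4a-4b6e-9f0c-1a2b3c4d5e6f";
    byte[] html = "<p>Request blocked. Reference: {security_response_id}</p>"
        .getBytes(StandardCharsets.UTF_8);
    byte[] json = "{\"errors\":[{\"title\":\"You've been blocked\"}]}"
        .getBytes(StandardCharsets.UTF_8);
    System.out.println(new String(renderHtml(html, id), StandardCharsets.UTF_8));
    System.out.println(new String(renderJson(json, id), StandardCharsets.UTF_8));
    System.out.println(appendToRedirect("https://example.com/blocked?src=waf#top", id));
    // Malformed or absent id: emitted nowhere, placeholder stripped.
    System.out.println(appendToRedirect("https://example.com/blocked", "not-a-uuid"));
    System.out.println(new String(renderHtml(html, null), StandardCharsets.UTF_8));
  }
}
```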

@jandro996 jandro996 added type: enhancement Enhancements and improvements comp: asm waf Application Security Management (WAF) labels Dec 9, 2025
pr-commenter bot commented Dec 9, 2025

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/security-response-id
git_commit_date 1766071645 1766073541
git_commit_sha 6ccbc06 caa5209
release_version 1.58.0-SNAPSHOT~6ccbc0607e 1.58.0-SNAPSHOT~caa52091a1
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1766075386 1766075386
ci_job_id 1306702495 1306702495
ci_pipeline_id 87587335 87587335
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-x6e37usp 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-x6e37usp 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 55 metrics, 10 unstable metrics.

Startup time reports for petclinic
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.086 s -
Agent appsec 1.264 s 177.998 ms (16.4%)
Agent iast 1.226 s 139.776 ms (12.9%)
Agent profiling 1.213 s 127.55 ms (11.7%)
Total tracing 10.767 s -
Total appsec 10.867 s 99.156 ms (0.9%)
Total iast 11.249 s 482.053 ms (4.5%)
Total profiling 10.989 s 221.357 ms (2.1%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.085 s -
Agent appsec 1.27 s 185.65 ms (17.1%)
Agent iast 1.224 s 139.227 ms (12.8%)
Agent profiling 1.204 s 119.537 ms (11.0%)
Total tracing 10.908 s -
Total appsec 11.045 s 136.248 ms (1.2%)
Total iast 11.215 s 307.114 ms (2.8%)
Total profiling 10.86 s -48.407 ms (-0.4%)
[Chart: petclinic - break down per module: candidate=1.58.0-SNAPSHOT~caa52091a1, baseline=1.58.0-SNAPSHOT~6ccbc0607e]
Startup time reports for insecure-bank
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.08 s -
Agent iast 1.221 s 140.924 ms (13.1%)
Total tracing 8.716 s -
Total iast 9.332 s 615.86 ms (7.1%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.091 s -
Agent iast 1.222 s 131.032 ms (12.0%)
Total tracing 8.742 s -
Total iast 9.299 s 556.792 ms (6.4%)
[Chart: insecure-bank - break down per module: candidate=1.58.0-SNAPSHOT~caa52091a1, baseline=1.58.0-SNAPSHOT~6ccbc0607e]

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/security-response-id
git_commit_date 1766071645 1766073541
git_commit_sha 6ccbc06 caa5209
release_version 1.58.0-SNAPSHOT~6ccbc0607e 1.58.0-SNAPSHOT~caa52091a1
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1766075883 1766075883
ci_job_id 1306702497 1306702497
ci_pipeline_id 87587335 87587335
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-57p0glcm 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-57p0glcm 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 3 performance improvements and 2 performance regressions! Performance is the same for 16 metrics, 15 unstable metrics.

scenario:load:insecure-bank:tracing:high_load
  Δ mean agg_http_req_duration_p50: worse [+33.427µs; +134.208µs] or [+2.219%; +8.908%]
  Δ mean agg_http_req_duration_p95: unstable [+378.856µs; +1160.645µs] or [+9.233%; +28.285%]
  Δ mean throughput: unstable [-532.727op/s; +78.039op/s] or [-21.647%; +3.171%]
  candidate mean: p50 1.590ms, p95 4.873ms, throughput 2233.594op/s
  baseline mean: p50 1.507ms, p95 4.103ms, throughput 2460.938op/s
scenario:load:insecure-bank:iast:high_load
  Δ mean agg_http_req_duration_p50: unsure [-166.120µs; -50.998µs] or [-6.423%; -1.972%]
  Δ mean agg_http_req_duration_p95: better [-581.030µs; -169.970µs] or [-7.652%; -2.238%]
  Δ mean throughput: unstable [-104.239op/s; +239.051op/s] or [-7.560%; +17.338%]
  candidate mean: p50 2.478ms, p95 7.218ms, throughput 1446.188op/s
  baseline mean: p50 2.586ms, p95 7.593ms, throughput 1378.781op/s
scenario:load:insecure-bank:profiling:high_load
  Δ mean agg_http_req_duration_p50: worse [+60.064µs; +189.989µs] or [+3.762%; +11.900%]
  Δ mean agg_http_req_duration_p95: unstable [+222.824µs; +1089.082µs] or [+4.990%; +24.391%]
  Δ mean throughput: unstable [-499.481op/s; +80.981op/s] or [-21.606%; +3.503%]
  candidate mean: p50 1.722ms, p95 5.121ms, throughput 2102.531op/s
  baseline mean: p50 1.597ms, p95 4.465ms, throughput 2311.781op/s
scenario:load:insecure-bank:iast_FULL:high_load
  Δ mean agg_http_req_duration_p50: better [-535.077µs; -249.757µs] or [-10.020%; -4.677%]
  Δ mean agg_http_req_duration_p95: better [-1311.696µs; -594.781µs] or [-10.301%; -4.671%]
  Δ mean throughput: unstable [-42.829op/s; +145.954op/s] or [-5.542%; +18.887%]
  candidate mean: p50 4.948ms, p95 11.780ms, throughput 824.344op/s
  baseline mean: p50 5.340ms, p95 12.734ms, throughput 772.781op/s
Request duration reports for petclinic
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.964 ms [18.774 ms, 19.155 ms] -
appsec 18.482 ms [18.297 ms, 18.667 ms] -482.758 µs (-2.5%)
code_origins 17.716 ms [17.539 ms, 17.892 ms] -1.249 ms (-6.6%)
iast 17.406 ms [17.232 ms, 17.58 ms] -1.558 ms (-8.2%)
profiling 18.672 ms [18.484 ms, 18.86 ms] -292.079 µs (-1.5%)
tracing 17.813 ms [17.637 ms, 17.988 ms] -1.152 ms (-6.1%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.263 ms [18.078 ms, 18.448 ms] -
appsec 18.513 ms [18.323 ms, 18.702 ms] 249.914 µs (1.4%)
code_origins 17.894 ms [17.715 ms, 18.074 ms] -368.526 µs (-2.0%)
iast 17.608 ms [17.43 ms, 17.786 ms] -654.556 µs (-3.6%)
profiling 18.582 ms [18.399 ms, 18.766 ms] 319.64 µs (1.8%)
tracing 17.593 ms [17.42 ms, 17.766 ms] -669.387 µs (-3.7%)
Request duration reports for insecure-bank
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.196 ms [1.184 ms, 1.208 ms] -
iast 3.321 ms [3.278 ms, 3.364 ms] 2.125 ms (177.6%)
iast_FULL 5.986 ms [5.924 ms, 6.047 ms] 4.79 ms (400.4%)
iast_GLOBAL 3.75 ms [3.681 ms, 3.818 ms] 2.554 ms (213.5%)
profiling 1.95 ms [1.933 ms, 1.967 ms] 753.929 µs (63.0%)
tracing 1.828 ms [1.812 ms, 1.843 ms] 631.77 µs (52.8%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.2 ms [1.188 ms, 1.212 ms] -
iast 3.162 ms [3.125 ms, 3.199 ms] 1.963 ms (163.6%)
iast_FULL 5.605 ms [5.55 ms, 5.66 ms] 4.406 ms (367.2%)
iast_GLOBAL 3.682 ms [3.622 ms, 3.742 ms] 2.482 ms (206.9%)
profiling 2.152 ms [2.133 ms, 2.17 ms] 952.171 µs (79.4%)
tracing 2.022 ms [2.001 ms, 2.043 ms] 822.483 µs (68.6%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/security-response-id
git_commit_date 1766071645 1766073541
git_commit_sha 6ccbc06 caa5209
release_version 1.58.0-SNAPSHOT~6ccbc0607e 1.58.0-SNAPSHOT~caa52091a1
Baseline Candidate
application biojava biojava
ci_job_date 1766075623 1766075623
ci_job_id 1306702499 1306702499
ci_pipeline_id 87587335 87587335
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-h5vyyyfc 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-h5vyyyfc 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.925 s [14.925 s, 14.925 s] -
appsec 14.547 s [14.547 s, 14.547 s] -378.0 ms (-2.5%)
iast 18.247 s [18.247 s, 18.247 s] 3.322 s (22.3%)
iast_GLOBAL 17.716 s [17.716 s, 17.716 s] 2.791 s (18.7%)
profiling 15.251 s [15.251 s, 15.251 s] 326.0 ms (2.2%)
tracing 14.597 s [14.597 s, 14.597 s] -328.0 ms (-2.2%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.783 s [14.783 s, 14.783 s] -
appsec 14.825 s [14.825 s, 14.825 s] 42.0 ms (0.3%)
iast 18.378 s [18.378 s, 18.378 s] 3.595 s (24.3%)
iast_GLOBAL 17.891 s [17.891 s, 17.891 s] 3.108 s (21.0%)
profiling 15.383 s [15.383 s, 15.383 s] 600.0 ms (4.1%)
tracing 14.903 s [14.903 s, 14.903 s] 120.0 ms (0.8%)
Execution time for tomcat
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.473 ms [1.462 ms, 1.485 ms] -
appsec 3.71 ms [3.492 ms, 3.929 ms] 2.237 ms (151.8%)
iast 2.215 ms [2.149 ms, 2.28 ms] 741.081 µs (50.3%)
iast_GLOBAL 2.252 ms [2.187 ms, 2.318 ms] 778.834 µs (52.9%)
profiling 2.054 ms [2.001 ms, 2.107 ms] 580.934 µs (39.4%)
tracing 2.042 ms [1.991 ms, 2.093 ms] 568.26 µs (38.6%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.47 ms [1.459 ms, 1.482 ms] -
appsec 3.653 ms [3.436 ms, 3.869 ms] 2.183 ms (148.5%)
iast 2.211 ms [2.146 ms, 2.276 ms] 740.62 µs (50.4%)
iast_GLOBAL 2.255 ms [2.189 ms, 2.32 ms] 784.371 µs (53.4%)
profiling 2.111 ms [2.055 ms, 2.168 ms] 641.051 µs (43.6%)
tracing 2.04 ms [1.989 ms, 2.091 ms] 569.782 µs (38.8%)

Base automatically changed from alejandro.gonzalez/appsec-block-refactor to master December 11, 2025 15:52
@jandro996 jandro996 force-pushed the alejandro.gonzalez/security-response-id branch from 8911a23 to d3c9024 Compare December 11, 2025 16:26
@jandro996 jandro996 marked this pull request as ready for review December 16, 2025 10:56
@jandro996 jandro996 requested review from a team as code owners December 16, 2025 10:56
@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Comment on lines 60 to +64
return new RequestBlockingAction(
statusCode, BlockingContentType.NONE, Collections.singletonMap("Location", location));
statusCode,
BlockingContentType.NONE,
Collections.singletonMap("Location", location),
null);
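Review bot: the new forRedirect(...) body passes a literal null as the securityResponseId argument, while the PR description states that forRedirect() was updated to carry the id; add a securityResponseId parameter to forRedirect and pass it through here, so redirect actions can emit the ?security_response_id=<uuid> query parameter the PR sets out to add.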


P1: Propagate security_response_id for redirect actions

Redirect blocking actions drop the security_response_id even though WAFModule extracts it: RequestBlockingAction.forRedirect(...) always builds the action with a null securityResponseId, so BlockResponseFunction implementations later see a null value and cannot add the identifier to redirect responses. When libddwaf 17.3.0 returns a redirect_request with a generated security_response_id but the Location URL has no placeholder, the ID is lost and the redirect sent to the client lacks the unique identifier the feature is meant to surface.


@jandro996 jandro996 requested a review from a team as a code owner December 16, 2025 15:57
@jandro996 jandro996 requested review from sarahchen6 and removed request for a team December 16, 2025 15:57

String templateString = new String(template, java.nio.charset.StandardCharsets.UTF_8);
String replacedTemplate = templateString.replace("[security_response_id]", replacementValue);
return replacedTemplate.getBytes(java.nio.charset.StandardCharsets.UTF_8);
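Review bot: the token replaced here is "[security_response_id]", while the PR description says the HTML template uses the {security_response_id} placeholder; align the template and this code on one token so the id is actually substituted. Also, String.replace(CharSequence, CharSequence) throws a NullPointerException when replacementValue is null, so if the id can be absent, resolve it to an empty string before this call rather than letting a blocking response fail.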


Use imports here please

def securityResponseId = '12345678-1234-1234-1234-123456789abc'

when:
def template = BlockingActionHelper.getTemplate(HTML, securityResponseId)
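Review bot: alongside the fixed-id case, add a case that calls getTemplate(HTML, null) and asserts that the output contains neither the placeholder nor the literal string "null", since that is the path taken whenever no id is supplied.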


Maybe you can parameterize the tests with a where to reduce the amount of code.

boolean res =
blockResponseFunction.tryCommitBlockingResponse(
reqCtx.getTraceSegment(), statusCode, templateType, extraHeaders);
reqCtx.getTraceSegment(), statusCode, templateType, extraHeaders, null);
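Review bot: the trailing null at this call site is the only signal that the public-API blocking path carries no security_response_id; a short comment there (or a named constant) stating that the id is deliberately not exposed through the public API will keep a later change from wiring it through by accident.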


Should we expose the block id in the external public API?

Member Author

Not sure; it is not specified in the RFC. I'm asking the other teams about their implementations and aiming to specify it in the RFC.
Right now the answer IMHO is no.

Member Author

Confirmed, we don't want to expose that.

context);
}

public static boolean block(


Does it make sense to keep the old blocking method without ID?

Member Author

No, thanks for the advice!

@jandro996 jandro996 requested review from a team as code owners December 18, 2025 13:19
@jandro996 jandro996 requested review from Mariovido and erikayasuda and removed request for a team December 18, 2025 13:19