Add ObjectInputStream.readObject to forbidden apis #10952
Open
Co-authored-by: dougqh <dougqh@gmail.com>
Contributor
I can only run on private repositories.
mhlidd approved these changes, Mar 24, 2026
Benchmarks (bot report)

Startup. Parameters: see matching parameters. Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 61 metrics, 10 unstable metrics.
[chart: insecure-bank - global startup overhead: candidate=1.61.0-SNAPSHOT~5bedd92d80, baseline=1.61.0-SNAPSHOT~68aa369a4f; sections: tracing, iast; series: Agent/Total for baseline and candidate]
[chart: insecure-bank - break down per module: candidate=1.61.0-SNAPSHOT~5bedd92d80, baseline=1.61.0-SNAPSHOT~68aa369a4f; sections: tracing, iast; modules: crashtracking, BytebuddyAgent, AgentMeter, GlobalTracer, IAST, AppSec, Debugger, Remote Config, Telemetry, Flare Poller]
[chart: petclinic - global startup overhead: candidate=1.61.0-SNAPSHOT~5bedd92d80, baseline=1.61.0-SNAPSHOT~68aa369a4f; sections: tracing, appsec, iast, profiling; series: Agent/Total for baseline and candidate]
[chart: petclinic - break down per module: candidate=1.61.0-SNAPSHOT~5bedd92d80, baseline=1.61.0-SNAPSHOT~68aa369a4f; sections: tracing, appsec, iast, profiling; modules as above plus ProfilingAgent and Profiling]

Load. Parameters: see matching parameters. Summary: Found 5 performance improvements and 0 performance regressions! Performance is the same for 15 metrics, 16 unstable metrics.
[chart: petclinic - request duration [CI 0.99]: candidate=1.61.0-SNAPSHOT~5bedd92d80, baseline=1.61.0-SNAPSHOT~68aa369a4f; sections: baseline, candidate; series: no_agent, appsec, code_origins, iast, profiling, tracing]
[chart: insecure-bank - request duration [CI 0.99]: candidate=1.61.0-SNAPSHOT~5bedd92d80, baseline=1.61.0-SNAPSHOT~68aa369a4f; sections: baseline, candidate; series: no_agent, iast, iast_FULL, iast_GLOBAL, profiling, tracing]

Dacapo. Parameters: see matching parameters. Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.
[chart: biojava - execution time [CI 0.99]: candidate=1.61.0-SNAPSHOT~5bedd92d80, baseline=1.61.0-SNAPSHOT~68aa369a4f; sections: baseline, candidate; series: no_agent, appsec, iast, iast_GLOBAL, profiling, tracing]
[chart: tomcat - execution time [CI 0.99]: candidate=1.61.0-SNAPSHOT~5bedd92d80, baseline=1.61.0-SNAPSHOT~68aa369a4f; sections: baseline, candidate; series: no_agent, appsec, iast, iast_GLOBAL, profiling, tracing]
PerfectSlayer approved these changes, Mar 25, 2026
| java.lang.reflect.Field#setDouble(java.lang.Object,double) | ||
| java.lang.invoke.MethodHandles.Lookup#unreflectSetter(java.lang.reflect.Field) | ||
|
|
||
| # avoid Java deserialization entrypoint |
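Review bot: the added comment "# avoid Java deserialization entrypoint" records the intent but not the reason, and a "#" comment in a forbiddenapis signatures file is seen only by someone who opens the file, whereas the text a developer sees when the build fails comes from the @defaultMessage line above the signature. Put the rationale in both places: the @defaultMessage should say that ObjectInputStream.readObject() instantiates whatever classes an untrusted stream names and point to the sanctioned alternative, and the comment should carry a pointer to the JDK ObjectInputStream/ObjectInputFilter documentation and the serialization section of the Secure Coding Guidelines for Java SE, which is the reference the review below asks for.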
Contributor
🎯 suggestion: What about adding a reference to the security concerns expressed in the JDK documentation, or even the related secure coding guidelines?
What Does This Do
Adds a forbidden API filter to prevent the use of ObjectInputStream.readObject()

Motivation
Restrict future use of ObjectInputStream

Additional Notes
The filter includes a descriptive error message to guide developers on the proper way to handle exceptions when deserialization is required. This follows the same pattern as other reflection-based forbidden APIs already configured in the project.
Contributor Checklist
type: and (comp: or inst:) labels in addition to any other useful labels
close, fix, or any linking keywords when referencing an issue: use solves instead, and assign the PR milestone to the issue
Jira ticket: APMLP-1135

PR by Bits