@jandro996 jandro996 commented Nov 6, 2025

What Does This Do

Fixes IllegalFormatConversionException in IAST when Scala's BigDecimal/BigInt are used with String.format().

Added unwrapScalaNumbers() in StringOpsCallSite that:

  • Detects scala.math.ScalaNumber instances via reflection
  • Calls underlying() method to extract Java numeric types (java.math.BigDecimal, java.math.BigInteger)
  • Applies unwrapping before passing arguments to onStringFormat

This ensures type compatibility while preserving IAST taint tracking.

Enhanced formatValue() error handling to catch IllegalFormatException and log telemetry with parameter type information. This provides context for detecting similar format conversion bugs in the future while maintaining existing exception behavior.

Motivation

Error tracking report

stack trace

java.util.IllegalFormatConversionException
  at java.base/java.util.Formatter$FormatSpecifier.failConversion(Unknown Source)
  at java.base/java.util.Formatter$FormatSpecifier.printFloat(Unknown Source)
  at java.base/java.util.Formatter$FormatSpecifier.print(Unknown Source)
  at java.base/java.util.Formatter.format(Unknown Source)
  at java.base/java.util.Formatter.format(Unknown Source)
  at java.base/java.lang.String.format(Unknown Source)
  at com.datadog.iast.propagation.StringModuleImpl.onStringFormat(StringModuleImpl.java:537)
  at com.datadog.iast.propagation.StringModuleImpl.onStringFormat(StringModuleImpl.java:487)
  at datadog.trace.instrumentation.scala.StringOpsCallSite.afterInterpolation(StringOpsCallSite.java:50)
  at (redacted: 22 frames)
  at java.base/java.util.concurrent.ForkJoinTask.doExec(Unknown Source)
  at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(Unknown Source)
  at java.base/java.util.concurrent.ForkJoinPool.scan(Unknown Source)
  at java.base/java.util.concurrent.ForkJoinPool.runWorker(Unknown Source)
  at java.base/java.util.concurrent.ForkJoinWorkerThread.run(Unknown Source)

Additional Notes

Scala's String.format() internally calls unwrapArg() to convert scala.math.BigDecimal → java.math.BigDecimal before formatting. However, IAST's @CallSite.After interceptor captures arguments after Scala execution completes, receiving the original Scala types. This causes IllegalFormatConversionException when StringModuleImpl#formatValue attempts to format with incompatible types.

Contributor Checklist

Jira ticket: APPSEC-59883

@jandro996 jandro996 added type: bug Bug report and fix comp: asm iast Application Security Management (IAST) labels Nov 6, 2025
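The two changes the PR description names (unwrapping via a reflective `underlying()` call, and recording argument types when formatting fails before rethrowing) are sketched below as an added Java example; it is not the PR's code. `FakeScalaNumber` and `FakeScalaBigDecimal` are constructed stand-ins for `scala.math.ScalaNumber` and `scala.math.BigDecimal` so the demo runs without Scala on the classpath, and `unwrapNumbers`, `isInstanceOfNamed` and `formatWithContext` are hypothetical names.

```java
import java.lang.reflect.Method;
import java.math.BigDecimal;
import java.util.ArrayList;
import java.util.IllegalFormatException;
import java.util.List;
import java.util.Locale;

public class ScalaNumberUnwrapDemo {
    // Constructed stand-in for scala.math.ScalaNumber (assumption: demo runs without Scala).
    abstract static class FakeScalaNumber {
        public abstract Object underlying();
    }

    // Constructed stand-in for scala.math.BigDecimal wrapping java.math.BigDecimal.
    static final class FakeScalaBigDecimal extends FakeScalaNumber {
        private final BigDecimal value;
        FakeScalaBigDecimal(String v) { this.value = new BigDecimal(v); }
        @Override public Object underlying() { return value; }
    }

    // True if o's class or any superclass has the given name; matching by name
    // avoids a compile-time dependency on the wrapper type.
    static boolean isInstanceOfNamed(Object o, String className) {
        for (Class<?> c = o.getClass(); c != null; c = c.getSuperclass()) {
            if (c.getName().equals(className)) return true;
        }
        return false;
    }

    // Returns a copy of args with wrappers replaced by their underlying() value.
    // A reflection failure leaves the original argument in place.
    static Object[] unwrapNumbers(Object[] args, String wrapperClassName) {
        Object[] out = args.clone();
        for (int i = 0; i < out.length; i++) {
            Object arg = out[i];
            if (arg == null || !isInstanceOfNamed(arg, wrapperClassName)) continue;
            try {
                Method underlying = arg.getClass().getMethod("underlying");
                out[i] = underlying.invoke(arg);
            } catch (ReflectiveOperationException | RuntimeException e) {
                // keep the original argument
            }
        }
        return out;
    }

    // Formats; on failure records the argument types, then rethrows unchanged.
    static String formatWithContext(String fmt, Object[] args, List<String> telemetry) {
        try {
            return String.format(Locale.ROOT, fmt, args);
        } catch (IllegalFormatException e) {
            StringBuilder types = new StringBuilder();
            for (Object a : args) {
                types.append(a == null ? "null" : a.getClass().getName()).append(' ');
            }
            telemetry.add(e.getClass().getSimpleName() + " for arg types: " + types.toString().trim());
            throw e;
        }
    }

    public static void main(String[] unused) {
        // Real code would match on "scala.math.ScalaNumber" (the name given in the PR text).
        String wrapper = FakeScalaNumber.class.getName();
        Object[] captured = { new FakeScalaBigDecimal("12.5") }; // constructed sample argument
        List<String> telemetry = new ArrayList<>();
        try {
            formatWithContext("%.2f", captured, telemetry); // wrapper type is rejected by %f
        } catch (IllegalFormatException e) {
            System.out.println("raw args failed: " + telemetry.get(0));
        }
        System.out.println(formatWithContext("%.2f", unwrapNumbers(captured, wrapper), telemetry));
    }
}
```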
datadog-datadog-prod-us1 bot commented Nov 6, 2025

🎯 Code Coverage
Patch Coverage: 37.50%
Total Coverage: 78.86% (+19.19%)

This comment will be updated automatically if new data arrives.
Commit SHA: e0cf863

pr-commenter bot commented Nov 6, 2025

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/IllegalFormatConversionException-StringModuleImpl#onStringFormat
git_commit_date 1763110569 1763110804
git_commit_sha 37a6360 e0cf863
release_version 1.56.0-SNAPSHOT~37a6360670 1.56.0-SNAPSHOT~e0cf863f61
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1763112706 1763112706
ci_job_id 1234661388 1234661388
ci_pipeline_id 82379493 82379493
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-clg7cb1l 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-clg7cb1l 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 6 unstable metrics.

Startup time reports for petclinic
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.101 s -
Agent appsec 1.278 s 176.105 ms (16.0%)
Agent iast 1.236 s 134.585 ms (12.2%)
Agent profiling 1.224 s 122.154 ms (11.1%)
Total tracing 10.891 s -
Total appsec 11.023 s 132.044 ms (1.2%)
Total iast 11.242 s 351.388 ms (3.2%)
Total profiling 11.005 s 114.824 ms (1.1%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.1 s -
Agent appsec 1.278 s 178.711 ms (16.3%)
Agent iast 1.242 s 142.679 ms (13.0%)
Agent profiling 1.227 s 127.408 ms (11.6%)
Total tracing 10.734 s -
Total appsec 11.025 s 290.919 ms (2.7%)
Total iast 11.244 s 510.388 ms (4.8%)
Total profiling 11.054 s 320.024 ms (3.0%)
gantt
    title petclinic - break down per module: candidate=1.56.0-SNAPSHOT~e0cf863f61, baseline=1.56.0-SNAPSHOT~37a6360670

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.464 ms) : 0, 1464
crashtracking [candidate] (1.455 ms) : 0, 1455
BytebuddyAgent [baseline] (708.181 ms) : 0, 708181
BytebuddyAgent [candidate] (706.597 ms) : 0, 706597
GlobalTracer [baseline] (248.107 ms) : 0, 248107
GlobalTracer [candidate] (248.107 ms) : 0, 248107
AppSec [baseline] (32.156 ms) : 0, 32156
AppSec [candidate] (32.033 ms) : 0, 32033
Debugger [baseline] (64.399 ms) : 0, 64399
Debugger [candidate] (64.294 ms) : 0, 64294
Remote Config [baseline] (632.838 µs) : 0, 633
Remote Config [candidate] (621.969 µs) : 0, 622
Telemetry [baseline] (8.149 ms) : 0, 8149
Telemetry [candidate] (8.213 ms) : 0, 8213
Flare Poller [baseline] (3.637 ms) : 0, 3637
Flare Poller [candidate] (3.668 ms) : 0, 3668
section appsec
crashtracking [baseline] (1.453 ms) : 0, 1453
crashtracking [candidate] (1.454 ms) : 0, 1454
BytebuddyAgent [baseline] (727.908 ms) : 0, 727908
BytebuddyAgent [candidate] (729.695 ms) : 0, 729695
GlobalTracer [baseline] (239.954 ms) : 0, 239954
GlobalTracer [candidate] (240.207 ms) : 0, 240207
AppSec [baseline] (174.765 ms) : 0, 174765
AppSec [candidate] (173.742 ms) : 0, 173742
Debugger [baseline] (61.108 ms) : 0, 61108
Debugger [candidate] (60.939 ms) : 0, 60939
Remote Config [baseline] (730.478 µs) : 0, 730
Remote Config [candidate] (692.255 µs) : 0, 692
Telemetry [baseline] (8.298 ms) : 0, 8298
Telemetry [candidate] (8.28 ms) : 0, 8280
Flare Poller [baseline] (3.851 ms) : 0, 3851
Flare Poller [candidate] (3.828 ms) : 0, 3828
IAST [baseline] (24.697 ms) : 0, 24697
IAST [candidate] (24.713 ms) : 0, 24713
section iast
crashtracking [baseline] (1.451 ms) : 0, 1451
crashtracking [candidate] (1.454 ms) : 0, 1454
BytebuddyAgent [baseline] (828.571 ms) : 0, 828571
BytebuddyAgent [candidate] (834.236 ms) : 0, 834236
GlobalTracer [baseline] (237.986 ms) : 0, 237986
GlobalTracer [candidate] (238.32 ms) : 0, 238320
AppSec [baseline] (29.77 ms) : 0, 29770
AppSec [candidate] (29.599 ms) : 0, 29599
Debugger [baseline] (60.342 ms) : 0, 60342
Debugger [candidate] (60.587 ms) : 0, 60587
Remote Config [baseline] (541.188 µs) : 0, 541
Remote Config [candidate] (534.007 µs) : 0, 534
Telemetry [baseline] (7.637 ms) : 0, 7637
Telemetry [candidate] (7.615 ms) : 0, 7615
Flare Poller [baseline] (3.466 ms) : 0, 3466
Flare Poller [candidate] (3.434 ms) : 0, 3434
IAST [baseline] (31.61 ms) : 0, 31610
IAST [candidate] (31.694 ms) : 0, 31694
section profiling
crashtracking [baseline] (1.44 ms) : 0, 1440
crashtracking [candidate] (1.428 ms) : 0, 1428
BytebuddyAgent [baseline] (727.314 ms) : 0, 727314
BytebuddyAgent [candidate] (729.422 ms) : 0, 729422
GlobalTracer [baseline] (221.099 ms) : 0, 221099
GlobalTracer [candidate] (221.878 ms) : 0, 221878
AppSec [baseline] (32.083 ms) : 0, 32083
AppSec [candidate] (32.26 ms) : 0, 32260
Debugger [baseline] (62.859 ms) : 0, 62859
Debugger [candidate] (62.596 ms) : 0, 62596
Remote Config [baseline] (652.87 µs) : 0, 653
Remote Config [candidate] (655.953 µs) : 0, 656
Telemetry [baseline] (7.931 ms) : 0, 7931
Telemetry [candidate] (7.917 ms) : 0, 7917
Flare Poller [baseline] (3.812 ms) : 0, 3812
Flare Poller [candidate] (3.775 ms) : 0, 3775
ProfilingAgent [baseline] (96.977 ms) : 0, 96977
ProfilingAgent [candidate] (97.626 ms) : 0, 97626
Profiling [baseline] (97.562 ms) : 0, 97562
Profiling [candidate] (98.206 ms) : 0, 98206
Startup time reports for insecure-bank
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.105 s -
Agent iast 1.234 s 128.118 ms (11.6%)
Total tracing 8.818 s -
Total iast 9.551 s 733.085 ms (8.3%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.097 s -
Agent iast 1.235 s 138.723 ms (12.7%)
Total tracing 8.816 s -
Total iast 9.527 s 711.439 ms (8.1%)
gantt
    title insecure-bank - break down per module: candidate=1.56.0-SNAPSHOT~e0cf863f61, baseline=1.56.0-SNAPSHOT~37a6360670

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.507 ms) : 0, 1507
crashtracking [candidate] (1.448 ms) : 0, 1448
BytebuddyAgent [baseline] (710.988 ms) : 0, 710988
BytebuddyAgent [candidate] (705.076 ms) : 0, 705076
GlobalTracer [baseline] (249.15 ms) : 0, 249150
GlobalTracer [candidate] (247.675 ms) : 0, 247675
AppSec [baseline] (32.499 ms) : 0, 32499
AppSec [candidate] (32.251 ms) : 0, 32251
Debugger [baseline] (63.721 ms) : 0, 63721
Debugger [candidate] (63.136 ms) : 0, 63136
Remote Config [baseline] (645.074 µs) : 0, 645
Remote Config [candidate] (634.913 µs) : 0, 635
Telemetry [baseline] (8.241 ms) : 0, 8241
Telemetry [candidate] (8.079 ms) : 0, 8079
Flare Poller [baseline] (3.694 ms) : 0, 3694
Flare Poller [candidate] (3.669 ms) : 0, 3669
section iast
crashtracking [baseline] (1.466 ms) : 0, 1466
crashtracking [candidate] (1.454 ms) : 0, 1454
BytebuddyAgent [baseline] (826.945 ms) : 0, 826945
BytebuddyAgent [candidate] (828.345 ms) : 0, 828345
GlobalTracer [baseline] (236.907 ms) : 0, 236907
GlobalTracer [candidate] (237.393 ms) : 0, 237393
AppSec [baseline] (33.158 ms) : 0, 33158
AppSec [candidate] (34.205 ms) : 0, 34205
Debugger [baseline] (60.163 ms) : 0, 60163
Debugger [candidate] (60.143 ms) : 0, 60143
Remote Config [baseline] (546.192 µs) : 0, 546
Remote Config [candidate] (537.466 µs) : 0, 537
Telemetry [baseline] (7.659 ms) : 0, 7659
Telemetry [candidate] (7.66 ms) : 0, 7660
Flare Poller [baseline] (3.451 ms) : 0, 3451
Flare Poller [candidate] (3.458 ms) : 0, 3458
IAST [baseline] (28.428 ms) : 0, 28428
IAST [candidate] (27.367 ms) : 0, 27367

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/IllegalFormatConversionException-StringModuleImpl#onStringFormat
git_commit_date 1763110569 1763110804
git_commit_sha 37a6360 e0cf863
release_version 1.56.0-SNAPSHOT~37a6360670 1.56.0-SNAPSHOT~e0cf863f61
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1763113199 1763113199
ci_job_id 1234661390 1234661390
ci_pipeline_id 82379493 82379493
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-e8szsj1k 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-e8szsj1k 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 3 performance improvements and 0 performance regressions! Performance is the same for 16 metrics, 17 unstable metrics.

scenario:load:insecure-bank:iast_FULL:high_load
  • Δ mean agg_http_req_duration_p50: better, [-443.286µs; -128.422µs] or [-8.361%; -2.422%]
  • Δ mean agg_http_req_duration_p95: same, [-1118.322µs; +101.315µs] or [-8.828%; +0.800%]
  • Δ mean throughput: unstable, [-33.479op/s; +137.166op/s] or [-4.342%; +17.789%]
  • candidate mean: agg_http_req_duration_p50 5.016ms, agg_http_req_duration_p95 12.159ms, throughput 822.938op/s
  • baseline mean: agg_http_req_duration_p50 5.302ms, agg_http_req_duration_p95 12.668ms, throughput 771.094op/s
scenario:load:petclinic:profiling:high_load
  • Δ mean agg_http_req_duration_p50: better, [-2.057ms; -0.846ms] or [-10.439%; -4.292%]
  • Δ mean agg_http_req_duration_p95: better, [-3.311ms; -1.779ms] or [-10.360%; -5.568%]
  • Δ mean throughput: unstable, [-10.592op/s; +45.405op/s] or [-4.525%; +19.399%]
  • candidate mean: agg_http_req_duration_p50 18.255ms, agg_http_req_duration_p95 29.414ms, throughput 251.469op/s
  • baseline mean: agg_http_req_duration_p50 19.706ms, agg_http_req_duration_p95 31.959ms, throughput 234.062op/s
Request duration reports for insecure-bank
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.182 ms [1.171 ms, 1.194 ms] -
iast 3.256 ms [3.207 ms, 3.304 ms] 2.073 ms (175.4%)
iast_FULL 6.0 ms [5.938 ms, 6.061 ms] 4.817 ms (407.4%)
iast_GLOBAL 3.569 ms [3.509 ms, 3.629 ms] 2.387 ms (201.9%)
profiling 2.005 ms [1.987 ms, 2.023 ms] 822.577 µs (69.6%)
tracing 1.831 ms [1.816 ms, 1.847 ms] 649.166 µs (54.9%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.175 ms [1.164 ms, 1.186 ms] -
iast 3.325 ms [3.279 ms, 3.371 ms] 2.149 ms (182.9%)
iast_FULL 5.615 ms [5.558 ms, 5.671 ms] 4.44 ms (377.8%)
iast_GLOBAL 3.427 ms [3.378 ms, 3.476 ms] 2.251 ms (191.6%)
profiling 2.031 ms [2.013 ms, 2.05 ms] 856.118 µs (72.9%)
tracing 1.821 ms [1.806 ms, 1.836 ms] 646.152 µs (55.0%)
Request duration reports for petclinic
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.135 ms [17.95 ms, 18.32 ms] -
appsec 19.067 ms [18.874 ms, 19.26 ms] 932.049 µs (5.1%)
code_origins 18.09 ms [17.909 ms, 18.271 ms] -44.565 µs (-0.2%)
iast 17.967 ms [17.785 ms, 18.148 ms] -167.964 µs (-0.9%)
profiling 19.942 ms [19.733 ms, 20.151 ms] 1.807 ms (10.0%)
tracing 17.645 ms [17.469 ms, 17.82 ms] -490.187 µs (-2.7%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 19.409 ms [19.208 ms, 19.61 ms] -
appsec 18.838 ms [18.646 ms, 19.03 ms] -570.883 µs (-2.9%)
code_origins 17.959 ms [17.779 ms, 18.139 ms] -1.45 ms (-7.5%)
iast 17.814 ms [17.637 ms, 17.991 ms] -1.595 ms (-8.2%)
profiling 18.56 ms [18.378 ms, 18.741 ms] -849.34 µs (-4.4%)
tracing 17.497 ms [17.325 ms, 17.669 ms] -1.912 ms (-9.9%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/IllegalFormatConversionException-StringModuleImpl#onStringFormat
git_commit_date 1763110569 1763110804
git_commit_sha 37a6360 e0cf863
release_version 1.56.0-SNAPSHOT~37a6360670 1.56.0-SNAPSHOT~e0cf863f61
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1763112778 1763112778
ci_job_id 1234661392 1234661392
ci_pipeline_id 82379493 82379493
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-22kdd1hd 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-22kdd1hd 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.283 s [15.283 s, 15.283 s] -
appsec 15.012 s [15.012 s, 15.012 s] -271.0 ms (-1.8%)
iast 18.428 s [18.428 s, 18.428 s] 3.145 s (20.6%)
iast_GLOBAL 17.996 s [17.996 s, 17.996 s] 2.713 s (17.8%)
profiling 15.064 s [15.064 s, 15.064 s] -219.0 ms (-1.4%)
tracing 14.817 s [14.817 s, 14.817 s] -466.0 ms (-3.0%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.243 s [15.243 s, 15.243 s] -
appsec 14.673 s [14.673 s, 14.673 s] -570.0 ms (-3.7%)
iast 17.969 s [17.969 s, 17.969 s] 2.726 s (17.9%)
iast_GLOBAL 18.051 s [18.051 s, 18.051 s] 2.808 s (18.4%)
profiling 15.015 s [15.015 s, 15.015 s] -228.0 ms (-1.5%)
tracing 14.547 s [14.547 s, 14.547 s] -696.0 ms (-4.6%)
Execution time for tomcat
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.473 ms [1.462 ms, 1.485 ms] -
appsec 3.728 ms [3.508 ms, 3.949 ms] 2.255 ms (153.1%)
iast 2.212 ms [2.148 ms, 2.277 ms] 739.402 µs (50.2%)
iast_GLOBAL 2.257 ms [2.192 ms, 2.322 ms] 783.845 µs (53.2%)
profiling 2.062 ms [2.009 ms, 2.115 ms] 589.007 µs (40.0%)
tracing 2.032 ms [1.981 ms, 2.083 ms] 559.009 µs (37.9%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.472 ms [1.461 ms, 1.484 ms] -
appsec 3.662 ms [3.446 ms, 3.879 ms] 2.19 ms (148.8%)
iast 2.213 ms [2.148 ms, 2.278 ms] 741.084 µs (50.3%)
iast_GLOBAL 2.257 ms [2.192 ms, 2.322 ms] 784.721 µs (53.3%)
profiling 2.053 ms [2.001 ms, 2.106 ms] 580.964 µs (39.5%)
tracing 2.027 ms [1.976 ms, 2.077 ms] 554.543 µs (37.7%)

implementation project(':dd-trace-api')
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web', version: '2.5.4'
implementation libs.scala
implementation libs.scala213
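Review bot: at `implementation libs.scala213`, the Scala version for this test application changes with nothing in the build file saying why; the reason (reproducing the reported stack trace) is recorded only in the PR thread. A one-line comment beside the dependency would keep it from being reverted later as an accidental bump, and if `libs.scala` is dropped from this module it is worth confirming that version is still exercised by another test.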
Member Author

I've changed the Scala version just to reproduce the same stack trace reported in the issue tracker. I feel that it is not necessary to duplicate this test, as it is also covered by unit testing.

@jandro996 jandro996 marked this pull request as ready for review November 13, 2025 14:07
@jandro996 jandro996 requested review from a team as code owners November 13, 2025 14:07