
Implemented New API Security Sampling mechanism #8178

Open
wants to merge 12 commits into base: master

Conversation

@ValentinZakharov (Contributor) commented Jan 10, 2025

What Does This Do

Implemented new endpoint-based API Security Sampling mechanism.

  • Removed old sampling
  • Removed sampling configuration via remote-config
  • Introduced API Access Tracker to be used for sampling

Motivation

For API Security we need to compute and send schemas for HTTP requests. A schema contains information about the types of data transmitted in an HTTP request.
The schemas we compute/collect:

  • Request headers
  • Request body
  • Request cookies
  • Request path params
  • Request query
  • Response headers
  • Response body

Computing schemas is a resource-consuming task and introduces additional overhead. In the current implementation, schema computation occurs in the same thread that processes the HTTP request. The computation happens after committing the response to the client. This means that even after the response is sent, the thread remains occupied with schema computation. If all threads are busy with such computations, new requests will have to wait for a free thread. This can lead to increased response times or even a denial of service.

Requests to the same endpoint with the same method and parameters generally have a stable data structure. This makes repeated schema computations redundant in most cases. To optimize this, we introduced the Api Security Sampling mechanism, which skips redundant computations for identical schemas. Schema computation is performed only when a new unique request is encountered or when the previously cached schema has expired.

To implement Sampling, we use the ApiAccessTracker, which caches requests by recording combinations of route, method, and status. These records are temporarily stored in memory, and Sampling checks them to determine whether a schema for the given combination has already been computed. If the schema is missing or has expired (more than 30 seconds have passed), it triggers a new computation.

Api Security Sampling reduces computational overhead by decreasing the number of unique schema computation operations. This decreases CPU usage and speeds up request processing.


Jira ticket: [PROJ-IDENT]
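A sampler along the lines described above, as an added example that is not the PR's ApiAccessTracker code: the class and method names are hypothetical, the cache is keyed by the full (method, route, status) tuple rather than a hash, eviction uses an access-ordered LinkedHashMap, and the clock is injectable so the 30-second expiration can be exercised without waiting.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.function.LongSupplier;

/**
 * Endpoint-based sampler (hypothetical example, not the project's class).
 * Remembers (method, route, status) combinations whose schema was recently
 * computed and answers whether a request needs a fresh schema computation.
 */
public final class EndpointSchemaSampler {
  private final long expirationNanos;
  private final LongSupplier clock;            // monotonic clock, injectable for tests
  private final Map<String, Long> lastComputed; // key -> time of last computation

  public EndpointSchemaSampler(int capacity, long expirationMs, LongSupplier clock) {
    this.expirationNanos = TimeUnit.MILLISECONDS.toNanos(expirationMs);
    this.clock = clock;
    // Access-ordered LinkedHashMap: the third constructor argument (true) makes
    // iteration order follow recency of access, so removeEldestEntry evicts the
    // least-recently-used endpoint once the capacity is exceeded.
    this.lastComputed =
        new LinkedHashMap<String, Long>(capacity, 0.75f, true) {
          @Override
          protected boolean removeEldestEntry(Map.Entry<String, Long> eldest) {
            return size() > capacity;
          }
        };
  }

  /** The key is the full tuple, so two distinct endpoints can never share an entry. */
  static String key(String route, String method, int statusCode) {
    return method + " " + route + " " + statusCode;
  }

  /**
   * Returns true when the caller should compute the schema for this request:
   * the endpoint is new, or its last computation is older than the expiration.
   * The computation time is recorded whenever true is returned.
   */
  public boolean shouldComputeSchema(String route, String method, int statusCode) {
    Objects.requireNonNull(route, "route");
    Objects.requireNonNull(method, "method");
    String k = key(route, method, statusCode);
    long now = clock.getAsLong();
    // Single lock for clarity; a hot-path implementation would shard or use a
    // concurrent structure to avoid serialising every request here.
    synchronized (lastComputed) {
      Long last = lastComputed.get(k);
      if (last != null && now - last < expirationNanos) {
        return false; // schema still fresh: skip the expensive computation
      }
      lastComputed.put(k, now);
      return true;
    }
  }

  public static void main(String[] args) {
    long[] fakeNow = {0L}; // constructed clock value, advanced by hand below
    EndpointSchemaSampler s = new EndpointSchemaSampler(2, 30_000, () -> fakeNow[0]);
    System.out.println(s.shouldComputeSchema("/users/{id}", "GET", 200)); // true: new endpoint
    System.out.println(s.shouldComputeSchema("/users/{id}", "GET", 200)); // false: cached
    System.out.println(s.shouldComputeSchema("/users/{id}", "GET", 404)); // true: different status
    fakeNow[0] += TimeUnit.SECONDS.toNanos(31);
    System.out.println(s.shouldComputeSchema("/users/{id}", "GET", 200)); // true: expired after 30 s
    // Capacity is 2: a third endpoint evicts the least recently used one (GET 404).
    System.out.println(s.shouldComputeSchema("/login", "POST", 200));     // true: new endpoint
    System.out.println(s.shouldComputeSchema("/users/{id}", "GET", 404)); // true: was evicted
  }
}
```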

@ValentinZakharov ValentinZakharov self-assigned this Jan 10, 2025
@ValentinZakharov ValentinZakharov added the comp: asm waf Application Security Management (WAF) label Jan 10, 2025
@ValentinZakharov ValentinZakharov changed the title from "Implemented new API Security Sampling" to "Implemented New API Security Sampling mechanism" Jan 10, 2025

pr-commenter bot commented Jan 10, 2025

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master vzakharov/api_sec_sampling_new
git_commit_date 1738082820 1738089165
git_commit_sha 9efa100 bc70627
release_version 1.46.0-SNAPSHOT~9efa100588 1.46.0-SNAPSHOT~bc70627cbd
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1738091457 1738091457
ci_job_id 784182242 784182242
ci_pipeline_id 54229670 54229670
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-xcwqdre5-project-304-concurrent-0-tg0f4d74 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux Linux runner-xcwqdre5-project-304-concurrent-0-tg0f4d74 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 52 metrics, 11 unstable metrics.

Startup time reports for insecure-bank
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.049 s -
Agent iast 1.179 s 129.811 ms (12.4%)
Agent iast_HARDCODED_SECRET_DISABLED 1.169 s 119.793 ms (11.4%)
Agent iast_TELEMETRY_OFF 1.167 s 117.71 ms (11.2%)
Total tracing 8.683 s -
Total iast 9.281 s 598.03 ms (6.9%)
Total iast_HARDCODED_SECRET_DISABLED 9.223 s 539.705 ms (6.2%)
Total iast_TELEMETRY_OFF 9.226 s 543.179 ms (6.3%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.04 s -
Agent iast 1.179 s 138.248 ms (13.3%)
Agent iast_HARDCODED_SECRET_DISABLED 1.177 s 136.954 ms (13.2%)
Agent iast_TELEMETRY_OFF 1.166 s 125.375 ms (12.1%)
Total tracing 8.657 s -
Total iast 9.265 s 608.044 ms (7.0%)
Total iast_HARDCODED_SECRET_DISABLED 9.28 s 622.986 ms (7.2%)
Total iast_TELEMETRY_OFF 9.26 s 603.667 ms (7.0%)
Break down per module for insecure-bank (candidate=1.46.0-SNAPSHOT~bc70627cbd, baseline=1.46.0-SNAPSHOT~9efa100588)
Variant Module Baseline Candidate
tracing BytebuddyAgent 720.714 ms 715.99 ms
tracing GlobalTracer 242.078 ms 240.16 ms
tracing AppSec 55.8 ms 56.615 ms
tracing Remote Config 723.041 µs 720.773 µs
tracing Telemetry 14.731 ms 11.564 ms
iast BytebuddyAgent 841.715 ms 839.954 ms
iast GlobalTracer 232.992 ms 232.39 ms
iast IAST 25.648 ms 25.901 ms
iast AppSec 54.177 ms 55.508 ms
iast Remote Config 622.393 µs 656.858 µs
iast Telemetry 8.741 ms 8.759 ms
iast_HARDCODED_SECRET_DISABLED BytebuddyAgent 834.525 ms 840.018 ms
iast_HARDCODED_SECRET_DISABLED GlobalTracer 230.682 ms 232.022 ms
iast_HARDCODED_SECRET_DISABLED IAST 27.179 ms 27.332 ms
iast_HARDCODED_SECRET_DISABLED AppSec 52.254 ms 53.279 ms
iast_HARDCODED_SECRET_DISABLED Remote Config 617.95 µs 616.647 µs
iast_HARDCODED_SECRET_DISABLED Telemetry 8.708 ms 8.663 ms
iast_TELEMETRY_OFF BytebuddyAgent 831.572 ms 830.701 ms
iast_TELEMETRY_OFF GlobalTracer 230.799 ms 230.821 ms
iast_TELEMETRY_OFF IAST 23.87 ms 24.338 ms
iast_TELEMETRY_OFF AppSec 56.276 ms 55.466 ms
iast_TELEMETRY_OFF Remote Config 625.939 µs 608.744 µs
iast_TELEMETRY_OFF Telemetry 8.72 ms 8.521 ms
Startup time reports for petclinic
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.043 s -
Agent appsec 1.186 s 143.585 ms (13.8%)
Agent iast 1.17 s 127.002 ms (12.2%)
Agent profiling 1.268 s 225.878 ms (21.7%)
Total tracing 10.534 s -
Total appsec 10.776 s 242.281 ms (2.3%)
Total iast 11.056 s 522.13 ms (5.0%)
Total profiling 10.96 s 426.284 ms (4.0%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.041 s -
Agent appsec 1.19 s 148.568 ms (14.3%)
Agent iast 1.169 s 128.017 ms (12.3%)
Agent profiling 1.259 s 218.022 ms (20.9%)
Total tracing 10.505 s -
Total appsec 10.803 s 297.511 ms (2.8%)
Total iast 10.962 s 456.335 ms (4.3%)
Total profiling 10.838 s 332.526 ms (3.2%)
Break down per module for petclinic (candidate=1.46.0-SNAPSHOT~bc70627cbd, baseline=1.46.0-SNAPSHOT~9efa100588)
Variant Module Baseline Candidate
tracing BytebuddyAgent 717.481 ms 714.608 ms
tracing GlobalTracer 240.584 ms 240.375 ms
tracing AppSec 56.025 ms 57.132 ms
tracing Remote Config 730.986 µs 721.165 µs
tracing Telemetry 12.463 ms 12.932 ms
appsec BytebuddyAgent 736.004 ms 737.61 ms
appsec GlobalTracer 238.477 ms 239.142 ms
appsec AppSec 176.556 ms 177.597 ms
appsec Remote Config 658.336 µs 684.471 µs
appsec Telemetry 8.32 ms 8.315 ms
appsec IAST 21.636 ms 21.742 ms
iast BytebuddyAgent 833.816 ms 833.049 ms
iast GlobalTracer 231.346 ms 230.669 ms
iast AppSec 53.883 ms 55.061 ms
iast Remote Config 619.934 µs 614.745 µs
iast Telemetry 8.822 ms 8.749 ms
iast IAST 25.743 ms 24.865 ms
profiling ProfilingAgent 97.038 ms 95.403 ms
profiling BytebuddyAgent 710.465 ms 705.181 ms
profiling GlobalTracer 353.369 ms 351.413 ms
profiling AppSec 55.449 ms 55.117 ms
profiling Remote Config 715.128 µs 724.169 µs
profiling Telemetry 8.978 ms 8.891 ms
profiling Profiling 97.065 ms 95.429 ms

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2025-01-28T18:40:48 2025-01-28T18:47:53
git_branch master vzakharov/api_sec_sampling_new
git_commit_date 1738082820 1738089165
git_commit_sha 9efa100 bc70627
release_version 1.46.0-SNAPSHOT~9efa100588 1.46.0-SNAPSHOT~bc70627cbd
start_time 2025-01-28T18:40:34 2025-01-28T18:47:39
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1738090430 1738090430
ci_job_id 784182243 784182243
ci_pipeline_id 54229670 54229670
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zsvuzntn-project-304-concurrent-0-020yox1q 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zsvuzntn-project-304-concurrent-0-020yox1q 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 13 metrics, 15 unstable metrics.

Request duration reports for petclinic
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.35 ms [1.331 ms, 1.368 ms] -
appsec 1.744 ms [1.72 ms, 1.767 ms] 394.242 µs (29.2%)
appsec_no_iast 1.754 ms [1.728 ms, 1.779 ms] 404.305 µs (30.0%)
iast 1.53 ms [1.506 ms, 1.553 ms] 180.123 µs (13.3%)
profiling 1.49 ms [1.467 ms, 1.514 ms] 140.829 µs (10.4%)
tracing 1.498 ms [1.474 ms, 1.523 ms] 148.865 µs (11.0%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.359 ms [1.34 ms, 1.379 ms] -
appsec 1.742 ms [1.718 ms, 1.765 ms] 382.473 µs (28.1%)
appsec_no_iast 1.777 ms [1.753 ms, 1.801 ms] 418.0 µs (30.8%)
iast 1.522 ms [1.498 ms, 1.546 ms] 163.025 µs (12.0%)
profiling 1.497 ms [1.473 ms, 1.52 ms] 137.402 µs (10.1%)
tracing 1.484 ms [1.46 ms, 1.509 ms] 125.194 µs (9.2%)
Request duration reports for insecure-bank
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 378.789 µs [358.9 µs, 398.678 µs] -
iast 510.432 µs [487.298 µs, 533.565 µs] 131.642 µs (34.8%)
iast_FULL 743.322 µs [721.335 µs, 765.309 µs] 364.533 µs (96.2%)
iast_GLOBAL 571.597 µs [546.721 µs, 596.472 µs] 192.807 µs (50.9%)
iast_HARDCODED_SECRET_DISABLED 507.318 µs [485.12 µs, 529.517 µs] 128.529 µs (33.9%)
iast_INACTIVE 461.632 µs [440.521 µs, 482.743 µs] 82.842 µs (21.9%)
iast_TELEMETRY_OFF 508.443 µs [485.213 µs, 531.674 µs] 129.654 µs (34.2%)
tracing 458.983 µs [437.642 µs, 480.325 µs] 80.194 µs (21.2%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 382.204 µs [362.637 µs, 401.771 µs] -
iast 512.523 µs [490.564 µs, 534.483 µs] 130.319 µs (34.1%)
iast_FULL 741.742 µs [719.928 µs, 763.556 µs] 359.538 µs (94.1%)
iast_GLOBAL 550.786 µs [528.352 µs, 573.221 µs] 168.582 µs (44.1%)
iast_HARDCODED_SECRET_DISABLED 519.471 µs [496.129 µs, 542.813 µs] 137.267 µs (35.9%)
iast_INACTIVE 460.696 µs [439.935 µs, 481.457 µs] 78.492 µs (20.5%)
iast_TELEMETRY_OFF 496.775 µs [474.396 µs, 519.155 µs] 114.571 µs (30.0%)
tracing 457.267 µs [436.022 µs, 478.512 µs] 75.063 µs (19.6%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master vzakharov/api_sec_sampling_new
git_commit_date 1738082820 1738089165
git_commit_sha 9efa100 bc70627
release_version 1.46.0-SNAPSHOT~9efa100588 1.46.0-SNAPSHOT~bc70627cbd
Baseline Candidate
application biojava biojava
ci_job_date 1738091117 1738091117
ci_job_id 784182244 784182244
ci_pipeline_id 54229670 54229670
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-xcwqdre5-project-304-concurrent-1-aqkb93tr 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux Linux runner-xcwqdre5-project-304-concurrent-1-aqkb93tr 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.481 s [15.481 s, 15.481 s] -
appsec 15.1 s [15.1 s, 15.1 s] -381.0 ms (-2.5%)
iast 18.865 s [18.865 s, 18.865 s] 3.384 s (21.9%)
iast_GLOBAL 17.86 s [17.86 s, 17.86 s] 2.379 s (15.4%)
profiling 14.961 s [14.961 s, 14.961 s] -520.0 ms (-3.4%)
tracing 14.911 s [14.911 s, 14.911 s] -570.0 ms (-3.7%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.262 s [15.262 s, 15.262 s] -
appsec 14.681 s [14.681 s, 14.681 s] -581.0 ms (-3.8%)
iast 18.35 s [18.35 s, 18.35 s] 3.088 s (20.2%)
iast_GLOBAL 18.049 s [18.049 s, 18.049 s] 2.787 s (18.3%)
profiling 15.582 s [15.582 s, 15.582 s] 320.0 ms (2.1%)
tracing 14.854 s [14.854 s, 14.854 s] -408.0 ms (-2.7%)
Execution time for tomcat
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.467 ms [1.455 ms, 1.478 ms] -
appsec 2.355 ms [2.311 ms, 2.398 ms] 887.993 µs (60.6%)
iast 2.098 ms [2.043 ms, 2.153 ms] 631.336 µs (43.0%)
iast_GLOBAL 2.15 ms [2.094 ms, 2.205 ms] 683.313 µs (46.6%)
profiling 1.956 ms [1.912 ms, 2.0 ms] 489.221 µs (33.4%)
tracing 1.933 ms [1.891 ms, 1.975 ms] 466.255 µs (31.8%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.462 ms [1.451 ms, 1.474 ms] -
appsec 2.358 ms [2.315 ms, 2.401 ms] 895.779 µs (61.3%)
iast 2.102 ms [2.048 ms, 2.157 ms] 639.771 µs (43.7%)
iast_GLOBAL 2.149 ms [2.094 ms, 2.205 ms] 686.76 µs (47.0%)
profiling 1.968 ms [1.924 ms, 2.011 ms] 505.307 µs (34.6%)
tracing 1.943 ms [1.901 ms, 1.986 ms] 481.04 µs (32.9%)

@ValentinZakharov ValentinZakharov marked this pull request as ready for review January 14, 2025 17:29
@ValentinZakharov ValentinZakharov requested a review from a team as a code owner January 14, 2025 17:29

github-actions bot commented Jan 14, 2025

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@manuel-alvarez-alvarez (Member)

Does the motivation make sense for this PR?

Motivation
This pull request is driven by the need to implement changes based on a newly issued RFC that consolidates all previous specifications. The RFC introduces several minor modifications, including a crucial distinction between user IDs and user logins. By adhering to this updated specification, we aim to enhance our system's accuracy and consistency in tracking user lifecycle events.

}

private long computeApiHash(String route, String method, int statusCode) {
long result = 17;
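Review bot: keying the access log by the 64-bit value returned from computeApiHash means two different (route, method, statusCode) tuples that hash to the same long share one entry, so a collision would make the sampler treat a never-seen endpoint as already computed and silently skip its schema. Storing the tuple itself as the key (a small value class with equals/hashCode) or verifying the components on a hit removes that failure mode; if a long key is kept for memory reasons, document the accepted collision risk next to this method.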


You can get the same with just Objects.hash(route, method, statusCode)

Member


I think the point here is getting a 64-bit hash, rather than the default 32-bit.

public ApiAccessTracker(int capacity, long expirationTimeInMs) {
this.expirationTimeInMs = expirationTimeInMs;
this.apiAccessLog =
Collections.synchronizedMap(
Member


Probably you can live without the synchronizedMap, since all the accesses to the map are already behind a synchronized (apiAccessLog) block.

Contributor Author


Improved implementation

Collections.synchronizedMap(
new LinkedHashMap<Long, Long>() {
@Override
protected boolean removeEldestEntry(Map.Entry<Long, Long> eldest) {
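Review bot: `new LinkedHashMap<Long, Long>()` is the no-arg constructor, which orders entries by insertion, so removeEldestEntry evicts the entry inserted longest ago even when it belongs to the hottest endpoint, while a cold endpoint inserted later survives; a re-put of an existing key does not move it either. If least-recently-used eviction is the intent, construct it with access ordering, `new LinkedHashMap<Long, Long>(capacity, 0.75f, true)`, and have removeEldestEntry return `size() > capacity`.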


Nice trick!

long currentTime = System.currentTimeMillis();
long hash = computeApiHash(route, method, statusCode);

synchronized (apiAccessLog) {
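Review bot: System.currentTimeMillis() is wall-clock time and moves with NTP corrections or manual clock changes, so a backward jump keeps stale schemas "fresh" past the 30-second window and a forward jump expires every cached entry at once, triggering a burst of recomputation. For measuring an expiration interval, System.nanoTime() (monotonic, always compared by difference, never by absolute value) is the safer source; the stored Long would then hold a nanoTime reading rather than an epoch timestamp.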
Contributor


I am a bit uneasy about introducing a global bottleneck at a place which might be called from many threads and rather frequently, IIUC.
I know that reducing contention here will require more complex code, because you would not be able to use the trick with the LinkedHashMap, but if this is going to be called on a hot path, the extra complexity might be unavoidable.

I wonder, do you need to keep an exact capacity limit, or would it be OK if the capacity is mostly obeyed (with some fluctuation around the target value due to concurrent updates/cleanups)? If the exact capacity is not required, it should help with a simpler implementation.

Contributor Author

@ValentinZakharov ValentinZakharov Jan 27, 2025


Reworked implementation of ApiAccessTracker to avoid bottleneck

@smola smola added comp: asm waf Application Security Management (WAF) and removed comp: asm waf Application Security Management (WAF) labels Jan 28, 2025
@ValentinZakharov ValentinZakharov requested a review from a team as a code owner January 28, 2025 18:01
@ValentinZakharov ValentinZakharov force-pushed the vzakharov/api_sec_sampling_new branch from 08d9b7f to bc70627 January 28, 2025 18:32
Labels
comp: asm waf Application Security Management (WAF)
4 participants