Skip to content

RUM: Prevent any Content-Length header from being set upon injection #10081

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
amarziali merged 2 commits into from
Dec 4, 2025
Merged

RUM: Prevent any Content-Length header from being set upon injection #10081

amarziali merged 2 commits into from
Dec 4, 2025

Conversation

@amarziali
Copy link
Contributor

@amarziali amarziali commented Dec 4, 2025
edited
Loading

What Does This Do

Application servers typically set the content length using the response methods setContentLength or setContentLengthLong.
However, some frameworks - Spring Security being one example - also set the content length by explicitly calling addHeader("Content-Length", ...).

This PR ensures that the content length cannot be set using setHeader or addHeader, preventing the content from being accidentally truncated.

It also refines CSP matching (for telemetry) because:

  1. Header names must be compared in a case-insensitive manner.
  2. There’s no need to match CSP when we already know no injection will occur, which avoids unnecessary CPU usage.

Tests have been added to all the spring boot modules we instrument.

Motivation

Additional Notes

Contributor Checklist

Jira ticket: [PROJ-IDENT]

@amarziali amarziali requested a review from a team as a code owner December 4, 2025 09:23
@amarziali amarziali added type: bug Bug report and fix comp: rum Realtime User Monitoring labels Dec 4, 2025
PerfectSlayer
PerfectSlayer approved these changes Dec 4, 2025
View reviewed changes
Copy link
Contributor

@PerfectSlayer PerfectSlayer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good. One minor comment / question

@amarziali amarziali enabled auto-merge (squash) December 4, 2025 09:53
@pr-commenter
Copy link

pr-commenter bot commented Dec 4, 2025

Benchmarks

⚠️ Warning: Baseline build not found for merge-base commit. Comparing against the latest commit on master instead.

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master andrea.marziali/rum-fix
git_commit_date 1764811148 1764841999
git_commit_sha c426f8c 50c7b67
release_version 1.57.0-SNAPSHOT~c426f8c01f 1.57.0-SNAPSHOT~50c7b67c1e
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1764843854 1764843854
ci_job_id 1269766763 1269766763
ci_pipeline_id 84861566 84861566
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-w5q16ron 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-w5q16ron 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 52 metrics, 13 unstable metrics.

Startup time reports for petclinic 
gantt
    title petclinic - global startup overhead: candidate=1.57.0-SNAPSHOT~50c7b67c1e, baseline=1.57.0-SNAPSHOT~c426f8c01f

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.06 s) : 0, 1059746
Total [baseline] (10.852 s) : 0, 10852196
Agent [candidate] (1.053 s) : 0, 1052965
Total [candidate] (10.827 s) : 0, 10826500
section appsec
Agent [baseline] (1.236 s) : 0, 1235759
Total [baseline] (10.984 s) : 0, 10983539
Agent [candidate] (1.23 s) : 0, 1229936
Total [candidate] (10.944 s) : 0, 10943773
section iast
Agent [baseline] (1.202 s) : 0, 1202350
Total [baseline] (11.186 s) : 0, 11185538
Agent [candidate] (1.199 s) : 0, 1198676
Total [candidate] (11.179 s) : 0, 11179382
section profiling
Agent [baseline] (1.198 s) : 0, 1197557
Total [baseline] (10.893 s) : 0, 10893286
Agent [candidate] (1.21 s) : 0, 1209626
Total [candidate] (10.981 s) : 0, 10981289
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.06 s -
Agent appsec 1.236 s 176.013 ms (16.6%)
Agent iast 1.202 s 142.605 ms (13.5%)
Agent profiling 1.198 s 137.812 ms (13.0%)
Total tracing 10.852 s -
Total appsec 10.984 s 131.343 ms (1.2%)
Total iast 11.186 s 333.342 ms (3.1%)
Total profiling 10.893 s 41.09 ms (0.4%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.053 s -
Agent appsec 1.23 s 176.97 ms (16.8%)
Agent iast 1.199 s 145.711 ms (13.8%)
Agent profiling 1.21 s 156.661 ms (14.9%)
Total tracing 10.827 s -
Total appsec 10.944 s 117.273 ms (1.1%)
Total iast 11.179 s 352.881 ms (3.3%)
Total profiling 10.981 s 154.789 ms (1.4%) 
gantt
    title petclinic - break down per module: candidate=1.57.0-SNAPSHOT~50c7b67c1e, baseline=1.57.0-SNAPSHOT~c426f8c01f

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.491 ms) : 0, 1491
crashtracking [candidate] (1.479 ms) : 0, 1479
BytebuddyAgent [baseline] (712.548 ms) : 0, 712548
BytebuddyAgent [candidate] (707.595 ms) : 0, 707595
GlobalTracer [baseline] (250.637 ms) : 0, 250637
GlobalTracer [candidate] (249.41 ms) : 0, 249410
AppSec [baseline] (32.386 ms) : 0, 32386
AppSec [candidate] (32.051 ms) : 0, 32051
Debugger [baseline] (6.493 ms) : 0, 6493
Debugger [candidate] (6.424 ms) : 0, 6424
Remote Config [baseline] (698.547 µs) : 0, 699
Remote Config [candidate] (668.084 µs) : 0, 668
Telemetry [baseline] (14.972 ms) : 0, 14972
Telemetry [candidate] (14.155 ms) : 0, 14155
Flare Poller [baseline] (5.522 ms) : 0, 5522
Flare Poller [candidate] (6.391 ms) : 0, 6391
section appsec
crashtracking [baseline] (1.486 ms) : 0, 1486
crashtracking [candidate] (1.478 ms) : 0, 1478
BytebuddyAgent [baseline] (735.743 ms) : 0, 735743
BytebuddyAgent [candidate] (731.948 ms) : 0, 731948
GlobalTracer [baseline] (242.374 ms) : 0, 242374
GlobalTracer [candidate] (242.104 ms) : 0, 242104
AppSec [baseline] (176.458 ms) : 0, 176458
AppSec [candidate] (175.296 ms) : 0, 175296
Debugger [baseline] (6.387 ms) : 0, 6387
Debugger [candidate] (6.304 ms) : 0, 6304
Remote Config [baseline] (710.569 µs) : 0, 711
Remote Config [candidate] (695.485 µs) : 0, 695
Telemetry [baseline] (8.299 ms) : 0, 8299
Telemetry [candidate] (8.224 ms) : 0, 8224
Flare Poller [baseline] (4.052 ms) : 0, 4052
Flare Poller [candidate] (4.013 ms) : 0, 4013
IAST [baseline] (25.206 ms) : 0, 25206
IAST [candidate] (24.831 ms) : 0, 24831
section iast
crashtracking [baseline] (1.491 ms) : 0, 1491
crashtracking [candidate] (1.485 ms) : 0, 1485
BytebuddyAgent [baseline] (839.42 ms) : 0, 839420
BytebuddyAgent [candidate] (836.662 ms) : 0, 836662
GlobalTracer [baseline] (238.962 ms) : 0, 238962
GlobalTracer [candidate] (238.037 ms) : 0, 238037
AppSec [baseline] (29.022 ms) : 0, 29022
AppSec [candidate] (31.544 ms) : 0, 31544
Debugger [baseline] (6.068 ms) : 0, 6068
Debugger [candidate] (6.179 ms) : 0, 6179
Remote Config [baseline] (617.404 µs) : 0, 617
Remote Config [candidate] (619.978 µs) : 0, 620
Telemetry [baseline] (8.095 ms) : 0, 8095
Telemetry [candidate] (8.044 ms) : 0, 8044
Flare Poller [baseline] (10.794 ms) : 0, 10794
Flare Poller [candidate] (10.851 ms) : 0, 10851
IAST [baseline] (32.935 ms) : 0, 32935
IAST [candidate] (30.028 ms) : 0, 30028
section profiling
ProfilingAgent [baseline] (110.533 ms) : 0, 110533
ProfilingAgent [candidate] (112.533 ms) : 0, 112533
crashtracking [baseline] (1.44 ms) : 0, 1440
crashtracking [candidate] (1.45 ms) : 0, 1450
BytebuddyAgent [baseline] (733.931 ms) : 0, 733931
BytebuddyAgent [candidate] (741.089 ms) : 0, 741089
GlobalTracer [baseline] (222.043 ms) : 0, 222043
GlobalTracer [candidate] (223.768 ms) : 0, 223768
AppSec [baseline] (32.251 ms) : 0, 32251
AppSec [candidate] (32.639 ms) : 0, 32639
Debugger [baseline] (8.462 ms) : 0, 8462
Debugger [candidate] (7.01 ms) : 0, 7010
Remote Config [baseline] (688.323 µs) : 0, 688
Remote Config [candidate] (1.465 ms) : 0, 1465
Telemetry [baseline] (14.702 ms) : 0, 14702
Telemetry [candidate] (15.577 ms) : 0, 15577
Flare Poller [baseline] (4.134 ms) : 0, 4134
Flare Poller [candidate] (4.216 ms) : 0, 4216
Profiling [baseline] (111.171 ms) : 0, 111171
Profiling [candidate] (113.191 ms) : 0, 113191
Loading
Startup time reports for insecure-bank 
gantt
    title insecure-bank - global startup overhead: candidate=1.57.0-SNAPSHOT~50c7b67c1e, baseline=1.57.0-SNAPSHOT~c426f8c01f

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.053 s) : 0, 1052613
Total [baseline] (8.687 s) : 0, 8686561
Agent [candidate] (1.06 s) : 0, 1059857
Total [candidate] (8.683 s) : 0, 8682870
section iast
Agent [baseline] (1.193 s) : 0, 1193362
Total [baseline] (9.351 s) : 0, 9350565
Agent [candidate] (1.199 s) : 0, 1199190
Total [candidate] (9.357 s) : 0, 9357166
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.053 s -
Agent iast 1.193 s 140.749 ms (13.4%)
Total tracing 8.687 s -
Total iast 9.351 s 664.005 ms (7.6%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.06 s -
Agent iast 1.199 s 139.333 ms (13.1%)
Total tracing 8.683 s -
Total iast 9.357 s 674.296 ms (7.8%) 
gantt
    title insecure-bank - break down per module: candidate=1.57.0-SNAPSHOT~50c7b67c1e, baseline=1.57.0-SNAPSHOT~c426f8c01f

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.483 ms) : 0, 1483
crashtracking [candidate] (1.497 ms) : 0, 1497
BytebuddyAgent [baseline] (707.821 ms) : 0, 707821
BytebuddyAgent [candidate] (712.756 ms) : 0, 712756
GlobalTracer [baseline] (248.808 ms) : 0, 248808
GlobalTracer [candidate] (250.508 ms) : 0, 250508
AppSec [baseline] (32.035 ms) : 0, 32035
AppSec [candidate] (32.406 ms) : 0, 32406
Debugger [baseline] (6.358 ms) : 0, 6358
Debugger [candidate] (6.484 ms) : 0, 6484
Remote Config [baseline] (678.664 µs) : 0, 679
Remote Config [candidate] (695.164 µs) : 0, 695
Telemetry [baseline] (16.416 ms) : 0, 16416
Telemetry [candidate] (15.409 ms) : 0, 15409
Flare Poller [baseline] (4.106 ms) : 0, 4106
Flare Poller [candidate] (4.961 ms) : 0, 4961
section iast
crashtracking [baseline] (1.488 ms) : 0, 1488
crashtracking [candidate] (1.489 ms) : 0, 1489
BytebuddyAgent [baseline] (832.469 ms) : 0, 832469
BytebuddyAgent [candidate] (836.576 ms) : 0, 836576
GlobalTracer [baseline] (237.697 ms) : 0, 237697
GlobalTracer [candidate] (238.464 ms) : 0, 238464
AppSec [baseline] (28.908 ms) : 0, 28908
AppSec [candidate] (30.917 ms) : 0, 30917
Debugger [baseline] (6.051 ms) : 0, 6051
Debugger [candidate] (6.033 ms) : 0, 6033
Remote Config [baseline] (605.313 µs) : 0, 605
Remote Config [candidate] (610.074 µs) : 0, 610
Telemetry [baseline] (7.992 ms) : 0, 7992
Telemetry [candidate] (8.11 ms) : 0, 8110
Flare Poller [baseline] (10.645 ms) : 0, 10645
Flare Poller [candidate] (10.746 ms) : 0, 10746
IAST [baseline] (32.683 ms) : 0, 32683
IAST [candidate] (31.162 ms) : 0, 31162
Loading

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master andrea.marziali/rum-fix
git_commit_date 1764811148 1764841999
git_commit_sha c426f8c 50c7b67
release_version 1.57.0-SNAPSHOT~c426f8c01f 1.57.0-SNAPSHOT~50c7b67c1e
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1764844440 1764844440
ci_job_id 1269766764 1269766764
ci_pipeline_id 84861566 84861566
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-36ctr728 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-36ctr728 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 1 performance improvements and 2 performance regressions! Performance is the same for 17 metrics, 16 unstable metrics.

scenario Δ mean agg_http_req_duration_p50 Δ mean agg_http_req_duration_p95 Δ mean throughput candidate mean agg_http_req_duration_p50 candidate mean agg_http_req_duration_p95 candidate mean throughput baseline mean agg_http_req_duration_p50 baseline mean agg_http_req_duration_p95 baseline mean throughput
scenario:load:insecure-bank:profiling:high_load better
[-216.759µs; -109.879µs] or [-12.235%; -6.202%]		 unstable
[-1343.870µs; -515.314µs] or [-24.506%; -9.397%]		 unstable
[+74.072op/s; +564.178op/s] or [+3.758%; +28.621%]		 1.608ms 4.554ms 2290.312op/s 1.772ms 5.484ms 1971.188op/s
scenario:load:insecure-bank:iast_GLOBAL:high_load worse
[+176.581µs; +292.474µs] or [+6.741%; +11.165%]		 worse
[+275.413µs; +818.816µs] or [+3.673%; +10.921%]		 unstable
[-250.171op/s; +28.546op/s] or [-18.305%; +2.089%]		 2.854ms 8.045ms 1255.875op/s 2.619ms 7.498ms 1366.688op/s
Request duration reports for insecure-bank 
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.57.0-SNAPSHOT~50c7b67c1e, baseline=1.57.0-SNAPSHOT~c426f8c01f
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.28 ms) : 1268, 1293
.   : milestone, 1280,
iast (3.24 ms) : 3195, 3286
.   : milestone, 3240,
iast_FULL (5.948 ms) : 5887, 6008
.   : milestone, 5948,
iast_GLOBAL (3.35 ms) : 3304, 3396
.   : milestone, 3350,
profiling (2.3 ms) : 2275, 2325
.   : milestone, 2300,
tracing (1.829 ms) : 1813, 1846
.   : milestone, 1829,
section candidate
no_agent (1.208 ms) : 1197, 1220
.   : milestone, 1208,
iast (3.211 ms) : 3165, 3256
.   : milestone, 3211,
iast_FULL (5.791 ms) : 5734, 5849
.   : milestone, 5791,
iast_GLOBAL (3.654 ms) : 3590, 3717
.   : milestone, 3654,
profiling (1.969 ms) : 1951, 1987
.   : milestone, 1969,
tracing (1.822 ms) : 1806, 1837
.   : milestone, 1822,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.28 ms [1.268 ms, 1.293 ms] -
iast 3.24 ms [3.195 ms, 3.286 ms] 1.96 ms (153.1%)
iast_FULL 5.948 ms [5.887 ms, 6.008 ms] 4.667 ms (364.5%)
iast_GLOBAL 3.35 ms [3.304 ms, 3.396 ms] 2.069 ms (161.6%)
profiling 2.3 ms [2.275 ms, 2.325 ms] 1.019 ms (79.6%)
tracing 1.829 ms [1.813 ms, 1.846 ms] 549.08 µs (42.9%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.208 ms [1.197 ms, 1.22 ms] -
iast 3.211 ms [3.165 ms, 3.256 ms] 2.002 ms (165.7%)
iast_FULL 5.791 ms [5.734 ms, 5.849 ms] 4.583 ms (379.2%)
iast_GLOBAL 3.654 ms [3.59 ms, 3.717 ms] 2.445 ms (202.3%)
profiling 1.969 ms [1.951 ms, 1.987 ms] 760.584 µs (62.9%)
tracing 1.822 ms [1.806 ms, 1.837 ms] 613.494 µs (50.8%)
Request duration reports for petclinic 
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.57.0-SNAPSHOT~50c7b67c1e, baseline=1.57.0-SNAPSHOT~c426f8c01f
    dateFormat X
    axisFormat %s
section baseline
no_agent (17.377 ms) : 17201, 17552
.   : milestone, 17377,
appsec (18.761 ms) : 18571, 18950
.   : milestone, 18761,
code_origins (17.67 ms) : 17496, 17844
.   : milestone, 17670,
iast (17.804 ms) : 17625, 17982
.   : milestone, 17804,
profiling (18.983 ms) : 18795, 19172
.   : milestone, 18983,
tracing (17.857 ms) : 17681, 18033
.   : milestone, 17857,
section candidate
no_agent (18.415 ms) : 18227, 18603
.   : milestone, 18415,
appsec (18.519 ms) : 18332, 18705
.   : milestone, 18519,
code_origins (17.722 ms) : 17548, 17895
.   : milestone, 17722,
iast (18.019 ms) : 17836, 18202
.   : milestone, 18019,
profiling (18.551 ms) : 18368, 18735
.   : milestone, 18551,
tracing (17.464 ms) : 17295, 17633
.   : milestone, 17464,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 17.377 ms [17.201 ms, 17.552 ms] -
appsec 18.761 ms [18.571 ms, 18.95 ms] 1.384 ms (8.0%)
code_origins 17.67 ms [17.496 ms, 17.844 ms] 292.859 µs (1.7%)
iast 17.804 ms [17.625 ms, 17.982 ms] 426.645 µs (2.5%)
profiling 18.983 ms [18.795 ms, 19.172 ms] 1.607 ms (9.2%)
tracing 17.857 ms [17.681 ms, 18.033 ms] 479.941 µs (2.8%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.415 ms [18.227 ms, 18.603 ms] -
appsec 18.519 ms [18.332 ms, 18.705 ms] 103.59 µs (0.6%)
code_origins 17.722 ms [17.548 ms, 17.895 ms] -693.81 µs (-3.8%)
iast 18.019 ms [17.836 ms, 18.202 ms] -396.144 µs (-2.2%)
profiling 18.551 ms [18.368 ms, 18.735 ms] 136.032 µs (0.7%)
tracing 17.464 ms [17.295 ms, 17.633 ms] -951.638 µs (-5.2%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master andrea.marziali/rum-fix
git_commit_date 1764811148 1764841999
git_commit_sha c426f8c 50c7b67
release_version 1.57.0-SNAPSHOT~c426f8c01f 1.57.0-SNAPSHOT~50c7b67c1e
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1764844050 1764844050
ci_job_id 1269766765 1269766765
ci_pipeline_id 84861566 84861566
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-eds8clhy 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-eds8clhy 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava 
gantt
    title biojava - execution time [CI 0.99] : candidate=1.57.0-SNAPSHOT~50c7b67c1e, baseline=1.57.0-SNAPSHOT~c426f8c01f
    dateFormat X
    axisFormat %s
section baseline
no_agent (14.862 s) : 14862000, 14862000
.   : milestone, 14862000,
appsec (14.607 s) : 14607000, 14607000
.   : milestone, 14607000,
iast (18.106 s) : 18106000, 18106000
.   : milestone, 18106000,
iast_GLOBAL (17.843 s) : 17843000, 17843000
.   : milestone, 17843000,
profiling (14.831 s) : 14831000, 14831000
.   : milestone, 14831000,
tracing (14.901 s) : 14901000, 14901000
.   : milestone, 14901000,
section candidate
no_agent (15.644 s) : 15644000, 15644000
.   : milestone, 15644000,
appsec (15.059 s) : 15059000, 15059000
.   : milestone, 15059000,
iast (18.657 s) : 18657000, 18657000
.   : milestone, 18657000,
iast_GLOBAL (18.087 s) : 18087000, 18087000
.   : milestone, 18087000,
profiling (14.819 s) : 14819000, 14819000
.   : milestone, 14819000,
tracing (14.858 s) : 14858000, 14858000
.   : milestone, 14858000,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.862 s [14.862 s, 14.862 s] -
appsec 14.607 s [14.607 s, 14.607 s] -255.0 ms (-1.7%)
iast 18.106 s [18.106 s, 18.106 s] 3.244 s (21.8%)
iast_GLOBAL 17.843 s [17.843 s, 17.843 s] 2.981 s (20.1%)
profiling 14.831 s [14.831 s, 14.831 s] -31.0 ms (-0.2%)
tracing 14.901 s [14.901 s, 14.901 s] 39.0 ms (0.3%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.644 s [15.644 s, 15.644 s] -
appsec 15.059 s [15.059 s, 15.059 s] -585.0 ms (-3.7%)
iast 18.657 s [18.657 s, 18.657 s] 3.013 s (19.3%)
iast_GLOBAL 18.087 s [18.087 s, 18.087 s] 2.443 s (15.6%)
profiling 14.819 s [14.819 s, 14.819 s] -825.0 ms (-5.3%)
tracing 14.858 s [14.858 s, 14.858 s] -786.0 ms (-5.0%)
Execution time for tomcat 
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.57.0-SNAPSHOT~50c7b67c1e, baseline=1.57.0-SNAPSHOT~c426f8c01f
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.474 ms) : 1462, 1485
.   : milestone, 1474,
appsec (3.644 ms) : 3430, 3857
.   : milestone, 3644,
iast (2.205 ms) : 2141, 2270
.   : milestone, 2205,
iast_GLOBAL (2.252 ms) : 2187, 2318
.   : milestone, 2252,
profiling (2.06 ms) : 2008, 2113
.   : milestone, 2060,
tracing (2.034 ms) : 1983, 2085
.   : milestone, 2034,
section candidate
no_agent (1.469 ms) : 1458, 1480
.   : milestone, 1469,
appsec (3.688 ms) : 3471, 3904
.   : milestone, 3688,
iast (2.203 ms) : 2138, 2267
.   : milestone, 2203,
iast_GLOBAL (2.254 ms) : 2189, 2319
.   : milestone, 2254,
profiling (2.072 ms) : 2019, 2125
.   : milestone, 2072,
tracing (2.042 ms) : 1990, 2093
.   : milestone, 2042,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.474 ms [1.462 ms, 1.485 ms] -
appsec 3.644 ms [3.43 ms, 3.857 ms] 2.17 ms (147.2%)
iast 2.205 ms [2.141 ms, 2.27 ms] 731.419 µs (49.6%)
iast_GLOBAL 2.252 ms [2.187 ms, 2.318 ms] 778.626 µs (52.8%)
profiling 2.06 ms [2.008 ms, 2.113 ms] 586.54 µs (39.8%)
tracing 2.034 ms [1.983 ms, 2.085 ms] 560.447 µs (38.0%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.469 ms [1.458 ms, 1.48 ms] -
appsec 3.688 ms [3.471 ms, 3.904 ms] 2.219 ms (151.0%)
iast 2.203 ms [2.138 ms, 2.267 ms] 733.961 µs (50.0%)
iast_GLOBAL 2.254 ms [2.189 ms, 2.319 ms] 784.988 µs (53.4%)
profiling 2.072 ms [2.019 ms, 2.125 ms] 603.283 µs (41.1%)
tracing 2.042 ms [1.99 ms, 2.093 ms] 572.707 µs (39.0%)

@amarziali amarziali merged commit 47898ce into master Dec 4, 2025
540 of 542 checks passed
@amarziali amarziali deleted the andrea.marziali/rum-fix branch December 4, 2025 10:49
@github-actions github-actions bot added this to the 1.57.0 milestone Dec 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PerfectSlayer PerfectSlayer PerfectSlayer approved these changes

Assignees

No one assigned

Labels

comp: rum Realtime User Monitoring type: bug Bug report and fix

Projects

None yet

Milestone

1.57.0

Development

Successfully merging this pull request may close these issues.

3 participants

@amarziali @PerfectSlayer