Extract Vert.x json body response schemas #9001

Open: wants to merge 4 commits into base: malvarez/http-route-play

manuel-alvarez-alvarez (Member) commented Jun 17, 2025

What Does This Do

Adds response body extraction for Vert.x JSON endpoints to enable automatic API schema discovery and protection by the Web Application Firewall (WAF). Support is for Vert.x >= 4.x (leverages the new JSON response API introduced in v4.x).

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-57920

manuel-alvarez-alvarez added the comp: asm waf (Application Security Management (WAF)), inst: vertx (Eclipse Vert.x instrumentation) and type: enhancement labels Jun 17, 2025
manuel-alvarez-alvarez marked this pull request as ready for review June 17, 2025 17:28
manuel-alvarez-alvarez requested review from a team as code owners June 17, 2025 17:28

pr-commenter bot commented Jun 17, 2025

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master malvarez/vertx-response-extraction
git_commit_date 1750323428 1750335149
git_commit_sha a7ce6e7 37afc9b
release_version 1.50.0-SNAPSHOT~a7ce6e7f58 1.50.0-SNAPSHOT~37afc9b0b3
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1750337015 1750337015
ci_job_id 989983585 989983585
ci_pipeline_id 68231453 68231453
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-bziamzy-project-304-concurrent-0-90im63tw 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-bziamzy-project-304-concurrent-0-90im63tw 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None
variant iast iast

Summary

Found 2 performance improvements and 1 performance regressions! Performance is the same for 40 metrics, 10 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:startup:insecure-bank:tracing:Remote Config | better [-78.452µs; -25.929µs] or [-10.890%; -3.599%] | 668.190µs | 720.381µs |
| scenario:startup:petclinic:profiling:AppSec | worse [+2.824ms; +4.043ms] or [+4.575%; +6.551%] | 65.158ms | 61.724ms |
| scenario:startup:petclinic:tracing:Remote Config | better [-92.445µs; -26.441µs] or [-12.719%; -3.638%] | 667.376µs | 726.819µs |

Startup time reports for petclinic
[Gantt chart: petclinic - global startup overhead: candidate=1.50.0-SNAPSHOT~37afc9b0b3, baseline=1.50.0-SNAPSHOT~a7ce6e7f58; sections: tracing, appsec, iast, profiling]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.04 s -
Agent appsec 1.185 s 145.317 ms (14.0%)
Agent iast 1.153 s 112.596 ms (10.8%)
Agent profiling 1.266 s 225.924 ms (21.7%)
Total tracing 10.542 s -
Total appsec 10.777 s 234.993 ms (2.2%)
Total iast 10.835 s 293.417 ms (2.8%)
Total profiling 10.916 s 373.698 ms (3.5%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.031 s -
Agent appsec 1.183 s 152.814 ms (14.8%)
Agent iast 1.155 s 124.108 ms (12.0%)
Agent profiling 1.275 s 244.033 ms (23.7%)
Total tracing 10.575 s -
Total appsec 10.721 s 146.514 ms (1.4%)
Total iast 10.857 s 282.215 ms (2.7%)
Total profiling 10.913 s 338.745 ms (3.2%)
gantt
    title petclinic - break down per module: candidate=1.50.0-SNAPSHOT~37afc9b0b3, baseline=1.50.0-SNAPSHOT~a7ce6e7f58

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (694.586 ms) : 0, 694586
BytebuddyAgent [candidate] (685.515 ms) : 0, 685515
GlobalTracer [baseline] (244.499 ms) : 0, 244499
GlobalTracer [candidate] (242.225 ms) : 0, 242225
AppSec [baseline] (59.705 ms) : 0, 59705
AppSec [candidate] (62.273 ms) : 0, 62273
Debugger [baseline] (7.75 ms) : 0, 7750
Debugger [candidate] (6.898 ms) : 0, 6898
Remote Config [baseline] (726.819 µs) : 0, 727
Remote Config [candidate] (667.376 µs) : 0, 667
Telemetry [baseline] (9.019 ms) : 0, 9019
Telemetry [candidate] (9.642 ms) : 0, 9642
section appsec
BytebuddyAgent [baseline] (712.364 ms) : 0, 712364
BytebuddyAgent [candidate] (708.596 ms) : 0, 708596
GlobalTracer [baseline] (236.862 ms) : 0, 236862
GlobalTracer [candidate] (235.476 ms) : 0, 235476
IAST [baseline] (22.058 ms) : 0, 22058
IAST [candidate] (21.833 ms) : 0, 21833
AppSec [baseline] (176.463 ms) : 0, 176463
AppSec [candidate] (180.245 ms) : 0, 180245
Debugger [baseline] (5.978 ms) : 0, 5978
Debugger [candidate] (5.913 ms) : 0, 5913
Remote Config [baseline] (620.473 µs) : 0, 620
Remote Config [candidate] (641.874 µs) : 0, 642
Telemetry [baseline] (7.359 ms) : 0, 7359
Telemetry [candidate] (7.356 ms) : 0, 7356
section iast
BytebuddyAgent [baseline] (804.523 ms) : 0, 804523
BytebuddyAgent [candidate] (803.421 ms) : 0, 803421
GlobalTracer [baseline] (231.517 ms) : 0, 231517
GlobalTracer [candidate] (231.593 ms) : 0, 231593
IAST [baseline] (25.233 ms) : 0, 25233
IAST [candidate] (28.323 ms) : 0, 28323
AppSec [baseline] (52.703 ms) : 0, 52703
AppSec [candidate] (53.577 ms) : 0, 53577
Debugger [baseline] (5.903 ms) : 0, 5903
Debugger [candidate] (5.979 ms) : 0, 5979
Remote Config [baseline] (583.061 µs) : 0, 583
Remote Config [candidate] (611.92 µs) : 0, 612
Telemetry [baseline] (7.917 ms) : 0, 7917
Telemetry [candidate] (7.903 ms) : 0, 7903
section profiling
BytebuddyAgent [baseline] (675.606 ms) : 0, 675606
BytebuddyAgent [candidate] (676.913 ms) : 0, 676913
GlobalTracer [baseline] (360.088 ms) : 0, 360088
GlobalTracer [candidate] (360.045 ms) : 0, 360045
AppSec [baseline] (61.724 ms) : 0, 61724
AppSec [candidate] (65.158 ms) : 0, 65158
Debugger [baseline] (6.098 ms) : 0, 6098
Debugger [candidate] (6.161 ms) : 0, 6161
Remote Config [baseline] (643.909 µs) : 0, 644
Remote Config [candidate] (650.885 µs) : 0, 651
Telemetry [baseline] (8.219 ms) : 0, 8219
Telemetry [candidate] (8.258 ms) : 0, 8258
ProfilingAgent [baseline] (102.699 ms) : 0, 102699
ProfilingAgent [candidate] (106.689 ms) : 0, 106689
Profiling [baseline] (102.724 ms) : 0, 102724
Profiling [candidate] (106.715 ms) : 0, 106715
Startup time reports for insecure-bank
[Gantt chart: insecure-bank - global startup overhead: candidate=1.50.0-SNAPSHOT~37afc9b0b3, baseline=1.50.0-SNAPSHOT~a7ce6e7f58; sections: tracing, iast]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.021 s -
Agent iast 1.154 s 132.302 ms (13.0%)
Total tracing 8.565 s -
Total iast 9.2 s 635.115 ms (7.4%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.035 s -
Agent iast 1.16 s 124.664 ms (12.0%)
Total tracing 8.538 s -
Total iast 9.225 s 687.003 ms (8.0%)
gantt
    title insecure-bank - break down per module: candidate=1.50.0-SNAPSHOT~37afc9b0b3, baseline=1.50.0-SNAPSHOT~a7ce6e7f58

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (683.451 ms) : 0, 683451
BytebuddyAgent [candidate] (688.959 ms) : 0, 688959
GlobalTracer [baseline] (240.402 ms) : 0, 240402
GlobalTracer [candidate] (242.671 ms) : 0, 242671
AppSec [baseline] (56.805 ms) : 0, 56805
AppSec [candidate] (61.901 ms) : 0, 61901
Debugger [baseline] (7.517 ms) : 0, 7517
Debugger [candidate] (6.989 ms) : 0, 6989
Remote Config [baseline] (720.381 µs) : 0, 720
Remote Config [candidate] (668.19 µs) : 0, 668
Telemetry [baseline] (8.847 ms) : 0, 8847
Telemetry [candidate] (10.667 ms) : 0, 10667
section iast
BytebuddyAgent [baseline] (805.757 ms) : 0, 805757
BytebuddyAgent [candidate] (806.186 ms) : 0, 806186
GlobalTracer [baseline] (231.5 ms) : 0, 231500
GlobalTracer [candidate] (232.972 ms) : 0, 232972
IAST [baseline] (29.207 ms) : 0, 29207
IAST [candidate] (28.946 ms) : 0, 28946
AppSec [baseline] (49.308 ms) : 0, 49308
AppSec [candidate] (53.13 ms) : 0, 53130
Debugger [baseline] (5.847 ms) : 0, 5847
Debugger [candidate] (6.072 ms) : 0, 6072
Remote Config [baseline] (599.438 µs) : 0, 599
Remote Config [candidate] (602.611 µs) : 0, 603
Telemetry [baseline] (7.868 ms) : 0, 7868
Telemetry [candidate] (8.008 ms) : 0, 8008

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2025-06-19T12:28:19 2025-06-19T12:29:58
git_branch master malvarez/vertx-response-extraction
git_commit_date 1750323428 1750335149
git_commit_sha a7ce6e7 37afc9b
release_version 1.50.0-SNAPSHOT~a7ce6e7f58 1.50.0-SNAPSHOT~37afc9b0b3
start_time 2025-06-19T12:27:46 2025-06-19T12:29:26
See matching parameters
Baseline Candidate
application petclinic petclinic
ci_job_date 1750336198 1750336198
ci_job_id 989983586 989983586
ci_pipeline_id 68231453 68231453
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-bziamzy-project-304-concurrent-1-y16hn9sh 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-bziamzy-project-304-concurrent-1-y16hn9sh 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
thresholds_or_results results results
variant appsec appsec

Summary

Found 0 performance improvements and 3 performance regressions! Performance is the same for 0 metrics, 9 unstable metrics.

| scenario | Δ mean http_req_duration | Δ mean throughput | candidate mean http_req_duration | candidate mean throughput | baseline mean http_req_duration | baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:petclinic:appsec | worse [+80.611ms; +87.582ms] or [+112.216%; +121.920%] | unstable [-41.224op/s; -30.239op/s] or [-61.664%; -45.232%] | 155.932ms | 31.121op/s | 71.836ms | 66.853op/s |
| scenario:load:petclinic:profiling | worse [+81.896ms; +87.715ms] or [+131.788%; +141.153%] | unstable [-51.522op/s; -37.131op/s] or [-66.376%; -47.836%] | 146.948ms | 33.295op/s | 62.142ms | 77.622op/s |
| scenario:load:petclinic:tracing | worse [+84.632ms; +89.469ms] or [+162.928%; +172.239%] | unstable [-69.311op/s; -49.307op/s] or [-73.324%; -52.162%] | 138.995ms | 35.218op/s | 51.945ms | 94.527op/s |

Request duration reports for petclinic
[Gantt chart: petclinic - request duration [CI 0.99] : candidate=1.50.0-SNAPSHOT~37afc9b0b3, baseline=1.50.0-SNAPSHOT~a7ce6e7f58; sections: baseline, candidate]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 13.23 ms [13.113 ms, 13.347 ms] -
appsec 71.836 ms [70.903 ms, 72.768 ms] 58.606 ms (443.0%)
code_origins 87.835 ms [86.138 ms, 89.531 ms] 74.605 ms (563.9%)
iast 78.84 ms [77.614 ms, 80.065 ms] 65.61 ms (495.9%)
profiling 62.142 ms [61.302 ms, 62.982 ms] 48.912 ms (369.7%)
tracing 51.945 ms [51.169 ms, 52.721 ms] 38.715 ms (292.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 133.555 ms [130.72 ms, 136.391 ms] -
appsec 155.932 ms [151.447 ms, 160.417 ms] 22.377 ms (16.8%)
code_origins 169.617 ms [159.938 ms, 179.296 ms] 36.062 ms (27.0%)
iast 161.864 ms [155.902 ms, 167.826 ms] 28.309 ms (21.2%)
profiling 146.948 ms [143.217 ms, 150.678 ms] 13.392 ms (10.0%)
tracing 138.995 ms [135.913 ms, 142.077 ms] 5.44 ms (4.1%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master malvarez/vertx-response-extraction
git_commit_date 1750323428 1750335149
git_commit_sha a7ce6e7 37afc9b
release_version 1.50.0-SNAPSHOT~a7ce6e7f58 1.50.0-SNAPSHOT~37afc9b0b3
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1750337241 1750337241
ci_job_id 989983587 989983587
ci_pipeline_id 68231453 68231453
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-emldojjo-project-304-concurrent-0-pjla6t8r 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-emldojjo-project-304-concurrent-0-pjla6t8r 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
[Gantt chart: biojava - execution time [CI 0.99] : candidate=1.50.0-SNAPSHOT~37afc9b0b3, baseline=1.50.0-SNAPSHOT~a7ce6e7f58; sections: baseline, candidate]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.017 s [15.017 s, 15.017 s] -
appsec 15.011 s [15.011 s, 15.011 s] -6.0 ms (-0.0%)
iast 18.755 s [18.755 s, 18.755 s] 3.738 s (24.9%)
iast_GLOBAL 18.208 s [18.208 s, 18.208 s] 3.191 s (21.2%)
profiling 15.387 s [15.387 s, 15.387 s] 370.0 ms (2.5%)
tracing 14.873 s [14.873 s, 14.873 s] -144.0 ms (-1.0%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.831 s [14.831 s, 14.831 s] -
appsec 14.962 s [14.962 s, 14.962 s] 131.0 ms (0.9%)
iast 18.986 s [18.986 s, 18.986 s] 4.155 s (28.0%)
iast_GLOBAL 17.673 s [17.673 s, 17.673 s] 2.842 s (19.2%)
profiling 15.027 s [15.027 s, 15.027 s] 196.0 ms (1.3%)
tracing 14.853 s [14.853 s, 14.853 s] 22.0 ms (0.1%)
Execution time for tomcat
[Gantt chart: tomcat - execution time [CI 0.99] : candidate=1.50.0-SNAPSHOT~37afc9b0b3, baseline=1.50.0-SNAPSHOT~a7ce6e7f58; sections: baseline, candidate]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.475 ms [1.463 ms, 1.486 ms] -
appsec 2.398 ms [2.349 ms, 2.446 ms] 922.66 µs (62.6%)
iast 2.179 ms [2.118 ms, 2.241 ms] 704.581 µs (47.8%)
iast_GLOBAL 2.221 ms [2.16 ms, 2.283 ms] 746.593 µs (50.6%)
profiling 2.028 ms [1.979 ms, 2.078 ms] 553.549 µs (37.5%)
tracing 2.005 ms [1.958 ms, 2.053 ms] 530.511 µs (36.0%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.473 ms [1.461 ms, 1.484 ms] -
appsec 2.4 ms [2.351 ms, 2.449 ms] 927.239 µs (63.0%)
iast 2.181 ms [2.119 ms, 2.242 ms] 707.578 µs (48.0%)
iast_GLOBAL 2.228 ms [2.166 ms, 2.29 ms] 754.679 µs (51.2%)
profiling 2.023 ms [1.973 ms, 2.072 ms] 549.753 µs (37.3%)
tracing 1.992 ms [1.944 ms, 2.039 ms] 518.808 µs (35.2%)

manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch from e6d0da9 to bf5e01e June 19, 2025 08:39

jandro996 (Member) left a comment

Correct me if I'm wrong, but I feel that we are missing this part of the RFC:

DD_API_SECURITY_PARSE_RESPONSE_BODY: this is a configuration option which libraries with the ability to parse the response body must implement to allow the user to disable this feature. With a true, or equivalent value, response body parsing should be enabled. If implemented, the default value of this configuration option must be true.

There is also a system test that validates this:
tests/appsec/api_security/test_schemas.py::Test_Schema_Response_Body_env_var::test_request_method

manuel-alvarez-alvarez (Member, Author) commented

> Correct me if I'm wrong but I feel that we are missing this part of the RFC
>
> DD_API_SECURITY_PARSE_RESPONSE_BODY: this is a configuration option which libraries with the ability to parse the response body must implement to allow the user to disable this feature. With a true, or equivalent value, response body parsing should be enabled. If implemented, the default value of this configuration option must be true.
>
> There is also a system test that validates this tests/appsec/api_security/test_schemas.py::Test_Schema_Response_Body_env_var::test_request_method

Yep, parsing the body is not going to be implemented in the library at the moment.
