Add server.request.body.filenames support for Jersey and RESTEasy#11171
@codex review
Benchmarks
Startup
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 65 metrics, 6 unstable metrics.
[Startup time report for petclinic: gantt charts of global startup overhead and per-module breakdown, candidate=1.62.0-SNAPSHOT~510fca6013, baseline=1.62.0-SNAPSHOT~081af53226; chart data omitted]
[Startup time report for insecure-bank: gantt charts of global startup overhead and per-module breakdown, same candidate and baseline; chart data omitted]
Load
Summary: Found 5 performance improvements and 0 performance regressions! Performance is the same for 15 metrics, 16 unstable metrics.
[Request duration reports (CI 0.99) for insecure-bank and petclinic, candidate=1.62.0-SNAPSHOT~510fca6013, baseline=1.62.0-SNAPSHOT~081af53226; chart data omitted]
Dacapo
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.
[Execution time reports (CI 0.99) for tomcat and biojava, candidate=1.62.0-SNAPSHOT~510fca6013, baseline=1.62.0-SNAPSHOT~081af53226; chart data omitted]
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 510fca6013
| List<String> filenames = new ArrayList<>(); | ||
| for (Map.Entry<String, List<InputPart>> e : ret.getFormDataMap().entrySet()) { | ||
| for (InputPart inputPart : e.getValue()) { | ||
| List<String> cdHeaders = inputPart.getHeaders().get("Content-Disposition"); |
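Review bot: the get("Content-Disposition") lookup on the last line of this snippet returns null for a part that carries no such header, so the code that consumes cdHeaders has to null-check it before iterating, or the advice throws inside the request path. HTTP header names are also case-insensitive, so unless the map returned by inputPart.getHeaders() does case-insensitive lookups, a part sent with a lower-case content-disposition header silently yields no filename; normalising the key or comparing entry keys with equalsIgnoreCase avoids that.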
Preserve RESTEasy 6 multipart advice
This new direct call to InputPart.getHeaders() is compiled against RESTEasy 3's javax.ws.rs.core.MultivaluedMap return type, but RESTEasy 6 changed the same API to return jakarta.ws.rs.core.MultivaluedMap. Because muzzle records that binary method reference, RESTEasy 6 classloaders will no longer match the multipart advice, disabling the existing multipart requestBodyProcessed AppSec handling for RESTEasy 6 uploads as well as the new filename event. Please split a 6.x/jakarta variant or avoid the binary getHeaders() reference for the 3.x instrumentation.
| BiFunction<RequestContext, List<String>, Flow<Void>> filenamesCallback = | ||
| cbp.getCallback(EVENTS.requestFilesFilenames()); |
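Review bot: cbp.getCallback(EVENTS.requestFilesFilenames()) is null whenever no rule subscribed to the filenames event, so the code following this lookup must guard filenamesCallback before invoking it and skip building the filename list altogether in that case; otherwise every multipart request pays for the Content-Disposition parse for an event nobody consumes. Fetching the filenames callback next to the body callback, each with its own null guard, keeps the two events independent.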
Invoke filename callbacks without body subscribers
When AppSec is configured with rules that subscribe only to server.request.body.filenames, GatewayBridge registers requestFilesFilenames() independently of requestBodyProcessed(). In that configuration the earlier callback == null return exits before this new block, so filename-only rules never receive Jersey multipart filenames. Please collect and invoke the filename callback independently of the body-object callback; the same ordering pattern appears in the Jersey 3 and RESTEasy additions.
What Does This Do
Instruments Jersey 2.x, Jersey 3.x, and RESTEasy 3.x multipart request handling to fire the requestFilesFilenames AppSec gateway event, enabling WAF rules that act on uploaded file names.
- jersey-appsec-2.0: instruments MultiPartReaderServerSide.readMultiPart() to iterate FormDataBodyPart instances and extract filenames via FormDataContentDisposition.getFileName()
- jersey-appsec-3.0: the same with jakarta.* imports
- resteasy-appsec-3.0: readFrom() advice; parses the Content-Disposition header manually (split on ;, looks for filename=) since RESTEasy's InputPart API does not expose filenames directly
Motivation
Part of APPSEC-61873 — server.request.body.filenames implementation across server frameworks.
Additional Notes
Depends on #10949 and #10973 (both merged).
Contributor Checklist
- type: and (comp: or inst:) labels in addition to any other useful labels
- Don't use close, fix, or any linking keywords when referencing an issue. Use solves instead, and assign the PR milestone to the issue
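The RESTEasy part of this PR recovers the upload name by splitting Content-Disposition on ; and looking for filename=. The class below is an added example, not code from the PR or from dd-trace-java, that does the same job with a quote-aware scan (a plain split breaks on filename="a;b.txt", and parameter names are case-insensitive); the class name and the collect() shape are assumptions. The value is deliberately left unsanitised, because server.request.body.filenames exists so WAF rules can match on exactly what the client sent.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public final class ContentDispositionFilenames {
  // Returns the filename parameter of e.g. form-data; name="f"; filename="report.pdf", or null
  // for a part without one. Quotes/escapes are undone, nothing else: the WAF sees the raw name.
  public static String filenameOf(String cd) {
    if (cd == null) return null;
    int n = cd.length(), i = cd.indexOf(';'); // text before the first ';' is the disposition type
    while (i >= 0 && i < n) {
      i++;
      while (i < n && cd.charAt(i) == ' ') i++;
      int eq = cd.indexOf('=', i), semi = cd.indexOf(';', i);
      if (eq < 0) break;
      if (semi >= 0 && semi < eq) { i = semi; continue; } // parameter without '=': skip it
      String key = cd.substring(i, eq).trim().toLowerCase(Locale.ROOT);
      String value;
      i = eq + 1;
      if (i < n && cd.charAt(i) == '"') { // quoted-string: a ';' inside quotes is not a separator
        StringBuilder sb = new StringBuilder();
        for (i++; i < n && cd.charAt(i) != '"'; i++) {
          char c = cd.charAt(i);
          if (c == '\\' && i + 1 < n) c = cd.charAt(++i); // quoted-pair
          sb.append(c);
        }
        value = sb.toString();
        i = cd.indexOf(';', i + 1);
      } else {
        int end = cd.indexOf(';', i);
        value = (end < 0 ? cd.substring(i) : cd.substring(i, end)).trim();
        i = end;
      }
      if ("filename".equals(key)) return value.isEmpty() ? null : value;
    }
    return null;
  }
  // Same loop shape as the RESTEasy advice; a part may carry no Content-Disposition list (null).
  public static List<String> collect(List<List<String>> partsCdHeaders) {
    List<String> filenames = new ArrayList<>();
    for (List<String> cdHeaders : partsCdHeaders) {
      if (cdHeaders == null) continue;
      for (String header : cdHeaders) {
        String name = filenameOf(header); // e.g. "notes;v2.txt" from filename="notes;v2.txt"
        if (name != null) filenames.add(name);
      }
    }
    return filenames;
  }
}
```

A plain form field (form-data; name="comment") yields null and is skipped, so only real uploads reach the filenames list handed to the gateway callback.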