Email Injection detection in IAST #8205

Draft
wants to merge 20 commits into
base: master

sezen-datadog (Contributor) commented Jan 15, 2025

What Does This Do

Controls the mails to detect tainted content for javax mail methods, in particular, Transport.send

Motivation

Email HTML injection is a vulnerability where user input is included in the content of an email without proper validation and sanitization. This vulnerability can have severe consequences as it opens the door for various attacks, including phishing, social engineering exploits, and the exploitation of email client vulnerabilities.

This modification provides a control of the body of the email that is meant to be sent. If an injection occurred in the mail body and no sanitization has taken place, the sink will raise an alert.

Jira ticket: APPSEC-56330

@sezen-datadog sezen-datadog added type: enhancement comp: asm iast Application Security Management (IAST) inst: java Core Java language instrumentation labels Jan 15, 2025
@smola smola removed the inst: java Core Java language instrumentation label Jan 15, 2025
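
The Motivation in the PR description (a sink that alerts when tainted, unsanitized input reaches the mail body) can be illustrated with a toy range-based taint model. This is an added example, not code from this pull request or from dd-trace-java; `EmailBodySinkDemo`, `Text` and `checkEmailBody` are hypothetical names, and the user input is a constructed sample.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration only: a toy taint tracker with hypothetical names, not dd-trace-java code.
public class EmailBodySinkDemo {
  /** A string plus the [start, end) ranges that came from unsanitized user input. */
  static final class Text {
    final String value;
    final List<int[]> tainted = new ArrayList<>();
    Text(String value) { this.value = value; }

    static Text literal(String s) { return new Text(s); }

    static Text userInput(String s) {           // source: the whole value is tainted
      Text t = new Text(s);
      if (!s.isEmpty()) t.tainted.add(new int[] {0, s.length()});
      return t;
    }

    Text concat(Text other) {                   // propagation: shift the right-hand ranges
      Text out = new Text(value + other.value);
      out.tainted.addAll(tainted);
      for (int[] r : other.tainted) {
        out.tainted.add(new int[] {r[0] + value.length(), r[1] + value.length()});
      }
      return out;
    }

    Text htmlEscaped() {                        // sanitizer: result carries no tainted range
      StringBuilder sb = new StringBuilder();
      for (char c : value.toCharArray()) {
        switch (c) {
          case '&': sb.append("&amp;"); break;
          case '<': sb.append("&lt;"); break;
          case '>': sb.append("&gt;"); break;
          case '"': sb.append("&quot;"); break;
          case '\'': sb.append("&#39;"); break;
          default: sb.append(c);
        }
      }
      return new Text(sb.toString());
    }
  }

  /** Sink check run before an HTML body is handed to the mail transport. */
  static List<String> checkEmailBody(Text body) {
    List<String> findings = new ArrayList<>();
    for (int[] r : body.tainted) {
      findings.add("tainted email body chars " + r[0] + ".." + r[1]
          + ": " + body.value.substring(r[0], r[1]));
    }
    return findings;
  }

  public static void main(String[] args) {
    // Constructed sample input standing in for a request parameter.
    Text name = Text.userInput("<a href=\"https://example.invalid/\">verify account</a>");
    Text unsafe = Text.literal("<p>Hello ").concat(name).concat(Text.literal("</p>"));
    Text safe = Text.literal("<p>Hello ").concat(name.htmlEscaped()).concat(Text.literal("</p>"));

    System.out.println("unsafe findings: " + checkEmailBody(unsafe));
    System.out.println("safe findings:   " + checkEmailBody(safe));
    System.out.println("safe body:       " + safe.value);
  }
}
```

The unsanitized body yields one finding covering the injected markup; the escaped body yields none, because the sanitizer returns text with no tainted range.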
jandro996 (Member) commented Jan 15, 2025

Nice work @sezen-datadog! You are in the right direction, we can discuss the caveats offline if you want 😃

My comments related to the new IAST module can be extended if we need an Object instead of a String

Just in case no one has shared it with you before, this is an interesting document for when we need to implement new IAST vulnerabilities

https://datadoghq.atlassian.net/wiki/spaces/APS/pages/3643539583/Adding+New+Vulnerability+Types+A+Practical+Guide

sezen-datadog and others added 3 commits January 16, 2025 14:53
…/trace/instrumentation/javax/mail/JavaxMailInstrumentation.java

Co-authored-by: Alejandro González García <alejandro.gonzalez@datadoghq.com>
…/trace/instrumentation/javax/mail/JavaxMailInstrumentation.java

Co-authored-by: Alejandro González García <alejandro.gonzalez@datadoghq.com>
@sezen-datadog (Contributor Author)

setContext and setText of Part
mimebodypart

StringEscapeUtilsCallsite

pr-commenter bot commented Jan 17, 2025

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master sezen.leblay/APPSEC-56330-email-injection
git_commit_date 1737124507 1737129305
git_commit_sha fbb36f9 460737d
release_version 1.46.0-SNAPSHOT~fbb36f9b5b 1.46.0-SNAPSHOT~460737dc10
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1737131773 1737131773
ci_job_id 771006705 771006705
ci_pipeline_id 53328185 53328185
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 1 performance regressions! Performance is the same for 56 metrics, 6 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:startup:petclinic:profiling:GlobalTracer | worse [+17.236ms; +22.156ms] or [+4.936%; +6.345%] | 368.893ms | 349.197ms |
Startup time reports for petclinic
gantt
    title petclinic - global startup overhead: candidate=1.46.0-SNAPSHOT~460737dc10, baseline=1.46.0-SNAPSHOT~fbb36f9b5b

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.053 s) : 0, 1053244
Total [baseline] (10.545 s) : 0, 10545444
Agent [candidate] (1.054 s) : 0, 1053650
Total [candidate] (10.43 s) : 0, 10430031
section appsec
Agent [baseline] (1.19 s) : 0, 1190489
Total [baseline] (10.761 s) : 0, 10760922
Agent [candidate] (1.189 s) : 0, 1189106
Total [candidate] (10.701 s) : 0, 10700542
section iast
Agent [baseline] (1.193 s) : 0, 1192665
Total [baseline] (11.026 s) : 0, 11025968
Agent [candidate] (1.187 s) : 0, 1186568
Total [candidate] (10.963 s) : 0, 10963119
section profiling
Agent [baseline] (1.253 s) : 0, 1252891
Total [baseline] (10.798 s) : 0, 10798009
Agent [candidate] (1.273 s) : 0, 1272881
Total [candidate] (10.89 s) : 0, 10890247
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.053 s -
Agent appsec 1.19 s 137.245 ms (13.0%)
Agent iast 1.193 s 139.421 ms (13.2%)
Agent profiling 1.253 s 199.647 ms (19.0%)
Total tracing 10.545 s -
Total appsec 10.761 s 215.478 ms (2.0%)
Total iast 11.026 s 480.524 ms (4.6%)
Total profiling 10.798 s 252.566 ms (2.4%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.054 s -
Agent appsec 1.189 s 135.456 ms (12.9%)
Agent iast 1.187 s 132.919 ms (12.6%)
Agent profiling 1.273 s 219.231 ms (20.8%)
Total tracing 10.43 s -
Total appsec 10.701 s 270.51 ms (2.6%)
Total iast 10.963 s 533.088 ms (5.1%)
Total profiling 10.89 s 460.216 ms (4.4%)
gantt
    title petclinic - break down per module: candidate=1.46.0-SNAPSHOT~460737dc10, baseline=1.46.0-SNAPSHOT~fbb36f9b5b

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (712.559 ms) : 0, 712559
BytebuddyAgent [candidate] (713.995 ms) : 0, 713995
GlobalTracer [baseline] (254.982 ms) : 0, 254982
GlobalTracer [candidate] (255.6 ms) : 0, 255600
AppSec [baseline] (56.427 ms) : 0, 56427
AppSec [candidate] (55.34 ms) : 0, 55340
Remote Config [baseline] (740.518 µs) : 0, 741
Remote Config [candidate] (713.39 µs) : 0, 713
Telemetry [baseline] (13.651 ms) : 0, 13651
Telemetry [candidate] (12.95 ms) : 0, 12950
section appsec
BytebuddyAgent [baseline] (732.539 ms) : 0, 732539
BytebuddyAgent [candidate] (731.74 ms) : 0, 731740
GlobalTracer [baseline] (253.012 ms) : 0, 253012
GlobalTracer [candidate] (252.695 ms) : 0, 252695
AppSec [baseline] (171.37 ms) : 0, 171370
AppSec [candidate] (170.562 ms) : 0, 170562
IAST [baseline] (19.5 ms) : 0, 19500
IAST [candidate] (19.56 ms) : 0, 19560
Remote Config [baseline] (677.02 µs) : 0, 677
Remote Config [candidate] (656.145 µs) : 0, 656
Telemetry [baseline] (8.196 ms) : 0, 8196
Telemetry [candidate] (8.61 ms) : 0, 8610
section iast
BytebuddyAgent [baseline] (839.457 ms) : 0, 839457
BytebuddyAgent [candidate] (836.329 ms) : 0, 836329
GlobalTracer [baseline] (247.832 ms) : 0, 247832
GlobalTracer [candidate] (246.012 ms) : 0, 246012
AppSec [baseline] (58.567 ms) : 0, 58567
AppSec [candidate] (57.953 ms) : 0, 57953
IAST [baseline] (21.977 ms) : 0, 21977
IAST [candidate] (21.628 ms) : 0, 21628
Remote Config [baseline] (680.426 µs) : 0, 680
Remote Config [candidate] (678.126 µs) : 0, 678
Telemetry [baseline] (8.937 ms) : 0, 8937
Telemetry [candidate] (8.806 ms) : 0, 8806
section profiling
BytebuddyAgent [baseline] (702.309 ms) : 0, 702309
BytebuddyAgent [candidate] (703.504 ms) : 0, 703504
GlobalTracer [baseline] (349.197 ms) : 0, 349197
GlobalTracer [candidate] (368.893 ms) : 0, 368893
AppSec [baseline] (54.634 ms) : 0, 54634
AppSec [candidate] (54.026 ms) : 0, 54026
Remote Config [baseline] (711.009 µs) : 0, 711
Remote Config [candidate] (708.045 µs) : 0, 708
Telemetry [baseline] (8.747 ms) : 0, 8747
Telemetry [candidate] (8.862 ms) : 0, 8862
ProfilingAgent [baseline] (95.292 ms) : 0, 95292
ProfilingAgent [candidate] (94.991 ms) : 0, 94991
Profiling [baseline] (95.316 ms) : 0, 95316
Profiling [candidate] (95.017 ms) : 0, 95017
Startup time reports for insecure-bank
gantt
    title insecure-bank - global startup overhead: candidate=1.46.0-SNAPSHOT~460737dc10, baseline=1.46.0-SNAPSHOT~fbb36f9b5b

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.069 s) : 0, 1068928
Total [baseline] (8.66 s) : 0, 8660427
Agent [candidate] (1.063 s) : 0, 1063167
Total [candidate] (8.619 s) : 0, 8618547
section iast
Agent [baseline] (1.183 s) : 0, 1182720
Total [baseline] (9.218 s) : 0, 9218316
Agent [candidate] (1.19 s) : 0, 1189712
Total [candidate] (9.224 s) : 0, 9224043
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.183 s) : 0, 1182880
Total [baseline] (9.156 s) : 0, 9155903
Agent [candidate] (1.183 s) : 0, 1183078
Total [candidate] (9.205 s) : 0, 9204576
section iast_TELEMETRY_OFF
Agent [baseline] (1.175 s) : 0, 1175472
Total [baseline] (9.161 s) : 0, 9161404
Agent [candidate] (1.187 s) : 0, 1186534
Total [candidate] (9.206 s) : 0, 9205657
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.069 s -
Agent iast 1.183 s 113.792 ms (10.6%)
Agent iast_HARDCODED_SECRET_DISABLED 1.183 s 113.952 ms (10.7%)
Agent iast_TELEMETRY_OFF 1.175 s 106.544 ms (10.0%)
Total tracing 8.66 s -
Total iast 9.218 s 557.889 ms (6.4%)
Total iast_HARDCODED_SECRET_DISABLED 9.156 s 495.475 ms (5.7%)
Total iast_TELEMETRY_OFF 9.161 s 500.977 ms (5.8%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.063 s -
Agent iast 1.19 s 126.545 ms (11.9%)
Agent iast_HARDCODED_SECRET_DISABLED 1.183 s 119.912 ms (11.3%)
Agent iast_TELEMETRY_OFF 1.187 s 123.368 ms (11.6%)
Total tracing 8.619 s -
Total iast 9.224 s 605.496 ms (7.0%)
Total iast_HARDCODED_SECRET_DISABLED 9.205 s 586.029 ms (6.8%)
Total iast_TELEMETRY_OFF 9.206 s 587.11 ms (6.8%)
gantt
    title insecure-bank - break down per module: candidate=1.46.0-SNAPSHOT~460737dc10, baseline=1.46.0-SNAPSHOT~fbb36f9b5b

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (724.354 ms) : 0, 724354
BytebuddyAgent [candidate] (719.749 ms) : 0, 719749
GlobalTracer [baseline] (258.235 ms) : 0, 258235
GlobalTracer [candidate] (257.605 ms) : 0, 257605
AppSec [baseline] (56.512 ms) : 0, 56512
AppSec [candidate] (56.202 ms) : 0, 56202
Remote Config [baseline] (756.568 µs) : 0, 757
Remote Config [candidate] (721.568 µs) : 0, 722
Telemetry [baseline] (13.853 ms) : 0, 13853
Telemetry [candidate] (13.656 ms) : 0, 13656
section iast
BytebuddyAgent [baseline] (831.975 ms) : 0, 831975
BytebuddyAgent [candidate] (837.254 ms) : 0, 837254
GlobalTracer [baseline] (246.598 ms) : 0, 246598
GlobalTracer [candidate] (247.699 ms) : 0, 247699
AppSec [baseline] (57.927 ms) : 0, 57927
AppSec [candidate] (58.258 ms) : 0, 58258
IAST [baseline] (21.731 ms) : 0, 21731
IAST [candidate] (21.749 ms) : 0, 21749
Remote Config [baseline] (670.837 µs) : 0, 671
Remote Config [candidate] (684.974 µs) : 0, 685
Telemetry [baseline] (8.883 ms) : 0, 8883
Telemetry [candidate] (8.9 ms) : 0, 8900
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (831.701 ms) : 0, 831701
BytebuddyAgent [candidate] (831.956 ms) : 0, 831956
GlobalTracer [baseline] (246.778 ms) : 0, 246778
GlobalTracer [candidate] (246.894 ms) : 0, 246894
AppSec [baseline] (58.268 ms) : 0, 58268
AppSec [candidate] (58.131 ms) : 0, 58131
IAST [baseline] (21.605 ms) : 0, 21605
IAST [candidate] (21.621 ms) : 0, 21621
Remote Config [baseline] (669.999 µs) : 0, 670
Remote Config [candidate] (675.496 µs) : 0, 675
Telemetry [baseline] (8.826 ms) : 0, 8826
Telemetry [candidate] (8.819 ms) : 0, 8819
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (826.541 ms) : 0, 826541
BytebuddyAgent [candidate] (834.512 ms) : 0, 834512
GlobalTracer [baseline] (246.002 ms) : 0, 246002
GlobalTracer [candidate] (248.131 ms) : 0, 248131
AppSec [baseline] (57.692 ms) : 0, 57692
AppSec [candidate] (58.163 ms) : 0, 58163
IAST [baseline] (20.947 ms) : 0, 20947
IAST [candidate] (21.249 ms) : 0, 21249
Remote Config [baseline] (666.653 µs) : 0, 667
Remote Config [candidate] (673.04 µs) : 0, 673
Telemetry [baseline] (8.635 ms) : 0, 8635
Telemetry [candidate] (8.686 ms) : 0, 8686

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2025-01-17T16:04:03 2025-01-17T16:11:07
git_branch master sezen.leblay/APPSEC-56330-email-injection
git_commit_date 1737124507 1737129305
git_commit_sha fbb36f9 460737d
release_version 1.46.0-SNAPSHOT~fbb36f9b5b 1.46.0-SNAPSHOT~460737dc10
start_time 2025-01-17T16:03:49 2025-01-17T16:10:53
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1737130622 1737130622
ci_job_id 771006706 771006706
ci_pipeline_id 53328185 53328185
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant iast iast

Summary

Found 2 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 16 unstable metrics.

| scenario | Δ mean http_req_duration | Δ mean throughput | candidate mean http_req_duration | candidate mean throughput | baseline mean http_req_duration | baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:insecure-bank:iast_FULL | better [-112.615µs; -65.340µs] or [-15.049%; -8.731%] | unstable [-358.239op/s; +2263.001op/s] or [-6.269%; +39.603%] | 659.354µs | 6666.667op/s | 748.332µs | 5714.286op/s |
| scenario:load:insecure-bank:iast_GLOBAL | better [-61.177µs; -12.981µs] or [-10.905%; -2.314%] | unstable [-1175.425op/s; +3057.778op/s] or [-16.652%; +43.319%] | 523.915µs | 8000.000op/s | 560.994µs | 7058.824op/s |
Request duration reports for insecure-bank
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.46.0-SNAPSHOT~460737dc10, baseline=1.46.0-SNAPSHOT~fbb36f9b5b
    dateFormat X
    axisFormat %s
section baseline
no_agent (377.659 µs) : 356, 399
.   : milestone, 378,
iast (506.169 µs) : 484, 528
.   : milestone, 506,
iast_FULL (748.332 µs) : 726, 770
.   : milestone, 748,
iast_GLOBAL (560.994 µs) : 538, 584
.   : milestone, 561,
iast_HARDCODED_SECRET_DISABLED (512.659 µs) : 490, 535
.   : milestone, 513,
iast_INACTIVE (456.657 µs) : 435, 478
.   : milestone, 457,
iast_TELEMETRY_OFF (497.379 µs) : 475, 519
.   : milestone, 497,
tracing (449.566 µs) : 429, 470
.   : milestone, 450,
section candidate
no_agent (378.071 µs) : 358, 398
.   : milestone, 378,
iast (499.384 µs) : 478, 521
.   : milestone, 499,
iast_FULL (659.354 µs) : 638, 681
.   : milestone, 659,
iast_GLOBAL (523.915 µs) : 503, 545
.   : milestone, 524,
iast_HARDCODED_SECRET_DISABLED (496.532 µs) : 475, 518
.   : milestone, 497,
iast_INACTIVE (461.481 µs) : 439, 484
.   : milestone, 461,
iast_TELEMETRY_OFF (482.199 µs) : 461, 504
.   : milestone, 482,
tracing (451.015 µs) : 430, 472
.   : milestone, 451,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 377.659 µs [356.486 µs, 398.832 µs] -
iast 506.169 µs [483.87 µs, 528.468 µs] 128.51 µs (34.0%)
iast_FULL 748.332 µs [726.193 µs, 770.471 µs] 370.673 µs (98.2%)
iast_GLOBAL 560.994 µs [537.561 µs, 584.426 µs] 183.335 µs (48.5%)
iast_HARDCODED_SECRET_DISABLED 512.659 µs [490.23 µs, 535.088 µs] 135.0 µs (35.7%)
iast_INACTIVE 456.657 µs [435.459 µs, 477.855 µs] 78.998 µs (20.9%)
iast_TELEMETRY_OFF 497.379 µs [475.489 µs, 519.268 µs] 119.72 µs (31.7%)
tracing 449.566 µs [428.982 µs, 470.149 µs] 71.907 µs (19.0%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 378.071 µs [358.446 µs, 397.696 µs] -
iast 499.384 µs [477.796 µs, 520.971 µs] 121.313 µs (32.1%)
iast_FULL 659.354 µs [637.562 µs, 681.146 µs] 281.284 µs (74.4%)
iast_GLOBAL 523.915 µs [502.61 µs, 545.219 µs] 145.844 µs (38.6%)
iast_HARDCODED_SECRET_DISABLED 496.532 µs [475.156 µs, 517.908 µs] 118.461 µs (31.3%)
iast_INACTIVE 461.481 µs [438.731 µs, 484.231 µs] 83.411 µs (22.1%)
iast_TELEMETRY_OFF 482.199 µs [460.793 µs, 503.605 µs] 104.128 µs (27.5%)
tracing 451.015 µs [430.417 µs, 471.612 µs] 72.944 µs (19.3%)
Request duration reports for petclinic
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.46.0-SNAPSHOT~460737dc10, baseline=1.46.0-SNAPSHOT~fbb36f9b5b
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.351 ms) : 1331, 1371
.   : milestone, 1351,
appsec (1.732 ms) : 1708, 1756
.   : milestone, 1732,
appsec_no_iast (1.769 ms) : 1746, 1792
.   : milestone, 1769,
iast (1.503 ms) : 1478, 1527
.   : milestone, 1503,
profiling (1.52 ms) : 1497, 1543
.   : milestone, 1520,
tracing (1.495 ms) : 1471, 1518
.   : milestone, 1495,
section candidate
no_agent (1.352 ms) : 1332, 1371
.   : milestone, 1352,
appsec (1.746 ms) : 1722, 1770
.   : milestone, 1746,
appsec_no_iast (1.744 ms) : 1720, 1767
.   : milestone, 1744,
iast (1.5 ms) : 1477, 1523
.   : milestone, 1500,
profiling (1.548 ms) : 1523, 1573
.   : milestone, 1548,
tracing (1.476 ms) : 1450, 1502
.   : milestone, 1476,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.351 ms [1.331 ms, 1.371 ms] -
appsec 1.732 ms [1.708 ms, 1.756 ms] 380.824 µs (28.2%)
appsec_no_iast 1.769 ms [1.746 ms, 1.792 ms] 417.915 µs (30.9%)
iast 1.503 ms [1.478 ms, 1.527 ms] 151.475 µs (11.2%)
profiling 1.52 ms [1.497 ms, 1.543 ms] 168.765 µs (12.5%)
tracing 1.495 ms [1.471 ms, 1.518 ms] 143.462 µs (10.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.352 ms [1.332 ms, 1.371 ms] -
appsec 1.746 ms [1.722 ms, 1.77 ms] 394.533 µs (29.2%)
appsec_no_iast 1.744 ms [1.72 ms, 1.767 ms] 391.691 µs (29.0%)
iast 1.5 ms [1.477 ms, 1.523 ms] 147.954 µs (10.9%)
profiling 1.548 ms [1.523 ms, 1.573 ms] 195.708 µs (14.5%)
tracing 1.476 ms [1.45 ms, 1.502 ms] 124.428 µs (9.2%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master sezen.leblay/APPSEC-56330-email-injection
git_commit_date 1737124507 1737129305
git_commit_sha fbb36f9 460737d
release_version 1.46.0-SNAPSHOT~fbb36f9b5b 1.46.0-SNAPSHOT~460737dc10
Baseline Candidate
application biojava biojava
ci_job_date 1737131351 1737131351
ci_job_id 771006707 771006707
ci_pipeline_id 53328185 53328185
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.46.0-SNAPSHOT~460737dc10, baseline=1.46.0-SNAPSHOT~fbb36f9b5b
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.474 ms) : 1462, 1485
.   : milestone, 1474,
appsec (2.372 ms) : 2329, 2415
.   : milestone, 2372,
iast (2.115 ms) : 2060, 2169
.   : milestone, 2115,
iast_GLOBAL (2.163 ms) : 2109, 2218
.   : milestone, 2163,
profiling (1.974 ms) : 1931, 2017
.   : milestone, 1974,
tracing (1.958 ms) : 1917, 2000
.   : milestone, 1958,
section candidate
no_agent (1.479 ms) : 1467, 1491
.   : milestone, 1479,
appsec (2.374 ms) : 2331, 2417
.   : milestone, 2374,
iast (2.113 ms) : 2059, 2167
.   : milestone, 2113,
iast_GLOBAL (2.165 ms) : 2110, 2220
.   : milestone, 2165,
profiling (1.993 ms) : 1948, 2038
.   : milestone, 1993,
tracing (1.968 ms) : 1926, 2010
.   : milestone, 1968,
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.474 ms [1.462 ms, 1.485 ms] -
appsec 2.372 ms [2.329 ms, 2.415 ms] 898.32 µs (61.0%)
iast 2.115 ms [2.06 ms, 2.169 ms] 640.952 µs (43.5%)
iast_GLOBAL 2.163 ms [2.109 ms, 2.218 ms] 689.825 µs (46.8%)
profiling 1.974 ms [1.931 ms, 2.017 ms] 500.563 µs (34.0%)
tracing 1.958 ms [1.917 ms, 2.0 ms] 484.708 µs (32.9%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.479 ms [1.467 ms, 1.491 ms] -
appsec 2.374 ms [2.331 ms, 2.417 ms] 895.163 µs (60.5%)
iast 2.113 ms [2.059 ms, 2.167 ms] 634.187 µs (42.9%)
iast_GLOBAL 2.165 ms [2.11 ms, 2.22 ms] 686.152 µs (46.4%)
profiling 1.993 ms [1.948 ms, 2.038 ms] 514.165 µs (34.8%)
tracing 1.968 ms [1.926 ms, 2.01 ms] 489.138 µs (33.1%)
Execution time for biojava
gantt
    title biojava - execution time [CI 0.99] : candidate=1.46.0-SNAPSHOT~460737dc10, baseline=1.46.0-SNAPSHOT~fbb36f9b5b
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.524 s) : 15524000, 15524000
.   : milestone, 15524000,
appsec (15.004 s) : 15004000, 15004000
.   : milestone, 15004000,
iast (18.547 s) : 18547000, 18547000
.   : milestone, 18547000,
iast_GLOBAL (18.159 s) : 18159000, 18159000
.   : milestone, 18159000,
profiling (15.063 s) : 15063000, 15063000
.   : milestone, 15063000,
tracing (14.785 s) : 14785000, 14785000
.   : milestone, 14785000,
section candidate
no_agent (14.697 s) : 14697000, 14697000
.   : milestone, 14697000,
appsec (15.025 s) : 15025000, 15025000
.   : milestone, 15025000,
iast (18.624 s) : 18624000, 18624000
.   : milestone, 18624000,
iast_GLOBAL (18.322 s) : 18322000, 18322000
.   : milestone, 18322000,
profiling (15.139 s) : 15139000, 15139000
.   : milestone, 15139000,
tracing (14.843 s) : 14843000, 14843000
.   : milestone, 14843000,
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.524 s [15.524 s, 15.524 s] -
appsec 15.004 s [15.004 s, 15.004 s] -520.0 ms (-3.3%)
iast 18.547 s [18.547 s, 18.547 s] 3.023 s (19.5%)
iast_GLOBAL 18.159 s [18.159 s, 18.159 s] 2.635 s (17.0%)
profiling 15.063 s [15.063 s, 15.063 s] -461.0 ms (-3.0%)
tracing 14.785 s [14.785 s, 14.785 s] -739.0 ms (-4.8%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.697 s [14.697 s, 14.697 s] -
appsec 15.025 s [15.025 s, 15.025 s] 328.0 ms (2.2%)
iast 18.624 s [18.624 s, 18.624 s] 3.927 s (26.7%)
iast_GLOBAL 18.322 s [18.322 s, 18.322 s] 3.625 s (24.7%)
profiling 15.139 s [15.139 s, 15.139 s] 442.0 ms (3.0%)
tracing 14.843 s [14.843 s, 14.843 s] 146.0 ms (1.0%)
