Skip to content

Move network.client.ip out of AppSec into HttpServerDecorator#11208

Open
smola wants to merge 1 commit intomasterfrom
smola/network-client-ip
Open

Move network.client.ip out of AppSec into HttpServerDecorator#11208
smola wants to merge 1 commit intomasterfrom
smola/network-client-ip

Conversation

@smola
Copy link
Copy Markdown
Member

@smola smola commented Apr 27, 2026
edited
Loading

What Does This Do

  • network.client.ip now shares the same activation logic as http.client_ip (DD_APPSEC_ENABLED=true or DD_TRACE_CLIENT_IP_ENABLED=true) and is no longer exclusive to AppSec events. Moved it from GatewayBridge (where it was set only when security events fired) into HttpServerDecorator alongside http.client_ip, using the raw peer/socket IP.

Main changes:

  • dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java (older, appsec-only tagging)
  • dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecorator.java (new tagging)
  • The rest is just small test updates, where dd-java-agent/instrumentation-testing/src/main/groovy/datadog/trace/agent/test/base/HttpServerTest.groovy is the one needing the most attention.

Motivation

Align with spec upgrades, in which network.client.ip becomes more broadly available, just as http.client_ip.

Additional Notes

  • Updated internal spec
  • New system tests: add test for network.client.ip tag system-tests#6707
  • actor.ip remains in AppSec as a deprecated backward-compatibility tag. It does not make sense to broaden it's support and should be scheduled for removal eventually.
  • This PR adds a few comments documenting incorrect behavior for peer IP address collection in Dropwizard and Play. Fixing that is out of the scope of this PR, but hopefully it is now more clear what's going on.
  • APPSEC-62219

Contributor Checklist

Jira ticket: [PROJ-IDENT]

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

@smola smola added type: enhancement Enhancements and improvements comp: core Tracer core tag: ai generated Largely based on code generated by an AI or LLM labels Apr 27, 2026
@pr-commenter
Copy link
Copy Markdown

pr-commenter Bot commented Apr 27, 2026
edited
Loading

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master smola/network-client-ip
git_commit_date 1777413936 1777454267
git_commit_sha da5e7c3 6723adb
release_version 1.62.0-SNAPSHOT~da5e7c3da7 1.62.0-SNAPSHOT~6723adbb09
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1777456075 1777456075
ci_job_id 1641295705 1641295705
ci_pipeline_id 110373484 110373484
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-7izzuort 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-7izzuort 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 61 metrics, 10 unstable metrics.

Startup time reports for petclinic 
gantt
    title petclinic - global startup overhead: candidate=1.62.0-SNAPSHOT~6723adbb09, baseline=1.62.0-SNAPSHOT~da5e7c3da7

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.068 s) : 0, 1067502
Total [baseline] (10.972 s) : 0, 10971713
Agent [candidate] (1.064 s) : 0, 1064420
Total [candidate] (11.102 s) : 0, 11101749
section appsec
Agent [baseline] (1.28 s) : 0, 1280291
Total [baseline] (11.065 s) : 0, 11064720
Agent [candidate] (1.264 s) : 0, 1264253
Total [candidate] (10.947 s) : 0, 10946812
section iast
Agent [baseline] (1.246 s) : 0, 1245589
Total [baseline] (11.184 s) : 0, 11184496
Agent [candidate] (1.243 s) : 0, 1243307
Total [candidate] (11.33 s) : 0, 11330364
section profiling
Agent [baseline] (1.185 s) : 0, 1185000
Total [baseline] (10.969 s) : 0, 10969059
Agent [candidate] (1.193 s) : 0, 1193460
Total [candidate] (10.923 s) : 0, 10922984
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.068 s -
Agent appsec 1.28 s 212.79 ms (19.9%)
Agent iast 1.246 s 178.088 ms (16.7%)
Agent profiling 1.185 s 117.498 ms (11.0%)
Total tracing 10.972 s -
Total appsec 11.065 s 93.007 ms (0.8%)
Total iast 11.184 s 212.783 ms (1.9%)
Total profiling 10.969 s -2.654 ms (-0.0%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.064 s -
Agent appsec 1.264 s 199.833 ms (18.8%)
Agent iast 1.243 s 178.887 ms (16.8%)
Agent profiling 1.193 s 129.04 ms (12.1%)
Total tracing 11.102 s -
Total appsec 10.947 s -154.937 ms (-1.4%)
Total iast 11.33 s 228.615 ms (2.1%)
Total profiling 10.923 s -178.765 ms (-1.6%) 
gantt
    title petclinic - break down per module: candidate=1.62.0-SNAPSHOT~6723adbb09, baseline=1.62.0-SNAPSHOT~da5e7c3da7

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.242 ms) : 0, 1242
crashtracking [candidate] (1.219 ms) : 0, 1219
BytebuddyAgent [baseline] (637.254 ms) : 0, 637254
BytebuddyAgent [candidate] (635.448 ms) : 0, 635448
AgentMeter [baseline] (29.518 ms) : 0, 29518
AgentMeter [candidate] (29.428 ms) : 0, 29428
GlobalTracer [baseline] (249.363 ms) : 0, 249363
GlobalTracer [candidate] (248.977 ms) : 0, 248977
AppSec [baseline] (32.831 ms) : 0, 32831
AppSec [candidate] (32.71 ms) : 0, 32710
Debugger [baseline] (60.532 ms) : 0, 60532
Debugger [candidate] (60.325 ms) : 0, 60325
Remote Config [baseline] (606.768 µs) : 0, 607
Remote Config [candidate] (599.451 µs) : 0, 599
Telemetry [baseline] (9.203 ms) : 0, 9203
Telemetry [candidate] (9.106 ms) : 0, 9106
Flare Poller [baseline] (10.648 ms) : 0, 10648
Flare Poller [candidate] (10.605 ms) : 0, 10605
section appsec
crashtracking [baseline] (1.23 ms) : 0, 1230
crashtracking [candidate] (1.228 ms) : 0, 1228
BytebuddyAgent [baseline] (684.027 ms) : 0, 684027
BytebuddyAgent [candidate] (674.824 ms) : 0, 674824
AgentMeter [baseline] (12.472 ms) : 0, 12472
AgentMeter [candidate] (12.246 ms) : 0, 12246
GlobalTracer [baseline] (252.489 ms) : 0, 252489
GlobalTracer [candidate] (248.988 ms) : 0, 248988
AppSec [baseline] (186.065 ms) : 0, 186065
AppSec [candidate] (184.853 ms) : 0, 184853
Debugger [baseline] (65.091 ms) : 0, 65091
Debugger [candidate] (64.649 ms) : 0, 64649
Remote Config [baseline] (577.298 µs) : 0, 577
Remote Config [candidate] (558.569 µs) : 0, 559
Telemetry [baseline] (7.887 ms) : 0, 7887
Telemetry [candidate] (7.81 ms) : 0, 7810
Flare Poller [baseline] (8.614 ms) : 0, 8614
Flare Poller [candidate] (5.015 ms) : 0, 5015
IAST [baseline] (24.97 ms) : 0, 24970
IAST [candidate] (24.645 ms) : 0, 24645
section iast
crashtracking [baseline] (1.221 ms) : 0, 1221
crashtracking [candidate] (1.219 ms) : 0, 1219
BytebuddyAgent [baseline] (823.8 ms) : 0, 823800
BytebuddyAgent [candidate] (822.276 ms) : 0, 822276
AgentMeter [baseline] (11.279 ms) : 0, 11279
AgentMeter [candidate] (11.283 ms) : 0, 11283
GlobalTracer [baseline] (237.91 ms) : 0, 237910
GlobalTracer [candidate] (237.497 ms) : 0, 237497
AppSec [baseline] (31.384 ms) : 0, 31384
AppSec [candidate] (29.676 ms) : 0, 29676
Debugger [baseline] (64.519 ms) : 0, 64519
Debugger [candidate] (64.345 ms) : 0, 64345
Remote Config [baseline] (536.611 µs) : 0, 537
Remote Config [candidate] (517.134 µs) : 0, 517
Telemetry [baseline] (8.104 ms) : 0, 8104
Telemetry [candidate] (8.033 ms) : 0, 8033
Flare Poller [baseline] (3.441 ms) : 0, 3441
Flare Poller [candidate] (3.401 ms) : 0, 3401
IAST [baseline] (27.351 ms) : 0, 27351
IAST [candidate] (29.048 ms) : 0, 29048
section profiling
ProfilingAgent [baseline] (93.719 ms) : 0, 93719
ProfilingAgent [candidate] (94.909 ms) : 0, 94909
crashtracking [baseline] (1.166 ms) : 0, 1166
crashtracking [candidate] (1.186 ms) : 0, 1186
BytebuddyAgent [baseline] (691.282 ms) : 0, 691282
BytebuddyAgent [candidate] (696.495 ms) : 0, 696495
AgentMeter [baseline] (8.891 ms) : 0, 8891
AgentMeter [candidate] (8.924 ms) : 0, 8924
GlobalTracer [baseline] (207.888 ms) : 0, 207888
GlobalTracer [candidate] (208.795 ms) : 0, 208795
AppSec [baseline] (32.669 ms) : 0, 32669
AppSec [candidate] (32.956 ms) : 0, 32956
Debugger [baseline] (65.793 ms) : 0, 65793
Debugger [candidate] (66.181 ms) : 0, 66181
Remote Config [baseline] (586.475 µs) : 0, 586
Remote Config [candidate] (579.265 µs) : 0, 579
Telemetry [baseline] (8.08 ms) : 0, 8080
Telemetry [candidate] (8.194 ms) : 0, 8194
Flare Poller [baseline] (3.554 ms) : 0, 3554
Flare Poller [candidate] (3.545 ms) : 0, 3545
Profiling [baseline] (94.27 ms) : 0, 94270
Profiling [candidate] (95.471 ms) : 0, 95471
Loading
Startup time reports for insecure-bank 
gantt
    title insecure-bank - global startup overhead: candidate=1.62.0-SNAPSHOT~6723adbb09, baseline=1.62.0-SNAPSHOT~da5e7c3da7

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.065 s) : 0, 1064810
Total [baseline] (8.882 s) : 0, 8882260
Agent [candidate] (1.063 s) : 0, 1062623
Total [candidate] (8.856 s) : 0, 8856287
section iast
Agent [baseline] (1.247 s) : 0, 1247143
Total [baseline] (9.524 s) : 0, 9524350
Agent [candidate] (1.246 s) : 0, 1245645
Total [candidate] (9.531 s) : 0, 9531215
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.065 s -
Agent iast 1.247 s 182.332 ms (17.1%)
Total tracing 8.882 s -
Total iast 9.524 s 642.089 ms (7.2%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.063 s -
Agent iast 1.246 s 183.022 ms (17.2%)
Total tracing 8.856 s -
Total iast 9.531 s 674.929 ms (7.6%) 
gantt
    title insecure-bank - break down per module: candidate=1.62.0-SNAPSHOT~6723adbb09, baseline=1.62.0-SNAPSHOT~da5e7c3da7

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.244 ms) : 0, 1244
crashtracking [candidate] (1.22 ms) : 0, 1220
BytebuddyAgent [baseline] (636.871 ms) : 0, 636871
BytebuddyAgent [candidate] (634.89 ms) : 0, 634890
AgentMeter [baseline] (29.407 ms) : 0, 29407
AgentMeter [candidate] (29.331 ms) : 0, 29331
GlobalTracer [baseline] (248.937 ms) : 0, 248937
GlobalTracer [candidate] (248.449 ms) : 0, 248449
AppSec [baseline] (32.766 ms) : 0, 32766
AppSec [candidate] (32.746 ms) : 0, 32746
Debugger [baseline] (59.905 ms) : 0, 59905
Debugger [candidate] (59.751 ms) : 0, 59751
Remote Config [baseline] (602.234 µs) : 0, 602
Remote Config [candidate] (592.085 µs) : 0, 592
Telemetry [baseline] (9.932 ms) : 0, 9932
Telemetry [candidate] (8.387 ms) : 0, 8387
Flare Poller [baseline] (9.121 ms) : 0, 9121
Flare Poller [candidate] (11.314 ms) : 0, 11314
section iast
crashtracking [baseline] (1.236 ms) : 0, 1236
crashtracking [candidate] (1.223 ms) : 0, 1223
BytebuddyAgent [baseline] (827.19 ms) : 0, 827190
BytebuddyAgent [candidate] (825.937 ms) : 0, 825937
AgentMeter [baseline] (11.307 ms) : 0, 11307
AgentMeter [candidate] (11.255 ms) : 0, 11255
GlobalTracer [baseline] (237.344 ms) : 0, 237344
GlobalTracer [candidate] (238.346 ms) : 0, 238346
AppSec [baseline] (31.479 ms) : 0, 31479
AppSec [candidate] (28.367 ms) : 0, 28367
Debugger [baseline] (63.088 ms) : 0, 63088
Debugger [candidate] (63.548 ms) : 0, 63548
Remote Config [baseline] (525.089 µs) : 0, 525
Remote Config [candidate] (520.901 µs) : 0, 521
Telemetry [baseline] (7.91 ms) : 0, 7910
Telemetry [candidate] (7.96 ms) : 0, 7960
Flare Poller [baseline] (3.363 ms) : 0, 3363
Flare Poller [candidate] (3.35 ms) : 0, 3350
IAST [baseline] (27.456 ms) : 0, 27456
IAST [candidate] (29.046 ms) : 0, 29046
Loading

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master smola/network-client-ip
git_commit_date 1777413936 1777454267
git_commit_sha da5e7c3 6723adb
release_version 1.62.0-SNAPSHOT~da5e7c3da7 1.62.0-SNAPSHOT~6723adbb09
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1777456546 1777456546
ci_job_id 1641295707 1641295707
ci_pipeline_id 110373484 110373484
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-ln4u19kq 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-ln4u19kq 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 2 performance regressions! Performance is the same for 18 metrics, 16 unstable metrics.

scenario Δ mean agg_http_req_duration_p50 Δ mean agg_http_req_duration_p95 Δ mean throughput candidate mean agg_http_req_duration_p50 candidate mean agg_http_req_duration_p95 candidate mean throughput baseline mean agg_http_req_duration_p50 baseline mean agg_http_req_duration_p95 baseline mean throughput
scenario:load:petclinic:appsec:high_load worse
[+601.225µs; +1381.419µs] or [+3.276%; +7.528%]		 unsure
[+0.541ms; +2.276ms] or [+1.800%; +7.578%]		 unstable
[-34.758op/s; +10.883op/s] or [-13.971%; +4.374%]		 19.342ms 31.444ms 236.844op/s 18.351ms 30.036ms 248.781op/s
scenario:load:petclinic:no_agent:high_load worse
[+0.467ms; +2.039ms] or [+2.617%; +11.426%]		 unstable
[-0.108ms; +3.074ms] or [-0.362%; +10.298%]		 unstable
[-43.344op/s; +7.656op/s] or [-16.886%; +2.983%]		 19.097ms 31.337ms 238.844op/s 17.844ms 29.854ms 256.688op/s
Request duration reports for insecure-bank 
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~6723adbb09, baseline=1.62.0-SNAPSHOT~da5e7c3da7
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.253 ms) : 1241, 1266
.   : milestone, 1253,
iast (3.244 ms) : 3200, 3288
.   : milestone, 3244,
iast_FULL (6.03 ms) : 5969, 6091
.   : milestone, 6030,
iast_GLOBAL (3.706 ms) : 3642, 3770
.   : milestone, 3706,
profiling (2.24 ms) : 2218, 2261
.   : milestone, 2240,
tracing (1.973 ms) : 1954, 1992
.   : milestone, 1973,
section candidate
no_agent (1.261 ms) : 1249, 1274
.   : milestone, 1261,
iast (3.225 ms) : 3183, 3268
.   : milestone, 3225,
iast_FULL (6.002 ms) : 5941, 6062
.   : milestone, 6002,
iast_GLOBAL (3.655 ms) : 3594, 3715
.   : milestone, 3655,
profiling (2.261 ms) : 2240, 2281
.   : milestone, 2261,
tracing (1.877 ms) : 1860, 1893
.   : milestone, 1877,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.253 ms [1.241 ms, 1.266 ms] -
iast 3.244 ms [3.2 ms, 3.288 ms] 1.991 ms (158.9%)
iast_FULL 6.03 ms [5.969 ms, 6.091 ms] 4.777 ms (381.2%)
iast_GLOBAL 3.706 ms [3.642 ms, 3.77 ms] 2.453 ms (195.7%)
profiling 2.24 ms [2.218 ms, 2.261 ms] 986.625 µs (78.7%)
tracing 1.973 ms [1.954 ms, 1.992 ms] 720.294 µs (57.5%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.261 ms [1.249 ms, 1.274 ms] -
iast 3.225 ms [3.183 ms, 3.268 ms] 1.964 ms (155.7%)
iast_FULL 6.002 ms [5.941 ms, 6.062 ms] 4.741 ms (375.9%)
iast_GLOBAL 3.655 ms [3.594 ms, 3.715 ms] 2.394 ms (189.8%)
profiling 2.261 ms [2.24 ms, 2.281 ms] 999.513 µs (79.3%)
tracing 1.877 ms [1.86 ms, 1.893 ms] 615.666 µs (48.8%)
Request duration reports for petclinic 
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~6723adbb09, baseline=1.62.0-SNAPSHOT~da5e7c3da7
    dateFormat X
    axisFormat %s
section baseline
no_agent (18.178 ms) : 17990, 18365
.   : milestone, 18178,
appsec (18.757 ms) : 18567, 18948
.   : milestone, 18757,
code_origins (17.95 ms) : 17772, 18128
.   : milestone, 17950,
iast (18.036 ms) : 17862, 18210
.   : milestone, 18036,
profiling (18.301 ms) : 18116, 18485
.   : milestone, 18301,
tracing (17.819 ms) : 17642, 17996
.   : milestone, 17819,
section candidate
no_agent (19.546 ms) : 19348, 19744
.   : milestone, 19546,
appsec (19.71 ms) : 19506, 19914
.   : milestone, 19710,
code_origins (18.046 ms) : 17870, 18223
.   : milestone, 18046,
iast (17.919 ms) : 17740, 18097
.   : milestone, 17919,
profiling (18.334 ms) : 18152, 18516
.   : milestone, 18334,
tracing (17.894 ms) : 17718, 18070
.   : milestone, 17894,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.178 ms [17.99 ms, 18.365 ms] -
appsec 18.757 ms [18.567 ms, 18.948 ms] 579.484 µs (3.2%)
code_origins 17.95 ms [17.772 ms, 18.128 ms] -228.074 µs (-1.3%)
iast 18.036 ms [17.862 ms, 18.21 ms] -142.037 µs (-0.8%)
profiling 18.301 ms [18.116 ms, 18.485 ms] 122.759 µs (0.7%)
tracing 17.819 ms [17.642 ms, 17.996 ms] -359.106 µs (-2.0%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 19.546 ms [19.348 ms, 19.744 ms] -
appsec 19.71 ms [19.506 ms, 19.914 ms] 164.036 µs (0.8%)
code_origins 18.046 ms [17.87 ms, 18.223 ms] -1.499 ms (-7.7%)
iast 17.919 ms [17.74 ms, 18.097 ms] -1.627 ms (-8.3%)
profiling 18.334 ms [18.152 ms, 18.516 ms] -1.211 ms (-6.2%)
tracing 17.894 ms [17.718 ms, 18.07 ms] -1.652 ms (-8.4%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master smola/network-client-ip
git_commit_date 1777413936 1777454267
git_commit_sha da5e7c3 6723adb
release_version 1.62.0-SNAPSHOT~da5e7c3da7 1.62.0-SNAPSHOT~6723adbb09
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1777456280 1777456280
ci_job_id 1641295709 1641295709
ci_pipeline_id 110373484 110373484
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-8h1kdv7s 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-8h1kdv7s 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat 
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~6723adbb09, baseline=1.62.0-SNAPSHOT~da5e7c3da7
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.488 ms) : 1476, 1499
.   : milestone, 1488,
appsec (3.834 ms) : 3610, 4058
.   : milestone, 3834,
iast (2.281 ms) : 2210, 2352
.   : milestone, 2281,
iast_GLOBAL (2.329 ms) : 2258, 2400
.   : milestone, 2329,
profiling (2.109 ms) : 2054, 2164
.   : milestone, 2109,
tracing (2.082 ms) : 2028, 2137
.   : milestone, 2082,
section candidate
no_agent (1.486 ms) : 1474, 1498
.   : milestone, 1486,
appsec (3.808 ms) : 3585, 4031
.   : milestone, 3808,
iast (2.284 ms) : 2213, 2354
.   : milestone, 2284,
iast_GLOBAL (2.332 ms) : 2261, 2403
.   : milestone, 2332,
profiling (2.106 ms) : 2050, 2162
.   : milestone, 2106,
tracing (2.1 ms) : 2046, 2155
.   : milestone, 2100,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.488 ms [1.476 ms, 1.499 ms] -
appsec 3.834 ms [3.61 ms, 4.058 ms] 2.346 ms (157.7%)
iast 2.281 ms [2.21 ms, 2.352 ms] 793.359 µs (53.3%)
iast_GLOBAL 2.329 ms [2.258 ms, 2.4 ms] 841.632 µs (56.6%)
profiling 2.109 ms [2.054 ms, 2.164 ms] 621.217 µs (41.8%)
tracing 2.082 ms [2.028 ms, 2.137 ms] 594.873 µs (40.0%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.486 ms [1.474 ms, 1.498 ms] -
appsec 3.808 ms [3.585 ms, 4.031 ms] 2.322 ms (156.3%)
iast 2.284 ms [2.213 ms, 2.354 ms] 797.694 µs (53.7%)
iast_GLOBAL 2.332 ms [2.261 ms, 2.403 ms] 846.369 µs (57.0%)
profiling 2.106 ms [2.05 ms, 2.162 ms] 620.197 µs (41.7%)
tracing 2.1 ms [2.046 ms, 2.155 ms] 614.121 µs (41.3%)
Execution time for biojava 
gantt
    title biojava - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~6723adbb09, baseline=1.62.0-SNAPSHOT~da5e7c3da7
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.638 s) : 15638000, 15638000
.   : milestone, 15638000,
appsec (14.736 s) : 14736000, 14736000
.   : milestone, 14736000,
iast (18.242 s) : 18242000, 18242000
.   : milestone, 18242000,
iast_GLOBAL (17.893 s) : 17893000, 17893000
.   : milestone, 17893000,
profiling (14.964 s) : 14964000, 14964000
.   : milestone, 14964000,
tracing (14.76 s) : 14760000, 14760000
.   : milestone, 14760000,
section candidate
no_agent (15.384 s) : 15384000, 15384000
.   : milestone, 15384000,
appsec (15.061 s) : 15061000, 15061000
.   : milestone, 15061000,
iast (18.421 s) : 18421000, 18421000
.   : milestone, 18421000,
iast_GLOBAL (18.051 s) : 18051000, 18051000
.   : milestone, 18051000,
profiling (15.526 s) : 15526000, 15526000
.   : milestone, 15526000,
tracing (14.835 s) : 14835000, 14835000
.   : milestone, 14835000,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.638 s [15.638 s, 15.638 s] -
appsec 14.736 s [14.736 s, 14.736 s] -902.0 ms (-5.8%)
iast 18.242 s [18.242 s, 18.242 s] 2.604 s (16.7%)
iast_GLOBAL 17.893 s [17.893 s, 17.893 s] 2.255 s (14.4%)
profiling 14.964 s [14.964 s, 14.964 s] -674.0 ms (-4.3%)
tracing 14.76 s [14.76 s, 14.76 s] -878.0 ms (-5.6%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.384 s [15.384 s, 15.384 s] -
appsec 15.061 s [15.061 s, 15.061 s] -323.0 ms (-2.1%)
iast 18.421 s [18.421 s, 18.421 s] 3.037 s (19.7%)
iast_GLOBAL 18.051 s [18.051 s, 18.051 s] 2.667 s (17.3%)
profiling 15.526 s [15.526 s, 15.526 s] 142.0 ms (0.9%)
tracing 14.835 s [14.835 s, 14.835 s] -549.0 ms (-3.6%)

@smola smola force-pushed the smola/network-client-ip branch 5 times, most recently from 21b2fc1 to c716c82 Compare April 28, 2026 14:30
@smola smola marked this pull request as ready for review April 28, 2026 15:38
@smola smola requested review from a team as code owners April 28, 2026 15:38
@smola smola requested review from jandro996, manuel-alvarez-alvarez and mtoffl01 and removed request for a team April 28, 2026 15:38
manuel-alvarez-alvarez
manuel-alvarez-alvarez reviewed Apr 29, 2026
View reviewed changes
Comment thread .../instrumentation-testing/src/main/groovy/datadog/trace/agent/test/base/HttpServerTest.groovy
// remote-address API, so the peer/network IP tags become 1.2.3.4
// instead of the actual TCP peer (loopback). Frameworks with that
// behaviour opt in via `forwardedIpAsPeerInformation()`.
// FIXME(santiago.mola): This is actually a bug, and ideally instrumentation
Copy link
Copy Markdown
Member

@manuel-alvarez-alvarez manuel-alvarez-alvarez Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we can drop a JIRA ticket here

Copy link
Copy Markdown
Member Author

@smola smola Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, added Jira issue references to more specific locations.

manuel-alvarez-alvarez
manuel-alvarez-alvarez approved these changes Apr 29, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@manuel-alvarez-alvarez manuel-alvarez-alvarez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@smola
Move network.client.ip out of AppSec into HttpServerDecorator
6723adb 
network.client.ip now shares the same activation logic as http.client_ip
(DD_APPSEC_ENABLED or DD_TRACE_CLIENT_IP_ENABLED) and is no longer
exclusive to AppSec events. Move it from GatewayBridge (where it was
set only when security events fired) into HttpServerDecorator alongside
http.client_ip, using the raw peer/socket IP.

actor.ip remains in AppSec as a deprecated backward-compatibility tag.
@smola smola force-pushed the smola/network-client-ip branch from c716c82 to 6723adb Compare April 29, 2026 09:18
@ygree
Copy link
Copy Markdown
Contributor

ygree commented Apr 29, 2026

@codex review

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Apr 29, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6723adbb09

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread ...rap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecorator.java
Comment on lines +373 to +374
if (clientIpResolverEnabled) {
span.setTag(Tags.NETWORK_CLIENT_IP, peerIp);
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Do not tag forwarded headers as network.client.ip

When peerHostIP() is backed by a framework API that rewrites the remote address from X-Forwarded-For (the new forwardedIpAsPeerInformation() overrides in Dropwizard and Play document this), this line publishes that header-controlled value as network.client.ip. The PR broadens this tag to all AppSec/client-IP-enabled traces, so a forwarded request like the shared /forwarded test reports 1.2.3.4 as the network peer instead of the actual socket loopback; please fix or suppress those peer sources before emitting the raw network tag.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Member Author

@smola smola Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. Addressed at #11237 which will also simplify tests in the current PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@manuel-alvarez-alvarez manuel-alvarez-alvarez manuel-alvarez-alvarez approved these changes

@mhlidd mhlidd mhlidd approved these changes

@jandro996 jandro996 Awaiting requested review from jandro996 jandro996 is a code owner automatically assigned from DataDog/asm-java

@mtoffl01 mtoffl01 Awaiting requested review from mtoffl01 mtoffl01 is a code owner automatically assigned from DataDog/apm-sdk-capabilities-java

Assignees

No one assigned

Labels

comp: core Tracer core tag: ai generated Largely based on code generated by an AI or LLM type: enhancement Enhancements and improvements

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@smola @ygree @manuel-alvarez-alvarez @mhlidd