From 13293263fced372f25cdb6a84f822ddadbf221fa Mon Sep 17 00:00:00 2001
From: Florentin Labelle
Date: Tue, 9 Jun 2026 11:29:01 +0200
Subject: [PATCH 1/3] fix(appsec): remove http method from 'http.route' span tag
---
 bottlecap/src/appsec/processor/mod.rs | 26 +++++++++---------------
 bottlecap/tests/appsec_processor_test.rs | 2 +-
 2 files changed, 11 insertions(+), 17 deletions(-)
diff --git a/bottlecap/src/appsec/processor/mod.rs b/bottlecap/src/appsec/processor/mod.rs
index 11d532a2d..d976ce8b9 100644
--- a/bottlecap/src/appsec/processor/mod.rs
+++ b/bottlecap/src/appsec/processor/mod.rs
@@ -455,23 +455,17 @@ impl InvocationPayload for IdentifiedTrigger {
 }
 fn route(&self) -> Option {
 match self {
- Self::APIGatewayHttpEvent(t) => Some(t.route_key.clone()),
- Self::APIGatewayRestEvent(t) => Some(format!(
- "{method} {resource}",
- method = t.request_context.method,
- resource = t.request_context.resource_path
- )),
+ Self::APIGatewayHttpEvent(t) => Some(
+ t.route_key
+ .split_whitespace()
+ .last()
+ .unwrap_or(t.route_key.as_str())
+ .to_string(),
+ ),
+ Self::APIGatewayRestEvent(t) => Some(t.request_context.resource_path.clone()),
 Self::APIGatewayWebSocketEvent(t) => Some(t.request_context.route_key.clone()),
- Self::ALBEvent(t) => Some(format!(
- "{method} {path}",
- method = t.http_method,
- path = t.path.as_ref().map_or("", |s| s.as_str()),
- )),
- Self::LambdaFunctionUrlEvent(t) => Some(format!(
- "{method} {path}",
- method = t.request_context.http.method,
- path = t.request_context.http.path
- )),
+ Self::ALBEvent(t) => Some(t.path.as_ref().map_or("", |s| s.as_str()).to_string()),
+ Self::LambdaFunctionUrlEvent(t) => Some(t.request_context.http.path.clone()),
 // Events that are not relevant to App & API Protection
 Self::MSKEvent(_)
 | Self::SqsRecord(_)
diff --git a/bottlecap/tests/appsec_processor_test.rs b/bottlecap/tests/appsec_processor_test.rs
index c7b0f7b56..ab44382fa 100644
--- a/bottlecap/tests/appsec_processor_test.rs
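Review bot: In the `ALBEvent` and `LambdaFunctionUrlEvent` arms, `http.route` is filled from the request path (`t.path`, `t.request_context.http.path`), whereas the API Gateway arms read `route_key` / `resource_path`, which appear to be the configured route rather than the concrete URL. The path is chosen by the client, so wherever `http.route` is used to group requests by endpoint it can take an unbounded number of distinct values for these two triggers. If no route template is available for them, consider returning `None`, or at least mark the arms with a comment such as `// No route template for this trigger: this is the client-supplied path, not a pattern`. The `impl` block and the `match` both continue outside the hunk.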
+++ b/bottlecap/tests/appsec_processor_test.rs
@@ -322,7 +322,7 @@ async fn test_processor() {
 "http.request.headers.user-agent": "Arachni/v2",
 "http.request.headers.x-amzn-trace-id": "Root=1-613a52fb-4c43cfc95e0241c1471bfa05",
 "http.request.headers.x-forwarded-for": "38.122.226.210",
- "http.route": "POST /httpapi/post",
+ "http.route": "/httpapi/post",
 "http.url": "x02yirxc7a.execute-api.sa-east-1.amazonaws.com/httpapi/post",
 "http.status_code": "200",
 "network.client.ip": "38.122.226.210",
From c4a3cc0f6e208852e50ce3ee5ded0177093acd27 Mon Sep 17 00:00:00 2001
From: Florentin Labelle
Date: Thu, 11 Jun 2026 18:02:20 +0200
Subject: [PATCH 2/3] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 bottlecap/src/appsec/processor/mod.rs | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/bottlecap/src/appsec/processor/mod.rs b/bottlecap/src/appsec/processor/mod.rs
index d976ce8b9..5a412059d 100644
--- a/bottlecap/src/appsec/processor/mod.rs
+++ b/bottlecap/src/appsec/processor/mod.rs
@@ -455,13 +455,19 @@ impl InvocationPayload for IdentifiedTrigger {
 }
 fn route(&self) -> Option {
 match self {
- Self::APIGatewayHttpEvent(t) => Some(
- t.route_key
- .split_whitespace()
- .last()
- .unwrap_or(t.route_key.as_str())
- .to_string(),
- ),
+ Self::APIGatewayHttpEvent(t) => {
+ if t.route_key.is_empty() {
+ None
+ } else {
+ Some(
+ t.route_key
+ .split_whitespace()
+ .last()
+ .unwrap_or(t.route_key.as_str())
+ .to_string(),
+ )
+ }
+ }
 Self::APIGatewayRestEvent(t) => Some(t.request_context.resource_path.clone()),
 Self::APIGatewayWebSocketEvent(t) => Some(t.request_context.route_key.clone()),
 Self::ALBEvent(t) => Some(t.path.as_ref().map_or("", |s| s.as_str()).to_string()),
From daa2d737c857431464af26b98070c3ffa8ce3375 Mon Sep 17 00:00:00 2001
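Review bot: The new `http.route` format is pinned for the HTTP API fixture only; the REST, ALB and Function URL arms changed in the same commit have no updated expectation in this patch. The `split_whitespace().last()` handling of a route key that carries no method (for example `$default`) is also not asserted anywhere visible. One fixture per trigger type, plus a method-less route key, would fix the tag format that downstream consumers see. `test_processor` continues outside the hunk, so other fixtures may exist that this patch does not show.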
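Review bot: The `is_empty()` guard in the `APIGatewayHttpEvent` arm does not cover a `route_key` that consists only of whitespace: `split_whitespace().last()` is then `None`, and `unwrap_or(t.route_key.as_str())` writes the blank string into the tag. Dropping the fallback handles both cases and removes the `if`/`else`: `Self::APIGatewayHttpEvent(t) => t.route_key.split_whitespace().last().map(str::to_string),`. For any key with at least one non-whitespace character the result is unchanged, because the fallback is only reachable when there is no token at all. The `match` continues outside the hunk.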
From: Florentin Labelle
Date: Thu, 11 Jun 2026 18:02:38 +0200
Subject: [PATCH 3/3] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 bottlecap/src/appsec/processor/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bottlecap/src/appsec/processor/mod.rs b/bottlecap/src/appsec/processor/mod.rs
index 5a412059d..4b09acad4 100644
--- a/bottlecap/src/appsec/processor/mod.rs
+++ b/bottlecap/src/appsec/processor/mod.rs
@@ -470,7 +470,7 @@ impl InvocationPayload for IdentifiedTrigger {
 }
 Self::APIGatewayRestEvent(t) => Some(t.request_context.resource_path.clone()),
 Self::APIGatewayWebSocketEvent(t) => Some(t.request_context.route_key.clone()),
- Self::ALBEvent(t) => Some(t.path.as_ref().map_or("", |s| s.as_str()).to_string()),
+ Self::ALBEvent(t) => t.path.clone().filter(|p| !p.is_empty()),
 Self::LambdaFunctionUrlEvent(t) => Some(t.request_context.http.path.clone()),
 // Events that are not relevant to App & API Protection
 Self::MSKEvent(_)
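Review bot: The empty-value filter lands on `ALBEvent` only, while the neighbouring `APIGatewayRestEvent`, `APIGatewayWebSocketEvent` and `LambdaFunctionUrlEvent` arms in this hunk still return `Some(..)` unconditionally. An empty `resource_path`, `route_key` or `path` would therefore still produce an empty `http.route` for those triggers. If an empty value means "no route", the same treatment belongs on each arm, e.g. `Some(t.request_context.http.path.clone()).filter(|p| !p.is_empty())`. On the changed line, `t.path.as_ref().filter(|p| !p.is_empty()).cloned()` gives the same result without cloning a string that is then discarded. The `match` starts and ends outside the hunk.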