What Does This Do

Adds AppSec response analysis for AWS Lambda: LambdaAppSecHandler.processResponseData
parses the Lambda response object and fires the WAF gateway events (responseStarted,
responseHeader, responseHeaderDone, responseBody) with the extracted status code,
headers, and body.

Trigger-type detection (API Gateway v1/v2, ALB, Lambda URL, WebSocket) is added to
processRequestStart and stored in a ThreadLocal. processResponseData uses it to
decide whether to parse the response as an API-GW envelope or fall back to treating the
whole payload as a plain response body, matching how non-envelope HTTP triggers behave.

CoreTracer.notifyAppSecEnd is extended to receive the raw result object so it can be
forwarded to processResponseData from the Lambda handler instrumentation.

Additional extraction improvements:

• Response header keys are lowercased (Locale.ROOT) to normalise casing across API GW / ALB variants
• isBase64Encoded accepts "true" (string) in addition to Boolean.TRUE

LambdaHandlerInstrumentationTest and LambdaAppSecHandlerTest migrated from Spock/Groovy
to JUnit 5 Java, with new test cases for response analysis and trigger-type gating.

Motivation

Allows the WAF to inspect Lambda HTTP responses for threats.

Additional Notes

Contributor Checklist

• Format the title according to the contribution guidelines
• Assign the type: and (comp: or inst:) labels in addition to any other useful labels
• Avoid using close, fix, or any linking keywords when referencing an issue
  Use solves instead, and assign the PR milestone to the issue
• Update the CODEOWNERS file on source file addition, migration, or deletion
• Update public documentation with any new configuration flags or behaviors
• Add your completed PR to the merge queue by commenting /merge.

Jira ticket: APPSEC-60532