Merge branch 'release/v1.0.7' into feature/jetty-12

.github/workflows/snyk-vulnerability-scan.yml

@@ -0,0 +1,33 @@
+name: Snyk Vulnerability Scan
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '00 15 * * 1'
+  push:
+    branches:
+      - main
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Java Agent
+        uses: actions/checkout@v3
+        with:
+          ref: 'main'
+
+      - name: Set gradle.properties Workaround
+        shell: bash
+        run: |
+          echo "jdk8=/tmp" >> gradle.properties
+          echo "jdk11=/tmp" >> gradle.properties
+          echo "jdk17=/tmp" >> gradle.properties
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle@master
+        env:
+          SNYK_TOKEN: ${{ secrets.JAVA_AGENT_SNYK_TOKEN }}
+        with:
+          command: monitor
+          args: --all-sub-projects --org=java-agent --configuration-matching='(includeInJar)|(shadowIntoJar)'

Changelog.md

@@ -4,6 +4,21 @@ Noteworthy changes to the agent are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.6-public-preview] - 2023-10-17
+### Changes
+- Cassandra DB v3.0+ Support: The Security agent now supports Cassandra DB version 3.0 and above
+- HttpClient v5.0+ Support: The Security agent now also supports HttpClient version 5.0 and above
+- Support for std-out logging
+- Added feature for Daily log rollover
+- Support for logger config: log_file_count and log_limit_in_kbytes
+- Relocating all our instrumentation packages under the package com.newrelic.agent.security.instrumentation.*
+- Package Refactoring for Unit Tests: Move packaging for all UTs to com.nr.agent.security.instrumentation.*
+- Set default value for low severity instrumentation to false
+
+### Fixes
+- Fixed ClassNotFoundException for IOStreamHelper class with Glassfish
+- Updated PostgreSQL UTs with Embedded Server instead of test container
+
 ## [1.0.5-public-preview] - 2023-08-29
 ### Changes
 - [INSTRUMENTATION] Support for Apache log4j 3.0.0-alpha1 (new version released on 21 June 2023)

gradle.properties

@@ -1,5 +1,5 @@
 # The agent version.
-agentVersion=1.0.5
+agentVersion=1.0.7
 jsonVersion=1.1.0
 # Updated exposed NR APM API version.
 nrAPIVersion=8.3.0

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/SecurityIntrospector.java

@@ -41,5 +41,7 @@ public interface SecurityIntrospector {
 
     void setK2TracingData(String value);
 
+    void setK2ParentId(String value);
+
     void clear();
 }

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/internal/HttpServerRule.java

@@ -30,6 +30,12 @@ protected void after() {
 
     @Override
     public void shutdown() {
+        try {
+            // to prevent socket.io: broken pipe error for async calls
+            Thread.sleep(1000);
+        } catch (InterruptedException e) {
+            throw new RuntimeException(e);
+        }
         server.shutdown();
     }
 

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/internal/HttpTestServerImpl.java

@@ -32,7 +32,7 @@
 class HttpTestServerImpl extends NanoHTTPD implements HttpTestServer {
     private final int port;
 
-    private Map<String, String> headers = new HashMap<>();
+    private static Map<String, String> headers = new HashMap<>();
 
     public HttpTestServerImpl() throws IOException {
         this(getRandomPort());
@@ -83,7 +83,7 @@ private Response serveNonDispatcher(IHTTPSession session) {
     private Response serveInternal(IHTTPSession session) {
         NewRelic.addCustomParameter("server.port", this.port);
         final Map<String, String> incomingHeaders = session.getHeaders();
-        headers = incomingHeaders;
+        headers.putAll(incomingHeaders);
 
         if (incomingHeaders.containsKey(SLEEP_MS_HEADER_KEY)) {
             try {

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/internal/IntrospectorServiceManager.java

@@ -125,6 +125,7 @@ public static IntrospectorServiceManager createAndInitialize(Map<String, Object>
         Map<String, Object> sec = new HashMap<>();
         sec.put("enable", true);
         sec.put("validator_service_url", "ws://192.168.5.138:54321");
+        sec.put("low-priority-instrumentation", Collections.singletonMap("enabled", true));
         config.put("security", sec);
 
         if (configOverrides != null) {

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/internal/SecurityIntrospectorImpl.java

@@ -3,6 +3,7 @@
 import com.newrelic.agent.security.introspec.SecurityIntrospector;
 import com.newrelic.api.agent.security.Agent;
 import com.newrelic.api.agent.security.NewRelicSecurity;
+import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper;
 import com.newrelic.api.agent.security.instrumentation.helpers.JdbcHelper;
 import com.newrelic.api.agent.security.schema.AbstractOperation;
 import com.newrelic.api.agent.security.schema.HttpRequest;
@@ -108,6 +109,11 @@ public void setK2TracingData(String value) {
         NewRelicSecurity.getAgent().getSecurityMetaData().setTracingHeaderValue(value);
     }
 
+    @Override
+    public void setK2ParentId(String value) {
+        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(GenericHelper.CSEC_PARENT_ID, value);
+    }
+
     @Override
     public void setRequestInputStreamHash(int hashCode) {
         NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(REQUEST_INPUTSTREAM_HASH, Collections.singleton(hashCode));

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/internal/TransformingClassLoader.java

@@ -22,7 +22,7 @@ class TransformingClassLoader extends URLClassLoader {
             "java.lang.ProcessImpl", "java.io", "java.nio", "javax.servlet"
     };
     private static final String[] PROTECTED_PREFIXES = new String[]{"java.", "javax.", "com.sun.", "sun.",
-            "org.junit.", "junit.framework", "com.newrelic", "org.xml", "org.w3c"};
+            "org.junit.", "junit.framework", "com.newrelic.agent", "com.newrelic.api", "org.xml", "org.w3c"};
 
     private static final String[] INTROSPECTOR_MUST_LOADS = new String[]{
             // This class needs to be woven.

instrumentation-security/akka-http-core-10.0/src/main/scala/akka/http/scaladsl/HttpExt_Instrumentation.java

@@ -25,7 +25,7 @@
 import com.newrelic.api.agent.weaver.MatchType;
 import com.newrelic.api.agent.weaver.Weave;
 import com.newrelic.api.agent.weaver.Weaver;
-import com.nr.agent.security.akka.core.AkkaCoreUtils;
+import com.newrelic.agent.security.instrumentation.akka.core.AkkaCoreUtils;
 import scala.concurrent.Future;
 
 import java.net.URI;

instrumentation-security/akka-http-core-10.0/src/main/scala/com/nr/agent/security/akka/core/AkkaCoreUtils.java → instrumentation-security/akka-http-core-10.0/src/main/scala/com/newrelic/agent/security/instrumentation/akka/core/AkkaCoreUtils.java

@@ -1,4 +1,4 @@
-package com.nr.agent.security.akka.core;
+package com.newrelic.agent.security.instrumentation.akka.core;
 
 public class AkkaCoreUtils {
 

instrumentation-security/akka-http-core-10.0/src/test/scala/com/agent/instrumentation/akka/http/core_10/AkkaHttpCoreTest.scala → instrumentation-security/akka-http-core-10.0/src/test/scala/com/nr/agent/security/instrumentation/akka/http/core_10/AkkaHttpCoreTest.scala

@@ -5,18 +5,18 @@
  *
  */
 
-package com.agent.instrumentation.akka.http.core_10
+package com.nr.agent.security.instrumentation.akka.http.core_10
 
 import akka.actor.ActorSystem
 import akka.http.scaladsl.Http
 import akka.http.scaladsl.model.{HttpHeader, HttpRequest, HttpResponse}
 import akka.stream.ActorMaterializer
+import com.newrelic.agent.security.instrumentation.akka.core.AkkaCoreUtils
 import com.newrelic.agent.security.introspec.{InstrumentationTestConfig, SecurityInstrumentationTestRunner, SecurityIntrospector}
 import com.newrelic.api.agent.Trace
 import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper
 import com.newrelic.api.agent.security.schema.VulnerabilityCaseType
 import com.newrelic.api.agent.security.schema.operation.SSRFOperation
-import com.nr.agent.security.akka.core.AkkaCoreUtils
 import org.junit.runner.RunWith
 import org.junit.{After, Assert, Test}
 

instrumentation-security/akka-http-core-2.11_10.0.11/src/test/scala/com/agent/instrumentation/akka/http/core_211_10011/AkkaServer.scala → instrumentation-security/akka-http-core-10.0/src/test/scala/com/nr/agent/security/instrumentation/akka/http/core_10/AkkaServer.scala

@@ -5,7 +5,7 @@
  *
  */
 
-package com.agent.instrumentation.akka.http.core_211_10011
+package com.nr.agent.security.instrumentation.akka.http.core_10
 
 import akka.actor.ActorSystem
 import akka.event.Logging

instrumentation-security/akka-http-core-10.0/src/test/scala/com/agent/instrumentation/akka/http/core_10/PlayServer.scala → instrumentation-security/akka-http-core-10.0/src/test/scala/com/nr/agent/security/instrumentation/akka/http/core_10/PlayServer.scala

@@ -5,7 +5,7 @@
  *
  */
 
-package com.agent.instrumentation.akka.http.core_10
+package com.nr.agent.security.instrumentation.akka.http.core_10
 
 import akka.actor.ActorSystem
 import akka.event.Logging

instrumentation-security/akka-http-core-2.11_10.0.11/src/main/scala/akka/http/scaladsl/HttpExt_Instrumentation.java

@@ -24,7 +24,7 @@
 import com.newrelic.api.agent.weaver.MatchType;
 import com.newrelic.api.agent.weaver.Weave;
 import com.newrelic.api.agent.weaver.Weaver;
-import com.nr.agent.security.akka.core.AkkaCoreUtils;
+import com.newrelic.agent.security.instrumentation.akka.core.AkkaCoreUtils;
 import scala.concurrent.Future;
 
 import java.net.URI;

instrumentation-security/akka-http-core-2.11_10.0.11/src/main/scala/com/nr/agent/security/akka/core/AkkaCoreUtils.java → instrumentation-security/akka-http-core-2.11_10.0.11/src/main/scala/com/newrelic/agent/security/instrumentation/akka/core/AkkaCoreUtils.java

@@ -1,4 +1,4 @@
-package com.nr.agent.security.akka.core;
+package com.newrelic.agent.security.instrumentation.akka.core;
 
 public class AkkaCoreUtils {
 

instrumentation-security/akka-http-core-2.11_10.0.11/src/test/scala/com/agent/instrumentation/akka/http/core_211_10011/AkkaHttpCoreTest.scala → instrumentation-security/akka-http-core-2.11_10.0.11/src/test/scala/com/nr/agent/security/instrumentation/akka/http/core_10/AkkaHttpCoreTest.scala

@@ -5,19 +5,18 @@
  *
  */
 
-package com.agent.instrumentation.akka.http.core_10
+package com.nr.agent.security.instrumentation.akka.http.core_10
 
 import akka.actor.ActorSystem
 import akka.http.scaladsl.Http
 import akka.http.scaladsl.model.{HttpHeader, HttpRequest, HttpResponse}
 import akka.stream.ActorMaterializer
-import com.agent.instrumentation.akka.http.core_211_10011.{AkkaServer, PlayServer}
+import com.newrelic.agent.security.instrumentation.akka.core.AkkaCoreUtils
 import com.newrelic.agent.security.introspec.{InstrumentationTestConfig, SecurityInstrumentationTestRunner, SecurityIntrospector}
 import com.newrelic.api.agent.Trace
 import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper
 import com.newrelic.api.agent.security.schema.VulnerabilityCaseType
 import com.newrelic.api.agent.security.schema.operation.SSRFOperation
-import com.nr.agent.security.akka.core.AkkaCoreUtils
 import org.junit.runner.RunWith
 import org.junit.{After, Assert, Test}
 

instrumentation-security/akka-http-core-10.0/src/test/scala/com/agent/instrumentation/akka/http/core_10/AkkaServer.scala → instrumentation-security/akka-http-core-2.11_10.0.11/src/test/scala/com/nr/agent/security/instrumentation/akka/http/core_10/AkkaServer.scala

@@ -5,7 +5,7 @@
  *
  */
 
-package com.agent.instrumentation.akka.http.core_10
+package com.nr.agent.security.instrumentation.akka.http.core_10
 
 import akka.actor.ActorSystem
 import akka.event.Logging

instrumentation-security/akka-http-core-2.11_10.0.11/src/test/scala/com/agent/instrumentation/akka/http/core_211_10011/PlayServer.scala → instrumentation-security/akka-http-core-2.11_10.0.11/src/test/scala/com/nr/agent/security/instrumentation/akka/http/core_10/PlayServer.scala

@@ -5,15 +5,14 @@
  *
  */
 
-package com.agent.instrumentation.akka.http.core_211_10011
+package com.nr.agent.security.instrumentation.akka.http.core_10
 
 import akka.actor.ActorSystem
 import akka.event.Logging
 import akka.http.scaladsl.Http
 import akka.http.scaladsl.model.HttpMethods._
 import akka.http.scaladsl.model._
 import akka.stream.ActorMaterializer
-import akka.stream.scaladsl.{Source, _}
 import akka.util.Timeout
 import com.typesafe.config.ConfigFactory
 

instrumentation-security/apache-ldap/src/main/java/com/nr/instrumentation/security/apache/ldap/LDAPUtils.java → instrumentation-security/apache-ldap/src/main/java/com/newrelic/agent/security/instrumentation/apache/ldap/LDAPUtils.java

@@ -1,4 +1,4 @@
-package com.nr.instrumentation.security.apache.ldap;
+package com.newrelic.agent.security.instrumentation.apache.ldap;
 
 public class LDAPUtils {
 

instrumentation-security/apache-ldap/src/main/java/org/apache/directory/ldap/client/api/LdapAsyncConnection_Instrumentation.java

@@ -9,7 +9,7 @@
 import com.newrelic.api.agent.weaver.MatchType;
 import com.newrelic.api.agent.weaver.Weave;
 import com.newrelic.api.agent.weaver.Weaver;
-import com.nr.instrumentation.security.apache.ldap.LDAPUtils;
+import com.newrelic.agent.security.instrumentation.apache.ldap.LDAPUtils;
 import org.apache.directory.api.ldap.model.exception.LdapException;
 import org.apache.directory.api.ldap.model.message.SearchRequest;
 import org.apache.directory.api.ldap.model.message.SearchScope;

instrumentation-security/apache-ldap/src/main/java/org/apache/directory/ldap/client/api/LdapConnection_Instrumentation.java

@@ -9,7 +9,7 @@
 import com.newrelic.api.agent.weaver.MatchType;
 import com.newrelic.api.agent.weaver.Weave;
 import com.newrelic.api.agent.weaver.Weaver;
-import com.nr.instrumentation.security.apache.ldap.LDAPUtils;
+import com.newrelic.agent.security.instrumentation.apache.ldap.LDAPUtils;
 import org.apache.directory.api.ldap.model.cursor.EntryCursor;
 import org.apache.directory.api.ldap.model.cursor.SearchCursor;
 import org.apache.directory.api.ldap.model.exception.LdapException;

instrumentation-security/apache-ldap/src/test/java/com/nr/instrumentation/security/apache/ldap/LdapAsyncConnectionTest.java → instrumentation-security/apache-ldap/src/test/java/com/nr/agent/security/instrumentation/apache/ldap/LdapAsyncConnectionTest.java

@@ -1,4 +1,4 @@
-package com.nr.instrumentation.security.apache.ldap;
+package com.nr.agent.security.instrumentation.apache.ldap;
 
 import com.newrelic.agent.security.introspec.InstrumentationTestConfig;
 import com.newrelic.agent.security.introspec.SecurityInstrumentationTestRunner;
@@ -25,7 +25,7 @@
 import java.util.List;
 
 @RunWith(SecurityInstrumentationTestRunner.class)
-@InstrumentationTestConfig(includePrefixes = { "org.apache.directory.ldap.client.api", "com.nr.instrumentation.security.apache.ldap" })
+@InstrumentationTestConfig(includePrefixes = { "org.apache.directory.ldap.client.api", "com.newrelic.agent.security.instrumentation.apache.ldap" })
 @FixMethodOrder(MethodSorters.NAME_ASCENDING)
 public class LdapAsyncConnectionTest {
     public static final String DOMAIN_DSN = "dc=example,dc=com";

instrumentation-security/apache-ldap/src/test/java/com/nr/instrumentation/security/apache/ldap/LdapConnectionTest.java → instrumentation-security/apache-ldap/src/test/java/com/nr/agent/security/instrumentation/apache/ldap/LdapConnectionTest.java

@@ -1,4 +1,4 @@
-package com.nr.instrumentation.security.apache.ldap;
+package com.nr.agent.security.instrumentation.apache.ldap;
 
 import com.newrelic.agent.security.introspec.InstrumentationTestConfig;
 import com.newrelic.agent.security.introspec.SecurityInstrumentationTestRunner;
@@ -28,7 +28,7 @@
 import java.util.List;
 
 @RunWith(SecurityInstrumentationTestRunner.class)
-@InstrumentationTestConfig(includePrefixes = { "org.apache.directory.ldap.client.api", "com.nr.instrumentation.security.apache.ldap" })
+@InstrumentationTestConfig(includePrefixes = { "org.apache.directory.ldap.client.api", "com.newrelic.agent.security.instrumentation.apache.ldap" })
 @FixMethodOrder(MethodSorters.NAME_ASCENDING)
 public class LdapConnectionTest {
     public static final String DOMAIN_DSN = "dc=example,dc=com";

instrumentation-security/camel-xpath/src/main/java/com/nr/instrumentation/security/xpath/camel/XPATHUtils.java → instrumentation-security/camel-xpath/src/main/java/com/newrelic/agent/security/instrumentation/xpath/camel/XPATHUtils.java

@@ -1,4 +1,4 @@
-package com.nr.instrumentation.security.xpath.camel;
+package com.newrelic.agent.security.instrumentation.xpath.camel;
 
 public class XPATHUtils {
 

instrumentation-security/camel-xpath/src/main/java/org/apache/camel/builder/BuilderSupport_Instrumentation.java

@@ -9,7 +9,7 @@
 import com.newrelic.api.agent.weaver.MatchType;
 import com.newrelic.api.agent.weaver.Weave;
 import com.newrelic.api.agent.weaver.Weaver;
-import com.nr.instrumentation.security.xpath.camel.XPATHUtils;
+import com.newrelic.agent.security.instrumentation.xpath.camel.XPATHUtils;
 import org.apache.camel.support.builder.Namespaces;
 
 @Weave(type = MatchType.BaseClass, originalName = "org.apache.camel.builder.BuilderSupport")

instrumentation-security/camel-xpath/src/test/java/com/nr/instrumentation/security/camel/xpath/BuilderSupportTest.java → instrumentation-security/camel-xpath/src/test/java/com/nr/agent/security/instrumentation/xpath/camel/BuilderSupportTest.java

@@ -1,4 +1,4 @@
-package com.nr.instrumentation.security.camel.xpath;
+package com.nr.agent.security.instrumentation.xpath.camel;
 
 import com.newrelic.agent.security.introspec.InstrumentationTestConfig;
 import com.newrelic.agent.security.introspec.SecurityInstrumentationTestRunner;

instrumentation-security/cassandra-datastax-3/.gitignore

@@ -0,0 +1 @@
+target/

instrumentation-security/cassandra-datastax-3/build.gradle

@@ -0,0 +1,24 @@
+dependencies {
+    implementation(project(":newrelic-security-api"))
+    implementation("com.newrelic.agent.java:newrelic-api:${nrAPIVersion}")
+    implementation("com.newrelic.agent.java:newrelic-weaver-api:${nrAPIVersion}")
+    implementation("com.datastax.cassandra:cassandra-driver-core:3.2.0")
+
+    testImplementation("org.cassandraunit:cassandra-unit:3.1.1.0")
+    testImplementation("com.github.jbellis:jamm:0.3.2")
+}
+
+jar {
+    manifest { attributes 'Implementation-Title': 'com.newrelic.instrumentation.security.cassandra-datastax-3' }
+}
+
+verifyInstrumentation {
+    passesOnly 'com.datastax.cassandra:cassandra-driver-core:[3.0.0,4.0.0)'
+    excludeRegex ".*(rc|beta|alpha).*"
+    excludeRegex('com.datastax.cassandra:cassandra-driver-core:2.*')
+}
+
+site {
+    title 'Cassandra'
+    type 'Datastore'
+}