Merge branch 'develop' into feature/async-httpclient-5

newrelic · Oct 9, 2023 · bb81ba4 · bb81ba4
2 parents c7567bb + 65d6fed
commit bb81ba4
Show file tree

Hide file tree

Showing 489 changed files with 4,279 additions and 1,344 deletions.
diff --git a/.github/actions/setup-environment-inst-verifier/action.yml b/.github/actions/setup-environment-inst-verifier/action.yml
@@ -52,7 +52,7 @@ runs:
     - name: Download S3 instrumentation jar zip
       shell: bash
       run: |
-        aws s3 cp s3://nr-java-agent-s3-instrumentation/proprietary-jars-20220805.zip proprietary-jars.zip && unzip proprietary-jars.zip && cp -rf instrumentation/** instrumentation-security/
+        aws s3 cp s3://nr-java-agent-s3-instrumentation/proprietary-jars-20230623.zip proprietary-jars.zip && unzip proprietary-jars.zip && cp -rf instrumentation/** instrumentation-security/
         if [ $? -ne 0 ]; then
           echo "Instrumentation jar zip unavailable." >> $GITHUB_STEP_SUMMARY
         fi
diff --git a/.github/actions/setup-environment/action.yml b/.github/actions/setup-environment/action.yml
@@ -4,11 +4,11 @@ inputs:
   apm-repo:
     description: 'The repo of APM source code to use'
     required: true
-    default: 'newrelic/newrelic-java-agent'
+    default: 'k2io/newrelic-java-agent'
   apm-branch:
     description: 'The branch of APM source code to use'
     required: true
-    default: 'k2-integration'
+    default: 'csec-dev'
   apm-aws-access-key-id:
     description: 'APM AWS S3 access key id'
   apm-aws-secret-access-key:
@@ -103,7 +103,7 @@ runs:
     - name: Download S3 instrumentation jar zip
       shell: bash
       run: |
-        aws s3 cp s3://nr-java-agent-s3-instrumentation/proprietary-jars-20220805.zip proprietary-jars.zip && unzip proprietary-jars.zip && cp -rf instrumentation/** instrumentation-security/ && unzip -d newrelic-java-agent proprietary-jars.zip
+        aws s3 cp s3://nr-java-agent-s3-instrumentation/proprietary-jars-20230623.zip proprietary-jars.zip && unzip proprietary-jars.zip && cp -rf instrumentation/** instrumentation-security/ && unzip -d newrelic-java-agent proprietary-jars.zip
         if [ $? -ne 0 ]; then
           echo "Instrumentation jar zip unavailable." >> $GITHUB_STEP_SUMMARY
         fi

diff --git a/.github/workflows/X-Reusable-Build-Security-Agent.yml b/.github/workflows/X-Reusable-Build-Security-Agent.yml
@@ -6,12 +6,12 @@ on:
         description: 'The repo of APM source code to use'
         required: true
         type: string
-        default: 'newrelic/newrelic-java-agent'
+        default: 'k2io/newrelic-java-agent'
       apm-source-ref:
         description: 'The source-ref of APM source code to use'
         required: true
         type: string
-        default: 'k2-integration'
+        default: 'csec-dev'
       run-unit-test:
         description: 'Run instrumentation unit tests ?'
         required: true
@@ -33,12 +33,12 @@ on:
         description: 'The repo of APM source code to use'
         required: true
         type: string
-        default: 'newrelic/newrelic-java-agent'
+        default: 'k2io/newrelic-java-agent'
       apm-source-ref:
         description: 'The source-ref of APM source code to use'
         required: true
         type: string
-        default: 'k2-integration'
+        default: 'csec-dev'
       run-unit-test:
         description: 'Run instrumentation unit tests ?'
         required: true
@@ -74,28 +74,6 @@ jobs:
           apm-aws-secret-access-key: ${{ secrets.APM_AWS_SECRET_ACCESS_KEY }}
           apm-aws-region: us-east-2
 
-      - name: Check version compatibility
-        shell: bash
-        run: |
-          APM_CONFIGURED_CSEC_VERSION=$(./gradlew ${GRADLE_OPTIONS} -p newrelic-java-agent/ properties | grep 'csecCollectorVersion:' | awk -F': ' '{print $2}')
-          CSEC_CONFIGURED_APM_VERSION=$(./gradlew ${GRADLE_OPTIONS} properties | grep 'nrAPIVersion:' | awk -F': ' '{print $2}')
-
-          if [[ "${APM_VERSION}" != "${CSEC_CONFIGURED_APM_VERSION}" ]]
-          then
-            printf "${RED}Version mismatch regarding APM: ${NONE}\n"
-            printf "${RED}Version of APM to build: ${APM_VERSION} ${NONE}\n"
-            printf "${RED}Version of APM API used by CSEC: ${CSEC_CONFIGURED_APM_VERSION} ${NONE}\n"
-            exit 1
-          fi
-
-          if [[ "${SECURITY_VERSION}" != "${APM_CONFIGURED_CSEC_VERSION}" ]]
-          then
-            printf "${RED}Version mismatch regarding Security: ${NONE}\n"
-            printf "${RED}Version of CSEC to build: ${SECURITY_VERSION} ${NONE}\n"
-            printf "${RED}Version of CSEC API used by APM: ${APM_CONFIGURED_CSEC_VERSION} ${NONE}\n"
-            exit 2
-          fi
-
       - name: Publish CSEC to local
         uses: ./.github/actions/publish-csec-local
 

diff --git a/.github/workflows/X-Reusable-VerifyInstrumentation.yml b/.github/workflows/X-Reusable-VerifyInstrumentation.yml
@@ -36,7 +36,7 @@ jobs:
           cd instrumentation-security
           tmpfile=$(mktemp /tmp/dirs.XXXXXXXXXX)
           # lists the folders inside instrumentation, and removes the trailing '/'
-          ls -d */build.gradle | cut -d'/' -f 1 > $tmpfile
+          cat ../settings.gradle | grep "^include 'instrumentation:" | cut -d"'" -f 2 | cut -d : -f 2 > $tmpfile
           # creates an envar with the requested page of the instrumentation modules in a JSON format
           modules=$((
             echo '{ "modules" : '

diff --git a/.github/workflows/build-integrated-jar.yml b/.github/workflows/build-integrated-jar.yml
@@ -5,11 +5,11 @@ on:
       apm-repo:
         description: 'The repo of APM source code to use'
         required: true
-        default: 'newrelic/newrelic-java-agent'
+        default: 'k2io/newrelic-java-agent'
       apm-source-ref:
         description: 'The source-ref of APM source code to use'
         required: true
-        default: 'k2-integration'
+        default: 'csec-dev'
       csec-run-unittest:
         description: 'Whether to run CSEC instrumentation unit tests'
         required: true
@@ -71,28 +71,6 @@ jobs:
           apm-aws-secret-access-key: ${{ secrets.APM_AWS_SECRET_ACCESS_KEY }}
           apm-aws-region: us-east-2
 
-      - name: Check version compatibility
-        shell: bash
-        run: |
-          APM_CONFIGURED_CSEC_VERSION=$(./gradlew ${GRADLE_OPTIONS} -p newrelic-java-agent/ properties | grep 'csecCollectorVersion:' | awk -F': ' '{print $2}')
-          CSEC_CONFIGURED_APM_VERSION=$(./gradlew ${GRADLE_OPTIONS} properties | grep 'nrAPIVersion:' | awk -F': ' '{print $2}')
-          
-          if [[ "${APM_VERSION}" != "${CSEC_CONFIGURED_APM_VERSION}" ]]
-          then
-            printf "${RED}Version mismatch regarding APM: ${NONE}\n"
-            printf "${RED}Version of APM to build: ${APM_VERSION} ${NONE}\n"
-            printf "${RED}Version of APM API used by CSEC: ${CSEC_CONFIGURED_APM_VERSION} ${NONE}\n"
-            exit 1
-          fi
-          
-          if [[ "${SECURITY_VERSION}" != "${APM_CONFIGURED_CSEC_VERSION}" ]]
-          then
-            printf "${RED}Version mismatch regarding Security: ${NONE}\n"
-            printf "${RED}Version of CSEC to build: ${SECURITY_VERSION} ${NONE}\n"
-            printf "${RED}Version of CSEC API used by APM: ${APM_CONFIGURED_CSEC_VERSION} ${NONE}\n"
-            exit 2
-          fi
-
       - name: Build Integrated Agent Jar
         uses: ./.github/actions/build-apm-jar
 

diff --git a/.github/workflows/publish-main-snapshot-to-maven.yml b/.github/workflows/publish-main-snapshot-to-maven.yml
@@ -9,8 +9,8 @@ jobs:
     uses: ./.github/workflows/publish-to-maven.yml
     secrets: inherit
     with:
-      apm-repo: 'newrelic/newrelic-java-agent'
-      apm-source-ref: 'k2-integration'
+      apm-repo: 'k2io/newrelic-java-agent'
+      apm-source-ref: 'csec-dev'
       csec-run-unittest: 'true'
       csec-run-instrumentation-verify: 'true'
       is-release: 'false'

diff --git a/.github/workflows/publish-release-to-maven.yml b/.github/workflows/publish-release-to-maven.yml
@@ -10,10 +10,10 @@ jobs:
     uses: ./.github/workflows/publish-to-maven.yml
     secrets: inherit
     with:
-      apm-repo: 'newrelic/newrelic-java-agent'
-      apm-source-ref: 'k2-integration'
+      apm-repo: 'k2io/newrelic-java-agent'
+      apm-source-ref: 'csec-dev'
       csec-run-unittest: 'true'
       csec-run-instrumentation-verify: 'true'
       is-release: 'true'
-      version-suffix: '-limited-preview'
+      version-suffix: '-public-preview'
       slack-notify: 'true'
diff --git a/.github/workflows/publish-to-maven.yml b/.github/workflows/publish-to-maven.yml
@@ -5,11 +5,11 @@ on:
       apm-repo:
         description: 'The repo of APM source code to use'
         required: true
-        default: 'newrelic/newrelic-java-agent'
+        default: 'k2io/newrelic-java-agent'
       apm-source-ref:
         description: 'The source-ref of APM source code to use'
         required: true
-        default: 'k2-integration'
+        default: 'csec-dev'
       csec-run-unittest:
         description: 'Whether to run CSEC instrumentation unit tests'
         required: true
@@ -36,12 +36,12 @@ on:
         description: 'The repo of APM source code to use'
         required: true
         type: string
-        default: 'newrelic/newrelic-java-agent'
+        default: 'k2io/newrelic-java-agent'
       apm-source-ref:
         description: 'The source-ref of APM source code to use'
         required: true
         type: string
-        default: 'k2-integration'
+        default: 'csec-dev'
       csec-run-unittest:
         description: 'Whether to run CSEC instrumentation unit tests'
         required: true
@@ -108,28 +108,6 @@ jobs:
           is-release: ${{ inputs.is-release }}
           version-suffix: ${{ inputs.version-suffix }}
 
-      - name: Check version compatibility
-        shell: bash
-        run: |
-          APM_CONFIGURED_CSEC_VERSION=$(./gradlew ${GRADLE_OPTIONS} -p newrelic-java-agent/ properties | grep 'csecCollectorVersion:' | awk -F': ' '{print $2}')
-          CSEC_CONFIGURED_APM_VERSION=$(./gradlew ${GRADLE_OPTIONS} properties | grep 'nrAPIVersion:' | awk -F': ' '{print $2}')
-
-          if [[ "${APM_VERSION}" != "${CSEC_CONFIGURED_APM_VERSION}" ]]
-          then
-            printf "${RED}Version mismatch regarding APM: ${NONE}\n"
-            printf "${RED}Version of APM to build: ${APM_VERSION} ${NONE}\n"
-            printf "${RED}Version of APM API used by CSEC: ${CSEC_CONFIGURED_APM_VERSION} ${NONE}\n"
-            exit 1
-          fi
-
-          if [[ "${SECURITY_VERSION}" != "${APM_CONFIGURED_CSEC_VERSION}" ]]
-          then
-            printf "${RED}Version mismatch regarding Security: ${NONE}\n"
-            printf "${RED}Version of CSEC to build: ${SECURITY_VERSION} ${NONE}\n"
-            printf "${RED}Version of CSEC API used by APM: ${APM_CONFIGURED_CSEC_VERSION} ${NONE}\n"
-            exit 2
-          fi
-
       - name: Publish CSEC agent API
         shell: bash
         run: ./gradlew ${GRADLE_OPTIONS} :newrelic-security-api:publish -PbuildNumber=${{ github.run_id }}-${{ github.run_number }} -PcommitId=${{ github.sha }} --parallel

diff --git a/.github/workflows/snyk-vulnerability-scan.yml b/.github/workflows/snyk-vulnerability-scan.yml
@@ -0,0 +1,33 @@
+name: Snyk Vulnerability Scan
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '00 15 * * 1'
+  push:
+    branches:
+      - main
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Java Agent
+        uses: actions/checkout@v3
+        with:
+          ref: 'main'
+
+      - name: Set gradle.properties Workaround
+        shell: bash
+        run: |
+          echo "jdk8=/tmp" >> gradle.properties
+          echo "jdk11=/tmp" >> gradle.properties
+          echo "jdk17=/tmp" >> gradle.properties
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle@master
+        env:
+          SNYK_TOKEN: ${{ secrets.JAVA_AGENT_SNYK_TOKEN }}
+        with:
+          command: monitor
+          args: --all-sub-projects --org=java-agent --configuration-matching='(includeInJar)|(shadowIntoJar)'
diff --git a/Changelog.md b/Changelog.md
@@ -4,6 +4,23 @@ Noteworthy changes to the agent are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.6-public-preview] - TO BE DISCLOSED
+### Changes
+
+## [1.0.5-public-preview] - 2023-08-29
+### Changes
+- [INSTRUMENTATION] Support for Apache log4j 3.0.0-alpha1 (new version released on 21 June 2023)
+- [INSTRUMENTATION] Support for Commons.jxpath
+- Randomization in WS connection delay
+- [FIX] Issue with HealthChecking having empty process stats issue
+- Add agent monitoring details and matrix to health check
+- Limiting the supported version range for Jetty, due to the new version release of Jetty on 7th Aug, 2023
+
+## [1.0.4-public-preview] - 2023-06-20
+### Changes
+- Limiting the supported version range for Apache log4j due to the new version release of Apache log4j on 21 June 2023
+- Support for indication what all API-IDs are scanned or being scanned.
+
 ## [1.0.3-limited-preview] - 2023-05-23
 ### Changes
 - License update
@@ -71,4 +88,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Reset CSEC component version to 1.0.0
 - Reset CSEC json version to 1.0.0
 - Set WS TCP connect timeout to 15
-- Update WS header to include correct NR-LICENSE-KEY & NR-AGENT-RUN-TOKEN
+- Update WS header to include correct NR-LICENSE-KEY & NR-AGENT-RUN-TOKEN
diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ The agent automatically instruments the following frameworks.
 - JAX-RS 1.0 to latest
 - Spring Boot 1.4 to latest
 - Struts 2.0.5 to latest
-- Log4j from 2.0 to latest
+- Log4j from 2.0 to 2.20.0
 - Servlet from 2.4 to latest
 - Spring from 0 to latest
 
@@ -84,6 +84,26 @@ The agent automatically instruments the following HTTP clients and messaging ser
 - DynamoDB-1.11.80 to latest 
 - DyanamoDB-2.1.0 to latest
 
+## **Supported Vulnerabilities**
+* Remote Code Execution
+* SQL Injection
+* NoSQL Injection
+* Stored XSS
+* Reflected XSS
+* Reverse Shell attack
+* File Access
+* SSRF
+* Application Integrity Violation
+* LDAP Injection
+* XPath Injection
+* Weak Cryptographic Algorithm
+* Weak Hash Algorithm
+* Insecure Randomness
+* Trust Boundary Violation
+* Secure Cookie
+* XQuery Injection
+* JavaScript Code Injection
+
 ## **Building**
 
 #### **JDK requirements**
@@ -139,4 +159,4 @@ If you would like to contribute to this project, review [these guidelines](https
 
 New Relic Security Agent for Java is licensed under the New Relic Pre-Release Software Notice.
 
-The New Relic Security Agent for Java also uses source code from third-party libraries. You can find full details on which libraries are used and the terms under which they are licensed in the third-party notices document.
+The New Relic Security Agent for Java also uses source code from third-party libraries. You can find full details on which libraries are used and the terms under which they are licensed in the third-party notices document.
diff --git a/gradle.properties b/gradle.properties
@@ -1,16 +1,16 @@
 # The agent version.
-agentVersion=1.0.3
-jsonVersion=1.0.1
+agentVersion=1.0.6
+jsonVersion=1.1.0
 # Updated exposed NR APM API version.
-nrAPIVersion=8.3.0-SNAPSHOT
+nrAPIVersion=8.3.0
 
 # Actual NR APM Agent version
 # This is intentionally kept to an older NR agent version since it is only used as dependency for unit test framework &
 # verify instrumentation plugin. This will only be updated when either of these functions require the update.
-nrAgentVersion=8.2.0
+nrAgentVersion=8.3.0
 #org.gradle.jvmargs=-Xmx2048m
 org.gradle.jvmargs=-Xmx4g
 org.gradle.caching=true
 file.encoding=utf-8
 commitId=dev
-buildNumber=0
+buildNumber=0
diff --git a/.../main/java/com/newrelic/agent/security/introspec/internal/IntrospectorServiceManager.java b/.../main/java/com/newrelic/agent/security/introspec/internal/IntrospectorServiceManager.java
@@ -125,6 +125,7 @@ public static IntrospectorServiceManager createAndInitialize(Map<String, Object>
         Map<String, Object> sec = new HashMap<>();
         sec.put("enable", true);
         sec.put("validator_service_url", "ws://192.168.5.138:54321");
+        sec.put("low-priority-instrumentation", Collections.singletonMap("enabled", true));
         config.put("security", sec);
 
         if (configOverrides != null) {

diff --git a/...src/main/java/com/newrelic/agent/security/introspec/internal/TransformingClassLoader.java b/...src/main/java/com/newrelic/agent/security/introspec/internal/TransformingClassLoader.java
@@ -22,7 +22,7 @@ class TransformingClassLoader extends URLClassLoader {
             "java.lang.ProcessImpl", "java.io", "java.nio", "javax.servlet"
     };
     private static final String[] PROTECTED_PREFIXES = new String[]{"java.", "javax.", "com.sun.", "sun.",
-            "org.junit.", "junit.framework", "com.newrelic", "org.xml", "org.w3c"};
+            "org.junit.", "junit.framework", "com.newrelic.agent", "com.newrelic.api", "org.xml", "org.w3c"};
 
     private static final String[] INTROSPECTOR_MUST_LOADS = new String[]{
             // This class needs to be woven.