
Public Release 1.5.0

@lovesh-ap lovesh-ap released this 25 Sep 16:23
· 164 commits to main since this release
5d0d385

New features

  • JSON version bump to 1.2.9.
  • PR-327 Application endpoint detection for gRPC Server NR-303616
  • PR-326 Add IAST Scan start time and Traffic Start Time in Health Check NR-308822
  • PR-320 Add feature to allow IAST Scan Scheduling. NR-301534
    Configuration via yaml:
    security:
      scan_schedule:
        # The delay field specifies the delay in minutes before the IAST scan starts. This allows the scan to be scheduled to start at a later time.
        delay: 0        # In minutes, default is 0 min

        # The duration field specifies the duration of the IAST scan in minutes. This determines how long the scan will run.
        duration: 0      # In minutes, default is forever

        # The schedule field specifies a cron expression that defines when the IAST scan should start.
        #schedule: ""   # By default, schedule is inactive

        # Allow continuous sample collection of IAST events
        always_sample_traces: false # Default is false
  • PR-320 Add feature to ignore IAST Scan of certain APIs, categories, or parameters. NR-301856
    Configuration via yaml:
    security:
      # The exclude_from_iast_scan configuration specifies APIs, parameters, and categories that Security Agents should not scan.
      exclude_from_iast_scan:
        # The api field specifies a list of APIs as regular-expression (regex) patterns in Perl 5 syntax. A pattern must provide a complete match for the URL without the endpoint.
        # Example:
        #   api:
        #    - .*account.*
        #    - .*/\api\/v1\/.*?\/login
        api: []

        # The parameters configuration lets users specify headers, query parameters, and body keys that should be excluded from IAST scans.
        # Example:
        #   http_request_parameters:
        #    header:
        #      - X-Forwarded-For
        #    query:
        #      - username
        #      - password
        #    body:
        #      - account.email
        #      - account.contact
        http_request_parameters:
          # A list of HTTP header keys. If a request includes any header with one of these keys, the corresponding IAST scan is skipped.
          header: []
          # A list of query parameter keys. The presence of any of these parameters in the request's query string skips the IAST scan.
          query: []
          # A list of keys within the request body. If any of these keys is found in the body content, the IAST scan is omitted.
          body: []

        # The iast_detection_category configuration specifies which categories of vulnerabilities Security Agents should not detect.
        # If any of these categories is set to true, Security Agents will not generate events or flag vulnerabilities for that category.
        iast_detection_category:
          insecure_settings: false
          invalid_file_access: false
          sql_injection: false
          nosql_injection: false
          ldap_injection: false
          javascript_injection: false
          command_injection: false
          xpath_injection: false
          ssrf: false
          rxss: false
  • PR-321 Add feature to rate limit the IAST replay requests. NR-304574
    security:
      scan_controllers:
        # The scan_request_rate_limit configuration specifies the maximum number of replay requests played per minute.
        iast_scan_request_rate_limit: 3600 # Number of IAST replay requests played per minute, default is 3600
  • PR-315 GraphQL support: the security agent now also supports GraphQL version 16.0.0 and above; disabled by default. NR-299885
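The exclusion and rate-limit settings above describe what the agent does but not how a request is evaluated against them. The block below is an added example, not code from the security agent or from this release: a small Python model of the assumed semantics (the path must fully match an `api` regex rather than merely contain it, header keys compare case-insensitively, body keys are dot paths into a JSON-like body, and replay requests are capped by a sliding one-minute window). `IastExclusionPolicy`, `ReplayRateLimiter`, `has_dotted_key` and `SAMPLE_CONFIG` are hypothetical names; the sample configuration and requests are constructed here.

```python
"""Hypothetical evaluator for the exclude_from_iast_scan and
iast_scan_request_rate_limit settings (added example, not the agent's code)."""
import re
from collections import deque
from typing import Any, Callable, Deque, Dict, List, Mapping, Optional, Set

# Constructed sample configuration mirroring the keys shown in the release notes.
SAMPLE_CONFIG: Dict[str, Any] = {
    "security": {
        "exclude_from_iast_scan": {
            "api": [r".*account.*", r".*/api/v1/.*?/login"],
            "http_request_parameters": {
                "header": ["X-Forwarded-For"],
                "query": ["username", "password"],
                "body": ["account.email", "account.contact"],
            },
            # true means "do not detect this category"
            "iast_detection_category": {"sql_injection": False, "rxss": True},
        },
        "scan_controllers": {"iast_scan_request_rate_limit": 3600},
    }
}


def has_dotted_key(body: Mapping[str, Any], dotted: str) -> bool:
    """True if the dot-separated key path (e.g. account.email) exists in a
    JSON-like body. Dot-path semantics are an assumption drawn from the
    sample values in the release notes."""
    node: Any = body
    for part in dotted.split("."):
        if not isinstance(node, Mapping) or part not in node:
            return False
        node = node[part]
    return True


class IastExclusionPolicy:
    """Decides whether a request is skipped by the IAST scan (assumed semantics)."""

    def __init__(self, config: Mapping[str, Any]) -> None:
        ex = config.get("security", {}).get("exclude_from_iast_scan", {})
        self.api_patterns: List[re.Pattern] = [re.compile(p) for p in ex.get("api", [])]
        params = ex.get("http_request_parameters", {})
        # HTTP header names are case-insensitive, so compare lower-cased (assumption).
        self.headers: Set[str] = {h.lower() for h in params.get("header", [])}
        self.query: Set[str] = set(params.get("query", []))
        self.body_keys: List[str] = list(params.get("body", []))
        cats = ex.get("iast_detection_category", {})
        self.skipped_categories: Set[str] = {c for c, off in cats.items() if off}

    def exclusion_reason(self, path: str, headers: Optional[Mapping[str, str]] = None,
                         query: Optional[Mapping[str, str]] = None,
                         body: Optional[Mapping[str, Any]] = None) -> Optional[str]:
        """Return why the request is excluded, or None if it should be scanned."""
        # The notes require a complete match for the URL, hence fullmatch, not search:
        # a bare "account" pattern does not exclude /api/account, but ".*account.*" does.
        for pat in self.api_patterns:
            if pat.fullmatch(path):
                return f"api pattern {pat.pattern!r}"
        for name in headers or {}:
            if name.lower() in self.headers:
                return f"header {name}"
        for name in query or {}:
            if name in self.query:
                return f"query parameter {name}"
        for key in self.body_keys:
            if has_dotted_key(body or {}, key):
                return f"body key {key}"
        return None

    def category_enabled(self, category: str) -> bool:
        """False when the category is switched off in iast_detection_category."""
        return category not in self.skipped_categories


class ReplayRateLimiter:
    """Sliding one-minute window capping IAST replay requests (assumed semantics
    of iast_scan_request_rate_limit). The clock is injected so the window can be
    exercised deterministically."""

    def __init__(self, per_minute: int, clock: Callable[[], float]) -> None:
        self.per_minute = per_minute
        self.clock = clock
        self.sent: Deque[float] = deque()

    def try_acquire(self) -> bool:
        """Record one replay request; False means the caller must wait."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= 60.0:
            self.sent.popleft()  # drop sends older than one minute
        if len(self.sent) >= self.per_minute:
            return False
        self.sent.append(now)
        return True


if __name__ == "__main__":
    policy = IastExclusionPolicy(SAMPLE_CONFIG)
    # Constructed requests: one excluded by path, one by query key, one scanned.
    for req in ({"path": "/api/account/balance"},
                {"path": "/api/v2/orders", "query": {"username": "bob"}},
                {"path": "/api/v2/orders", "body": {"account": {"name": "bob"}}}):
        print(req["path"], "->", policy.exclusion_reason(**req) or "scanned")
```

The fullmatch choice is the point worth checking in your own configuration: a pattern written without leading and trailing `.*` excludes nothing unless the whole path equals it, so an API you meant to exclude keeps being scanned.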

Fixes

  • PR-322 Report Application endpoints immediately upon detecting new endpoints. NR-287324
  • PR-323 Extract Server Configuration to resolve IAST localhost connection with application for WebSphere Liberty server NR-303483
  • PR-327 Fix for User Class Detection in gRPC Server NR-303616
  • PR-328 Fix for multiple Reflected Events observed in Jersey Framework NR-307644
  • PR-325 Fix for incorrect Application endpoints detected for Servlet Framework NR-303615
  • PR-320 Report only uncaught exceptions in IAST Error inbox. NR-313412

Deprecations

  • Status File Used for Debugging: This feature has been deprecated. All debugging capabilities have been moved to either Init Logging or Error Inbox, and the status file will be removed in a future agent release. NR-293966