Release target 1.0.6 Public Preview

Changelog.md

@@ -4,8 +4,20 @@ Noteworthy changes to the agent are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [1.0.6-public-preview] - TO BE DISCLOSED
+## [1.0.6-public-preview] - 2023-10-17
 ### Changes
+- Cassandra DB v3.0+ Support: The Security agent now supports Cassandra DB version 3.0 and above
+- HttpClient v5.0+ Support: The Security agent now also supports HttpClient version 5.0 and above
+- Support for std-out logging
+- Added feature for Daily log rollover
+- Support for logger config: log_file_count and log_limit_in_kbytes
+- Relocating all our instrumentation packages under the package com.newrelic.agent.security.instrumentation.*
+- Package Refactoring for Unit Tests: Move packaging for all UTs to com.nr.agent.security.instrumentation.*
+- Set default value for low severity instrumentation to false
+
+### Fixes
+- Fixed ClassNotFoundException for IOStreamHelper class with Glassfish
+- Updated PostgreSQL UTs with Embedded Server instead of test container
 
 ## [1.0.5-public-preview] - 2023-08-29
 ### Changes

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/SecurityIntrospector.java

@@ -41,5 +41,7 @@ public interface SecurityIntrospector {
 
     void setK2TracingData(String value);
 
+    void setK2ParentId(String value);
+
     void clear();
 }

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/internal/HttpServerRule.java

@@ -30,6 +30,12 @@ protected void after() {
 
     @Override
     public void shutdown() {
+        try {
+            // to prevent socket.io: broken pipe error for async calls
+            Thread.sleep(1000);
+        } catch (InterruptedException e) {
+            throw new RuntimeException(e);
+        }
         server.shutdown();
     }
 

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/internal/HttpTestServerImpl.java

@@ -32,7 +32,7 @@
 class HttpTestServerImpl extends NanoHTTPD implements HttpTestServer {
     private final int port;
 
-    private Map<String, String> headers = new HashMap<>();
+    private static Map<String, String> headers = new HashMap<>();
 
     public HttpTestServerImpl() throws IOException {
         this(getRandomPort());
@@ -83,7 +83,7 @@ private Response serveNonDispatcher(IHTTPSession session) {
     private Response serveInternal(IHTTPSession session) {
         NewRelic.addCustomParameter("server.port", this.port);
         final Map<String, String> incomingHeaders = session.getHeaders();
-        headers = incomingHeaders;
+        headers.putAll(incomingHeaders);
 
         if (incomingHeaders.containsKey(SLEEP_MS_HEADER_KEY)) {
             try {

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/internal/IntrospectorServiceManager.java

@@ -125,6 +125,7 @@ public static IntrospectorServiceManager createAndInitialize(Map<String, Object>
         Map<String, Object> sec = new HashMap<>();
         sec.put("enable", true);
         sec.put("validator_service_url", "ws://192.168.5.138:54321");
+        sec.put("low-priority-instrumentation", Collections.singletonMap("enabled", true));
         config.put("security", sec);
 
         if (configOverrides != null) {

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/internal/SecurityIntrospectorImpl.java

@@ -3,6 +3,7 @@
 import com.newrelic.agent.security.introspec.SecurityIntrospector;
 import com.newrelic.api.agent.security.Agent;
 import com.newrelic.api.agent.security.NewRelicSecurity;
+import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper;
 import com.newrelic.api.agent.security.instrumentation.helpers.JdbcHelper;
 import com.newrelic.api.agent.security.schema.AbstractOperation;
 import com.newrelic.api.agent.security.schema.HttpRequest;
@@ -108,6 +109,11 @@ public void setK2TracingData(String value) {
         NewRelicSecurity.getAgent().getSecurityMetaData().setTracingHeaderValue(value);
     }
 
+    @Override
+    public void setK2ParentId(String value) {
+        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(GenericHelper.CSEC_PARENT_ID, value);
+    }
+
     @Override
     public void setRequestInputStreamHash(int hashCode) {
         NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(REQUEST_INPUTSTREAM_HASH, Collections.singleton(hashCode));

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/internal/TransformingClassLoader.java

@@ -22,7 +22,7 @@ class TransformingClassLoader extends URLClassLoader {
             "java.lang.ProcessImpl", "java.io", "java.nio", "javax.servlet"
     };
     private static final String[] PROTECTED_PREFIXES = new String[]{"java.", "javax.", "com.sun.", "sun.",
-            "org.junit.", "junit.framework", "com.newrelic", "org.xml", "org.w3c"};
+            "org.junit.", "junit.framework", "com.newrelic.agent", "com.newrelic.api", "org.xml", "org.w3c"};
 
     private static final String[] INTROSPECTOR_MUST_LOADS = new String[]{
             // This class needs to be woven.

instrumentation-security/akka-http-core-10.0/src/main/scala/akka/http/scaladsl/HttpExt_Instrumentation.java

@@ -25,7 +25,7 @@
 import com.newrelic.api.agent.weaver.MatchType;
 import com.newrelic.api.agent.weaver.Weave;
 import com.newrelic.api.agent.weaver.Weaver;
-import com.nr.agent.security.akka.core.AkkaCoreUtils;
+import com.newrelic.agent.security.instrumentation.akka.core.AkkaCoreUtils;
 import scala.concurrent.Future;
 
 import java.net.URI;

instrumentation-security/akka-http-core-10.0/src/main/scala/com/nr/agent/security/akka/core/AkkaCoreUtils.java → instrumentation-security/akka-http-core-10.0/src/main/scala/com/newrelic/agent/security/instrumentation/akka/core/AkkaCoreUtils.java

@@ -1,4 +1,4 @@
-package com.nr.agent.security.akka.core;
+package com.newrelic.agent.security.instrumentation.akka.core;
 
 public class AkkaCoreUtils {
 

instrumentation-security/akka-http-core-10.0/src/test/scala/com/agent/instrumentation/akka/http/core_10/AkkaHttpCoreTest.scala → instrumentation-security/akka-http-core-10.0/src/test/scala/com/nr/agent/security/instrumentation/akka/http/core_10/AkkaHttpCoreTest.scala

@@ -5,18 +5,18 @@
  *
  */
 
-package com.agent.instrumentation.akka.http.core_10
+package com.nr.agent.security.instrumentation.akka.http.core_10
 
 import akka.actor.ActorSystem
 import akka.http.scaladsl.Http
 import akka.http.scaladsl.model.{HttpHeader, HttpRequest, HttpResponse}
 import akka.stream.ActorMaterializer
+import com.newrelic.agent.security.instrumentation.akka.core.AkkaCoreUtils
 import com.newrelic.agent.security.introspec.{InstrumentationTestConfig, SecurityInstrumentationTestRunner, SecurityIntrospector}
 import com.newrelic.api.agent.Trace
 import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper
 import com.newrelic.api.agent.security.schema.VulnerabilityCaseType
 import com.newrelic.api.agent.security.schema.operation.SSRFOperation
-import com.nr.agent.security.akka.core.AkkaCoreUtils
 import org.junit.runner.RunWith
 import org.junit.{After, Assert, Test}
 
@@ -77,14 +77,14 @@ class AkkaHttpCoreTest {
     Assert.assertEquals("Invalid executed method name.", AkkaCoreUtils.METHOD_SINGLE_REQUEST_IMPL, operations.getMethodName)
     Assert.assertEquals("Invalid executed parameters.", baseUrl + "/ping", operations.getArg)
     Assert.assertEquals("Invalid protocol.", introspector.getSecurityMetaData.getRequest.getProtocol, "http")
-    Assert.assertTrue(String.format("Missing K2 header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.exists(header => header.name().contains(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID)))
-    Assert.assertTrue(String.format("Missing K2 header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.exists(header => header.name().contains(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER)))
+    Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.exists(header => header.name().contains(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID)))
+    Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.exists(header => header.name().contains(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER)))
     for (header <- headers) {
       if(header.name().contains(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID)) {
-        Assert.assertEquals(String.format("Invalid K2 header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, header.value())
+        Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, header.value())
       }
       if (header.name().contains(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER)) {
-        Assert.assertEquals(String.format("Invalid K2 header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), header.value())
+        Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), header.value())
       }
     }
   }
@@ -106,14 +106,14 @@ class AkkaHttpCoreTest {
     Assert.assertEquals("Invalid executed method name.", AkkaCoreUtils.METHOD_SINGLE_REQUEST_IMPL, operations.getMethodName)
     Assert.assertEquals("Invalid executed parameters.", baseUrl + "/asyncPing", operations.getArg)
     Assert.assertEquals("Invalid protocol.", introspector.getSecurityMetaData.getRequest.getProtocol, "http")
-    Assert.assertTrue(String.format("Missing K2 header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.exists(header => header.name().contains(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID)))
-    Assert.assertTrue(String.format("Missing K2 header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.exists(header => header.name().contains(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER)))
+    Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.exists(header => header.name().contains(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID)))
+    Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.exists(header => header.name().contains(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER)))
     for (header <- headers) {
       if (header.name().contains(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID)) {
-        Assert.assertEquals(String.format("Invalid K2 header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, header.value())
+        Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, header.value())
       }
       if (header.name().contains(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER)) {
-        Assert.assertEquals(String.format("Invalid K2 header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), header.value())
+        Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), header.value())
       }
     }
   }
@@ -135,14 +135,14 @@ class AkkaHttpCoreTest {
     Assert.assertEquals("Invalid executed method name.", AkkaCoreUtils.METHOD_SINGLE_REQUEST_IMPL, operations.getMethodName)
     Assert.assertEquals("Invalid executed parameters.", baseUrl + "/ping", operations.getArg)
     Assert.assertEquals("Invalid protocol.", introspector.getSecurityMetaData.getRequest.getProtocol, "http")
-    Assert.assertTrue(String.format("Missing K2 header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.exists(header => header.name().contains(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID)))
-    Assert.assertTrue(String.format("Missing K2 header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.exists(header => header.name().contains(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER)))
+    Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.exists(header => header.name().contains(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID)))
+    Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.exists(header => header.name().contains(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER)))
     for (header <- headers) {
       if (header.name().contains(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID)) {
-        Assert.assertEquals(String.format("Invalid K2 header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, header.value())
+        Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, header.value())
       }
       if (header.name().contains(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER)) {
-        Assert.assertEquals(String.format("Invalid K2 header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), header.value())
+        Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), header.value())
       }
     }
   }
@@ -164,14 +164,14 @@ class AkkaHttpCoreTest {
     Assert.assertEquals("Invalid executed method name.", AkkaCoreUtils.METHOD_SINGLE_REQUEST_IMPL, operations.getMethodName)
     Assert.assertEquals("Invalid executed parameters.", baseUrl + "/asyncPing", operations.getArg)
     Assert.assertEquals("Invalid protocol.", introspector.getSecurityMetaData.getRequest.getProtocol, "http")
-    Assert.assertTrue(String.format("Missing K2 header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.exists(header => header.name().contains(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID)))
-    Assert.assertTrue(String.format("Missing K2 header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.exists(header => header.name().contains(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER)))
+    Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.exists(header => header.name().contains(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID)))
+    Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.exists(header => header.name().contains(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER)))
     for (header <- headers) {
       if (header.name().contains(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID)) {
-        Assert.assertEquals(String.format("Invalid K2 header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, header.value())
+        Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, header.value())
       }
       if (header.name().contains(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER)) {
-        Assert.assertEquals(String.format("Invalid K2 header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), header.value())
+        Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), header.value())
       }
     }
   }

instrumentation-security/akka-http-core-2.11_10.0.11/src/test/scala/com/agent/instrumentation/akka/http/core_211_10011/AkkaServer.scala → instrumentation-security/akka-http-core-10.0/src/test/scala/com/nr/agent/security/instrumentation/akka/http/core_10/AkkaServer.scala

@@ -5,7 +5,7 @@
  *
  */
 
-package com.agent.instrumentation.akka.http.core_211_10011
+package com.nr.agent.security.instrumentation.akka.http.core_10
 
 import akka.actor.ActorSystem
 import akka.event.Logging

instrumentation-security/akka-http-core-10.0/src/test/scala/com/agent/instrumentation/akka/http/core_10/PlayServer.scala → instrumentation-security/akka-http-core-10.0/src/test/scala/com/nr/agent/security/instrumentation/akka/http/core_10/PlayServer.scala

@@ -5,7 +5,7 @@
  *
  */
 
-package com.agent.instrumentation.akka.http.core_10
+package com.nr.agent.security.instrumentation.akka.http.core_10
 
 import akka.actor.ActorSystem
 import akka.event.Logging

instrumentation-security/akka-http-core-2.11_10.0.11/src/main/scala/akka/http/scaladsl/HttpExt_Instrumentation.java

@@ -24,7 +24,7 @@
 import com.newrelic.api.agent.weaver.MatchType;
 import com.newrelic.api.agent.weaver.Weave;
 import com.newrelic.api.agent.weaver.Weaver;
-import com.nr.agent.security.akka.core.AkkaCoreUtils;
+import com.newrelic.agent.security.instrumentation.akka.core.AkkaCoreUtils;
 import scala.concurrent.Future;
 
 import java.net.URI;

instrumentation-security/akka-http-core-2.11_10.0.11/src/main/scala/com/nr/agent/security/akka/core/AkkaCoreUtils.java → instrumentation-security/akka-http-core-2.11_10.0.11/src/main/scala/com/newrelic/agent/security/instrumentation/akka/core/AkkaCoreUtils.java

@@ -1,4 +1,4 @@
-package com.nr.agent.security.akka.core;
+package com.newrelic.agent.security.instrumentation.akka.core;
 
 public class AkkaCoreUtils {