Releases: newrelic/csec-java-agent

Public Release 1.5.1

09 Nov 11:48
4b5b84c
  • PR-350 IAST support for CI/CD.
    Configuration via yaml:
    security:
      # This configuration allows users to specify a unique test identifier when running IAST Scan with CI/CD
      iast_test_identifier: 'run-id'
    
      scan_controllers:
        # This configuration allows users to specify the number of application instances for a specific entity where IAST analysis is performed.
        scan_instance_count:  0 # Values are 1 or 0, 0 signifies run on all application instances
  • PR-297, PR-294, PR-337 Detect route of an incoming request for Sun-Net-Httpserver, Netty Reactor, Apache Struts2 and Grails Framework. NR-277771, NR-283914, NR-313390, NR-313392
  • PR-297, PR-298 HTTP Response Detection in sun-net-httpserver and mule server NR-277771, NR-277770
  • PR-335 Added request URI to application runtime error event, enhancing error logging and debugging capabilities. NR-315194
  • PR-342 Report APM's trace.id and span.id in all outgoing events. NR-321827
  • PR-347 Limiting the supported version range for GraalVM.JS, due to the new version release on Sep 17, 2024. NR-332546
  • PR-347 Limiting the supported version range for Lettuce, due to the new version release on Oct 31, 2024. NR-332546

Fixes

Deprecations

  • Status File Used for Debugging: This feature has been deprecated and will be removed in a future agent release. All debugging capabilities have been moved to either Init Logging or Error Inbox. NR-293966

Public Release 1.5.0

25 Sep 16:23
5d0d385

New features

  • Json Version bump to 1.2.9.
  • PR-327 Application endpoint detection for gRPC Server NR-303616
  • PR-326 Add IAST Scan start time and Traffic Start Time in Health Check NR-308822
  • PR-320 Add feature to allow IAST Scan Scheduling. NR-301534
    Configuration via yaml:
    security:
      scan_schedule:
        # The delay field specifies the delay in minutes before the IAST scan starts. This allows the scan to be scheduled to start at a later time.
        delay: 0        # In minutes, default is 0 min

        # The duration field specifies the duration of the IAST scan in minutes. This determines how long the scan will run.
        duration: 0      # In minutes, default is forever

        # The schedule field specifies a cron expression that defines when the IAST scan should start.
        #schedule: ""   # By default, schedule is inactive

        # Allow continuous sample collection of IAST events
        always_sample_traces: false # Default is false
  • PR-320 Add feature to ignore IAST Scan of certain APIs, categories, or parameters. NR-301856
    Configuration via yaml:
    security:
      # The exclude_from_iast_scan configuration allows you to specify APIs, parameters, and categories that should not be scanned by Security Agents.
      exclude_from_iast_scan:
        # The api field specifies a list of APIs using regular expression (regex) patterns that follow the syntax of Perl 5. The regex pattern should provide a complete match for the URL without the endpoint.
        # Example:
        #   api:
        #    - .*account.*
        #    - .*\/api\/v1\/.*?\/login
        api: []
    
        # The parameters configuration allows users to specify headers, query parameters, and body keys that should be excluded from IAST scans.
        # Example:
        #   http_request_parameters:
        #    header:
        #      - X-Forwarded-For
        #    query:
        #      - username
        #      - password
        #    body:
        #      - account.email
        #      - account.contact
        http_request_parameters:
          # A list of HTTP header keys. If a request includes any headers with these keys, the corresponding IAST scan will be skipped.
          header: []
          # A list of query parameter keys. The presence of these parameters in the request's query string will lead to skipping the IAST scan.
          query: []
          # A list of keys within the request body. If these keys are found in the body content, the IAST scan will be omitted.
          body: []
    
        # The iast_detection_category configuration allows you to specify which categories of vulnerabilities should not be detected by Security Agents.
        # If any of these categories are set to true, Security Agents will not generate events or flag vulnerabilities for that category.
        iast_detection_category:
          insecure_settings: false
          invalid_file_access: false
          sql_injection: false
          nosql_injection: false
          ldap_injection: false
          javascript_injection: false
          command_injection: false
          xpath_injection: false
          ssrf: false
          rxss: false
  • PR-321 Add feature to rate limit the IAST replay requests. NR-304574
    security:
      scan_controllers:
        # The iast_scan_request_rate_limit configuration allows you to specify the maximum number of replay requests played per minute.
        iast_scan_request_rate_limit: 3600 # Number of IAST replay request played per minute, Default is 3600
  • PR-315 GraphQL Support : The security agent now also supports GraphQL Version 16.0.0 and above, default is disabled. NR-299885
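
The `exclude_from_iast_scan.api` comments above ask for Perl 5 style patterns that give a complete match. The following is an added example, not agent code: it uses `java.util.regex` to show why a bare substring pattern does not exclude anything under complete-match semantics, and how a misplaced backslash such as `/\a` becomes the BEL escape instead of an escaped slash. The class and method names are hypothetical, the sample paths are constructed, and it assumes "complete match" means `Matcher.matches()` behaviour.

```java
import java.util.regex.Pattern;

// Added illustration; names are hypothetical and this is not agent code.
public class ExcludeApiPatternCheck {

    // Assumption: "complete match" means the pattern must cover the whole
    // string (Matcher.matches()), not just occur somewhere inside it.
    static boolean completeMatch(String regex, String path) {
        return Pattern.compile(regex).matcher(path).matches();
    }

    // Substring search, shown only for contrast with completeMatch().
    static boolean partialMatch(String regex, String path) {
        return Pattern.compile(regex).matcher(path).find();
    }

    static void show(String label, boolean result) {
        System.out.println(label + " -> " + result);
    }

    public static void main(String[] args) {
        // Constructed sample request paths.
        String login = "/api/v1/users/login";
        String account = "/shop/account/settings";

        // A bare word is found inside the path but does not cover all of it,
        // so it would exclude nothing; the surrounding .* is required.
        show("find     account", partialMatch("account", account));
        show("matches  account", completeMatch("account", account));
        show("matches  .*account.*", completeMatch(".*account.*", account));

        // "\/" is an escaped slash, so this covers the login path.
        String good = ".*\\/api\\/v1\\/.*?\\/login";
        // "/\a" is a slash followed by \a, the BEL control character
        // (U+0007), so this cannot match an ordinary URL path.
        String misplaced = ".*/\\api\\/v1\\/.*?\\/login";
        show("matches  " + good, completeMatch(good, login));
        show("matches  " + misplaced, completeMatch(misplaced, login));

        // Complete matching also means a longer path is not excluded:
        // the pattern ends at /login and nothing may follow it.
        show("matches  " + good + " on /reset", completeMatch(good, login + "/reset"));
    }
}
```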

Fixes

  • PR-322 Report Application endpoints immediately upon detecting new endpoints. NR-287324
  • PR-323 Extract Server Configuration to resolve IAST localhost connection with application for WebSphere Liberty server NR-303483
  • PR-327 Fix for User Class Detection in gRPC Server NR-303616
  • PR-328 Fix for multiple Reflected Events observed in Jersey Framework NR-307644
  • PR-325 Fix for incorrect Application endpoints detected for Servlet Framework NR-303615
  • PR-320 Report only uncaught exceptions in IAST Error inbox. NR-313412

Deprecations

  • Status File Used for Debugging: This feature has been deprecated and will be removed in a future agent release. All debugging capabilities have been moved to either Init Logging or Error Inbox. NR-293966

Public Release 1.4.1

14 Aug 10:03
4b64b6a

Adds

  • PR-296 Apache Solr Support: The security agent now also supports Apache Solr Version 4.0.0 and above. NR-288599
  • PR-275 The maximum permissible size for a request body for scan will be set at 500KB. NR-174195
  • PR-306 Add csec prefix to all instrumentation JARs. This resolves CVEs flagged by third-party scanners on our instrumentation JARs. NR-289249
  • PR-303 Honour OFF Flag, Handle Boolean values for config log_level. NR-293102
  • PR-299 Support Authentication capabilities for Proxy Settings. NR-283945
  • PR-313 Processing of the security agent will persist even if the creation of the security home directory encounters an issue. NR-297206
  • PR-277 Improve Management of Log file size and its count. NR-272900
  • PR-314 Report error to Error Inbox upon connection failure to Security Engine. NR-299700
  • PR-316 Detailed IAST Scan metric reporting via HealthCheck. NR-267166
  • PR-302 Detect API Endpoint of the Application for Vertx Framework. NR-287771
  • PR-293, PR-284, PR-302 Detect route of an incoming request for mule server, play framework and Vertx Framework. NR-283915, NR-265915, NR-287771

Changes

Fixes

  • PR-292 Fix for ClassNotFoundException observed in glassfish server NR-262453
  • PR-286 Detect correct user class in Netty Reactor Server NR-253551
  • PR-317 Add a workaround for an issue where New Relic Security Agent breaks the gRPC endpoints #130. NR-299709

Deprecations

  • Status File Used for Debugging: This feature has been deprecated and will be removed in a future agent release. All debugging capabilities have been moved to either Init Logging or Error Inbox. NR-293966

Public Release 1.4.0

24 Jun 09:50
76aeff3

Changes

Fixes

  • PR-255 Handle InvalidPathException thrown by Paths.get method NR-262452
  • PR-216 Extract Server Configuration to resolve IAST localhost connection with application for Glassfish Server. NR-223808
  • PR-214 Extract Server Configuration to resolve IAST localhost connection with application for Weblogic Server. NR-223809
  • PR-242 Fix for User Class detection in Play Framework NR-264101
  • PR-268 Fix for Play Framework Application Crash. NR-273623
  • PR-271 Remove hard dependency of Newrelic API. NR-278213
  • PR-272 Fix for missing File Vulnerability as Event was not generated by CSEC Java Agent. NR-278211

Public Release 1.3.0

17 May 09:50
132cf79

Changes

  • PR-186 Feature to detect API Endpoint of the Application NR-222163
  • PR-132 JCache Support : The security agent now also supports jCache 1.0.0 and above NR-175383
  • PR-193 Spray HTTP Server Support : The security agent now also supports Spray HTTP Server version 1.3.1 and above (with scala 2.11 and above) NR-230246, NR-230248
  • PR-195 Spray Can Server Support : The security agent now also supports Spray Can Server version 1.3.1 and above (with scala 2.11 and above) NR-230246, NR-230248
  • PR-194 Spray Client Support : The security agent now also supports Spray Client version 1.3.1 and above (with scala 2.11 and above) NR-230243, NR-230245
  • PR-202 Netty Server support : The security agent now also supports Netty Server version 4.0.0.Final and above. NR-234864
  • PR-220 Netty Reactor Server support : The security agent now also supports Netty Reactor Server version 0.7.0.RELEASE and above. NR-249812
  • PR-239 Spring WebClient Support : The security agent now also supports Spring WebClient version 5.0.0.RELEASE and above. NR-258894, NR-258895
  • PR-219 Enable functionality to scan NewRelic applications using security.is_home_app config, default value is false
  • PR-217 Revamp user class detection technique, use server level endpoints. NR-211161
  • Resin Support : The security agent now also supports resin server NR-171577
  • Anorm Support : The security agent now also supports Anorm Datastore version 2.0 to 2.5 NR-171575

Fixes

  • PR-202 Extract Server Configuration to resolve IAST localhost connection with application for Netty server. NR-238324
  • PR-237 Fix for Correct User Class Detection in Sun-Net-HttpServer NR-254564
  • PR-243 Improvement in fallback mechanism for NR_CSEC_HOME NR-260723
  • PR-248 Fix for Regression in File Integrity Event Generation NR-267172
  • PR-249, PR-244 Improvements in IAST Replay NR-267169, NR-265208
  • PR-235 Fix for NullPointerException observed in JDBC-GENERIC NR-232657
  • PR-226 Fix for NoClassDefFoundError observed in JAVAX-JNDI Instrumentation NR-254566
  • PR-225 Fix for FileAlreadyExistsException observed in IAST Replay NR-254565
  • PR-222 Exclude Milestone Release for Jax-RS, due to release of version 4.0.0-M2 on 9th March 2024 NR-256459
  • PR-232 Exclude Latest Release version 12.7.0 for mssql-jdbc released on 08th April 2024 NR-256461
  • PR-247 Exclude Latest Release version 1.7.14 for Rhino-JS-Engine released on 29th April 2024 NR-265206
  • PR-219 Fixed an issue where lambda functions were causing class circularity errors NR-239192

Public Release 1.2.1

19 Apr 06:40
65371c7

Fixes

  • NR-259467 Fix issue of nested event generation from CSEC's agent itself PR-230

Changes

  • NR-256459 Exclude JAX RS 4.0.0-M2 version from Instrumentation PR-231
  • NR-256461 Exclude mssql-jdbc version 12.7.0 from Instrumentation PR-232
  • NR-260369 Dependency version bump of commons-compress:1.21 to commons-compress:1.26.0

Public Release 1.2.0

28 Mar 10:50
26438d1

Changes

  • Json Version bump to 1.2.0 due to NR-235776 implementation.
  • NR-234886 IAST replay header decryption due to Security Findings PR-207

Fixes

  • NR-253538 Fix issue related to the instrumentation of the Rhino JavaScript Engine that occurred while reading the script. PR-211

Public Release 1.1.2

11 Mar 11:58
c9b7742

Changes

  • NR-174177 Ning Async HTTP client Support: The security agent now also supports com.ning:async-http-client 1.0.0 and above PR-152, PR-118, PR-116
  • NR-181375 Jersey Support: The security agent now also supports Jersey 2.0 and above PR-150, PR-149
  • NR-187224 Mule Support: The security agent now also supports Mule server version 3.6 to 3.9.x PR-144, PR-143
  • Jetty v12 Support: The security agent now also supports Jetty version 12 and above PR-106
  • NR-174175 Lettuce Support: The security agent now also supports Lettuce 4.4.0.Final and above PR-125
  • NR-234869 GHA Update Unit Test Action for Testing Unit tests with different java-version with re-tries on failure PR-204

Fixes

  • NR-223811 Extract Server Configuration to resolve IAST localhost connection with application for wildfly server PR-192
  • NR-234903 Trustboundary events will now have a list of strings as parameter schema

Public Release 1.1.1

16 Feb 07:09
4e71ee3

Changes

  • NR-223414 Enable Low Priority Instrumentation by default PR-179
  • NR-219439 Akka server v10.0+ Support: The security agent now supports Akka server version 10.0 and above (with scala 2.11 and above) PR-175

Fixes

  • NR-222151 Extract Server Configuration to resolve IAST localhost connection with application PR-183
  • NR-223852 Retry IAST request with different endpoint, if failure reason is SSLException or 301 PR-182
  • NR-218729 Add instrumentation of java.nio.file.Files#setPosixFilePermissions PR-178

Public Release 1.1.0

29 Jan 17:27
6e6dccd

Changes

  • gRPC client v1.4.0+ Support: The security agent now supports gRPC client version 1.4.0 and above (with protobuf-java-utils version 3.0.0 and above)
  • gRPC server v1.4.0+ Support: The security agent now supports gRPC server version 1.4.0 and above (with protobuf-java-utils version 3.0.0 and above)
  • Add a Logger and Cloud Reporting API for instrumentation modules
  • Glassfish Support: The security agent now also supports Glassfish server
  • FileIntegrity is marked if any of the following changes: existence, length, permissions, last modified
  • Drop RXSS events on the basis of Content-Type Exclusion List
  • Akka server v10.0+ Support: The security agent now supports Akka server version 10.0 and above (with scala 2.11 and above)
  • Separate out File.exists instrumentation from low-priority instrumentation module
  • Removed Schema validation dependency everit-json-schema:1.14.2
  • Introduced new dependency commons-collections4:4.4
  • Update software license to New Relic Software License Version 1.0

Fixes

  • NR-212335 : support lower case stdout for log_file_name
  • NR-215332 : Add java working temp directory to server info for exclusion
  • NR-216474 : fix for Null Pointer exception for FILE_OPERATION
  • NR-216456 : Fix for Class Cast Exception
  • NR-215452 : Added the CC#_id to the completed list empty if absent in case of 2xx or 4xx response
  • NR-213477 : Added missing instrumentation for servlet service method
  • NR-214326 : Fix class circularity error generated for BadPaddingException