Releases: newrelic/csec-java-agent
Public Release 1.5.1
- PR-350 IAST support for CI/CD.
Configuration via yaml:

```yaml
security:
  # This configuration allows users to specify a unique test identifier when running an IAST scan in CI/CD
  iast_test_identifier: 'run-id'
  scan_controllers:
    # This configuration allows users to specify the number of application instances for a specific entity where IAST analysis is performed.
    scan_instance_count: 0 # Values are 1 or 0; 0 signifies run on all application instances
```
- PR-297, PR-294, PR-337 Detect route of an incoming request for Sun-Net-Httpserver, Netty Reactor, Apache Struts2 and Grails Framework. NR-277771, NR-283914, NR-313390, NR-313392
- PR-297, PR-298 HTTP Response Detection in sun-net-httpserver and mule server NR-277771, NR-277770
- PR-335 Added request URI to application runtime error event, enhancing error logging and debugging capabilities. NR-315194
- PR-342 Report APM's trace.id and span.id in all outgoing events. NR-321827
- PR-347 Limiting the supported version range for GraalVM.JS, due to the new version release on Sep 17, 2024. NR-332546
- PR-347 Limiting the supported version range for Lettuce, due to the new version release on Oct 31, 2024. NR-332546
Fixes
- PR-340 Detect correct user class in GraphQL NR-319863
- PR-339 Fix minor bug with exclude_from_iast_scan.header while parsing headers. NR-319858
Deprecations
- Status File Used for Debugging: This feature has been deprecated. All debugging capabilities have been moved to either Init Logging or Error Inbox and will be removed in a future agent release. NR-293966
Public Release 1.5.0
New features
- Json Version bump to 1.2.9.
- PR-327 Application endpoint detection for gRPC Server NR-303616
- PR-326 Add IAST Scan start time and Traffic Start Time in Health Check NR-308822
- PR-320 Add feature to allow IAST Scan Scheduling. NR-301534
Configuration via yaml:

```yaml
security:
  scan_schedule:
    # The delay field specifies the delay in minutes before the IAST scan starts. This allows the scan to be scheduled to start at a later time.
    delay: 0 # In minutes, default is 0 min
    # The duration field specifies the duration of the IAST scan in minutes. This determines how long the scan will run.
    duration: 0 # In minutes, default is forever
    # The schedule field specifies a cron expression that defines when the IAST scan should start.
    #schedule: "" # By default, schedule is inactive
    # Allow continuous sample collection of IAST events
    always_sample_traces: false # Default is false
```
- PR-320 Add feature to ignore IAST Scan of certain APIs, categories, or parameters. NR-301856
Configuration via yaml:

```yaml
security:
  # The exclude_from_iast_scan configuration allows to specify APIs, parameters, and categories that should not be scanned by Security Agents.
  exclude_from_iast_scan:
    # The api field specifies list of APIs using regular expression (regex) patterns that follow the syntax of Perl 5.
    # The regex pattern should provide a complete match for the URL without the endpoint.
    # Example:
    # api:
    #   - .*account.*
    #   - .*/\api\/v1\/.*?\/login
    api: []
    # The parameters configuration allows users to specify headers, query parameters, and body keys that should be excluded from IAST scans.
    # Example:
    # http_request_parameters:
    #   header:
    #     - X-Forwarded-For
    #   query:
    #     - username
    #     - password
    #   body:
    #     - account.email
    #     - account.contact
    http_request_parameters:
      # A list of HTTP header keys. If a request includes any headers with these keys, the corresponding IAST scan will be skipped.
      header: []
      # A list of query parameter keys. The presence of these parameters in the request's query string will lead to skipping the IAST scan.
      query: []
      # A list of keys within the request body. If these keys are found in the body content, the IAST scan will be omitted.
      body: []
    # The iast_detection_category configuration allows to specify which categories of vulnerabilities should not be detected by Security Agents.
    # If any of these categories are set to true, Security Agents will not generate events or flag vulnerabilities for that category.
    iast_detection_category:
      insecure_settings: false
      invalid_file_access: false
      sql_injection: false
      nosql_injection: false
      ldap_injection: false
      javascript_injection: false
      command_injection: false
      xpath_injection: false
      ssrf: false
      rxss: false
```
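To see how the exclusion rules above combine, here is an added example (not the agent's own code) that models the documented skip semantics on a constructed `exclude_from_iast_scan` block: `api` patterns must fully match the request path (taken here as "the URL without the endpoint"), header keys are compared case-insensitively as HTTP requires, and body keys are dotted paths into a JSON-like body. The sample config, helper names and the case-insensitive header assumption are mine.

```python
import re

# Constructed sample of the security.exclude_from_iast_scan block (not the agent's defaults).
EXCLUDE_FROM_IAST_SCAN = {
    "api": [r".*account.*", r".*/api/v1/.*?/login"],
    "http_request_parameters": {
        "header": ["X-Forwarded-For"],
        "query": ["username", "password"],
        "body": ["account.email", "account.contact"],
    },
}


def _has_dotted_key(body, dotted):
    """True if a dotted key such as 'account.email' resolves inside a nested body dict."""
    node = body
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return True


def exclusion_reason(path, headers, query, body, cfg=EXCLUDE_FROM_IAST_SCAN):
    """Return why a request would be skipped by IAST, or None if it would be scanned.

    Assumptions (this is a model of the release-note wording, not agent code):
    api patterns use re.fullmatch, mirroring the 'complete match' requirement;
    header keys are matched case-insensitively; query and body keys exactly.
    """
    for pattern in cfg.get("api", []):
        if re.fullmatch(pattern, path):
            return "api:" + pattern
    params = cfg.get("http_request_parameters", {})
    lowered = {name.lower() for name in headers}
    for key in params.get("header", []):
        if key.lower() in lowered:
            return "header:" + key
    for key in params.get("query", []):
        if key in query:
            return "query:" + key
    for key in params.get("body", []):
        if _has_dotted_key(body, key):
            return "body:" + key
    return None
```

Note that a path with a trailing segment after `/login` is still scanned: a partial match is not a complete match, so exclusion regexes need to cover the whole path.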
- PR-321 Add feature to rate limit the IAST replay requests. NR-304574
Configuration via yaml:

```yaml
security:
  scan_controllers:
    # The scan_request_rate_limit configuration allows to specify maximum number of replay request played per minute.
    iast_scan_request_rate_limit: 3600 # Number of IAST replay request played per minute, Default is 3600
```
- PR-315 GraphQL Support: The security agent now also supports GraphQL Version 16.0.0 and above; disabled by default. NR-299885
Fixes
- PR-322 Report Application endpoints immediately upon detecting new endpoints. NR-287324
- PR-323 Extract Server Configuration to resolve IAST localhost connection with application for WebSphere Liberty server NR-303483
- PR-327 Fix for User Class Detection in gRPC Server NR-303616
- PR-328 Fix for multiple Reflected Events observed in Jersey Framework NR-307644
- PR-325 Fix for incorrect Application endpoints detected for Servlet Framework NR-303615
- PR-320 Report only uncaught exceptions in IAST Error inbox. NR-313412
Deprecations
- Status File Used for Debugging: This feature has been deprecated. All debugging capabilities have been moved to either Init Logging or Error Inbox and will be removed in a future agent release. NR-293966
Public Release 1.4.1
Adds
- PR-296 Apache Solr Support: The security agent now also supports Apache Solr Version 4.0.0 and above. NR-288599
- PR-275 The maximum permissible size for a request body for scan will be set at 500KB. NR-174195
- PR-306 Add csec prefix to all instrumentation Jar, this resolves CVE flagged by third party scanners on our instrumentation JARs. NR-289249
- PR-303 Honour OFF Flag, Handle Boolean values for config log_level. NR-293102
- PR-299 Support Authentication capabilities for Proxy Settings. NR-283945
- PR-313 Processing of the security agent will persist even if the creation of the security home directory encounters an issue. NR-297206
- PR-277 Improve Management of Log file size and its count. NR-272900
- PR-314 Report error to Error Inbox upon connection failure to Security Engine. NR-299700
- PR-316 Detailed IAST Scan metric reporting via HealthCheck. NR-267166
- PR-302 Detect API Endpoint of the Application for Vertx Framework. NR-287771
- PR-293, PR-284, PR-302 Detect route of an incoming request for mule server, play framework and Vertx Framework. NR-283915, NR-265915, NR-287771
Changes
- PR-265 Improve Secure Cookie event reporting to provide detailed vulnerability. NR-273609
- PR-283 Update IAST header parsing: minimum expected length set to 8. NR-282647
- PR-308 Remove jackson-dataformat-properties to address CVE-2023-3894 and exclude transitive dependency junit to address CVE-2020-15250 NR-295033
Fixes
- PR-292 Fix for ClassNotFoundException observed in glassfish server NR-262453
- PR-286 Detect correct user class in Netty Reactor Server NR-253551
- PR-317 Add a workaround for an issue where New Relic Security Agent breaks the gRPC endpoints #130. NR-299709
Deprecations
- Status File Used for Debugging: This feature has been deprecated. All debugging capabilities have been moved to either Init Logging or Error Inbox and will be removed in a future agent release. NR-293966
Public Release 1.4.0
Changes
- Json Version bump to 1.2.3 due to NR-254157 implementation.
- PR-260 SpyMemcached Support : The security agent now also supports SpyMemcached Version 2.12.0 and above. NR-171576
- PR-241 Vertx-Web Support : The security agent now also supports Vertx-Web Version 3.2.0 and above. NR-254180, NR-254181, NR-254182
- PR-245 Vert.x-Core Support : The security agent now also supports Vert.x-Core Version 3.3.0 and above. NR-254146, NR-254156
- PR-254 API Endpoint detection support for Netty Reactor Server. NR-267158
- PR-269, PR-261 Functionality to report NPE, Uncaught exceptions And 5xx Errors. NR-273711, NR-277763
- PR-267 Implement Fallback mechanism for route detection of an incoming request NR-273607
- PR-256, PR-259, PR-258 Feature to detect route of an incoming request for Jax-RS and Spring Framework. NR-265913, NR-261653, NR-273605
- PR-126, PR-127, PR-128, PR-129 Jedis Support : The security agent now also supports Jedis Version 1.4.0 and above. NR-174176
- PR-287 Support for Proxy Settings for Connecting to the Security Engine, with known limitation of missing Authentication capabilities.
Fixes
- PR-255 Handle InvalidPathException thrown by Paths.get method NR-262452
- PR-216 Extract Server Configuration to resolve IAST localhost connection with application for Glassfish Server. NR-223808
- PR-214 Extract Server Configuration to resolve IAST localhost connection with application for Weblogic Server. NR-223809
- PR-242 Fix for User Class detection in Play Framework NR-264101
- PR-268 Fix for Play Framework Application Crash. NR-273623
- PR-271 Remove hard dependency of Newrelic API. NR-278213
- PR-272 Fix for missing File Vulnerability as Event was not generated by CSEC Java Agent. NR-278211
Public Release 1.3.0
Changes
- PR-186 Feature to detect API Endpoint of the Application NR-222163
- PR-132 JCache Support : The security agent now also supports jCache 1.0.0 and above NR-175383
- PR-193 Spray HTTP Server Support : The security agent now also supports Spray HTTP Server version 1.3.1 and above (with scala 2.11 and above) NR-230246, NR-230248
- PR-195 Spray Can Server Support : The security agent now also supports Spray Can Server version 1.3.1 and above (with scala 2.11 and above) NR-230246, NR-230248
- PR-194 Spray Client Support : The security agent now also supports Spray Client version 1.3.1 and above (with scala 2.11 and above) NR-230243, NR-230245
- PR-202 Netty Server support : The security agent now also supports Netty Server version 4.0.0.Final and above. NR-234864
- PR-220 Netty Reactor Server support : The security agent now also supports Netty Reactor Server version 0.7.0.RELEASE and above. NR-249812
- PR-239 Spring WebClient Support : The security agent now also supports Spring WebClient version 5.0.0.RELEASE and above. NR-258894, NR-258895
- PR-219 Enable functionality to scan NewRelic applications using the `security.is_home_app` config; default value is false
- PR-217 Revamp user class detection technique, use server level endpoints. NR-211161
- Resin Support : The security agent now also supports resin server NR-171577
- Anorm Support : The security agent now also supports Anorm Datastore version 2.0 to 2.5 NR-171575
Fixes
- PR-202 Extract Server Configuration to resolve IAST localhost connection with application for Netty server. NR-238324
- PR-237 Fix for Correct User Class Detection in Sun-Net-HttpServer NR-254564
- PR-243 Improvement in fallback mechanism for NR_CSEC_HOME NR-260723
- PR-248 Fix for Regression in File Integrity Event Generation NR-267172
- PR-249, PR-244 Improvements in IAST Replay NR-267169, NR-265208
- PR-235 Fix for NullPointerException observed in JDBC-GENERIC NR-232657
- PR-226 Fix for NoClassDefFoundError observed in JAVAX-JNDI Instrumentation NR-254566
- PR-225 Fix for FileAlreadyExistException observed in IAST Replay NR-254565
- PR-222 Exclude Milestone Release for Jax-RS, due to release of version 4.0.0-M2 on 9th March 2024 NR-256459
- PR-232 Exclude Latest Release version 12.7.0 for mssql-jdbc released on 08th April 2024 NR-256461
- PR-247 Exclude Latest Release version 1.7.14 for Rhino-JS-Engine released on 29th April 2024 NR-265206
- PR-219 Fixed an issue where lambda functions were causing class circularity errors NR-239192
Public Release 1.2.1
Public Release 1.2.0
Public Release 1.1.2
Changes
- NR-174177 Ning Async HTTP client Support: The security agent now also supports com.ning:async-http-client 1.0.0 and above PR-152, PR-118, PR-116
- NR-181375 Jersey Support: The security agent now also supports Jersey 2.0 and above PR-150, PR-149
- NR-187224 Mule Support: The security agent now also supports Mule server version 3.6 to 3.9.x PR-144, PR-143
- Jetty v12 Support: The security agent now also supports Jetty version 12 and above PR-106
- NR-174175 Lettuce Support: The security agent now also supports Lettuce 4.4.0.Final and above PR-125
- NR-234869 GHA Update Unit Test Action for Testing Unit tests with different java-version with re-tries on failure PR-204
Public Release 1.1.1
Public Release 1.1.0
Changes
- gRPC client v1.4.0+ Support: The security agent now supports gRPC client version 1.4.0 and above (with protobuf-java-utils version 3.0.0 and above)
- gRPC server v1.4.0+ Support: The security agent now supports gRPC server version 1.4.0 and above (with protobuf-java-utils version 3.0.0 and above)
- Add a Logger and Cloud Reporting API for instrumentation modules
- Glassfish Support: The security agent now also supports Glassfish server
- FileIntegrity is marked if any of the following is changed: existence, length, permissions, last modified
- Drop RXSS events on the basis of Content-Type Exclusion List
- Akka server v10.0+ Support: The security agent now supports Akka server version 10.0 and above (with scala 2.11 and above)
- Separate out File.exists instrumentation from low-priority instrumentation module
- Removed Schema validation dependency everit-json-schema:1.14.2
- Introduced new dependency commons-collections4:4.4
- Update software license to New Relic Software License Version 1.0
Fixes
- NR-212335 : support lower case stdout for log_file_name
- NR-215332 : Add java working temp directory to server info for exclusion
- NR-216474 : fix for Null Pointer exception for FILE_OPERATION
- NR-216456 : Fix for Class Cast Exception
- NR-215452 : Added the CC#_id to the completed list empty if absent in case of 2xx or 4xx response
- NR-213477 : Added missing instrumentation for servlet service method
- NR-214326 : Fix class circularity error generated for BadPaddingException