Merge pull request #1515 from newrelic/pr-1470

Pr 1470
newrelic · Sep 29, 2023 · 52e4151 · 52e4151
2 parents 2c57f56 + 2687f08
commit 52e4151
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/newrelic-agent/src/main/java/com/newrelic/agent/config/SecurityAgentConfig.java b/newrelic-agent/src/main/java/com/newrelic/agent/config/SecurityAgentConfig.java
@@ -14,6 +14,8 @@
  *
  * security:
  *   enabled: false
+ *   low-priority-instrumentation:
+ *     enabled: false
  *   mode: IAST
  *   validator_service_url: wss://csec.nr-data.net
  *   agent:
@@ -31,6 +33,8 @@ public class SecurityAgentConfig {
     public static final boolean SECURITY_AGENT_ENABLED_DEFAULT = false;
     public static final String SECURITY_ENABLED = "security.enabled";
     public static final boolean SECURITY_ENABLED_DEFAULT = false;
+    public static final String SECURITY_LOW_PRIORITY_INSTRUMENTATION_ENABLED = "security.low-priority-instrumentation.enabled";
+    public static final boolean SECURITY_LOW_PRIORITY_INSTRUMENTATION_ENABLED_DEFAULT = false;
     public static final String SECURITY_MODE = "security.mode";
     public static final String SECURITY_MODE_DEFAULT = "IAST";
     public static final String SECURITY_VALIDATOR_SERVICE_URL = "security.validator_service_url";
@@ -130,4 +134,14 @@ public static String getSecurityAgentValidatorServiceUrl() {
     public static String getSecurityAgentMode() {
         return config.getValue(SECURITY_MODE, SECURITY_MODE_DEFAULT);
     }
+
+    /**
+     * Determines whether the security agent low priority attack/vulnerability modules will instrument or not.
+     *
+     * @return True if security agent should instrument low priority attack/vulnerability modules, false if it should not
+     */
+    public static boolean isSecurityLowPriorityInstrumentationEnabled() {
+        return config.getValue(SECURITY_LOW_PRIORITY_INSTRUMENTATION_ENABLED, SECURITY_LOW_PRIORITY_INSTRUMENTATION_ENABLED_DEFAULT);
+    }
+
 }
diff --git a/newrelic-agent/src/main/resources/newrelic.yml b/newrelic-agent/src/main/resources/newrelic.yml
@@ -385,6 +385,11 @@ common: &default_settings
     # true, the security module will run but data will not be sent. Default is false.
     enabled: false
 
+    # Determines whether the low priority attack/vulnerability modules will instrument or not.
+    # When this is disabled instrumentation of such modules will be skipped and vice versa, default is false.
+    low-priority-instrumentation:
+      enabled: false
+
     # New Relic Security provides two modes: IAST and RASP
     # Default is IAST. Due to the invasive nature of IAST scanning, DO NOT enable this mode in either a
     # production environment or an environment where production data is processed.

diff --git a/newrelic-agent/src/test/java/com/newrelic/agent/config/SecurityAgentConfigTest.java b/newrelic-agent/src/test/java/com/newrelic/agent/config/SecurityAgentConfigTest.java
@@ -3,7 +3,6 @@
 import com.newrelic.api.agent.Agent;
 import com.newrelic.api.agent.NewRelic;
 import org.junit.AfterClass;
-import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.mockito.MockedStatic;
@@ -18,6 +17,8 @@
 import static com.newrelic.agent.config.SecurityAgentConfig.SECURITY_DETECTION_RXSS_ENABLED_DEFAULT;
 import static com.newrelic.agent.config.SecurityAgentConfig.SECURITY_ENABLED;
 import static com.newrelic.agent.config.SecurityAgentConfig.SECURITY_ENABLED_DEFAULT;
+import static com.newrelic.agent.config.SecurityAgentConfig.SECURITY_LOW_PRIORITY_INSTRUMENTATION_ENABLED;
+import static com.newrelic.agent.config.SecurityAgentConfig.SECURITY_LOW_PRIORITY_INSTRUMENTATION_ENABLED_DEFAULT;
 import static com.newrelic.agent.config.SecurityAgentConfig.SECURITY_MODE;
 import static com.newrelic.agent.config.SecurityAgentConfig.SECURITY_MODE_DEFAULT;
 import static com.newrelic.agent.config.SecurityAgentConfig.SECURITY_VALIDATOR_SERVICE_URL;
@@ -152,4 +153,14 @@ public void getSecurityAgentMode_returnsCorrectMode() {
         when(mockConfig.getValue(SECURITY_MODE, SECURITY_MODE_DEFAULT)).thenReturn("mode");
         assertEquals("mode", SecurityAgentConfig.getSecurityAgentMode());
     }
+
+    @Test
+    public void isSecurityLowPriorityInstrumentationEnabled_returnsCorrectEnabledFlag() {
+        when(mockConfig.getValue(SECURITY_LOW_PRIORITY_INSTRUMENTATION_ENABLED, SECURITY_LOW_PRIORITY_INSTRUMENTATION_ENABLED_DEFAULT)).thenReturn(true);
+        assertTrue(SecurityAgentConfig.isSecurityLowPriorityInstrumentationEnabled());
+
+        when(mockConfig.getValue(SECURITY_LOW_PRIORITY_INSTRUMENTATION_ENABLED, SECURITY_LOW_PRIORITY_INSTRUMENTATION_ENABLED_DEFAULT)).thenReturn(false);
+        assertFalse(SecurityAgentConfig.isSecurityLowPriorityInstrumentationEnabled());
+    }
+
 }