Merge pull request #205 from newrelic/develop

Release CSEC Java Agent Version 1.1.2

.github/actions/setup-environment-inst-verifier/action.yml

@@ -17,6 +17,7 @@ runs:
       with:
         distribution: 'temurin'
         java-version: |
+          21
           20
           17
           11
@@ -29,7 +30,8 @@ runs:
         sed -i -e "s|jdk8=8|jdk8=${JAVA_HOME_8_X64}|
         s|jdk11=11|jdk11=${JAVA_HOME_11_X64}|
         s|jdk17=17|jdk17=${JAVA_HOME_17_X64}|
-        s|jdk20=20|jdk20=${JAVA_HOME_20_X64}|" gradle.properties.gha
+        s|jdk20=20|jdk20=${JAVA_HOME_20_X64}|
+        s|jdk21=21|jdk20=${JAVA_HOME_21_X64}|" gradle.properties.gha
         cat gradle.properties.gha >> gradle.properties
 
     - name: Setup Gradle

.github/actions/setup-environment/action.yml

@@ -36,6 +36,7 @@ runs:
       with:
         distribution: 'temurin'
         java-version: |
+          21
           20
           17
           11
@@ -48,7 +49,8 @@ runs:
         sed -i -e "s|jdk8=8|jdk8=${JAVA_HOME_8_X64}|
         s|jdk11=11|jdk11=${JAVA_HOME_11_X64}|
         s|jdk17=17|jdk17=${JAVA_HOME_17_X64}|
-        s|jdk20=20|jdk20=${JAVA_HOME_20_X64}|" gradle.properties.gha
+        s|jdk20=20|jdk20=${JAVA_HOME_20_X64}|
+        s|jdk21=21|jdk21=${JAVA_HOME_21_X64}|" gradle.properties.gha
         cat gradle.properties.gha >> gradle.properties
 
     - name: Setup Gradle

.github/actions/unit-test/action.yml

@@ -1,10 +1,45 @@
 name: Instrumentation unit tests
 description: Run all the instrumentation unit test.
+inputs:
+  java-version:
+    description: 'The JVM Version to use'
+    required: true
+    default: '8'
 
 runs:
   using: composite
 
   steps:
-    - name: Run instrumentation unit tests
+    - name: Run instrumentation unit tests on Java ${{ inputs.java-version }} attempt 1
+      id: run_tests_1
       shell: bash
-      run: ./gradlew ${GRADLE_OPTIONS} --info test
+      continue-on-error: true
+      run: |
+        echo "Running attempt 1"
+        ./gradlew ${GRADLE_OPTIONS} --info test -Ptest${{ inputs.java-version }} --continue
+
+    - name: Run instrumentation unit tests on Java ${{ inputs.java-version }} attempt 2
+      id: run_tests_2
+      shell: bash
+      continue-on-error: true
+      if: steps.run_tests_1.outcome == 'failure'
+      run: |
+        echo "Running attempt 2"
+        ./gradlew ${GRADLE_OPTIONS} --info test -Ptest${{ inputs.java-version }} --continue
+
+    - name: Run instrumentation unit tests on Java ${{ inputs.java-version }} attempt 3
+      id: run_tests_3
+      shell: bash
+      continue-on-error: true
+      if: steps.run_tests_2.outcome == 'failure'
+      run: |
+        echo "Running attempt 3"
+        ./gradlew ${GRADLE_OPTIONS} --info test -Ptest${{ inputs.java-version }} --continue
+
+    - name: Run instrumentation unit tests on Java ${{ inputs.java-version }} attempt 4
+      id: run_tests_4
+      shell: bash
+      if: steps.run_tests_3.outcome == 'failure'
+      run: |
+        echo "Running attempt 4"
+        ./gradlew ${GRADLE_OPTIONS} --info test -Ptest${{ inputs.java-version }} --continue

.github/workflows/X-Reusable-Build-Security-Agent.yml

@@ -59,6 +59,10 @@ jobs:
   # this list is paginated and will be used in the verify-module job.
   build-agent:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        java-version: [ 8, 11, 17 ]
+
     steps:
       - name: Checkout CSEC Repo
         uses: actions/checkout@v3
@@ -79,4 +83,6 @@ jobs:
 
       - name: Run CSEC unit tests
         if: ${{ inputs.run-unit-test == 'true' }}
-        uses: ./.github/actions/unit-test
+        uses: ./.github/actions/unit-test
+        with:
+          java-version: ${{ matrix.java-version }}

Changelog.md

@@ -3,6 +3,18 @@ Noteworthy changes to the agent are documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.1.2] - 2024-3-11
+### Changes
+- [NR-174177](https://new-relic.atlassian.net/browse/NR-174177) Ning Async HTTP client Support: The security agent now also supports com.ning:async-http-client 1.0.0 and above [PR-152](https://github.com/newrelic/csec-java-agent/pull/152), [PR-118](https://github.com/newrelic/csec-java-agent/pull/118), [PR-116](https://github.com/newrelic/csec-java-agent/pull/116)
+- [NR-181375](https://new-relic.atlassian.net/browse/NR-181375) Jersey Support: The security agent now also supports Jersey 2.0 and above [PR-150](https://github.com/newrelic/csec-java-agent/pull/150), [PR-149](https://github.com/newrelic/csec-java-agent/pull/149) 
+- [NR-187224](https://new-relic.atlassian.net/browse/NR-187224) Mule Support: The security agent now also supports Mule server version 3.6 to 3.9.x [PR-144](https://github.com/newrelic/csec-java-agent/pull/144), [PR-143](https://github.com/newrelic/csec-java-agent/pull/143)
+- Jetty v12 Support: The security agent now also support Jetty version 12 and above [PR-106](https://github.com/newrelic/csec-java-agent/pull/106)
+- [NR-174175](https://new-relic.atlassian.net/browse/NR-174175) Lettuce Support: The security agent now also supports Lettuce 4.4.0.Final and above [PR-125](https://github.com/newrelic/csec-java-agent/pull/125)
+- [NR-234869](https://new-relic.atlassian.net/browse/NR-234869) GHA Update Unit Test Action for Testing Unit tests with different java-version with re-tries on failure [PR-204](https://github.com/newrelic/csec-java-agent/pull/204)
+
+### Fixes
+- [NR-223811](https://new-relic.atlassian.net/browse/NR-223811) Extract Server Configuration to resolve IAST localhost connection with application for wildfly server [PR-192](https://github.com/newrelic/csec-java-agent/pull/192)
+- [NR-234903](https://new-relic.atlassian.net/browse/NR-234903) Trustboundary events now will have list of string as parameter schema
 
 ## [1.1.1] - 2024-2-16
 ### Changes

README.md

@@ -34,6 +34,7 @@ The agent automatically instruments the following frameworks.
 - Jetty 9.3.0.M1 to latest
 - Mule ESB 3.6 to 3.9.x
 - gRPC 1.4.0 to latest**
+- Jersey 2.0 to latest
 
 ** IAST for **gRPC** requires the dependency [protobuf-java-util](https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java-util) for IAST request replay.
 
@@ -64,6 +65,7 @@ The agent automatically instruments the following HTTP clients and messaging ser
 - Saxpath 1.0
 - Xalan XPATH 2.1.0 to latest
 - Async Http Client from 2.0 to latest
+- Ning Async HTTP Client 1.0.0 to latest
 
 ### Datastores
 

gradle.properties

@@ -1,5 +1,5 @@
 # The agent version.
-agentVersion=1.1.1
+agentVersion=1.1.2
 jsonVersion=1.1.1
 # Updated exposed NR APM API version.
 nrAPIVersion=8.4.0

instrumentation-security-test/src/main/java/com/newrelic/agent/security/introspec/internal/SecurityIntrospectorImpl.java

@@ -19,6 +19,7 @@
 import java.io.IOException;
 import java.net.ServerSocket;
 import java.sql.Statement;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
@@ -134,22 +135,9 @@ public void setRequestInputStreamHash(int hashCode) {
 
     @Override
     public void clear() {
-        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(JDBCVendor.META_CONST_JDBC_VENDOR, null);
-        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(R2DBCVendor.META_CONST_R2DBC_VENDOR, null);
-        NewRelicSecurity.getAgent().getSecurityMetaData().getCustomAttribute(Agent.OPERATIONS, List.class).clear();
-        NewRelicSecurity.getAgent().getSecurityMetaData().getCustomAttribute(Agent.EXIT_OPERATIONS, List.class).clear();
-        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(REQUEST_READER_HASH, null);
-        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(REQUEST_INPUTSTREAM_HASH, null);
-        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(RESPONSE_WRITER_HASH, null);
-        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(RESPONSE_OUTPUTSTREAM_HASH, null);
-        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(UserDataTranslationHelper.getAttributeName(Log4JStrSubstitutor.class.getName()), null);
-
-        // used internally by some methods before saving hash code hence cleanup required
-        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(REQUEST_STREAM_OR_READER_CALLED, null);
-        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(RESPONSE_STREAM_OR_WRITER_CALLED, null);
-
-        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(GrpcHelper.NR_SEC_GRPC_REQUEST_DATA, null);
-        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(GrpcHelper.NR_SEC_GRPC_RESPONSE_DATA, null);
+        NewRelicSecurity.getAgent().getSecurityMetaData().clearCustomAttr();
+        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(Agent.OPERATIONS, new ArrayList<>());
+        NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(Agent.EXIT_OPERATIONS, new ArrayList<>());
 
         SecurityMetaData meta = NewRelicSecurity.getAgent().getSecurityMetaData();
         meta.setRequest(new HttpRequest());

instrumentation-security/apache-log4j-3.0.0/build.gradle

@@ -23,3 +23,10 @@ java {
         languageVersion.set(JavaLanguageVersion.of(11))
     }
 }
+
+test {
+    // These instrumentation tests only run on Java 11+ regardless of the -PtestN gradle property that is set.
+    onlyIf {
+        !project.hasProperty('test8')
+    }
+}

instrumentation-security/dynamodb-2.1.2/src/test/java/com/nr/agent/security/instrumentation/dynamodb_212/DynamodbTest.java

@@ -193,7 +193,7 @@ public void testTransactGetItems() {
             else if (i==1) {
                 Assert.assertEquals("Invalid payload value.", "Red",query.get("artist").s());
             }
-            Assert.assertEquals("Invalid payload value.", "artist",request.getQuery().getProjectionExpression());
+            Assert.assertEquals("Invalid payload value.", "artist,Genre",request.getQuery().getProjectionExpression());
             Assert.assertEquals("Invalid query-type.", "read", request.getQueryType());
             i++;
         }
@@ -855,8 +855,8 @@ public void transactGetItems() {
         key2.put("artist", AttributeValue.builder().s("Red").build());
 
         TransactGetItemsRequest queryRequest = TransactGetItemsRequest.builder().transactItems(
-                TransactGetItem.builder().get(Get.builder().tableName(DynamoUtil.TABLE).key(key).projectionExpression("artist").build()).build(),
-                TransactGetItem.builder().get(Get.builder().tableName(DynamoUtil.TABLE).key(key2).projectionExpression("artist").build()).build()).build();
+                TransactGetItem.builder().get(Get.builder().tableName(DynamoUtil.TABLE).key(key).projectionExpression("artist,Genre").build()).build(),
+                TransactGetItem.builder().get(Get.builder().tableName(DynamoUtil.TABLE).key(key2).projectionExpression("artist,Genre").build()).build()).build();
 
         client.transactGetItems(queryRequest);
     }

instrumentation-security/httpclient-jdk11/build.gradle

@@ -21,11 +21,13 @@ java {
 }
 
 test {
+    // These instrumentation tests only run on Java 11+ regardless of the -PtestN gradle property that is set.
     onlyIf {
-        inputs.getProperties()["test.jdk"]!="jdk8"
+        !project.hasProperty('test8')
     }
 }
 
+
 compileJava {
     options.fork = true
     options.bootstrapClasspath = null

instrumentation-security/java-io-inputstream-jdk8/src/test/java/com/nr/agent/security/instrumentation/javaio/InputStreamJdk8Test.java

@@ -5,13 +5,15 @@
 import com.newrelic.agent.security.introspec.SecurityInstrumentationTestRunner;
 import com.newrelic.agent.security.introspec.SecurityIntrospector;
 import com.newrelic.api.agent.security.schema.SecurityMetaData;
+import com.newrelic.security.test.marker.Java17IncompatibleTest;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.FixMethodOrder;
 import org.junit.Ignore;
 import org.junit.Test;
+import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
 import org.junit.runners.MethodSorters;
 
@@ -31,6 +33,7 @@
 @RunWith(SecurityInstrumentationTestRunner.class)
 @InstrumentationTestConfig(includePrefixes = {"java.io","com.newrelic.agent.security.instrumentation.javaio"})
 @FixMethodOrder(MethodSorters.NAME_ASCENDING)
+@Category({Java17IncompatibleTest.class})
 public class InputStreamJdk8Test {
     private static String FILE;
     private static String FILE_TEMP;

instrumentation-security/java-io-inputstream-jdk9/build.gradle

@@ -21,8 +21,8 @@ java {
 }
 
 test {
-//     These instrumentation tests only run on Java 9+ regardless of the -PtestN gradle property that is set.
+    // These instrumentation tests only run on Java 11+ regardless of the -PtestN gradle property that is set.
     onlyIf {
-        java.toolchain.getLanguageVersion().get().asInt() > 10
+        !project.hasProperty('test8')
     }
-}
+}

instrumentation-security/java-io-inputstream-jdk9/src/test/java/com/nr/instrumentation/security/inputstream/jdk9/InputStreamJdk9Test.java

@@ -5,6 +5,7 @@
 import com.newrelic.agent.security.introspec.SecurityIntrospector;
 import com.newrelic.api.agent.security.schema.SecurityMetaData;
 import com.newrelic.security.test.marker.Java11IncompatibleTest;
+import com.newrelic.security.test.marker.Java17IncompatibleTest;
 import com.newrelic.security.test.marker.Java8IncompatibleTest;
 import org.junit.AfterClass;
 import org.junit.Assert;
@@ -30,7 +31,7 @@
 import java.util.List;
 import java.util.UUID;
 
-@Category({ Java8IncompatibleTest.class, Java11IncompatibleTest.class })
+@Category({ Java8IncompatibleTest.class, Java11IncompatibleTest.class, Java17IncompatibleTest.class })
 @RunWith(SecurityInstrumentationTestRunner.class)
 @InstrumentationTestConfig(includePrefixes = {"com.newrelic.agent.security.instrumentation.javaio.io","com.newrelic.agent.security.instrumentation.javaio"})
 @FixMethodOrder(MethodSorters.NAME_ASCENDING)

instrumentation-security/javax-xpath/src/test/java/com/nr/agent/security/instrumentation/xpath/javax/XPathTest.java

@@ -7,10 +7,12 @@
 import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
 import com.newrelic.api.agent.security.schema.operation.XPathOperation;
 import com.newrelic.agent.security.instrumentation.xpath.javax.XPATHUtils;
+import com.newrelic.security.test.marker.Java17IncompatibleTest;
 import org.junit.Assert;
 import org.junit.FixMethodOrder;
 import org.junit.Ignore;
 import org.junit.Test;
+import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
 import org.junit.runners.MethodSorters;
 import org.w3c.dom.Document;
@@ -25,6 +27,7 @@
 @FixMethodOrder(MethodSorters.NAME_ASCENDING)
 @RunWith(SecurityInstrumentationTestRunner.class)
 @InstrumentationTestConfig(includePrefixes = { "javax.xml.xpath", "com.sun.org.apache.xpath.internal" })
+@Category({ Java17IncompatibleTest.class})
 public class XPathTest {
 
     private final String XML_DOC = "src/test/resources/Customer.xml";

instrumentation-security/javax-xpath/src/test/java/com/nr/agent/security/instrumentation/xpath/javax/internal/XPathInternalTest.java

@@ -6,6 +6,7 @@
 import com.newrelic.api.agent.security.schema.AbstractOperation;
 import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
 import com.newrelic.api.agent.security.schema.operation.XPathOperation;
+import com.newrelic.security.test.marker.Java17IncompatibleTest;
 import com.sun.org.apache.xml.internal.utils.DefaultErrorHandler;
 import com.sun.org.apache.xml.internal.utils.PrefixResolver;
 import com.sun.org.apache.xml.internal.utils.PrefixResolverDefault;
@@ -16,6 +17,7 @@
 import org.junit.Assert;
 import org.junit.FixMethodOrder;
 import org.junit.Test;
+import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
 import org.junit.runners.MethodSorters;
 import org.w3c.dom.Document;
@@ -32,6 +34,7 @@
 @RunWith(SecurityInstrumentationTestRunner.class)
 @FixMethodOrder(MethodSorters.NAME_ASCENDING)
 @InstrumentationTestConfig(includePrefixes = { "javax.xml.xpath", "com.sun.org.apache.xpath.internal" })
+@Category({ Java17IncompatibleTest.class})
 public class XPathInternalTest {
     private final String XML_DOC = "src/test/resources/Customer.xml";
     private final String EXPRESSION = "/Customers/Customer";

instrumentation-security/jersey-2.16/build.gradle

@@ -4,6 +4,9 @@ dependencies {
     implementation("com.newrelic.agent.java:newrelic-api:${nrAPIVersion}")
     implementation("org.glassfish.jersey.core:jersey-server:2.16")
 
+    testImplementation("org.glassfish.jersey.containers:jersey-container-grizzly2-http:2.28")
+    testImplementation("org.glassfish.jersey.containers:jersey-container-servlet:2.28")
+    testImplementation('org.glassfish.jersey.inject:jersey-hk2:2.28')
 }
 
 jar {

instrumentation-security/jersey-2.16/src/test/java/com/nr/agent/security/instrumentation/jersey2/JerseyTests.java

@@ -18,6 +18,9 @@
 import com.newrelic.api.agent.security.schema.HttpResponse;
 import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
 import com.newrelic.api.agent.security.schema.operation.RXSSOperation;
+import com.newrelic.security.test.marker.Java11IncompatibleTest;
+import com.newrelic.security.test.marker.Java17IncompatibleTest;
+import com.newrelic.security.test.marker.Java9IncompatibleTest;
 import org.glassfish.grizzly.http.server.HttpServer;
 import org.glassfish.grizzly.http.util.Header;
 import org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpServerFactory;
@@ -26,6 +29,7 @@
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
 
 import javax.ws.rs.client.Client;
@@ -53,6 +57,7 @@
 
 @RunWith(SecurityInstrumentationTestRunner.class)
 @InstrumentationTestConfig(includePrefixes = {"com.newrelic.agent.security.instrumentation.jersey2", "org.glassfish.jersey"})
+@Category({ Java9IncompatibleTest.class, Java11IncompatibleTest.class, Java17IncompatibleTest.class })
 public class JerseyTests {
 
     private static HttpServer server;

instrumentation-security/jersey-2/build.gradle

@@ -4,6 +4,9 @@ dependencies {
     implementation("com.newrelic.agent.java:newrelic-api:${nrAPIVersion}")
     implementation("org.glassfish.jersey.core:jersey-server:2.0")
 
+    testImplementation("org.glassfish.jersey.containers:jersey-container-grizzly2-http:2.0")
+    testImplementation("org.glassfish.jersey.containers:jersey-container-servlet:2.0")
+    testImplementation('org.glassfish.hk2:hk2-api:2.1.88')
 }
 
 jar {

instrumentation-security/jersey-2/src/test/java/com/nr/agent/security/instrumentation/jersey2/JerseyTests.java

@@ -18,6 +18,9 @@
 import com.newrelic.api.agent.security.schema.HttpResponse;
 import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
 import com.newrelic.api.agent.security.schema.operation.RXSSOperation;
+import com.newrelic.security.test.marker.Java11IncompatibleTest;
+import com.newrelic.security.test.marker.Java17IncompatibleTest;
+import com.newrelic.security.test.marker.Java9IncompatibleTest;
 import org.glassfish.grizzly.http.server.HttpServer;
 import org.glassfish.grizzly.http.util.Header;
 import org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpServerFactory;
@@ -26,6 +29,7 @@
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
 
 import javax.ws.rs.client.Client;
@@ -53,6 +57,7 @@
 
 @RunWith(SecurityInstrumentationTestRunner.class)
 @InstrumentationTestConfig(includePrefixes = {"com.newrelic.agent.security.instrumentation.jersey2", "org.glassfish.jersey"})
+@Category({ Java9IncompatibleTest.class, Java11IncompatibleTest.class, Java17IncompatibleTest.class })
 public class JerseyTests {
 
     private static HttpServer server;