Noteworthy changes to the agent are documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- NR-256459 Exclude JAX RS 4.0.0-M2 version from Instrumentation PR-231
- NR-256461 Exclude mssql-jdbc version 12.7.0 from Instrumentation PR-232
- NR-260369 Dependency version bump of commons-compress:1.21 to commons-compress:1.26.0
- Json Version bump to 1.2.0 due to NR-235776 implementation.
- NR-234886 IAST replay header decryption due to Security Findings PR-207
- NR-253538 Fix issue related to the instrumentation of the Rhino JavaScript Engine that occurred while reading the script. PR-211
- NR-174177 Ning Async HTTP client Support: The security agent now also supports com.ning:async-http-client 1.0.0 and above PR-152, PR-118, PR-116
- NR-181375 Jersey Support: The security agent now also supports Jersey 2.0 and above PR-150, PR-149
- NR-187224 Mule Support: The security agent now also supports Mule server version 3.6 to 3.9.x PR-144, PR-143
- Jetty v12 Support: The security agent now also support Jetty version 12 and above PR-106
- NR-174175 Lettuce Support: The security agent now also supports Lettuce 4.4.0.Final and above PR-125
- NR-234869 GHA Update Unit Test Action for Testing Unit tests with different java-version with re-tries on failure PR-204
- NR-223811 Extract Server Configuration to resolve IAST localhost connection with application for wildfly server PR-192
- NR-234903 Trustboundary events now will have list of string as parameter schema
- NR-223414 Enable Low Priority Instrumentation by default PR-179
- NR-219439 Akka server v10.0+ Support: The security agent now supports Akka server version 10.0 and above (with scala 2.11 and above) PR-175
- NR-222151 Extract Server Configuration to resolve IAST localhost connection with application PR-183
- NR-223852 Retry IAST request with different endpoint, if failure reason is SSLException or 301 PR-182
- NR-218729 Add instrumentation of java.nio.file.Files#setPosixFilePermissions PR-178
- gRPC client v1.4.0+ Support: The security agent now supports gRPC client version 1.4.0 and above (with protobuf-java-utils version 3.0.0 and above)
- gRPC server v1.4.0+ Support: The security agent now supports gRPC server version 1.4.0 and above (with protobuf-java-utils version 3.0.0 and above)
- Add a Logger and Cloud Reporting API for instrumentation modules
- Glassfish Support: The security agent now also supports Glassfish server
- FileIntegrity is marked if any of following is changed - existence, length, permissions, last modified
- Drop RXSS events on the basis of Content-Type Exclusion List
- Akka server v10.0+ Support: The security agent now supports Akka server version 10.0 and above (with scala 2.11 and above)
- Separate out File.exists instrumentation from low-priority instrumentation module
- Removed Schema validation dependency everit-json-schema:1.14.2
- Introduced new dependency commons-collections4:4.4
- Update software license to New Relic Software License Version 1.0
- NR-212335 : support lower case stdout for log_file_name
- NR-215332 : Add java working temp directory to server info for exclusion
- NR-216474 : fix for Null Pointer exception for FILE_OPERATION
- NR-216456 : Fix for Class Cast Exception
- NR-215452 : Added the CC#_id to the completed list empty if absent in case of 2xx or 4xx response
- NR-213477 : Added missing instrumentation for servlet service method
- NR-214326 : Fix class circluarity error generated for BadPaddingException
- Support for stored procedure call detection in SQL events
- Support for extracting environment variables in case of Remote Code Execution events
- Support for executing script file analysis in case of Remote Code Execution events
- Enabled the transformation of the low-priority instrumentation module by default in case of IAST
- SecureCookie schema check has been removed
- Incorrect user file details in the vulnerability details
- Low severity hook event was not generated when the same url can process multiple request methods
- Detection of server app directory to mitigate false positives for File Access vulnerability
- Async HttpClient v2+ Support: The security agent now also supports Async HTTP client version 2 and above
- Sun Net HTTP Server support: The security agent now supports Sun Net HTTP Server
- Add APM trace information population in the event
- WS headers added : NR-CSEC-ENTITY-GUID & NR-CSEC-ENTITY-NAME
- JSON version bump to 1.1.1
- Add critical error logging via LogMessage event
- Insecure cookie attack vulnerability was flagged in secure communication, accounting communication type to mitigate the issue
- DynamoDB v2 issue: missing attribute values for conditionCheck method in case of transactWriteItems operation on DynamoDB
- Never print LicenseKey
- Updated unit test cases for all the outbound request instrumentation modules to include test cases for csec parent id header
- Unit test cases for Async HttpClient v2+
- Unit test cases for Jetty v12+
- Unit test cases for Sun Net HTTP Server
- Unit test cases for Netty Server
- Cassandra DB v3.0+ Support: The Security agent now supports Cassandra DB version 3.0 and above
- HttpClient v5.0+ Support: The Security agent now also supports HttpClient version 5.0 and above
- Support for std-out logging
- Added feature for Daily log rollover
- Support for logger config: log_file_count and log_limit_in_kbytes
- Relocating all our instrumentation packages under the package com.newrelic.agent.security.instrumentation.*
- Package Refactoring for Unit Tests: Move packaging for all UTs to com.nr.agent.security.instrumentation.*
- Set default value for low severity instrumentation to false
- Fixed ClassNotFoundException for IOStreamHelper class with Glassfish
- Updated PostgreSQL UTs with Embedded Server instead of test container
- [INSTRUMENTATION] Support for Apache log4j 3.0.0-alpha1 (new version released on 21 June 2023)
- [INSTRUMENTATION] Support for Commons.jxpath
- Randomization in WS connection delay
- [FIX] Issue with HealthChecking having empty process stats issue
- Add agent monitoring details and matrix to health check
- Limiting the supported version range for Jetty, due to the new version release of Jetty on 7th Aug, 2023
- Limiting the supported version range for Apache log4j due to the new version release of Apache log4j on 21 June 2023
- Support for indication what all API-IDs are scanned or being scanned.
- License update
- Improved Logging
- [LOGGER] Update init logger : maintain consistncy with all security agents
- [INSTRUMENTATION] Support for Embedded Jetty 9 & 11
- Added low priority instrumentations, turned off by default.
- Set WS thread names to start with NR-CSEC-
- Migrated build & release pipeline to GHA
- Added instrumentation and unit test cases for SQL batch operations
- Low severity event filter cleanup with 30 min interval.
- Added unit test cases for following:
- Servlet 2.4, 5.0, 6.0
- Applied instrumentation priority changes
- Scheduler for FileCleaner
- NPE fix in unit test of R2DBC
- Amazon DynamoDB unit test
- Make Amazon dynamodb unit test aarch64 comaptible
- Change hash int to set in introspector API of instrumentation unit tests.
- NR-118286 : case 1 : snapshot dir should be created always inside logs of nr-security-home
- Compatibility fix for file-operation instrumentation modules unit test in linux env.
- Move File exist hook to low priority instrumentation module
- Skip hook processing on Servlet low priority instrumentations modules
- Skip hook processing on internal threads
- Changes for IAST data pull (on demand #CC request)
- Removal of tmp file created for IAST scanning.
- First HC to be sent after 30 sec of thread launch
- Removed @NewField from Nashorn Instrumentation with Transaction map logic to avoid OOM issue
- More instrumentations added wrt to APM
- Thread Name Changes from K2 to NR-CSEC
- Non-Blocking initial WS connection to address NR-107536 : APM Integration test failure due to WS
- Add handling for passing the license key in quotes
- NR-103217 Events for jetty 9 not getting generated.
- NR-103233, removed dependency of java.lang.management by oshi library.
- Minor fix to URLConnection_Instrumentation regarding empty url.
- NR-93687, add excludes of Specific InputStream classes, invoke getTransaction for preload of Transaction classes
- Xpath update incorrect return types of inst methods
- Removed java.io.FileSystem Hooks since those are covered in java.io.File inst. Works around NR-98829
- NR-106418, update JSON converter to include null values also.
- Add debug level env variables for log file size and count manipulations NR_CSEC_DEBUG_LOGFILE_SIZE & NR_CSEC_DEBUG_LOGFILE_MAX_COUNT
- Rename healthcheck field from stat to stats
- Websocket connection now support custom ca certificate
- Added data member isIASTRequest in base of JavaAgentEventBean
- Changes to APM code: now only loading CSEC components if agent config has ‘security.enable’ value defined.
- Changes to user code detection hooks in CSEC. Now able to point servlet annotated classes and extension of HttpServlet do* methods.
- Fixed verify error with all mongo version, added instrumentation for mongo 3.1.x
- Added Let's Encrypt CA to trust store for prod clusters.
- Added options to provide custom trust CA via agent config('security.ca_bundle_path') and env parameter('NEW_RELIC_SECURITY_CA_BUNDLE_PATH'). This var takes path accessible to collector and expects a pem file.
- Reset CSEC component version to 1.0.0
- Reset CSEC json version to 1.0.0
- Set WS TCP connect timeout to 15
- Update WS header to include correct NR-LICENSE-KEY & NR-AGENT-RUN-TOKEN