Merge branch 'NR-336200' into NR-294559-graphql

Changelog.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [v1.5.0] - 2024-10-29
+### Features:
+* Json Version bump to 1.2.9.
+* Add IAST Scan start time and Traffic Start Time in Health Check
+* Add feature to allow IAST Scan Scheduling.
+* Add feature to ignore IAST Scan of certain APIs, categories, or parameters.
+* Add feature to rate limit the IAST replay requests.
+* Add trace.id in event json.
+* Add request uri in application runtime error event.
+
+### Fixes
+* Fix for wrong user file name for RXSS event in windows environment.
+
 ## [v1.4.0] - 2024-08-27
 ### Features:
 * Added new key identifiers to all event JSONs.

go.mod

@@ -3,9 +3,10 @@ module github.com/newrelic/csec-go-agent
 go 1.18
 
 require (
+	github.com/adhocore/gronx v1.19.1
 	github.com/dlclark/regexp2 v1.9.0
 	github.com/gorilla/websocket v1.5.0
-	github.com/k2io/hookingo v1.0.5
+	github.com/k2io/hookingo v1.0.6
 	golang.org/x/crypto v0.22.0
 )
 

go.sum

@@ -1,33 +1,16 @@
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/adhocore/gronx v1.19.1 h1:S4c3uVp5jPjnk00De0lslyTenGJ4nA3Ydbkj1SbdPVc=
+github.com/adhocore/gronx v1.19.1/go.mod h1:7oUY1WAU8rEJWmAxXR2DN0JaO4gi9khSgKjiRypqteg=
 github.com/dlclark/regexp2 v1.9.0 h1:pTK/l/3qYIKaRXuHnEnIf7Y5NxfRPfpb7dis6/gdlVI=
 github.com/dlclark/regexp2 v1.9.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/k2io/hookingo v1.0.3 h1:9rJMlAKzhBLTEn3jmpmt6AsyHmXONPvRgCRxzvxS89Y=
-github.com/k2io/hookingo v1.0.3/go.mod h1:GfmXAKuiFd8/UafviDs8nnciGQ89QvHIzQQUaAmvRJ4=
-github.com/k2io/hookingo v1.0.5 h1:MAuYIjpOf2IFs7UqEDrHntNBswWg7z7/I2XMQHogEio=
-github.com/k2io/hookingo v1.0.5/go.mod h1:2L1jdNjdB3NkbzSVv9Q5fq7SJhRkWyAhe65XsAp5iXk=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-golang.org/x/arch v0.0.0-20190927153633-4e8777c89be4/go.mod h1:flIaEI6LNU6xOCD5PaJvn9wGP0agmIOqjrtsKGRguv4=
-golang.org/x/arch v0.3.0 h1:02VY4/ZcO/gBOH6PUaoiptASxtXU10jazRCP865E97k=
-golang.org/x/arch v0.3.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
+github.com/k2io/hookingo v1.0.6 h1:HBSKd1tNbW5BCj8VLNqemyBKjrQ8g0HkXcbC/DEHODE=
+github.com/k2io/hookingo v1.0.6/go.mod h1:2L1jdNjdB3NkbzSVv9Q5fq7SJhRkWyAhe65XsAp5iXk=
 golang.org/x/arch v0.4.0 h1:A8WCeEWhLwPBKNbFi5Wv5UTCBx5zzubnXDlMOFAzFMc=
 golang.org/x/arch v0.4.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
 golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
 golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=

internal/security_logs/logger.go

@@ -29,7 +29,7 @@ type Logger interface {
 
 // New creates a basic Logger.
 func UpdateLogger(w io.Writer, mode string, pid int, logF *logFile, rotateFileHook *RotateFileHook, isDefault bool) {
-	logF.logger = log.New(w, fmt.Sprintf("%d", pid), log.Ldate|log.Ltime|log.Lmsgprefix|log.LstdFlags|log.LUTC|log.Lshortfile)
+	logF.logger = log.New(w, fmt.Sprintf("%d", pid), log.Ldate|log.LUTC|log.Lmsgprefix|log.LstdFlags|log.LUTC|log.Lshortfile)
 	logF.isActive = true
 	logF.iscache = false
 	logF.rotateFileHook = rotateFileHook

internal/security_utils/config.go

@@ -4,8 +4,8 @@
 package security_utils
 
 const (
-	CollectorVersion = "1.4.0"
+	CollectorVersion = "1.5.0"
 	JsonVersion      = "1.2.9"
 	CollectorType    = "GOLANG"
-	BuildNumber      = "160"
+	BuildNumber      = "161"
 )

internal/security_utils/global_utils.go

@@ -19,6 +19,7 @@ type Info_req struct {
 	ReflectedMetaData    ReflectedMetaData
 	ParentID             string
 	BodyLimit            int
+	TraceId              string
 }
 
 type ReflectedMetaData struct {
@@ -50,6 +51,7 @@ type RequestInfo struct {
 	DataTruncated  bool                `json:"dataTruncated"`
 	BodyReader     SecWriter           `json:"-"`
 	Route          string              `json:"route"`
+	URI            string              `json:"requestURI"`
 	CustomDataType map[string]string   `json:"customDataType"`
 }
 

security_config/global_config.go

@@ -37,6 +37,7 @@ type Info_struct struct {
 	IastReplayRequest        IastReplayRequest
 	EventStats               EventStats
 	DroppedEvent             DroppedEvent
+	dealyAgentTill           time.Time
 }
 
 func (info *Info_struct) GetCurrentPolicy() Policy {
@@ -102,10 +103,92 @@ func (info *Info_struct) SetSecurity(security Security) {
 	info.security = security
 }
 
-func (info *Info_struct) IsRxssEnabled() bool {
+func (info *Info_struct) IsInsecureSettingsDisabled() bool {
 	info.securityMutex.Lock()
 	defer info.securityMutex.Unlock()
-	return info.security.Detection.Rxss.Enabled
+	return info.security.ExcludeFromIastScan.IastDetectionCategory.InsecureSettings
+}
+func (info *Info_struct) IsInvalidFileAccessDisabled() bool {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ExcludeFromIastScan.IastDetectionCategory.InvalidFileAccess
+}
+
+func (info *Info_struct) IsSQLInjectionDisabled() bool {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ExcludeFromIastScan.IastDetectionCategory.SQLInjection
+}
+func (info *Info_struct) IsNosqlInjectionDisabled() bool {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ExcludeFromIastScan.IastDetectionCategory.NosqlInjection
+}
+func (info *Info_struct) IsLdapInjectionDisabled() bool {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ExcludeFromIastScan.IastDetectionCategory.LdapInjection
+}
+func (info *Info_struct) IsJavascriptInjectionDisabled() bool {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ExcludeFromIastScan.IastDetectionCategory.JavascriptInjection
+}
+func (info *Info_struct) IsCommandInjectionDisabled() bool {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ExcludeFromIastScan.IastDetectionCategory.CommandInjection
+}
+func (info *Info_struct) IsXpathInjectionDisabled() bool {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ExcludeFromIastScan.IastDetectionCategory.XpathInjection
+}
+func (info *Info_struct) IsSsrfDisabled() bool {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ExcludeFromIastScan.IastDetectionCategory.Ssrf
+}
+func (info *Info_struct) IsRxssDisabled() bool {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ExcludeFromIastScan.IastDetectionCategory.Rxss
+}
+
+func (info *Info_struct) SkipIastScanParameters() interface{} {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ExcludeFromIastScan.HttpRequestParameters
+}
+
+func (info *Info_struct) SkipIastScanApi() []string {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ExcludeFromIastScan.API
+}
+
+func (info *Info_struct) ScanScheduleDuration() int {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ScanSchedule.Duration
+}
+
+func (info *Info_struct) ScanScheduleDelay() int {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ScanSchedule.Delay
+}
+
+func (info *Info_struct) ScanScheduleAllowIastSampleCollection() bool {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ScanSchedule.AllowIastSampleCollection
+}
+
+func (info *Info_struct) ScanScheduleSchedule() string {
+	info.securityMutex.Lock()
+	defer info.securityMutex.Unlock()
+	return info.security.ScanSchedule.Schedule
 }
 
 func (info *Info_struct) SecurityHomePath() string {
@@ -128,14 +211,24 @@ func (info *Info_struct) SetValidatorServiceUrl(path string) {
 func (info *Info_struct) SecurityMode() string {
 	return info.security.Mode
 }
+func (info *Info_struct) IsIastMode() bool {
+	return secUtils.CaseInsensitiveEquals(info.security.Mode, "IAST")
+}
 
 func (info *Info_struct) BodyLimit() int {
 	return info.security.Request.BodyLimit * 1000
 }
 
 func (info *Info_struct) SetBodyLimit(bodyLimit int) {
 	info.security.Request.BodyLimit = bodyLimit
-	return
+}
+
+func (info *Info_struct) ScanControllersIastLoadInterval() int {
+	return info.security.ScanControllers.IastScanRequestRateLimit
+}
+
+func (info *Info_struct) SetscanControllersIastLoadInterval(iastLoadInterval int) {
+	info.security.ScanControllers.IastScanRequestRateLimit = iastLoadInterval
 }
 
 func (info *Info_struct) GetApiData() []any {
@@ -174,7 +267,7 @@ func (info *Info_struct) IastProbingInterval() int {
 }
 
 type metaData struct {
-	linkingMetadata interface{}
+	linkingMetadata map[string]string
 	accountID       string
 	agentRunId      string
 	entityGuid      string
@@ -230,13 +323,13 @@ func (m *metaData) SetAgentRunId(value string) {
 	m.agentRunId = value
 }
 
-func (m *metaData) GetLinkingMetadata() interface{} {
+func (m *metaData) GetLinkingMetadata() map[string]string {
 	m.Lock()
 	defer m.Unlock()
 	return m.linkingMetadata
 }
 
-func (m *metaData) SetLinkingMetadata(value interface{}) {
+func (m *metaData) SetLinkingMetadata(value map[string]string) {
 	m.Lock()
 	defer m.Unlock()
 	m.linkingMetadata = value
@@ -321,21 +414,23 @@ type EnvironmentInfo struct {
 
 type runningApplicationInfo struct {
 	sync.Mutex
-	appName          string
-	apiAccessorToken string
-	protectedServer  string
-	appUUID          string
-	sha256           string
-	size             string
-	contextPath      string
-	pid              string
-	Cmd              string
-	cmdline          []string
-	ports            []int
-	ServerIp         string
-	starttimestr     time.Time
-	binaryPath       string
-	serverName       []string
+	appName            string
+	apiAccessorToken   string
+	protectedServer    string
+	appUUID            string
+	sha256             string
+	size               string
+	contextPath        string
+	pid                string
+	Cmd                string
+	cmdline            []string
+	ports              []int
+	ServerIp           string
+	starttimestr       time.Time
+	trafficStartedTime time.Time
+	scanStartTime      time.Time
+	binaryPath         string
+	serverName         []string
 }
 
 func (r *runningApplicationInfo) GetAppName() string {
@@ -466,6 +561,32 @@ func (r *runningApplicationInfo) SetServerName(value string) {
 	r.serverName = append(r.serverName, value)
 }
 
+func (r *runningApplicationInfo) GetTrafficStartedTime() int64 {
+
+	if r.trafficStartedTime.IsZero() {
+		return 0
+	} else {
+		return r.trafficStartedTime.Unix() * 1000
+	}
+}
+
+func (r *runningApplicationInfo) SetTrafficStartedTime(value time.Time) {
+	r.trafficStartedTime = value
+}
+
+func (r *runningApplicationInfo) GetScanStartTime() int64 {
+
+	if r.trafficStartedTime.IsZero() {
+		return 0
+	} else {
+		return r.scanStartTime.Unix() * 1000
+	}
+}
+
+func (r *runningApplicationInfo) SetScanStartTime(value time.Time) {
+	r.scanStartTime = value
+}
+
 type Instrumentation struct {
 	HookCalledCount   uint64
 	Hooked            bool

security_config/secure_config.go

@@ -25,6 +25,35 @@ type Security struct {
 	Request          struct {
 		BodyLimit int `yaml:"body_limit"`
 	} `yaml:"request"`
+	ExcludeFromIastScan struct {
+		API                   []string `yaml:"api"`
+		HttpRequestParameters struct {
+			Header []string `yaml:"header" json:"header"`
+			Query  []string `yaml:"query" json:"query"`
+			Body   []string `yaml:"body" json:"body"`
+		} `yaml:"http_request_parameters"`
+		IastDetectionCategory struct {
+			InsecureSettings    bool `yaml:"insecure_settings"`
+			InvalidFileAccess   bool `yaml:"invalid_file_access"`
+			SQLInjection        bool `yaml:"sql_injection"`
+			NosqlInjection      bool `yaml:"nosql_injection"`
+			LdapInjection       bool `yaml:"ldap_injection"`
+			JavascriptInjection bool `yaml:"javascript_injection"`
+			CommandInjection    bool `yaml:"command_injection"`
+			XpathInjection      bool `yaml:"xpath_injection"`
+			Ssrf                bool `yaml:"ssrf"`
+			Rxss                bool `yaml:"rxss"`
+		} `yaml:"iast_detection_category"`
+	} `yaml:"exclude_from_iast_scan"`
+	ScanSchedule struct {
+		Delay                     int    `yaml:"delay"`
+		Duration                  int    `yaml:"duration"`
+		Schedule                  string `yaml:"schedule"`
+		AllowIastSampleCollection bool   `yaml:"always_sample_traces"`
+	} `yaml:"scan_schedule"`
+	ScanControllers struct {
+		IastScanRequestRateLimit int `yaml:"iast_scan_request_rate_limit"`
+	} `yaml:"scan_controllers"`
 }
 
 type Policy struct {