newrelic · IshikaDawda · Mar 17, 2025 · Mar 17, 2025 · Mar 25, 2025 · Mar 25, 2025
diff --git a/.github/actions/setup-environment-inst-verifier/action.yml b/.github/actions/setup-environment-inst-verifier/action.yml
@@ -17,8 +17,8 @@ runs:
       with:
         distribution: 'temurin'
         java-version: |
+          23
           21
-          20
           17
           11
           8    
@@ -30,8 +30,8 @@ runs:
         sed -i -e "s|jdk8=8|jdk8=${JAVA_HOME_8_X64}|
         s|jdk11=11|jdk11=${JAVA_HOME_11_X64}|
         s|jdk17=17|jdk17=${JAVA_HOME_17_X64}|
-        s|jdk20=20|jdk20=${JAVA_HOME_20_X64}|
-        s|jdk21=21|jdk20=${JAVA_HOME_21_X64}|" gradle.properties.gha
+        s|jdk21=21|jdk21=${JAVA_HOME_21_X64}|
+        s|jdk23=23|jdk23=${JAVA_HOME_23_X64}|" gradle.properties.gha
         cat gradle.properties.gha >> gradle.properties
 
     - name: Setup Gradle

diff --git a/.github/actions/setup-environment/action.yml b/.github/actions/setup-environment/action.yml
@@ -32,12 +32,12 @@ runs:
 
   steps:
     - name: Set up Javas
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         distribution: 'temurin'
         java-version: |
+          23
           21
-          20
           17
           11
           8
@@ -49,16 +49,16 @@ runs:
         sed -i -e "s|jdk8=8|jdk8=${JAVA_HOME_8_X64}|
         s|jdk11=11|jdk11=${JAVA_HOME_11_X64}|
         s|jdk17=17|jdk17=${JAVA_HOME_17_X64}|
-        s|jdk20=20|jdk20=${JAVA_HOME_20_X64}|
-        s|jdk21=21|jdk21=${JAVA_HOME_21_X64}|" gradle.properties.gha
+        s|jdk21=21|jdk21=${JAVA_HOME_21_X64}|
+        s|jdk23=23|jdk23=${JAVA_HOME_23_X64}|" gradle.properties.gha
         cat gradle.properties.gha >> gradle.properties
 
     - name: Setup Gradle
       uses: gradle/gradle-build-action@v2
 
     - name: Setup Gradle options
       shell: bash
-      run: echo "GRADLE_OPTIONS=-Porg.gradle.java.installations.auto-detect=false -Porg.gradle.java.installations.fromEnv=JAVA_HOME_8_X64,JAVA_HOME_11_X64,JAVA_HOME_17_X64,JAVA_HOME_19_X64,JAVA_HOME_20_X64 -Prelease=${{ inputs.is-release }} -Prelease-suffix=${{ inputs.version-suffix }} " >> $GITHUB_ENV
+      run: echo "GRADLE_OPTIONS=-Porg.gradle.java.installations.auto-detect=false -Porg.gradle.java.installations.fromEnv=JAVA_HOME_8_X64,JAVA_HOME_11_X64,JAVA_HOME_17_X64,JAVA_HOME_19_X64,JAVA_HOME_21_X64,JAVA_HOME_23_X64 -Prelease=${{ inputs.is-release }} -Prelease-suffix=${{ inputs.version-suffix }} " >> $GITHUB_ENV
 
     # Restore the maven cache
     - name: Cache local Maven repository

diff --git a/.github/actions/unit-test/action.yml b/.github/actions/unit-test/action.yml
@@ -5,41 +5,55 @@ inputs:
     description: 'The JVM Version to use'
     required: true
     default: '8'
+  csec-run-scala-unittest:
+    description: 'Whether to run CSEC scala instrumentation unit tests'
+    required: true
+    default: 'false'
 
 runs:
   using: composite
 
   steps:
+    #    Run Scala unit tests if java version is 8 and csec-run-scala-unittest is enabled.
+    - name: Run scala instrumentation unit tests
+      id: run_scala_unit_tests
+      shell: bash
+      continue-on-error: true
+      if: (inputs.csec-run-scala-unittest == 'true' && inputs.java-version == '8')
+      run: |
+        ./gradlew $GRADLE_OPTIONS test -PincludeScala --continue
+
     - name: Run instrumentation unit tests on Java ${{ inputs.java-version }} attempt 1
       id: run_tests_1
       shell: bash
       continue-on-error: true
+      if: ( steps.run_scala_unit_tests.outcome == 'skipped' || steps.run_scala_unit_tests.outcome == 'failure' )
       run: |
-        echo "Running attempt 1"
-        ./gradlew ${GRADLE_OPTIONS} --info test -Ptest${{ inputs.java-version }} --continue
+        echo "Running attempt 1 with ${{ inputs.java-version }}"
+        ./gradlew ${GRADLE_OPTIONS} test -Ptest${{ inputs.java-version }} --continue
 
     - name: Run instrumentation unit tests on Java ${{ inputs.java-version }} attempt 2
       id: run_tests_2
       shell: bash
       continue-on-error: true
       if: steps.run_tests_1.outcome == 'failure'
       run: |
-        echo "Running attempt 2"
-        ./gradlew ${GRADLE_OPTIONS} --info test -Ptest${{ inputs.java-version }} --continue
+        echo "Running attempt 2 with ${{ inputs.java-version }}"
+        ./gradlew ${GRADLE_OPTIONS} test -Ptest${{ inputs.java-version }} --continue
 
     - name: Run instrumentation unit tests on Java ${{ inputs.java-version }} attempt 3
       id: run_tests_3
       shell: bash
       continue-on-error: true
       if: steps.run_tests_2.outcome == 'failure'
       run: |
-        echo "Running attempt 3"
-        ./gradlew ${GRADLE_OPTIONS} --info test -Ptest${{ inputs.java-version }} --continue
+        echo "Running attempt 3 with ${{ inputs.java-version }}"
+        ./gradlew ${GRADLE_OPTIONS} test -Ptest${{ inputs.java-version }} --continue
 
     - name: Run instrumentation unit tests on Java ${{ inputs.java-version }} attempt 4
       id: run_tests_4
       shell: bash
       if: steps.run_tests_3.outcome == 'failure'
       run: |
-        echo "Running attempt 4"
+        echo "Running attempt 4 with ${{ inputs.java-version }}"
         ./gradlew ${GRADLE_OPTIONS} --info test -Ptest${{ inputs.java-version }} --continue
diff --git a/...flows/X-Reusable-Build-Security-Agent.yml → .github/workflows/GHA-Unit-Tests.yml b/...flows/X-Reusable-Build-Security-Agent.yml → .github/workflows/GHA-Unit-Tests.yml
@@ -1,4 +1,7 @@
-name: X - Reusable Build Security Agent
+# Workflow: Run Unit tests
+#
+# Trigger: This workflow runs on every merge to the main branch and on pull request.
+name: Unit Tests
 on:
   workflow_call:
     inputs:
@@ -26,6 +29,16 @@ on:
         description: 'version suffix to be added, if any'
         default: ''
         type: string
+      csec-run-scala-unittest:
+        description: 'Whether to run CSEC scala instrumentation unit tests'
+        required: false
+        default: false
+        type: boolean
+      unit-test-java-version:
+        description: 'Run Unit test on java version, default java versions are [ 8 ] '
+        required: false
+        default: '[ 8 ]'
+        type: string
 
   workflow_dispatch:
     inputs:
@@ -42,8 +55,8 @@ on:
       run-unit-test:
         description: 'Run instrumentation unit tests ?'
         required: true
-        type: string
-        default: 'true'
+        type: boolean
+        default: true
       is-release:
         description: 'Is this a release run'
         required: true
@@ -53,6 +66,16 @@ on:
         description: 'version suffix to be added, if any'
         default: ''
         type: string
+      csec-run-scala-unittest:
+        description: 'Run scala instrumentation unit tests ?'
+        required: true
+        type: boolean
+        default: true
+      unit-test-java-version:
+        description: 'Run Unit test on java version, default java versions are [ 8, 11, 17, 21 ] '
+        required: true
+        default: '[ 8, 11, 17, 21 ]'
+        type: string
 
 jobs:
   # this job reads the directories in csec-java-agent/instrumentation-security and creates a JSON with the list of the modules
@@ -61,8 +84,7 @@ jobs:
     runs-on: ubuntu-24.04
     strategy:
       matrix:
-        java-version: [ 8 ]
-#        java-version: [ 8, 11, 17 ]
+        java-version: ${{ fromJson(inputs.unit-test-java-version) }}
 
     steps:
       - name: Checkout CSEC Repo
@@ -85,5 +107,7 @@ jobs:
       - name: Run CSEC unit tests
         if: ${{ inputs.run-unit-test == 'true' }}
         uses: ./.github/actions/unit-test
+        continue-on-error: true
         with:
+          csec-run-scala-unittest: ${{ inputs.csec-run-scala-unittest }}
           java-version: ${{ matrix.java-version }}
diff --git a/.github/workflows/TestSuite-PR.yml b/.github/workflows/TestSuite-PR.yml
@@ -0,0 +1,39 @@
+# Workflow: Run Unit tests
+#
+# Trigger: This workflow runs on every merge to the main branch and on pull request.
+name: Unit Tests
+on:
+
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  # this job reads the directories in csec-java-agent/instrumentation-security and creates a JSON with the list of the modules
+  # this list is paginated and will be used in the verify-module job.
+  build-agent:
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        java-version: [ 8, 11, 17, 21 ]
+
+    steps:
+      - name: Checkout CSEC Repo
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Setup environment
+        uses: ./.github/actions/setup-environment
+        with:
+          apm-aws-access-key-id: ${{ secrets.APM_AWS_ACCESS_KEY_ID }}
+          apm-aws-secret-access-key: ${{ secrets.APM_AWS_SECRET_ACCESS_KEY }}
+          apm-aws-region: us-east-2
+
+      - name: Publish CSEC to local
+        uses: ./.github/actions/publish-csec-local
+
+      - name: Run CSEC unit tests
+        uses: ./.github/actions/unit-test
+        with:
+          csec-run-scala-unittest: true
+          java-version: ${{ matrix.java-version }}
diff --git a/.github/workflows/build-integrated-jar.yml b/.github/workflows/build-integrated-jar.yml
@@ -14,14 +14,22 @@ on:
         description: 'Whether to run CSEC instrumentation unit tests'
         required: true
         default: true
+        type: boolean
+      csec-run-scala-unittest:
+        description: 'Whether to run CSEC scala instrumentation unit tests ?'
+        required: true
+        type: boolean
+        default: false
       csec-run-instrumentation-verify:
         description: 'Whether to run CSEC instrumentation verifier'
         required: true
         default: true
+        type: boolean
       slack-notify:
         description: 'Whether to notify build status on slack'
         required: true
         default: true
+        type: boolean
       description:
         description: "A description for the custom jar that will be generated. It will appear in the summary."
         required: true
@@ -34,12 +42,13 @@ permissions:
 jobs:
   build-csec-agent:
     name: Build CSEC agent artifacts
-    uses: ./.github/workflows/X-Reusable-Build-Security-Agent.yml
+    uses: ./.github/workflows/GHA-Unit-Tests.yml
     with:
       apm-repo: ${{ inputs.apm-repo }}
       apm-source-ref: ${{ inputs.apm-source-ref }}
       run-unit-test: ${{ inputs.csec-run-unittest }}
       is-release: false
+      csec-run-scala-unittest: ${{ inputs.csec-run-scala-unittest }}
     secrets: inherit
 
   verify-instrumentation:

diff --git a/.github/workflows/dependency-submission.yml b/.github/workflows/dependency-submission.yml
@@ -1,8 +1,16 @@
+# Workflow: Dependency Graph Submission and Vulnerability Reporting
+#
+# Trigger: This workflow runs on every merge to the main branch and on pull request.
+#
+# Purpose: It generates and submits a dependency graph to the GitHub Dependency Submission API. The graph is used to
+# trigger Dependabot Alerts for vulnerable dependencies, and to populate the Dependency Graph insights view in GitHub.
+
 name: Dependency Submission
 
 on:
   push:
     branches: ['main']
+  pull_request:
 
 permissions:
   contents: write
@@ -12,9 +20,9 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v3
         with:
           distribution: 'temurin'
           java-version: 8

diff --git a/.github/workflows/repolinter.yml b/.github/workflows/repolinter.yml
@@ -22,7 +22,7 @@ jobs:
             return data.data && data.data.default_branch === context.ref.split('/').slice(-1)[0]
       - name: Checkout Self
         if: ${{ steps.default-branch.outputs.result == 'true' }}
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Run Repolinter
         if: ${{ steps.default-branch.outputs.result == 'true' }}
         uses: newrelic/repolinter-action@v1

diff --git a/gradle.properties.gha b/gradle.properties.gha
@@ -2,5 +2,5 @@ jdk8=8
 jdk11=11
 jdk17=17
 jdk19=19
-jdk20=20
-
+jdk21=21
+jdk23=23
diff --git a/gradle/script/java.gradle b/gradle/script/java.gradle
@@ -81,6 +81,24 @@ compileJava.options.bootstrapClasspath = files("${jdkPath}/jre/lib/rt.jar", "${j
 // their own build.gradle to force the use of a specific version of Java (e.g. instrumentation/async-http-client-2.0.0).
 // This could lead to an "Unrecognized option" with the failure "Could not create the Java Virtual Machine".
 test {
+
+    // To keep test times reasonable we only test against supported LTS Java releases as well as the latest non-LTS release of Java.
+    // This method determines if we should run tests with the Java version configured by the -PtestN gradle property.
+    ext.configuredWithValidTestJDK = {
+        if (project.hasProperty("test9") || project.hasProperty("test10") || project.hasProperty("test12") || project.hasProperty("test13") ||
+                project.hasProperty("test14") || project.hasProperty("test15") || project.hasProperty("test16") || project.hasProperty("test18") ||
+                project.hasProperty("test19") || project.hasProperty("test20") || project.hasProperty("test22")) {
+            logger.lifecycle("The csec-java-agent project does not support testing with the Java version configured by the -PtestN gradle property.")
+            return false
+        }
+        // The -PtestN gradle property was configured with a valid test JDK or not provided at all.
+        return true
+    }
+
+    onlyIf {
+        configuredWithValidTestJDK()
+    }
+
     ext.configureTest = { String jdkName, Closure configuration ->
         // Add an input property so that we differentiate between JDKs with the same version
         inputs.property("test.jdk", jdkName)
@@ -89,6 +107,38 @@ test {
         executable = project.property(jdkName) + '/bin/java'
         configuration.call()
     }
+    if (project.hasProperty("test23")) {
+        configureTest("jdk23") {
+            jvmArgs '--add-opens=java.base/java.lang=ALL-UNNAMED',
+                    '--add-opens=java.base/java.util=ALL-UNNAMED',
+                    '--add-opens=java.base/java.net=ALL-UNNAMED',
+                    '--add-opens=java.base/java.io=ALL-UNNAMED',
+                    '--add-opens=java.base/sun.net.spi=ALL-UNNAMED',
+                    '--add-exports=java.base/sun.net.spi=ALL-UNNAMED',
+                    '--add-exports=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED'
+            useJUnit {
+                excludeCategories 'com.newrelic.security.test.marker.Java23IncompatibleTest'
+            }
+        }
+        // mockito uses a version of bytebuddy that has experimental support for Java 21
+        systemProperty("net.bytebuddy.experimental", "true")
+    }
+    if (project.hasProperty("test21")) {
+        configureTest("jdk21") {
+            jvmArgs '--add-opens=java.base/java.lang=ALL-UNNAMED',
+                    '--add-opens=java.base/java.util=ALL-UNNAMED',
+                    '--add-opens=java.base/java.net=ALL-UNNAMED',
+                    '--add-opens=java.base/java.io=ALL-UNNAMED',
+                    '--add-opens=java.base/sun.net.spi=ALL-UNNAMED',
+                    '--add-exports=java.base/sun.net.spi=ALL-UNNAMED',
+                    '--add-exports=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED'
+            useJUnit {
+                excludeCategories 'com.newrelic.security.test.marker.Java21IncompatibleTest'
+            }
+        }
+        // mockito uses a version of bytebuddy that has experimental support for Java 21
+        systemProperty("net.bytebuddy.experimental", "true")
+    }
     if (project.hasProperty("test19")) {
         configureTest("jdk19") {
             jvmArgs '--add-opens=java.base/java.lang=ALL-UNNAMED',

diff --git a/instrumentation-security/apache-tomcat-7/build.gradle b/instrumentation-security/apache-tomcat-7/build.gradle
@@ -16,6 +16,13 @@ verifyInstrumentation {
     excludeRegex '.*-(b|gfa|beta|RC)[0-9]*'
 }
 
+test {
+    onlyIf {
+        // test is incompatible with version of java greater than 1.8
+        project.hasProperty("test8")
+    }
+}
+
 site {
     title 'Tomcat'
     type 'Appserver'