
Bump CSEC Java Agent Version 1.5.0 #2075

Closed
wants to merge 6 commits into from

Conversation

lovesh-ap
Copy link
Contributor

@lovesh-ap lovesh-ap commented Sep 26, 2024

New features

  • Json Version bump to 1.2.9.
  • PR-327 Application endpoint detection for gRPC Server NR-303616
  • PR-326 Add IAST Scan start time and Traffic Start Time in Health Check NR-308822
  • PR-320 Add feature to allow IAST Scan Scheduling. NR-301534
    Configuration via yaml:

    ```yaml
    security:
      scan_schedule:
        # The delay field specifies the delay in minutes before the IAST scan starts. This allows the scan to be scheduled to start at a later time.
        delay: 0        # In minutes, default is 0 min

        # The duration field specifies the duration of the IAST scan in minutes. This determines how long the scan will run.
        duration: 0     # In minutes, default is forever

        # The schedule field specifies a cron expression that defines when the IAST scan should start.
        #schedule: ""   # By default, schedule is inactive

        # Allow continuous sample collection of IAST events
        always_sample_traces: false # Default is false
    ```
  • PR-320 Add feature to ignore IAST Scan of certain APIs, categories, or parameters. NR-301856
    Configuration via yaml:

    ```yaml
    security:
      # The exclude_from_iast_scan configuration allows APIs, parameters, and categories to be specified that should not be scanned by Security Agents.
      exclude_from_iast_scan:
        # The api field specifies a list of APIs using regular expression (regex) patterns that follow the syntax of Perl 5. The regex pattern should provide a complete match for the URL without the endpoint.
        # Example:
        #   api:
        #    - .*account.*
        #    - .*/\api\/v1\/.*?\/login
        api: []

        # The parameters configuration allows users to specify headers, query parameters, and body keys that should be excluded from IAST scans.
        # Example:
        #   http_request_parameters:
        #    header:
        #      - X-Forwarded-For
        #    query:
        #      - username
        #      - password
        #    body:
        #      - account.email
        #      - account.contact
        http_request_parameters:
          # A list of HTTP header keys. If a request includes any headers with these keys, the corresponding IAST scan will be skipped.
          header: []
          # A list of query parameter keys. The presence of these parameters in the request's query string will lead to skipping the IAST scan.
          query: []
          # A list of keys within the request body. If these keys are found in the body content, the IAST scan will be omitted.
          body: []

        # The iast_detection_category configuration allows the categories of vulnerabilities that should not be detected by Security Agents to be specified.
        # If any of these categories are set to true, Security Agents will not generate events or flag vulnerabilities for that category.
        iast_detection_category:
          insecure_settings: false
          invalid_file_access: false
          sql_injection: false
          nosql_injection: false
          ldap_injection: false
          javascript_injection: false
          command_injection: false
          xpath_injection: false
          ssrf: false
          rxss: false
    ```
  • PR-321 Add feature to rate limit the IAST replay requests. NR-304574
    Configuration via yaml:

    ```yaml
    security:
      scan_controllers:
        # The scan_request_rate_limit configuration allows the maximum number of replay requests played per minute to be specified.
        iast_scan_request_rate_limit: 3600 # Number of IAST replay requests played per minute, default is 3600
    ```
  • PR-315 GraphQL Support : The security agent now also supports GraphQL Version 16.0.0 and above, default is disabled. NR-299885

Fixes

  • PR-322 Report Application endpoints immediately upon detecting new endpoints. NR-287324
  • PR-323 Extract Server Configuration to resolve IAST localhost connection with application for WebSphere Liberty server NR-303483
  • PR-327 Fix for User Class Detection in gRPC Server NR-303616
  • PR-328 Fix for multiple Reflected Events observed in Jersey Framework NR-307644
  • PR-325 Fix for incorrect Application endpoints detected for Servlet Framework NR-303615
  • PR-320 Report only uncaught exceptions in IAST Error inbox. NR-313412

Deprecations

  • Status File Used for Debugging: This feature has been deprecated. All debugging capabilities have been moved to either Init Logging or Error Inbox and will be removed in a future agent release. NR-293966
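The two configuration blocks above (`exclude_from_iast_scan` from PR-320 and `iast_scan_request_rate_limit` from PR-321) describe policy, not mechanism. The following Python is an added example, not code from the CSEC Java agent or from this PR, showing one plausible reading of that policy: a request is skipped when its path fully matches an `api` regex or when it carries any of the listed header, query, or dotted body keys, and replay requests are capped per fixed one-minute window. The configuration dict, the sample requests, case-insensitive header matching, and the fixed-window limiter are all assumptions made here for illustration.

```python
import re
from typing import Any, Dict, Mapping, Optional

# Constructed configuration mirroring the exclude_from_iast_scan YAML example
# (the Perl-5 escaping in the page's second pattern is simplified to Python syntax).
EXCLUDE_CONFIG: Dict[str, Any] = {
    "api": [r".*account.*", r".*/api/v1/.*?/login"],
    "http_request_parameters": {
        "header": ["X-Forwarded-For"],
        "query": ["username", "password"],
        "body": ["account.email", "account.contact"],
    },
}


def _body_has_key(body: Any, dotted: str) -> bool:
    """Walk a dotted key such as 'account.email' through nested dict body content."""
    node = body
    for part in dotted.split("."):
        if not isinstance(node, Mapping) or part not in node:
            return False
        node = node[part]
    return True


def exclusion_reason(request: Mapping[str, Any], config: Mapping[str, Any]) -> Optional[str]:
    """Return why a request would be excluded from the IAST scan, or None if it should be scanned.

    request is a constructed dict with optional keys: path, headers, query, body.
    """
    path = request.get("path", "")
    # The config comment asks for a complete match, so fullmatch rather than search.
    for pattern in config.get("api", []):
        if re.fullmatch(pattern, path):
            return f"api:{pattern}"

    params = config.get("http_request_parameters", {})
    # Assumption: HTTP header names compare case-insensitively.
    present_headers = {name.lower() for name in request.get("headers", {})}
    for header in params.get("header", []):
        if header.lower() in present_headers:
            return f"header:{header}"

    query_keys = set(request.get("query", {}))
    for key in params.get("query", []):
        if key in query_keys:
            return f"query:{key}"

    for dotted in params.get("body", []):
        if _body_has_key(request.get("body", {}), dotted):
            return f"body:{dotted}"
    return None


class ReplayRateLimiter:
    """Fixed one-minute window limiter modelled on iast_scan_request_rate_limit (assumed algorithm)."""

    def __init__(self, per_minute: int) -> None:
        self.per_minute = per_minute
        self.window_start: Optional[float] = None
        self.count = 0

    def allow(self, now: float) -> bool:
        """Admit a replay request at time `now` (seconds) if the current window has budget left."""
        if self.window_start is None or now - self.window_start >= 60:
            self.window_start = now
            self.count = 0
        if self.count < self.per_minute:
            self.count += 1
            return True
        return False


if __name__ == "__main__":
    sample = {"path": "/api/v1/users/login", "headers": {}, "query": {}, "body": {}}
    print(exclusion_reason(sample, EXCLUDE_CONFIG))
    limiter = ReplayRateLimiter(per_minute=3)
    print([limiter.allow(t) for t in (0, 0, 0, 1, 60)])
```

The `api` check deliberately uses `re.fullmatch`, which is what "complete match" in the config comment implies; a `re.search` would silently widen an exclusion such as `.*account.*` to any path containing that substring anywhere, and broad exclusions are the main way this feature can hide findings, so the patterns deserve the same review as any other allow-list.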

@jtduffy jtduffy deleted the release/csec/v1.5.0 branch September 26, 2024 17:32