feat: Add initial deny list

DataDog · Sep 18, 2024 · 017a398 · 017a398
1 parent 1429d59
commit 017a398
Show file tree

Hide file tree

Showing 6 changed files with 173 additions and 0 deletions.
diff --git a/.gitlab/prepare-oci-package.sh b/.gitlab/prepare-oci-package.sh
@@ -10,3 +10,4 @@ fi
 mkdir -p sources
 cp ../workspace/dd-java-agent/build/libs/*.jar sources/dd-java-agent.jar
 echo -n "$VERSION" > sources/version
+cp ../metadata/requirements.json sources/
diff --git a/metadata/.gitignore b/metadata/.gitignore
@@ -0,0 +1 @@
+/requirements.json
diff --git a/metadata/base-requirements.json b/metadata/base-requirements.json
@@ -0,0 +1,79 @@
+{
+  "version": 1,
+  "deny": [
+    {
+      "id": "unsupported_jvm",
+      "description": "Skip older JVMs",
+      "cmds": [
+        "**/java-1.5*/**/java",
+        "**/java-1.6*/**/java",
+        "**/java-6*/**/java",
+        "**/java-7/**/java"
+      ],
+      "args": [],
+      "envars": null
+    },
+    {
+      "id": "java8_version",
+      "description": "Skip java -version command",
+      "cmds": [
+        "**/java"
+      ],
+      "args": [
+        {
+          "args": [
+            "-version"
+          ],
+          "position": 0
+        }
+      ],
+      "envars": null
+    },
+    {
+      "id": "java_version",
+      "description": "Skip java --version command",
+      "cmds": [
+        "**/java"
+      ],
+      "args": [
+        {
+          "args": [
+            "--version"
+          ],
+          "position": 0
+        }
+      ],
+      "envars": null
+    }
+  ],
+  "native_deps": {
+    "glibc": [
+      {
+        "arch": "x86",
+        "supported": true
+      },
+      {
+        "arch": "x64",
+        "supported": true
+      },
+      {
+        "arch": "arm64",
+        "supported": true
+      }
+    ],
+    "musl": [
+      {
+        "arch": "x86",
+        "supported": true
+      },
+      {
+        "arch": "x64",
+        "supported": true
+      },
+      {
+        "arch": "arm64",
+        "supported": true
+      }
+    ]
+  }
+}
diff --git a/metadata/build-requirements.sh b/metadata/build-requirements.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+#
+# This script builds the requirements.json file based on
+# - the base-requirements.json as base file,
+# - the denied-main-classes.tsv as rules to exclude application from their main classes,
+# - the denied-environment-variables.tsv as rules to exclude applications from their exported environment variables.
+#
+
+log-json() {
+    local JSON=$1
+    echo "Logging JSON"
+    echo "$JSON" | jq
+}
+
+#
+# Initialize requirements from base file
+#
+JSON=$(cat base-requirements.json)
+
+#
+# Append deny list entries based on main classes
+#
+while read -r ENTRY; do
+    # Skip comments or empty lines
+    if [[ -z $ENTRY || $ENTRY == \#* ]]; then
+        continue
+    fi
+    # Take first word
+    IDENTIFIER=$(echo "$ENTRY" | awk '{print $1}')
+    # Take second word
+    MAIN_CLASS=$(echo "$ENTRY" | awk '{print $2}')
+    # Take the rest as description
+    DESCRIPTION=$(echo "$ENTRY" | awk '{for(i=3;i<=NF;++i) printf "%s%s", $i, (i<NF)?" ":""}')
+    # Build deny list entry
+    DENY_ENTRY=$(cat <<-END
+    {
+        "id": "$IDENTIFIER",
+        "description": "$DESCRIPTION",
+        "cmds": ["**/java"],
+        "args": [{
+          "arg": "$MAIN_CLASS",
+        }],
+        "envars": null
+    }
+END
+    )
+    JSON=$(echo "$JSON" | jq ".deny += [$DENY_ENTRY]")
+done < denied-main-classes.tsv
+
+#
+# Append deny list entries based on environment variables
+#
+while read -r ENTRY; do
+    # Skip comments or empty lines
+    if [[ -z $ENTRY || $ENTRY == \#* ]]; then
+        continue
+    fi
+    # Take first word
+    IDENTIFIER=$(echo "$ENTRY" | awk '{print $1}')
+    # Take second word
+    ENVIRONMENT_VARIABLE=$(echo "$ENTRY" | awk '{print $2}')
+    # Take the rest as description
+    DESCRIPTION=$(echo "$ENTRY" | awk '{for(i=3;i<=NF;++i) printf "%s%s", $i, (i<NF)?" ":""}')
+    # Build deny list entry
+    DENY_ENTRY=$(cat <<-END
+    {
+        "id": "$IDENTIFIER",
+        "description": "$DESCRIPTION",
+        "cmds": ["**/java"],
+        "args": [],
+        "envars": {
+            "$ENVIRONMENT_VARIABLE": null
+        }
+    }
+END
+    )
+    JSON=$(echo "$JSON" | jq ".deny += [$DENY_ENTRY]")
+done < denied-environment-variables.tsv
+
+log-json "$JSON"
+echo "$JSON" > requirements.json
diff --git a/metadata/denied-environment-variables.tsv b/metadata/denied-environment-variables.tsv
@@ -0,0 +1,3 @@
+# Identifier    EnvironmentVariable     Description
+apache_hbase    HBASE_HOME              Skip Apache HBase
+apache_hive     HIVE_HOME               Skip Apache Hive
diff --git a/metadata/denied-main-classes.tsv b/metadata/denied-main-classes.tsv
@@ -0,0 +1,8 @@
+# Identifier    MainClass   Description
+
+# Apache Lucene
+apache_lucene8_luke     org.apache.lucene.luke.app.desktop.LukeMain     Skip Lucene 8 Luke
+apache_lucene9_luke     org.apache.lucene.luke                          Skip Apache Netbeans
+
+# Apache Netbeans
+apache_netbeans         org.netbeans.Main                               Skip Apache Netbeans