feat: Add initial SSI deny list (#7568)

DataDog · Oct 4, 2024 · 66d7f40 · 66d7f40
1 parent 85b316b
commit 66d7f40
Show file tree

Hide file tree

Showing 9 changed files with 894 additions and 0 deletions.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -203,6 +203,13 @@ deploy_artifacts_to_github:
     max: 2
     when: always
 
+requirements_json_test:
+  rules:
+    - when: on_success
+  variables:
+    REQUIREMENTS_BLOCK_JSON_PATH: "metadata/requirements-block.json"
+    REQUIREMENTS_ALLOW_JSON_PATH: "metadata/requirements-allow.json"
+
 package-oci:
   needs: [ build ]
 

diff --git a/.gitlab/prepare-oci-package.sh b/.gitlab/prepare-oci-package.sh
@@ -10,3 +10,4 @@ fi
 mkdir -p sources
 cp ../workspace/dd-java-agent/build/libs/*.jar sources/dd-java-agent.jar
 echo -n "$VERSION" > sources/version
+cp ../metadata/requirements.json sources/
diff --git a/metadata/base-requirements.json b/metadata/base-requirements.json
@@ -0,0 +1,82 @@
+{
+  "version": 1,
+  "deny": [
+    {
+      "id": "unsupported_jvm",
+      "description": "Skip older JVMs",
+      "os": null,
+      "cmds": [
+        "**/java-1.5*/**/java",
+        "**/java-1.6*/**/java",
+        "**/java-6*/**/java",
+        "**/java-7/**/java"
+      ],
+      "args": [],
+      "envars": null
+    },
+    {
+      "id": "java8_version",
+      "description": "Skip java -version command",
+      "os": null,
+      "cmds": [
+        "**/java"
+      ],
+      "args": [
+        {
+          "args": [
+            "-version"
+          ],
+          "position": 1
+        }
+      ],
+      "envars": null
+    },
+    {
+      "id": "java_version",
+      "description": "Skip java --version command",
+      "os": null,
+      "cmds": [
+        "**/java"
+      ],
+      "args": [
+        {
+          "args": [
+            "--version"
+          ],
+          "position": 1
+        }
+      ],
+      "envars": null
+    }
+  ],
+  "native_deps": {
+    "glibc": [
+      {
+        "arch": "x86",
+        "supported": true
+      },
+      {
+        "arch": "x64",
+        "supported": true
+      },
+      {
+        "arch": "arm64",
+        "supported": true
+      }
+    ],
+    "musl": [
+      {
+        "arch": "x86",
+        "supported": true
+      },
+      {
+        "arch": "x64",
+        "supported": true
+      },
+      {
+        "arch": "arm64",
+        "supported": true
+      }
+    ]
+  }
+}
diff --git a/metadata/build-requirements.sh b/metadata/build-requirements.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+#
+# This script builds the requirements.json file based on
+# - the base-requirements.json as base file,
+# - the denied-arguments.tsv as rules to exclude application from their arguments (main classes, System properties, application arguments),
+# - the denied-environment-variables.tsv as rules to exclude applications from their exported environment variables.
+#
+
+log-json() {
+    local JSON=$1
+    echo "Logging JSON"
+    echo "$JSON" | jq
+}
+
+#
+# Initialize requirements from base file
+#
+JSON=$(cat base-requirements.json)
+
+#
+# Append deny list entries based on arguments
+#
+while read -r ENTRY; do
+    # Skip comments or empty lines
+    if [[ -z $ENTRY || $ENTRY == \#* ]]; then
+        continue
+    fi
+    # Take first word
+    IDENTIFIER=$(echo "$ENTRY" | awk '{print $1}')
+    # Take second word
+    ARGUMENT=$(echo "$ENTRY" | awk '{print $2}')
+    # Take the rest as description
+    DESCRIPTION=$(echo "$ENTRY" | awk '{for(i=3;i<=NF;++i) printf "%s%s", $i, (i<NF)?" ":""}')
+    # Build deny list entry
+    DENY_ENTRY=$(cat <<-END
+    {
+        "id": "$IDENTIFIER",
+        "description": "$DESCRIPTION",
+        "os": null,
+        "cmds": ["**/java"],
+        "args": [{
+          "args": ["$ARGUMENT"],
+          "position": null
+        }],
+        "envars": null
+    }
+END
+    )
+    JSON=$(echo "$JSON" | jq ".deny += [$DENY_ENTRY]")
+done < denied-arguments.tsv
+
+#
+# Append deny list entries based on environment variables
+#
+while read -r ENTRY; do
+    # Skip comments or empty lines
+    if [[ -z $ENTRY || $ENTRY == \#* ]]; then
+        continue
+    fi
+    # Take first word
+    IDENTIFIER=$(echo "$ENTRY" | awk '{print $1}')
+    # Take second word
+    ENVIRONMENT_VARIABLE=$(echo "$ENTRY" | awk '{print $2}')
+    # Take the rest as description
+    DESCRIPTION=$(echo "$ENTRY" | awk '{for(i=3;i<=NF;++i) printf "%s%s", $i, (i<NF)?" ":""}')
+    # Build deny list entry
+    DENY_ENTRY=$(cat <<-END
+    {
+        "id": "$IDENTIFIER",
+        "description": "$DESCRIPTION",
+        "os": null,
+        "cmds": ["**/java"],
+        "args": [],
+        "envars": {
+            "$ENVIRONMENT_VARIABLE": null
+        }
+    }
+END
+    )
+    JSON=$(echo "$JSON" | jq ".deny += [$DENY_ENTRY]")
+done < denied-environment-variables.tsv
+
+log-json "$JSON"
+echo "$JSON" > requirements.json
diff --git a/metadata/denied-arguments.tsv b/metadata/denied-arguments.tsv
@@ -0,0 +1,33 @@
+# Identifier                    Argument                                            Description
+
+# Apache ActiveMQ Artemis
+apache_activemq_artemis         org.apache.activemq.artemis.boot.Artemis            Skip Apache ActiveMQ Artemis
+
+# Apache Cassandra
+
+apache_cassandra                org.apache.cassandra.service.CassandraDaemon        Skip Apache Cassandra
+apache_cassandra_debugcql       org.apache.cassandra.transport.Client               Skip Apache Cassandra debug-cql
+apache_cassandra_nodetool       org.apache.cassandra.tools.NodeTool                 Skip Apache Cassandra nodetool
+apache_cassandra_sstableloader  org.apache.cassandra.tools.BulkLoader               Skip Apache Cassandra sstableloader
+apache_cassandra_sstablescrub   org.apache.cassandra.tools.StandaloneScrubber       Skip Apache Cassandra stablescrub
+apache_cassandra_sstableupgrade org.apache.cassandra.tools.StandaloneUpgrader       Skip Apache Cassandra sstableupgrade
+apache_cassandra_sstableutil    org.apache.cassandra.tools.StandaloneSSTableUtil    Skip Apache Cassandra sstableutil
+apache_cassandra_sstableverify  org.apache.cassandra.tools.StandaloneVerifier       Skip Apache Cassandra sstableverify
+
+# Apache Lucene
+apache_lucene8_luke             org.apache.lucene.luke.app.desktop.LukeMain         Skip Lucene 8 Luke
+apache_lucene9_luke             org.apache.lucene.luke                              Skip Apache Netbeans
+
+# Apache Netbeans
+apache_netbeans                 org.netbeans.Main                                   Skip Apache Netbeans
+
+# Apache Solr 8
+apache_solr8_start              -Dsolr.solr.home=*                                  Skip Apache Solr 8 start command using System Properties
+apache_solr8_stop               *solr/server/start.jar                              Skip Apache Solr 8 stop using path to jar
+apache_solr8_tools              org.apache.solr.util.SolrCLI                        Skip Apache Solr 8 CLI tools
+
+# Elastic Search 7+
+elasticsearch7                  -Des.path.home=*                                    Skip Elastic Search 7+ commands
+
+# Jetbrains IntelliJ IDEA
+intellij_idea                   com.intellij.idea.Main                              Skip Jetbrains IntelliJ IDEA
diff --git a/metadata/denied-environment-variables.tsv b/metadata/denied-environment-variables.tsv
@@ -0,0 +1,5 @@
+# Identifier    EnvironmentVariable     Description
+apache_hbase    HBASE_HOME              Skip Apache HBase
+apache_hadoop3  HADOOP_HOME             Skip Apache Hadoop 3
+apache_hive     HIVE_HOME               Skip Apache Hive
+apache_solr9    SOLR_PORT               Skip Apache Solr 9
diff --git a/metadata/requirements-allow.json b/metadata/requirements-allow.json
@@ -0,0 +1,62 @@
+[
+    {
+        "name": "should allow -version args if not java",
+        "filepath": "/usr/bin/notjava",
+        "args": [
+            "notjava",
+            "-version"
+        ],
+        "envars": [],
+        "host": {
+            "os": "linux",
+            "arch": "x64",
+            "libc": "glibc:2.17"
+        }
+    },
+    {
+        "name": "should allow --version args if not java",
+        "filepath": "/usr/bin/notjava",
+        "args": [
+            "notjava",
+            "--version"
+        ],
+        "envars": [],
+        "host": {
+            "os": "linux",
+            "arch": "x64",
+            "libc": "glibc:2.17"
+        }
+    },
+    {
+        "name": "should allow -version as application parameter",
+        "filepath": "/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java",
+        "args": [
+            "java",
+            "-jar",
+            "app.jar",
+            "-version"
+        ],
+        "envars": [],
+        "host": {
+            "os": "linux",
+            "arch": "x64",
+            "libc": "glibc:2.17"
+        }
+    },
+    {
+        "name": "should allow --version as application parameter",
+        "filepath": "/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java",
+        "args": [
+            "java",
+            "-jar",
+            "app.jar",
+            "--version"
+        ],
+        "envars": [],
+        "host": {
+            "os": "linux",
+            "arch": "x64",
+            "libc": "glibc:2.17"
+        }
+    }
+]