From 66d7f4000e4e1961f3d728989ad5e45ed401abe3 Mon Sep 17 00:00:00 2001
From: Bruce Bujon
Date: Fri, 4 Oct 2024 06:53:02 +0200
Subject: [PATCH] feat: Add initial SSI deny list (#7568)
---
.gitlab-ci.yml | 7 +
.gitlab/prepare-oci-package.sh | 1 +
metadata/base-requirements.json | 82 +++++
metadata/build-requirements.sh | 84 +++++
metadata/denied-arguments.tsv | 33 ++
metadata/denied-environment-variables.tsv | 5 +
metadata/requirements-allow.json | 62 ++++
metadata/requirements-block.json | 201 +++++++++++
metadata/requirements.json | 419 ++++++++++++++++++++++
9 files changed, 894 insertions(+)
create mode 100644 metadata/base-requirements.json
create mode 100755 metadata/build-requirements.sh
create mode 100644 metadata/denied-arguments.tsv
create mode 100644 metadata/denied-environment-variables.tsv
create mode 100644 metadata/requirements-allow.json
create mode 100644 metadata/requirements-block.json
create mode 100644 metadata/requirements.json
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3f34f6fd49e..b46c81caaf0 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -203,6 +203,13 @@ deploy_artifacts_to_github: max: 2 when: always +requirements_json_test: + rules: + - when: on_success + variables: + REQUIREMENTS_BLOCK_JSON_PATH: "metadata/requirements-block.json" + REQUIREMENTS_ALLOW_JSON_PATH: "metadata/requirements-allow.json" + package-oci: needs: [ build ]
diff --git a/.gitlab/prepare-oci-package.sh b/.gitlab/prepare-oci-package.sh
index 38ae97ea950..8a7caea76c2 100755
--- a/.gitlab/prepare-oci-package.sh
+++ b/.gitlab/prepare-oci-package.sh
@@ -10,3 +10,4 @@ fi
 mkdir -p sources
 cp ../workspace/dd-java-agent/build/libs/*.jar sources/dd-java-agent.jar
 echo -n "$VERSION" > sources/version
+cp ../metadata/requirements.json sources/
diff --git a/metadata/base-requirements.json b/metadata/base-requirements.json
new file mode 100644
index 00000000000..2c43016231d
--- /dev/null
+++ b/metadata/base-requirements.json
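Review bot: `requirements_json_test` only validates the committed `metadata/requirements.json` against the two fixture files; nothing checks that this committed artifact is still what `metadata/build-requirements.sh` produces from `base-requirements.json` and the two TSVs, so a TSV edit without a rerun of the script ships a stale deny list through `prepare-oci-package.sh`. Add a drift check to this job or a sibling one, e.g. `script: - (cd metadata && ./build-requirements.sh)` followed by `- git diff --exit-code -- metadata/requirements.json`. The job carries no `script` or `extends` in this hunk, so its body presumably comes from an included template; confirm the two added `variables` are the names that template reads.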
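Review bot: The new `cp` packages `metadata/requirements.json` into the OCI artifact without checking that it parses, so a truncated or hand-edited file would only be noticed when the injector reads it on a target host. `jq` is already required by `metadata/build-requirements.sh`, so if it is available in the packaging image guard the copy with `jq empty ../metadata/requirements.json` on the line before `cp ../metadata/requirements.json sources/`. Whether this script runs under `set -e` so that the check actually aborts packaging is not visible in the hunk.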
@@ -0,0 +1,82 @@ +{ + "version": 1, + "deny": [ + { + "id": "unsupported_jvm", + "description": "Skip older JVMs", + "os": null, + "cmds": [ + "**/java-1.5*/**/java", + "**/java-1.6*/**/java", + "**/java-6*/**/java", + "**/java-7/**/java" + ], + "args": [], + "envars": null + }, + { + "id": "java8_version", + "description": "Skip java -version command", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "-version" + ], + "position": 1 + } + ], + "envars": null + }, + { + "id": "java_version", + "description": "Skip java --version command", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "--version" + ], + "position": 1 + } + ], + "envars": null + } + ], + "native_deps": { + "glibc": [ + { + "arch": "x86", + "supported": true + }, + { + "arch": "x64", + "supported": true + }, + { + "arch": "arm64", + "supported": true + } + ], + "musl": [ + { + "arch": "x86", + "supported": true + }, + { + "arch": "x64", + "supported": true + }, + { + "arch": "arm64", + "supported": true + } + ] + } +} \ No newline at end of file diff --git a/metadata/build-requirements.sh b/metadata/build-requirements.sh new file mode 100755 index 00000000000..3422e8d2a69 --- /dev/null +++ b/metadata/build-requirements.sh 
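Review bot: In `unsupported_jvm`, `**/java-7/**/java` has no trailing wildcard while its siblings do (`java-1.5*`, `java-1.6*`, `java-6*`), so a directory such as `java-7-openjdk-amd64` — the very path used in the `requirements-block.json` fixture — would not match if the segment is taken literally; use `**/java-7*/**/java`. The `-version` and `--version` rules key on `"position": 1`, so `java -Xmx1g -version` is not skipped; if that is intended, record it in the generating TSV or script header, since this JSON cannot carry comments. Whether `*` is a single-segment glob or also matches `/` is not visible in this patch, so the `**`/`*` semantics should be documented wherever the consumer of this file is defined.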
@@ -0,0 +1,84 @@ +#!/bin/bash +# +# This script builds the requirements.json file based on +# - the base-requirements.json as base file, +# - the denied-arguments.tsv as rules to exclude application from their arguments (main classes, System properties, application arguments), +# - the denied-environment-variables.tsv as rules to exclude applications from their exported environment variables. +# + +log-json() { + local JSON=$1 + echo "Logging JSON" + echo "$JSON" | jq +} + +# +# Initialize requirements from base file +# +JSON=$(cat base-requirements.json) + +# +# Append deny list entries based on arguments +# +while read -r ENTRY; do + # Skip comments or empty lines + if [[ -z $ENTRY || $ENTRY == \#* ]]; then + continue + fi + # Take first word + IDENTIFIER=$(echo "$ENTRY" | awk '{print $1}') + # Take second word + ARGUMENT=$(echo "$ENTRY" | awk '{print $2}') + # Take the rest as description + DESCRIPTION=$(echo "$ENTRY" | awk '{for(i=3;i<=NF;++i) printf "%s%s", $i, (i requirements.json diff --git a/metadata/denied-arguments.tsv b/metadata/denied-arguments.tsv new file mode 100644 index 00000000000..01614d77e2a --- /dev/null +++ b/metadata/denied-arguments.tsv 
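Review bot: The script has no `set -euo pipefail`, so if `cat base-requirements.json` or any `jq` step fails, `JSON` ends up empty or partial and the final `> requirements.json` redirect still overwrites the shipped deny list with that content. Add `set -euo pipefail` directly after the shebang and, because every path is relative, `cd "$(dirname "$0")"` so the script also works when invoked from the repository root as CI would. The middle of this hunk is not legible in this view (the `awk` expression is cut at `(i`), so the jq composition of the deny entries could not be reviewed here.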
@@ -0,0 +1,33 @@ +# Identifier Argument Description + +# Apache ActiveMQ Artemis +apache_activemq_artemis org.apache.activemq.artemis.boot.Artemis Skip Apache ActiveMQ Artemis + +# Apache Cassandra + +apache_cassandra org.apache.cassandra.service.CassandraDaemon Skip Apache Cassandra +apache_cassandra_debugcql org.apache.cassandra.transport.Client Skip Apache Cassandra debug-cql +apache_cassandra_nodetool org.apache.cassandra.tools.NodeTool Skip Apache Cassandra nodetool +apache_cassandra_sstableloader org.apache.cassandra.tools.BulkLoader Skip Apache Cassandra sstableloader +apache_cassandra_sstablescrub org.apache.cassandra.tools.StandaloneScrubber Skip Apache Cassandra stablescrub +apache_cassandra_sstableupgrade org.apache.cassandra.tools.StandaloneUpgrader Skip Apache Cassandra sstableupgrade +apache_cassandra_sstableutil org.apache.cassandra.tools.StandaloneSSTableUtil Skip Apache Cassandra sstableutil +apache_cassandra_sstableverify org.apache.cassandra.tools.StandaloneVerifier Skip Apache Cassandra sstableverify + +# Apache Lucene +apache_lucene8_luke org.apache.lucene.luke.app.desktop.LukeMain Skip Lucene 8 Luke +apache_lucene9_luke org.apache.lucene.luke Skip Apache Netbeans + +# Apache Netbeans +apache_netbeans org.netbeans.Main Skip Apache Netbeans + +# Apache Solr 8 +apache_solr8_start -Dsolr.solr.home=* Skip Apache Solr 8 start command using System Properties +apache_solr8_stop *solr/server/start.jar Skip Apache Solr 8 stop using path to jar +apache_solr8_tools org.apache.solr.util.SolrCLI Skip Apache Solr 8 CLI tools + +# Elastic Search 7+ +elasticsearch7 -Des.path.home=* Skip Elastic Search 7+ commands + +# Jetbrains IntelliJ IDEA +intellij_idea com.intellij.idea.Main Skip Jetbrains IntelliJ IDEA diff --git a/metadata/denied-environment-variables.tsv b/metadata/denied-environment-variables.tsv new file mode 100644 index 00000000000..556912ccf34 --- /dev/null +++ b/metadata/denied-environment-variables.tsv 
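Review bot: The description for `apache_lucene9_luke` is a copy-paste error — `org.apache.lucene.luke Skip Apache Netbeans` should read `Skip Apache Lucene 9 Luke` — and `apache_cassandra_sstablescrub` says `stablescrub` instead of `sstablescrub`; both typos are already baked into the generated `metadata/requirements.json` in this same patch. These descriptions are the only human-readable trace of why a process was left uninstrumented, so they should be exact. The header comment should also state that `Argument` is matched as a glob (entries such as `-Dsolr.solr.home=*` and `*solr/server/start.jar` rely on it) and must contain no whitespace, because the build script splits fields with `awk` on whitespace.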
@@ -0,0 +1,5 @@ +# Identifier EnvironmentVariable Description +apache_hbase HBASE_HOME Skip Apache HBase +apache_hadoop3 HADOOP_HOME Skip Apache Hadoop 3 +apache_hive HIVE_HOME Skip Apache Hive +apache_solr9 SOLR_PORT Skip Apache Solr 9 diff --git a/metadata/requirements-allow.json b/metadata/requirements-allow.json new file mode 100644 index 00000000000..1f157140cb1 --- /dev/null +++ b/metadata/requirements-allow.json @@ -0,0 +1,62 @@ +[ + { + "name": "should allow -version args if not java", + "filepath": "/usr/bin/notjava", + "args": [ + "notjava", + "-version" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + }, + { + "name": "should allow --version args if not java", + "filepath": "/usr/bin/notjava", + "args": [ + "notjava", + "--version" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + }, + { + "name": "should allow -version as application parameter", + "filepath": "/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java", + "args": [ + "java", + "-jar", + "app.jar", + "-version" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + }, + { + "name": "should allow --version as application parameter", + "filepath": "/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java", + "args": [ + "java", + "-jar", + "app.jar", + "--version" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + } +] \ No newline at end of file diff --git a/metadata/requirements-block.json b/metadata/requirements-block.json new file mode 100644 index 00000000000..54b0e78aacb --- /dev/null +++ b/metadata/requirements-block.json 
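Review bot: `apache_solr9 SOLR_PORT` denies on the mere presence of the variable (the generated rule is `"SOLR_PORT": null`), and `<NAME>_PORT` is exactly the shape of the service-link variables Kubernetes injects into every pod of a namespace that has a Service named `solr`, so unrelated Java workloads in such a namespace would silently lose instrumentation. Prefer a Solr-specific variable such as `SOLR_TIP` or `SOLR_INCLUDE` (both appear in the Solr 9 fixture in `requirements-block.json`), or a value pattern if the rule format supports one — the `null` values here suggest it may not. The `*_HOME` entries have similar breadth on shared data-platform hosts where `HADOOP_HOME` is exported system-wide; that trade-off deserves a line in the header comment.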
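Review bot: Every allow fixture has `"envars": []`, so the suite never proves that an environment-variable rule stays quiet for a non-matching environment, and an over-broad env rule would pass unnoticed. Add a fixture running `["java", "-jar", "app.jar"]` with `"envars": ["JAVA_HOME=/usr/lib/jvm/java-17", "SOLR_PORT_EXTRA=1"]` to pin exact-name matching, and one with a modern JDK path such as `/usr/lib/jvm/java-17-openjdk-amd64/bin/java` to confirm the `java-1.5*`/`java-7` globs do not over-match. Giving each fixture a unique `name` distinct from its block-side twin would also make a failing case easier to attribute.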
@@ -0,0 +1,201 @@ +[ + { + "name": "should block -version args", + "filepath": "/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java", + "args": [ + "java", + "-version" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + }, + { + "name": "should block -version args", + "filepath": "/home/user/workspace/java", + "args": [ + "java", + "-version" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + }, + { + "name": "should block --version args", + "filepath": "/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java", + "args": [ + "java", + "--version" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + }, + { + "name": "should block --version args", + "filepath": "/home/user/workspace/java", + "args": [ + "java", + "--version" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + }, + { + "name": "should block old java versions", + "filepath": "/usr/lib/jvm/java-1.5-openjdk-amd64/jre/bin/java", + "args": [ + "java", + "--version" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + }, + { + "name": "should block old java versions", + "filepath": "/usr/lib/jvm/java-1.6-openjdk-amd64/jre/bin/java", + "args": [ + "java", + "--version" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + }, + { + "name": "should block old java versions", + "filepath": "/usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java", + "args": [ + "java", + "--version" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + }, + { + "name": "should block old java versions", + "filepath": "/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java", + "args": [ + "java", + "--version" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + }, + { + "name": "should block based on main class", + 
"filepath": "/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java", + "args": [ + "java", + "-XX:+UseParallelGC", + "-XX:+AggressiveOpts", + "-XX:+UseFastAccessorMethods", + "-Xms512M", + "-Xmx1024M", + "-classpath", + "/var/home/artemis/lib/artemis-boot.jar", + "-Dartemis.home=/var/home/artemis", + "-Djava.library.path=/var/home/artemis/bin/lib/linux-x64", + "org.apache.activemq.artemis.boot.Artemis", + "queue", + "stat" + ], + "envars": [], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + }, + { + "name": "should block based on environment variables", + "filepath": "/usr/lib/jvm/java-17-openjdk-amd64/jre/bin/java", + "args": [ + "java", + "-server", + "-Xms512m", + "-Xmx512m", + "-XX:+UseG1GC", + "-XX:+PerfDisableSharedMem", + "-XX:+ParallelRefProcEnabled", + "-XX:MaxGCPauseMillis=250", + "-XX:+UseLargePages", + "-XX:+AlwaysPreTouch", + "-XX:+ExplicitGCInvokesConcurrent", + "-Xlog:gc*:file=/var/lib/solr-9.6.1/server/logs/solr_gc.log:time,uptime:filecount=9,filesize=20M", + "-Dsolr.jetty.inetaccess.includes= -Dsolr.jetty.inetaccess.excludes=", + "-DzkClientTimeout=30000", + "-DzkHost=localhost:9983", + "-Dsolr.log.dir=/var/lib/solr-9.6.1/server/logs", + "-Djetty.port=8984", + "-DSTOP.PORT=7984", + "-DSTOP.KEY=solrrocks ", + "-Dhost=localhost", + "-Duser.timezone=UTC", + "-XX:-OmitStackTraceInFastThrow", + "-XX:+CrashOnOutOfMemoryError ", + "-XX:ErrorFile=/var/lib/solr-9.6.1/server/logs/jvm_crash_%p.log", + "-Djetty.home=/var/lib/solr-9.6.1/server ", + "-Dsolr.solr.home=/var/lib/solr-9.6.1/server/solr", + "-Dsolr.install.dir=/var/lib/solr-9.6.1", + "-Dsolr.install.symDir=/var/lib/solr-9.6.1", + "-Dsolr.default.confdir=/var/lib/solr-9.6.1/server/solr/configsets/_default/conf", + "-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager", + "-Xss256k", + "-XX:CompileCommand=exclude,com.github.benmanes.caffeine.cache.BoundedLocalCache::put", + "-Djava.security.manager", + 
"-Djava.security.policy=/var/lib/solr-9.6.1/server/etc/security.policy", + "-Djava.security.properties=/var/lib/solr-9.6.1/server/etc/security.properties", + "-Dsolr.internal.network.permission=*", + "-DdisableAdminUI=false", + "-jar", + "start.jar", + "--module=http", + "--module=requestlog", + "--module=gzip" + ], + "envars": [ + "SOLR_INCLUDE=bin/solr.in.sh", + "SOLR_PORT=8984", + "SOLR_SCRIPT=bin/solr", + "SOLR_TIP=/var/lib/solr-9.6.1", + "SOLR_TIP_SYM=/var/lib/solr-9.6.1", + "SOLR_TOOL_HOST=localhost", + "SOLR_URL_SCHEME=http" + ], + "host": { + "os": "linux", + "arch": "x64", + "libc": "glibc:2.17" + } + } +] \ No newline at end of file diff --git a/metadata/requirements.json b/metadata/requirements.json new file mode 100644 index 00000000000..b353086cf51 --- /dev/null +++ b/metadata/requirements.json 
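Review bot: The four `should block old java versions` fixtures all pass `--version`, which the `java_version` rule already denies for any `**/java` path, so they pass even if every `unsupported_jvm` glob is wrong — and `**/java-7/**/java` does not literally match `java-7-openjdk-amd64`. Give them a non-denied argument list such as `["java", "-jar", "app.jar"]` so each fixture isolates the path rule. Likewise `should block based on environment variables` also carries `-Dsolr.solr.home=/var/lib/solr-9.6.1/server/solr`, which matches `apache_solr8_start`, so it does not isolate `SOLR_PORT`; drop that flag or use a non-Solr command line with the variable set. Several fixtures share the same `name`, which makes a failing case hard to identify in the test output.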
@@ -0,0 +1,419 @@ +{ + "version": 1, + "deny": [ + { + "id": "unsupported_jvm", + "description": "Skip older JVMs", + "os": null, + "cmds": [ + "**/java-1.5*/**/java", + "**/java-1.6*/**/java", + "**/java-6*/**/java", + "**/java-7/**/java" + ], + "args": [], + "envars": null + }, + { + "id": "java8_version", + "description": "Skip java -version command", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "-version" + ], + "position": 1 + } + ], + "envars": null + }, + { + "id": "java_version", + "description": "Skip java --version command", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "--version" + ], + "position": 1 + } + ], + "envars": null + }, + { + "id": "apache_activemq_artemis", + "description": "Skip Apache ActiveMQ Artemis", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.apache.activemq.artemis.boot.Artemis" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_cassandra", + "description": "Skip Apache Cassandra", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.apache.cassandra.service.CassandraDaemon" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_cassandra_debugcql", + "description": "Skip Apache Cassandra debug-cql", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.apache.cassandra.transport.Client" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_cassandra_nodetool", + "description": "Skip Apache Cassandra nodetool", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.apache.cassandra.tools.NodeTool" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_cassandra_sstableloader", + "description": "Skip Apache Cassandra sstableloader", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.apache.cassandra.tools.BulkLoader" + ], + "position": null + } + ], + "envars": null + 
}, + { + "id": "apache_cassandra_sstablescrub", + "description": "Skip Apache Cassandra stablescrub", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.apache.cassandra.tools.StandaloneScrubber" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_cassandra_sstableupgrade", + "description": "Skip Apache Cassandra sstableupgrade", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.apache.cassandra.tools.StandaloneUpgrader" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_cassandra_sstableutil", + "description": "Skip Apache Cassandra sstableutil", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.apache.cassandra.tools.StandaloneSSTableUtil" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_cassandra_sstableverify", + "description": "Skip Apache Cassandra sstableverify", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.apache.cassandra.tools.StandaloneVerifier" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_lucene8_luke", + "description": "Skip Lucene 8 Luke", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.apache.lucene.luke.app.desktop.LukeMain" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_lucene9_luke", + "description": "Skip Apache Netbeans", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.apache.lucene.luke" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_netbeans", + "description": "Skip Apache Netbeans", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.netbeans.Main" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_solr8_start", + "description": "Skip Apache Solr 8 start command using System Properties", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + 
"-Dsolr.solr.home=*" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_solr8_stop", + "description": "Skip Apache Solr 8 stop using path to jar", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "*solr/server/start.jar" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_solr8_tools", + "description": "Skip Apache Solr 8 CLI tools", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "org.apache.solr.util.SolrCLI" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "elasticsearch7", + "description": "Skip Elastic Search 7+ commands", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "-Des.path.home=*" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "intellij_idea", + "description": "Skip Jetbrains IntelliJ IDEA", + "os": null, + "cmds": [ + "**/java" + ], + "args": [ + { + "args": [ + "com.intellij.idea.Main" + ], + "position": null + } + ], + "envars": null + }, + { + "id": "apache_hbase", + "description": "Skip Apache HBase", + "os": null, + "cmds": [ + "**/java" + ], + "args": [], + "envars": { + "HBASE_HOME": null + } + }, + { + "id": "apache_hadoop3", + "description": "Skip Apache Hadoop 3", + "os": null, + "cmds": [ + "**/java" + ], + "args": [], + "envars": { + "HADOOP_HOME": null + } + }, + { + "id": "apache_hive", + "description": "Skip Apache Hive", + "os": null, + "cmds": [ + "**/java" + ], + "args": [], + "envars": { + "HIVE_HOME": null + } + }, + { + "id": "apache_solr9", + "description": "Skip Apache Solr 9", + "os": null, + "cmds": [ + "**/java" + ], + "args": [], + "envars": { + "SOLR_PORT": null + } + } + ], + "native_deps": { + "glibc": [ + { + "arch": "x86", + "supported": true + }, + { + "arch": "x64", + "supported": true + }, + { + "arch": "arm64", + "supported": true + } + ], + "musl": [ + { + "arch": "x86", + "supported": true + }, + { + "arch": "x64", + "supported": true + }, + { + "arch": 
"arm64", + "supported": true + } + ] + } +}