Enable Single Step Instrumentation Guardrails #7568

Merged
merged 1 commit into from
Oct 4, 2024
Merged
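--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -203,6 +203,13 @@ deploy_artifacts_to_github:
 max: 2
 when: always
 
+requirements_json_test:
+rules:
+- when: on_success
+variables:
+REQUIREMENTS_BLOCK_JSON_PATH: "metadata/requirements-block.json"
+REQUIREMENTS_ALLOW_JSON_PATH: "metadata/requirements-allow.json"
+
 package-oci:
 needs: [ build ]
 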
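--- a/.gitlab/prepare-oci-package.sh
+++ b/.gitlab/prepare-oci-package.sh
@@ -10,3 +10,4 @@ fi
 mkdir -p sources
 cp ../workspace/dd-java-agent/build/libs/*.jar sources/dd-java-agent.jar
 echo -n "$VERSION" > sources/version
+cp ../metadata/requirements.json sources/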
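Review bot: The added `cp ../metadata/requirements.json sources/` packages a file that, as far as this view of the PR shows, is produced by metadata/build-requirements.sh from base-requirements.json and the two .tsv lists, yet no visible pipeline step runs that script before packaging. If requirements.json is instead a committed artifact, the shipped deny list can silently drift from its sources; a CI step that regenerates it and fails on `git diff --exit-code metadata/requirements.json` would pin the two together. The beginning of the enclosing script is outside the hunk.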
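--- a/metadata/base-requirements.json
+++ b/metadata/base-requirements.json
@@ -0,0 +1,82 @@
+{
+"version": 1,
+"deny": [
+{
+"id": "unsupported_jvm",
+"description": "Skip older JVMs",
+"os": null,
+"cmds": [
+"**/java-1.5*/**/java",
+"**/java-1.6*/**/java",
+"**/java-6*/**/java",
+"**/java-7/**/java"
+],
+"args": [],
+"envars": null
+},
+{
+"id": "java8_version",
+"description": "Skip java -version command",
+"os": null,
+"cmds": [
+"**/java"
+],
+"args": [
+{
+"args": [
+"-version"
+],
+"position": 1
+}
+],
+"envars": null
+},
+{
+"id": "java_version",
+"description": "Skip java --version command",
+"os": null,
+"cmds": [
+"**/java"
+],
+"args": [
+{
+"args": [
+"--version"
+],
+"position": 1
+}
+],
+"envars": null
+}
+],
+"native_deps": {
+"glibc": [
+{
+"arch": "x86",
+"supported": true
+},
+{
+"arch": "x64",
+"supported": true
+},
+{
+"arch": "arm64",
+"supported": true
+}
+],
+"musl": [
+{
+"arch": "x86",
+"supported": true
+},
+{
+"arch": "x64",
+"supported": true
+},
+{
+"arch": "arm64",
+"supported": true
+}
+]
+}
+}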
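Review bot: The `cmds` patterns of the `unsupported_jvm` entry are inconsistent across versions: Java 5 and 6 are matched as `**/java-1.5*/**/java` and `**/java-1.6*/**/java` (plus `**/java-6*/**/java`), whereas Java 7 has only `**/java-7/**/java`, with no `java-1.7*` form and no trailing `*`, so an install directory named in either of the other styles would not be denied if excluding Java 7 by path is the intent. If it is, `"**/java-1.7*/**/java"` and `"**/java-7*/**/java"` mirror the older entries. JSON has no comments, so the `description` field ("Skip older JVMs") is the place to state which major versions the list is meant to cover, e.g. `"description": "Skip JVMs older than Java 8 by install path"`.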
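--- a/metadata/build-requirements.sh
+++ b/metadata/build-requirements.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+#
+# This script builds the requirements.json file based on
+# - the base-requirements.json as base file,
+# - the denied-arguments.tsv as rules to exclude application from their arguments (main classes, System properties, application arguments),
+# - the denied-environment-variables.tsv as rules to exclude applications from their exported environment variables.
+#
+
+log-json() {
+local JSON=$1
+echo "Logging JSON"
+echo "$JSON" | jq
+}
+
+#
+# Initialize requirements from base file
+#
+JSON=$(cat base-requirements.json)
+
+#
+# Append deny list entries based on arguments
+#
+while read -r ENTRY; do
+# Skip comments or empty lines
+if [[ -z $ENTRY || $ENTRY == \#* ]]; then
+continue
+fi
+# Take first word
+IDENTIFIER=$(echo "$ENTRY" | awk '{print $1}')
+# Take second word
+ARGUMENT=$(echo "$ENTRY" | awk '{print $2}')
+# Take the rest as description
+DESCRIPTION=$(echo "$ENTRY" | awk '{for(i=3;i<=NF;++i) printf "%s%s", $i, (i<NF)?" ":""}')
+# Build deny list entry
+DENY_ENTRY=$(cat <<-END
+{
+"id": "$IDENTIFIER",
+"description": "$DESCRIPTION",
+"os": null,
+"cmds": ["**/java"],
+"args": [{
+"args": ["$ARGUMENT"],
+"position": null
+}],
+"envars": null
+}
+END
+)
+JSON=$(echo "$JSON" | jq ".deny += [$DENY_ENTRY]")
+done < denied-arguments.tsv
+
+#
+# Append deny list entries based on environment variables
+#
+while read -r ENTRY; do
+# Skip comments or empty lines
+if [[ -z $ENTRY || $ENTRY == \#* ]]; then
+continue
+fi
+# Take first word
+IDENTIFIER=$(echo "$ENTRY" | awk '{print $1}')
+# Take second word
+ENVIRONMENT_VARIABLE=$(echo "$ENTRY" | awk '{print $2}')
+# Take the rest as description
+DESCRIPTION=$(echo "$ENTRY" | awk '{for(i=3;i<=NF;++i) printf "%s%s", $i, (i<NF)?" ":""}')
+# Build deny list entry
+DENY_ENTRY=$(cat <<-END
+{
+"id": "$IDENTIFIER",
+"description": "$DESCRIPTION",
+"os": null,
+"cmds": ["**/java"],
+"args": [],
+"envars": {
+"$ENVIRONMENT_VARIABLE": null
+}
+}
+END
+)
+JSON=$(echo "$JSON" | jq ".deny += [$DENY_ENTRY]")
+done < denied-environment-variables.tsv
+
+log-json "$JSON"
+echo "$JSON" > requirements.json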
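Review bot: Both loops splice the TSV fields into the jq program as text (`jq ".deny += [$DENY_ENTRY]"`) after assembling `DENY_ENTRY` by plain here-doc interpolation, so a `"`, `\` or `$` in a description or argument yields an invalid filter; and because the script never sets `set -e`, the failed `$(...)` leaves `JSON` empty, every later iteration runs jq on empty input, and the final `echo "$JSON" > requirements.json` writes an empty file while the script exits 0. Passing the fields with `jq --arg` keeps them as JSON strings whatever they contain and moves the entry construction into the filter, and `set -euo pipefail` after the shebang turns a jq failure into a hard error instead of a silently empty artifact. Using `IFS= read -r ENTRY || [[ -n "$ENTRY" ]]` also keeps a last TSV row that lacks a trailing newline. The environment-variable loop needs the same change with `--arg env "$ENVIRONMENT_VARIABLE"` and `envars: {($env): null}`.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: header comment, log-json, JSON initialisation …

while IFS= read -r ENTRY || [[ -n "$ENTRY" ]]; do
  # … unchanged: comment/empty-line skip, IDENTIFIER / ARGUMENT / DESCRIPTION extraction …
  JSON=$(jq --arg id "$IDENTIFIER" --arg desc "$DESCRIPTION" --arg arg "$ARGUMENT" \
    '.deny += [{id: $id, description: $desc, os: null, cmds: ["**/java"],
                args: [{args: [$arg], position: null}], envars: null}]' <<<"$JSON")
done < denied-arguments.tsv
# … unchanged: environment-variable loop (same --arg treatment), log-json, output …
```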
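--- a/metadata/denied-arguments.tsv
+++ b/metadata/denied-arguments.tsv
@@ -0,0 +1,33 @@
+# Identifier Argument Description
+
+# Apache ActiveMQ Artemis
+apache_activemq_artemis org.apache.activemq.artemis.boot.Artemis Skip Apache ActiveMQ Artemis
+
+# Apache Cassandra
+
+apache_cassandra org.apache.cassandra.service.CassandraDaemon Skip Apache Cassandra
+apache_cassandra_debugcql org.apache.cassandra.transport.Client Skip Apache Cassandra debug-cql
+apache_cassandra_nodetool org.apache.cassandra.tools.NodeTool Skip Apache Cassandra nodetool
+apache_cassandra_sstableloader org.apache.cassandra.tools.BulkLoader Skip Apache Cassandra sstableloader
+apache_cassandra_sstablescrub org.apache.cassandra.tools.StandaloneScrubber Skip Apache Cassandra stablescrub
+apache_cassandra_sstableupgrade org.apache.cassandra.tools.StandaloneUpgrader Skip Apache Cassandra sstableupgrade
+apache_cassandra_sstableutil org.apache.cassandra.tools.StandaloneSSTableUtil Skip Apache Cassandra sstableutil
+apache_cassandra_sstableverify org.apache.cassandra.tools.StandaloneVerifier Skip Apache Cassandra sstableverify
+
+# Apache Lucene
+apache_lucene8_luke org.apache.lucene.luke.app.desktop.LukeMain Skip Lucene 8 Luke
+apache_lucene9_luke org.apache.lucene.luke Skip Apache Netbeans
+
+# Apache Netbeans
+apache_netbeans org.netbeans.Main Skip Apache Netbeans
+
+# Apache Solr 8
+apache_solr8_start -Dsolr.solr.home=* Skip Apache Solr 8 start command using System Properties
+apache_solr8_stop *solr/server/start.jar Skip Apache Solr 8 stop using path to jar
+apache_solr8_tools org.apache.solr.util.SolrCLI Skip Apache Solr 8 CLI tools
+
+# Elastic Search 7+
+elasticsearch7 -Des.path.home=* Skip Elastic Search 7+ commands
+
+# Jetbrains IntelliJ IDEA
+intellij_idea com.intellij.idea.Main Skip Jetbrains IntelliJ IDEA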
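Review bot: The `apache_lucene9_luke` row carries the description `Skip Apache Netbeans`, apparently copied from the Netbeans row below it, and should read `Skip Apache Lucene 9 Luke`; the `apache_cassandra_sstablescrub` row likewise says `stablescrub` for `sstablescrub`. build-requirements.sh copies the description verbatim into the `description` field of the generated requirements.json, so both slips end up in the shipped deny list. Separately, `org.apache.lucene.luke` is a package prefix rather than a main class like every other row, so whether it matches depends on how the consumer compares `args` entries (exact or pattern); worth confirming, or using the full main-class name as the Lucene 8 row does.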
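--- a/metadata/denied-environment-variables.tsv
+++ b/metadata/denied-environment-variables.tsv
@@ -0,0 +1,5 @@
+# Identifier EnvironmentVariable Description
+apache_hbase HBASE_HOME Skip Apache HBase
+apache_hadoop3 HADOOP_HOME Skip Apache Hadoop 3
+apache_hive HIVE_HOME Skip Apache Hive
+apache_solr9 SOLR_PORT Skip Apache Solr 9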
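Review bot: Each row becomes a deny entry of the form `"envars": {"NAME": null}` for any `**/java` command, which presumably matches on the variable being present with any value, so `HADOOP_HOME`, `HIVE_HOME` and `HBASE_HOME` — commonly exported globally in shells and images that carry Hadoop tooling — would also exclude unrelated Java applications launched from that environment, not just the Hadoop, Hive and HBase daemons themselves. If a narrower scope is intended, combining the variable with the daemon's main class in `args`, or with a value pattern, limits the effect; at minimum the header comment could state that a match is on presence alone, e.g. `# Identifier EnvironmentVariable Description (a process is denied when the variable is set, whatever its value)`. The `SOLR_PORT` row raises the same question for anything started from a Solr-configured shell.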
62 changes: 62 additions & 0 deletions metadata/requirements-allow.json
@@ -0,0 +1,62 @@
[
{
"name": "should allow -version args if not java",
"filepath": "/usr/bin/notjava",
"args": [
"notjava",
"-version"
],
"envars": [],
"host": {
"os": "linux",
"arch": "x64",
"libc": "glibc:2.17"
}
},
{
"name": "should allow --version args if not java",
"filepath": "/usr/bin/notjava",
"args": [
"notjava",
"--version"
],
"envars": [],
"host": {
"os": "linux",
"arch": "x64",
"libc": "glibc:2.17"
}
},
{
"name": "should allow -version as application parameter",
"filepath": "/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java",
"args": [
"java",
"-jar",
"app.jar",
"-version"
],
"envars": [],
"host": {
"os": "linux",
"arch": "x64",
"libc": "glibc:2.17"
}
},
{
"name": "should allow --version as application parameter",
"filepath": "/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java",
"args": [
"java",
"-jar",
"app.jar",
"--version"
],
"envars": [],
"host": {
"os": "linux",
"arch": "x64",
"libc": "glibc:2.17"
}
}
]