newrelic_rpm 9.12.0 → 9.17.0

data/lib/new_relic/agent/configuration/default_source.rb

@@ -35,6 +35,15 @@ module NewRelic
       end
 
       class DefaultSource
+        BOOLEAN_MAP = {
+          'true' => true,
+          'yes' => true,
+          'on' => true,
+          'false' => false,
+          'no' => false,
+          'off' => false
+        }.freeze
+
         attr_reader :defaults
 
         extend Forwardable
@@ -64,6 +73,12 @@ module NewRelic
           value_from_defaults(key, :allowlist)
         end
 
+        def self.boolean_for(key, value)
+          string_value = (value.respond_to?(:call) ? value.call : value).to_s
+
+          BOOLEAN_MAP.fetch(string_value, nil)
+        end
+
         def self.default_for(key)
           value_from_defaults(key, :default)
         end
@@ -124,14 +139,16 @@ module NewRelic
               case Rails::VERSION::MAJOR
               when 3
                 :rails3
-              when 4..7
+              when 4..8
                 :rails_notifications
               else
                 ::NewRelic::Agent.logger.warn("Detected untested Rails version #{Rails::VERSION::STRING}")
                 :rails_notifications
               end
+            when defined?(::Padrino) && defined?(::Padrino::PathRouter::Router) then :padrino
             when defined?(::Sinatra) && defined?(::Sinatra::Base) then :sinatra
             when defined?(::Roda) then :roda
+            when defined?(::Grape) then :grape
             when defined?(::NewRelic::IA) then :external
             else :ruby
             end
@@ -410,6 +427,7 @@ module NewRelic
           :public => true,
           :type => String,
           :allowed_from_server => false,
+          :exclude_from_reported_settings => true,
           :description => 'Your New Relic <InlinePopover type="userKey" />. Required when using the New Relic REST API v2 to record deployments using the `newrelic deployments` command.'
         },
         :backport_fast_active_record_connection_lookup => {
@@ -425,7 +443,7 @@ module NewRelic
           :public => true,
           :type => String,
           :allowed_from_server => false,
-          :description => "Manual override for the path to your local CA bundle. This CA bundle will be used to validate the SSL certificate presented by New Relic's data collection service."
+          :description => "Manual override for the path to your local CA bundle. This CA bundle validates the SSL certificate presented by New Relic's data collection service."
         },
         :capture_memcache_keys => {
           :default => false,
@@ -454,6 +472,14 @@ module NewRelic
           :allowed_from_server => false,
           :description => 'If `true`, the agent will clear `Tracer::State` in `Agent.drop_buffered_data`.'
         },
+        :'cloud.aws.account_id' => {
+          :default => nil,
+          :public => true,
+          :type => String,
+          :allow_nil => true,
+          :allowed_from_server => false,
+          :description => 'The AWS account ID for the AWS account associated with this app'
+        },
         :config_path => {
           :default => DefaultSource.config_path,
           :public => true,
@@ -620,7 +646,7 @@ module NewRelic
           :public => true,
           :type => Boolean,
           :allowed_from_server => true,
-          :description => 'If `true`, enables the collection of explain plans in transaction traces. This setting will also apply to explain plans in slow SQL traces if [`slow_sql.explain_enabled`](#slow_sql-explain_enabled) is not set separately.'
+          :description => "If `true`, enables the collection of explain plans in transaction traces. This setting will also apply to explain plans in slow SQL traces if [`slow_sql.explain_enabled`](#slow_sql-explain_enabled) isn't set separately."
         },
         :'transaction_tracer.explain_threshold' => {
           :default => 0.5,
@@ -832,7 +858,7 @@ module NewRelic
           :description => <<~DESCRIPTION
             Sets the minimum level a log event must have to be forwarded to New Relic.
 
-            This is based on the integer values of Ruby's `Logger::Severity` constants: https://github.com/ruby/ruby/blob/master/lib/logger/severity.rb
+            This is based on the integer values of [Ruby's `Logger::Severity` constants](https://github.com/ruby/logger/blob/113b82a06b3076b93a71cd467e1605b23afb3088/lib/logger/severity.rb).
 
             The intention is to forward logs with the level given to the configuration, as well as any logs with a higher level of severity.
 
@@ -855,6 +881,21 @@ module NewRelic
           :allowed_from_server => false,
           :description => 'A hash with key/value pairs to add as custom attributes to all log events forwarded to New Relic. If sending using an environment variable, the value must be formatted like: "key1=value1,key2=value2"'
         },
+        :'application_logging.forwarding.labels.enabled' => {
+          :default => false,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, the agent attaches [labels](https://docs.newrelic.com/docs/apm/agents/ruby-agent/configuration/ruby-agent-configuration/#labels) to log records.'
+        },
+        :'application_logging.forwarding.labels.exclude' => {
+          :default => [],
+          :public => true,
+          :type => Array,
+          :transform => DefaultSource.method(:convert_to_list),
+          :allowed_from_server => false,
+          :description => 'A case-insensitive array or comma-delimited string containing the labels to exclude from log records.'
+        },
         :'application_logging.forwarding.max_samples_stored' => {
           :default => 10000,
           :public => true,
@@ -1135,6 +1176,56 @@ module NewRelic
           :allowed_from_server => false,
           :description => 'If `false`, custom attributes will not be sent on events.'
         },
+        :automatic_custom_instrumentation_method_list => {
+          :default => NewRelic::EMPTY_ARRAY,
+          :public => true,
+          :type => Array,
+          :allowed_from_server => false,
+          :transform => proc { |arr| NewRelic::Agent.add_automatic_method_tracers(arr) },
+          :description => <<~DESCRIPTION
+            An array of `CLASS#METHOD` (for instance methods) and/or `CLASS.METHOD` (for class methods) strings representing Ruby methods that the agent can automatically add custom instrumentation to. This doesn't require any modifications of the source code that defines the methods.
+
+            Use fully qualified class names (using the `::` delimiter) that include any module or class namespacing.
+
+            Here is some Ruby source code that defines a `render_png` instance method for an `Image` class and a `notify` class method for a `User` class, both within a `MyCompany` module namespace:
+
+            ```rb
+            module MyCompany
+              class Image
+                def render_png
+                  # code to render a PNG
+                end
+              end
+
+              class User
+                def self.notify
+                  # code to notify users
+                end
+              end
+            end
+            ```
+
+            Given that source code, the `newrelic.yml` config file might request instrumentation for both of these methods like so:
+
+            ```yaml
+            automatic_custom_instrumentation_method_list:
+              - MyCompany::Image#render_png
+              - MyCompany::User.notify
+            ```
+
+            That configuration example uses YAML array syntax to specify both methods. Alternatively, you can use a comma-delimited string:
+
+            ```yaml
+            automatic_custom_instrumentation_method_list: 'MyCompany::Image#render_png, MyCompany::User.notify'
+            ```
+
+            Whitespace around the comma(s) in the list is optional. When configuring the agent with a list of methods via the `NEW_RELIC_AUTOMATIC_CUSTOM_INSTRUMENTATION_METHOD_LIST` environment variable, use this comma-delimited string format:
+
+            ```sh
+            export NEW_RELIC_AUTOMATIC_CUSTOM_INSTRUMENTATION_METHOD_LIST='MyCompany::Image#render_png, MyCompany::User.notify'
+            ```
+          DESCRIPTION
+        },
         # Custom events
         :'custom_insights_events.enabled' => {
           :default => true,
@@ -1149,9 +1240,10 @@ module NewRelic
           :type => Integer,
           :allowed_from_server => true,
           :dynamic_name => true,
+          # Keep the extra two-space indent before the second bullet to appease translation tool
           :description => <<~DESC
             * Specify a maximum number of custom events to buffer in memory at a time.
-            * When configuring the agent for [AI monitoring](/docs/ai-monitoring/intro-to-ai-monitoring), \
+              * When configuring the agent for [AI monitoring](/docs/ai-monitoring/intro-to-ai-monitoring), \
             set to max value `100000`. This ensures the agent captures the maximum amount of LLM events.
           DESC
         },
@@ -1218,6 +1310,7 @@ module NewRelic
           :default => false,
           :public => true,
           :type => Boolean,
+          :aliases => %i[disable_active_job],
           :allowed_from_server => false,
           :description => 'If `true`, disables Active Job instrumentation.'
         },
@@ -1460,6 +1553,58 @@ module NewRelic
           :allowed_from_server => false,
           :description => 'Controls auto-instrumentation of bunny at start-up. May be one of: `auto`, `prepend`, `chain`, `disabled`.'
         },
+        :'instrumentation.aws_sdk_firehose' => {
+          :default => 'auto',
+          :documentation_default => 'auto',
+          :public => true,
+          :type => String,
+          :dynamic_name => true,
+          :allowed_from_server => false,
+          :description => 'Controls auto-instrumentation of the aws-sdk-firehose library at start-up. May be one of `auto`, `prepend`, `chain`, `disabled`.'
+        },
+        :'instrumentation.aws_sdk_lambda' => {
+          :default => 'auto',
+          :documentation_default => 'auto',
+          :public => true,
+          :type => String,
+          :dynamic_name => true,
+          :allowed_from_server => false,
+          :description => 'Controls auto-instrumentation of the aws_sdk_lambda library at start-up. May be one of `auto`, `prepend`, `chain`, `disabled`.'
+        },
+        :'instrumentation.aws_sdk_kinesis' => {
+          :default => 'auto',
+          :documentation_default => 'auto',
+          :public => true,
+          :type => String,
+          :dynamic_name => true,
+          :allowed_from_server => false,
+          :description => 'Controls auto-instrumentation of the aws-sdk-kinesis library at start-up. May be one of `auto`, `prepend`, `chain`, `disabled`.'
+        },
+        :'instrumentation.ruby_kafka' => {
+          :default => 'auto',
+          :public => true,
+          :type => String,
+          :dynamic_name => true,
+          :allowed_from_server => false,
+          :description => 'Controls auto-instrumentation of the ruby-kafka library at start-up. May be one of `auto`, `prepend`, `chain`, `disabled`.'
+        },
+        :'instrumentation.opensearch' => {
+          :default => 'auto',
+          :documentation_default => 'auto',
+          :public => true,
+          :type => String,
+          :dynamic_name => true,
+          :allowed_from_server => false,
+          :description => 'Controls auto-instrumentation of the opensearch-ruby library at start-up. May be one of `auto`, `prepend`, `chain`, `disabled`.'
+        },
+        :'instrumentation.rdkafka' => {
+          :default => 'auto',
+          :public => true,
+          :type => String,
+          :dynamic_name => true,
+          :allowed_from_server => false,
+          :description => 'Controls auto-instrumentation of the rdkafka library at start-up. May be one of `auto`, `prepend`, `chain`, `disabled`.'
+        },
         :'instrumentation.aws_sqs' => {
           :default => 'auto',
           :public => true,
@@ -1785,7 +1930,7 @@ module NewRelic
           :description => <<~DESCRIPTION
             An array of strings to specify which keys inside a Stripe event's `user_data` hash should be reported
             to New Relic. Each string in this array will be turned into a regular expression via `Regexp.new` to
-            permit advanced matching. Setting the value to `["."]` will report all `user_data`.
+            enable advanced matching. Setting the value to `["."]` will report all `user_data`.
           DESCRIPTION
         },
         :'stripe.user_data.exclude' => {
@@ -1798,9 +1943,9 @@ module NewRelic
           :description => <<~DESCRIPTION
             An array of strings to specify which keys and/or values inside a Stripe event's `user_data` hash should
             not be reported to New Relic. Each string in this array will be turned into a regular expression via
-            `Regexp.new` to permit advanced matching. For each hash pair, if either the key or value is matched the
-            pair will not be reported. By default, no `user_data` is reported, so this option should only be used if
-            the `stripe.user_data.include` option is being used.
+            `Regexp.new` to permit advanced matching. For each hash pair, if either the key or value is matched the pair
+            isn't reported. By default, no `user_data` is reported. Use this option only if the
+            `stripe.user_data.include` option is also used.
           DESCRIPTION
         },
         :'instrumentation.thread' => {
@@ -1867,6 +2012,21 @@ module NewRelic
           :allowed_from_server => true,
           :description => 'If `true`, the agent obfuscates Mongo queries in transaction traces.'
         },
+        # OpenSearch
+        :'opensearch.capture_queries' => {
+          :default => true,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => true,
+          :description => 'If `true`, the agent captures OpenSearch queries in transaction traces.'
+        },
+        :'opensearch.obfuscate_queries' => {
+          :default => true,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => true,
+          :description => 'If `true`, the agent obfuscates OpenSearch queries in transaction traces.'
+        },
         # Process host
         :'process_host.display_name' => {
           :default => proc { NewRelic::Agent::Hostname.get },
@@ -1928,7 +2088,7 @@ module NewRelic
           :transform => proc { |bool| NewRelic::Agent::ServerlessHandler.env_var_set? || bool },
           :description => 'If `true`, the agent will operate in a streamlined mode suitable for use with short-lived ' \
                           'serverless functions. NOTE: Only AWS Lambda functions are supported currently and this ' \
-                          "option is not intended for use without [New Relic's Ruby Lambda layer](https://docs.newrelic.com/docs/serverless-function-monitoring/aws-lambda-monitoring/get-started/monitoring-aws-lambda-serverless-monitoring/) offering."
+                          "option isn't intended for use without [New Relic's Ruby Lambda layer](https://docs.newrelic.com/docs/serverless-function-monitoring/aws-lambda-monitoring/get-started/monitoring-aws-lambda-serverless-monitoring/) offering."
         },
         # Sidekiq
         :'sidekiq.args.include' => {
@@ -2022,9 +2182,10 @@ module NewRelic
           :public => true,
           :type => Integer,
           :allowed_from_server => true,
+          # Keep the extra two-space indent before the second bullet to appease translation tool
           :description => <<~DESC
             * Defines the maximum number of span events reported from a single harvest. Any Integer between `1` and `10000` is valid.'
-            * When configuring the agent for [AI monitoring](/docs/ai-monitoring/intro-to-ai-monitoring), set to max value `10000`.\
+              * When configuring the agent for [AI monitoring](/docs/ai-monitoring/intro-to-ai-monitoring), set to max value `10000`.\
             This ensures the agent captures the maximum amount of distributed traces.
           DESC
         },
@@ -2035,7 +2196,7 @@ module NewRelic
           :public => true,
           :type => Boolean,
           :allowed_from_server => false,
-          :description => 'If true, the agent strips messages from all exceptions except those in the [allowlist](#strip_exception_messages-allowlist). Enabled automatically in [high security mode](/docs/accounts-partnerships/accounts/security/high-security).'
+          :description => 'If true, the agent strips messages from all exceptions except those in the [allowed classes list](#strip_exception_messages-allowed_classes). Enabled automatically in [high security mode](/docs/accounts-partnerships/accounts/security/high-security).'
         },
         :'strip_exception_messages.allowed_classes' => {
           :default => '',
@@ -2045,6 +2206,28 @@ module NewRelic
           :transform => DefaultSource.method(:convert_to_constant_list),
           :description => 'Specify a list of exceptions you do not want the agent to strip when [strip_exception_messages](#strip_exception_messages-enabled) is `true`. Separate exceptions with a comma. For example, `"ImportantException,PreserveMessageException"`.'
         },
+        # Agent Control
+        :'agent_control.enabled' => {
+          :default => false,
+          :public => false,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'Boolean value that denotes whether Agent Control functionality should be enabled. At the moment, this functionality is limited to whether agent health should be reported. This configuration will be set using an environment variable by Agent Control, or one of its components, prior to agent startup.'
+        },
+        :'agent_control.health.delivery_location' => {
+          :default => '/newrelic/apm/health',
+          :public => false,
+          :type => String,
+          :allowed_from_server => false,
+          :description => 'A `file:` URI that specifies the fully qualified directory path for health file(s) to be written to. This defaults to: `file:///newrelic/apm/health`. This configuration will be set using an environment variable by Agent Control, or one of its components, prior to agent startup.'
+        },
+        :'agent_control.health.frequency' => {
+          :default => 5,
+          :public => false,
+          :type => Integer,
+          :allowed_from_server => false,
+          :description => 'The interval, in seconds, of how often the health file(s) will be written to. This configuration will be set using an environment variable by Agent Control, or one of its components, prior to agent startup.'
+        },
         # Thread profiler
         :'thread_profiler.enabled' => {
           :default => DefaultSource.thread_profiler_enabled,
@@ -2174,7 +2357,7 @@ module NewRelic
           :description => 'Enable or disable debugging version of JavaScript agent loader for browser monitoring instrumentation.'
         },
         :'browser_monitoring.ssl_for_http' => {
-          :default => nil,
+          :default => false,
           :allow_nil => true,
           :public => false,
           :type => Boolean,
@@ -2576,47 +2759,196 @@ module NewRelic
           :description => 'Defines the endpoint URL for posting security-related data',
           :dynamic_name => true
         },
-        :'security.detection.rci.enabled' => {
-          :default => true,
+        :'security.application_info.port' => {
+          :default => nil,
+          :allow_nil => true,
+          :public => true,
+          :type => Integer,
+          :external => true,
+          :allowed_from_server => false,
+          :description => 'The port the application is listening on. This setting is mandatory for Passenger servers. The agent detects other servers by default.'
+        },
+        :'security.exclude_from_iast_scan.api' => {
+          :default => [],
+          :public => true,
+          :type => Array,
+          :external => true,
+          :allowed_from_server => true,
+          :transform => DefaultSource.method(:convert_to_list),
+          :description => 'Defines API paths the security agent should ignore in IAST scans. Accepts an array of regex patterns matching the URI to ignore. The regex pattern should find a complete match for the URL without the endpoint. For example, `[".*account.*"], [".*/\api\/v1\/.*?\/login"]`'
+        },
+        :'security.exclude_from_iast_scan.http_request_parameters.header' => {
+          :default => [],
+          :public => true,
+          :type => Array,
+          :external => true,
+          :allowed_from_server => true,
+          :transform => DefaultSource.method(:convert_to_list),
+          :description => 'An array of HTTP request headers the security agent should ignore in IAST scans. The array should specify a list of patterns matching the headers to ignore.'
+        },
+        :'security.exclude_from_iast_scan.http_request_parameters.query' => {
+          :default => [],
+          :public => true,
+          :type => Array,
+          :external => true,
+          :allowed_from_server => true,
+          :transform => DefaultSource.method(:convert_to_list),
+          :description => 'An array of HTTP request query parameters the security agent should ignore in IAST scans. The array should specify a list of patterns matching the HTTP request query parameters to ignore.'
+        },
+        :'security.exclude_from_iast_scan.http_request_parameters.body' => {
+          :default => [],
+          :public => true,
+          :type => Array,
+          :external => true,
+          :allowed_from_server => true,
+          :transform => DefaultSource.method(:convert_to_list),
+          :description => 'An array of HTTP request body keys the security agent should ignore in IAST scans.'
+        },
+        :'security.exclude_from_iast_scan.iast_detection_category.insecure_settings' => {
+          :default => false,
           :external => true,
           :public => true,
           :type => Boolean,
           :allowed_from_server => false,
-          :description => 'If `true`, enables RCI (remote code injection) detection'
+          :description => 'If `true`, disables the detection of low-severity insecure settings. For example, hash, crypto, cookie, random generators, trust boundary).'
         },
-        :'security.detection.rxss.enabled' => {
-          :default => true,
+        :'security.exclude_from_iast_scan.iast_detection_category.invalid_file_access' => {
+          :default => false,
           :external => true,
           :public => true,
           :type => Boolean,
           :allowed_from_server => false,
-          :description => 'If `true`, enables RXSS (reflected cross-site scripting) detection'
+          :description => 'If `true`, disables file operation-related IAST detections (File Access & Application integrity violation)'
         },
-        :'security.detection.deserialization.enabled' => {
-          :default => true,
+        :'security.exclude_from_iast_scan.iast_detection_category.sql_injection' => {
+          :default => false,
           :external => true,
           :public => true,
           :type => Boolean,
           :allowed_from_server => false,
-          :description => 'If `true`, enables deserialization detection'
+          :description => 'If `true`, disables SQL injection detection in IAST scans.'
         },
-        :'security.application_info.port' => {
-          :default => nil,
-          :allow_nil => true,
+        :'security.exclude_from_iast_scan.iast_detection_category.nosql_injection' => {
+          :default => false,
+          :external => true,
           :public => true,
-          :type => Integer,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, disables NOSQL injection detection in IAST scans.'
+        },
+        :'security.exclude_from_iast_scan.iast_detection_category.ldap_injection' => {
+          :default => false,
           :external => true,
+          :public => true,
+          :type => Boolean,
           :allowed_from_server => false,
-          :description => 'The port the application is listening on. This setting is mandatory for Passenger servers. Other servers should be detected by default.'
+          :description => 'If `true`, disables LDAP injection detection in IAST scans.'
         },
-        :'security.request.body_limit' => {
-          :default => 300,
-          :allow_nil => true,
+        :'security.exclude_from_iast_scan.iast_detection_category.javascript_injection' => {
+          :default => false,
+          :external => true,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, disables Javascript injection detection in IAST scans.'
+        },
+        :'security.exclude_from_iast_scan.iast_detection_category.command_injection' => {
+          :default => false,
+          :external => true,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, disables system command injection detection in IAST scans.'
+        },
+        :'security.exclude_from_iast_scan.iast_detection_category.xpath_injection' => {
+          :default => false,
+          :external => true,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, disables XPATH injection detection in IAST scans.'
+        },
+        :'security.exclude_from_iast_scan.iast_detection_category.ssrf' => {
+          :default => false,
+          :external => true,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, disables Sever-Side Request Forgery (SSRF) detection in IAST scans.'
+        },
+        :'security.exclude_from_iast_scan.iast_detection_category.rxss' => {
+          :default => false,
+          :external => true,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, disables Reflected Cross-Site Scripting (RXSS) detection in IAST scans.'
+        },
+        :'security.scan_schedule.delay' => {
+          :default => 0,
+          :public => true,
+          :type => Integer,
+          :external => true,
+          :allowed_from_server => true,
+          :description => 'Specifies the delay time (in minutes) before the IAST scan begins after the application starts.'
+        },
+        :'security.scan_schedule.duration' => {
+          :default => 0,
           :public => true,
           :type => Integer,
           :external => true,
+          :allowed_from_server => true,
+          :description => 'Indicates the duration (in minutes) for which the IAST scan will be performed.'
+        },
+        :'security.scan_schedule.schedule' => {
+          :default => '',
+          :public => true,
+          :type => String,
+          :external => true,
+          :allowed_from_server => true,
+          :description => 'Specifies a cron expression that sets when the IAST scan should run.',
+          :dynamic_name => true
+        },
+        :'security.scan_schedule.always_sample_traces' => {
+          :default => false,
+          :external => true,
+          :public => true,
+          :type => Boolean,
           :allowed_from_server => false,
-          :description => 'Defines the request body limit to process in security events (in KB). The default value is 300, for 300KB.'
+          :description => 'If `true`, allows IAST to continuously gather trace data in the background. The security agent uses collected data to perform an IAST scan at the scheduled time.'
+        },
+        :'security.scan_controllers.iast_scan_request_rate_limit' => {
+          :default => 3600,
+          :public => true,
+          :type => Integer,
+          :external => true,
+          :allowed_from_server => true,
+          :description => 'Sets the maximum number of HTTP requests allowed for the IAST scan per minute. Any Integer between 12 and 3600 is valid. The default value is 3600.'
+        },
+        :'security.scan_controllers.scan_instance_count' => {
+          :default => 0,
+          :public => true,
+          :type => Integer,
+          :external => true,
+          :allowed_from_server => true,
+          :description => 'The number of application instances for a specific entity to perform IAST analysis on.'
+        },
+        :'security.scan_controllers.report_http_response_body' => {
+          :default => true,
+          :public => true,
+          :type => Boolean,
+          :external => true,
+          :allowed_from_server => true,
+          :description => 'If `true`, enables the sending of HTTP responses bodies. Disabling this also disables Reflected Cross-Site Scripting (RXSS) vulnerability detection.'
+        },
+        :'security.iast_test_identifier' => {
+          :default => nil,
+          :allow_nil => true,
+          :public => true,
+          :type => String,
+          :external => true,
+          :allowed_from_server => true,
+          :description => 'A unique test identifier when runnning IAST in a CI/CD environment to differentiate between different test runs. For example, a build number.'
         }
       }.freeze
       # rubocop:enable Metrics/CollectionLiteralLength

data/lib/new_relic/agent/configuration/environment_source.rb

@@ -92,7 +92,11 @@ module NewRelic
           elsif type == Symbol
             self[config_key] = value.to_sym
           elsif type == Array
-            self[config_key] = value.split(/\s*,\s*/)
+            self[config_key] = if DEFAULTS[config_key].key?(:transform)
+              DEFAULTS[config_key][:transform].call(value)
+            else
+              value.split(/\s*,\s*/)
+            end
           elsif type == NewRelic::Agent::Configuration::Boolean
             if /false|off|no/i.match?(value)
               self[config_key] = false

data/lib/new_relic/agent/configuration/manager.rb

@@ -142,6 +142,9 @@ module NewRelic
           default = enforce_allowlist(key, evaluated)
           return default if default
 
+          boolean = enforce_boolean(key, value)
+          evaluated = boolean if [true, false].include?(boolean)
+
           apply_transformations(key, evaluated)
         end
 
@@ -167,6 +170,18 @@ module NewRelic
           default
         end
 
+        def enforce_boolean(key, value)
+          type = default_source.value_from_defaults(key, :type)
+          return unless type == Boolean
+
+          bool_value = default_source.boolean_for(key, value)
+          return bool_value unless bool_value.nil?
+
+          default = default_source.default_for(key)
+          NewRelic::Agent.logger.warn "Invalid value '#{value}' for #{key}, applying default value of '#{default}'"
+          default
+        end
+
         def transform_from_default(key)
           default_source.transform_for(key)
         end
@@ -382,6 +397,14 @@ module NewRelic
         def reset_cache
           return new_cache unless defined?(@cache) && @cache
 
+          # Modifying the @cache hash under JRuby - even with a `synchronize do`
+          # block and a `Hash#dup` operation - has been known to cause issues
+          # with JRuby for concurrent access of the hash while it is being
+          # modified. The hash really only needs to be modified for the benefit
+          # of the security agent, so if JRuby is in play and the security agent
+          # is not, don't attempt to modify the hash at all and return early.
+          return new_cache if NewRelic::LanguageSupport.jruby? && !Agent.config[:'security.agent.enabled']
+
           @lock.synchronize do
             preserved = @cache.dup.select { |_k, v| DEPENDENCY_DETECTION_VALUES.include?(v) }
             new_cache

data/lib/new_relic/agent/configuration/yaml_source.rb

@@ -36,6 +36,7 @@ module NewRelic
             erb_file = process_erb(raw_file)
             config = process_yaml(erb_file, env, config, @file_path)
           rescue ScriptError, StandardError => e
+            NewRelic::Agent.agent.health_check.update_status(NewRelic::Agent::HealthCheck::FAILED_TO_PARSE_CONFIG)
             log_failure("Failed to read or parse configuration file at #{path}", e)
           end
 
@@ -99,7 +100,11 @@ module NewRelic
             file.gsub!(/^\s*#.*$/, '#')
             ERB.new(file).result(binding)
           rescue ScriptError, StandardError => e
-            log_failure('Failed ERB processing configuration file. This is typically caused by a Ruby error in <% %> templating blocks in your newrelic.yml file.', e)
+            NewRelic::Agent.agent.health_check.update_status(NewRelic::Agent::HealthCheck::FAILED_TO_PARSE_CONFIG)
+            message = 'Failed ERB processing configuration file. This is typically caused by a Ruby error in <% %> templating blocks in your newrelic.yml file.'
+            failure_array = [message, e]
+            failure_array << e.backtrace[0] if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.4.0')
+            log_failure(*failure_array)
             nil
           end
         end