newrelic_rpm 9.15.0 → 9.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8a02ae0dd81c8e98102873ea89251171352151071c77d4e30743cfff6e8570cc
-  data.tar.gz: da90bad15981745bdcaa2e8e1b22ad5d7d072ba75e4dfc8d54db412a3b800362
+  metadata.gz: 23ad23d616fbcea334710ab3d67003e1775aedbadaecd7d50932c22543419ef4
+  data.tar.gz: f26ff6b168dc8975354fa1bf7f73f02400d01e2feca735f71b510f92978b3edf
 SHA512:
-  metadata.gz: 7ea9ab0cae780bc052ff7290876908358c158c3b93934cebb3380e56b53e9e141f79b5cb46b5ed7ded659cb4f52eafeb18b9a34932870383773c5b4e1ffd7a80
-  data.tar.gz: a005499eee4aae21a1e610dde7d4d466c4c2b8b24f64a5130cd4ff4a5897046677a0a7c07555d79234221eda6e375e347ab86b088a3be1a55d30cef213d371af
+  metadata.gz: 4519cf295a06513f04810805b8428d0cebdbd8aa4731c4e831de0d873c014978396dee436a966c726866246a26b6ced9dcea5fd1bba2c839b6d69b66b00f51d7
+  data.tar.gz: 5e32b59dea295c346c88de6c0cc317d7d2d8981fbe7fed6d2d0d72a6cfb2bd6b2eb5ae006871603757e957e85fe0404b618d4e4cee7afae0189ffebb1770945f

data/.build_ignore

@@ -19,6 +19,7 @@ lefthook.yml
 log/
 README.md
 test/
+trivy.yaml
 lib/tasks/bump_version.rb
 lib/tasks/coverage_report.rb
 lib/tasks/multiverse.rake

data/CHANGELOG.md

@@ -1,12 +1,32 @@
 # New Relic Ruby Agent Release Notes
 
+## v9.16.0
+
+Version 9.16.0 introduces instrumentation for the aws-sdk-lambda gem, allows users to opt-in to adding labels to logs, updates View Component instrumentation, and fixes a bug with explain plans on Rails 7.2+.
+
+- **Feature: Instrumentation for aws-sdk-lambda**
+
+  If the aws-sdk-lambda gem is present and used to invoke remote AWS Lambda functions, timing and error details for the invocations will be reported to New Relic. [PR#2926](https://github.com/newrelic/newrelic-ruby-agent/pull/2926).
+
+- **Feature: Add new configuration options to attach custom tags (labels) to logs**
+
+  The Ruby agent now allows you to opt-in to adding your custom tags (labels) to agent-forwarded logs. With custom tags on logs, platform engineers can easily filter, search, and correlate log data for faster and more efficient troubleshooting, improved performance, and optimized resource utilization. [PR#2925](https://github.com/newrelic/newrelic-ruby-agent/pull/2925)
+
+- **Feature: Update View Component instrumentation+**
+
+  The `.identifier` method will be formally exposed as part of the View Component public API. The agent will now use this method for building metric names when available, ensuring ongoing compatibility with all View Component versions. [PR#2956](https://github.com/newrelic/newrelic-ruby-agent/pull/2956)
+
+- **Bugfix: Record explain plan traces on Rails 7.2+**
+
+  Rails 7.2 removed adapter-specific connection methods (ex. `ActiveRecord::Base.postgresql_connection`) and replaced them with `ActiveRecord::Base.with_connection`. Our explain plan feature relies on making a connection to the database to create an explain plan trace. Due to a bug in our tests, we missed this regression. Now, the agent uses the new method to fetch explain plans on Rails 7.2+. Thank you, [@gsar](https://github.com/gsar) and [@gstark](https://github.com/gstark) for bringing this to our attention! [Issue#2922](https://github.com/newrelic/newrelic-ruby-agent/issues/2922) [PR#2940](https://github.com/newrelic/newrelic-ruby-agent/pull/2940)
+
 ## v9.15.0
 
-Version 9.15.0 updates View Componment instrumentation to use a default metric name when one is unavailable, adds a configuration option to associate the AWS account ID with the DynamoDB calls from the AWS SDK, resolves a bug in rdkafka instrumentation when using the karafka-rdkafka gem, resolves a bug in the ruby-kafka instrumentation, fixes a bug with Grape instrumentation, and addresses a bug preventing the agent from running in serverless mode in an AWS Lambda layer.
-  
+Version 9.15.0 updates View Component instrumentation to use a default metric name when one is unavailable, adds a configuration option to associate the AWS account ID with the DynamoDB calls from the AWS SDK, resolves a bug in rdkafka instrumentation when using the karafka-rdkafka gem, resolves a bug in the ruby-kafka instrumentation, fixes a bug with Grape instrumentation, and addresses a bug preventing the agent from running in serverless mode in an AWS Lambda layer.
+
 - **Feature: New configuration option cloud.aws.account_id**
 
-  A new configuration option has been added, `cloud.aws.account_id`, that will allow New Relic to provide more details about certain calls made using the AWS SDK. One example, is that relationships between AWS services instrumented with New Relic's CloudWatch Metric Streams will have relationships formed in the service map with APM applications. Currently, the DynamoDB instrumentation is the only instrumentation that will make use of this configuration option, but this will be used in future instrumentation as well. [PR#2904](https://github.com/newrelic/newrelic-ruby-agent/pull/2904)
+  A new configuration option has been added, `cloud.aws.account_id`, that will allow New Relic to provide more details about certain calls made using the AWS SDK. For example, relationships between AWS services instrumented with New Relic's CloudWatch Metric Streams will have relationships formed in the service map with APM applications. Currently, the DynamoDB instrumentation is the only instrumentation that will make use of this configuration option, but this will be used in future instrumentation as well. [PR#2904](https://github.com/newrelic/newrelic-ruby-agent/pull/2904)
 
 - **Feature: Use default `View/component` metric name for unidentified View Components**
 

data/lib/new_relic/agent/configuration/default_source.rb

@@ -443,7 +443,7 @@ module NewRelic
           :public => true,
           :type => String,
           :allowed_from_server => false,
-          :description => "Manual override for the path to your local CA bundle. This CA bundle will be used to validate the SSL certificate presented by New Relic's data collection service."
+          :description => "Manual override for the path to your local CA bundle. This CA bundle validates the SSL certificate presented by New Relic's data collection service."
         },
         :capture_memcache_keys => {
           :default => false,
@@ -881,6 +881,21 @@ module NewRelic
           :allowed_from_server => false,
           :description => 'A hash with key/value pairs to add as custom attributes to all log events forwarded to New Relic. If sending using an environment variable, the value must be formatted like: "key1=value1,key2=value2"'
         },
+        :'application_logging.forwarding.labels.enabled' => {
+          :default => false,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, the agent attaches [labels](https://docs.newrelic.com/docs/apm/agents/ruby-agent/configuration/ruby-agent-configuration/#labels) to log records.'
+        },
+        :'application_logging.forwarding.labels.exclude' => {
+          :default => [],
+          :public => true,
+          :type => Array,
+          :transform => DefaultSource.method(:convert_to_list),
+          :allowed_from_server => false,
+          :description => 'A case-insensitive array or comma-delimited string containing the labels to exclude from log records.'
+        },
         :'application_logging.forwarding.max_samples_stored' => {
           :default => 10000,
           :public => true,
@@ -1174,7 +1189,7 @@ module NewRelic
 
             Here is some Ruby source code that defines a `render_png` instance method for an `Image` class and a `notify` class method for a `User` class, both within a `MyCompany` module namespace:
 
-            ```
+            ```rb
             module MyCompany
               class Image
                 def render_png
@@ -1192,7 +1207,7 @@ module NewRelic
 
             Given that source code, the `newrelic.yml` config file might request instrumentation for both of these methods like so:
 
-            ```
+            ```yaml
             automatic_custom_instrumentation_method_list:
               - MyCompany::Image#render_png
               - MyCompany::User.notify
@@ -1200,13 +1215,13 @@ module NewRelic
 
             That configuration example uses YAML array syntax to specify both methods. Alternatively, you can use a comma-delimited string:
 
-            ```
+            ```yaml
             automatic_custom_instrumentation_method_list: 'MyCompany::Image#render_png, MyCompany::User.notify'
             ```
 
             Whitespace around the comma(s) in the list is optional. When configuring the agent with a list of methods via the `NEW_RELIC_AUTOMATIC_CUSTOM_INSTRUMENTATION_METHOD_LIST` environment variable, use this comma-delimited string format:
 
-            ```
+            ```sh
             export NEW_RELIC_AUTOMATIC_CUSTOM_INSTRUMENTATION_METHOD_LIST='MyCompany::Image#render_png, MyCompany::User.notify'
             ```
           DESCRIPTION
@@ -1537,6 +1552,15 @@ module NewRelic
           :allowed_from_server => false,
           :description => 'Controls auto-instrumentation of bunny at start-up. May be one of: `auto`, `prepend`, `chain`, `disabled`.'
         },
+        :'instrumentation.aws_sdk_lambda' => {
+          :default => 'auto',
+          :documentation_default => 'auto',
+          :public => true,
+          :type => String,
+          :dynamic_name => true,
+          :allowed_from_server => false,
+          :description => 'Controls auto-instrumentation of the aws_sdk_lambda library at start-up. May be one of `auto`, `prepend`, `chain`, `disabled`.'
+        },
         :'instrumentation.ruby_kafka' => {
           :default => 'auto',
           :public => true,
@@ -1901,8 +1925,8 @@ module NewRelic
             An array of strings to specify which keys and/or values inside a Stripe event's `user_data` hash should
             not be reported to New Relic. Each string in this array will be turned into a regular expression via
             `Regexp.new` to permit advanced matching. For each hash pair, if either the key or value is matched the
-            pair will not be reported. By default, no `user_data` is reported, so this option should only be used if
-            the `stripe.user_data.include` option is being used.
+            pair will not be reported. By default, no `user_data` is reported. Use this option only if the
+            `stripe.user_data.include` option is also used.
           DESCRIPTION
         },
         :'instrumentation.thread' => {
@@ -2665,7 +2689,7 @@ module NewRelic
           :public => true,
           :type => Boolean,
           :allowed_from_server => false,
-          :description => "If `true`, the security agent is loaded (a Ruby 'require' is performed)"
+          :description => "If `true`, the security agent is loaded (the agent performs a Ruby 'require')"
         },
         :'security.enabled' => {
           :default => false,
@@ -2694,47 +2718,196 @@ module NewRelic
           :description => 'Defines the endpoint URL for posting security-related data',
           :dynamic_name => true
         },
-        :'security.detection.rci.enabled' => {
-          :default => true,
+        :'security.application_info.port' => {
+          :default => nil,
+          :allow_nil => true,
+          :public => true,
+          :type => Integer,
+          :external => true,
+          :allowed_from_server => false,
+          :description => 'The port the application is listening on. This setting is mandatory for Passenger servers. The agent detects other servers by default.'
+        },
+        :'security.exclude_from_iast_scan.api' => {
+          :default => [],
+          :public => true,
+          :type => Array,
+          :external => true,
+          :allowed_from_server => true,
+          :transform => DefaultSource.method(:convert_to_list),
+          :description => 'Defines API paths the security agent should ignore in IAST scans. Accepts an array of regex patterns matching the URI to ignore. The regex pattern should find a complete match for the URL without the endpoint. For example, `[".*account.*"], [".*/\api\/v1\/.*?\/login"]`'
+        },
+        :'security.exclude_from_iast_scan.http_request_parameters.header' => {
+          :default => [],
+          :public => true,
+          :type => Array,
+          :external => true,
+          :allowed_from_server => true,
+          :transform => DefaultSource.method(:convert_to_list),
+          :description => 'An array of HTTP request headers the security agent should ignore in IAST scans. The array should specify a list of patterns matching the headers to ignore.'
+        },
+        :'security.exclude_from_iast_scan.http_request_parameters.query' => {
+          :default => [],
+          :public => true,
+          :type => Array,
+          :external => true,
+          :allowed_from_server => true,
+          :transform => DefaultSource.method(:convert_to_list),
+          :description => 'An array of HTTP request query parameters the security agent should ignore in IAST scans. The array should specify a list of patterns matching the HTTP request query parameters to ignore.'
+        },
+        :'security.exclude_from_iast_scan.http_request_parameters.body' => {
+          :default => [],
+          :public => true,
+          :type => Array,
+          :external => true,
+          :allowed_from_server => true,
+          :transform => DefaultSource.method(:convert_to_list),
+          :description => 'An array of HTTP request body keys the security agent should ignore in IAST scans.'
+        },
+        :'security.exclude_from_iast_scan.iast_detection_category.insecure_settings' => {
+          :default => false,
           :external => true,
           :public => true,
           :type => Boolean,
           :allowed_from_server => false,
-          :description => 'If `true`, enables RCI (remote code injection) detection'
+          :description => 'If `true`, disables the detection of low-severity insecure settings. For example, hash, crypto, cookie, random generators, trust boundary).'
         },
-        :'security.detection.rxss.enabled' => {
-          :default => true,
+        :'security.exclude_from_iast_scan.iast_detection_category.invalid_file_access' => {
+          :default => false,
           :external => true,
           :public => true,
           :type => Boolean,
           :allowed_from_server => false,
-          :description => 'If `true`, enables RXSS (reflected cross-site scripting) detection'
+          :description => 'If `true`, disables file operation-related IAST detections (File Access & Application integrity violation)'
         },
-        :'security.detection.deserialization.enabled' => {
-          :default => true,
+        :'security.exclude_from_iast_scan.iast_detection_category.sql_injection' => {
+          :default => false,
           :external => true,
           :public => true,
           :type => Boolean,
           :allowed_from_server => false,
-          :description => 'If `true`, enables deserialization detection'
+          :description => 'If `true`, disables SQL injection detection in IAST scans.'
         },
-        :'security.application_info.port' => {
-          :default => nil,
-          :allow_nil => true,
+        :'security.exclude_from_iast_scan.iast_detection_category.nosql_injection' => {
+          :default => false,
+          :external => true,
           :public => true,
-          :type => Integer,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, disables NOSQL injection detection in IAST scans.'
+        },
+        :'security.exclude_from_iast_scan.iast_detection_category.ldap_injection' => {
+          :default => false,
           :external => true,
+          :public => true,
+          :type => Boolean,
           :allowed_from_server => false,
-          :description => 'The port the application is listening on. This setting is mandatory for Passenger servers. Other servers should be detected by default.'
+          :description => 'If `true`, disables LDAP injection detection in IAST scans.'
         },
-        :'security.request.body_limit' => {
-          :default => 300,
-          :allow_nil => true,
+        :'security.exclude_from_iast_scan.iast_detection_category.javascript_injection' => {
+          :default => false,
+          :external => true,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, disables Javascript injection detection in IAST scans.'
+        },
+        :'security.exclude_from_iast_scan.iast_detection_category.command_injection' => {
+          :default => false,
+          :external => true,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, disables system command injection detection in IAST scans.'
+        },
+        :'security.exclude_from_iast_scan.iast_detection_category.xpath_injection' => {
+          :default => false,
+          :external => true,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, disables XPATH injection detection in IAST scans.'
+        },
+        :'security.exclude_from_iast_scan.iast_detection_category.ssrf' => {
+          :default => false,
+          :external => true,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, disables Sever-Side Request Forgery (SSRF) detection in IAST scans.'
+        },
+        :'security.exclude_from_iast_scan.iast_detection_category.rxss' => {
+          :default => false,
+          :external => true,
+          :public => true,
+          :type => Boolean,
+          :allowed_from_server => false,
+          :description => 'If `true`, disables Reflected Cross-Site Scripting (RXSS) detection in IAST scans.'
+        },
+        :'security.scan_schedule.delay' => {
+          :default => 0,
+          :public => true,
+          :type => Integer,
+          :external => true,
+          :allowed_from_server => true,
+          :description => 'Specifies the delay time (in minutes) before the IAST scan begins after the application starts.'
+        },
+        :'security.scan_schedule.duration' => {
+          :default => 0,
           :public => true,
           :type => Integer,
           :external => true,
+          :allowed_from_server => true,
+          :description => 'Specifies the length of time (in minutes) that the IAST scan will run.'
+        },
+        :'security.scan_schedule.schedule' => {
+          :default => '',
+          :public => true,
+          :type => String,
+          :external => true,
+          :allowed_from_server => true,
+          :description => 'Specifies a cron expression that sets when the IAST scan should run.',
+          :dynamic_name => true
+        },
+        :'security.scan_schedule.always_sample_traces' => {
+          :default => false,
+          :external => true,
+          :public => true,
+          :type => Boolean,
           :allowed_from_server => false,
-          :description => 'Defines the request body limit to process in security events (in KB). The default value is 300, for 300KB.'
+          :description => 'If `true`, allows IAST to continuously gather trace data in the background. Collected data will be used by the security agent to perform an IAST scan at the scheduled time.'
+        },
+        :'security.scan_controllers.iast_scan_request_rate_limit' => {
+          :default => 3600,
+          :public => true,
+          :type => Integer,
+          :external => true,
+          :allowed_from_server => true,
+          :description => 'Sets the maximum number of HTTP requests allowed for the IAST scan per minute. Any Integer between 12 and 3600 is valid. The default value is 3600.'
+        },
+        :'security.scan_controllers.scan_instance_count' => {
+          :default => 0,
+          :public => true,
+          :type => Integer,
+          :external => true,
+          :allowed_from_server => true,
+          :description => 'The number of application instances for a specific entity to perform IAST analysis on.'
+        },
+        :'security.scan_controllers.report_http_response_body' => {
+          :default => true,
+          :public => true,
+          :type => Boolean,
+          :external => true,
+          :allowed_from_server => true,
+          :description => 'If `true`, enables the sending of HTTP responses bodies. Disabling this also disables Reflected Cross-Site Scripting (RXSS) vulnerability detection.'
+        },
+        :'security.iast_test_identifier' => {
+          :default => nil,
+          :allow_nil => true,
+          :public => true,
+          :type => String,
+          :external => true,
+          :allowed_from_server => true,
+          :description => 'A unique test identifier when runnning IAST in a CI/CD environment to differentiate between different test runs. For example, a build number.'
         }
       }.freeze
       # rubocop:enable Metrics/CollectionLiteralLength

data/lib/new_relic/agent/database.rb

@@ -90,6 +90,42 @@ module NewRelic
         ConnectionManager.instance.get_connection(config, &connector)
       end
 
+      def explain_this(statement, use_execute = false)
+        if supports_with_connection?
+          explain_this_using_with_connection(statement)
+        else
+          explain_this_using_adapter_connection(statement, use_execute)
+        end
+      rescue => e
+        NewRelic::Agent.logger.error("Couldn't fetch the explain plan for statement: #{e}")
+      end
+
+      def explain_this_using_with_connection(statement)
+        ::ActiveRecord::Base.with_connection do |conn|
+          conn.exec_query("EXPLAIN #{statement.sql}", "Explain #{statement.name}", statement.binds)
+        end
+      end
+
+      def explain_this_using_adapter_connection(statement, use_execute)
+        connection = get_connection(statement.config) do
+          ::ActiveRecord::Base.send(:"#{statement.config[:adapter]}_connection", statement.config)
+        end
+
+        if use_execute
+          connection.execute("EXPLAIN #{statement.sql}")
+        else
+          connection.exec_query("EXPLAIN #{statement.sql}", "Explain #{statement.name}", statement.binds)
+        end
+      end
+
+      # ActiveRecord v7.2.0 introduced with_connection
+      def supports_with_connection?
+        return @supports_with_connection if defined?(@supports_with_connection)
+
+        @supports_with_connection = defined?(::ActiveRecord::VERSION::STRING) &&
+          Gem::Version.new(ActiveRecord::VERSION::STRING) >= Gem::Version.new('7.2.0')
+      end
+
       def close_connections
         ConnectionManager.instance.close_connections
       end

data/lib/new_relic/agent/instrumentation/active_record.rb

@@ -9,14 +9,7 @@ module NewRelic
     module Instrumentation
       module ActiveRecord
         EXPLAINER = lambda do |statement|
-          connection = NewRelic::Agent::Database.get_connection(statement.config) do
-            ::ActiveRecord::Base.send("#{statement.config[:adapter]}_connection",
-              statement.config)
-          end
-          # the following line needs else branch coverage
-          if connection && connection.respond_to?(:execute) # rubocop:disable Style/SafeNavigation
-            return connection.execute("EXPLAIN #{statement.sql}")
-          end
+          NewRelic::Agent::Database.explain_this(statement, true)
         end
 
         def self.insert_instrumentation

data/lib/new_relic/agent/instrumentation/active_record_subscriber.rb

@@ -70,18 +70,7 @@ module NewRelic
         end
 
         def get_explain_plan(statement)
-          connection = NewRelic::Agent::Database.get_connection(statement.config) do
-            ::ActiveRecord::Base.send("#{statement.config[:adapter]}_connection",
-              statement.config)
-          end
-          # the following line needs else branch coverage
-          if connection && connection.respond_to?(:exec_query) # rubocop:disable Style/SafeNavigation
-            return connection.exec_query("EXPLAIN #{statement.sql}",
-              "Explain #{statement.name}",
-              statement.binds)
-          end
-        rescue => e
-          NewRelic::Agent.logger.debug("Couldn't fetch the explain plan for #{statement} due to #{e}")
+          NewRelic::Agent::Database.explain_this(statement)
         end
 
         def active_record_config(payload)

data/lib/new_relic/agent/instrumentation/aws_sdk_lambda/chain.rb

@@ -0,0 +1,33 @@
+# This file is distributed under New Relic's license terms.
+# See https://github.com/newrelic/newrelic-ruby-agent/blob/main/LICENSE for complete details.
+# frozen_string_literal: true
+
+require_relative 'instrumentation'
+
+module NewRelic::Agent::Instrumentation
+  module AwsSdkLambda::Chain
+    def self.instrument!
+      ::Aws::Lambda::Client.class_eval do
+        include NewRelic::Agent::Instrumentation::AwsSdkLambda
+
+        alias_method(:invoke_without_new_relic, :invoke)
+
+        def invoke(*args)
+          invoke_with_new_relic(*args) { invoke_without_new_relic(*args) }
+        end
+
+        alias_method(:invoke_async_without_new_relic, :invoke_async)
+
+        def invoke_async(*args)
+          invoke_async_with_new_relic(*args) { invoke_async_without_new_relic(*args) }
+        end
+
+        alias_method(:invoke_with_response_stream_without_new_relic, :invoke_with_response_stream)
+
+        def invoke_with_response_stream(*args)
+          invoke_with_response_stream_with_new_relic(*args) { invoke_with_response_stream_without_new_relic(*args) }
+        end
+      end
+    end
+  end
+end

data/lib/new_relic/agent/instrumentation/aws_sdk_lambda/instrumentation.rb

@@ -0,0 +1,94 @@
+# This file is distributed under New Relic's license terms.
+# See https://github.com/newrelic/newrelic-ruby-agent/blob/main/LICENSE for complete details.
+# frozen_string_literal: true
+
+require 'json'
+
+module NewRelic::Agent::Instrumentation
+  module AwsSdkLambda
+    INSTRUMENTATION_NAME = 'aws_sdk_lambda'
+    AWS_SERVICE = 'lambda'
+    CLOUD_PLATFORM = 'aws_lambda'
+    WRAPPED_RESPONSE = Struct.new(:status_code, :has_status_code?)
+
+    def invoke_with_new_relic(*args)
+      with_tracing(:invoke, *args) { yield }
+    end
+
+    def invoke_async_with_new_relic(*args)
+      with_tracing(:invoke_async, *args) { yield }
+    end
+
+    def invoke_with_response_stream_with_new_relic(*args)
+      with_tracing(:invoke_with_response_stream, *args) { yield }
+    end
+
+    private
+
+    def with_tracing(action, *args)
+      segment = generate_segment(action, *args)
+
+      # prevent additional instrumentation for things like Net::HTTP from
+      # creating any segments that may appear as redundant / confusing
+      NewRelic::Agent.disable_all_tracing do
+        response = NewRelic::Agent::Tracer.capture_segment_error(segment) { yield }
+        process_response(response, segment)
+        response
+      end
+    ensure
+      segment&.finish
+    end
+
+    def process_response(response, segment)
+      process_function_error(response) if response.respond_to?(:function_error)
+    rescue => e
+      NewRelic::Agent.logger.error("Error processing aws-sdk-lambda invocation response: #{e}")
+    end
+
+    # notice error that was raised / unhandled by the function
+    def process_function_error(response)
+      function_error = response.function_error
+      return unless function_error
+
+      msg = "[#{function_error}]"
+      payload = response.payload&.string if response.respond_to?(:payload)
+      payload_hash = JSON.parse(payload) if payload
+      msg = "#{msg} #{payload_hash['errorType']} - #{payload_hash['errorMessage']}" if payload_hash
+      e = StandardError.new(msg)
+      e.set_backtrace(payload_hash['stackTrace']) if payload_hash
+
+      NewRelic::Agent.notice_error(e)
+    end
+
+    def generate_segment(action, options = {})
+      function = function_name(options)
+      region = aws_region
+      account_id = aws_account_id
+      arn = aws_arn(function, region)
+      segment = NewRelic::Agent::Tracer.start_segment(name: "Lambda/#{action}/#{function}")
+      segment.add_agent_attribute('cloud.account.id', account_id)
+      segment.add_agent_attribute('cloud.platform', CLOUD_PLATFORM)
+      segment.add_agent_attribute('cloud.region', region)
+      segment.add_agent_attribute('cloud.resource_id', arn) if arn
+      segment
+    end
+
+    def function_name(options = {})
+      (options.fetch(:function_name, nil) if options.respond_to?(:fetch)) || NewRelic::UNKNOWN
+    end
+
+    def aws_account_id
+      return unless self.respond_to?(:config)
+
+      config&.account_id || NewRelic::Agent.config[:'cloud.aws.account_id']
+    end
+
+    def aws_region
+      config&.region if self.respond_to?(:config)
+    end
+
+    def aws_arn(function, region)
+      NewRelic::Agent::Aws.create_arn(AWS_SERVICE, "function:#{function}", region)
+    end
+  end
+end

data/lib/new_relic/agent/instrumentation/aws_sdk_lambda/prepend.rb

@@ -0,0 +1,23 @@
+# This file is distributed under New Relic's license terms.
+# See https://github.com/newrelic/newrelic-ruby-agent/blob/main/LICENSE for complete details.
+# frozen_string_literal: true
+
+require_relative 'instrumentation'
+
+module NewRelic::Agent::Instrumentation
+  module AwsSdkLambda::Prepend
+    include NewRelic::Agent::Instrumentation::AwsSdkLambda
+
+    def invoke(*args)
+      invoke_with_new_relic(*args) { super }
+    end
+
+    def invoke_async(*args)
+      invoke_async_with_new_relic(*args) { super }
+    end
+
+    def invoke_with_response_stream(*args)
+      invoke_with_response_stream_with_new_relic(*args) { super }
+    end
+  end
+end

data/lib/new_relic/agent/instrumentation/aws_sdk_lambda.rb

@@ -0,0 +1,23 @@
+# This file is distributed under New Relic's license terms.
+# See https://github.com/newrelic/newrelic-ruby-agent/blob/main/LICENSE for complete details.
+# frozen_string_literal: true
+
+DependencyDetection.defer do
+  named :aws_sdk_lambda
+
+  depends_on do
+    defined?(Aws::Lambda::Client)
+  end
+
+  executes do
+    require_relative 'aws_sdk_lambda/instrumentation'
+
+    if use_prepend?
+      require_relative 'aws_sdk_lambda/prepend'
+      prepend_instrument Aws::Lambda::Client, NewRelic::Agent::Instrumentation::AwsSdkLambda::Prepend
+    else
+      require_relative 'aws_sdk_lambda/chain'
+      chain_instrument NewRelic::Agent::Instrumentation::AwsSdkLambda::Chain
+    end
+  end
+end

data/lib/new_relic/agent/instrumentation/view_component/instrumentation.rb

@@ -21,7 +21,11 @@ module NewRelic::Agent::Instrumentation
     end
 
     def metric_name
-      "View/#{metric_path(self.class.source_location)}/#{self.class.name}"
+      # ViewComponent determines a component's identifier differently depending on the version
+      # https://github.com/ViewComponent/view_component/pull/2153
+      component_identifier = defined?(self.class.source_location) ? self.class.source_location : self.class.identifier
+
+      "View/#{metric_path(component_identifier)}/#{self.class.name}"
     rescue => e
       NewRelic::Agent.logger.error('Error identifying View Component metric name', e)
 

data/lib/new_relic/agent/log_event_aggregator.rb

@@ -25,6 +25,7 @@ module NewRelic
       METRICS_SUPPORTABILITY_FORMAT = 'Supportability/Logging/Metrics/Ruby/%s'.freeze
       FORWARDING_SUPPORTABILITY_FORMAT = 'Supportability/Logging/Forwarding/Ruby/%s'.freeze
       DECORATING_SUPPORTABILITY_FORMAT = 'Supportability/Logging/LocalDecorating/Ruby/%s'.freeze
+      LABELS_SUPPORTABILITY_FORMAT = 'Supportability/Logging/Labels/Ruby/%s'.freeze
       MAX_BYTES = 32768 # 32 * 1024 bytes (32 kibibytes)
 
       named :LogEventAggregator
@@ -38,6 +39,7 @@ module NewRelic
       METRICS_ENABLED_KEY = :'application_logging.metrics.enabled'
       FORWARDING_ENABLED_KEY = :'application_logging.forwarding.enabled'
       DECORATING_ENABLED_KEY = :'application_logging.local_decorating.enabled'
+      LABELS_ENABLED_KEY = :'application_logging.forwarding.labels.enabled'
       LOG_LEVEL_KEY = :'application_logging.forwarding.log_level'
       CUSTOM_ATTRIBUTES_KEY = :'application_logging.forwarding.custom_attributes'
 
@@ -51,6 +53,7 @@ module NewRelic
         @high_security = NewRelic::Agent.config[:high_security]
         @instrumentation_logger_enabled = NewRelic::Agent::Instrumentation::Logger.enabled?
         @attributes = NewRelic::Agent::LogEventAttributes.new
+
         register_for_done_configuring(events)
       end
 
@@ -186,6 +189,10 @@ module NewRelic
         attributes.add_custom_attributes(custom_attributes)
       end
 
+      def labels
+        @labels ||= create_labels
+      end
+
       # Because our transmission format (MELT) is different than historical
       # agent payloads, extract the munging here to keep the service focused
       # on the general harvest + transmit instead of the format.
@@ -201,8 +208,9 @@ module NewRelic
         # To save on unnecessary data transmission, trim the entity.type
         # sent by classic logs-in-context
         common_attributes.delete(ENTITY_TYPE_KEY)
-
-        common_attributes.merge!(NewRelic::Agent.agent.log_event_aggregator.attributes.custom_attributes)
+        aggregator = NewRelic::Agent.agent.log_event_aggregator
+        common_attributes.merge!(aggregator.attributes.custom_attributes)
+        common_attributes.merge!(aggregator.labels)
 
         _, items = data
         payload = [{
@@ -247,6 +255,7 @@ module NewRelic
           record_configuration_metric(METRICS_SUPPORTABILITY_FORMAT, METRICS_ENABLED_KEY)
           record_configuration_metric(FORWARDING_SUPPORTABILITY_FORMAT, FORWARDING_ENABLED_KEY)
           record_configuration_metric(DECORATING_SUPPORTABILITY_FORMAT, DECORATING_ENABLED_KEY)
+          record_configuration_metric(LABELS_SUPPORTABILITY_FORMAT, LABELS_ENABLED_KEY)
 
           add_custom_attributes(NewRelic::Agent.config[CUSTOM_ATTRIBUTES_KEY])
         end
@@ -327,6 +336,23 @@ module NewRelic
 
         Logger::Severity.const_get(severity_constant) < Logger::Severity.const_get(configured_log_level_constant)
       end
+
+      def create_labels
+        return NewRelic::EMPTY_HASH unless NewRelic::Agent.config[LABELS_ENABLED_KEY]
+
+        downcased_exclusions = NewRelic::Agent.config[:'application_logging.forwarding.labels.exclude'].map(&:downcase)
+        log_labels = {}
+
+        NewRelic::Agent.config.parsed_labels.each do |parsed_label|
+          next if downcased_exclusions.include?(parsed_label['label_type'].downcase)
+
+          # labels are referred to as tags in the UI, so prefix the
+          # label-related attributes with 'tags.*'
+          log_labels["tags.#{parsed_label['label_type']}"] = parsed_label['label_value']
+        end
+
+        log_labels
+      end
     end
   end
 end

data/lib/new_relic/version.rb

@@ -6,7 +6,7 @@
 module NewRelic
   module VERSION # :nodoc:
     MAJOR = 9
-    MINOR = 15
+    MINOR = 16
     TINY = 0
 
     STRING = "#{MAJOR}.#{MINOR}.#{TINY}"

data/newrelic.yml

@@ -65,6 +65,13 @@ common: &default_settings
   # If true, the agent captures log records emitted by your application.
   # application_logging.forwarding.enabled: true
 
+  # If true, the agent attaches labels to log records.
+  # application_logging.forwarding.labels.enabled: false
+
+  # A case-insensitive array or comma-delimited string containing the labels to
+  # exclude from log records.
+  # application_logging.forwarding.labels.exclude: []
+
   # Sets the minimum level a log event must have to be forwarded to New Relic.
   # This is based on the integer values of Ruby's Logger::Severity constants:
   # https://github.com/ruby/ruby/blob/master/lib/logger/severity.rb
@@ -114,17 +121,15 @@ common: &default_settings
   # audit_log.path: log/newrelic_audit.log
 
   # An array of CLASS#METHOD (for instance methods) and/or CLASS.METHOD (for class
-  # methods) strings representing Ruby methods for the agent to automatically
-  # add custom instrumentation to without the need for altering any of the
+  # methods) strings representing Ruby methods that the agent can automatically
+  # add custom instrumentation to. This doesn't require any modifications of the
   # source code that defines the methods.
-  #
   # Use fully qualified class names (using the :: delimiter) that include any
   # module or class namespacing.
-  #
   # Here is some Ruby source code that defines a render_png instance method for an
   # Image class and a notify class method for a User class, both within a
   # MyCompany module namespace:
-  # 
+  #
   # module MyCompany
   #   class Image
   #     def render_png
@@ -147,17 +152,20 @@ common: &default_settings
   # - MyCompany::User.notify
   #
   # That configuration example uses YAML array syntax to specify both methods.
-  # Alternatively, a comma-delimited string can be used instead:
-  # 
-  # automatic_custom_instrumentation_method_list: 'MyCompany::Image#render_png, MyCompany::User.notify'
-  # 
+  # Alternatively, you can use a comma-delimited string:
+  #
+  # automatic_custom_instrumentation_method_list: 'MyCompany::Image#render_png,
+  # MyCompany::User.notify'
+  #
   # Whitespace around the comma(s) in the list is optional. When configuring the
   # agent with a list of methods via the
   # NEW_RELIC_AUTOMATIC_CUSTOM_INSTRUMENTATION_METHOD_LIST environment variable,
-  # this comma-delimited string format should be used:
-  # 
-  # export NEW_RELIC_AUTOMATIC_CUSTOM_INSTRUMENTATION_METHOD_LIST='MyCompany::Image#render_png, MyCompany::User.notify'
-  # 
+  # use this comma-delimited string format:
+  #
+  # export
+  # NEW_RELIC_AUTOMATIC_CUSTOM_INSTRUMENTATION_METHOD_LIST='MyCompany::Image#render_png,
+  # MyCompany::User.notify'
+  #
   # automatic_custom_instrumentation_method_list: []
 
   # Specify a list of constants that should prevent the agent from starting
@@ -315,18 +323,7 @@ common: &default_settings
   # If true, disables agent middleware for Sinatra. This middleware is responsible
   # for advanced feature support such as cross application tracing, page load
   # timing, and error collection.
-  # Cross application tracing is deprecated in favor of distributed tracing.
-  # Distributed tracing is on by default for Ruby agent versions 8.0.0 and above.
-  # Middlewares are not required to support distributed tracing.
-  # To continue using cross application tracing, update the following options in
-  # your newrelic.yml configuration file:
-  # ``yaml
-  # # newrelic.yml
-  # cross_application_tracer:
-  # enabled: true
-  # distributed_tracing:
-  # enabled: false
-  # ``
+  #
   # disable_sinatra_auto_middleware: false
 
   # If true, disables view instrumentation.
@@ -458,6 +455,10 @@ common: &default_settings
   # prepend, chain, disabled.
   # instrumentation.async_http: auto
 
+  # Controls auto-instrumentation of the aws_sdk_lambda library at start-up. May
+  # be one of auto, prepend, chain, disabled.
+  # instrumentation.aws_sdk_lambda: auto
+
   # Controls auto-instrumentation of the aws-sdk-sqs library at start-up. May be
   # one of: auto, prepend, chain, disabled.
   # instrumentation.aws_sqs: auto
@@ -950,33 +951,104 @@ common: &default_settings
   #   NOTE: All "security.*" configuration parameters are related only to the
   #         security agent, and all other configuration parameters that may
   #         have "security" in the name somewhere are related to the APM agent.
-  
+
   # If true, the security agent is loaded (a Ruby 'require' is performed)
   # security.agent.enabled: false
 
   # The port the application is listening on. This setting is mandatory for
-  # Passenger servers. Other servers should be detected by default.
+  # Passenger servers. Other servers are detected by default.
   # security.application_info.port: nil
 
-  # If true, enables deserialization detection
-  # security.detection.deserialization.enabled: true
+  # If true, the security agent is started (the agent runs in its event loop)
+  # security.enabled: false
 
-  # If true, enables RCI (remote code injection) detection
-  # security.detection.rci.enabled: true
+  # Defines API paths the security agent should ignore in IAST scans. Accepts an
+  # array of regex patterns matching the URI to ignore. The regex pattern should
+  # provide a complete match for the URL without the endpoint. For example,
+  # [".*account.*"], [".*/\api\/v1\/.*?\/login"]
+  # security.exclude_from_iast_scan.api: []
 
-  # If true, enables RXSS (reflected cross-site scripting) detection
-  # security.detection.rxss.enabled: true
+  # An array of HTTP request body keys the security agent should ignore in IAST
+  # scans.
+  # security.exclude_from_iast_scan.http_request_parameters.body: []
 
-  # If true, the security agent is started (the agent runs in its event loop)
-  # security.enabled: false
+  # An array of HTTP request headers the security agent should ignore in IAST
+  # scans. The array should specify a list of patterns matching the headers to
+  # ignore.
+  # security.exclude_from_iast_scan.http_request_parameters.header: []
+
+  # An array of HTTP request query parameters the security agent should ignore in
+  # IAST scans. The array should specify a list of patterns matching the HTTP
+  # request query parameters to ignore.
+  # security.exclude_from_iast_scan.http_request_parameters.query: []
+
+  # If true, disables system command injection detection in IAST scans.
+  # security.exclude_from_iast_scan.iast_detection_category.command_injection: false
+
+  # If true, disables the detection of low-severity insecure settings (e.g., hash,
+  # crypto, cookie, random generators, trust boundary).
+  # security.exclude_from_iast_scan.iast_detection_category.insecure_settings: false
+
+  # If true, disables file operation-related IAST detections (File Access &
+  # Application integrity violation)
+  # security.exclude_from_iast_scan.iast_detection_category.invalid_file_access: false
+
+  # If true, disables Javascript injection detection in IAST scans.
+  # security.exclude_from_iast_scan.iast_detection_category.javascript_injection: false
+
+  # If true, disables LDAP injection detection in IAST scans.
+  # security.exclude_from_iast_scan.iast_detection_category.ldap_injection: false
+
+  # If true, disables NOSQL injection detection in IAST scans.
+  # security.exclude_from_iast_scan.iast_detection_category.nosql_injection: false
+
+  # If true, disables Reflected Cross-Site Scripting (RXSS) detection in IAST
+  # scans.
+  # security.exclude_from_iast_scan.iast_detection_category.rxss: false
+
+  # If true, disables SQL injection detection in IAST scans.
+  # security.exclude_from_iast_scan.iast_detection_category.sql_injection: false
+
+  # If true, disables Sever-Side Request Forgery (SSRF) detection in IAST scans.
+  # security.exclude_from_iast_scan.iast_detection_category.ssrf: false
+
+  # If true, disables XPATH injection detection in IAST scans.
+  # security.exclude_from_iast_scan.iast_detection_category.xpath_injection: false
+
+  # Unique test identifier when runnning IAST in CI/CD environment to
+  # differentiate between different test runs, e.g., a build number.
+  # security.iast_test_identifier: nil
 
   # Defines the mode for the security agent to operate in. Currently only IAST is
   # supported
   # security.mode: IAST
 
-  # Defines the request body limit to process in security events (in KB). The
-  # default value is 300, for 300KB.
-  # security.request.body_limit: 300
+  # Sets the maximum number of HTTP requests allowed for the IAST scan per minute.
+  # Any Integer between 12 and 3600 is valid. The default value is 3600.
+  # security.scan_controllers.iast_scan_request_rate_limit: 3600
+
+  # If true, enables the sending of HTTP responses bodies. Disabling this also
+  # disables Reflected Cross-Site Scripting (RXSS) vulnerability detection.
+  # security.scan_controllers.report_http_response_body: true
+
+  # The number of application instances for a specific entity on which IAST
+  # analysis is performed.
+  # security.scan_controllers.scan_instance_count: 0
+
+  # If true, allows IAST to continuously gather trace data in the background.
+  # Collected data will be used by the security agent to perform an IAST scan at
+  # the scheduled time.
+  # security.scan_schedule.always_sample_traces: false
+
+  # Specifies the delay time (in minutes) before the IAST scan begins after the
+  # application starts.
+  # security.scan_schedule.delay: 0
+
+  # Specifies the length of time (in minutes) that the IAST scan will run.
+  # security.scan_schedule.duration: 0
+
+  # Specifies a cron expression that sets when the IAST scan should run.
+  # security.scan_schedule.schedule: ""
 
   # Defines the endpoint URL for posting security-related data
   # security.validator_service_url: wss://csec.nr-data.net

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: newrelic_rpm
 version: !ruby/object:Gem::Version
-  version: 9.15.0
+  version: 9.16.0
 platform: ruby
 authors:
 - Tanna McClure
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-10-31 00:00:00.000000000 Z
+date: 2024-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -392,6 +392,10 @@ files:
 - lib/new_relic/agent/instrumentation/async_http/chain.rb
 - lib/new_relic/agent/instrumentation/async_http/instrumentation.rb
 - lib/new_relic/agent/instrumentation/async_http/prepend.rb
+- lib/new_relic/agent/instrumentation/aws_sdk_lambda.rb
+- lib/new_relic/agent/instrumentation/aws_sdk_lambda/chain.rb
+- lib/new_relic/agent/instrumentation/aws_sdk_lambda/instrumentation.rb
+- lib/new_relic/agent/instrumentation/aws_sdk_lambda/prepend.rb
 - lib/new_relic/agent/instrumentation/aws_sqs.rb
 - lib/new_relic/agent/instrumentation/aws_sqs/chain.rb
 - lib/new_relic/agent/instrumentation/aws_sqs/instrumentation.rb
@@ -778,7 +782,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
-rubygems_version: 3.5.16
+rubygems_version: 3.5.22
 signing_key: 
 specification_version: 4
 summary: New Relic Ruby Agent