newrelic_security 0.1.0 → 0.3.0

data/lib/newrelic_security/agent/control/event_processor.rb

@@ -5,6 +5,7 @@ module NewRelic::Security
     module Control
       EVENT_QUEUE_SIZE = 10_000
       HEALTH_INTERVAL = 300
+      ERROR_REPORTING_INTERVAL = 30
 
       class EventProcessor
 
@@ -15,6 +16,7 @@ module NewRelic::Security
           @eventQ = ::SizedQueue.new(EVENT_QUEUE_SIZE)
           create_dequeue_threads
           create_keep_alive_thread
+          create_error_reporting_thread
           NewRelic::Security::Agent.init_logger.info "[STEP-5] => Security agent components started"
         end
 
@@ -46,6 +48,7 @@ module NewRelic::Security
           enqueue(event)
           if @first_event
             NewRelic::Security::Agent.init_logger.info "[STEP-8] => First event sent for validation. Security agent started successfully : #{event.to_json}"
+            NewRelic::Security::Agent.config.traffic_start_time = current_time_millis unless NewRelic::Security::Agent.config[:traffic_start_time]
             @first_event = false
           end
           event = nil
@@ -128,6 +131,29 @@ module NewRelic::Security
           NewRelic::Security::Agent.logger.error "Exception in health check thread, #{exception.inspect}"
         end
 
+        def current_time_millis
+          (Time.now.to_f * 1000).to_i
+        end
+
+        def create_error_reporting_thread
+          @error_reporting_thread = Thread.new {
+            Thread.current.name = "newrelic_security_error_reporting_thread"
+            while true do
+              sleep ERROR_REPORTING_INTERVAL
+              send_error_reporting_event if NewRelic::Security::Agent::Control::WebsocketClient.instance.is_open?
+            end
+          }
+        rescue Exception => exception
+          NewRelic::Security::Agent.logger.error "Exception in error_reporting thread, #{exception.inspect}"
+        end
+
+        def send_error_reporting_event
+          NewRelic::Security::Agent.agent.error_reporting&.exceptions_map&.each_value do |exception|
+            NewRelic::Security::Agent::Control::WebsocketClient.instance.send(exception)
+          end
+          NewRelic::Security::Agent.agent.error_reporting&.exceptions_map&.clear
+        end
+
       end
     end
   end

data/lib/newrelic_security/agent/control/event_subscriber.rb

@@ -7,19 +7,13 @@ module NewRelic::Security
               NewRelic::Security::Agent.logger.info "NewRelic server_source_configuration_added for pid : #{Process.pid}, Parent Pid : #{Process.ppid}"
               NewRelic::Security::Agent.init_logger.info "NewRelic server_source_configuration_added for pid : #{Process.pid}, Parent Pid : #{Process.ppid}"
               NewRelic::Security::Agent.config.update_server_config
-              if NewRelic::Security::Agent.config[:enabled] && !NewRelic::Security::Agent.config[:high_security]
-                NewRelic::Security::Agent.agent.init
+              if NewRelic::Security::Agent.config[:'security.enabled'] && !NewRelic::Security::Agent.config[:high_security]
+                Thread.new { NewRelic::Security::Agent.agent.scan_scheduler.init_via_scan_scheduler }
               else
                 NewRelic::Security::Agent.logger.info "New Relic Security is disabled by one of the user provided config `security.enabled` or `high_security`."
                 NewRelic::Security::Agent.init_logger.info "New Relic Security is disabled by one of the user provided config `security.enabled` or `high_security`."
               end
             }
-            ::NewRelic::Agent.instance.events.subscribe(:security_policy_received) { |received_policy| 
-              NewRelic::Security::Agent.logger.info "security_policy_received pid ::::::: #{Process.pid} #{Process.ppid}, #{received_policy}"
-              NewRelic::Security::Agent.config[:policy].merge!(received_policy)
-              NewRelic::Security::Agent.init_logger.info "[STEP-7] => Received and applied policy/configuration : #{received_policy}"
-              NewRelic::Security::Agent.agent.start_iast_client if NewRelic::Security::Agent::Utils.is_IAST?
-            }
         end
       end
     end

data/lib/newrelic_security/agent/control/exit_event.rb

@@ -14,6 +14,8 @@ module NewRelic::Security
           @collectorVersion =  NewRelic::Security::VERSION
           @buildNumber = nil
           @applicationUUID = NewRelic::Security::Agent.config[:uuid]
+          @appAccountId = NewRelic::Security::Agent.config[:account_id]
+          @appEntityGuid = NewRelic::Security::Agent.config[:entity_guid]
           @groupName = NewRelic::Security::Agent.config[:mode]
           @jsonVersion = NewRelic::Security::Agent.config[:json_version]
           @policyVersion = nil

data/lib/newrelic_security/agent/control/grpc_context.rb

@@ -8,7 +8,7 @@ module NewRelic::Security
       
       class GRPCContext
         
-        attr_accessor :time_stamp, :method, :headers, :body, :route, :cache, :fuzz_files, :url, :server_name, :server_port, :client_ip, :client_port, :is_grpc, :metadata, :event_counter
+        attr_accessor :time_stamp, :method, :headers, :body, :route, :cache, :fuzz_files, :url, :server_name, :server_port, :client_ip, :client_port, :is_grpc, :metadata, :event_counter, :mutex
 
         def initialize(grpc_request)
           @time_stamp = current_time_millis
@@ -32,6 +32,7 @@ module NewRelic::Security
           @cache = {}
           @fuzz_files = ::Set.new
           @event_counter = 0
+          @mutex = Mutex.new
           NewRelic::Security::Agent.agent.http_request_count.increment
         end
 

data/lib/newrelic_security/agent/control/health_check.rb

@@ -18,6 +18,8 @@ module NewRelic::Security
           @framework = NewRelic::Security::Agent.config[:framework]
           @protectedServer = nil
           @applicationUUID = NewRelic::Security::Agent.config[:uuid]
+          @appAccountId = NewRelic::Security::Agent.config[:account_id]
+          @appEntityGuid = NewRelic::Security::Agent.config[:entity_guid]
           @collectorVersion = NewRelic::Security::VERSION
           @buildNumber = nil
           @jsonVersion = NewRelic::Security::Agent.config[:json_version]
@@ -33,6 +35,9 @@ module NewRelic::Security
           @iastEventStats = {}
           @raspEventStats = {}
           @exitEventStats = {}
+          @procStartTime = NewRelic::Security::Agent.config[:process_start_time]
+          @trafficStartedTime = NewRelic::Security::Agent.config[:traffic_start_time]
+          @scanStartTime = NewRelic::Security::Agent.config[:scan_start_time]
         end
 
         def as_json

data/lib/newrelic_security/agent/control/http_context.rb

@@ -10,18 +10,22 @@ module NewRelic::Security
       UNDERSCORE = '_'
       HYPHEN = '-'
       REQUEST_METHOD = 'REQUEST_METHOD'
+      HTTP_HOST = 'HTTP_HOST'
       PATH_INFO = 'PATH_INFO'
+      QUERY_STRING = 'QUERY_STRING'
       RACK_INPUT = 'rack.input'
-      CGI_VARIABLES = ::Set.new(%W[ AUTH_TYPE CONTENT_LENGTH CONTENT_TYPE GATEWAY_INTERFACE HTTPS PATH_INFO PATH_TRANSLATED REQUEST_URI QUERY_STRING REMOTE_ADDR REMOTE_HOST REMOTE_IDENT REMOTE_USER REQUEST_METHOD SCRIPT_NAME SERVER_NAME SERVER_PORT SERVER_PROTOCOL SERVER_SOFTWARE rack.url_scheme ])
+      CGI_VARIABLES = ::Set.new(%W[ AUTH_TYPE CONTENT_LENGTH CONTENT_TYPE GATEWAY_INTERFACE HTTPS HTTP_HOST PATH_INFO PATH_TRANSLATED REQUEST_URI QUERY_STRING REMOTE_ADDR REMOTE_HOST REMOTE_IDENT REMOTE_USER REQUEST_METHOD SCRIPT_NAME SERVER_NAME SERVER_PORT SERVER_PROTOCOL SERVER_SOFTWARE rack.url_scheme ])
+      REQUEST_BODY_LIMIT = 500 #KB
 
       class HTTPContext
         
-        attr_accessor :time_stamp, :req, :method, :headers, :params, :body, :data_truncated, :route, :cache, :fuzz_files, :event_counter
+        attr_accessor :time_stamp, :req, :method, :headers, :params, :body, :data_truncated, :route, :cache, :fuzz_files, :event_counter, :mutex, :url
 
         def initialize(env)
           @time_stamp = current_time_millis
           @req = env.select { |key, _| CGI_VARIABLES.include? key}
           @method = @req[REQUEST_METHOD]
+          @url = "#{@req[PATH_INFO]}?#{@req[QUERY_STRING]}"
           @headers = env.select { |key, _| key.include?(HTTP_) }
           @headers = @headers.transform_keys{ |key| key[5..-1].gsub(UNDERSCORE, HYPHEN).downcase }
           request = Rack::Request.new(env) unless env.empty?
@@ -30,23 +34,24 @@ module NewRelic::Security
           strio = env[RACK_INPUT]
           if strio.instance_of?(::StringIO)
 						offset = strio.tell
-						@body = strio.read(NewRelic::Security::Agent.config[:'security.request.body_limit'] * 1024) #after read, offset changes
+						@body = strio.read(REQUEST_BODY_LIMIT * 1024) #after read, offset changes
 						strio.seek(offset)
             # In case of Grape and Roda strio.read giving empty result, added below approach to handle such cases
             @body = strio.string if @body.nil? && strio.size > 0
           elsif defined?(::Rack) && defined?(::Rack::Lint::InputWrapper) && strio.instance_of?(::Rack::Lint::InputWrapper)
-						@body = strio.read(NewRelic::Security::Agent.config[:'security.request.body_limit'] * 1024)
+						@body = strio.read(REQUEST_BODY_LIMIT * 1024)
           elsif defined?(::Protocol::Rack::Input) && defined?(::Protocol::Rack::Input) && strio.instance_of?(::Protocol::Rack::Input)
-            @body = strio.read(NewRelic::Security::Agent.config[:'security.request.body_limit'] * 1024)
+            @body = strio.read(REQUEST_BODY_LIMIT * 1024)
           elsif defined?(::PhusionPassenger::Utils::TeeInput) && strio.instance_of?(::PhusionPassenger::Utils::TeeInput)
-						@body = strio.read(NewRelic::Security::Agent.config[:'security.request.body_limit'] * 1024)
+						@body = strio.read(REQUEST_BODY_LIMIT * 1024)
           end
-          @data_truncated = @body && @body.size >= NewRelic::Security::Agent.config[:'security.request.body_limit'] * 1024
+          @data_truncated = @body && @body.size >= REQUEST_BODY_LIMIT * 1024
 					strio&.rewind
 					@body = @body.force_encoding(Encoding::UTF_8) if @body.is_a?(String)
           @cache = Hash.new
           @fuzz_files = ::Set.new
           @event_counter = 0
+          @mutex = Mutex.new
           NewRelic::Security::Agent.agent.http_request_count.increment
           NewRelic::Security::Agent.agent.iast_client.completed_requests[@headers[NR_CSEC_PARENT_ID]] = [] if @headers.key?(NR_CSEC_PARENT_ID)
         end
@@ -66,6 +71,10 @@ module NewRelic::Security
         def self.reset_context
           ::NewRelic::Agent::Tracer.current_transaction.remove_instance_variable(:@security_context_data) if ::NewRelic::Agent::Tracer.current_transaction.instance_variable_defined?(:@security_context_data)
         end
+
+        def self.get_current_transaction
+          ::NewRelic::Agent::Tracer.current_transaction
+        end
       end
 
     end

data/lib/newrelic_security/agent/control/iast_client.rb

@@ -17,9 +17,8 @@ module NewRelic::Security
       IS_GRPC = 'isGrpc'
       INPUT_CLASS = 'inputClass'
       SERVER_PORT_1 = 'serverPort'
-      PROBING = 'probing'
-      INTERVAL = 'interval'
       IS_GRPC_CLIENT_STREAM = 'isGrpcClientStream'
+      PROBING_INTERVAL = 5
 
       class IASTClient
         
@@ -54,6 +53,7 @@ module NewRelic::Security
               Thread.current.name = "newrelic_security_iast_thread-#{t}"
               loop do
                 fuzz_request = @fuzzQ.deq #thread blocks when the queue is empty
+                NewRelic::Security::Agent.config.scan_start_time = current_time_millis unless NewRelic::Security::Agent.config[:scan_start_time]
                 if fuzz_request.request[IS_GRPC]
                   fire_grpc_request(fuzz_request.id, fuzz_request.request, fuzz_request.reflected_metadata)
                 else
@@ -71,7 +71,8 @@ module NewRelic::Security
           @iast_data_transfer_request_processor_thread = Thread.new do
             Thread.current.name = "newrelic_security_iast_data_transfer_request_processor"
             loop do
-              sleep NewRelic::Security::Agent.config[:policy][VULNERABILITY_SCAN][IAST_SCAN][PROBING][INTERVAL]
+              # TODO: Check & remove this probing interval if not required, earlier this was used from policy sent by SE.
+              sleep PROBING_INTERVAL
               current_timestamp = current_time_millis
               cooldown_sleep_time = @cooldown_till_timestamp - current_timestamp
               sleep cooldown_sleep_time/1000 if cooldown_sleep_time > 0
@@ -84,9 +85,21 @@ module NewRelic::Security
               if batch_size > 100 && remaining_record_capacity > batch_size
                 iast_data_transfer_request = NewRelic::Security::Agent::Control::IASTDataTransferRequest.new
                 iast_data_transfer_request.batchSize = batch_size * 2
+                # TODO: Below calculation of batch_size overrides above logic and can be removed once below one is stablises or rate limit feature is released.
+                if NewRelic::Security::Agent.config[:'security.scan_controllers.iast_scan_request_rate_limit']
+                  batch_size =
+                    if NewRelic::Security::Agent.config[:'security.scan_controllers.iast_scan_request_rate_limit'] < 12
+                      1
+                    elsif NewRelic::Security::Agent.config[:'security.scan_controllers.iast_scan_request_rate_limit'] > 3600
+                      300
+                    else
+                      NewRelic::Security::Agent.config[:'security.scan_controllers.iast_scan_request_rate_limit'] / 12
+                    end
+                  iast_data_transfer_request.batchSize = batch_size
+                end
                 iast_data_transfer_request.pendingRequestIds = pending_request_ids.to_a
                 iast_data_transfer_request.completedRequests = completed_requests
-                NewRelic::Security::Agent.agent.event_processor.send_iast_data_transfer_request(iast_data_transfer_request)
+                NewRelic::Security::Agent.agent.event_processor&.send_iast_data_transfer_request(iast_data_transfer_request)
               end
             end
           end
@@ -122,18 +135,18 @@ module NewRelic::Security
         def fire_grpc_request(fuzz_request_id, request, reflected_metadata)
           service = Object.const_get(request[METHOD].split(SLASH)[0]).superclass
           method = request[METHOD].split(SLASH)[1]
-          @stub = service.rpc_stub_class.new("localhost:#{request[SERVER_PORT_1]}", :this_channel_is_insecure) unless @stub
+          @stub ||= service.rpc_stub_class.new("localhost:#{request[SERVER_PORT_1]}", :this_channel_is_insecure)
 
-          parsed_body =  request[BODY][1..-2].split(',')
-          if reflected_metadata[IS_GRPC_CLIENT_STREAM]
-            chunks_enum = Enumerator.new do |y|
+          parsed_body = request[BODY][1..-2].split(',')
+          chunks_enum = if reflected_metadata[IS_GRPC_CLIENT_STREAM]
+            Enumerator.new do |y|
               parsed_body.each do |b|
                 y << Object.const_get(reflected_metadata[INPUT_CLASS]).decode_json(b)
               end
             end
-          else
-            chunks_enum = Object.const_get(reflected_metadata[INPUT_CLASS]).decode_json(request[BODY])
-          end
+                        else
+            Object.const_get(reflected_metadata[INPUT_CLASS]).decode_json(request[BODY])
+                        end
           response = @stub.public_send(method, chunks_enum, metadata: request[HEADERS])
           # response = @stub.send(method, JSON.parse(request['body'], object_class: OpenStruct))
           # request[HEADERS].delete(VERSION) if request[HEADERS].key?(VERSION)

data/lib/newrelic_security/agent/control/iast_data_transfer_request.rb

@@ -11,6 +11,8 @@ module NewRelic::Security
         def initialize
           @jsonName = :'iast-data-request'
           @applicationUUID = NewRelic::Security::Agent.config[:uuid]
+          @appAccountId = NewRelic::Security::Agent.config[:account_id]
+          @appEntityGuid = NewRelic::Security::Agent.config[:entity_guid]
           @batchSize = 10
           @pendingRequestIds = []
           @completedRequests = Hash.new

data/lib/newrelic_security/agent/control/scan_scheduler.rb

@@ -0,0 +1,77 @@
+require 'newrelic_security/parse-cron/cron_parser'
+
+module NewRelic::Security
+  module Agent
+    module Control
+      class ScanScheduler
+        def init_via_scan_scheduler
+          if NewRelic::Security::Agent.config[:'security.scan_schedule.delay'].positive?
+            NewRelic::Security::Agent.logger.info "IAST delay is set to: #{NewRelic::Security::Agent.config[:'security.scan_schedule.delay']}, current time: #{Time.now}"
+            start_agent_with_delay(NewRelic::Security::Agent.config[:'security.scan_schedule.delay']*60)
+          elsif !NewRelic::Security::Agent.config[:'security.scan_schedule.schedule'].to_s.empty?
+            cron_expression_task(NewRelic::Security::Agent.config[:'security.scan_schedule.schedule'], NewRelic::Security::Agent.config[:'security.scan_schedule.duration']*60)
+          else
+            NewRelic::Security::Agent.agent.init
+            NewRelic::Security::Agent.agent.start_iast_client if NewRelic::Security::Agent::Utils.is_IAST?
+            shutdown_at_duration_reached(NewRelic::Security::Agent.config[:'security.scan_schedule.duration']*60)
+          end
+        rescue StandardError => exception
+          NewRelic::Security::Agent.logger.error "Exception in IAST scan scheduler: #{exception.inspect} #{exception.backtrace}"
+          ::NewRelic::Agent.notice_error(exception)
+        end
+
+        def start_agent_with_delay(delay)
+          NewRelic::Security::Agent.logger.info "Security Agent delay scan time is set to: #{(delay/60).ceil} minutes when always_sample_traces is #{NewRelic::Security::Agent.config[:'security.scan_schedule.always_sample_traces']}, current time: #{Time.now}"
+          if NewRelic::Security::Agent.config[:'security.scan_schedule.always_sample_traces']
+            NewRelic::Security::Agent.agent.init unless NewRelic::Security::Agent.config[:enabled]
+            sleep delay if NewRelic::Security::Agent.config[:'security.scan_schedule.always_sample_traces']
+          else
+            sleep delay
+            NewRelic::Security::Agent.agent.init
+          end
+          NewRelic::Security::Agent.agent.start_iast_client if NewRelic::Security::Agent::Utils.is_IAST?
+          shutdown_at_duration_reached(NewRelic::Security::Agent.config[:'security.scan_schedule.duration']*60)
+        end
+
+        def shutdown_at_duration_reached(duration)
+          shutdown_at = Time.now.to_i + duration
+          shut_down_time = (Time.now + duration).strftime("%a %d %b %Y %H:%M:%S")
+          return if duration <= 0
+          NewRelic::Security::Agent.logger.info "IAST Duration is set to: #{duration/60} minutes, timestamp: #{shut_down_time} time, current time: #{Time.now}"
+          @shutdown_monitor_thread = Thread.new do
+            Thread.current.name = "newrelic_security_shutdown_monitor_thread"
+            loop do
+              sleep 1
+              next if Time.now.to_i < shutdown_at
+              if NewRelic::Security::Agent.config[:'security.scan_schedule.always_sample_traces']
+                NewRelic::Security::Agent.logger.info "Shutdown IAST Data transfer request processor only as 'security.scan_schedule.always_sample_traces' is #{NewRelic::Security::Agent.config[:'security.scan_schedule.always_sample_traces']} now at current time: #{Time.now}"
+                NewRelic::Security::Agent.agent.iast_client&.iast_data_transfer_request_processor_thread&.kill
+              else
+                NewRelic::Security::Agent.logger.info "Shutdown IAST agent now at current time: #{Time.now}"
+                ::NewRelic::Agent.notice_error(StandardError.new("WS Connection closed by local"))
+                NewRelic::Security::Agent.agent.shutdown_security_agent
+              end
+              break
+            end
+          end
+        end
+
+        def cron_expression_task(schedule, duration)
+          @cron_parser = NewRelic::Security::ParseCron::CronParser.new(schedule)
+          loop do
+            next_run = @cron_parser.next(Time.now)
+            NewRelic::Security::Agent.logger.info "Next init via cron exp: #{schedule},  is scheduled at : #{next_run}"
+            delay = next_run - Time.now
+            if NewRelic::Security::Agent.agent.iast_client&.iast_data_transfer_request_processor_thread&.alive?
+              sleep delay > 2 ? delay - 2 : delay
+            else
+              start_agent_with_delay(delay) 
+            end
+            return if duration <= 0
+          end
+        end
+        
+      end
+    end
+  end
+end

data/lib/newrelic_security/agent/control/websocket_client.rb

@@ -21,6 +21,8 @@ module NewRelic::Security
       NR_CSEC_ENTITY_NAME = 'NR-CSEC-ENTITY-NAME'
       NR_CSEC_ENTITY_GUID = 'NR-CSEC-ENTITY-GUID'
       NR_CSEC_IAST_DATA_TRANSFER_MODE = 'NR-CSEC-IAST-DATA-TRANSFER-MODE'
+      NR_CSEC_IGNORED_VUL_CATEGORIES = 'NR-CSEC-IGNORED-VUL-CATEGORIES'
+      NR_CSEC_PROCESS_START_TIME = 'NR-CSEC-PROCESS-START-TIME'
 
       class WebsocketClient
         include Singleton
@@ -43,6 +45,8 @@ module NewRelic::Security
           headers[NR_CSEC_ENTITY_NAME] = NewRelic::Security::Agent.config[:app_name]
           headers[NR_CSEC_ENTITY_GUID] = NewRelic::Security::Agent.config[:entity_guid]
           headers[NR_CSEC_IAST_DATA_TRANSFER_MODE] = PULL
+          headers[NR_CSEC_IGNORED_VUL_CATEGORIES] = ingnored_vul_categories.join(COMMA)
+          headers[NR_CSEC_PROCESS_START_TIME] = NewRelic::Security::Agent.config[:process_start_time]
 
           begin
             cert_store = ::OpenSSL::X509::Store.new
@@ -76,21 +80,26 @@ module NewRelic::Security
 
             connection.on :error do |e|
               NewRelic::Security::Agent.logger.error "Error in websocket connection : #{e.inspect} #{e.backtrace}"
+              ::NewRelic::Agent.notice_error(e)
               Thread.new { NewRelic::Security::Agent::Control::WebsocketClient.instance.close(true) }
             end
           rescue Errno::EPIPE => exception
             NewRelic::Security::Agent.logger.error "Unable to connect to validator_service: #{exception.inspect}"
+            ::NewRelic::Agent.notice_error(exception)
             NewRelic::Security::Agent.config.disable_security
           rescue Errno::ECONNRESET => exception
             NewRelic::Security::Agent.logger.error "Unable to connect to validator_service: #{exception.inspect}"
+            ::NewRelic::Agent.notice_error(exception)
             NewRelic::Security::Agent.config.disable_security
             Thread.new { NewRelic::Security::Agent.agent.reconnect(15) }
           rescue Errno::ECONNREFUSED => exception
             NewRelic::Security::Agent.logger.error "Unable to connect to validator_service: #{exception.inspect}"
+            ::NewRelic::Agent.notice_error(exception)
             NewRelic::Security::Agent.config.disable_security
             Thread.new { NewRelic::Security::Agent.agent.reconnect(15) }
           rescue => exception
             NewRelic::Security::Agent.logger.error "Exception in websocket init: #{exception.inspect} #{exception.backtrace}"
+            ::NewRelic::Agent.notice_error(exception)
             NewRelic::Security::Agent.config.disable_security
             Thread.new { NewRelic::Security::Agent.agent.reconnect(15) }
           end
@@ -125,6 +134,20 @@ module NewRelic::Security
           false
         end
 
+        private
+
+        def ingnored_vul_categories
+          list = []
+          list << FILE_OPERATION << FILE_INTEGRITY if NewRelic::Security::Agent.config[:'security.exclude_from_iast_scan.iast_detection_category.invalid_file_access']
+          list << SQL_DB_COMMAND if NewRelic::Security::Agent.config[:'security.exclude_from_iast_scan.iast_detection_category.sql_injection']
+          list << NOSQL_DB_COMMAND if NewRelic::Security::Agent.config[:'security.exclude_from_iast_scan.iast_detection_category.nosql_injection']
+          list << LDAP if NewRelic::Security::Agent.config[:'security.exclude_from_iast_scan.iast_detection_category.ldap_injection']
+          list << SYSTEM_COMMAND if NewRelic::Security::Agent.config[:'security.exclude_from_iast_scan.iast_detection_category.command_injection']
+          list << XPATH if NewRelic::Security::Agent.config[:'security.exclude_from_iast_scan.iast_detection_category.xpath_injection']
+          list << HTTP_REQUEST if NewRelic::Security::Agent.config[:'security.exclude_from_iast_scan.iast_detection_category.ssrf']
+          list << REFLECTED_XSS if NewRelic::Security::Agent.config[:'security.exclude_from_iast_scan.iast_detection_category.rxss']
+          list
+        end
       end
     end
   end

data/lib/newrelic_security/agent/utils/agent_utils.rb

@@ -15,8 +15,7 @@ module NewRelic::Security
       ASTERISK = '*'
 
       def is_IAST?
-        return false if NewRelic::Security::Agent.config[:policy].empty?
-        return NewRelic::Security::Agent.config[:policy][VULNERABILITY_SCAN][IAST_SCAN][ENABLED] if NewRelic::Security::Agent.config[:policy][VULNERABILITY_SCAN][ENABLED]
+        return true if NewRelic::Security::Agent.config[:mode] == IAST
         false
       end
 
@@ -36,10 +35,11 @@ module NewRelic::Security
               decrypted_data.split(COMMA).each do |filename|
                 begin
                   filename.gsub!(NR_CSEC_VALIDATOR_HOME_TMP, NewRelic::Security::Agent.config[:fuzz_dir_path])
+                  filename.gsub!(NR_CSEC_VALIDATOR_HOME_TMP_URL_ENCODED, NewRelic::Security::Agent.config[:fuzz_dir_path])
                   filename.gsub!(NR_CSEC_VALIDATOR_FILE_SEPARATOR, ::File::SEPARATOR)
                   dirname = ::File.dirname(filename)
                   ::FileUtils.mkdir_p(dirname, :mode => 0770) unless ::File.directory?(dirname)
-                  ctxt&.fuzz_files << filename
+                  ctxt&.fuzz_files&.<< filename
                   ::File.open(filename, ::File::WRONLY | ::File::CREAT | ::File::EXCL) do |fd|
                       # puts "Ownership acquired by : #{Process.pid}"
                   end unless ::File.exist?(filename)
@@ -95,7 +95,8 @@ module NewRelic::Security
 
       def get_app_routes(framework, router = nil)
         enable_object_space_in_jruby
-        if framework == :rails
+        case framework
+        when :rails
           ::Rails.application.routes.routes.each do |route|
             if route.verb.is_a?(::Regexp)
               method = route.verb.inspect.match(/[a-zA-Z]+/)
@@ -106,27 +107,31 @@ module NewRelic::Security
               }
             end
           end
-        elsif framework == :sinatra
+        when :sinatra
           ::Sinatra::Application.routes.each do |method, routes|
             routes.map { |r| r.first.to_s }.map do |route|
               NewRelic::Security::Agent.agent.route_map << "#{method}@#{route}"
             end
           end
-        elsif framework == :grape
+        when :grape
           ObjectSpace.each_object(::Grape::Endpoint) { |z|
             z.instance_variable_get(:@routes)&.each { |route|
-              http_method = route.instance_variable_get(:@request_method) ? route.instance_variable_get(:@request_method) : route.instance_variable_get(:@options)[:method]
+              http_method = route.instance_variable_get(:@request_method) || route.instance_variable_get(:@options)[:method]
               NewRelic::Security::Agent.agent.route_map << "#{http_method}@#{route.pattern.origin}"
             }
           }
-        elsif framework == :padrino
+        when :padrino
           if router.instance_of?(::Padrino::PathRouter::Router)
             router.instance_variable_get(:@routes).each do |route|
               NewRelic::Security::Agent.agent.route_map << "#{route.instance_variable_get(:@verb)}@#{route.matcher.instance_variable_get(:@path)}"
             end
           end
-        elsif framework == :roda
+        when :roda
           NewRelic::Security::Agent.logger.warn "TODO: Roda is a routing tree web toolkit, which generates route dynamically, hence route extraction is not possible."
+        when :grpc
+          router.owner.superclass.public_instance_methods(false).each do |m|
+            NewRelic::Security::Agent.agent.route_map << "*@/#{router.owner}/#{m}"
+          end
         else
           NewRelic::Security::Agent.logger.error "Unable to get app routes as Framework not detected"
         end

data/lib/newrelic_security/constants.rb

@@ -7,6 +7,7 @@ module NewRelic::Security
   LANGUAGE_COLLECTOR = 'LANGUAGE_COLLECTOR'
   STANDARD_OUT = 'STDOUT'
   NR_CSEC_VALIDATOR_HOME_TMP = '{{NR_CSEC_VALIDATOR_HOME_TMP}}'
+  NR_CSEC_VALIDATOR_HOME_TMP_URL_ENCODED = '%7B%7BNR_CSEC_VALIDATOR_HOME_TMP%7D%7D'
   NR_CSEC_VALIDATOR_FILE_SEPARATOR = '{{NR_CSEC_VALIDATOR_FILE_SEPARATOR}}'
   SEC_HOME_PATH = 'nr-security-home'
   LOGS_DIR = 'logs'
@@ -16,6 +17,7 @@ module NewRelic::Security
   NR_CSEC_FUZZ_REQUEST_ID = 'nr-csec-fuzz-request-id'
   NR_CSEC_TRACING_DATA = 'nr-csec-tracing-data'
   NR_CSEC_PARENT_ID = 'nr-csec-parent-id'
+  IAST = 'IAST'
   COLON_IAST_COLON = ':IAST:'
   NOSQL_DB_COMMAND = 'NOSQL_DB_COMMAND'
   SQL_DB_COMMAND = 'SQL_DB_COMMAND'
@@ -62,6 +64,4 @@ module NewRelic::Security
   CONTENT_TYPE1 = 'content-Type'
   PULL = 'PULL'
   SHA1 = 'sha1'
-  VULNERABILITY_SCAN = 'vulnerabilityScan'
-  IAST_SCAN = 'iastScan'
 end

data/lib/newrelic_security/instrumentation-security/async-http/instrumentation.rb

@@ -6,22 +6,11 @@ module NewRelic::Security
   module Instrumentation
     module AsyncHttp
 
-      def call_on_enter(method, url, headers, body)
+      def call_on_enter(_method, url, headers, _body)
         event = nil
         NewRelic::Security::Agent.logger.debug "OnEnter : #{self.class}.#{__method__}"
-        ob = {}
-        ob[:Method] = method
         uri = ::URI.parse url
-        ob[:scheme]  = uri.scheme
-        ob[:host]    = uri.host
-        ob[:port]    = uri.port
-        ob[:URI]     = uri.to_s
-        ob[:path]    = uri.path
-        ob[:query]   = uri.query
-        ob[:Body] = body.respond_to?(:join) ? body.join.to_s : body.to_s
-        ob[:Headers] = headers.to_h
-        ob.each { |_, value| value.dup.force_encoding(ISO_8859_1).encode(UTF_8) if value.is_a?(String) }
-        event = NewRelic::Security::Agent::Control::Collector.collect(HTTP_REQUEST, [ob])
+        event = NewRelic::Security::Agent::Control::Collector.collect(HTTP_REQUEST, [uri.to_s])
         NewRelic::Security::Instrumentation::InstrumentationUtils.append_tracing_data(headers, event) if event
         event
       rescue => exception

data/lib/newrelic_security/instrumentation-security/curb/instrumentation.rb

@@ -12,20 +12,7 @@ module NewRelic::Security
         self.requests.each {
           |key, req|
           uri = NewRelic::Security::Instrumentation::InstrumentationUtils.parse_uri(req.url)
-          ob = {}
-          if uri
-            ob[:Method]  = nil
-            ob[:scheme]  = uri.scheme
-            ob[:host]    = uri.host
-            ob[:port]    = uri.port
-            ob[:URI]     = uri.to_s
-            ob[:path]    = uri.path
-            ob[:query]   = uri.query
-            ob[:Body]    = req.post_body
-            ob[:Headers] = req.headers
-            ob.each { |_, value| value.dup.force_encoding(ISO_8859_1).encode(UTF_8) if value.is_a?(String) }
-            ic_args.push(ob)
-          end
+          ic_args.push(uri.to_s) if uri
         }
         event = NewRelic::Security::Agent::Control::Collector.collect(HTTP_REQUEST, ic_args)
         self.requests.each { |key, req| NewRelic::Security::Instrumentation::InstrumentationUtils.add_tracing_data(req.headers, event) } if event

data/lib/newrelic_security/instrumentation-security/ethon/chain.rb

@@ -7,12 +7,6 @@ module NewRelic::Security
             ::Ethon::Easy.class_eval do
               include NewRelic::Security::Instrumentation::Ethon::Easy
 
-              alias_method :fabricate_without_security, :fabricate
-    
-              def fabricate(url, action_name, options)
-                fabricate_on_enter(url, action_name, options) { return fabricate_without_security(url, action_name, options) }
-              end
-
               alias_method(:headers_equals_without_security, :headers=)
     
               def headers=(headers)