When a security scan is performed, it reports back vulnerabilities for the New Relic Java agent (
While any software product has the potential to have security vulnerabilities, the New Relic Java agent may be erroneously identified by security products that scan for certain string patterns in files due to instrumentation jar files that are a part of the agent.
The modules in the
instrumentation package are named after the software frameworks they are designed to instrument. They are packaged as JAR files inside the agent jar file,
newrelic.jar. Some security scanning tools detect these names and interpret them as being the actual software framework itself, when it's just an instrumentation module.
Warnings for all jar files within the
newrelic.jar file are false positives, and should be suppressed.
Suppress the false positive warnings coming from the
instrumentation package in the
newrelic.jar file with your scanning tool, including all JAR files whose names match the modules listed in the New Relic Java agent repository.
For example, false positives discovered by the
DependencyCheck project at github.com/jeremylong/DependencyCheck can be suppressed with:
<suppress><notes><![CDATA[newrelic-agent false positives due to the instrumentation package]]></notes><filePath regex="true">.*newrelic-agent-.*\.jar[\\\/]instrumentation.*\.jar</filePath><cpe regex="true">.*</suppress>
Consult your security scan vendor for the appropriate configuration to suppress false positives.