Problem
When a security scan is performed, it reports back vulnerabilities for the New Relic Java agent (newrelic.jar
).
Cause
While any software product has the potential to have security vulnerabilities, the New Relic Java agent may be erroneously identified by security products that scan for certain string patterns in files due to instrumentation jar files that are a part of the agent.
The modules in the instrumentation
package are named after the software frameworks they are designed to instrument. They are packaged as JAR files inside the agent jar file, newrelic.jar
. Some security scanning tools detect these names and interpret them as being the actual software framework itself, when it's just an instrumentation module.
Warnings for all jar files within the newrelic.jar
file are false positives, and should be suppressed.
Solution
Suppress the false positive warnings coming from the instrumentation
package in the newrelic.jar
file with your scanning tool, including all JAR files whose names match the modules listed in the New Relic Java agent repository.
For example, false positives discovered by the DependencyCheck
project at github.com/jeremylong/DependencyCheck can be suppressed with:
<suppress> <notes><![CDATA[newrelic-agent false positives due to the instrumentation package]]></notes> <filePath regex="true">.*newrelic-agent-.*\.jar[\\\/]instrumentation.*\.jar</filePath> <cpe regex="true">.*</suppress>
Consult your security scan vendor for the appropriate configuration to suppress false positives.