Merge branch 'security-agent-support' into refactor/security-agent-su…

…pport
newrelic · Feb 21, 2025 · a5afe89 · a5afe89
2 parents f0c3fde + 084453d
commit a5afe89
Show file tree

Hide file tree

Showing 412 changed files with 19,775 additions and 1,531 deletions.
diff --git a/.github/actions/ubuntu16-build-action/Dockerfile b/.github/actions/ubuntu16-build-action/Dockerfile
diff --git a/.github/actions/ubuntu16-build-action/action.yml b/.github/actions/ubuntu16-build-action/action.yml
diff --git a/.github/actions/ubuntu16-build-action/build.sh b/.github/actions/ubuntu16-build-action/build.sh
diff --git a/.github/actions/ubuntu18-build-action/Dockerfile b/.github/actions/ubuntu18-build-action/Dockerfile
diff --git a/.github/actions/ubuntu18-build-action/action.yml b/.github/actions/ubuntu18-build-action/action.yml
diff --git a/.github/actions/ubuntu18-build-action/build.sh b/.github/actions/ubuntu18-build-action/build.sh
diff --git a/.github/actions/ubuntu20-build-action/Dockerfile b/.github/actions/ubuntu20-build-action/Dockerfile
diff --git a/.github/actions/ubuntu20-build-action/action.yml b/.github/actions/ubuntu20-build-action/action.yml
diff --git a/.github/actions/ubuntu20-build-action/build.sh b/.github/actions/ubuntu20-build-action/build.sh
diff --git a/.github/workflows/code-coverage-baseline.yml b/.github/workflows/code-coverage-baseline.yml
@@ -69,7 +69,7 @@ jobs:
       matrix:
         platform: [gnu, musl]
         arch: [amd64]
-        php: ['7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
+        php: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
         include:
           - codecov: 0
           - platform: gnu
@@ -147,7 +147,7 @@ jobs:
       matrix:
         platform: [gnu, musl]
         arch: [amd64]
-        php: ['7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
+        php: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
         include:
           - codecov: 0
           - platform: gnu

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -16,7 +16,7 @@ jobs:
     #   - https://gh.io/supported-runners-and-hardware-resources
     #   - https://gh.io/using-larger-runners
     # Consider using larger runners for possible analysis time improvements.
-    runs-on: 'ubuntu-latest'
+    runs-on: 'ubuntu-22.04'
     timeout-minutes: 360
     permissions:
       # required for all workflows

diff --git a/.github/workflows/issue-comment.yml b/.github/workflows/issue-comment.yml
@@ -25,4 +25,4 @@ jobs:
     steps:
       - name: respond to issue
         run: |
-          gh issue comment ${{ inputs.issue-number }} --body "${{ inputs.message }}"
+          gh issue -R ${{ github.repository }} comment ${{ inputs.issue-number }} --body "${{ inputs.message }}"
diff --git a/.github/workflows/make-agent.yml b/.github/workflows/make-agent.yml
@@ -32,7 +32,7 @@ jobs:
     strategy:
       matrix:
         platform: [gnu, musl]
-        php: ['8.0', '8.1', '8.2', '8.3']
+        php: ['8.0', '8.1', '8.2', '8.3', '8.4']
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4

diff --git a/.github/workflows/make-integration-tests.yml b/.github/workflows/make-integration-tests.yml
@@ -34,7 +34,7 @@ jobs:
       fail-fast: true
       matrix:
         platform: [gnu, musl]
-        php: ['8.0', '8.1', '8.2', '8.3']
+        php: ['8.0', '8.1', '8.2', '8.3', '8.4']
     steps:
       - name: Checkout integration tests
         uses: actions/checkout@v4

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -0,0 +1,49 @@
+name: Security scan
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+  schedule:
+    - cron: '0 0 * * 0' # Every Sunday at 12:00 AM
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout newrelic-php-agent code
+        uses: actions/checkout@v4
+        with:
+          path: php-agent
+      - name: Run Trivy in table mode
+        # Table output is only useful when running on a pull request or push.
+        if: contains(fromJSON('["push", "pull_request"]'), github.event_name)
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
+          trivyignores: ./php-agent/.trivyignore
+          format: table
+          exit-code: 1
+
+      - name: Run Trivy in report mode
+        # Only generate sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
+          trivyignores: ./php-agent/.trivyignore
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        # Only upload sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          checkout_path: ./php-agent
+          sarif_file: trivy-results.sarif
diff --git a/.github/workflows/test-agent.yml b/.github/workflows/test-agent.yml
@@ -19,6 +19,64 @@ on:
   pull_request:
 
 jobs:
+  gofmt-check:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: Checkout newrelic-php-agent code
+        uses: actions/checkout@v4
+        with:
+          path: php-agent
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: ./php-agent/daemon/go.mod
+          cache: false
+      - name: Display go version
+        run: |
+          go version
+      - name: Run gofmt
+        run: |
+          GOFMT_REPORTED_FILES="$(gofmt -l -e ./php-agent/daemon)"
+          if [ ! -z "$GOFMT_REPORTED_FILES" ]; then
+            gofmt -d -e ./php-agent/daemon
+            echo "### gofmt violations found in $(echo "$GOFMT_REPORTED_FILES" | wc -l) files" >> $GITHUB_STEP_SUMMARY
+            echo "$GOFMT_REPORTED_FILES" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+  govet:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: Checkout newrelic-php-agent code
+        uses: actions/checkout@v4
+        with:
+          path: php-agent
+      - name: Get go version
+        id: get-go-version
+        run: |
+          echo "go toolchain version required to build the daemon:"
+          toolchain="$(awk '/^toolchain */ {gsub(/^go/, "", $2); print $2}' ./php-agent/daemon/go.mod)"
+          echo "[${toolchain}]"
+          echo "go-toolchain-version=${toolchain}" >> $GITHUB_OUTPUT
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.get-go-version.outputs.go-toolchain-version }}
+          cache-dependency-path: "**/*.sum"
+      - name: Verify go version
+        run: |
+          echo "Verify correct go toolchain version is used"
+          actual="$(go version)"
+          echo "Actual: [$actual]"
+          expected="go version go${{ steps.get-go-version.outputs.go-toolchain-version }} linux/amd64"
+          echo "Expected: [$expected]"
+          if [ "$actual" != "$expected" ]; then
+            exit 1
+          fi
+      - name: Run go vet
+        run: go vet -C ./php-agent/daemon ./...
+        shell: bash
   daemon-unit-tests:
     runs-on: ubuntu-latest
     env:
@@ -72,12 +130,8 @@ jobs:
       matrix:
         platform: [gnu, musl]
         arch: [amd64, arm64]
-        php: ['7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
+        php: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
         exclude:
-          - arch: arm64
-            php: '7.0'
-          - arch: arm64
-            php: '7.1'
           - arch: arm64
             php: '7.2'
           - arch: arm64
@@ -117,9 +171,7 @@ jobs:
             echo "AGENT_CHECK_VARIANT=check" >> $GITHUB_OUTPUT
           elif [[ ${{ matrix.platform }} = 'gnu' ]]; then
             echo "AGENT_CHECK_VARIANT=valgrind" >> $GITHUB_OUTPUT
-          elif [[ ${{matrix.php}} = '7.0' || ${{matrix.php}} = '7.1' ]]; then
-            echo "AGENT_CHECK_VARIANT=check" >> $GITHUB_OUTPUT
-          else 
+          else
             echo "AGENT_CHECK_VARIANT=valgrind" >> $GITHUB_OUTPUT
           fi
       - name: Build axiom
@@ -174,6 +226,7 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: agent.gcov-${{matrix.platform}}-${{matrix.arch}}-${{matrix.php}}
+          include-hidden-files: true
           path: php-agent/agent/.libs/*.gc*
   integration-tests:
     needs: [daemon-unit-tests, agent-unit-test]
@@ -183,12 +236,8 @@ jobs:
       matrix:
         platform: [gnu, musl]
         arch: [amd64, arm64]
-        php: ['7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
+        php: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
         exclude:
-          - arch: arm64
-            php: '7.0'
-          - arch: arm64
-            php: '7.1'
           - arch: arm64
             php: '7.2'
           - arch: arm64

diff --git a/.github/workflows/trigger-test-suite.yml b/.github/workflows/trigger-test-suite.yml
@@ -8,11 +8,11 @@ on:
   pull_request:
 
 jobs:
-  trigger-multiverse-tests:
+  trigger-test-suite:
     runs-on: ubuntu-latest
     env:
       GH_TOKEN: ${{ secrets.TEST_SUITE_REPO_GH_TOKEN }}
     steps:
-      - name: Trigger Multiverse Test Suite
+      - name: Trigger Test Suite
         run: |
           gh workflow run -R ${{ secrets.TEST_SUITE_REPO }} ${{ secrets.TEST_SUITE_WORKFLOW }} -f agent_git_ref=${{ github.head_ref }} -f pr-number=${{ github.event.number }}
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,2 @@
+# Ignore missing HEALTHCHECK in Dockerfile - devenv service from files/Dockerfile doesn't need it:
+AVD-DS-0026
diff --git a/Makefile b/Makefile
@@ -475,25 +475,28 @@ test-services-stop:
 # Docker Development Environment
 #
 
-dev-shell:
-	docker compose --profile dev up --build --remove-orphans -d
-	docker exec -it agent-devenv bash -c "sh files/set_path.sh ; bash"
+devenv-image:
+	@docker compose --profile dev build devenv
 
-dev-build:
-	docker compose --profile dev up --build --remove-orphans -d
-	docker exec -it agent-devenv bash -c "sh files/set_path.sh ; make -j4 all"
+dev-shell: devenv-image
+	docker compose --profile dev up --pull missing --remove-orphans -d
+	docker compose exec -it devenv bash -c "sh files/set_path.sh ; bash"
 
-dev-unit-tests:
-	docker compose --profile dev up --build --remove-orphans -d
-	docker exec -it agent-devenv bash -c "sh files/set_path.sh ; make -j4 valgrind"
+dev-build: devenv-image
+	docker compose --profile dev up --pull missing --remove-orphans -d
+	docker compose exec -it devenv bash -c "sh files/set_path.sh ; make -j4 all"
 
-dev-integration-tests:
-	docker compose --profile dev up --build --remove-orphans -d
-	docker exec -it agent-devenv bash -c "sh files/set_path.sh ; ./bin/integration_runner -agent ./agent/.libs/newrelic.so"
+dev-unit-tests: devenv-image
+	docker compose --profile dev up --pull missing --remove-orphans -d
+	docker compose exec -it devenv bash -c "sh files/set_path.sh ; make -j4 valgrind"
 
-dev-all:
-	docker compose --profile dev up --build --remove-orphans -d
-	docker exec -it agent-devenv bash -c "sh files/set_path.sh ; make -j4 all valgrind; ./bin/integration_runner -agent ./agent/.libs/newrelic.so"
+dev-integration-tests: devenv-image
+	docker compose --profile dev up --pull missing --remove-orphans -d
+	docker compose exec -it devenv bash -c "sh files/set_path.sh ; ./bin/integration_runner -agent ./agent/.libs/newrelic.so"
+
+dev-all: devenv-image
+	docker compose --profile dev up --pull missing --remove-orphans -d
+	docker compose exec -it devenv bash -c "sh files/set_path.sh ; make -j4 all valgrind; ./bin/integration_runner -agent ./agent/.libs/newrelic.so"
 
 dev-stop:
 	docker compose --profile dev stop

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-10.21.0
+11.6.0
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Ignore missing HEALTHCHECK in Dockerfile - devenv service from files/Dockerfile doesn't need it:
		AVD-DS-0026