# Java Agent Release Notes
## Version 2.1.2
Released June 7th, 2018
* Fixes
  - Fix JSP include in ignored templates

## Version 2.1.1
Released June 5th, 2018
* Fixes
  - Fix occasional compilation issues with `<% ... %>` in JSP pages

## Version 2.1.0
Released May 16th, 2018
* New Features
  - Add ignoreTemplates config
* Improvements
  - Reduce size of XSS instrumentation code

## Version 2.0.7
Released March 2nd, 2018
* New Features
  - Multi-apps support on all supported servers

## Version 2.0.6
Released February 7th, 2018
* New Features
  - Added support for XSS code protection with WebSphere 8.5 and 9

## Version 2.0.5
Released January 26th, 2018
* New Features
  - Added support for WebSphere 8.5 and 9
    Note: XSS code protection is not yet supported for WebSphere

## Version 2.0.4
Released January 12th, 2018
* New Features
  - Stateless security algorithm for SQLi
  - Windows support
  - Added support for HSQLDB 2+
  - Enable context IDs for RCE and FileIO code change
* Improvements
  - Agent instrumentation reporting status even when not all SQLi features are hooked
* Fixes
  - Prevent crash and log error when log file cannot be created
  - Catch Java non-checked exceptions in runHook
  - Template rendering when pushBody is used
  - Fix issue with `<c:set>` tag in JSP templates

## Version 1.8.0
Released April 10th, 2017
* New Features
  - Support for Struts Framework
  - Support for Remote Method Invocation (RMI)
  - Support for agent level alert logging
  - Support for captcha with single page applications
  - Enable overriding response code for captcha
* Improvements
  - Improved the algorithm for computing application code location
    - Important note: Upgrading to this agent version may cause new contexts to be generated for code protection
  - Enhancements to the detection and protection for SQLi
  - Enhancements to protection for application code change
  - Enhancements to the detection and protection for HTTP Headers

## Version 1.7.0
Released April 10th, 2017
* New Features
  - Scala Twirl template engine support for XSS
  - Custom Events API
  - Enhanced learning algorithm capabilities for code protection
* Improvements
  - Enhancements to agent instrumentation reporting
  - Defaults trust store to the bundled one
* Fixes
  - Request completion instrumentation was being invoked prematurely on JSP include

## Version 1.5.0
Released March 2, 2017
* Improvements
  - Log environment information on startup
  - New hook framework_input_params
  - Change the framework_session hook until the session is requested
  - XSS param improvements
  - Separate do_mitigation from policy stuff
  - Accept percent-encoded commas in secure_permit
  - Disable fencing for file_io and shell_io by default
* New Features
  - Add custom_event policy handler for agent actions
  - Scala Play framework support (except for XSS)
  - Support for ModelAndView and View redirect in Spring
  - Added inline_captcha mitigation
  - XSS Code change detection
* Fixes
  - Switched captcha response to 403 instead of 200
  - Don't mitigate custom events to whitelisted IPs
  - Fix for SQLi degraded mode

## Version 1.4.0
Released February 9, 2017
* Fixes
  - Changes to avoid double markers in XSS instrumentation and exceptions
  - Schema fixes

## Version 1.3.0
Released February 8, 2017
* Improvements
  - Report Finagle MySQL hooks in a separate plugin
  - Bump HTTP timeouts in test to 60 sec
  - Support configuring the proxy settings in the immunio configuration:
    - httpProxyHost
    - httpProxyPort
  - Allow multiple Set-Cookie headers to be added
  - Separate CAPTCHA challenge vs verify URLs
  - Use the suspicious_payload feature name for blocking
  - Centralize learning code and add limits
  - msys aliased to mingw
* New Features
  - Support for CentOS 6
  - Support for running on OSX 10.12
  - Introduce support for template rendering API
  - Add ability to set client-side captcha parameters
  - Add IP whitelist
  - Added agents timing telemetry
  - Added function to set report flag and reason
* Fixes
  - Fixed issue where tracking config can incorrectly stop a report

## Version 1.2.0
Released January 11, 2017
* Improvements
  - Changes to make Code Protection plugins disabled by default
  - Added logging of bytesize in channel
* Fixes
  - Fixes for polling interval to poll multiple times a second rather than every 10 seconds
  - Drop messages that cannot fit in reports

## Version 1.1.1
* Improvements
  - Agent Lua updates
* Fixes
  - Fixes to XSS JSP code instrumentation so that the Java agent works with the New Relic agent

## Version 0.8.0
* Improvements
  - Instrumentation report includes:
    - Disabled state
    - Hooks installed
  - Enhancements to support for Scala with asynchronous messaging
  - Route name provided with JSP page only, and no Spring
* New Features
  - Add HTTP header information for mitigated and agent threat
* Enhancements
  - Performance improvements
  - Fast SHA1 implementation

## Version 0.7.0
* Improvements
  - Add support for tracking template vars (for XSS) inside `<% ... %>` in JSP
  - Ensure http_response_start runs before template_render_done
  - Update spring-tests hooks.csv
  - Support for Scala/Finagle:
  - Improve NettyHooksIT http_response_start assertions
  - Move Netty's http_response_start hook to ChannelHandlerContext
  - Ensure Netty's http_request_start only runs once
  - Restructure Netty hooks to fix overridden response errors
  - Add more exception hooks in Netty and tests
  - Add exception hook for Finagle
  - Run Netty's http_request_finish at the very end of the request
  - Implement http_* hooks for Netty
  - Add remaining hooks for Finagle MySQL client
  - Add support for framework_redirect in Finatra
  - Add framework_route hook for Finatra
  - Support for Windows:
    - Unixify paths passed to file_io
    - Update Lua version
* Fixes
  - Fix SQLi degraded `get_wl_mode` check
  - Fix var leak in validations union function
  - Add missing connection_uuid to SQL display_meta schema
  - Fix for blacklist bug
* New Features
  - Add the required global to sha1
  - Support for MongoDB SQL
  - Add an expected_command to shell_io display_meta
  - Disable missing-CSRF reporting by default
  - Add httpoxy detection as Suspicious HTTP Header
  - Allow relative redirects
  - Add more basic URL query parsing
  - Add context-based whitelisting to XSS patterns
  - Handle context-based SQLi degraded mode
  - Add RCE context-based whitelisting
  - Restore fencing
  - Returning maps from systemTests and agentTimings
  - File IO read blacklist
  - Make verb tamper always allow GET and POST
  - Tracking cookie includes fingerprint of IP and user agent

## Version 0.6.0
Released August 24, 2016
* Improvements
  - Improved support for applications that do not use Spring MVC
  - If route is not available, code vulnerabilities use servlet class name instead of route name
  - Agent collects data about successful framework hooks
  - Updated core agent logic
* Fixes
  - Improved IP address support
  - Improved precision for reporting of File Access threats

## Version 0.5.0
Released May 10, 2016
* Improvements
  - Enable override of metadata from config
  - Lower the logging level for method not present
  - Added support for H2 and HSQLDB
  - Fix for functionality related to config pluginsDisabled
  - Fix to prevent attempting to instrument interfaces
  - Improved instrumentation of Tomcat for OverrideResponseException
  - Processing optimization for SQL ignored queries
  - Processing optimization, compute context and stack only when running hooks
  - Updated version of algorithms supported
  - Memory optimizations
  - XSS template cache validation on agent version changes
  - Add robustness to method
  - Renaming of Java package for immun.io
  - Fix template_sha not set for vars inside included templates
  - Added support for Jasper v8
  - Generate route name from Spring Controller methods
  - Added whitelisting support

## Version 0.4.0
Released April 9, 2016
  - First release