security: Bumped minimum version of security agent (#3713)

Co-authored-by: Bob Evans <revans@newrelic.com>

Author: jsumners-nr

THIRD_PARTY_NOTICES.md

@@ -3,4 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-export * from 'import-in-the-middle/hook.mjs'
+// eslint-disable-next-line n/no-unsupported-features/node-builtins
+import { register } from 'node:module'
+
+register('import-in-the-middle/hook.mjs', import.meta.url, {})

esm-loader.mjs

@@ -296,7 +296,6 @@ module.exports = function initialize(shim, when) {
         ret = agent.tracer.bindFunction(fn, context, true).apply(this, arguments)
       } finally {
         if (ret && typeof ret.then === 'function') {
-          // eslint-disable-next-line sonarjs/no-dead-store
           ret = ctx.next[symbols.context].continue(ret)
         }
       }

lib/instrumentation/when/index.js

@@ -203,7 +203,7 @@
   "dependencies": {
     "@grpc/grpc-js": "^1.13.2",
     "@grpc/proto-loader": "^0.7.5",
-    "@newrelic/security-agent": "^2.4.2",
+    "@newrelic/security-agent": "^2.4.4",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/core": "^2.0.0",
     "@opentelemetry/exporter-metrics-otlp-proto": "^0.201.1",

package.json

@@ -9,6 +9,7 @@ const helper = require('../../lib/agent_helper')
 const test = require('node:test')
 const assert = require('node:assert')
 const symbols = require('../../../lib/symbols')
+const nock = require('nock')
 
 test('external requests', async function (t) {
   t.beforeEach((ctx) => {
@@ -102,10 +103,15 @@ test('external requests', async function (t) {
       let connectChildren = tx.trace.getChildren(connect.id)
       assert.equal(connectChildren.length, 1, 'connect should have 1 child')
 
+      // as of Node 24.5.0 there's yet another layer of net segments
+      if (connectChildren[0].name === 'net.createConnection') {
+        connectChildren = tx.trace.getChildren(connectChildren[0].id)
+      }
       // There is potentially an extra layer of create/connect segments.
       if (connectChildren[0].name === 'net.Socket.connect') {
         connect = connectChildren[0]
       }
+
       connectChildren = tx.trace.getChildren(connect.id)
 
       const dnsLookup = connectChildren[0]
@@ -159,42 +165,15 @@ test('external requests', async function (t) {
     })
   })
 
-  await t.test('should not duplicate the external segment', function (t, end) {
-    const { agent } = t.nr
-    const https = require('https')
-
-    helper.runInTransaction(agent, function inTransaction() {
-      https.get('https://example.com:443/', function onResponse(res) {
-        res.once('end', check)
-        res.resume()
-      })
-    })
-
-    function check() {
-      const tx = agent.getTransaction()
-      const [segment] = tx.trace.getChildren(tx.trace.root.id)
-
-      assert.equal(segment.name, 'External/example.com/', 'should be named')
-      assert.ok(segment.timer.start, 'should have started')
-      assert.ok(segment.timer.hasEnd(), 'should have ended')
-      const segmentChildren = tx.trace.getChildren(segment.id)
-      assert.equal(segmentChildren.length, 1, 'should have 1 child')
-
-      const notDuped = segmentChildren[0]
-      assert.notEqual(
-        notDuped.name,
-        segment.name,
-        'child should not be named the same as the external segment'
-      )
-
-      end()
-    }
-  })
-
   await t.test('NODE-1647 should not interfere with `got`', { timeout: 5000 }, function (t, end) {
     const { agent } = t.nr
     // Our way of wrapping HTTP response objects caused `got` to hang. This was
     // resolved in agent 2.5.1.
+    nock.disableNetConnect()
+    t.after(() => {
+      nock.enableNetConnect()
+    })
+    nock('https://example.com').get('/').reply(200)
     const got = require('got')
     helper.runInTransaction(agent, function () {
       const req = got('https://example.com/')
@@ -215,8 +194,13 @@ test('external requests', async function (t) {
 
   await t.test('should record requests to default ports', (t, end) => {
     const { agent, http } = t.nr
+    nock.disableNetConnect()
+    t.after(() => {
+      nock.enableNetConnect()
+    })
+    nock('http://example.com').get('/').reply(200)
     helper.runInTransaction(agent, (tx) => {
-      http.get('http://example.com', (res) => {
+      http.get('http://example.com/', (res) => {
         res.resume()
         res.on('end', () => {
           const [segment] = tx.trace.getChildren(tx.trace.root.id)
@@ -229,9 +213,14 @@ test('external requests', async function (t) {
 
   await t.test('should expose the external segment on the http request', (t, end) => {
     const { agent, http } = t.nr
+    nock.disableNetConnect()
+    t.after(() => {
+      nock.enableNetConnect()
+    })
+    nock('http://example.com').get('/').reply(200)
     helper.runInTransaction(agent, (tx) => {
       let reqSegment = null
-      const req = http.get('http://example.com', (res) => {
+      const req = http.get('http://example.com/', (res) => {
         res.resume()
         res.on('end', () => {
           const [segment] = tx.trace.getChildren(tx.trace.root.id)

test/integration/instrumentation/http-outbound.test.js

@@ -119,11 +119,9 @@ test('sends metrics', { timeout: 5_000 }, async (t) => {
   assert.equal(found.length, 1)
   let metric = found[0]
   assert.equal(metric.name, 'test-counter')
-  assert.equal(metric.sum.dataPoints.length, 2)
+  assert.equal(metric.sum.dataPoints.length, 1)
   assert.equal(metric.sum.dataPoints[0].attributes[0].key, 'ready')
   assert.deepEqual(metric.sum.dataPoints[0].attributes[0].value, { stringValue: 'no' })
-  assert.equal(metric.sum.dataPoints[1].attributes[0].key, 'ready')
-  assert.deepEqual(metric.sum.dataPoints[1].attributes[0].value, { stringValue: 'yes' })
 
   await once(server, 'requestComplete')
   payload = requestSchema.decode(
@@ -134,9 +132,11 @@ test('sends metrics', { timeout: 5_000 }, async (t) => {
   assert.deepEqual(resource.attributes[0].value, { stringValue: 'guid-123456' })
   metric = payload.resourceMetrics[0].scopeMetrics[0].metrics[0]
   assert.equal(metric.name, 'test-counter')
-  assert.equal(metric.sum.dataPoints.length, 1)
-  assert.equal(metric.sum.dataPoints[0].attributes[0].key, 'otel')
+  assert.equal(metric.sum.dataPoints.length, 2)
+  assert.equal(metric.sum.dataPoints[0].attributes[0].key, 'ready')
   assert.deepEqual(metric.sum.dataPoints[0].attributes[0].value, { stringValue: 'yes' })
+  assert.equal(metric.sum.dataPoints[1].attributes[0].key, 'otel')
+  assert.deepEqual(metric.sum.dataPoints[1].attributes[0].value, { stringValue: 'yes' })
 
   const supportMetrics = agent.metrics._metrics.unscoped
   const expectedMetricNames = [

test/integration/otel/metrics.test.js

@@ -32,11 +32,11 @@ const selfCert = require('self-cert')
  */
 module.exports = function fakeCert({ commonName = null } = {}) {
   const cert = selfCert({
-    // We set the certificate bits to 1,024 because we don't need 4,096 bit
+    // We set the certificate bits to 2,048 because we don't need 4,096 bit
     // certificates for tests. This speeds up certificate generation time by
     // a significant amount, and thus speeds up tests that rely on these
     // certificates.
-    bits: 1_024,
+    bits: 2_048,
     attrs: {
       commonName,
       stateName: 'Georgia',

test/lib/fake-cert.js

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2026 New Relic Corporation. All rights reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+'use strict'
+
+module.exports = readPackageVersion
+
+const fs = require('node:fs')
+const path = require('node:path')
+
+/**
+ * Used to get version from package.json.
+ * Some packages define exports and omit `package.json` so `require` or `import`
+ * will fail when trying to read package.json. This instead just reads file and parses to json
+ *
+ * @param {string} dirname value of `__dirname` in caller
+ * @param {string} pkg name of package
+ * @returns {string} package version
+ */
+function readPackageVersion(dirname, pkg) {
+  const parsedPath = path.join(dirname, 'node_modules', pkg, 'package.json')
+  const packageFile = fs.readFileSync(parsedPath)
+  const { version } = JSON.parse(packageFile.toString())
+  return version
+}

test/lib/read-package-version.js

@@ -8,10 +8,11 @@ const assert = require('node:assert')
 const test = require('node:test')
 const DatastoreShim = require('../../../lib/shim/datastore-shim')
 const helper = require('../../lib/agent_helper')
-const https = require('https')
+const http = require('http')
 const SpanEvent = require('../../../lib/spans/span-event')
 const DatastoreParameters = require('../../../lib/shim/specs/params/datastore')
 const { QuerySpec } = require('../../../lib/shim/specs')
+const nock = require('nock')
 
 test('#constructor() should construct an empty span event', () => {
   const attrs = {}
@@ -43,6 +44,7 @@ test('#constructor() should construct an empty span event', () => {
 
 test('fromSegment()', async (t) => {
   t.beforeEach((ctx) => {
+    nock.disableNetConnect()
     ctx.nr = {}
     ctx.nr.agent = helper.instrumentMockedAgent({
       distributed_tracing: {
@@ -52,6 +54,7 @@ test('fromSegment()', async (t) => {
   })
 
   t.afterEach((ctx) => {
+    nock.enableNetConnect()
     helper.unloadAgent(ctx.nr.agent)
   })
 
@@ -132,8 +135,9 @@ test('fromSegment()', async (t) => {
     helper.runInTransaction(agent, (transaction) => {
       transaction.sampled = true
       transaction.priority = 42
+      nock('http://example.com').get('/?foo=bar').reply(200)
 
-      https.get('https://example.com?foo=bar', (res) => {
+      http.get('http://example.com?foo=bar', (res) => {
         res.resume()
         res.on('end', () => {
           const tx = agent.tracer.getTransaction()
@@ -159,7 +163,7 @@ test('fromSegment()', async (t) => {
           assert.equal(span.intrinsics.name, 'External/example.com/')
           assert.equal(span.intrinsics.timestamp, segment.timer.start)
 
-          assert.ok(span.intrinsics.duration >= 0.01 && span.intrinsics.duration <= 2)
+          assert.ok(span.intrinsics.duration > 0 && span.intrinsics.duration <= 2)
 
           // Should have type-specific intrinsics
           assert.equal(span.intrinsics.component, 'http')
@@ -169,13 +173,12 @@ test('fromSegment()', async (t) => {
           const attributes = span.attributes
 
           // Should have (most) http properties.
-          assert.equal(attributes['http.url'], 'https://example.com/')
+          assert.equal(attributes['http.url'], 'http://example.com/')
           assert.equal(attributes['server.address'], 'example.com')
-          assert.equal(attributes['server.port'], 443)
+          assert.equal(attributes['server.port'], 80)
           assert.ok(attributes['http.method'])
           assert.ok(attributes['http.request.method'])
           assert.equal(attributes['http.statusCode'], 200)
-          assert.equal(attributes['http.statusText'], 'OK')
 
           // should nullify mapped properties
           assert.ok(!attributes.library)
@@ -353,8 +356,9 @@ test('fromSegment()', async (t) => {
 
   await t.test('should handle truncated http spans', (t, end) => {
     const { agent } = t.nr
+    nock('http://www.example.com').get('/path?foo=bar').reply(200)
     helper.runInTransaction(agent, (transaction) => {
-      https.get('https://example.com?foo=bar', (res) => {
+      http.get('http://www.example.com/path?foo=bar', (res) => {
         transaction.end() // prematurely end to truncate
 
         res.resume()

test/unit/spans/span-event.test.js

@@ -6,12 +6,11 @@
 'use strict'
 const test = require('node:test')
 const assert = require('node:assert')
-const path = require('node:path')
 const helper = require('../../lib/agent_helper')
 const params = require('../../lib/params')
 const urltils = require('../../../lib/util/urltils')
+const readPackageVersion = require('../../lib/read-package-version')
 const crypto = require('crypto')
-const { readFile } = require('fs/promises')
 const semver = require('semver')
 const DB_INDEX = `test-${randomString()}`
 const DB_INDEX_2 = `test2-${randomString()}`
@@ -53,8 +52,7 @@ test('Elasticsearch instrumentation', async (t) => {
   t.beforeEach(async (ctx) => {
     // Determine version. ElasticSearch v7 did not export package, so we have to read the file
     // instead of requiring it, as we can with 8+.
-    const pkg = await readFile(path.join(__dirname, '/node_modules/@elastic/elasticsearch/package.json'))
-    const { version: pkgVersion } = JSON.parse(pkg.toString())
+    const pkgVersion = readPackageVersion(__dirname, '@elastic/elasticsearch')
 
     const agent = helper.instrumentMockedAgent()
 
@@ -66,23 +64,26 @@ test('Elasticsearch instrumentation', async (t) => {
     // need to capture attributes
     agent.config.attributes.enabled = true
 
-    const { Client } = require('@elastic/elasticsearch')
-    const client = new Client({
-      node: `http://${params.elastic_host}:${params.elastic_port}`
-    })
+    try {
+      const { Client } = require('@elastic/elasticsearch')
+      const client = new Client({
+        node: `http://${params.elastic_host}:${params.elastic_port}`
+      })
 
-    ctx.nr = {
-      agent,
-      client,
-      pkgVersion,
-      METRIC_HOST_NAME,
-      HOST_ID
+      ctx.nr = {
+        agent,
+        client,
+        pkgVersion,
+        METRIC_HOST_NAME,
+        HOST_ID
+      }
+      return Promise.all([
+        client.indices.create({ index: DB_INDEX }),
+        client.indices.create({ index: DB_INDEX_2 })
+      ])
+    } catch (error) {
+      console.error(error)
     }
-
-    return Promise.all([
-      client.indices.create({ index: DB_INDEX }),
-      client.indices.create({ index: DB_INDEX_2 })
-    ])
   })
 
   t.afterEach((ctx) => {