ChangeLog

0.9.0【2025-03】

Enhancement

  • [agent] Add alert suppression and rate-limiting features
  • [module] Add memory horse detection hook class

Bugfix

  • [agent] Fix the memory leak issue in the rasp thread pool finalize method

0.8.0【2024-11】

Enhancement

  • [daemon] Support injecting into containers on the host machine
  • [daemon] Add environment fingerprint recognition
  • [agent] Use socket for log transmission
  • [agent] Simplify bytecode framework
  • [agent] Add rate-limiting feature
  • [agent] Asynchronous serialization and transmission of log objects
  • [agent] Add security checks to the unload interface
  • [module] Add new agent-load-hook
  • [module] Refactor modules to lower the threshold for module development
  • [engineering] Add cross-platform cross-compilation functionality
  • [agent] Runtime encryption for jrasp-core

Bugfix

  • [module] Do not use the IP from the request as the local IP

0.7.0【2024-07】

Bugfix

  • [agent] Add IP to agent logs
  • [agent] Fix JDK compatibility issues
  • [module] Fix JNDI bug
  • [module] Fix memory horse bug
  • [module] Enable deserialization by default
  • [module] Fix type mismatch bug in spel switch
  • [daemon] Fix the issue of the daemon logging to /var/log/messages

0.6.0【2023-10】

Enhancement

  • [module] Add custom response header X-Protected-By: JRASP
  • [module] Add hook for java.io.File#createNewFile
  • [module] Add hook and detection module for HTTP response

Bugfix

  • [module] Fix XXE module runtime class conversion failure issue
  • [agent] Fix bug where the log path was initialized as empty
  • [module] Fix contentType judgment bug in requests
  • [module] Fix XML deserialization false-negative issue
  • [daemon] Fix incorrect process identification issue in startup script service.sh
  • [daemon] Resolve process delay reporting bug

0.5.0【2023-09】

Enhancement

  • [module] Refactor JNDI detection module
  • [daemon] Add monitoring for the number of open files in jrasp-daemon
  • [daemon] Add JDK deserialization blacklist

Bugfix

  • [module] Fix HTTP-hook type conversion failure bug
  • [module] Optimize scanner signature recognition to prevent false positives
  • [daemon] Fix JSON deserialization detection exception
  • [module] Postpone fetching HTTP request parameters
  • [daemon] Optimize PathExists to resolve high CPU usage
  • [daemon] Resolve process delay reporting bug

0.4.0【2023-07】

Enhancement

  • [agent] Add JVM performance monitoring
  • [module] Add Shiro detection module

Bugfix

  • [module] xercesImpl 2.6.2 does not implement the setFeature method; calling it caused an error
  • [module] Fix XML deserialization type conversion error issue
  • [daemon] Fix Docker hostname retrieval bug
  • [module] Fix high CPU usage issue in SQL detection algorithm
  • [module] Fix command token splitting failure issue

TODO

  • [daemon] Support container & runtime injection
  • [agent] Built-in filebeat in jrasp agent
  • [module] Automatically generate module parameters based on annotations

0.3.0【2023-01】

Enhancement

  • [module] Add memory horse detection module
  • [module] Add compilation time to modules for version differentiation
  • [daemon] Daemon-to-server communication supports HTTPS
  • [module] Add LRU cache to SQL detection, same SQL is only detected once
  • [module] Add custom HTML support to detection modules
  • [module] Plugin JAR package supports encryption and runtime classloader decryption
  • [engineering] Add module encryption flow to Maven plugin
  • [engineering] Support Linux aarch64 architecture

Bugfix

  • [attach & build] Resolve Windows packaging script compatibility issues and add automatic packaging for Windows builds
  • [module] Solve dependency loading bug when method parameters involve third-party classes
  • [agent] Fix parameter loss when converting string parameters to map parameters
  • [agent] Fix global configuration non-singleton bug @Yuyin
  • [agent] Complete isolation of jrasp logs and Tomcat logs

TODO

  • [Deployment Plan] Small-scale service deployment
  • [module] Support SQL Server database
  • [agent] Remove the function of copying modules to the run directory
  • [engineering] Provide a convenient testing jrasp-vulns project
  • [daemon] Support JAR updates in installation directory lib

0.2.0【2022-10】

Enhancement

  • [attach] Add jrasp-attach project (Golang), supporting manual injection, viewing hook classes, updating module parameters, and uninstalling RASP
  • [agent] Specify agent-dependent bridge during packaging to prevent wrong dependency loading
  • [agent] Remove logback/slf4j, use native JUL to reduce insecure dependencies
  • [agent] Remove built-in Jetty, use native sockets
  • [agent] Remove JSON log format in Java-agent and modify Filebeat’s log split Grok expression
  • [module] Optimize context object to be a context object
  • [module] Unified parameter update interface for modules
  • [project] Merge jrasp-agent, jrasp-module, jrasp-attach, and jrasp-daemon projects for unified compilation and packaging
  • [project] Fully compatible with Windows, Linux, and Mac
  • [agent] Optimize class matching mechanism, unique global transform instance to reduce STW time

Bugfix

  • [agent] Add version numbers to JAR filenames to resolve JAR file handle cleanup issue
  • [module] Replace @Resource annotation to resolve conflicts with javax packages
  • [agent] Fix memory leak bug when jvm-sandbox throws exceptions (patch already merged into jvm-sandbox)
  • [jetty module] Resolve duplicate hook issue for http input.read method (confirmed by OpenRASP)
  • [xxe module] Resolve duplicate hook issue for dom4j methods (confirmed by OpenRASP)

TODO

  • [agent] Use InheritableThreadLocal instead of ThreadLocal to prevent thread injection (memory leak exists, postponed)

0.1.8【2022-08】

Enhancement

  • [module] Add multiple security modules
  • [daemon] Optimize process scanning
  • [daemon] Prevent multiple daemons from starting

0.1.7【2022-07】

Enhancement

  • [daemon] Report configuration update time
  • [daemon] Daemon reports Nacos initialization status and registered service IP upon startup
  • [daemon] Automatically restart if unable to connect to Nacos, check every 24 hours

Bugfix

  • [daemon] Fix soft refresh panic
  • [daemon] Remove dependency fetching from the daemon; dependencies are now reported by the security plugins themselves

0.1.6【2022-06】

Bugfix

  • [daemon] Use os.RemoveAll to delete Java process folders

0.1.5【2022-05】

  • [daemon] Plugins are based on configuration files; those not in the config file are deleted from disk
  • [daemon] Add soft refresh and parameter update functions after injection

0.1.4【2022-04】

  • [agent] Add native method hook
  • [daemon] Support injection into multiple Java processes, each with its own data directory