newrelic
diff --git a/‎gradle.properties
+1-1 b/‎gradle.properties
+1-1
diff --git a/‎instrumentation-security/servlet-2.4/src/main/java/javax/servlet/http/HttpServletResponse_Instrumentation.java
+8-5 b/‎instrumentation-security/servlet-2.4/src/main/java/javax/servlet/http/HttpServletResponse_Instrumentation.java
+8-5
diff --git a/‎instrumentation-security/servlet-2.4/src/test/java/com/nr/agent/security/instrumentation/servlet24/HttpSessionTest.java
+120-33 b/‎instrumentation-security/servlet-2.4/src/test/java/com/nr/agent/security/instrumentation/servlet24/HttpSessionTest.java
+120-33
diff --git a/‎instrumentation-security/servlet-2.4/src/test/java/com/nr/agent/security/instrumentation/servlet24/HttpTestServlet.java
+29-1 b/‎instrumentation-security/servlet-2.4/src/test/java/com/nr/agent/security/instrumentation/servlet24/HttpTestServlet.java
+29-1
diff --git a/‎instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/http/HttpServletResponse_Instrumentation.java
+8-5 b/‎instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/http/HttpServletResponse_Instrumentation.java
+8-5
@@ -1,6 +1,6 @@
 # The agent version.
 agentVersion=1.4.0
-jsonVersion=1.2.4
+jsonVersion=1.2.5
 # Updated exposed NR APM API version.
 nrAPIVersion=8.12.0
 
 
@@ -9,7 +9,6 @@
 import com.newrelic.api.agent.security.schema.SecurityMetaData;
 import com.newrelic.api.agent.security.schema.StringUtils;
 import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException;
-import com.newrelic.api.agent.security.schema.operation.SecureCookieOperation;
 import com.newrelic.api.agent.security.schema.operation.SecureCookieOperationSet;
 import com.newrelic.api.agent.security.utils.logging.LogLevel;
 import com.newrelic.api.agent.weaver.MatchType;
@@ -56,12 +55,16 @@ private AbstractOperation preprocessSecurityHook(Cookie cookie, String className
                 sameSiteStrict = StringUtils.containsIgnoreCase(cookie.getValue(), "SameSite=Strict");
             }
 
-            SecureCookieOperation operation = new SecureCookieOperation(Boolean.toString(isSecure ), isSecure, isHttpOnly, sameSiteStrict, cookie.getValue(), className, methodName);
-            operation.setLowSeverityHook(true);
-            NewRelicSecurity.getAgent().registerOperation(operation);
+            SecureCookieOperationSet operations = NewRelicSecurity.getAgent().getSecurityMetaData().getCustomAttribute("SECURE_COOKIE_OPERATION", SecureCookieOperationSet.class);
+            if(operations == null){
+                operations = new SecureCookieOperationSet(className, methodName);;
+                operations.setLowSeverityHook(true);
+                NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute("SECURE_COOKIE_OPERATION", operations);
+            }
+            operations.addOperation(cookie.getName(), cookie.getValue(), isSecure, isHttpOnly, sameSiteStrict);
 //            NewRelicSecurity.getAgent().registerOperation(operation);
 
-            return operation;
+            return operations;
         } catch (Throwable e) {
             if (e instanceof NewRelicSecurityException) {
                 NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.SECURITY_EXCEPTION_MESSAGE, HttpServletHelper.SERVLET_2_4, e.getMessage()), e, HttpServletResponse_Instrumentation.class.getName());
 
@@ -5,7 +5,7 @@
 import com.newrelic.agent.security.introspec.SecurityIntrospector;
 import com.newrelic.api.agent.security.schema.AbstractOperation;
 import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
-import com.newrelic.api.agent.security.schema.operation.SecureCookieOperation;
+import com.newrelic.api.agent.security.schema.operation.SecureCookieOperationSet;
 import com.newrelic.api.agent.security.schema.operation.TrustBoundaryOperation;
 import org.junit.Assert;
 import org.junit.ClassRule;
@@ -18,6 +18,7 @@
 import java.net.HttpURLConnection;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.util.Iterator;
 import java.util.List;
 
 @RunWith(SecurityInstrumentationTestRunner.class)
@@ -29,9 +30,7 @@ public class HttpSessionTest {
 
     @Test
     public void testSessionSetAttribute() throws IOException, URISyntaxException {
-        String method = "GET";
-        String POST_PARAMS = "hook=readLine";
-        makeRequest(method, POST_PARAMS, "set");
+        makeRequest("set");
 
         SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
         List<AbstractOperation> operations = introspector.getOperations();
@@ -61,9 +60,7 @@ else if(i==1){
 
     @Test
     public void testSessionPutValue() throws IOException, URISyntaxException {
-        String method = "GET";
-        String POST_PARAMS = "hook=readLine";
-        makeRequest(method, POST_PARAMS, "put");
+        makeRequest("put");
 
         SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
         List<AbstractOperation> operations = introspector.getOperations();
@@ -84,56 +81,146 @@ public void testSessionPutValue() throws IOException, URISyntaxException {
 
     @Test
     public void testAddCookie() throws IOException, URISyntaxException {
-        String method = "GET";
-        String POST_PARAMS = "hook=readLine";
-        makeRequest(method, POST_PARAMS, "cookie");
+        makeRequest("securecookie");
 
         SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
         List<AbstractOperation> operations = introspector.getOperations();
         Assert.assertTrue("No operations detected", operations.size() > 0);
         Assert.assertTrue("Unexpected operation count detected", operations.size() == 1 || operations.size() == 2);
-        SecureCookieOperation targetOperation = null;
-        for (AbstractOperation operation : operations) {
-            if (operation instanceof SecureCookieOperation)
-                targetOperation = (SecureCookieOperation) operation;
-        };
-        Assert.assertNotNull("No target operation detected", targetOperation);
-        Assert.assertEquals("Wrong case-type detected", VulnerabilityCaseType.SECURE_COOKIE, targetOperation.getCaseType());
-        Assert.assertEquals("Wrong key detected", "false", targetOperation.getValue());
+        SecureCookieOperationSet targetOperation = null;
+        targetOperation = verifySecureCookieOp(operations);
+
+        Assert.assertEquals(1, targetOperation.getOperations().size());
+        Iterator<SecureCookieOperationSet.SecureCookieOperation> secureCookieOps = targetOperation.getOperations().iterator();
+        Assert.assertTrue(secureCookieOps.hasNext());
+
+        SecureCookieOperationSet.SecureCookieOperation secureCookieOp = secureCookieOps.next();
+        verifySecureCookie(secureCookieOp, "key", false, true);
     }
 
     @Test
     public void testAddCookie1() throws IOException, URISyntaxException {
-        String method = "GET";
-        String POST_PARAMS = "hook=readLine";
-        makeRequest(method, POST_PARAMS, "securecookie");
+        makeRequest("cookie");
 
         SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
         List<AbstractOperation> operations = introspector.getOperations();
-        Assert.assertTrue("No operations detected", operations.size() > 0);
-        Assert.assertTrue("Unexpected operation count detected", operations.size() == 1 || operations.size() == 2);
-        SecureCookieOperation targetOperation = null;
-        for (AbstractOperation operation : operations) {
-            if (operation instanceof SecureCookieOperation)
-                targetOperation = (SecureCookieOperation) operation;
-        };
-        Assert.assertNotNull("No target operation detected", targetOperation);
-        Assert.assertEquals("Wrong case-type detected", VulnerabilityCaseType.SECURE_COOKIE, targetOperation.getCaseType());
-        Assert.assertEquals("Wrong key detected", "true", targetOperation.getValue());
+
+        SecureCookieOperationSet targetOperation = verifySecureCookieOp(operations);
+        Assert.assertEquals(1, targetOperation.getOperations().size());
+
+        Iterator<SecureCookieOperationSet.SecureCookieOperation> secureCookieOps = targetOperation.getOperations().iterator();
+        Assert.assertTrue(secureCookieOps.hasNext());
+
+        SecureCookieOperationSet.SecureCookieOperation secureCookieOp = secureCookieOps.next();
+        verifySecureCookie(secureCookieOp, "key", false, false);
+    }
+
+    @Test
+    public void testAddSecureCookies() throws IOException, URISyntaxException {
+        makeRequest("secure_cookies");
+
+        SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
+        List<AbstractOperation> operations = introspector.getOperations();
+
+        SecureCookieOperationSet targetOperation = verifySecureCookieOp(operations);
+        Assert.assertEquals(2, targetOperation.getOperations().size());
+
+        for (SecureCookieOperationSet.SecureCookieOperation secureCookieOp : targetOperation.getOperations()) {
+            if (secureCookieOp.getName().equals("secure-cookie-1")) {
+                verifySecureCookie(secureCookieOp, "secure-cookie-1", false, true);
+            } else {
+                verifySecureCookie(secureCookieOp, "secure-cookie-2", true, true);
+            }
+        }
+    }
+
+    @Test
+    public void testAddInSecureCookies() throws IOException, URISyntaxException {
+        makeRequest("insecure_cookies");
+
+        SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
+        List<AbstractOperation> operations = introspector.getOperations();
+
+        SecureCookieOperationSet targetOperation = verifySecureCookieOp(operations);
+        Assert.assertEquals(2, targetOperation.getOperations().size());
+
+        for (SecureCookieOperationSet.SecureCookieOperation secureCookieOp : targetOperation.getOperations()) {
+            if (secureCookieOp.getName().equals("insecure-cookie-1")) {
+                verifySecureCookie(secureCookieOp, "insecure-cookie-1", false, false);
+            } else {
+                verifySecureCookie(secureCookieOp, "insecure-cookie-2", false, false);
+            }
+        }
     }
 
-    private void makeRequest( String Method, final String POST_PARAMS, String path) throws URISyntaxException, IOException{
+    @Test
+    public void testAddMultiSecureCookies() throws IOException, URISyntaxException {
+        makeRequest("cookies");
+
+        SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
+        List<AbstractOperation> operations = introspector.getOperations();
+
+        SecureCookieOperationSet targetOperation = verifySecureCookieOp(operations);
+        Assert.assertEquals(2, targetOperation.getOperations().size());
+
+        for (SecureCookieOperationSet.SecureCookieOperation secureCookieOp : targetOperation.getOperations()) {
+            if (secureCookieOp.getName().equals("insecure-cookie")) {
+                verifySecureCookie(secureCookieOp, "insecure-cookie", false, false);
+            } else {
+                verifySecureCookie(secureCookieOp, "secure-cookie", false, true);
+            }
+        }
+    }
+
+    @Test
+    public void testSingleCookie() throws IOException, URISyntaxException {
+        makeRequest("single-cookie");
+
+        SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
+        List<AbstractOperation> operations = introspector.getOperations();
+
+        SecureCookieOperationSet targetOperation = verifySecureCookieOp(operations);
+        Assert.assertEquals(1, targetOperation.getOperations().size());
+
+        Iterator<SecureCookieOperationSet.SecureCookieOperation> secureCookieOps = targetOperation.getOperations().iterator();
 
+        Assert.assertTrue(secureCookieOps.hasNext());
+        SecureCookieOperationSet.SecureCookieOperation secureCookieOp = secureCookieOps.next();
+        verifySecureCookie(secureCookieOp, "cookie", true, true);
+    }
+
+    private void makeRequest(String path) throws URISyntaxException, IOException{
         URL u = server.getEndPoint("session/"+path).toURL();
         HttpURLConnection conn = (HttpURLConnection) u.openConnection();
-        conn.setRequestMethod(Method);
         conn.setDoOutput(true);
         conn.setRequestProperty("Connection", "Keep-Alive");
         conn.setRequestProperty("Cache-Control", "no-cache");
         conn.setRequestProperty("Content-Type", "multipart/form-data");
 
         conn.connect();
         conn.getResponseCode();
+    }
+
+    private SecureCookieOperationSet verifySecureCookieOp(List<AbstractOperation> operations) {
+        SecureCookieOperationSet targetOperation = null;
+        for (AbstractOperation operation : operations) {
+            if (operation instanceof SecureCookieOperationSet) {
+                targetOperation = (SecureCookieOperationSet) operation;
+            }
+        }
+
+        Assert.assertNotNull("No target operation detected", targetOperation);
+        Assert.assertEquals("Wrong method detected", "addCookie", targetOperation.getMethodName());
+        Assert.assertEquals("Wrong case-type detected", VulnerabilityCaseType.SECURE_COOKIE, targetOperation.getCaseType());
+        Assert.assertTrue("isLowSeverityHook should be true", targetOperation.isLowSeverityHook());
+        return targetOperation;
+    }
 
+    private void verifySecureCookie(SecureCookieOperationSet.SecureCookieOperation secureCookieOp, String key, boolean isHttpOnly, boolean isSecure) {
+        Assert.assertEquals("Wrong cookie key detected", key, secureCookieOp.getName());
+        Assert.assertEquals("Wrong cookie value detected", "value", secureCookieOp.getValue());
+        Assert.assertEquals(String.format("isHttpOnly should be %s", isHttpOnly), isHttpOnly, secureCookieOp.isHttpOnly());
+        Assert.assertEquals(String.format("isSecure should be %s", isSecure), isSecure, secureCookieOp.isSecure());
+        Assert.assertTrue(String.format("isSameSiteStrict should be %s", true), secureCookieOp.isSameSiteStrict());
     }
 }
@@ -102,7 +102,35 @@ else if(path.equals("/session/put")){
             cookie.setSecure(true);
             response.addCookie(cookie);
         } else if(path.equals("/session/cookie")){
-            Cookie cookie = new Cookie("key1", "value1");
+            // add insecure cookie to response
+            response.addCookie(new Cookie("key", "value"));
+        } else if (path.equals("/session/secure_cookies")) {
+            // add multiple secure cookies to response
+            Cookie cookie = new Cookie("secure-cookie-1", "value");
+            cookie.setSecure(true);
+            response.addCookie(cookie);
+
+            Cookie cookie1 = new Cookie("secure-cookie-2", "value");
+            cookie1.setSecure(true);
+            cookie1.setHttpOnly(true);
+            cookie1.setComment("__SAME_SITE_STRICT__");
+            response.addCookie(cookie1);
+        } else if (path.equals("/session/insecure_cookies")) {
+            // add multiple insecure cookies to response
+            response.addCookie(new Cookie("insecure-cookie-1", "value"));
+            response.addCookie(new Cookie("insecure-cookie-2", "value"));
+        } else if (path.equals("/session/cookies")){
+            // add multiple cookies to response
+            Cookie cookie = new Cookie("secure-cookie", "value");
+            cookie.setSecure(true);
+            response.addCookie(cookie);
+
+            response.addCookie(new Cookie("insecure-cookie","value"));
+        } else if (path.equals("/session/single-cookie")){
+            Cookie cookie = new Cookie("cookie", "value");
+            cookie.setSecure(true);
+            cookie.setHttpOnly(true);
+            cookie.setComment("__SAME_SITE_LAX__");
             response.addCookie(cookie);
         }
     }
 
@@ -9,7 +9,6 @@
 import com.newrelic.api.agent.security.schema.SecurityMetaData;
 import com.newrelic.api.agent.security.schema.StringUtils;
 import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException;
-import com.newrelic.api.agent.security.schema.operation.SecureCookieOperation;
 import com.newrelic.api.agent.security.schema.operation.SecureCookieOperationSet;
 import com.newrelic.api.agent.security.utils.logging.LogLevel;
 import com.newrelic.api.agent.weaver.MatchType;
@@ -56,12 +55,16 @@ private AbstractOperation preprocessSecurityHook(Cookie cookie, String className
                 sameSiteStrict = StringUtils.containsIgnoreCase(cookie.getValue(), "SameSite=Strict");
             }
 
-            SecureCookieOperation operation = new SecureCookieOperation(Boolean.toString(isSecure ), isSecure, isHttpOnly, sameSiteStrict, cookie.getValue(), className, methodName);
-            operation.setLowSeverityHook(true);
-            NewRelicSecurity.getAgent().registerOperation(operation);
+            SecureCookieOperationSet operations = NewRelicSecurity.getAgent().getSecurityMetaData().getCustomAttribute("SECURE_COOKIE_OPERATION", SecureCookieOperationSet.class);
+            if(operations == null){
+                operations = new SecureCookieOperationSet(className, methodName);;
+                operations.setLowSeverityHook(true);
+                NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute("SECURE_COOKIE_OPERATION", operations);
+            }
+            operations.addOperation(cookie.getName(), cookie.getValue(), isSecure, isHttpOnly, sameSiteStrict);
 //            NewRelicSecurity.getAgent().registerOperation(operation);
 
-            return operation;
+            return operations;
         } catch (Throwable e) {
             if (e instanceof NewRelicSecurityException) {
                 NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.SECURITY_EXCEPTION_MESSAGE, HttpServletHelper.SERVLET_5_0, e.getMessage()), e, HttpServletResponse_Instrumentation.class.getName());