Scan for Java Libraries
Advanced usage tracking detects libraries associated with both Application and Deployed Application in the fleet, and provides security vulnerability information, if any. It can detect usage associated with both Oracle JDK and OpenJDK distributions.
The Java libraries can be scanned using either a dynamic scan or a static scan.
Dynamic scan:
- Detects libraries loaded dynamically by your applications at runtime.
- Helps identify and understand the third-party Java libraries actively used by your applications.
Static scan:
- Gets all the JARs from the class path (obtained from system properties). The class path scanning depends on the include and exclude paths that are configured in agent settings.
- Reads the manifest file of each JAR to identify dependencies.
- Analyzes pom files to determine first-level dependencies.
- For application server deployments, examines all dependencies within war and ear packages.
For shaded JARs, only the pom file, if any, is scanned. Because details about the dependent JAR files are not available, Scan for Java Libraries does not provide JAR manifest details for them.
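The static scan described above can be reproduced in miniature: open each JAR on the class path, read its manifest, collect the Maven coordinates recorded in the embedded pom.properties entries, and take the first-level dependencies from the embedded pom.xml. The following is an added example written for this page, not the JMS agent's own code; the sample JARs are constructed in memory (constructed data, not real artifacts), the second one shaped like a shaded JAR so the caveat about bundled libraries can be seen.

```python
"""Static JAR inventory: for each JAR on a class path, read the manifest, the
embedded Maven pom.properties entries and the first-level dependencies in the
embedded pom.xml. Hypothetical example code, not the JMS agent's own."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the main section of META-INF/MANIFEST.MF.
    A line starting with a single space continues the previous value."""
    attrs: Dict[str, str] = {}
    last_key: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last_key:
            attrs[last_key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def parse_pom_properties(text: str) -> Dict[str, str]:
    """Parse the key=value lines of META-INF/maven/<group>/<artifact>/pom.properties."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def _local(tag: str) -> str:
    """Strip the POM XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def first_level_dependencies(pom_xml: str) -> List[str]:
    """group:artifact:version for <project><dependencies> only; <dependencyManagement>
    (pins versions, adds nothing) and test-scoped entries (never shipped) are skipped."""
    root = ET.fromstring(pom_xml)
    found: List[str] = []
    for section in root:
        if _local(section.tag) != "dependencies":
            continue
        for dep in section:
            fields = {_local(e.tag): (e.text or "").strip() for e in dep}
            if fields.get("scope") == "test":
                continue
            found.append(f"{fields.get('groupId')}:{fields.get('artifactId')}:{fields.get('version')}")
    return found


def scan_jar(name: str, data: bytes) -> Dict:
    """Inventory one JAR given as bytes (in practice: open(path, 'rb').read())."""
    result: Dict = {"jar": name, "manifest": {}, "coordinates": [], "dependencies": [], "shaded": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names:
            result["manifest"] = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for n in (n for n in names if n.startswith("META-INF/maven/")):
            if n.endswith("/pom.properties"):
                p = parse_pom_properties(zf.read(n).decode("utf-8"))
                result["coordinates"].append(f"{p.get('groupId')}:{p.get('artifactId')}:{p.get('version')}")
            elif n.endswith("/pom.xml"):
                result["dependencies"].extend(first_level_dependencies(zf.read(n).decode("utf-8")))
        # Several pom.properties in one JAR means other artifacts were merged in (shaded):
        # the bundled libraries' own manifests are gone, only their pom entries remain.
        result["shaded"] = len(result["coordinates"]) > 1
    return result


def scan_classpath(jars: Dict[str, bytes]) -> List[Dict]:
    return [scan_jar(n, d) for n, d in jars.items()]


# --- Constructed sample JARs, built in memory so the example runs offline ---
def build_jar(entries: Dict[str, str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


MANIFEST = ("Manifest-Version: 1.0\nImplementation-Title: widget\n"
            "Implementation-Version: 1.2.3\nImplementation-Vendor: Example-\n Corp\n")
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>widget</artifactId><version>1.2.3</version>
  <dependencyManagement><dependencies><dependency>
    <groupId>com.example</groupId><artifactId>managed-only</artifactId><version>9.9</version>
  </dependency></dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>util</artifactId><version>2.0.0</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>junit-like</artifactId><version>5.0</version><scope>test</scope></dependency>
  </dependencies>
</project>"""
WIDGET_PROPS = "groupId=com.example\nartifactId=widget\nversion=1.2.3\n"
SAMPLE_CLASSPATH = {
    "widget-1.2.3.jar": build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                                   "META-INF/maven/com.example/widget/pom.properties": WIDGET_PROPS,
                                   "META-INF/maven/com.example/widget/pom.xml": POM_XML}),
    # Shaded JAR: widget and util merged into one archive; its manifest describes only the outer app.
    "app-all.jar": build_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nMain-Class: com.example.App\n",
                              "META-INF/maven/com.example/widget/pom.properties": WIDGET_PROPS,
                              "META-INF/maven/com.example/util/pom.properties":
                                  "groupId=com.example\nartifactId=util\nversion=2.0.0\n"}),
}

if __name__ == "__main__":
    for entry in scan_classpath(SAMPLE_CLASSPATH):
        print(entry["jar"], "shaded" if entry["shaded"] else "", entry["coordinates"], entry["dependencies"])
```

The widget JAR yields one coordinate from pom.properties, one runtime dependency from pom.xml (the managed-only and test-scoped entries are ignored) and the full manifest. The shaded JAR yields two coordinates but no dependency list, and its manifest describes only the outer application, which is why a manifest-based view cannot tell you anything about the libraries bundled inside it. Matching the collected coordinates against vulnerability data is the service's job and is not modelled here.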
Keep the following limitations in mind:
- Scan for Java Libraries might not have identified all library dependencies of the application.
- The analysis might not have identified all vulnerabilities.
- New vulnerabilities affecting your application might appear, because data is refreshed from the National Vulnerability Database on a weekly basis. To detect new vulnerabilities, we recommend that you perform the scan for Java libraries frequently.
The results of the analysis are not to be treated as absolute. You might need to perform additional analysis or investigation.
You can initiate the scan using one of the following methods:
- In the Fleet details panel, select Actions and choose Scan for Java libraries.
- In the Managed instances details page, select Actions and choose Scan for Java libraries.
- From any Managed instances tab, select the desired managed instances by checking the respective boxes in the Managed instances table. Then, select Actions and choose Scan for Java libraries.
The scan might cause high CPU and memory utilization in managed instances.
- For a dynamic scan, specify the period over which to detect running applications. You can set this duration in minutes or hours, with a maximum of 24 hours. By default, the recording period is 10 minutes. This duration determines how long agents will monitor each detected running application.
- A static scan doesn't run over a period of time but instead captures a snapshot of the Java libraries present in the class path at the moment of the scan. A static analysis might miss libraries that are loaded dynamically at runtime and relies on detecting well-known library signatures, so it might not identify intentionally obfuscated or lesser-known libraries.
- If the Record Java Library usage setting is enabled, agents periodically scan managed instances to automatically discover vulnerabilities in the Java libraries used by applications. In this case, you do not need to run the Scan for Java libraries action manually. To gain additional insights on your application servers, you can still perform an on-demand static scan.
- Dynamic scan supports only applications, while static scan supports both applications and application servers.
Choose when the scan runs:
- Submit request: the work request is submitted for processing immediately.
- Schedule for later: the work request is scheduled for processing at a specified date and time. In addition, you can configure a recurrence frequency, along with either an end date or a defined number of occurrences.
A work request is created for this operation. If you have scheduled the analysis for a later date and time, you can view the task in the Scheduled Tasks tab.
See Java Libraries panel and Java Library Information to review the results of the scan for Java libraries.