Scan for Java Libraries

Advanced usage tracking detects libraries associated with both Application and Deployed Application in the fleet, and provides security vulnerability information, if any. It can detect usage associated with both Oracle JDK and OpenJDK distributions.

The Java libraries are scanned using static analysis; the scan does not identify dynamically loaded libraries. The static scan:

  1. Gets all the jars from the class path (obtained from system properties). The class path scanning depends on the include and exclude paths that are configured in the agent settings.
  2. Reads the manifests of all jars in the class path to load all possible dependencies.
  3. Reads the pom file to get the first level dependencies.
  4. Scans all dependencies within a war or ear package in case of application server deployments.
Note

For shaded jars, only the pom file, if any, is scanned. As details about the dependent jar files are not available, Scan for Java Libraries does not provide details of the JAR manifest.

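
The manifest and pom reads from steps 2 and 3, and the shaded-jar case from the note, as an added example that is not the scanner's own code: it extracts the Class-Path attribute from a jar manifest and the first-level dependencies from an embedded pom file. The jar contents, the org.example coordinates and all function names are constructed for the example, and the pom is assumed to be embedded under META-INF/maven/.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def manifest_class_path(jar):
    """Class-Path entries from META-INF/MANIFEST.MF (empty list if none)."""
    if "META-INF/MANIFEST.MF" not in jar.namelist():
        return []
    text = jar.read("META-INF/MANIFEST.MF").decode("utf-8").replace("\r\n", "\n")
    # Manifest lines wrap at 72 bytes; a leading space marks a continuation.
    for line in text.replace("\n ", "").split("\n"):
        name, _, value = line.partition(": ")
        if name.lower() == "class-path":
            return value.split()
    return []

def pom_direct_dependencies(jar):
    """group:artifact:version of first-level dependencies in embedded pom files."""
    found = []
    for entry in jar.namelist():
        if entry.startswith("META-INF/maven/") and entry.endswith("/pom.xml"):
            # For jars from untrusted sources, use a hardened parser (e.g. defusedxml).
            root = ET.fromstring(jar.read(entry))
            ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
            # project/dependencies only; dependencyManagement entries are skipped.
            for dep in root.findall(f"{ns}dependencies/{ns}dependency"):
                gav = [dep.findtext(ns + t, "?") for t in ("groupId", "artifactId", "version")]
                found.append(":".join(gav))
    return found

def scan_jar(data):
    """Read one jar (bytes) the way steps 2 and 3 describe."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        return {"class_path": manifest_class_path(jar), "pom": pom_direct_dependencies(jar)}

def build_sample_jar(with_manifest=True):
    """Constructed sample jar with hypothetical names; not output of the real scan."""
    manifest = "Manifest-Version: 1.0\r\nClass-Path: lib/alpha-1.0.jar lib/be\r\n ta-2.1.jar\r\n\r\n"
    pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencyManagement><dependencies><dependency>'
           '<groupId>org.example</groupId><artifactId>managed</artifactId><version>9</version></dependency>'
           '</dependencies></dependencyManagement><dependencies><dependency><groupId>org.example</groupId>'
           '<artifactId>gamma</artifactId><version>3.2</version></dependency></dependencies></project>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if with_manifest:
            jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/maven/org.example/app/pom.xml", pom)
    return buf.getvalue()

print(scan_jar(build_sample_jar()))
```

Calling `build_sample_jar(with_manifest=False)` models a jar where only the pom is available, so the result carries pom dependencies but no manifest entries.
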
A library scan can also provide details of all applications associated with each library, along with vulnerability information. The vulnerability information and the Common Vulnerability Scoring System (CVSS) scores are provided by the National Vulnerability Database. The CVSS 2.0 base score is displayed for the detected Common Vulnerabilities and Exposures (CVEs). The information and the scores are identified by matching library names.
Note

  • Scan for Java Libraries might not have identified all library dependencies of the application.
  • Analysis might not have identified all vulnerabilities.
  • There might be new vulnerabilities affecting your application as data is refreshed from the National Vulnerability Database on a weekly basis. To detect new vulnerabilities, we recommend that you perform the scan for Java libraries frequently.

The results of the analysis aren't to be treated as absolute. You might need to perform additional analysis or investigation.

You can initiate the scan using one of the following methods:

  • In the Fleet details panel, click Scan for Java libraries.
  • In the Resources section on the fleet details page, navigate to Managed instances. Select the desired managed instances by checking the respective boxes in the Managed instances table. Then, click Actions and choose Scan for Java libraries.
  • In the Resources section on the fleet details page, navigate to Managed instances. In the Managed instances table, locate the specific managed instance where you want to install the Java runtime. Click the managed instance to access its details page, and then click Scan for Java libraries.
Note

The scan might cause high CPU and memory utilization in managed instances.

You can view the progress or status of the operation from the Work request module.

See Java Libraries panel and Java Library Details to review the results of the scan for Java libraries.