Open source tracing

This page describes how to configure the Java agent to trace frameworks and open source libraries used in Java applications. Tracing is enabled by adding the weaving option to the Java agent configuration file (whatap.conf). Guidance for the various framework and library versions is also provided.

For example, when the application uses spring-boot-3.x, feign-client-11, or okhttp3-4.4, set the option as follows:

whatap.conf
weaving=spring-boot-3.0,feign-11,okhttp3-4.4

Supported open source list

For configuration of the framework or open source to trace through the Java agent, see the following:

| Framework/open source | Versions | Configuration | Minimum agent version | Remarks |
|---|---|---|---|---|
| apache-camel-cxf | camel-cxf-3.15 or later | weaving=camel-cxf-3.15 | v2.2.27 | - |
| apache-camel-netty | camel-netty4 2.25 or later | weaving=camel-netty4-2.25 | v2.2.42 | - |
| apache-camel-seda | camel-seda-2.22 or later | weaving=camel-seda-2.22 | v2.2.20 | - |
| | camel-seda-3.2 or later | weaving=camel-seda-3.2 | v2.2.20 | - |
| db2 | db2-11.5 or later | weaving=db2-11.5 | v2.2.18 | - |
| dynamodb | dynamodb-1.11 | weaving=dynamodb-1.11 | v2.2.39 | - |
| | dynamodb-2.25 | weaving=dynamodb-2.25 | v2.2.39 | - |
| feign-client | feign-11 or later | weaving=feign-11 | v2.2.6 | - |
| hystrix | hystrix-1.5 or later | weaving=hystrix-1.5 | v2.0_21 | - |
| kafka | kafka-clients-2.4.0 or later | weaving=kafka-clients-2.4.0 | v2.2.15 | - |
| | reactor-kafka-1.3 or later | weaving=reactor-kafka-1.3 | v2.2.5 | - |
| logback | logback-1.2.8 or later | weaving=logback-1.2.8 | v2.2.28 | Provision of the agent option to exclude a specific appender |
| log4j2 | log4j-2.17 or later | weaving=log4j-2.17 | v2.2.28 | Provision of the agent option to exclude a specific appender |
| mongodb, mongodb-reactive | mongodb-3.8.2 or later | weaving=mongodb-3.8.2 | v2.2.11 | - |
| | mongodb-4.0.3 or later | weaving=mongodb-4.0.3 | v2.2.11 | - |
| | mongodb-4.4 or later | weaving=mongodb-4.4 | v2.2.11 | - |
| | mongodb-4.8 or later | weaving=mongodb-4.8 | v2.2.11 | - |
| mule framework | mule-3.9.5 or later | weaving=mule-3.9.5 | v2.2.23 | - |
| | mule-4.5 or later | weaving=mule-4.5 | v2.2.23 | - |
| okhttp | okhttp-2.7 or later | weaving=okhttp-2.7 | v2.0_15 | - |
| quarkus, quarkus-reactive | quarkus-reactive-1.13 or later | weaving=quarkus-reactive-1.13 | v2.2.19 | - |
| | quarkus-reactive-2.10 or later | weaving=quarkus-reactive-2.10 | v2.2.19 | - |
| redis (jedis) | jedis-2.9.3 or later | weaving=jedis-2.9.3 | v2.0_33 | - |
| | jedis-3.2 or later | weaving=jedis-3.2 | v2.0_09 | - |
| redis (lettuce) | lettuce-5.1 or later | weaving=lettuce-5.1 | v2.2.7 | - |
| | lettuce-6.2 or later | weaving=lettuce-6.2 | v2.2.16 | - |
| | okhttp3 or later | weaving=okhttp3 | v2.0_15 | - |
| | okhttp3-4.4 | weaving=okhttp3-4.4 | v2.2.9 | - |
| rabbitmq | reactor-rabbitmq-1.2 or later | weaving=reactor-rabbitmq-1.2 | v2.0_06 | - |
| retrofit | retrofit-2.5 or later | weaving=retrofit-2.5 | v2.2.39 | It cannot be used together with the okhttp setting. |
| ribbon | ribbon | weaving=ribbon | v2.2.10 | - |
| spring-boot | spring-boot-2.1 or later | weaving=spring-boot-2.1 | v2.2.23 | Including kafka-clients, r2dbc-mysql, spring-cloud-gateway, spring-webflux, tomcat9, and undertow |
| | spring-boot-2.5 or later | weaving=spring-boot-2.5 | v2.2.9 | Including kafka-clients, r2dbc-mysql, redis(lettuce), spring-cloud-gateway, spring-webflux, tomcat9, and undertow |
| | spring-boot-2.7 or later | weaving=spring-boot-2.7 | v2.2.9 | Including jasync-r2dbc-mysql, kafka-clients, r2dbc-mysql, redis(lettuce), spring-cloud-gateway, spring-webflux, tomcat9, and undertow |
| | spring-boot-3.0 or later | weaving=spring-boot-3.0 | v2.2.9 | Including jasync-r2dbc-mysql, kafka-clients, r2dbc-mysql, redis(lettuce), spring-cloud-gateway, spring-webflux, tomcat10, and undertow |
| | spring-boot-3.2 or later | weaving=spring-boot-3.2 | v2.2.38 | Including jasync-r2dbc-mysql, spring-kafka, spring-kafka-batch, r2dbc-mysql, redis(lettuce), spring-cloud-gateway, spring-webflux, tomcat10, and undertow |
| tomcat | tomcat9 | weaving=tomcat9 | v2.2.5 | - |
| | tomcat10 | weaving=tomcat10 | v2.2.5 | - |
| undertow | undertow-2.3 or later | weaving=undertow-2.3 | v2.2.14 | - |
| | undertow-2.2 or later | weaving=undertow-2.2 | v2.2.39 | - |
| vertx | vertx-3.5.3 | weaving=vertx-3.5.3 | v2.2.42 | - |
| | vertx-4.5 | weaving=vertx-4.5 | v2.2.39 | - |

Preventing CVE false positives for the Java agent

The following explains how to handle CVE false positives reported against the Java agent and how to remove unnecessary library classes.

A CVE finding against the Java agent does not necessarily mean the agent is vulnerable. The agent bundles classes for many libraries so that it can monitor whichever ones a Java application uses, but these classes are not loaded unless they are actually used. Monitoring is performed only when a specific class is loaded in the Java application, at which point the tracing class and methods are combined with it.

Therefore, a CVE scan may raise warnings based solely on the software name and version. Even if multiple libraries are flagged, the application is not necessarily vulnerable, because the vulnerability is not exposed unless the application uses those libraries.

If the Java application does not use a given version and you want to remove its tracing classes from the agent, run the following command. You must repeat the removal each time the Java agent is updated.

java -cp whatap.agent-X.Y.Z.jar whatap.agent.setup.RemoveWeaving -remove [weaving jar filename]
Note

The command to remove a specific library class is supported in Java Agent 2.2.37 or later.

Usage: java -cp whatap.agent-X.Y.Z.jar whatap.agent.setup.RemoveWeaving [arguments] [weaving jar filename]

Example
java -cp whatap.agent-2.2.37.jar whatap.agent.setup.RemoveWeaving -remove spring-boot-2.5.jar spring-boot-2.7.jar

Arguments:

  • -r or -remove: Removes the specified weaving jar files from the Java agent and creates a new Java agent.

  • -l or -list: Outputs a list of weaving jar files.

  • -d or -debug: Enables debug logging.

  • -e or -error: Displays the full stack trace for errors.

  • -h or -help: Displays the help and exits.
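
An added example (not WhaTap's own tooling) that connects the weaving option to the removal procedure: it reads `weaving` from whatap.conf and reports bundled weaving jars that are not enabled there as candidates to review for `-remove`, which helps when triaging scanner findings against what the agent is configured to trace. Assumptions: each option name maps to a jar named `<name>.jar`, as in the `-remove` example above, and `jars.txt` is a hypothetical file you prepare with one jar filename per line from the `-list` output, whose exact format this page does not show.

```bash
#!/bin/sh
# Added example, not WhaTap code. Assumption: weaving name N <-> bundled N.jar,
# as in the page's "-remove spring-boot-2.5.jar" example.

# Print the names enabled by weaving= in whatap.conf, one per line, sorted.
configured_weaving() {
  # Assumption: if the option appears more than once, the last line is used.
  grep -E '^[[:space:]]*weaving[[:space:]]*=' "$1" | tail -n 1 \
    | sed -e 's/^[^=]*=//' | tr -d ' \t\r' | tr ',' '\n' | grep -v '^$' | sort -u
}

# $1 = whatap.conf, $2 = file with one bundled weaving jar filename per line.
# Prints jars not enabled by weaving=: candidates to review for -remove.
removal_candidates() {
  enabled=$(configured_weaving "$1" | sed 's/$/.jar/')
  grep -v '^[[:space:]]*$' "$2" | sort -u | while IFS= read -r jar; do
    printf '%s\n' "$enabled" | grep -qxF "$jar" || printf '%s\n' "$jar"
  done
}

# $1 = agent jar, remaining arguments = weaving jars to remove.
# Prints the RemoveWeaving command line from this page (nothing if no jars).
remove_command() {
  agent=$1; shift
  [ "$#" -gt 0 ] || return 0
  printf 'java -cp %s whatap.agent.setup.RemoveWeaving -remove %s\n' "$agent" "$*"
}

# Constructed sample input for illustration only.
demo_dir=$(mktemp -d)
printf 'weaving=spring-boot-3.0,feign-11,okhttp3-4.4\n' > "$demo_dir/whatap.conf"
printf '%s\n' spring-boot-2.5.jar spring-boot-2.7.jar spring-boot-3.0.jar \
  feign-11.jar okhttp3-4.4.jar > "$demo_dir/jars.txt"
# Word splitting of the candidate list into separate arguments is intended.
remove_command whatap.agent-2.2.37.jar \
  $(removal_candidates "$demo_dir/whatap.conf" "$demo_dir/jars.txt")
rm -rf "$demo_dir"
```

Review the candidate list before running the printed command: the Remarks column shows that a spring-boot entry also covers components such as tomcat and undertow, so a jar absent from `weaving=` is a candidate, not proof that it is unused.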