Open source tracing
It provides the configuration method how to trace frameworks or open source libraries used in Java applications through the agent. It is configured by adding the weaving
option in the Java agent configuration file (whatap.conf). The guide on how to respond to various framework and library versions is also provided.
For example, when using spring-boot-3.x, feign-client-11, or okhttp3-4.4 with a framework or open source, set the options as follows:
weaving=spring-boot-3.0,feign-11,okhttp3-4.4
Supported open source list
For configuration of the framework or open source to trace through the Java agent, see the following:
Framework/open source | Versions | Configuration | Minimum agent version | Remarks |
---|---|---|---|---|
apache-camel-cxf | camel-cxf-3.15 or later | weaving=camel-cxf-3.15 | v2.2.27 | - |
apache-camel-netty | camel-netty4 2.25 or later | weaving=camel-netty4-2.25 | v2.2.42 | - |
apache-camel-seda | camel-seda-2.22 or later | weaving=camel-seda-2.22 | v2.2.20 | - |
camel-seda-3.2 or later | weaving=camel-seda-3.2 | v2.2.20 | - | |
db2 | db2-11.5 or later | weaving=db2-11.5 | v2.2.18 | - |
dynamodb | dynamodb-1.11 | weaving=dynamodb-1.11 | v2.2.39 | - |
dynamodb-2.25 | weaving=dynamodb-2.25 | v2.2.39 | - | |
feign-client | feign-11 or later | weaving=feign-11 | v2.2.6 | - |
hystrix | hystrix-1.5 or later | weaving=hystrix-1.5 | v2.0_21 | - |
kafka | kafka-clients-2.4.0 or later | weaving=kafka-clients-2.4.0 | v2.2.15 | - |
reactor-kafka-1.3 or later | weaving=reactor-kafka-1.3 | v2.2.5 | - | |
logback | logback-1.2.8 or later | weaving=logback-1.2.8 | v2.2.28 | Provision of the agent option to exclude a specific appender |
log4j2 | log4j-2.17 or later | weaving=log4j-2.17 | v2.2.28 | Provision of the agent option to exclude a specific appender |
mongodb, mongodb-reactive | mongodb-3.8.2 or later | weaving=mongodb-3.8.2 | v2.2.11 | - |
mongodb-4.0.3 or later | weaving=mongodb-4.0.3 | v2.2.11 | - | |
mongodb-4.4 or later | weaving=mongodb-4.4 | v2.2.11 | - | |
mongodb-4.8 or later | weaving=mongodb-4.8 | v2.2.11 | - | |
mule framework | mule-3.9.5 or later | weaving=mule-3.9.5 | v2.2.23 | - |
mule-4.5 or later | weaving=mule-4.5 | v2.2.23 | - | |
okhttp | okhttp-2.7 or later | weaving=okhttp-2.7 | v2.0_15 | - |
quarkus, quarkus-reactive | quarkus-reactive-1.13 or later | weaving=quarkus-reactive-1.13 | v2.2.19 | - |
quarkus-reactive-2.10 or later | weaving=quarkus-reactive-2.10 | v2.2.19 | - | |
redis (jedis) | jedis-2.9.3 or later | weaving=jedis-2.9.3 | v2.0_33 | - |
jedis-3.2 or later | weaving=jedis-3.2 | v2.0_09 | - | |
redis (lettuce) | lettuce-5.1 or later | weaving=lettuce-5.1 | v2.2.7 | - |
lettuce-6.2 or later | weaving=lettuce-6.2 | v2.2.16 | - | |
okhttp3 or later | weaving=okhttp3 | v2.0_15 | - | |
okhttp3-4.4 | weaving=okhttp3-4.4 | v2.2.9 | - | |
rabbitmq | reactor-rabbitmq-1.2 or later | weaving=reactor-rabbitmq-1.2 | v2.0_06 | - |
retrofit | retrofit-2.5 or later | weaving=retrofit-2.5 | v2.2.39 | It cannot be used together with the okhttp setting. |
ribbon | ribbon | weaving=ribbon | v2.2.10 | - |
spring-boot | spring-boot-2.1 or later | weaving=spring-boot-2.1 | v2.2.23 | Including kafka-clients, r2dbc-mysql, spring-cloud-gateway, spring-webflux, tomcat9, and undertow |
spring-boot-2.5 or later | weaving=spring-boot-2.5 | v2.2.9 | Including kafka-clients, r2dbc-mysql, redis(lettuce), spring-cloud-gateway, spring-webflux, tomcat9, and undertow | |
spring-boot-2.7 or later | weaving=spring-boot-2.7 | v2.2.9 | Including jasync-r2dbc-mysql, kafka-clients, r2dbc-mysql, redis(lettuce), spring-cloud-gateway, spring-webflux, tomcat9, and undertow | |
spring-boot-3.0 or later | weaving=spring-boot-3.0 | v2.2.9 | Including jasync-r2dbc-mysql, kafka-clients, r2dbc-mysql, redis(lettuce), spring-cloud-gateway,spring-webflux, tomcat10, and undertow | |
spring-boot-3.2 or later | weaving=spring-boot-3.2 | v2.2.38 | Including jasync-r2dbc-mysql, spring-kafka, spring-kafka-batch, r2dbc-mysql, redis(lettuce), spring-cloud-gateway, spring-webflux, tomcat10, and undertow | |
tomcat | tomcat9 | weaving=tomcat9 | v2.2.5 | - |
tomcat10 | weaving=tomcat10 | v2.2.5 | - | |
undertow | undertow-2.3 or later | weaving=undertow-2.3 | v2.2.14 | - |
undertow-2.2 or later | weaving=undertow-2.2 | v2.2.39 | - | |
vertx | vertx-3.5.3 | weaving=vertx-3.5.3 | v2.2.42 | - |
vertx-4.5 | weaving=vertx-4.5 | v2.2.39 | - |
Preventing CVE false positive of the Java agent
The following explains how to prevent false positives of CVE vulnerabilities in Java agents and remove unnecessary library classes.
Even if a CVE vulnerability is detected, the Java agent may not be vulnerable. The agent includes various library classes to monitor libraries used by Java applications, but they are not loaded unless they are actually used. This is because monitoring is performed only when a specific class is loaded in the Java application, at which point the tracing class and methods are combined.
Therefore, during CVE vulnerability scanning, warnings may be triggered based solely on the software name and version. Even if multiple libraries are detected, it does not always mean that the application is vulnerable, because the vulnerability is not exposed unless the application uses those libraries.
If you do not want to use the version in the Java application and want to remove the tracing class, execute the following command. However, you need to perform deletion again each time the Java agent is updated.
java -cp whatap.agent-X.Y.Z.jar whatap.agent.setup.RemoveWeaving -remove [weaving jar filename]
The command to remove a specific library class is supported in Java Agent 2.2.37 or later.
Usage: java -cp whatap.agent-X.Y.Z.jar whatap.agent.setup.RemoveWeaving [arguments] [weaving jar filename]
java -cp whatap.agent-2.2.37.jar whatap.agent.setup.RemoveWeaving -remove spring-boot-2.5.jar spring-boot-2.7.jar
Arguments:
-
-r
or-remove
: It removes the weaving jar file from the Java agent and creates a new Java agent. -
-l
or-list
: It outputs a list of weaving jar files. -
-d
or-debug
: It enables the debug logging. -
-e
or-error
: It displays the full stack trace information for errors. -
-h
or-help
: It displays the help and exits.