Application Dependency Vulnerabilities Monitoring

You can monitor application dependency vulnerabilities in Trace Explorer.

Application Performance Monitoring (APM) monitors the libraries that a customer application uses through its integration with the Application Dependency Management (ADM) service. It provides visibility into known security flaws by identifying whether an application uses vulnerable libraries. APM receives common vulnerabilities and exposures (CVE) information from ADM. If a library used by an application monitored by APM has been identified as vulnerable, potentially exposing the application to risk, APM lists all the vulnerabilities associated with that monitored library. For information about ADM, see Application Dependency Management.

The APM Agent extracts the application's libraries, along with their version information, at application startup and sends them to APM as special spans: one span per library version. The library name and version (if present in the library's properties files) are captured in a span attribute named ArtifactPurl, the package URL of the library. APM uses ADM to look up the vulnerability information for that library version. If vulnerability information is available, APM enriches the span with another attribute named ArtifactVulnerabilities, which contains the list of all CVEs known for the library version identified by ArtifactPurl.
  • ArtifactPurl: Library information such as library name and version number.
  • ArtifactVulnerabilities: Security vulnerabilities information obtained from the integration with ADM. For a complete list, see Application Dependency Management.

If a given ArtifactPurl does not have any vulnerability information, the ArtifactVulnerabilities attribute shows an empty value.

The APM Agent sends these special spans (one span per library version) at application startup and then resends them periodically, every 6 hours. If an application loads a new library at runtime, the special span for that library is sent to APM and attached to the last sent trace.

This feature gives customers the ability to view and monitor any security vulnerabilities that may exist in the libraries their application uses.

Note

Not all spans have the ArtifactPurl attribute. It is present only on the special spans that carry the library information for an application.

View and Explore Security Vulnerabilities

You can run queries in Trace Explorer to explore these spans and detect security vulnerabilities in application libraries.

To see the ArtifactPurl and ArtifactVulnerabilities values, run the following query:

SHOW SPANS *, ArtifactPurl, ArtifactVulnerabilities 
WHERE (ArtifactPurl is not omitted)

Result:

To view an individual span, you can click the Actions icon and select Show Span Details.

Show Span Details

Span details show all the attributes of an individual span. For potential vulnerabilities and exposures of libraries or packages used by an application, review the value of the following attributes:

  • ArtifactPurl

    For example:

    ArtifactPurl=pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4

    ArtifactPurl is made up of components separated by specific delimiter characters so that it can be parsed unambiguously.

    Format: scheme:type/namespace/name@version?qualifiers#subpath

    The following are the seven components:

    1. Scheme: The URL scheme, with the constant value pkg.
    2. Type: The package type or package protocol, such as maven, npm, nuget, gem, pypi, and others. Required.
    3. Namespace: A name prefix such as a Maven groupId, a Docker image owner, or a GitHub user or organization. Optional and type-specific.
    4. Name: The name of the package. Required.
    5. Version: The version of the package. Optional.
    6. Qualifiers: Extra qualifying data for a package, such as an OS, architecture, or distro. Optional.
    7. Subpath: An extra subpath within a package, relative to the package root. Optional.
  • ArtifactVulnerabilities

    For example:

    ArtifactVulnerabilities=[{"id":"GHSA-jjjh-jjxp-wpff","severity":"HIGH"},{"id":"CVE-2023-35116","severity":"MEDIUM"}]

    1. Id: The CVE ID.

      For known CVEs, the format is CVE-[Year]-[Number]. For unknown CVEs, the ID is vendor specific (for example, the GHSA identifier shown above).

    2. Severity: The CVE severity. It can be NONE, LOW, MEDIUM, HIGH, or CRITICAL.

    An invalid or incomplete PURL will not have the ArtifactVulnerabilities attribute, but the span will still show up in the results. For example:
      • An incomplete PURL: pkg:pypi/django@1.11.1
      • An invalid PURL: pkg:npm//cherrypy

Both attributes are populated in spans whose ArtifactPurl identifies a library with known security vulnerabilities.
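The following Python script is an added example and is not code from the APM documentation or from the ADM service. It shows how the two attributes described above can be processed outside Trace Explorer: it splits an ArtifactPurl into the seven package URL components, rejects a malformed PURL such as the empty namespace segment in pkg:npm//cherrypy, decodes the ArtifactVulnerabilities JSON array, tells CVE-[Year]-[Number] identifiers apart from vendor-specific ones such as a GHSA ID, and then triages a set of span records the same way the query above does (keep only spans where ArtifactPurl is present). The span records, the com.example library, and all function names are assumptions constructed for illustration; the attribute names and the jackson-databind example are the ones quoted on this page.

```python
"""Parse ArtifactPurl / ArtifactVulnerabilities from APM dependency spans and
triage them by severity.  Added example, not APM or ADM product code; the
SAMPLE_SPANS records are constructed test data."""
import json
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qsl, unquote

# Severity values documented for ArtifactVulnerabilities, in ranking order.
SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")  # the CVE-[Year]-[Number] format


@dataclass
class Purl:
    # scheme:type/namespace/name@version?qualifiers#subpath
    scheme: str
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> Purl:
    """Split a package URL into its seven components.
    Raises ValueError when a required part is missing or a path segment is empty,
    e.g. pkg:npm//cherrypy (the invalid PURL from the text) has an empty namespace."""
    scheme, sep, rest = purl.partition(":")
    if sep != ":" or scheme != "pkg":
        raise ValueError(f"scheme must be 'pkg': {purl!r}")
    rest, _, subpath = rest.partition("#")          # subpath follows '#'
    rest, _, qualifiers_raw = rest.partition("?")   # qualifiers follow '?'
    path, at, version = rest.rpartition("@")        # version follows the last '@'
    if not at:
        path, version = rest, None
    segments = path.strip("/").split("/")
    if len(segments) < 2:
        raise ValueError(f"type and name are required: {purl!r}")
    ptype, *ns_parts, name = segments
    if not ptype or not name or any(part == "" for part in ns_parts):
        raise ValueError(f"empty segment in PURL: {purl!r}")
    namespace = "/".join(unquote(p) for p in ns_parts) or None
    qualifiers = dict(parse_qsl(qualifiers_raw)) if qualifiers_raw else {}
    return Purl(scheme, ptype.lower(), namespace, unquote(name),
                unquote(version) if version else None, qualifiers, subpath or None)


def is_cve_id(vuln_id: str) -> bool:
    """True for CVE-[Year]-[Number]; anything else is a vendor-specific ID (e.g. GHSA-...)."""
    return bool(CVE_ID.match(vuln_id))


def parse_vulnerabilities(raw: Optional[str]) -> list:
    """ArtifactVulnerabilities is a JSON array of {"id", "severity"};
    an empty value means no known vulnerabilities for that library version."""
    if not raw or not raw.strip():
        return []
    return [{"id": v["id"], "severity": v.get("severity", "NONE").upper()}
            for v in json.loads(raw)]


def highest_severity(vulns: list) -> str:
    return max((v["severity"] for v in vulns),
               key=lambda s: SEVERITY_RANK.get(s, -1), default="NONE")


def triage_spans(spans: list, minimum: str = "HIGH") -> list:
    """Like 'WHERE ArtifactPurl is not omitted': skip ordinary spans, then report
    libraries at or above `minimum` severity and PURLs that fail to parse
    (those spans carry no ArtifactVulnerabilities attribute)."""
    findings = []
    for span in spans:
        raw_purl = span.get("ArtifactPurl")
        if raw_purl is None:            # ordinary request span, no library info
            continue
        try:
            purl = parse_purl(raw_purl)
        except ValueError as exc:
            findings.append({"purl": raw_purl, "status": "invalid", "reason": str(exc)})
            continue
        vulns = parse_vulnerabilities(span.get("ArtifactVulnerabilities"))
        worst = highest_severity(vulns)
        if SEVERITY_RANK.get(worst, -1) >= SEVERITY_RANK[minimum]:
            findings.append({
                "purl": raw_purl, "status": "vulnerable",
                "library": f"{purl.namespace}/{purl.name}" if purl.namespace else purl.name,
                "version": purl.version, "worst": worst,
                "cves": [v["id"] for v in vulns if is_cve_id(v["id"])],
                "vendor_ids": [v["id"] for v in vulns if not is_cve_id(v["id"])],
            })
    return findings


# Constructed sample spans in the shape described above (the com.example library is made up).
SAMPLE_SPANS = [
    {"spanName": "GET /orders"},
    {"ArtifactPurl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
     "ArtifactVulnerabilities": '[{"id":"GHSA-jjjh-jjxp-wpff","severity":"HIGH"},'
                                '{"id":"CVE-2023-35116","severity":"MEDIUM"}]'},
    {"ArtifactPurl": "pkg:maven/com.example/widgets@1.0.0", "ArtifactVulnerabilities": ""},
    {"ArtifactPurl": "pkg:npm//cherrypy"},
]

if __name__ == "__main__":
    for finding in triage_spans(SAMPLE_SPANS):
        print(finding)
```

Running the script reports the jackson-databind span as vulnerable (worst severity HIGH, one CVE and one vendor-specific GHSA ID) and the pkg:npm//cherrypy span as invalid; the ordinary request span and the library with an empty ArtifactVulnerabilities value produce no finding at the default HIGH threshold. Lowering `minimum` to NONE lists every parsed dependency span, which is the same view the SHOW SPANS query above gives.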