Advanced Usage Tracking

Advanced usage tracking allows you to get insights about Java servers running on managed instances and about libraries used by your Java applications with focus on security by showing if the detected libraries contain some known vulnerabilities.

Advanced usage tracking includes:

  • Scan for Java Servers
  • Scan for Java Libraries

Scan for Java Servers

This feature allows you to discover Java servers running in your fleet. JMS is currently able to detect WebLogic, JBoss and Tomcat servers. After the successful discovery, you can find all detected Java Servers in JMS Fleet's section Java Servers.

OCI Cloud Console

  1. Sign in to the OCI Console as an administrator.
  2. Open the navigation menu, click Observability & Management, and then click Fleets under Java Management.
  3. Select your fleet.
  4. Click Actions and from the menu select Scan for Java servers.
  5. Click Scan.
  6. Once the work request is finished, click on fleet's Java servers section. All detected Java servers should be listed

OCI CLI

  1. Execute the following command: 
    oci jms java-server-usage scan --fleet-id $FLEET_OCID

    Note:

    You can specify a JSON list of managed instances where the scan should be run with additional parameter --managed-instance-ids, otherwise all managed instances in the fleet will be selected.

Sample JSON payload sent by JMS plugin to OCI inventory log object during the Java servers scan: 

{
  "datetime": 1749559306604,
  "logContent": {
    "id": "ac26cc41-de6d-4f8a-994b-909a3705d0db",
    "time": "2025-06-10T12:41:46.604Z",
    "oracle": {
      "compartmentid": "ocid1.compartment.oc1..compartment-id",
      "ingestedtime": "2025-06-10T12:42:08.158306651Z",
      "instanceid": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
      "loggroupid": "ocid1.loggroup.oc1.eu-frankfurt-1.log-group-id",
      "logid": "ocid1.log.oc1.eu-frankfurt-1.log-id",
      "tenantid": "ocid1.tenancy.oc1..tenant-id"
    },
    "source": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
    "specversion": "1.0",
    "subject": "Oracle JMS Plugin",
    "type": "jms.javaserver.metadata.log",
    "data": {
      "data": {
        "clusterName": "",
        "committedHeap": 16252928,
        "deployments": [],
        "fleetId": "ocid1.jmsfleet.oc1.eu-frankfurt-1.fleet-id",
        "initHeap": 16777216,
        "javaDistribution": "Java(TM) SE Runtime Environment",
        "javaHome": "/usr/lib/jvm/jdk-17.0.15-oracle-x64",
        "javaMajorVersion": "17",
        "javaVendor": "Oracle Corporation",
        "javaVersion": "17.0.15",
        "managedInstanceId": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
        "maxHeap": 241303552,
        "osArch": "amd64",
        "osName": "Linux",
        "osVersion": "5.15.0-306.177.4.el9uek.x86_64",
        "productName": "Apache Tomcat",
        "productVersion": "11.0.8.0",
        "serverHome": "/home/opc/apache-tomcat-11.0.8",
        "serverName": "N/A",
        "serverPort": "8088",
        "usedHeap": 13224344
      },
      "datacontenttype": "application/json",
      "dataschema": "1.0",
      "id": "5d1178ee-f8e9-4cd4-a463-5bb309c02b99",
      "source": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
      "specversion": "1.0",
      "time": "2025-06-10T12:41:46.601Z",
      "type": "jms.javaserver.metadata.log"
    }
  },
  "regionId": "eu-frankfurt-1"
}

Scan for Java Libraries

This feature allows you to have a report of all libraries used by your Java applications in a single section of your fleet called Java Libraries.

You can use it for scanning of known vulnerabilities in Java third party libraries and ensuring that no unwanted library is used by your Java applications. For better understanding of what JMS is able to or unable to detect, see the official documentation here: Scan for Java Libraries.

OCI Cloud Console

  1. Sign in to the OCI Console as an administrator.
  2. Open the navigation menu, click Observability & Management, and then click Fleets under Java Management.
  3. Select your fleet.
  4. Click Actions and from the menu select Scan for Java libraries.
  5. Click Scan.
  6. Once the work request is finished, click on fleet's Java libraries section. All detected Java libraries should be listed

OCI CLI

  1. Execute the following command: 
    oci jms library-usage scan --fleet-id $FLEET_OCID

    Note:

    You can specify a JSON list of managed instances where the scan should be run with additional parameter --managed-instance-ids, otherwise all managed instances in the fleet will be selected.

Sample JSON payload sent by JMS plugin to OCI inventory log object during the Java libraries scan: 

{
  "datetime": 1749633185521,
  "logContent": {
    "id": "e7915f73-ac67-4ec7-9d4d-7798cb9e0ce0",
    "time": "2025-06-11T09:13:05.521Z",
    "oracle": {
      "compartmentid": "ocid1.compartment.oc1..compartment-id",
      "ingestedtime": "2025-06-11T09:14:53.129341509Z",
      "instanceid": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
      "loggroupid": "ocid1.loggroup.oc1.eu-frankfurt-1.log-group-id",
      "logid": "ocid1.log.oc1.eu-frankfurt-1.log-id",
      "tenantid": "ocid1.tenancy.oc1..tenant-id"
    },
    "source": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
    "specversion": "1.0",
    "subject": "Oracle JMS Plugin",
    "type": "jms.javaserver.libraries.log",
    "data": {
      "data": {
        "applicationSourcePath": "/var/lib/tomcat/webapps/java-webapp-demo-0.0.1-SNAPSHOT.war",
        "clusterName": "",
        "committedHeap": 25296896,
        "deploymentName": "java-webapp-demo-0.0.1-SNAPSHOT",
        "deploymentType": "war",
        "fleetId": "ocid1.jmsfleet.oc1.eu-frankfurt-1.fleet-id",
        "initHeap": 16777216,
        "javaDistribution": "Java(TM) SE Runtime Environment",
        "javaHome": "/opt/java/jdk-24.0.1",
        "javaMajorVersion": "24",
        "javaVendor": "Oracle Corporation",
        "javaVersion": "24.0.1",
        "libraries": [
          "google llc:error_prone_annotations:2.30.0:com.google.errorprone",
          "fasterxml:jackson-datatype-jsr310:2.19.0:com.fasterxml.jackson.datatype",
          "fasterxml:jackson-core:2.19.0:com.fasterxml.jackson.core",
          "the apache software foundation:log4j-to-slf4j:2.24.3:org.apache.logging.log4j",      
          "google gson project:gson:2.13.1:com.google.code.gson",
          "slf4j.org:slf4j-api:2.0.17:org.slf4j",
          "google llc:proto-google-common-protos:2.54.1:com.google.api.grpc",
          "the apache software foundation:log4j-api:2.24.3:org.apache.logging.log4j",
          "h2 group:h2:2.3.232:n/a",
          "slf4j.org:jul-to-slf4j:2.0.17:org.slf4j",
          "qos.ch:logback-classic:1.5.18:ch.qos.logback",
          "fasterxml:jackson-annotations:2.19.0:com.fasterxml.jackson.core",    
          "fasterxml:jackson-module-parameter-names:2.19.0:com.fasterxml.jackson.module",
          "fasterxml:jackson-databind:2.19.0:com.fasterxml.jackson.core",
          "eclipse foundation:jakarta.annotation-api:2.1.1:jakarta.annotation",
          "qos.ch:logback-core:1.5.18:ch.qos.logback"
        ],
        "managedInstanceId": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
        "maxHeap": 241303552,
        "osArch": "amd64",
        "osName": "Linux",
        "osVersion": "5.15.0-306.177.4.el9uek.x86_64",
        "productName": "Apache Tomcat",
        "productVersion": "9.0.87.0",
        "serverHome": "/usr/share/tomcat",
        "serverName": "N/A",
        "serverPort": "8080",
        "usedHeap": 23623336
      },
      "datacontenttype": "application/json",
      "dataschema": "1.0",
      "id": "f725e769-aea1-4c46-9125-9bec280b75c6",
      "source": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
      "specversion": "1.0",
      "time": "2025-06-11T09:13:05.518Z",
      "type": "jms.javaserver.libraries.log"
    }
  },
  "regionId": "eu-frankfurt-1"
}

Example

Imagine you have a Java application developed by your favorite software provider and the application is deployed on a server residing inside your infrastructure. To avoid any possible security problem, you'd like to know if the application doesn't contain any known security vulnerabilities. In the following example we have a Java web application deployed on an Apache Tomcat server, and now we will execute a Java library scan with the following script: 
#!/usr/bin/env bash
 
# configuration variables
FLEET_OCID=ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta
MANAGED_INSTANCE_OCID=ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq
 
# execute library scan on specific managed instance within your fleet where example application is running
WORK_REQUEST_OCID=$(oci jms library-usage scan \
        --fleet-id "$FLEET_OCID" \
        --managed-instance-ids "[\"$MANAGED_INSTANCE_OCID\"]" | jq -r '."opc-work-request-id"')
 
echo $WORK_REQUEST_OCID
 
# additionally you can add your own logic to check if work request is finished
# sleep 600
# oci jms work-request get --work-request-id "$WORK_REQUEST_OCID" | jq .data.status

Once the work request is finished and data is present in JMS, we can check if our application contains some vulnerabilities with the following command: 

#!/usr/bin/env bash
 
# configuration variables
FLEET_OCID=ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta
MANAGED_INSTANCE_OCID=ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq
 
# show first 1000 libraries and print those where JMS is aware of some CVE
oci jms library-usage summarize \
        --fleet-id $FLEET_OCID \
        --managed-instance-id $MANAGED_INSTANCE_OCID \
        --limit 1000 \
        --sort-by timeFirstSeen \
        --sort-order desc | jq '.data.items|map(select(."cve-id" != null))'
 
[
  {
    "approximate-application-count": 0,
    "approximate-deployed-application-count": 1,
    "approximate-java-server-instance-count": 1,
    "approximate-managed-instance-count": 1,
    "cve-id": "CVE-2021-20190",
    "cvss-score": 8.3,
    "fleet-id": "ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta",
    "library-key": "425505b8076ceac87cc479168829bd75d6a9b2a9e9a1546989b87622da59af39",
    "library-name": "jackson-databind",
    "library-version": "2.8.11.6",
    "time-end": "2025-06-16T16:14:44.233000+00:00",
    "time-first-seen": "2025-06-16T13:09:00+00:00",
    "time-last-cve-refreshed": "2025-06-15T00:00:00+00:00",
    "time-last-seen": "2025-06-16T13:09:00+00:00",
    "time-start": "2025-06-09T00:00:00+00:00"
  },
  {
    "approximate-application-count": 0,
    "approximate-deployed-application-count": 1,
    "approximate-java-server-instance-count": 1,
    "approximate-managed-instance-count": 1,
    "cve-id": "CVE-2021-36090",
    "cvss-score": 5.0,
    "fleet-id": "ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta",
    "library-key": "6cdd56d2278eec9e4c31a9c50567821a06695341957496956d5a9defcfd3dd10",
    "library-name": "commons-compress",
    "library-version": "1.20",
    "time-end": "2025-06-16T16:14:44.233000+00:00",
    "time-first-seen": "2025-06-16T13:09:00+00:00",
    "time-last-cve-refreshed": "2025-06-15T00:00:00+00:00",
    "time-last-seen": "2025-06-16T13:09:00+00:00",
    "time-start": "2025-06-09T00:00:00+00:00"
  }
]

In the example above we can see that application has dependency on jackson-databind library of version 2.8.11.6 which should be updated because of CVE-2021-20190. Similar finding is for dependency commons-compress of version 1.20, which has reported vulnerability CVE-2021-36090.