Advanced Usage Tracking
Advanced usage tracking gives you deeper insight into the Java servers running on your managed instances and into the libraries used by your Java applications, with a security focus: it shows whether a detected library contains any known vulnerabilities.
Advanced usage tracking includes:
- Scanning Java servers
- Scanning Java libraries
Scanning Java servers
This feature lets you discover the Java servers running in your fleet. JMS can currently detect WebLogic, JBoss and Tomcat servers. After a successful scan, all detected Java servers are listed in the Java servers section of the JMS fleet.
OCI Cloud Console
- Log in to the OCI Console as an administrator.
- Open the navigation menu, click Observability & Management, then click Fleets under Java Management.
- Select your fleet.
- Click Actions, then select Scan Java servers from the menu.
- Click Scan.
- Once the work request has completed, click the Java servers section of the fleet. All detected Java servers should be listed.
OCI CLI
- Run the following command:
oci jms java-server-usage scan --fleet-id $FLEET_OCID
Note: you can pass a JSON list of the managed instances to scan with the additional parameter --managed-instance-ids; otherwise all managed instances in the fleet are selected.
Example JSON payload that the JMS plugin sends to the OCI inventory log object during a Java server scan:
{
  "datetime": 1749559306604,
  "logContent": {
    "id": "ac26cc41-de6d-4f8a-994b-909a3705d0db",
    "time": "2025-06-10T12:41:46.604Z",
    "oracle": {
      "compartmentid": "ocid1.compartment.oc1..compartment-id",
      "ingestedtime": "2025-06-10T12:42:08.158306651Z",
      "instanceid": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
      "loggroupid": "ocid1.loggroup.oc1.eu-frankfurt-1.log-group-id",
      "logid": "ocid1.log.oc1.eu-frankfurt-1.log-id",
      "tenantid": "ocid1.tenancy.oc1..tenant-id"
    },
    "source": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
    "specversion": "1.0",
    "subject": "Oracle JMS Plugin",
    "type": "jms.javaserver.metadata.log",
    "data": {
      "data": {
        "clusterName": "",
        "committedHeap": 16252928,
        "deployments": [],
        "fleetId": "ocid1.jmsfleet.oc1.eu-frankfurt-1.fleet-id",
        "initHeap": 16777216,
        "javaDistribution": "Java(TM) SE Runtime Environment",
        "javaHome": "/usr/lib/jvm/jdk-17.0.15-oracle-x64",
        "javaMajorVersion": "17",
        "javaVendor": "Oracle Corporation",
        "javaVersion": "17.0.15",
        "managedInstanceId": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
        "maxHeap": 241303552,
        "osArch": "amd64",
        "osName": "Linux",
        "osVersion": "5.15.0-306.177.4.el9uek.x86_64",
        "productName": "Apache Tomcat",
        "productVersion": "11.0.8.0",
        "serverHome": "/home/opc/apache-tomcat-11.0.8",
        "serverName": "N/A",
        "serverPort": "8088",
        "usedHeap": 13224344
      },
      "datacontenttype": "application/json",
      "dataschema": "1.0",
      "id": "5d1178ee-f8e9-4cd4-a463-5bb309c02b99",
      "source": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
      "specversion": "1.0",
      "time": "2025-06-10T12:41:46.601Z",
      "type": "jms.javaserver.metadata.log"
    }
  },
  "regionId": "eu-frankfurt-1"
}
Scanning Java libraries
This feature reports all libraries used by your Java applications in a single section of the fleet, called Java libraries.
You can use it to scan third-party Java libraries for known vulnerabilities and to make sure your Java applications do not use unwanted libraries. For details of what JMS can and cannot detect, see the official documentation: Scanning Java Libraries.
OCI Cloud Console
- Log in to the OCI Console as an administrator.
- Open the navigation menu, click Observability & Management, then click Fleets under Java Management.
- Select your fleet.
- Click Actions, then select Scan Java libraries from the menu.
- Click Scan.
- Once the work request has completed, click the Java libraries section of the fleet. All detected Java libraries should be listed.
OCI CLI
- Run the following command:
oci jms library-usage scan --fleet-id $FLEET_OCID
Note: you can pass a JSON list of the managed instances to scan with the additional parameter --managed-instance-ids; otherwise all managed instances in the fleet are selected.
Example JSON payload that the JMS plugin sends to the OCI inventory log object during a Java library scan:
{
  "datetime": 1749633185521,
  "logContent": {
    "id": "e7915f73-ac67-4ec7-9d4d-7798cb9e0ce0",
    "time": "2025-06-11T09:13:05.521Z",
    "oracle": {
      "compartmentid": "ocid1.compartment.oc1..compartment-id",
      "ingestedtime": "2025-06-11T09:14:53.129341509Z",
      "instanceid": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
      "loggroupid": "ocid1.loggroup.oc1.eu-frankfurt-1.log-group-id",
      "logid": "ocid1.log.oc1.eu-frankfurt-1.log-id",
      "tenantid": "ocid1.tenancy.oc1..tenant-id"
    },
    "source": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
    "specversion": "1.0",
    "subject": "Oracle JMS Plugin",
    "type": "jms.javaserver.libraries.log",
    "data": {
      "data": {
        "applicationSourcePath": "/var/lib/tomcat/webapps/java-webapp-demo-0.0.1-SNAPSHOT.war",
        "clusterName": "",
        "committedHeap": 25296896,
        "deploymentName": "java-webapp-demo-0.0.1-SNAPSHOT",
        "deploymentType": "war",
        "fleetId": "ocid1.jmsfleet.oc1.eu-frankfurt-1.fleet-id",
        "initHeap": 16777216,
        "javaDistribution": "Java(TM) SE Runtime Environment",
        "javaHome": "/opt/java/jdk-24.0.1",
        "javaMajorVersion": "24",
        "javaVendor": "Oracle Corporation",
        "javaVersion": "24.0.1",
        "libraries": [
          "google llc:error_prone_annotations:2.30.0:com.google.errorprone",
          "fasterxml:jackson-datatype-jsr310:2.19.0:com.fasterxml.jackson.datatype",
          "fasterxml:jackson-core:2.19.0:com.fasterxml.jackson.core",
          "the apache software foundation:log4j-to-slf4j:2.24.3:org.apache.logging.log4j",
          "google gson project:gson:2.13.1:com.google.code.gson",
          "slf4j.org:slf4j-api:2.0.17:org.slf4j",
          "google llc:proto-google-common-protos:2.54.1:com.google.api.grpc",
          "the apache software foundation:log4j-api:2.24.3:org.apache.logging.log4j",
          "h2 group:h2:2.3.232:n/a",
          "slf4j.org:jul-to-slf4j:2.0.17:org.slf4j",
          "qos.ch:logback-classic:1.5.18:ch.qos.logback",
          "fasterxml:jackson-annotations:2.19.0:com.fasterxml.jackson.core",
          "fasterxml:jackson-module-parameter-names:2.19.0:com.fasterxml.jackson.module",
          "fasterxml:jackson-databind:2.19.0:com.fasterxml.jackson.core",
          "eclipse foundation:jakarta.annotation-api:2.1.1:jakarta.annotation",
          "qos.ch:logback-core:1.5.18:ch.qos.logback"
        ],
        "managedInstanceId": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
        "maxHeap": 241303552,
        "osArch": "amd64",
        "osName": "Linux",
        "osVersion": "5.15.0-306.177.4.el9uek.x86_64",
        "productName": "Apache Tomcat",
        "productVersion": "9.0.87.0",
        "serverHome": "/usr/share/tomcat",
        "serverName": "N/A",
        "serverPort": "8080",
        "usedHeap": 23623336
      },
      "datacontenttype": "application/json",
      "dataschema": "1.0",
      "id": "f725e769-aea1-4c46-9125-9bec280b75c6",
      "source": "ocid1.instance.oc1.eu-frankfurt-1.instance-id",
      "specversion": "1.0",
      "time": "2025-06-11T09:13:05.518Z",
      "type": "jms.javaserver.libraries.log"
    }
  },
  "regionId": "eu-frankfurt-1"
}
Example
#!/usr/bin/env bash
set -euo pipefail
# configuration variables
FLEET_OCID=ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta
MANAGED_INSTANCE_OCID=ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq
# execute library scan on specific managed instance within your fleet where example application is running;
# the scan is asynchronous, so the CLI returns a work request id rather than the scan result
WORK_REQUEST_OCID=$(oci jms library-usage scan \
  --fleet-id "$FLEET_OCID" \
  --managed-instance-ids "[\"$MANAGED_INSTANCE_OCID\"]" | jq -r '."opc-work-request-id"')
echo "$WORK_REQUEST_OCID"
# additionally you can add your own logic to check if work request is finished, e.g.
# sleep 600
# oci jms work-request get --work-request-id "$WORK_REQUEST_OCID" | jq .data.status
Once the work request has completed and the data is present in JMS, we can check whether the application contains any vulnerabilities with the following command:
#!/usr/bin/env bash
set -euo pipefail
# configuration variables
FLEET_OCID=ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta
MANAGED_INSTANCE_OCID=ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq
# show first 1000 libraries and print those where JMS is aware of some CVE
oci jms library-usage summarize \
  --fleet-id "$FLEET_OCID" \
  --managed-instance-id "$MANAGED_INSTANCE_OCID" \
  --limit 1000 \
  --sort-by timeFirstSeen \
  --sort-order desc | jq '.data.items|map(select(."cve-id" != null))'
[
  {
    "approximate-application-count": 0,
    "approximate-deployed-application-count": 1,
    "approximate-java-server-instance-count": 1,
    "approximate-managed-instance-count": 1,
    "cve-id": "CVE-2021-20190",
    "cvss-score": 8.3,
    "fleet-id": "ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta",
    "library-key": "425505b8076ceac87cc479168829bd75d6a9b2a9e9a1546989b87622da59af39",
    "library-name": "jackson-databind",
    "library-version": "2.8.11.6",
    "time-end": "2025-06-16T16:14:44.233000+00:00",
    "time-first-seen": "2025-06-16T13:09:00+00:00",
    "time-last-cve-refreshed": "2025-06-15T00:00:00+00:00",
    "time-last-seen": "2025-06-16T13:09:00+00:00",
    "time-start": "2025-06-09T00:00:00+00:00"
  },
  {
    "approximate-application-count": 0,
    "approximate-deployed-application-count": 1,
    "approximate-java-server-instance-count": 1,
    "approximate-managed-instance-count": 1,
    "cve-id": "CVE-2021-36090",
    "cvss-score": 5.0,
    "fleet-id": "ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta",
    "library-key": "6cdd56d2278eec9e4c31a9c50567821a06695341957496956d5a9defcfd3dd10",
    "library-name": "commons-compress",
    "library-version": "1.20",
    "time-end": "2025-06-16T16:14:44.233000+00:00",
    "time-first-seen": "2025-06-16T13:09:00+00:00",
    "time-last-cve-refreshed": "2025-06-15T00:00:00+00:00",
    "time-last-seen": "2025-06-16T13:09:00+00:00",
    "time-start": "2025-06-09T00:00:00+00:00"
  }
]
In the example above we can see that the application depends on version 2.8.11.6 of the jackson-databind library, which should be updated because of CVE-2021-20190. A similar finding applies to the commons-compress dependency at version 1.20, for which CVE-2021-36090 is reported.