Advanced Usage Tracking
Advanced usage tracking lets you monitor the use of Java servers and Java libraries in a fleet. To enable Advanced Usage Tracking operations in your fleet, see Enabling Advanced Features.
Advanced usage tracking enables you to:
- View details about the Java servers associated with a fleet, including the applications deployed on each Java server and the managed server and managed instances on which it is deployed.
- Detect Java libraries and their associated Common Vulnerability Scoring System (CVSS) scores as reported by the National Vulnerability Database (NVD).
Enabling Advanced usage tracking activates the Java server scan and the Java library scan.
When you initiate the scans, the agent finds the Java servers and Java libraries in the fleet, respectively. JMS reports the servers and libraries used by a managed instance once that instance's management agent receives the scan request.
Decide which scan to use
Static scanning is typically enough to find most of the direct, known libraries your application uses. Dynamic scanning is useful for confirming which of those libraries or packages are actually exercised at runtime.
Static Scan: A standard static scan analyzes the application package (JAR/WAR/EAR) and its classpath to build a list of the library dependencies in your fleet. This tells you which libraries are declared as dependencies, even if not a single line of your code ever uses them. Such dependencies are commonly described as "declared" or "imported"; a static scan cannot tell you whether they are reachable at runtime.
Dynamic Scan: By observing the application as it runs, a dynamic scan confirms which libraries are actually loaded, executed, and called along the executed paths. This is crucial for prioritization: a vulnerability in a library that is never executed poses a much lower risk than one in a library that is actively in use.
The two scans are complementary: they operate at different times and on different artifacts or sources.
The following table compares the two scans:
| Feature | Static scan | Dynamic scan |
|---|---|---|
| What it scans | The classpath derived from a running application and the package (JAR/WAR/EAR) | A running application (code in execution), in addition to the details from the static scan |
| Result | Finds all declared (direct and transitive) dependencies | Finds the libraries actively used along the executed paths during the lifetime of the application instance |
| Focus | Known library vulnerabilities (CVEs) | Duration-based: reports the libraries used along the executed paths during the scan window |
In terms of impact on the managed instance, the dynamic scan has more overhead than the static scan.
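To make the declared-versus-loaded distinction concrete, here is an added example (not JMS code, and not how the JMS agent is implemented) that performs a toy static scan of a WAR's bundled jars and joins it with a dynamic view taken from HotSpot class-loading log lines in the `-Xlog:class+load` format (JDK 9 and later). The WAR, the library names (`acme-json`, `acme-template`, `acme-metrics`), the class names and the log lines are all constructed inline for the example; the output is the prioritization the text describes, "active" libraries first, "declared-only" libraries second.

```python
"""Added example (not JMS code): correlate a static scan of a WAR's bundled
libraries with a dynamic view of which of those libraries actually loaded
classes at runtime. The WAR and the log lines are constructed inline."""
import io
import re
import zipfile
from typing import Dict, List, Set

# Hypothetical library and class names used only for this example.
SAMPLE_LIBS = {
    "acme-json-1.4.2.jar": ["com/acme/json/Parser.class", "com/acme/json/Writer.class"],
    "acme-template-2.0.1.jar": ["com/acme/template/Engine.class"],
    "acme-metrics-0.9.0.jar": ["com/acme/metrics/Counter.class"],
}

# Maven-style file name: <artifact>-<version>.jar
JAR_NAME_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.\-]*)\.jar$")
# HotSpot unified logging line from -Xlog:class+load, e.g.
# [0.412s][info][class,load] com.acme.json.Parser source: file:/app/WEB-INF/lib/acme-json-1.4.2.jar
CLASS_LOAD_RE = re.compile(r"\[class,load\]\s+(?P<cls>\S+)\s+source:\s+(?P<src>\S+)")


def build_sample_war() -> bytes:
    """Construct a minimal WAR in memory: each bundled jar is itself a zip
    whose entries are (empty) class files under their package path."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        for jar_name, classes in SAMPLE_LIBS.items():
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as j:
                for cls in classes:
                    j.writestr(cls, b"")
            w.writestr(f"WEB-INF/lib/{jar_name}", inner.getvalue())
    return war.getvalue()


def static_scan(war_bytes: bytes) -> Dict[str, dict]:
    """Static view: every jar under WEB-INF/lib is a declared dependency,
    whether or not any class in it is ever loaded."""
    found: Dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as w:
        for entry in w.namelist():
            if not (entry.startswith("WEB-INF/lib/") and entry.endswith(".jar")):
                continue
            jar_name = entry.rsplit("/", 1)[-1]
            m = JAR_NAME_RE.match(jar_name)
            name, version = (m["name"], m["version"]) if m else (jar_name, "unknown")
            with zipfile.ZipFile(io.BytesIO(w.read(entry))) as j:
                classes = {
                    n[: -len(".class")].replace("/", ".")
                    for n in j.namelist() if n.endswith(".class")
                }
            found[jar_name] = {"name": name, "version": version, "classes": classes}
    return found


def parse_class_load_log(lines: List[str]) -> Dict[str, Set[str]]:
    """Dynamic view: map each jar (by file name) to the classes the JVM
    reported loading from it. JDK classes come from the CDS archive or
    jrt:/ rather than a jar and are skipped."""
    loaded: Dict[str, Set[str]] = {}
    for line in lines:
        m = CLASS_LOAD_RE.search(line)
        if not m or not m["src"].endswith(".jar"):
            continue
        jar_name = m["src"].rsplit("/", 1)[-1]
        loaded.setdefault(jar_name, set()).add(m["cls"])
    return loaded


def correlate(static: Dict[str, dict], dynamic: Dict[str, Set[str]]) -> List[dict]:
    """Join both views. 'active' libraries deserve first attention when a CVE
    lands; 'declared-only' ones are lower priority but still on the classpath."""
    rows = []
    for jar_name, info in sorted(static.items()):
        used = dynamic.get(jar_name, set()) & info["classes"]
        rows.append({
            "library": info["name"],
            "version": info["version"],
            "declared_classes": len(info["classes"]),
            "loaded_classes": len(used),
            "status": "active" if used else "declared-only",
        })
    return rows


# Constructed -Xlog:class+load output: the template engine is never loaded.
SAMPLE_LOG = [
    "[0.031s][info][class,load] java.lang.Object source: shared objects file",
    "[0.412s][info][class,load] com.acme.json.Parser source: file:/app/WEB-INF/lib/acme-json-1.4.2.jar",
    "[0.413s][info][class,load] com.acme.json.Writer source: file:/app/WEB-INF/lib/acme-json-1.4.2.jar",
    "[0.950s][info][class,load] com.acme.metrics.Counter source: file:/app/WEB-INF/lib/acme-metrics-0.9.0.jar",
]

if __name__ == "__main__":
    for row in correlate(static_scan(build_sample_war()), parse_class_load_log(SAMPLE_LOG)):
        print(row)
```

Note the caveat the table already implies: the dynamic view only covers the code paths executed during the observation window, so a "declared-only" result means "not seen loaded yet", not "never loaded". A library used only by a rarely exercised path (a monthly job, an error handler) can still be reachable; that is why the static result, which lists every declared dependency, remains the baseline for CVE matching and the dynamic result is used to order remediation rather than to discard findings.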