
What Info is Transmitted Between Your System and Azul Vulnerability Detection

Azul Vulnerability Detection is a combination of applications running within your environment combined with an analysis and data collection solution provided by Azul as Software as a Service (SaaS). This means there is an exchange of JVM Meta Data from your environment to the Azul system. This document describes what data are exchanged exactly and how the security of your JVM Meta Data is handled at every level involved.

Components Within the System

To be able to provide vulnerability information, three components are involved:

  • Within your environment

    • Java Runtimes

    • Forwarder(s)

  • Provided by Azul

    • Azul Vulnerability Detection Web UI and APIs

Java Runtime

The Java Runtime (Azul Zulu JRE and/or Azul Zulu Prime JRE) runs within your environment and never needs access to the public internet to exchange data with Azul Vulnerability Detection. Only when the argument -XX:AzCRSMode=on or the environment variable AZ_CRS_ARGUMENTS is set (for more info, see Connect to Azul Vulnerability Detection via the Forwarder) does the runtime collect information about the libraries inside the application, using the Connected Runtime Service (CRS), a component inside the JVM. CRS transmits these data via the Forwarder.

Note
Our runtimes only send data regarding the Java runtime and libraries for this very specific functionality. There is no other information exchanged with Azul, and all collected JVM Meta Data in the SaaS environment is available to you via our Web UI and API. In contrast to distributions from other providers, Azul will not, and cannot, use this information to check licenses.

Forwarder

The Forwarder is a separate application provided by Azul that is installed within your environment (at least once; for more info, see "One-time Setup") and transmits the JVM Meta Data provided by the runtimes to Azul Vulnerability Detection. It requires access to the public internet. Rotating certificates secure the connection between the Forwarder and Azul Vulnerability Detection.

Azul Vulnerability Detection

Our SaaS solution for detecting vulnerabilities in your applications uses an internal knowledge base of "fingerprints" (hashes), as described in "How CVEs are Detected". Azul holds no other reference to your code or applications beyond the information tied to the Instance ID.

Example of an Instance view in the Azul Vulnerability Detection UI

APIs Between Java Runtime and Forwarder

The Forwarder is the "gateway" between the runtimes within your environment and the Azul Vulnerability Detection SaaS solution. All data flowing through the Forwarder is transmitted through the following API.

API                    Method  Description

/crs/instance/{vmId}   POST    Report new VM instance events.
/crs/auth/rt/token     GET     Get new runtime token.
/crs/auth/rt/token     POST    Refresh runtime token.

Data Model Exchanged Between Java Runtime and Forwarder

VM Event

Each JVM instance reports VM events to the Forwarder.

Field  Description

vmId
    VM instance associated with the event; must be set only for user-initiated requests
eventId
    Synthetic primary key of the event
eventType
    Type of the event, one of the VM Event Types
eventPayload
    Optional payload, based on eventType, see the VM Event Types
eventTime
    VM event time (epoch millis)
receivedTime
    The time the VM event was first observed by the server (epoch millis)

VM Event Types

VM event types supported by CRS.

Event Type              Event Payload

VM_CREATE               VM Instance
VM_PATCH                VM Instance
VM_ARTIFACT_CREATE      VM Artifact
VM_ARTIFACT_PATCH       VM Artifact
VM_ARTIFACT_DATA        VM Artifact Data
VM_JAR_LOADED           VM Jar Loaded
VM_CLASS_LOADED         VM Class Loaded
VM_METHOD_FIRST_CALLED  VM Method First Called
VM_PERFORMANCE_METRICS  VM Performance Metrics
VM_HEARTBEAT            -
VM_SHUTDOWN             -
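As an added example (not code from this page or from Azul), the following Python script checks a batch of VM Event records against the event and payload tables on this page: the top-level fields, the eventType-to-payload mapping, the absence of a payload on VM_HEARTBEAT and VM_SHUTDOWN, and the artifactType values. The page does not say which payload fields a CRS client always sends, so the required-field sets, the clock-skew check on receivedTime and the sample events are assumptions of the example. A check of this kind is useful when reviewing what passes through the Forwarder in your own environment.

```python
import json
from collections import Counter

# Event types and the payload structure each carries, as listed in the
# VM Event Types table on this page (None = no payload).
PAYLOAD_FOR_TYPE = {
    "VM_CREATE": "VM Instance",
    "VM_PATCH": "VM Instance",
    "VM_ARTIFACT_CREATE": "VM Artifact",
    "VM_ARTIFACT_PATCH": "VM Artifact",
    "VM_ARTIFACT_DATA": "VM Artifact Data",
    "VM_JAR_LOADED": "VM Jar Loaded",
    "VM_CLASS_LOADED": "VM Class Loaded",
    "VM_METHOD_FIRST_CALLED": "VM Method First Called",
    "VM_PERFORMANCE_METRICS": "VM Performance Metrics",
    "VM_HEARTBEAT": None,
    "VM_SHUTDOWN": None,
}

# Fields taken from the payload tables in the "VM Event Payloads" section.
# The page does not state which fields a CRS client always sends; treating
# these particular ones as mandatory is an assumption of this example.
REQUIRED_FIELDS = {
    "VM Instance": {"vmId"},
    "VM Artifact": {"artifactId", "artifactType", "vmId"},
    "VM Artifact Data": {"artifactId", "data"},
    "VM Jar Loaded": {"jarName", "centralDirectoryHash"},
    "VM Class Loaded": {"classId", "className", "hash"},
    "VM Method First Called": {"classId", "methodName"},
    "VM Performance Metrics": {"numEvents", "numBytesOut"},
}

# Artifact types listed under the VM Artifact payload.
ARTIFACT_TYPES = {"GC_LOG", "VM_LOG", "CRS_LOG", "JFR", "JAR", "JAR_ENTRY",
                  "LARGE_VM_EVENT", "OTHER"}


def validate_event(event: dict) -> list[str]:
    """Return the problems found in one VM Event dict (empty list = OK)."""
    problems = []
    for field in ("eventId", "eventType", "eventTime"):
        if field not in event:
            problems.append(f"missing {field}")
    event_type = event.get("eventType")
    if event_type is not None and event_type not in PAYLOAD_FOR_TYPE:
        problems.append(f"unknown eventType {event_type}")
        return problems
    if not isinstance(event.get("eventTime", 0), int):
        problems.append("eventTime must be epoch millis (int)")
    # receivedTime is stamped by the server, so it should not precede the
    # runtime's eventTime; report it rather than silently accept (assumption).
    received = event.get("receivedTime")
    if isinstance(received, int) and isinstance(event.get("eventTime"), int) \
            and received < event["eventTime"]:
        problems.append("receivedTime earlier than eventTime (clock skew?)")
    if event_type is None:
        return problems
    expected = PAYLOAD_FOR_TYPE[event_type]
    payload = event.get("eventPayload")
    if expected is None:
        if payload is not None:
            problems.append(f"{event_type} carries no payload")
        return problems
    if not isinstance(payload, dict):
        problems.append(f"{event_type} requires a {expected} payload")
        return problems
    for field in sorted(REQUIRED_FIELDS[expected] - set(payload)):
        problems.append(f"payload missing {field}")
    if expected == "VM Artifact" and payload.get("artifactType") not in ARTIFACT_TYPES:
        problems.append(f"unknown artifactType {payload.get('artifactType')}")
    return problems


def validate_batch(events: list) -> tuple:
    """Return (count of valid events per type, {eventId: problems} for the rest)."""
    counts = Counter()
    rejected = {}
    for event in events:
        problems = validate_event(event)
        if problems:
            rejected[event.get("eventId")] = problems
        else:
            counts[event["eventType"]] += 1
    return counts, rejected


# Constructed sample batch; the values are illustrative, not captured traffic.
SAMPLE_EVENTS = [
    {"eventId": "e1", "eventType": "VM_JAR_LOADED", "eventTime": 1700000000000,
     "eventPayload": {"jarName": "demo-lib-1.2.3.jar",
                      "url": "file:/opt/app/lib/demo-lib-1.2.3.jar",
                      "centralDirectoryHash": "0" * 64,
                      "centralDirectoryLength": 412,
                      "mavenComponents": [{"groupId": "com.example",
                                           "artifactId": "demo-lib",
                                           "version": "1.2.3"}]}},
    {"eventId": "e2", "eventType": "VM_HEARTBEAT", "eventTime": 1700000001000,
     "eventPayload": {"unexpected": True}},
    {"eventId": "e3", "eventType": "VM_ARTIFACT_CREATE", "eventTime": 1700000002000,
     "receivedTime": 1700000001500,
     "eventPayload": {"artifactId": "a1", "artifactType": "SCREENSHOT"}},
]

if __name__ == "__main__":
    counts, rejected = validate_batch(SAMPLE_EVENTS)
    print(json.dumps({"valid": counts, "rejected": rejected}, indent=2))
```

Run as a script it prints one valid VM_JAR_LOADED event and the reasons e2 and e3 were rejected; on real data, feed it the decoded JSON bodies of POST /crs/instance/{vmId} requests.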

VM Event Payloads

The eventPayload in VM Event is defined by the VM Event Type and uses one of the following structures.

VM Instance

Payload of VM_CREATE and VM_PATCH events.

The model of a VM instance managed by CRS.

Field  Description

vmId
    VM instance ID generated by CRS
clientVersion
    Version of the CRS client used by the VM instance
clientRevision
    Source code revision of the CRS client used by the VM instance
inventory
    See the Inventory model.
jvmInfo
    JVM information derived from VM instance metadata:
      • Xmx: Max Java heap size
      • Xms: Initial Java heap size
startTime
    Start time of the VM instance (epoch millis)
lastHeardTime
    Last time the VM instance was heard by the CRS service (epoch millis)
owner
    User name associated with the VM instance
mailbox
    Mailbox ID used by CRS to report VM instance metadata and telemetry
state
    State of the VM instance last known to CRS:
      • STARTED - [Deprecated, but can be found in old VMs] VM instance is started but not running yet
      • RUNNING - VM instance is running
      • TERMINATED - VM instance is terminated
      • OFFLINE - VM instance has not responded for a long time (disconnected, crashed or any other reason)
tags
    Tags of the VM instance, consisting of named string values

VM Artifact

Payload of VM_ARTIFACT_CREATE and VM_ARTIFACT_PATCH events.

Represents information about a file associated with a specific VMInstance (e.g. GC log or JFR recording). The content of the file is not a part of the model. It is hosted by a suitable storage and is simply referenced by the VMArtifact.

Field  Description

artifactId
    VM artifact ID generated by CRS on artifact creation
artifactType
    Types of VM artifacts supported by CRS:
      • GC_LOG: GC log generated by the JVM according to arguments passed to the JVM
      • VM_LOG: log generated by the JVM according to arguments passed to the JVM
      • CRS_LOG: log generated by the CRS agent for debug purposes
      • JFR: JFR recording generated by the JVM according to arguments passed to the JVM
      • JAR: JAR file content, can be uploaded or sent by the runtime if allowed by a policy
      • JAR_ENTRY: JAR entry content, can be sent by the runtime if allowed by a policy
      • LARGE_VM_EVENT: payload of a VM event that exceeds the threshold and cannot be sent inline
      • OTHER: other type of VM artifact
metadata
    VM artifact metadata with a free-form schema dependent on the artifact type
filename
    Name of the artifact
vmId
    VM instance associated with the artifact
createTime
    Time of VM artifact creation (epoch millis)
uploadURL
    Presigned URL to upload the artifact file. Only used as a return value.
snapshot
    Presigned URL to download the artifact snapshot. Only used as a return value.
size
    Size of artifact data in bytes, -1 if no data is available. Only used as a return value.

VM Artifact Data

Payload of VM_ARTIFACT_DATA events.

The data is appended to VM artifact content accumulated by CRS so far. That means no concurrent events for the same VM artifact are allowed, and the ordering of sent data should be preserved by CRS.

Field  Description

artifactId
    ID of the VM artifact the data belongs to
data
    Plain text representation of VM artifact data to be appended to the artifact

VM Jar Loaded

Payload of VM_JAR_LOADED events.

Field  Description

jarName
    JAR file name
url
    URL used by the JVM to access the JAR content
centralDirectoryHash
    Hash value computed over the central directory of the JAR archive
centralDirectoryLength
    Length of the central directory of the JAR archive
centralDirectoryExtractionMethod
    Method used to obtain the central directory of the JAR archive
recursionDepth
    Depth of the JAR when a nested JAR is reported recursively
manifestHash
    Hash value computed over META-INF/MANIFEST.MF of the JAR
initiatedBy
    The party that initiated the reporting of the JAR:
      • CLASS_LOADING
      • JDK_NATIVE_LOADING
      • RECURSIVE_LOADING
      • OTHER
mavenComponents
    Maven components detected from the metadata files of the JAR (pom.properties, etc.), containing:
      • groupId: Group ID of the Maven component
      • artifactId: Artifact ID of the Maven component
      • version: Version of the Maven component
stats
    Time counters computed during JAR processing, containing:
      • visitJarEntries: Elapsed time to visit JAR entries, ns
      • jarEntriesHashes: Elapsed time to compute hashes of JAR class entries, ns
      • jarEntriesShaded: Elapsed time to compute shaded hashes of JAR class entries, ns
      • pomProperties: Elapsed time to process POM properties of the JAR, ns
entries
    Packed data with JAR entry details
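Added example, not Azul's code: this Python script shows which parts of a JAR the VM Jar Loaded identification fields are derived from. It builds a small JAR in memory (a constructed sample), reads the central directory offset and length from the end-of-central-directory record, hashes the central directory and META-INF/MANIFEST.MF, and extracts groupId, artifactId and version from pom.properties. The page does not name the hash algorithm CRS uses, so SHA-256 is an assumption here and the digests will not match what CRS reports; what the example demonstrates is what feeds the fingerprint: an archive comment leaves centralDirectoryHash unchanged, adding an entry changes it, and manifestHash depends on the manifest alone.

```python
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"       # end-of-central-directory record signature
CD_HEADER_SIG = b"PK\x01\x02"  # central directory file header signature
MANIFEST = "META-INF/MANIFEST.MF"


def build_sample_jar(comment: bytes = b"", extra_entry: bool = False) -> bytes:
    """Constructed in-memory JAR used as sample input (fixed timestamps keep it deterministic)."""
    buf = io.BytesIO()
    entries = [
        (MANIFEST, b"Manifest-Version: 1.0\nCreated-By: example\n"),
        ("META-INF/maven/com.example/demo-lib/pom.properties",
         b"#Generated by Maven\ngroupId=com.example\nartifactId=demo-lib\nversion=1.2.3\n"),
        ("com/example/Demo.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28),
    ]
    if extra_entry:
        entries.append(("com/example/Extra.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28))
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
        zf.comment = comment  # stored after the EOCD record, outside the central directory
    return buf.getvalue()


def locate_central_directory(jar: bytes) -> tuple[int, int]:
    """Return (offset, length) of the central directory, read from the EOCD record.

    rfind is sufficient for archives without a crafted comment; a hardened parser
    would scan backwards and validate the comment length field as well.
    """
    eocd = jar.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD layout: signature, disk number, CD start disk, entries on this disk,
    # total entries, CD size, CD offset, comment length (little-endian).
    _sig, _disk, _cd_disk, _n_disk, _n_total, cd_size, cd_offset, _clen = \
        struct.unpack_from("<IHHHHIIH", jar, eocd)
    return cd_offset, cd_size


def parse_pom_properties(text: str) -> dict:
    """Parse the key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def jar_fingerprint(jar: bytes) -> dict:
    """Compute the VM Jar Loaded identification fields for one JAR (SHA-256 is an assumption)."""
    cd_offset, cd_size = locate_central_directory(jar)
    result = {
        "centralDirectoryHash": hashlib.sha256(jar[cd_offset:cd_offset + cd_size]).hexdigest(),
        "centralDirectoryLength": cd_size,
        "manifestHash": None,
        "mavenComponents": [],
    }
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        names = zf.namelist()
        if MANIFEST in names:
            result["manifestHash"] = hashlib.sha256(zf.read(MANIFEST)).hexdigest()
        # Maven places pom.properties under META-INF/maven/<groupId>/<artifactId>/
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                result["mavenComponents"].append(
                    {k: props.get(k) for k in ("groupId", "artifactId", "version")})
    return result


if __name__ == "__main__":
    base = jar_fingerprint(build_sample_jar())
    commented = jar_fingerprint(build_sample_jar(comment=b"rebuilt"))
    extended = jar_fingerprint(build_sample_jar(extra_entry=True))
    print("same CD hash after adding a comment:", base["centralDirectoryHash"] == commented["centralDirectoryHash"])
    print("same CD hash after adding an entry: ", base["centralDirectoryHash"] == extended["centralDirectoryHash"])
    print("maven components:", base["mavenComponents"])
```

To inspect one of your own libraries, pass the bytes of the JAR file to jar_fingerprint; the central directory (entry names, sizes, CRCs, timestamps) is what gets hashed, not the entry contents themselves.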

VM Class Loaded

Payload of VM_CLASS_LOADED events.

Field  Description

classId
    VM-specific ID of the class
loaderId
    VM-specific ID of the class loader that loaded the class
className
    Fully qualified class name
source
    Source of the loaded class
hash
    Hash calculated over the original class content
transformedHash
    Hash of the class as transformed on loading (e.g. instrumented)

VM Method First Called

Payload of VM_METHOD_FIRST_CALLED events.

Field  Description

classId
    VM-specific ID of the class
methodName
    Name and signature of the method

VM Performance Metrics

Payload of VM_PERFORMANCE_METRICS events.

Field  Description

numEventBatches
    Number of buckets sent to the cloud (events are sent in buckets)
numBytesOut
    Number of bytes of data sent to the cloud
numConnections
    Total number of HTTP connections established to the cloud (including all reconnects)
numRequests
    Total number of HTTP requests to the cloud (greater than the number of connections, since connections may be cached)
numClassLoads
    Total number of registered class load events
maxQueueLength
    Maximum event queue length reached
handshakeMillis
    Elapsed time on the handshake with the cloud
numBytesInArtifacts
    Number of bytes sent as artifact data
communicationMillis
    Elapsed time on network activity (handshake + read + write)
numBytesIn
    Number of bytes received from the cloud
numEvents
    Number of events sent to the cloud (class load, jar load, and everything else)
numEventHistogram
    Histogram of the number of events sent to the cloud in one batch (base 2 logarithm of the number of events in the batch)
preShutdownMillis
    Time elapsed from the start of the VM shutdown hooks (effectively the end of the user application) until the end of processing of the remaining events in the queue
numMethodEntries
    Number of unique Java methods executed

Inventory

VM instance inventory reported by connected runtime.

Field  Description

hostName
    Host name of the machine running the VM instance
networks
    Network interfaces of the machine running the VM instance, as an array of hostname and address
systemProperties
    The following subset of JVM system properties:
      com.azul.crs.instance.offline.timeout
      com.azul.crs.instance.store.discarded.vmevents
      com.azul.crs.instance.tags
      file.encoding
      file.separator
      java.class.path
      java.compiler
      java.home
      java.io.tmpdir
      java.library.path
      java.runtime.version
      java.specification.version
      java.vendor
      java.vendor.version
      java.version
      java.vm.name
      java.vm.version
      java.vm.vendor
      jdk.vendor.version
      line.separator
      os.arch
      os.name
      os.version
      path.separator
      sun.arch.data.model
      sun.boot.class.path
      sun.boot.library.path
      sun.cpu.endian
      sun.desktop
      sun.io.unicode.encoding
      sun.java.launcher
      sun.jnu.encoding
      sun.management.compiler
      sun.os.patch.level
      user.country
      user.dir
      user.home
      user.language
      user.name
systemInfo
    System info of the machine running the VM instance. For example:
      sysctl.hw.activecpu: "16"
      sysctl.hw.cpufrequency_min: "2300000000"
      sysctl.hw.memsize: "17179869184"
      sysctl.hw.l1dcachesize: "32768"
cpuInfo
    CPU info of the machine running the VM instance. For example:
      CPU Microcode: 240
      Affected by MCU Erratum SKX102: false
      Number of Processors: 16
      CPU Stepping: 13
memInfo
    Memory info of the machine running the VM instance. For example:
      System RAM max, GB: 16
osInfo
    OS info of the machine running the VM instance. For example:
      OS Name: Mac OS X
      OS Version: 10.16
      OS Arch: x86_64
osEnvironment
    Only the following OS environment variables, which Azul Vulnerability Detection needs, are transmitted:
      AZ_CRS_ARGUMENTS
      CRS_DATACENTER
      CRS_IMAGE
      CRS_OWNER
      CRS_SERVICE
      CRS_TAGS
mainMethod
    Main method executed by the JVM on VM instance invocation. For example:
      HelloWorld.main
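Added example, not part of this page or of Azul's tooling: a Python script that reduces a full JVM property and environment dump to the subset the Inventory section says is transmitted, then lists the entries worth a second look before rollout (account names, paths, operator-set tags). The property set and the environment variable list are copied from this page; the input format (key = value lines as printed by java -XshowSettings:properties, with indented continuation lines for multi-entry paths), the review list and the sample dump are the example's own assumptions.

```python
# Subset of JVM system properties the page lists as transmitted in the inventory.
TRANSMITTED_SYSTEM_PROPERTIES = frozenset("""
com.azul.crs.instance.offline.timeout com.azul.crs.instance.store.discarded.vmevents
com.azul.crs.instance.tags file.encoding file.separator java.class.path java.compiler
java.home java.io.tmpdir java.library.path java.runtime.version java.specification.version
java.vendor java.vendor.version java.version java.vm.name java.vm.version java.vm.vendor
jdk.vendor.version line.separator os.arch os.name os.version path.separator
sun.arch.data.model sun.boot.class.path sun.boot.library.path sun.cpu.endian sun.desktop
sun.io.unicode.encoding sun.java.launcher sun.jnu.encoding sun.management.compiler
sun.os.patch.level user.country user.dir user.home user.language user.name
""".split())

# Environment variables the page lists as transmitted.
TRANSMITTED_ENV_VARS = frozenset(
    ["AZ_CRS_ARGUMENTS", "CRS_DATACENTER", "CRS_IMAGE", "CRS_OWNER", "CRS_SERVICE", "CRS_TAGS"])

# Keys whose values tend to carry account names, file system paths or free-form
# text set by operators. This review list is the example's own choice, not
# something the page defines.
REVIEW_KEYS = frozenset(["user.name", "user.home", "user.dir", "java.class.path",
                         "java.io.tmpdir", "java.library.path", "sun.java.launcher",
                         "com.azul.crs.instance.tags", "CRS_TAGS", "CRS_OWNER",
                         "AZ_CRS_ARGUMENTS"])


def parse_show_settings(text: str) -> dict:
    """Parse 'key = value' lines in the layout java -XshowSettings:properties prints (assumed).

    Lines without '=' (extra class path entries printed on their own indented
    lines) are appended to the preceding key using ':' as the POSIX path separator.
    """
    props = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):  # skip blanks and section headers
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            last_key = key.strip()
            props[last_key] = value.strip()
        elif last_key is not None:
            props[last_key] = f"{props[last_key]}:{line}" if props[last_key] else line
    return props


def transmitted_inventory(props: dict, env: dict) -> dict:
    """Reduce a full property/environment dump to what the page says leaves the host."""
    return {
        "systemProperties": {k: v for k, v in props.items() if k in TRANSMITTED_SYSTEM_PROPERTIES},
        "osEnvironment": {k: v for k, v in env.items() if k in TRANSMITTED_ENV_VARS},
    }


def review_items(inventory: dict) -> list[tuple[str, str]]:
    """Return (key, value) pairs from the transmitted subset that deserve a look before rollout."""
    flagged = []
    for section in ("systemProperties", "osEnvironment"):
        for key, value in sorted(inventory[section].items()):
            if key in REVIEW_KEYS and value:
                flagged.append((key, value))
    return flagged


# Constructed sample dump; not captured from a real host.
SAMPLE_SETTINGS = """\
Property settings:
    file.encoding = UTF-8
    java.class.path = /opt/app/app.jar
        /opt/app/lib/demo-lib-1.2.3.jar
    java.home = /opt/jdk
    java.io.tmpdir = /tmp
    java.vm.name = OpenJDK 64-Bit Server VM
    app.db.password = not-transmitted-secret
    user.name = svc-billing
    user.home = /home/svc-billing
"""
SAMPLE_ENV = {
    "HOME": "/home/svc-billing",
    "DB_PASSWORD": "not-transmitted-secret",
    "CRS_TAGS": "team=payments,env=prod",
    "CRS_OWNER": "billing",
}

if __name__ == "__main__":
    inventory = transmitted_inventory(parse_show_settings(SAMPLE_SETTINGS), SAMPLE_ENV)
    for key, value in review_items(inventory):
        print(f"review: {key} = {value}")
```

On a real host, capture the stderr of java -XshowSettings:properties -version into the parser and pass os.environ as the environment; custom -D properties and environment variables outside the two lists are dropped, which is the point the Inventory section makes.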