What Info is Transmitted Between Your System and Azul Vulnerability Detection
Azul Vulnerability Detection is a combination of applications running within your environment combined with an analysis and data collection solution provided by Azul as Software as a Service (SaaS). This means there is an exchange of JVM Meta Data from your environment to the Azul system. This document describes what data are exchanged exactly and how the security of your JVM Meta Data is handled at every level involved.
Components Within the System
To be able to provide vulnerability information, three components are involved:
-
Within your environment
-
Java Runtimes
-
Forwarder(s)
-
-
Provided by Azul
-
Azul Vulnerability Detection Web UI and APIs
-
Java Runtime
The Java Runtime (being Azul Zulu JRE and/or Azul Zulu Prime JRE) runs within your environment and will never need access to the public internet to exchange data with Azul Vulnerability Detection. The runtime will collect information about the libraries inside the application using the Connected Runtime Service (CRS), a component inside the JVM. But only when the argument -XX:AzCRSMode=on or environment variable AZ_CRS_ARGUMENTS are added (for more info, see Connect to Azul Vulnerability Detection via the Forwarder), the runtime will collect information about the libraries inside the application using the Connected Runtime Service (CRS), a component inside the JVM. CRS will transmit these data via the Forwarder.
|
Note
|
Our runtimes only send data regarding the Java runtime and libraries for this very specific functionality. There is no other information exchanged with Azul, and all collected JVM Meta Data in the Saas environment is available to you via our Web UI and API. In contrast to distributions from other providers, Azul will not, and cannot, use this information to check licenses. |
Forwarder
The Forwarder is a separate application provided by Azul to be installed within your environment (at least once, for more info, see "One-time Setup"), that will transmit the JVM Meta Data provided by the runtimes to Azul Vulnerability Detection. It requires access to the public internet. Rotating certificates secure the connection between the Forwarder and Azul Vulnerability Detection.
Azul Vulnerability Detection
Our SaaS solution to detect vulnerabilities in your applications, uses an internal knowledge base containing "fingerprints" (hashes) as described on "How CVEs are Detected". At this point, Azul doesn’t have any other reference to your code or applications except the info related to the Instance ID.
APIs Between Java Runtime and Forwarder
The Forwarder is the "gateway" between the runtimes within your environment and the Azul Vulnerability Detection SaaS solution. All data flowing through the Forwarder is transmitted via an API approach.
| API | Method | Description |
|---|---|---|
/crs/instance/{vmId} |
POST |
Report new VM instance events. |
/crs/auth/rt/token |
GET |
Get new runtime token. |
/crs/auth/rt/token |
POST |
Refresh runtime token. |
Data Model Exchanged Between Java Runtime and Forwarder
VM Event
Each JVM instance reports VM events to the Forwarder.
| Field | Description |
|---|---|
vmId |
VM instance associated with event, must be set only for user initiated requests |
eventId |
Synthetic primary key of event |
eventType |
See VM Event Types |
eventPayload |
Optional payload, based on |
eventTime |
VM event time (epoch millis) |
receivedTime |
The time VM event first observed by the server (epoch millis) |
VM Event Types
VM event types supported by CRS.
| Event Type | Event Payload |
|---|---|
VM_CREATE |
|
VM_PATCH |
|
VM_ARTIFACT_CREATE |
|
VM_ARTIFACT_PATCH |
|
VM_ARTIFACT_DATA |
|
VM_JAR_LOADED |
|
VM_CLASS_LOADED |
|
VM_METHOD_FIRST_CALLED |
|
VM_PERFORMANCE_METRICS |
|
VM_SENSITIVE_ACTION |
|
VM_HEARTBEAT |
- |
VM_SHUTDOWN |
- |
VM Event Payloads
The eventPayload in VM Event is defined by the VM Event Type and uses one of the following structures.
VM Instance
Payload of VM_CREATE and VM_PATCH events.
The model of a VM instance managed by CRS.
| Field | Description |
|---|---|
vmId |
VM instance ID generated by CRS |
clientVersion |
Version of CRS client used by VM instance |
clientRevision |
Source code revision of CRS client used by VM instance |
inventory |
See the Inventory model. |
jvmInfo |
JVM information derived from VM instance metadata:
|
startTime |
Start time of the VM instance (epoch millis) |
lastHeardTime |
Last time VM instance was heard by CRS service (epoch millis) |
owner |
User name associated with VM instance |
mailbox |
Mailbox ID used by CRS to report VM instance metadata and telemetry |
state |
State of VM instance last known to CRS:
|
tags |
Tags of VM instance consisted of named string values |
VM Artifact
Payload of VM_ARTIFACT_CREATE and VM_ARTIFACT_PATCH events.
Represents information about a file associated with a specific VMInstance (e.g. GC log or JFR recording). The content of the file is not a part of the model. It is hosted by a suitable storage and is simply referenced by the VMArtifact.
| Field | Description |
|---|---|
artifactId |
VM artifact ID generated by CRS on artifact creation |
artifactType |
Types of VM artifacts supported by CRS
|
metadata |
VM artifact metadata with free form schema dependent on artifact type |
filename |
Name of the artifact |
vmId |
VM instance associated with the artifact |
createTime |
Time of VM artifact creation (epoch millis). |
uploadURL |
Presigned URL to upload artifact file. Only used as a return value. |
snapshot |
Presigned URL to download artifact snapshot. Only used as a return value. |
size |
Size of artifact data in bytes, -1 if no data available. Only used as a return value. |
VM Artifact Data
Payload of VM_ARTIFACT_DATA events.
The data is appended to VM artifact content accumulated by CRS so far. That means no concurrent events for the same VM artifact are allowed, and the ordering of sent data should be preserved by CRS.
| Field | Description |
|---|---|
artifactId |
ID of VM artifact the data belongs to |
data |
Plain text representation of VM artifact data to be appended to the artifact. |
VM Jar Loaded
Payload of VM_JAR_LOADED events.
| Field | Description |
|---|---|
jarName |
JAR file name |
url |
URL used by JVM to access JAR content |
centralDirectoryHash |
Hash value computed by central directory of JAR archive |
centralDirectoryLength |
Length of the central directory of JAR archive |
centralDirectoryExtractionMethod |
Method used to obtain central directory of JAR archive |
recursionDepth |
Depth of JAR when nested JAR is reported recursively |
manifestHash |
Hash value computed by META-INF/MANIFEST.MF of JAR |
initiatedBy |
The party that initiated the reporting of JAR:
|
mavenComponents |
Maven components detected by metadata files of JAR (pom.properties, etc.), containing:
|
stats |
Time counters computed on JAR processing, containing:
|
entries |
Packed data with JAR entry details |
VM Class Loaded
Payload of VM_CLASS_LOADED events.
| Field | Description |
|---|---|
classId |
VM specific ID of the class |
loaderId |
VM specific ID of the class loader that loaded the class |
className |
Fully qualified class name |
source |
Source of the loaded class |
hash |
Hash calculated by original class content |
transformedHash |
Hash of the class that was transformed on loading (e.g. instrumented) |
VM Method First Called
Payload of VM_METHOD_FIRST_CALLED events.
| Field | Description |
|---|---|
classId |
VM specific ID of the class |
methodName |
Name and signature of the method |
VM Performance Metrics
Payload of VM_PERFORMANCE_METRICS events.
| Field | Description |
|---|---|
numEventBatches |
Number of buckets sent to the cloud (events are sent in buckets) |
numBytesOut |
Number of bytes of data sent to the cloud |
numConnections |
Total number of HTTP connections established to the cloud (including all reconnects) |
numRequests |
Total number of HTTP requests to the cloud (greater than the number of connections since connections may be cached) |
numClassLoads |
Total number of registered class load events |
maxQueueLength |
Max reached event queue length |
handshakeMillis |
Elapsed time on handshake with the cloud |
numBytesInArtifacts |
Number of bytes sent as artifact data |
communicationMillis |
Elapsed time on network activity (handshake + read + write) |
numBytesIn |
Number of bytes received from the cloud |
numEvents |
Number of events sent to the cloud (class load, jar load, and everything else) |
numEventHistogram |
Histogram of the number of events sent to the cloud in one batch (base 2 logarithm of the number of events in the batch) |
preShutdownMillis |
Time elapsed since the start of VM shutdown hooks (effectively the end of user application), till the end of processing of rest events in the queue |
numMethodEntries |
Number of executed unique Java methods |
VM Sensitive Action
Payload of VM_SENSITIVE_ACTION events.
| Field | Description |
|---|---|
permissionClass |
Permission class - the topmost sensitive actions category. Example: |
permissionAction |
Permission action, for example, for FilePermission it can be "read", "write" or "execute". Example: |
permissionName string |
The name of the object, to which permission is requested. Example: |
stack |
Inventory
VM instance inventory reported by connected runtime.
| Field | Description |
|---|---|
hostName |
Host name of machine running VM instance |
networks |
Network interfaces of machine running VM instance, containing an array with hostname and address |
systemProperties |
The following subset of JVM system properties: |
systemInfo |
System info of machine running VM instance For example: |
cpuInfo |
CPU info of machine running VM instance For example: |
memInfo |
Memory info of machine running VM instance For example: |
osInfo |
OS info of machine running VM instance For example: |
osEnvironment |
Only the following list of OS environment variables, needed by Azul Vulnerability Detection, are transmitted: |
mainMethod |
Main method executed by JVM on VM instance invocation For example: |