This page is not yet available in Spanish. We are working on its translation. If you have any questions or feedback about our current translation project, feel free to reach out to us!
Application Security capabilities
The following application security capabilities are supported in the Java library, for the specified tracer version:
Application Security capability
Minimum Java tracer version
Threat Detection
1.8.0
API Security
1.31.0
Threat Protection
1.9.0
Customize response to blocked requests
1.11.0
Software Composition Analysis (SCA)
1.1.4
Code Security
1.15.0
Automatic user activity event tracking
1.20.0
The minimum tracer version to get all supported application security capabilities for Java is 1.31.0.
Note: Threat Protection requires enabling Remote Configuration, which is included in the listed minimum tracer version.
Supported deployment types
Type
Threat Detection support
Software Composition Analysis
Docker
Kubernetes
Amazon ECS
AWS Fargate
AWS Lambda
Azure App Service
Note: Azure App Service is supported for web applications only. Application Security doesn’t support Azure Functions.
Language and framework compatibility
Supported Java versions
The Java Tracer supports automatic instrumentation for the following Oracle JDK and OpenJDK JVM runtimes.
JVM versions
Operating Systems
Support level
Tracer version
8 to 17
Windows (x86-64) Linux (glibc, musl) (arm64, x86-64) MacOS (arm64, x86-64)
Supported
Latest
Datadog does not officially support any early-access versions of Java.
Web framework compatibility
Attacker source HTTP request details
Tags for the HTTP request (status code, method, etc)
Distributed Tracing to see attack flows through your applications
Application Security Capability Notes
Software Composition Analysis is supported on all frameworks
If Code Security does not support your framework, it will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities.
Framework
Versions
Threat Detection supported?
Threat Protection supported?
Code Security?
Grizzly
2.0+
Glassfish
gRPC
1.5+
Blocking not yet available for gRPC
Java Servlet
2.3+, 3.0+
Jetty
7.0-9.x, 10.x
Spring Boot
1.5
Spring Web (MVC)
4.0+
Spring WebFlux
5.0+
Tomcat
5.5+
Vert.x
3.4-3.9.x
Note: Many application servers are Servlet compatible and are automatically covered by that instrumentation, such as Websphere, Weblogic, and JBoss. Also, frameworks like Spring Boot (version 3) inherently work because they usually use a supported embedded application server, such as Tomcat, Jetty, or Netty.
dd-java-agent includes support for automatically tracing the following networking frameworks.
Networking tracing provides:
Distributed tracing through your applications
Request-based blocking
Application Security Capability Notes
Software Composition Analysis is supported on all frameworks
If Code Security does not support your framework, it will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities.
dd-java-agent includes support for automatically tracing the following database frameworks/drivers.
Datastore tracing provides:
Timing request to response
Query info (for example, a sanitized query string)
Error and stacktrace capturing
Application Security Capability Notes
Software Composition Analysis is supported on all frameworks
Threat Protection also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below.
If your framework is not supported below, Code Security won’t detect SQL Injection vulnerabilities, but will still detect the rest of vulnerability types listed here.
Database
Versions
Threat Detection supported?
Code Security?
Aerospike
4.0+
Couchbase
2.0+
JDBC
N/A
MongoDB
3.0-4.0+
dd-java-agent is also compatible with common JDBC drivers for Threat Detection, such as:
