このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Prerequisites

Before setting up Software Composition Analysis, ensure the following prerequisites are met:

  1. Datadog Agent Installation: The Datadog Agent is installed and configured for your application’s operating system or container, cloud, or virtual environment.
  2. Datadog APM Configuration: Datadog APM is configured for your application or service, and traces are being received by Datadog.
  3. Supported Tracing Library: The Datadog Tracing Library used by your application or service supports Software Composition Analysis capabilities for the language of your application or service. For more details, refer to the Library Compatibility page for each ASM product.

Software Composition Analysis enablement types

Quick Start Guide

  1. Navigate to the Quick Start Guide:
    1. Expand Enable Vulnerability Detection.
    2. Select Open source vulnerabilities.
    3. Select Start Activation.
    4. Select the services where you want to identify library vulnerabilities, and then click Next.
    5. Select Enable for Selected Services.

Settings page

Alternatively, you can enable Software Composition Analysis through the [Settings] page.

  1. Navigate to the [Settings] page and select Get Started in Software Composition Analysis (SCA).
  2. For static analysis in source code, select Select Repositories.
  3. Select Add Github Account and follow the instructions to create a new GitHub Application.
  4. Once the GitHub account is set up, select Select Repositories and enable Software Composition Analysis (SCA).
  5. For runtime analysis in running services, click Select Services.
  6. Choose the services where you want to identify library vulnerabilities, and select Next.
  7. Select Enable for Selected Services.

Datadog Tracing Libraries

Add an environment variable or a new argument to your Datadog Tracing Library configuration.

By following these steps, you will successfully set up Software Composition Analysis for your application, ensuring comprehensive monitoring and identification of vulnerabilities in open source libraries used by your applications or services.

You can use Datadog Software Composition Analysis (SCA) to monitor the open source libraries in your apps.

SCA is configured by setting the -Ddd.appsec.sca.enabled flag or the DD_APPSEC_SCA_ENABLED environment variable to true in supported languages:

  • Java
  • .NET
  • Go
  • Ruby
  • PHP
  • Node.js
  • Python

This topic explains how to set up SCA using a Java example.

Example: enabling Software Composition Analysis in Java

  1. Update your Datadog Java library to at least version 0.94.0 (at least version 1.1.4 for Software Composition Analysis detection features):

    wget -O dd-java-agent.jar 'https://dtdg.co/latest-java-tracer'
    
    curl -Lo dd-java-agent.jar 'https://dtdg.co/latest-java-tracer'
    
    ADD 'https://dtdg.co/latest-java-tracer' dd-java-agent.jar
    
    To check that your service’s language and framework versions are supported for ASM capabilities, see Compatibility.

  2. Run your Java application with SCA enabled. From the command line:

    java -javaagent:/path/to/dd-java-agent.jar -Ddd.appsec.sca.enabled=true -Ddd.service=<MY SERVICE> -Ddd.env=<MY_ENV> -jar path/to/app.jar
    

    Or one of the following methods, depending on where your application runs:

    Note: Read-only file systems are not supported at this time. The application must have access to a writable /tmp directory.

    Update your configuration container for APM by adding the following argument in your docker run command:

    docker run [...] -e DD_APPSEC_SCA_ENABLED=true [...]
    

    Add the following environment variable value to your container Dockerfile:

    ENV DD_APPSEC_SCA_ENABLED=true
    

    Update your deployment configuration file for APM and add the SCA environment variable:

    spec:
      template:
        spec:
          containers:
            - name: <CONTAINER_NAME>
              image: <CONTAINER_IMAGE>/<TAG>
              env:
                - name: DD_APPSEC_SCA_ENABLED
                  value: "true"
    

    Update your ECS task definition JSON file, by adding this in the environment section:

    "environment": [
      ...,
      {
        "name": "DD_APPSEC_SCA_ENABLED",
        "value": "true"
      }
    ]
    

    Set the -Ddd.appsec.sca.enabled flag or the DD_APPSEC_SCA_ENABLED environment variable to true in your service invocation:

    java -javaagent:dd-java-agent.jar \
         -Ddd.appsec.sca.enabled=true \
         -jar <YOUR_SERVICE>.jar \
         <YOUR_SERVICE_FLAGS>
    

Further reading