Enabling Software Composition Analysis using Datadog tracing libraries

Docs > Datadog Security > Application Security Management > Enabling ASM > Enabling ASM using Datadog Tracing Libraries > Enabling Software Composition Analysis using Datadog tracing libraries

You can use Datadog Software Composition Analysis (SCA) to monitor the open source libraries in your apps.

SCA is configured by setting the -Ddd.appsec.sca.enabled flag or the DD_APPSEC_SCA_ENABLED environment variable to true in supported languages:

Java
.NET
Go
Ruby
PHP
Node.js
Python

This topic explains how to set up SCA using a Java example.

Example: enabling Software Composition Analysis in Java

Update your Datadog Java library to at least version 0.94.0 (at least version 1.1.4 for Software Composition Analysis detection features):
wget -O dd-java-agent.jar 'https://dtdg.co/latest-java-tracer'
curl -Lo dd-java-agent.jar 'https://dtdg.co/latest-java-tracer'
ADD 'https://dtdg.co/latest-java-tracer' dd-java-agent.jar
To check that your service’s language and framework versions are supported for ASM capabilities, see Compatibility.

Run your Java application with SCA enabled. From the command line:

java -javaagent:/path/to/dd-java-agent.jar -Ddd.appsec.sca.enabled=true -Ddd.service=<MY SERVICE> -Ddd.env=<MY_ENV> -jar path/to/app.jar

Or one of the following methods, depending on where your application runs:

Note: Read-only file systems are not supported at this time. The application must have access to a writable /tmp directory.

Update your configuration container for APM by adding the following argument in your docker run command:

docker run [...] -e DD_APPSEC_SCA_ENABLED=true [...]

Add the following environment variable value to your container Dockerfile:

ENV DD_APPSEC_SCA_ENABLED=true

Update your deployment configuration file for APM and add the SCA environment variable:

spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_APPSEC_SCA_ENABLED
              value: "true"

Update your ECS task definition JSON file, by adding this in the environment section:

"environment": [
  ...,
  {
    "name": "DD_APPSEC_SCA_ENABLED",
    "value": "true"
  }
]

Set the -Ddd.appsec.sca.enabled flag or the DD_APPSEC_SCA_ENABLED environment variable to true in your service invocation:

java -javaagent:dd-java-agent.jar \
     -Ddd.appsec.sca.enabled=true \
     -jar <YOUR_SERVICE>.jar \
     <YOUR_SERVICE_FLAGS>