--- title: Java Compatibility Requirements description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Software Composition Analysis > Set up SCA in your running services > Compatibility Requirements > Java Compatibility Requirements --- # Java Compatibility Requirements {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). (). {% /alert %} {% /callout %} ## Code Security capabilities{% #code-security-capabilities %} The following code security capabilities are supported in the Java library, for the specified tracer version: | Application Security capability | Minimum Java tracer version | | ------------------------------------------- | --------------------------- | | Runtime Software Composition Analysis (SCA) | 1.1.4 | | Runtime Code Analysis (IAST) | 1.15.0 | The minimum tracer version to get all supported code security capabilities for Java is 1.15.0. **Note**: **Static Software Composition Analysis (SCA)** and **Static Code Analysis (SAST)** capabilities do not require Datadog's tracing library. Therefore, the requirements listd above do not apply to these two Code Security capabilities. ### Supported deployment types{% #supported-deployment-types %} | Type | Runtime Software Composition Analysis (SCA) | Runtime Code Analysis (IAST) | | ----------------- | ------------------------------------------- | ---------------------------- | | Docker | yes | yes | | Kubernetes | yes | yes | | Amazon ECS | yes | yes | | AWS Fargate | yes | Preview (1.15.0) | | AWS Lambda | not supported | not supported | | Azure App Service | yes | yes | **Note**: Azure App Service is supported for **web applications only**. Code Security doesn't support Azure Functions. ## Language and framework compatibility{% #language-and-framework-compatibility %} ### Supported Java versions{% #supported-java-versions %} The Java Tracer supports automatic instrumentation for the following Oracle JDK and OpenJDK JVM runtimes. | JVM versions | Operating Systems | Support level | Tracer version | | ------------ | ------------------------------------------------------------------------ | ------------- | -------------- | | 8 to 17 | Windows (x86-64)Linux (glibc, musl) (arm64, x86-64)MacOS (arm64, x86-64) | Supported | Latest | Datadog does not officially support any early-access versions of Java. ### Web framework compatibility{% #web-framework-compatibility %} - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications ##### Code Security Capability Notes{% #code-security-capability-notes %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks - If **Runtime Code Analysis (IAST)** does not support your framework, it will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities. | Framework | Versions | Runtime Code Analysis (IAST) | | ---------------- | ------------- | ---------------------------- | | Grizzly | 2.0+ | yes | | Glassfish | yes | | Java Servlet | 2.3+, 3.0+ | yes | | Jetty | 7.0-9.x, 10.x | yes | | Spring Boot | 1.5 | yes | | Spring Web (MVC) | 4.0+ | yes | | Spring WebFlux | 5.0+ | yes | | Tomcat | 5.5+ | yes | | Vert.x | 3.4-3.9.x | yes | **Note**: Many application servers are Servlet compatible and are automatically covered by that instrumentation, such as Websphere, Weblogic, and JBoss. Also, frameworks like Spring Boot (version 3) inherently work because they usually use a supported embedded application server, such as Tomcat, Jetty, or Netty. {% alert level="info" %} If you don't see your framework of choice listed, let us know! Fill out [this short form to send details](https://forms.gle/gHrxGQMEnAobukfn7). {% /alert %} ### Networking framework compatibility{% #networking-framework-compatibility %} `dd-java-agent` includes support for automatically tracing the following networking frameworks. **Networking tracing provides:** ##### Code Security Capability Notes{% #code-security-capability-notes-1 %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks - If **Runtime Code Analysis (IAST)** does not support your framework, it will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities. | Framework | Versions | Runtime Code Analysis (IAST) | | ---------------------------------- | -------- | ---------------------------- | | Apache HTTP Client | 4.0+ | | gRPC | 1.5+ | | HttpURLConnection | all | | Jax RS Clients | 2.0+ | yes | | Jersey Server | 1.9-2.29 | yes | | Netty HTTP Server | 3.8+ | | RESTEasy | 3.0.x | | Spring SessionAwareMessageListener | 3.1+ | {% alert level="info" %} If you don't see your framework of choice listed, let us know! Fill out [this short form to send details](https://forms.gle/gHrxGQMEnAobukfn7). {% /alert %} ### Data store compatibility{% #data-store-compatibility %} `dd-java-agent` includes support for automatically tracing the following database frameworks/drivers. **Datastore tracing provides:** - Query info (for example, a sanitized query string) - Error and stacktrace capturing ##### Code Security Capability Notes{% #code-security-capability-notes-2 %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks - If your framework is not supported below, **Runtime Code Analysis (IAST)** won't detect SQL Injection vulnerabilities, but will still detect the rest of vulnerability types listed [here](https://docs.datadoghq.com/security/code_security/software_composition_analysis.md). | Database | Versions | Runtime Code Analysis (IAST) | | --------- | -------- | ---------------------------- | | Aerospike | 4.0+ | | Couchbase | 2.0+ | | JDBC | N/A | yes | | MongoDB | 3.0-4.0+ |