View loaded dynamic packages in your application¶
Note
The Runtime Reachability Assessment feature is under limited availablity. Please contact us to gain access to this feature.
Lightrun enables you to monitor and receive notifications about dynamically loaded packages in your application during runtime. This functionality operates by tracking a predefined list of packages that you've added to a watchlist.
As part of the Runtime Reachability Assessment feature, once you've set up the watch list, you can proceed to manually review the status of the monitored packages and classes or set up notifications to be triggered in your target third-party applications using webhooks.
Before you begin¶
- Add the packages you want to track to the watch list.
- (Optional) To receive automated notifications in your third-party applications, configure at least one webhook.
View loaded/ not loaded dynamic packages based on watch list¶
- Log in to your Lightrun account.
-
Navigate to Runtime Reachability Assessment and click the Loaded Packages tab.
The list of Loaded and Not Loaded packages and classes are displayed.
-
(Optional) You can filter using a set of filters to narrow down the view based on your requirements.
- You can expand this list by adding more packages to the Watch list. Simply click Add Packages, and you will be directed to the Watched Packages page.
Get notifications for loaded packages¶
To help you keep track of your monitored loaded packages without needing to manually review the Loaded packages list constantly, you can create notifications for each of your monitored packages. This way, you'll receive alerts when they are loaded into your live application based on the integration with webhooks.
Prerequisite
Before proceeding, ensure you have set up at least one webhook. For more information, see Webhooks.
Set up a notification¶
- Log in to your Lightrun account.
- Click Settings on the top right hand side of your screen to navigate to the Settings dashboard.
-
Navigate to the Runtime Reachability Assessment section and click the Loaded Packages tab.
The Loaded Packages page opens.
-
In the required Watched package line, click the Notifications icon.
The Set notification dialog opens.
-
Set the notification details:
a. Enter the Package Name.
b. Package Version: Select a specific version. Leave it empty to apply all versions.
c. Notification Method: Select a Webhook from a preset list.
When a webhook is triggered, it sends a notification to a web location that is listening for that specific event notification. To learn more, click Webhooks.
-
Click Set Notification.
Manage notifications¶
About notifications icons¶
The following table lists the supported notification icons and what they indicate:
Icon | Description |
---|---|
Set a notification for when a package is loaded. | |
A notification has been set on the package. Click the icon to remove the notification. | |
The notification has been triggered. Note that it may take up to an hour for it to appear in the targeted tool. | |
Cannot be configured since the package is already loaded. |
Delete a notification¶
You can delete an active notification for a package that has not yet been loaded. However, you cannot delete a notification for a package that has already been tagged as loaded.
- Log in to your Lightrun account.
- Click Settings on the top right hand side of your screen to navigate to the Settings dashboard.
-
Navigate to the Runtime Reachability section and click Loaded Packages.
The Loaded Packages page opens.
-
Hover over the Notification.
The Delete notification tooltip is displayed.
-
Click Delete Notification.
Export watched loaded/ not loaded packges to a JSON file¶
You have the option to export your SBOM as a JSON file, providing detailed information about the loaded packages in the runtime application. This export feature facilitates a more in-depth analysis of your CVE vulnerabilities.
- Log in to your Lightrun account.
- Click Settings on the top right-hand side of your screen to navigate to the Settings dashboard.
- Navigate to Runtime Reachability Assessment and click the Loaded Packages tab. The list of packages is displayed.
-
Click Export as JSON.
The file is then downloaded to your local drive as a dedicated JSON file as displayed in the following example.
lightrun_loaded_packages-2024-02-08T07_28_58.992Z.json
[ { "package": { "name": "org.json:json", "version": "20230618", "agents": 5, "tags": [], "status": "LOADED", "classes": [ { "name": "org.json.JSONObject", "status": "NOT_LOADED", "agents": 5, "tags": [] }, { "name": "org.json.JSONObjection", "status": "LOADED", "agents": 5, "tags": [] } ] } }, { "package": { "name": "org.apache.commons:commons-lang3", "version": "3.14.0", "agents": 5, "tags": [], "status": "NOT", "classes": [] } }, { "package": { "name": "org.springframework:spring-web", "version": "6.0.13", "agents": 4, "tags": [], "status": "NOT_LOADED", "classes": [ { "name": "org.springframework.http.HttpStatus.Series", "status": "LOADED", "agents": 4, "tags": [] }, { "name": "org.spring.net.load", "status": "NOT_LOADED", "agents": 4, "tags": [] }, { "name": "org.springframework.http.HttpMethod", "status": "LOADED", "agents": 4, "tags": [] } ] } } ]