diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index 991f7db238c09..53fea9d40e038 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -3112,256 +3112,251 @@ menu:
parent: containers
identifier: containers_autoscaling
weight: 2
- - name: Remediation
- url: containers/bits_ai_kubernetes_remediation
- parent: containers
- identifier: containers_autoscaling
- weight: 3
- name: Docker and other runtimes
url: containers/docker/
parent: containers
identifier: containers_docker
- weight: 4
+ weight: 3
- name: APM
url: containers/docker/apm/
parent: containers_docker
identifier: containers_docker_apm
- weight: 401
+ weight: 301
- name: Log collection
url: containers/docker/log/
parent: containers_docker
identifier: containers_docker_log
- weight: 402
+ weight: 302
- name: Tag extraction
url: containers/docker/tag/
parent: containers_docker
identifier: containers_docker_tag
- weight: 403
+ weight: 303
- name: Integrations
url: containers/docker/integrations/
parent: containers_docker
identifier: containers_docker_integrations
- weight: 404
+ weight: 304
- name: Prometheus
url: containers/docker/prometheus/
parent: containers_docker
identifier: containers_docker_prometheus
- weight: 405
+ weight: 305
- name: Data Collected
url: containers/docker/data_collected/
parent: containers_docker
identifier: containers_docker_data_collected
- weight: 406
+ weight: 306
- name: Kubernetes
url: containers/kubernetes/
parent: containers
identifier: containers_kubernetes
- weight: 5
+ weight: 4
- name: Installation
url: containers/kubernetes/installation
parent: containers_kubernetes
identifier: containers_kubernetes_installation
- weight: 501
+ weight: 401
- name: Further Configuration
url: containers/kubernetes/configuration
parent: containers_kubernetes
identifier: containers_kubernetes_configuration
- weight: 502
+ weight: 402
- name: Distributions
url: containers/kubernetes/distributions
parent: containers_kubernetes
identifier: containers_kubernetes_distributions
- weight: 503
+ weight: 403
- name: APM
url: containers/kubernetes/apm/
parent: containers_kubernetes
identifier: containers_kubernetes_apm
- weight: 
504
+ weight: 404
- name: Log collection
url: containers/kubernetes/log/
parent: containers_kubernetes
identifier: containers_kubernetes_log
- weight: 505
+ weight: 405
- name: Tag extraction
url: containers/kubernetes/tag/
parent: containers_kubernetes
identifier: containers_kubernetes_tag
- weight: 506
+ weight: 406
- name: Integrations
url: containers/kubernetes/integrations/
parent: containers_kubernetes
identifier: containers_kubernetes_integrations
- weight: 507
+ weight: 407
- name: Prometheus & OpenMetrics
url: containers/kubernetes/prometheus/
parent: containers_kubernetes
identifier: containers_kubernetes_prometheus
- weight: 508
+ weight: 408
- name: Control plane monitoring
url: containers/kubernetes/control_plane/
parent: containers_kubernetes
identifier: containers_kubernetes_control_plane
- weight: 509
+ weight: 409
- name: Data collected
url: containers/kubernetes/data_collected/
parent: containers_kubernetes
identifier: containers_kubernetes_data_collected
- weight: 510
+ weight: 410
- name: Datadog CSI Driver
url: containers/kubernetes/csi_driver
parent: containers_kubernetes
identifier: csi_driver
- weight: 511
+ weight: 411
- name: Data security
url: data_security/kubernetes
parent: containers_kubernetes
identifier: container_kubernetes_data_security
- weight: 512
+ weight: 412
- name: Cluster Agent
url: containers/cluster_agent/
parent: containers
identifier: containers_cluster
- weight: 6
+ weight: 5
- name: Setup
url: containers/cluster_agent/setup/
parent: containers_cluster
identifier: cluster_agent_setup
- weight: 601
+ weight: 501
- name: Commands & Options
url: containers/cluster_agent/commands/
identifier: cluster_agent_commands
parent: containers_cluster
- weight: 602
+ weight: 502
- name: Cluster Checks
identifier: containers_cluster_agent_clusterchecks
url: containers/cluster_agent/clusterchecks/
parent: containers_cluster
- weight: 603
+ weight: 503
- name: Endpoint Checks
identifier: containers_cluster_agent_endpoint_checks
url: 
containers/cluster_agent/endpointschecks/
parent: containers_cluster
- weight: 604
+ weight: 504
- name: Admission Controller
identifier: containers_cluster_agent_admission_controller
url: containers/cluster_agent/admission_controller/
parent: containers_cluster
- weight: 605
+ weight: 505
- name: Amazon ECS
url: containers/amazon_ecs/
parent: containers
identifier: containers_amazon_ecs
- weight: 7
+ weight: 6
- name: APM
url: containers/amazon_ecs/apm/
parent: containers_amazon_ecs
identifier: containers_amazon_ecs_apm
- weight: 701
+ weight: 601
- name: Log collection
url: containers/amazon_ecs/logs/
parent: containers_amazon_ecs
identifier: containers_amazon_ecs_logs
- weight: 702
+ weight: 602
- name: Tag extraction
url: containers/amazon_ecs/tags/
parent: containers_amazon_ecs
identifier: containers_amazon_ecs_tags
- weight: 703
+ weight: 603
- name: Data collected
url: containers/amazon_ecs/data_collected/
parent: containers_amazon_ecs
identifier: containers_amazon_ecs_data_collected
- weight: 704
+ weight: 604
- name: AWS Fargate
url: integrations/ecs_fargate/
parent: containers
identifier: ecs_fargate
- weight: 8
+ weight: 7
- name: Datadog Operator
url: containers/datadog_operator
identifier: containers_datadog_operator
parent: containers
- weight: 9
+ weight: 8
- name: Advanced Install
url: containers/datadog_operator/advanced_install
identifier: containers_datadog_operator_installation
parent: containers_datadog_operator
- weight: 901
+ weight: 801
- name: Configuration
url: containers/datadog_operator/config
identifier: containers_datadog_operator_configuration
parent: containers_datadog_operator
- weight: 902
+ weight: 802
- name: Custom Checks
url: containers/datadog_operator/custom_check
identifier: containers_datadog_operator_customchecks
parent: containers_datadog_operator
- weight: 903
+ weight: 803
- name: Data Collected
url: containers/datadog_operator/data_collected
identifier: containers_datadog_operator_datacollected
parent: 
containers_datadog_operator
- weight: 904
+ weight: 804
- name: kubectl Plugin
url: containers/datadog_operator/kubectl_plugin
identifier: containers_datadog_operator_kubectlplugin
parent: containers_datadog_operator
- weight: 905
+ weight: 805
- name: Secret Management
url: containers/datadog_operator/secret_management
identifier: containers_datadog_operator_secretmanagement
parent: containers_datadog_operator
- weight: 906
+ weight: 806
- name: DatadogDashboard CRD
url: containers/datadog_operator/crd_dashboard
identifier: containers_datadog_operator_crd_dashboard
parent: containers_datadog_operator
- weight: 907
+ weight: 807
- name: DatadogMonitor CRD
url: containers/datadog_operator/crd_monitor
identifier: containers_datadog_operator_crd_monitor
parent: containers_datadog_operator
- weight: 908
+ weight: 808
- name: DatadogSLO CRD
url: containers/datadog_operator/crd_slo
identifier: containers_datadog_operator_crd_slo
parent: containers_datadog_operator
- weight: 909
+ weight: 809
- name: Troubleshooting
url: containers/troubleshooting/
parent: containers
identifier: containers_troubleshooting
- weight: 10
+ weight: 9
- name: Duplicate hosts
url: containers/troubleshooting/duplicate_hosts
parent: containers_troubleshooting
identifier: containers_troubleshooting_duplicate_hosts
- weight: 1001
+ weight: 901
- name: Cluster Agent
url: containers/troubleshooting/cluster-agent
parent: containers_troubleshooting
identifier: containers_troubleshooting_cluster_agent
- weight: 1002
+ weight: 902
- name: Cluster Checks
url: containers/troubleshooting/cluster-and-endpoint-checks
parent: containers_troubleshooting
identifier: containers_troubleshooting_cluster_and_endpoint_checks
- weight: 1003
+ weight: 903
- name: HPA and Metrics Provider
url: containers/troubleshooting/hpa
parent: containers_troubleshooting
identifier: containers_troubleshooting_hpa
- weight: 1004
+ weight: 904
- name: Admission Controller
url: containers/troubleshooting/admission-controller
parent: 
containers_troubleshooting
identifier: containers_troubleshooting_admission_controller
- weight: 1005
+ weight: 905
- name: Guides
url: containers/guide
parent: containers
identifier: containers_guide
- weight: 11
+ weight: 10
- name: Processes
url: infrastructure/process
identifier: process
@@ -7187,6 +7182,11 @@ menu:
url: /security/code_security/software_composition_analysis/setup_runtime/compatibility/
parent: sca_setup_runtime
weight: 1
+ - name: Library Inventory
+ identifier: sca_library_inventory
+ url: /security/code_security/software_composition_analysis/library_inventory/
+ parent: software_composition_analysis
+ weight: 3
- name: Secret Scanning
identifier: sec_secret_scanning
url: /security/code_security/secret_scanning/
diff --git a/content/en/security/code_security/software_composition_analysis/_index.md b/content/en/security/code_security/software_composition_analysis/_index.md
index 5fe35e2a98ee6..e1b9f5c0baa45 100644
--- a/content/en/security/code_security/software_composition_analysis/_index.md
+++ b/content/en/security/code_security/software_composition_analysis/_index.md
@@ -59,8 +59,15 @@ Click on a library with a vulnerability to open a side panel that contains infor ### Library inventory -The Libraries [Inventory][8] helps you understand the list of libraries and its versions that are used in both your codebase and running on deployed services. For each library version, you can assess how often it is used, its license riskiness, and understand the health of each library (e.g. if it has reached EOL, if it is unmaintained, etc.) +The [Library Inventory][8] provides visibility into the third-party libraries detected across your codebase. Datadog collects this information from: + +* **Static SCA**, which identifies all libraries referenced in your repositories, and +* **Runtime SCA**, which detects libraries that are actually loaded and used by your services at runtime. + +Use the Library Inventory to understand which dependencies you rely on, where they are used, and whether they contain known vulnerabilities or license risks. + +To learn more about how the inventory is generated, how Static and Runtime data differ, and how to interpret the library details (usage, vulnerabilities, licenses, versions, and OpenSSF score), see [Library Inventory][14]. ### Library vulnerability context in APM SCA enriches the information Application Performance Monitoring (APM) is already collecting by flagging libraries that match with current vulnerability advisories. Potentially vulnerable services are highlighted directly in the **Security** view embedded in the [APM Software Catalog][10]. @@ -101,3 +108,4 @@ The Vulnerability Explorer offers remediation recommendations for detected vulne [11]: https://app.datadoghq.com/security/appsec/vm/library [12]: https://app.datadoghq.com/ci/code-analysis [13]: /security/code_security/software_composition_analysis/setup_static/#upload-third-party-sbom-to-datadog +[14]: /security/code_security/software_composition_analysis/library_inventory \ No newline at end of file 
diff --git a/content/en/security/code_security/software_composition_analysis/library_inventory.md b/content/en/security/code_security/software_composition_analysis/library_inventory.md
new file mode 100644
index 0000000000000..d9cb7a4f7ac5b
--- /dev/null
+++ b/content/en/security/code_security/software_composition_analysis/library_inventory.md
@@ -0,0 +1,164 @@
+---
+title: Library Inventory
+description: The Library Inventory provides a unified view of all third-party libraries detected across your codebase and services.
+disable_toc: false
+---
+
+The [Library Inventory][1] provides a unified view of all third-party libraries detected across your codebase and services. It helps you understand which components you depend on, which versions are in use, and where vulnerabilities or license risks might exist. The inventory is built from two complementary data sources:
+
+- **Static Software Composition Analysis (Static SCA)**, which scans your repositories to identify every library referenced in your source code.
+- **Runtime Software Composition Analysis (Runtime SCA)**, which detects libraries that are actually loaded and used at runtime by your services.
+This combined visibility helps you distinguish between theoretical dependencies and real risk exposure.
+
+## Static view
+
+The **Static** view lists all libraries referenced in your repositories as detected by **Static SCA**.
+
+Static SCA analyzes dependency files and source code to identify all declared third-party libraries, regardless of whether they are used at runtime. Use this view to:
+
+* See your complete dependency footprint
+* Identify libraries present in specific repositories
+* Track dependency versions and upgrade needs
+* Explore vulnerabilities and license metadata for all referenced libraries
+
+Static data updates on every repository scan.
+
+## Runtime view
+
+The **Runtime** view lists only the libraries actively used by your services in production or other monitored environments, as detected by **Runtime SCA**. 
+
+Runtime SCA observes loaded dependencies through the Datadog tracing library, enabling you to:
+
+* Prioritize vulnerabilities in libraries that are actually executed
+* Reduce noise by filtering out unused dependencies
+* Understand real exposure to vulnerable components
+* Map vulnerable libraries to the services and environments using them
+
+This view updates continuously as your services run.
+
+## Library details
+
+Clicking any library in the inventory opens the library detail panel, which provides an in-depth view of its metadata, vulnerabilities, and usage.
+
+The panel includes the following sections.
+
+### Overview
+
+Displays key information about the selected library and version, including:
+
+* **Security status** (count of Critical, High, Medium, Low vulnerabilities)
+* **License type**
+* **Version status** (older version, actively maintained, deprecated, etc.)
+* **Popularity** and download statistics when available
+
+This section provides a snapshot of the security and maintenance posture of the dependency.
+
+{{< img src="/security/code_security/overview.png" alt="a snapshot of the security and maintenance posture of the dependency" style="width:100%;" >}}
+
+### Repositories
+
+Shows all repositories where this library is referenced, as detected by **Static SCA**.
+
+For each repository, you can see:
+
+* The file and path where the dependency was declared
+* Whether the dependency is direct or transitive
+* The first detection timestamp
+* The latest scanned commit
+
+Use this view to understand how widely the library is used across your codebase.
+
+{{< img src="/security/code_security/repositories.png" alt="a snapshot of the security and maintenance posture of the dependency" style="width:100%;" >}}
+
+
+### Services
+
+Shows all services that load this library at runtime, as detected by **Runtime SCA**. 
+ +For each service, you can view: + +* The environments where it is running (for example, env:dev, env:prod) +* The team responsible (when available) +* The first time the library was detected in that service + +If no services appear, the library is referenced statically but not used at runtime. + +{{< img src="/security/code_security/services.png" alt="services that load this library at runtime" style="width:100%;" >}} + + +### Security + +Lists all known vulnerabilities affecting this library version, including: + +* Severity (Critical, High, Medium, Low) +* CVE or advisory ID (for example, GHSA identifiers) +* A short description of each vulnerability +* Links to the full vulnerability details + +This section consolidates all vulnerabilities detected by Datadog from upstream security advisories. + +{{< img src="/security/code_security/security.png" alt="all known vulnerabilities affecting this library version" style="width:100%;" >}} + + +### Licenses + +The license table in this section is based on the **Choose a License Appendix**: [https://choosealicense.com/appendix/](https://choosealicense.com/appendix/) + +It summarizes the license's: + +* **Permissions** + **Conditions** +* **Limitations** + +Additionally, Datadog identifies **license risks**, including: + +* **Network copyleft**: code must be released when offered as a network service +* **Strong copyleft**: derivative work must be open-sourced under the same license +* **Non-standard copyleft**: copyleft terms differ from common OSI-approved patterns +* **Non-commercial**: use is restricted to non-commercial contexts +* **Non-standard / Non-free**: license does not meet standard open-source definitions + +Each risk contains a short explanation and links to more detailed license information. 
+
+{{< img src="/security/code_security/licenses.png" alt="license summary" style="width:100%;" >}}
+
+
+### Versions
+
+Lists all known versions of the library, along with:
+
+* Release dates
+* Vulnerability counts for each version
+* Whether the version is used in your repositories or services
+
+This helps you evaluate remediation options and identify safer upgrade paths.
+
+{{< img src="/security/code_security/versions_of_this_library.png" alt="all known versions of the library" style="width:100%;" >}}
+
+
+### OpenSSF score
+
+Displays the **OpenSSF Scorecard** results for the upstream project. Each check provides insight into the project's security maturity, such as:
+
+* Maintenance activity
+* Use of security policies
+* Safe workflow practices
+* Dependency pinning
+* Binary artifact usage
+
+The score ranges from **0 to 10**, where 10 indicates best practices.
+
+{{< img src="/security/code_security/openSSF_Score_1.png" alt="OpenSSF Scorecard results for the upstream project" style="width:100%;" >}}
+
+
+## Next steps
+
+To get started with Library Inventory:
+
+1. Enable **Static SCA** to detect libraries in your repositories. See [static setup][2] to get started.
+2. Enable **Runtime SCA** to identify libraries actually used during execution. See [runtime setup][3] to get started.
+3. Use both views together to understand both your full dependency footprint and your real runtime exposure.
+
+[1]: https://app.datadoghq.com/security/code-security/inventory/libraries
+[2]: /security/code_security/software_composition_analysis/setup_static/
+[3]: /security/code_security/software_composition_analysis/setup_runtime/
\ No newline at end of file
diff --git a/static/images/security/code_security/licenses.png b/static/images/security/code_security/licenses.png
new file mode 100644
index 0000000000000..6f779aad9d23f
Binary files /dev/null and b/static/images/security/code_security/licenses.png differ
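Review bot: The Services section's sentence `If no services appear, the library is referenced statically but not used at runtime.` overstates what the data can show, because the page itself says Runtime SCA only observes dependencies loaded through the Datadog tracing library, so an empty list is equally consistent with the consuming services not being instrumented, not running in a monitored environment, or presumably using a runtime Runtime SCA does not cover. I would replace it with `If no services appear, the library has not been observed at runtime by any instrumented service. This can mean it is unused at runtime, but it can also mean the services that use it are not instrumented with Runtime SCA or are not currently running.` The same caveat belongs beside `* Reduce noise by filtering out unused dependencies` in the Runtime view, since a dependency that never loads in production (build plugins, test-only packages) is still part of the software supply chain and can be exploited at build or install time, so "lower runtime exposure" must not be read as "safe to ignore" — a short note such as `Libraries that are never loaded at runtime are still part of your supply chain; use the Static view to track them.` would prevent that misreading. In the Security section, `from upstream security advisories` does not tell a reader which databases are consulted, so a vulnerability absent from the panel cannot be distinguished from one not yet ingested; naming the sources (or linking to where they are documented) would let practitioners judge the coverage.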
diff --git a/static/images/security/code_security/openSSF_Score_1.png b/static/images/security/code_security/openSSF_Score_1.png
new file mode 100644
index 0000000000000..6cc530ea65504
Binary files /dev/null and b/static/images/security/code_security/openSSF_Score_1.png differ
diff --git a/static/images/security/code_security/overview.png b/static/images/security/code_security/overview.png
new file mode 100644
index 0000000000000..b421722c201b9
Binary files /dev/null and b/static/images/security/code_security/overview.png differ
diff --git a/static/images/security/code_security/repositories.png b/static/images/security/code_security/repositories.png
new file mode 100644
index 0000000000000..97520b1132c75
Binary files /dev/null and b/static/images/security/code_security/repositories.png differ
diff --git a/static/images/security/code_security/security.png b/static/images/security/code_security/security.png
new file mode 100644
index 0000000000000..e8e2d4a2b099b
Binary files /dev/null and b/static/images/security/code_security/security.png differ
diff --git a/static/images/security/code_security/services.png b/static/images/security/code_security/services.png
new file mode 100644
index 0000000000000..bf25783654063
Binary files /dev/null and b/static/images/security/code_security/services.png differ
diff --git a/static/images/security/code_security/versions_of_this_library.png b/static/images/security/code_security/versions_of_this_library.png
new file mode 100644
index 0000000000000..24bdb7d0e3f96
Binary files /dev/null and b/static/images/security/code_security/versions_of_this_library.png differ