Implement SCA Reachability runtime detection: report vulnerable classes and callsites via telemetry

.github/CODEOWNERS

@@ -88,6 +88,8 @@
 /dd-trace-api/src/main/java/datadog/trace/api/EventTracker.java @DataDog/asm-java
 /internal-api/src/main/java/datadog/trace/api/gateway/          @DataDog/asm-java
 /internal-api/src/main/java/datadog/trace/api/http/             @DataDog/asm-java
+/internal-api/src/main/java/datadog/trace/api/telemetry/ScaReachability* @DataDog/asm-java
+/telemetry/src/main/java/datadog/telemetry/sca/                 @DataDog/asm-java
 **/appsec/                                                      @DataDog/asm-java
 **/*CallSite*.java                                              @DataDog/asm-java
 **/*CallSite*.groovy                                            @DataDog/asm-java

.gitignore

@@ -53,6 +53,8 @@ out/
 # Claude Code local custom settings #
 #####################################
 .claude/*.local.*
+.claude-invariants.md
+.claude-status.md
 
 # Vim #
 #######

benchmark/load/petclinic/k6.js

@@ -19,6 +19,9 @@ const variants = {
   },
   "code_origins": {
     "APP_URL": 'http://localhost:8085',
+  },
+  "sca": {
+    "APP_URL": 'http://localhost:8086',
   }
 }
 

benchmark/load/petclinic/start-servers.sh

@@ -24,5 +24,6 @@ start_server "profiling" "-javaagent:${TRACER} -Ddd.profiling.enabled=true -Dser
 start_server "appsec" "-javaagent:${TRACER} -Ddd.appsec.enabled=true -Dserver.port=8083" "taskset -c 37-38 " &
 start_server "iast" "-javaagent:${TRACER} -Ddd.iast.enabled=true -Dserver.port=8084" "taskset -c 39-40 " &
 start_server "code_origins" "-javaagent:${TRACER} -Ddd.code.origin.for.spans.enabled=true -Dserver.port=8085" "taskset -c 41-42 " &
+start_server "sca" "-javaagent:${TRACER} -Ddd.appsec.enabled=true -Ddd.appsec.sca.enabled=true -Dserver.port=8086" "taskset -c 43-44 " &
 
 wait

benchmark/load/run.sh

@@ -57,7 +57,7 @@ for app in *; do
 
     echo "Waiting for serves to start..."
     if [ "${app}" == "petclinic" ]; then
-      for port in $(seq 8080 8085); do
+      for port in $(seq 8080 8086); do
         healthcheck http://localhost:$port
       done
     elif [ "${app}" == "insecure-bank" ]; then

benchmark/startup/petclinic/benchmark.json

@@ -24,6 +24,12 @@
         "JAVA_OPTS": "-Ddd.appsec.enabled=true"
       }
     },
+    "sca": {
+      "env": {
+        "VARIANT": "sca",
+        "JAVA_OPTS": "-Ddd.appsec.enabled=true -Ddd.appsec.sca.enabled=true"
+      }
+    },
     "iast": {
       "env": {
         "VARIANT": "iast",

buildSrc/build.gradle.kts

@@ -63,6 +63,11 @@ gradlePlugin {
       id = "dd-trace-java.instrumentation-naming"
       implementationClass = "datadog.gradle.plugin.naming.InstrumentationNamingPlugin"
     }
+
+    create("sca-enrichments-plugin") {
+      id = "dd-trace-java.sca-enrichments"
+      implementationClass = "datadog.gradle.plugin.sca.ScaEnrichmentsPlugin"
+    }
   }
 }
 

buildSrc/src/main/kotlin/datadog/gradle/plugin/sca/ScaEnrichmentsPlugin.kt

@@ -0,0 +1,120 @@
+package datadog.gradle.plugin.sca
+
+import datadog.gradle.sca.GhsaEnrichmentParser
+import groovy.json.JsonOutput
+import groovy.json.JsonSlurper
+import java.net.HttpURLConnection
+import java.net.URL
+import org.gradle.api.GradleException
+import org.gradle.api.Plugin
+import org.gradle.api.Project
+
+/**
+ * Registers the [generateScaCvesJson] task that downloads GHSA enrichments from
+ * `sca-reachability-database` and generates `sca_cves.json` bundled in the appsec JAR.
+ *
+ * This is a **temporary** build-time approach. The symbol database will be delivered
+ * via Remote Config in a future iteration, at which point this plugin and the committed
+ * `sca_cves.json` file will be removed.
+ *
+ * Usage: `apply plugin: 'dd-trace-java.sca-enrichments'`. The task runs only when
+ * `-PrefreshSca` is passed or the output file is absent; CI uses the committed copy.
+ */
+@Suppress("unused")
+class ScaEnrichmentsPlugin : Plugin<Project> {
+
+  companion object {
+    private const val SCA_ENRICHMENTS_API =
+        "https://api.github.com/repos/DataDog/sca-reachability-database/contents/enrichments"
+  }
+
+  override fun apply(project: Project) {
+    val outputFile = project.file("src/main/resources/sca_cves.json")
+
+    val generateTask =
+        project.tasks.register("generateScaCvesJson") {
+          description =
+              "Downloads GHSA enrichments from sca-reachability-database and updates " +
+                  "src/main/resources/sca_cves.json. Run with -PrefreshSca to force a refresh. " +
+                  "sca_cves.json is committed to the repo so CI does not need network access."
+          group = "build"
+          outputs.file(outputFile)
+          onlyIf { project.hasProperty("refreshSca") || !outputFile.exists() }
+
+          doLast {
+            val token = System.getenv("GITHUB_TOKEN")
+
+            logger.lifecycle("Fetching GHSA enrichment index from GitHub...")
+            @Suppress("UNCHECKED_CAST")
+            val fileList = githubFetch(SCA_ENRICHMENTS_API, token) as List<Map<String, Any>>
+            val ghsaFiles =
+                fileList.filter {
+                  it["name"]?.toString()?.endsWith(".json") == true && it["type"] == "file"
+                }
+            logger.lifecycle("Found ${ghsaFiles.size} enrichment files")
+
+            val entries = mutableListOf<Any>()
+            ghsaFiles.forEach { fileInfo ->
+              val ghsaId = fileInfo["name"]!!.toString().removeSuffix(".json")
+              val rawContent = githubFetchRaw(fileInfo["download_url"]!!.toString(), token)
+              entries.addAll(GhsaEnrichmentParser.parse(ghsaId, rawContent))
+            }
+
+            outputFile.writeText(JsonOutput.toJson(mapOf("version" to 1, "entries" to entries)))
+            logger.lifecycle(
+                "sca_cves.json: ${entries.size} entries from ${ghsaFiles.size} GHSA files")
+            logger.lifecycle(
+                "Remember to commit src/main/resources/sca_cves.json after updating the database.")
+          }
+        }
+
+    // Defer wiring until after the java plugin adds processResources.
+    project.pluginManager.withPlugin("java") {
+      project.tasks.named("processResources") {
+        dependsOn(generateTask)
+        doLast {
+          // Minify only sca_cves.json — not all JSON files in the module output.
+          project
+              .fileTree(mapOf("dir" to outputs.files.asPath, "includes" to listOf("**/sca_cves.json")))
+              .forEach { f -> f.writeText(JsonOutput.toJson(JsonSlurper().parse(f))) }
+        }
+      }
+    }
+  }
+
+  private fun githubConnect(url: String, token: String?): HttpURLConnection {
+    val connection = URL(url).openConnection() as HttpURLConnection
+    connection.setRequestProperty("Accept", "application/vnd.github+json")
+    connection.setRequestProperty("X-GitHub-Api-Version", "2022-11-28")
+    if (!token.isNullOrEmpty()) {
+      connection.setRequestProperty("Authorization", "Bearer $token")
+    }
+    connection.connectTimeout = 10_000
+    connection.readTimeout = 30_000
+    val code = connection.responseCode
+    if (code != 200) {
+      throw GradleException(
+          "GitHub API returned HTTP $code for $url.\n" +
+              "Unauthenticated rate limit is 60 req/hr. Set GITHUB_TOKEN to raise it.")
+    }
+    return connection
+  }
+
+  private fun githubFetch(url: String, token: String?): Any {
+    val conn = githubConnect(url, token)
+    return try {
+      JsonSlurper().parse(conn.inputStream)
+    } finally {
+      conn.disconnect()
+    }
+  }
+
+  private fun githubFetchRaw(url: String, token: String?): String {
+    val conn = githubConnect(url, token)
+    return try {
+      conn.inputStream.bufferedReader().readText()
+    } finally {
+      conn.disconnect()
+    }
+  }
+}

buildSrc/src/main/kotlin/datadog/gradle/sca/GhsaEnrichmentParser.kt

@@ -0,0 +1,83 @@
+package datadog.gradle.sca
+
+import com.fasterxml.jackson.databind.JsonNode
+import com.fasterxml.jackson.databind.ObjectMapper
+
+/**
+ * Parses GHSA enrichment JSON files from the sca-reachability-database into the internal
+ * sca_cves.json format consumed by SCA Reachability at runtime.
+ *
+ * Key transformations:
+ * - Filters entries to JVM language only
+ * - Expands multi-package GHSA entries into N records (one per Maven artifact), because
+ *   each artifact may have different version ranges for the same set of class symbols
+ * - Converts class FQNs to JVM internal format (slashes) so the ClassFileTransformer
+ *   can do O(1) map lookups without per-class string conversion
+ * - Sets method=null for all symbols — field exists for forward compatibility when the
+ *   database adds method-level symbols in the future (see APPSEC-62260)
+ */
+object GhsaEnrichmentParser {
+
+  private val mapper = ObjectMapper()
+
+  /**
+   * Parses a single GHSA enrichment file.
+   *
+   * @param ghsaId the GHSA identifier (e.g. "GHSA-645p-88qh-w398"), used as vuln_id
+   * @param jsonContent the raw JSON content of the enrichment file
+   * @return list of sca_cves.json entry maps, one per affected Maven artifact
+   */
+  fun parse(ghsaId: String, jsonContent: String): List<Map<String, Any?>> {
+    val root = mapper.readTree(jsonContent)
+    require(root.isArray) { "GHSA enrichment file $ghsaId must be a JSON array, got ${root.nodeType}" }
+
+    val entries = mutableListOf<Map<String, Any?>>()
+
+    for (entry in root) {
+      if (entry.path("language").asText() != "jvm") continue
+
+      val symbols = extractSymbols(entry)
+      if (symbols.isEmpty()) continue
+
+      for (pkg in entry.path("package")) {
+        if (pkg.path("ecosystem").asText() != "maven") continue
+        val artifact = pkg.path("name").asText().takeIf { it.isNotEmpty() } ?: continue
+        val versionRanges = pkg.path("version_range").map { it.asText() }
+
+        entries += mapOf(
+          "vuln_id" to ghsaId,
+          "artifact" to artifact,
+          "version_ranges" to versionRanges,
+          "symbols" to symbols,
+        )
+      }
+    }
+
+    return entries
+  }
+
+  private fun extractSymbols(entry: JsonNode): List<Map<String, Any?>> {
+    val symbols = mutableListOf<Map<String, Any?>>()
+    val imports = entry.path("ecosystem_specific").path("imports")
+    if (imports.isMissingNode || !imports.isArray) return symbols
+
+    for (importGroup in imports) {
+      for (symbol in importGroup.path("symbols")) {
+        if (symbol.path("type").asText() != "class") continue
+        val pkg = symbol.path("value").asText().takeIf { it.isNotEmpty() } ?: continue
+        val name = symbol.path("name").asText().takeIf { it.isNotEmpty() } ?: continue
+
+        // JVM internal format (slashes) — avoids per-class conversion in the
+        // ClassFileTransformer hot path at runtime.
+        // TODO(APPSEC-62260): verify inner-class format when database adds method-level symbols.
+        // If GHSA uses dot notation for inner classes (e.g. name="Outer.Inner"), the replace below
+        // produces com/example/Outer/Inner instead of the correct com/example/Outer$Inner.
+        // When the database team defines the format, update this to handle the $ separator.
+        val internalName = "$pkg.$name".replace('.', '/')
+        symbols += mapOf("class" to internalName, "method" to null)
+      }
+    }
+
+    return symbols
+  }
+}

buildSrc/src/test/kotlin/datadog/gradle/plugin/sca/ScaEnrichmentsPluginTest.kt

@@ -0,0 +1,75 @@
+package datadog.gradle.plugin.sca
+
+import datadog.gradle.plugin.GradleFixture
+import org.assertj.core.api.Assertions.assertThat
+import org.gradle.testkit.runner.TaskOutcome
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.Test
+
+class ScaEnrichmentsPluginTest : GradleFixture() {
+
+  @BeforeEach
+  fun setup() {
+    writeSettings("""rootProject.name = "test-appsec"""")
+    writeRootProject(
+      """
+      plugins {
+        java
+        id("dd-trace-java.sca-enrichments")
+      }
+      """
+    )
+  }
+
+  @Test
+  fun `generateScaCvesJson is SKIPPED when file exists and refreshSca is not set`() {
+    file("src/main/resources/sca_cves.json").also {
+      it.parentFile.mkdirs()
+      it.writeText("{\"version\":1,\"entries\":[]}")
+    }
+
+    val result = run("generateScaCvesJson")
+
+    assertThat(result.task(":generateScaCvesJson")?.outcome).isEqualTo(TaskOutcome.SKIPPED)
+  }
+
+  @Test
+  fun `generateScaCvesJson attempts to run when refreshSca is set even if file exists`() {
+    file("src/main/resources/sca_cves.json").also {
+      it.parentFile.mkdirs()
+      it.writeText("{}")
+    }
+
+    // With -PrefreshSca the onlyIf condition is true; task will fail at the GitHub fetch
+    // (no network in tests) but must NOT be SKIPPED
+    val result = run("generateScaCvesJson", "-PrefreshSca", expectFailure = true)
+
+    assertThat(result.task(":generateScaCvesJson")?.outcome)
+        .isNotNull
+        .isNotEqualTo(TaskOutcome.SKIPPED)
+  }
+
+  @Test
+  fun `generateScaCvesJson attempts to run when output file does not exist`() {
+    // File absent: onlyIf returns true; task will fail at GitHub fetch but must not be SKIPPED
+    val result = run("generateScaCvesJson", expectFailure = true)
+
+    assertThat(result.task(":generateScaCvesJson")?.outcome)
+        .isNotNull
+        .isNotEqualTo(TaskOutcome.SKIPPED)
+  }
+
+  @Test
+  fun `processResources depends on generateScaCvesJson`() {
+    file("src/main/resources/sca_cves.json").also {
+      it.parentFile.mkdirs()
+      it.writeText("{\"version\":1,\"entries\":[]}")
+    }
+
+    val result = run("processResources")
+
+    // generateScaCvesJson must appear as SKIPPED (file exists, no -PrefreshSca)
+    assertThat(result.task(":generateScaCvesJson")?.outcome).isEqualTo(TaskOutcome.SKIPPED)
+    assertThat(result.task(":processResources")?.outcome).isEqualTo(TaskOutcome.SUCCESS)
+  }
+}