Runtime Surveys

A runtime survey instruments a running JVM to detect the cryptographic operations your application actually executes. It complements an inventory survey, which finds the cryptography present in your artifacts: inventory answers “what cryptography is present?” while runtime answers “what cryptography did this artifact actually use?”

Running a survey

Run your application under the surveyor:

spice survey runtime <subject> --jfr -- <command>
  • <subject> — a label for the system being surveyed (shown on the dashboard).
  • --jfr — required; uses JDK Flight Recorder instrumentation to observe cryptographic calls.
  • -- — separates surveyor options from the command to run.
  • <command> — the JVM process to instrument.

Examples:

# Instrument a running application
spice survey runtime my-app --jfr -- java -jar app.jar

# Instrument a test run
spice survey runtime my-app --jfr -- mvn test
ℹ️ Runtime vs inventory

The two survey types are far more powerful together than either alone. Survey the same artifact both ways and Spice Labs correlates the results into a combined report.

CBOMs

Every survey produces a Cryptography Bill of Materials. To correlate a runtime survey with an inventory survey that indexed the same artifact — into a single combined CBOM — anchor it with --anchor:

spice survey runtime my-app --anchor ./build/output/app.jar --jfr -- java -jar ./build/output/app.jar

Runtime instrumentation alone cannot tell which build artifact it is exercising, so without --anchor the runtime survey will not correlate with your inventory survey and no combined CBOM is produced. See CBOMs for the full workflow.

See the Surveyor CLI Reference for the complete list of runtime survey options.