Heap Dump Tool can capture and, more importantly, sanitize sensitive data from Java heap dumps. Sanitization is accomplished by replacing field values in the heap dump file with zero values. Heap dump can then be more freely shared freely and analyzed.
A typical scenario is when a heap dump needs to be sanitized before it can be given to another person or moved to a different environment. For example, an app running in production environment may contain sensitive data (passwords, credit card numbers, etc) which should not be viewable when the heap dump is copied to a development environment for analysis with a graphical program.
The tool can be run in several ways depending on tool's packaging and where the target to-be-captured app is running.
Simplest way to capture sanitized heap dump of an app is to run:
# capture plain heap dump of Java process with given pid
$ jcmd {pid} GC.heap_dump /path/to/plain-heap-dump.hprof
# then sanitize the heap dump
$ wget -O heap-dump-tool.jar https://repo1.maven.org/maven2/com/paypal/heap-dump-tool/1.1.1/heap-dump-tool-1.1.1-all.jar
$ java -jar heap-dump-tool.jar sanitize /path/to/plain-dump.hprof /path/to/sanitized-dump.hprof
Suppose the tool is a packaged jar on the host, and the target app is running as the only Java process within a container.
Then, to capture sanitized heap dump of a containerized app, run:
# list docker containers
$ docker ps
CONTAINER ID IMAGE [...] NAMES
06e633da3494 registry.example.com/my-app:latest [...] my-app
# capture and sanitize
$ wget -O heap-dump-tool.jar https://repo1.maven.org/maven2/com/paypal/heap-dump-tool/1.1.1/heap-dump-tool-1.1.1-all.jar
$ java -jar heap-dump-tool.jar capture my-app
Note that a plain stack dump is also captured.
Suppose the tool is a Docker image, and the target app is running as the only Java process within a container.
Then, to capture sanitized heap dump of another containerized app, run:
# list docker containers
$ docker ps
CONTAINER ID IMAGE [...] NAMES
06e633da3494 registry.example.com/my-app:latest [...] my-app
# capture and sanitize
$ docker run heapdumptool/heapdumptool capture my-app | bash
To sanitize environment variables in hs_err* files, you can run:
# with java -jar
$ wget -O heap-dump-tool.jar https://repo1.maven.org/maven2/com/paypal/heap-dump-tool/1.1.1/heap-dump-tool-1.1.1-all.jar
$ java -jar heap-dump-tool.jar sanitize-hserr input-hs_err.log outout-hs_err.log
# Or, with docker
$ docker run heapdumptool/heapdumptool sanitize-hserr input-hs_err.log outout-hs_err.log | bash
To use it as a library and embed it within another app, you can declare it as dependency in maven:
<dependency>
<groupId>com.paypal</groupId>
<artifactId>heap-dump-tool</artifactId>
<version>1.1.1</version>
</dependency>
java -jar target/heap-dump-tool.jar help
Usage: heap-dump-tool [-hV] [COMMAND]
Tool for capturing or sanitizing heap dumps
-h, --help Show this help message and exit.
-V, --version Print version information and exit.
Commands:
capture Capture sanitized heap dump of a containerized app
sanitize Sanitize a heap dump by replacing byte and char array contents
sanitize-hserr Sanitize fatal error log by censoring environment variable values
help Displays help information about the specified command
See whitepaper (pdf)
Heap Dump Tool is Open Source software released under the Apache 2.0 license.