From 0caec07718fc64a4aeae591f678a8d36ae30ed83 Mon Sep 17 00:00:00 2001 From: Hans Ott Date: Thu, 9 Jul 2026 12:19:47 +0200 Subject: [PATCH 1/2] Document --enable-native-access in readme --- README.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 97f92037..1af34503 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,25 @@ To activate Zen you then just have to add the following `-javaagent` to your Jav ``` java -javaagent:/opt/zen/agent.jar -jar build/myapp.jar ``` -Replace `/opt/zen` with your directory of choice. +Replace `/opt/zen` with your directory of choice. Keep `agent.jar` together with the `binaries` folder from the +release - if you copy `agent.jar` into a different location or a different Docker build stage, copy the whole +directory, not just the jar. Without `binaries`, SQL injection detection is disabled. + +
+Seeing System::load has been called ... in an unnamed module on Java 22+? + +This warning (and similar ones about restricted/deprecated methods) is safe to ignore for now - Zen keeps working, +since `--illegal-native-access` still defaults to `warn`, not `deny`, on Java 25. + +To get rid of it, add `--enable-native-access=ALL-UNNAMED` to your Java command, or set it through the +`JDK_JAVA_OPTIONS` environment variable so you don't have to touch your existing startup command: +``` +java --enable-native-access=ALL-UNNAMED -javaagent:/opt/zen/agent.jar -jar build/myapp.jar +``` +``` +JDK_JAVA_OPTIONS=--enable-native-access=ALL-UNNAMED +``` +
To use user-blocking and/or rate-limiting features, you will have to include the following Jarfile into your repository ### Gradle From e4bcbfeded4e01905aed7f32a20585c3696082e1 Mon Sep 17 00:00:00 2001 From: Hans Ott Date: Thu, 9 Jul 2026 12:27:18 +0200 Subject: [PATCH 2/2] Mention that SQL injection stays working --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1af34503..fa819450 100644 --- a/README.md +++ b/README.md @@ -80,8 +80,8 @@ directory, not just the jar. Without `binaries`, SQL injection detection is disa
Seeing System::load has been called ... in an unnamed module on Java 22+? -This warning (and similar ones about restricted/deprecated methods) is safe to ignore for now - Zen keeps working, -since `--illegal-native-access` still defaults to `warn`, not `deny`, on Java 25. +This warning is safe to ignore for now - SQL injection detection still works, since `--illegal-native-access` +still defaults to `warn`, not `deny`, on Java 25. To get rid of it, add `--enable-native-access=ALL-UNNAMED` to your Java command, or set it through the `JDK_JAVA_OPTIONS` environment variable so you don't have to touch your existing startup command: