
Manage code-level vulnerabilities

A code-level vulnerability is a security problem based on a flaw in your application code. Dynatrace creates it when an attack is detected. A code-level vulnerability groups attacks by the flaw behind them, so each code-level vulnerability can have one or more related attacks.

Note: Code-level vulnerabilities are based only on reported attacks. Therefore, Dynatrace can't currently list code-level vulnerabilities that haven't been attacked.

After you enable Application Protection

  • A spinning radar in the upper-right corner of the Code-level vulnerabilities page indicates that your environment is being monitored. If Application Protection is disabled, the information on this page is unavailable, the radar in the upper-right corner stops, and the warning Monitoring stopped. Please check settings. is displayed. Follow the associated link to enable Application Protection.


  • The security problem indicator on the Dynatrace top bar displays the number of critical or high vulnerabilities in your environment. Select it to navigate to the Code-level vulnerabilities page.


Code-level vulnerabilities list

To see the list of detected code-level vulnerabilities in your environment, in the Dynatrace menu, go to Code-level vulnerabilities. The following information is displayed.

Vulnerabilities detected


A list of detected code-level vulnerabilities in your environment. For optimized performance, a maximum of 500 vulnerabilities are displayed at a time. You can narrow down the results by applying filters. To sort the list by any item, select the corresponding column heading. To add or remove column headings, select Format table.

Vulnerabilities

  • The Dynatrace vulnerability ID (example: S-3694)
  • The type of code-level vulnerability and the matching code location where it was detected (example: SQL injection at DatabaseManager.updateBio():82)
  • The vulnerable component (the affected process group name, for example: launch.Main).

Risk level

  • The vulnerability risk level (typically Critical), indicating the severity of the vulnerability, and the symbol associated with it.
  • The public exposure symbol, if the vulnerability affects a process that is exposed to the internet, based on the Dynatrace entity model (Smartscape). If the symbol is grayed out and crossed out, there's no public exposure. If the symbol isn't present, there's no data available.
  • The reachable data symbol, if the vulnerability affects a process that has database access, based on the Dynatrace entity model. If the symbol is grayed out and crossed out, there are no reachable data assets affected. If the symbol isn't present, there's no data available.

Status

  • Detected: At least one attack on a code-level vulnerability has been detected.

  • Resolved: The code-level vulnerability is closed automatically one year after the last occurrence of a related attack.

  • Muted - Detected: The detected code-level vulnerability has been muted by request.

  • Muted - Resolved: The muted vulnerability is closed automatically one year after the last occurrence of a related attack.

    Note: A muted vulnerability that has been closed automatically doesn't change its status to Resolved, but to Muted - Resolved.

Attacks

The number of attacks related to this code-level vulnerability. The same vulnerability can be exploited by multiple attacks.

Affected processes

The number of processes affected by the code-level vulnerability. Each affected process runs code in which this vulnerability was detected.

First detected

When Dynatrace first detected the code-level vulnerability.

Last update

The last time the code-level vulnerability was updated on account of changes in the underlying data detected by Dynatrace.

Details

Expand vulnerability rows for details, or to perform the following actions:

  • Select Change status to mute or unmute the vulnerability, or to mute it again with a different reason or comment.
  • Select View vulnerability details to navigate to the details page of a vulnerability.

Code-level vulnerability details

To see details about a code-level vulnerability, select a vulnerability on the Code-level vulnerabilities page. The following information is displayed.

Vulnerability title


  • The type of code-level vulnerability and the matching code location where it was detected (example: SQL injection at DatabaseManager.updateBio():82)
  • The Dynatrace vulnerability ID (example: S-3694)
  • The affected entity (example: SpringBoot org.dynatrace.ssrfservice.Application unguard-proxy-service-*)

Infographic of the key features


  • Risk level: A code-level vulnerability has a Critical risk level. Once the vulnerability has been muted, the risk level symbol is grayed out.

  • Public internet exposure: If there's any public internet exposure. Possible states are:

    • Public network: There is public internet exposure.
    • Not detected: No internet exposure was found.
    • Not available: Data isn't available, because the related hosts are running in infrastructure-only mode. For details, see Monitoring modes.
  • Reachable data assets: If there are any reachable data assets affected. Possible states are:

    • Within range: There are reachable data assets affected.
    • Not detected: No reachable data assets were found.
    • Not available: Data isn't available, because the related hosts are running in infrastructure-only mode. For details, see Monitoring modes.
  • Attacks: The number of attacks detected on the code location from different source IP addresses.

  • Processes: The number of processes affected by the vulnerability.

  • Type: The type of exploit (SQL injection, command injection, or improper input validation).

To change the status of the vulnerability, select Change status in the upper-right corner of the page.

Context and details


  • A description of the vulnerability type.

  • The exact code location and vulnerable function name where the attack was detected in your environment.

  • The SQL statement (in the case of SQL injection), the command (in the case of command injection), or the JNDI lookup name (in the case of improper input validation). The actual malicious input is highlighted.

  • Affected entities:

    • The process group where the vulnerability was detected.
    • The number of affected processes.

    Select a process group name to navigate to the respective process group details page.
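What such a finding looks like in the application itself, as an added example that is not part of Dynatrace or of this page: the update_bio_vulnerable function below builds its UPDATE statement by string concatenation, the kind of flaw reported as SQL injection at DatabaseManager.updateBio():82; highlight_input reproduces the idea of marking the attacker-controlled input inside the statement that was actually executed; and update_bio_hardened is the parameterized fix. The schema, rows and payload are constructed for the demo, the function names are hypothetical, and SQLite from Python's standard library stands in for whatever database the monitored application uses.

```python
import sqlite3

# Constructed sample schema and rows for this demo (not from any real system).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, bio, role) VALUES (?, ?, ?)",
        [("alice", "hello", "user"), ("bob", "hi", "admin")],
    )
    conn.commit()
    return conn

def update_bio_vulnerable(conn, user_id, bio):
    """Builds the statement by concatenation (hypothetical stand-in for a flawed
    updateBio()). Returns the SQL actually sent to the database, which is what
    the detail page displays with the malicious input highlighted."""
    sql = f"UPDATE users SET bio = '{bio}' WHERE id = {int(user_id)}"
    conn.execute(sql)
    conn.commit()
    return sql

def update_bio_hardened(conn, user_id, bio):
    """Parameterized statement: the driver binds bio as a value, so quotes and
    commas in the input cannot change the structure of the statement."""
    sql = "UPDATE users SET bio = ? WHERE id = ?"
    conn.execute(sql, (bio, int(user_id)))
    conn.commit()
    return sql

def highlight_input(sql, user_input):
    """Marks where the attacker-controlled input landed inside the executed
    statement. Returns (marked_sql, start, end), or (sql, -1, -1) when the input
    does not appear verbatim, e.g. because it was bound as a parameter."""
    start = sql.find(user_input)
    if start < 0:
        return sql, -1, -1
    end = start + len(user_input)
    return sql[:start] + ">>>" + user_input + "<<<" + sql[end:], start, end

def role_of(conn, name):
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()[0]

def bio_of(conn, name):
    return conn.execute("SELECT bio FROM users WHERE name = ?", (name,)).fetchone()[0]

# Constructed payload: closes the bio literal and smuggles a second assignment
# into the SET list, so a profile edit becomes a privilege escalation.
PAYLOAD = "pwned', role='admin"

def demo():
    vuln = make_db()
    sql = update_bio_vulnerable(vuln, 1, PAYLOAD)
    marked, _, _ = highlight_input(sql, PAYLOAD)
    hard = make_db()
    update_bio_hardened(hard, 1, PAYLOAD)
    return {
        "executed_sql": sql,
        "highlighted": marked,
        "vulnerable_role": role_of(vuln, "alice"),  # escalated to admin
        "hardened_role": role_of(hard, "alice"),    # unchanged
        "hardened_bio": bio_of(hard, "alice"),      # payload stored as plain text
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened variant stores the payload literally and leaves the role untouched; highlight_input also returns -1 for it, because the bound value never appears in the statement text. That mirrors why the reachable data assets and highlighted-statement views only make sense for the concatenating code path.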

Attack paths


A visual representation of the attack paths, with information about the attack source IPs, entry points, affected vulnerability, and target name.

Note: This section is displayed only if there are fewer than 500 attacks on the affected vulnerability.

Attacks on this vulnerability


  • Identifies how many attacks happened on the same vulnerability, and evaluates them by type (how many have been exploited, blocked, and allowlisted, out of the total number of attacks).
  • Lists the last five attacks that happened during the selected timeframe, with details such as attack identifier (and a link to the respective code-level vulnerability details page), entry point, status (exploited, blocked, allowlisted), source IP, and timestamp.
  • Select Attack detection settings to navigate to the Application protection settings page.
  • Select View all attacks to navigate to the Attacks page, filtered by the vulnerability ID.

Related entities


The number of applications, services, hosts, and databases that are related to the identified code-level vulnerability, with direct links to those entities.

Vulnerability evolution


The last five vulnerability status changes (for example, when the vulnerability is first resolved and then detected again) over the last 30 days. Select See more to see the next five changes.

Note: A status change is recorded when

  • A vulnerability is detected or resolved
  • A vulnerability is muted or unmuted

Reachable data assets


Lists the reachable data assets exposed via the attack on the code-level vulnerability (applicable only to SQL injection vulnerabilities).

Note: Select the database name to navigate to the respective database details page.

Filter vulnerabilities

There are several ways to filter the Code-level vulnerabilities page.

Filter by global timeframe

The table displays the code-level vulnerabilities which were detected at some point within the selected global timeframe. However, the data displayed about an entry reflects the current status of the entry, not the historical status.

Filtering by global timeframe is not available for the details page of a code-level vulnerability. The current status of the vulnerability and historical data are displayed (for example, detected attacks over the last 30 days). For entity-related views (reachable data, related entities), the timeframe is 24 hours, while for attacks, it's 30 days. Hover over the Info icon next to any section on the details page to view the timeframe that applies to the respective section.

Filter by management zone

You can also filter by management zone to view, for example, only code-level vulnerabilities from hosts that are in a certain management zone.

Notes:

  • The numeric values displayed on the overview page, such as the number of affected processes, are global; they are not restricted to the selected management zone.
  • Only management zones that contain entities affected by code-level vulnerabilities are available for selection.

For information on how to set up and apply management zones, and about the rules that define and limit the entities that can be accessed within a management zone, see Management zones.

Filter by code-level vulnerability details

The following filters are available:

  • Risk assessment: Public internet exposure, Reachable data assets, Reduced accuracy (infra-only).

    Note: Reduced accuracy (infra-only) filters for vulnerabilities that have related hosts running in Infrastructure Monitoring mode. For details, see Monitoring modes.

  • Status: Detected, Resolved, Muted

  • Vulnerability ID: Select a vulnerability by its S-prefixed ID (example: S-3694)

  • Affected or related entity: Select and enter any combination of the following: Process group name, Host name, Kubernetes workload name, Kubernetes cluster name, Tag

    Note: For Tag, you can use tags on a host, process, and process group, with the syntax key:value or key. For more information about tagging, see Define and apply tags.

Change vulnerability status

You can

  • Mute (silence) vulnerabilities that are

    • Open, if you don't consider them important
    • Resolved, if you don't want to deal with them if they are reopened

    Note: Muted vulnerabilities don't appear on the list of vulnerabilities unless you filter for Status: muted.

  • Unmute vulnerabilities that are muted, if you consider them important

    Notes:

    • Unmuting an open vulnerability makes it active again—its status changes back to Open, and the vulnerability shows up again in the list of vulnerabilities when you filter for Open vulnerabilities.
    • Unmuting a resolved vulnerability changes its status back to Resolved, and the vulnerability shows up again in the list of vulnerabilities when you filter for Resolved vulnerabilities.

Additionally, you can change the vulnerability status by selecting a new reason for the current status or adding more information to the current status.

There are two ways to change the status of a vulnerability:

Option 1: On the Code-level vulnerabilities page

  1. Select Details for the selected vulnerability and then select Change status.
  2. Under Select new status, select the status and reason for the status change from the New status menu.
  3. Optionally, provide Additional information.
  4. Select Save.

Option 2: On the details page of the code-level vulnerability

  1. Select Change status in the upper-right corner of the page.
  2. Under Select new status, select the status and reason for the status change from the New status menu.
  3. Optionally, provide Additional information.
  4. Select Save.

You need to wait up to a minute for the change to take effect. Refresh the page to see your change.

The last five status changes of the vulnerability within the last 30 days are logged in the Vulnerability evolution section of the vulnerability details page.

  • Select Show more for the next five status changes.
  • Select Details to see who changed the status of the vulnerability, the reason for changing the status, and any additional comments.

Note: You can't change the status of a vulnerability if

To see why muting/unmuting isn't possible, hover over Mute problem/Unmute problem.