Manage code-level vulnerabilities
A code-level vulnerability is a security problem based on a flaw in your application code. It is created by Dynatrace when an attack is detected1. For each code-level vulnerability, there can be one or more attacks, which groups attacks by the flaw that resides behind an attack.
Code-level vulnerabilities are based only on reported attacks. Therefore, Dynatrace can't currently list code-level vulnerabilities that aren't attacked.
After you enable Application Protection
-
A spinning radar in the upper-right corner of the Code-level vulnerabilities page is displayed, indicating that your environment is being monitored. If Application Protection is disabled, information on this page is unavailable and the radar screen in the upper-right corner stops, with the warning that Monitoring stopped. Please check settings. Follow the associated link to enable Application Protection.
-
The security problem indicator on the Dynatrace top bar displays the number of critical or high vulnerabilities in your environment. Select it to navigate to the Code-level vulnerabilities page.
Code-level vulnerabilities list
To see the list of detected code-level vulnerabilities in your environment, in the Dynatrace menu, go to Code-level vulnerabilities. The following information is displayed.
Vulnerabilities detected
A list of detected code-level vulnerabilities in your environment. For optimized performance, a maximum of 500 vulnerabilities are displayed at a time. You can narrow down the results by applying filters. To sort the list by any item, select the corresponding column heading. To add or remove column headings, select Format table.
Vulnerabilities
- The Dynatrace vulnerability ID (example:
S-3694
) - The type of code-level vulnerability and the matching code location where it was detected (example:
SQL injection at DatabaseManager.updateBio():82
) - The vulnerable component (the affected process group name, for example:
launch.Main
).
Risk level
- The vulnerability risk level (typically
Critical
), indicating the severity of the vulnerability, and the symbol associated with it. - The public exposure symbol, if the vulnerability affects a process that is exposed to the internet, based on the Dynatrace entity model (Smartscape). If the symbol is grayed out and crossed out, there's no public exposure. If the symbol isn't present, there's no data available.
- The reachable data symbol, if the vulnerability affects a process that has database access, based on the Dynatrace entity model. If the symbol is grayed out and crossed out, there are no reachable data assets affected. If the symbol isn't present, there's no data available.
Status
-
Detected: At least one attack on a code-level vulnerability has been detected.
-
Resolved: The code-level vulnerability is closed automatically one year after the last occurrence of a related attack.
-
Muted - Detected: The detected code-level vulnerability has been muted by request.
-
Muted - Resolved: The muted vulnerability is closed automatically one year after the last occurrence of a related attack.
Note: A muted vulnerability that has been closed automatically doesn't change its status to
Resolved
, but toMuted - Resolved
.
Attacks
The number of attacks related to this code-level vulnerability. The same vulnerability can be exploited by multiple attacks.
Affected processes
The number of processes affected by the code-level vulnerability. Each affected process runs a code where this vulnerability was detected.
First detected
When Dynatrace first detected the code-level vulnerability.
Last update
The last time the code-level vulnerability was updated on account of changes in the underlying data detected by Dynatrace.
Details
Expand vulnerability rows for details, or to perform the following actions:
- Select Change status to mute, unmute, or mute again the vulnerability with a different reason or comment.
- Select View vulnerability details to navigate to the details page of a vulnerability.
Code-level vulnerability details
To see details about a code-level vulnerability, select a vulnerability on the Code-level vulnerabilities page. The following information is displayed.
Vulnerability title
Example title:
- The type of code-level vulnerability and the matching code location where it was detected (example:
SQL injection at DatabaseManager.updateBio():82
) - The Dynatrace vulnerability ID (example:
S-3694
) - The affected entity (example:
SpringBoot org.dynatrace.ssrfservice.Application unguard-proxy-service-*
)
Infographic of the key features
-
Risk level: A code-level vulnerability has a
Critical
risk level. Once the vulnerability has been muted, the risk level symbol is grayed out. -
Public internet exposure: If there's any public internet exposure. Possible states are:
- Public network: There is public internet exposure.
- Not detected: No internet exposure was found.
- Not available: Data isn't available, because the related hosts are running in infrastructure-only mode. For details, see Monitoring modes.
-
Reachable data assets: If there are any reachable data assets affected. Possible states are:
- Within range: There are reachable data assets affected.
- Not detected: No reachable data assets were found.
- Not available: Data isn't available, because the related hosts are running in infrastructure-only mode. For details, see Monitoring modes.
-
Attacks: The number of attacks detected on the code location from different source IP addresses
-
Processes: The number of processes affected by the vulnerability
-
Type: The type of exploit (SQL injection, command injection, or improper input validation)
To change the status of the vulnerability, select Change status in the upper-right corner of the page.
Context and details
-
A description of the vulnerability type.
-
The exact code location and vulnerable function name where the attack was detected in your environment.
-
The SQL statement (in the case of SQL injection), the command (in the case of command injection), or the JNDI lookup name (in the case of improper input validation). The actual malicious input is highlighted.
-
Affected entities:
- The process group where the vulnerability was detected.
- The number of affected processes.
Select a process group name to navigate to the respective process group details page.
Attack paths
A visual representation of the attack paths, with information about the attack source IPs, entry points, affected vulnerability, and target name.
Note: This section is only displayed if there are less than 500 attacks for an affected vulnerability.
Attacks on this vulnerability
- Identifies how many attacks happened on the same vulnerability, and evaluates them by type (how many have been exploited, blocked, and allowlisted, out of the total number of attacks).
- Lists the last five attacks that happened during the selected timeframe, with details such as attack identifier (and a link to the respective code-level vulnerability details page), entry point, status (exploited, blocked, allowlisted), source IP, and timestamp.
- Select Attack detection settings to navigate to the Application protection settings page.
- Select View all attacks to navigate to the Attacks page, filtered by the vulnerability ID.
Related entities
The number of applications, services, hosts, and databases that are related to the identified code-level vulnerability, with direct links to those entities.
Vulnerability evolution
The last five vulnerability status changes (for example, when the vulnerability is first resolved and then detected again) over the last 30 days. Select See more to see the next five changes.
Note: Possible status changes happen when
- A vulnerability is detected or resolved
- A vulnerability was muted or unmuted
Reachable data assets
Lists reachable data assets exposed via the attack on the code-level vulnerability (only applicable for SQL-injection types).
Note: Select the database name to navigate to the respective database details page.
Filter vulnerabilities
There are several ways to filter the Code-level vulnerabilities page.
Filter by global timeframe
The table displays the code-level vulnerabilities which were detected at some point within the selected global timeframe. However, the data displayed about an entry reflects the current status of the entry, not the historical status.
Filtering by global timeframe is not available for the details page of a code-level vulnerability. The current status of the vulnerability and historical data are displayed (for example, detected attacks over the last 30 days). For entity-related views (reachable data, related entities), the timeframe is 24 hours, while for attacks, it's 30 days. Hover over the Info icon next to any section on the details page to view the timeframe that applies to the respective section.
Filter by management zone
You can also filter by management zone to view, for example, only code-level vulnerabilities from hosts that are in a certain management zone.
Notes:
- The numeric values displayed on the overview page, such as the number of affected processes, are global, management-zone unaware.
- You can't access management zones that aren't affected by code-level vulnerabilities.
For information on how to set up and apply management zones, and about the rules that define and limit the entities that can be accessed within a management zone, see Management zones.
Filter by code-level vulnerability details
The following filters are available:
-
Risk assessment:
Public internet exposure
,Reachable data assets
,Reduced accuracy (infra-only)
.Note:
Reduced accuracy (infra-only)
filters for vulnerabilities that have related hosts running in Infrastructure Monitoring mode. For details, see Monitoring modes. -
Status:
Detected
,Resolved
,Muted
-
Vulnerability ID: Select a vulnerability based on the 'S' string that represents its ID
-
Affected or related entity: Select and enter any combination of the following:
Process group name
,Host name
,Kubernetes workload name
,Kubernetes cluster name
,Tag
Note: For
Tag
, you can use tags on a host, process, and process group, with the syntaxkey:value
orkey
. For more information about tagging, see Define and apply tags.
Change vulnerability status
You can
-
Mute (silence) vulnerabilities that are
- Open, if you don't consider them important
- Resolved, if you don't want to deal with them if they are reopened
Note: Muted vulnerabilities don't appear on the list of vulnerabilities unless you filter for
Status: muted
. -
Unmute vulnerabilities that are muted, if you consider them important
Notes:
- Unmuting an open vulnerability makes it active again—its status changes back to
Open
, and the vulnerability shows up again in the list of vulnerabilities when you filter forOpen
vulnerabilities. - Unmuting a resolved vulnerability changes its status back to
Resolved
, and the vulnerability shows up again in the list of vulnerabilities when you filter forResolved
vulnerabilities.
- Unmuting an open vulnerability makes it active again—its status changes back to
Additionally, you can change the vulnerability status by selecting a new reason for the current status or adding more information to the current status.
There are two ways to change the status of a vulnerability:
Option 1: On the Code-level vulnerabilities page
- Select Details for the selected vulnerability and then select Change status.
- Under Select new status, select the status and reason for the status change from the New status menu.
- Optionally, provide Additional information.
- Select Save.
Option 2: On the details page of the code-level vulnerability
- Select Change status in the upper-right corner of the page.
- Under Select new status, select the status and reason for the status change from the New status menu.
- Optionally, provide Additional information.
- Select Save.
You need to wait up to a minute for the change to take effect. Refresh the page to see your change.
The last five status changes of the vulnerability within the last 30 days are logged in the Vulnerability evolution section of the vulnerability details page.
- Select Show more for the next five status changes.
- Select Details to see who changed the status of the vulnerability, the reason for changing the status, and any additional comments.
Note: You can't change the status of a vulnerability if
To see why muting/unmuting isn't possible, hover over Mute problem/Unmute problem.