Troubleshoot Application Security

Application Security writes to the following existing Dynatrace log files:

• The OneAgent Java code module log
• The Dynatrace Cluster server log and debug log

See below how you can fix potential issues regarding Application Security.

Security overview page is unavailable

If the Application Security overview page displays Enable Third-party and Code-level Vulnerability Analytics with a Configure option, the Application Security feature is activated but not enabled for both third-party and code-level vulnerability detection. For instructions, see Get started with Runtime Vulnerability Analytics.

Vulnerabilities aren't displayed

See below for potential reasons why vulnerabilities aren't displayed:

Application Security isn't activated

If the Third-party vulnerabilities page displays Runtime Vulnerability Analytics with About, Gallery, Use cases, and Supported distributions sections, the Application Security feature isn't activated. To activate Application Security, contact a Dynatrace product expert via live chat.

Runtime Vulnerability Analytics isn't enabled

• If the Third-party vulnerabilities page displays Enable Third-party Vulnerability Analytics with a Configure option, the Application Security feature is activated but third-party vulnerability detection is not enabled. For instructions, see Get started with Runtime Vulnerability Analytics.
• If the Code-level vulnerabilities page displays Enable Code-level Vulnerability Analytics with a Configure option, the Application Security feature is activated but code-level vulnerability detection is not enabled. For instructions, see Get started with Runtime Vulnerability Analytics.

Attacks page is unavailable

If the Attacks page displays Enable Runtime Application Protection with a Configure option, the Application Security feature is activated but Runtime Application Protection is not enabled. For instructions, see Get started with Runtime Application Protection.

No software components are reported

If no software components are reported, vulnerabilities aren't displayed on the Third-party vulnerabilities page. Make sure that the necessary OneAgent features have been confirmed.

To confirm the OneAgent features

1. In the Dynatrace menu, go to Settings.

2. In Preferences, select OneAgent features, and then filter for Software component reporting.

3. Enable any disabled feature in the list.

   For OneAgent versions earlier than the technology-specific version, besides enabling the disabled features, you also need to enable Activate this feature also in OneAgents only fulfilling the minimum opt-in version in the Details of each feature.

4. Select Save changes.

OneAgent auto-injection in Infrastructure Monitoring mode is disabled

OneAgent in Infrastructure Monitoring mode automatically injects into processes to be able to monitor backing services written in Java and runtime metrics for supported languages. If the auto-injection is disabled for individual hosts, related vulnerabilities can't be assessed.

To enable auto-injection in Infrastructure Monitoring mode, you need to enable runtime metrics. For details, see Process injection in Infrastructure Monitoring mode.

Monitoring stopped error

See below for potential reasons why the monitoring status radar shows Monitoring stopped. Please check settings on any of the pages below.

Monitoring stopped on Security overview

• Application Security isn't activated.

  • To activate Application Security, see Get started with Application Security.

• Both Third-party Vulnerability Analytics and Code-level Vulnerability Analytics are disabled. Your environment is monitored when at least one of these features is enabled.

  • To enable Third-party Vulnerability Analytics, see Enable Third-party Vulnerability Analytics.
  • To enable Code-level Vulnerability Analytics, see Enable Code-level Vulnerability Analytics.

• No supported technology for Third-party Vulnerability Analytics is enabled, Global Java code-level vulnerability detection control for Code-level Vulnerability Analytics is disabled, and no custom monitoring rules for code-level vulnerabilities are in place. Your environment is monitored when at least one of these requirements is met.

  • To enable technologies for Third-party Vulnerability Analytics, see Control by technology.
  • To enable Global Java code-level vulnerability detection control, see Configure monitoring.
  • To set custom monitoring rules for code-level vulnerabilities, see Monitoring rules - Code-level Vulnerability Analytics.

Monitoring stopped on Third-party vulnerabilities

• Application Security isn't activated.

  • To activate Application Security, see Get started with Application Security.

• Third-party Vulnerability Analytics is disabled.

  • To enable Third-party Vulnerability Analytics, see Enable Third-party Vulnerability Analytics.

• No supported technology for Third-party Vulnerability Analytics is enabled.

  • To enable technologies for Third-party Vulnerability Analytics, see Control by technology.

Monitoring stopped on Code-level vulnerabilities

• Application Security isn't activated.

  • To activate Application Security, see Get started with Application Security.

• Code-level Vulnerability Analytics is disabled.

  • To enable Code-level Vulnerability Analytics, see Enable Code-level Vulnerability Analytics.

• Global Java code-level vulnerability detection control for Code-level Vulnerability Analytics is disabled, and no custom monitoring rules for code-level vulnerabilities are in place. Your environment is monitored when at least one of these requirements is met.

  • To enable Global Java code-level vulnerability detection control, see Configure monitoring.
  • To set custom monitoring rules for code-level vulnerabilities, see Monitoring rules - Code-level Vulnerability Analytics.

Not all entities are displayed

Check your management zones filter and the timeframe selector.

The feed import isn't working

When the feed import isn't working:

• If the vulnerability feed hasn't been imported, Runtime Vulnerability Analytics cannot detect any third-party vulnerabilities.
• If the vulnerability feed has been imported but isn't currently working, Runtime Vulnerability Analytics continues to detect vulnerabilities from the imported vulnerability feed, but it cannot detect vulnerabilities that are added in the newer feed versions.

To fix this problem, verify your firewall rules. This issue can be diagnosed via the JMX metrics and fixed by ensuring that the server process can access the Mission Control endpoint https://mcsvc.dynatrace.com/vulnerabilityFeed/*.

False positive results

A vulnerability might be identified incorrectly. Possible reasons for false positives include:

• The extracted information from the software component isn't correct and a wrong library was identified (for example, due to wrong information in the pom.xml file).
• The identified version of the library has a version string (or a well-known identifier) that was incorrectly parsed or compared. If you see any false positive results, please open a support ticket to help us improve Application Security monitoring.

For more information on how to identify false positives, query the relevant process for information via API, and mute false positives, see Reported vulnerability is considered as a false positive.

False negative (missing) results

Vulnerabilities can be missing if, for example, libraries aren't shipped with a pom.xml file.

A Java process is having problems

If the Java application process appears to be affected by Application Security, please open a support ticket.

Increase host coverage

• To increase the host coverage for third-party vulnerabilities

  1. Enable Third-party Vulnerability Analytics globally.
  2. Enable all the technologies that you want Dynatrace to cover. Note that only hosts running technologies that are listed and enabled can be collected.
  3. In your monitoring rules, look for hosts that are excluded from monitoring, and adapt these rules if you want the respective hosts to be collected.

• To increase the host coverage for code-level vulnerabilities

  1. Enable Code-level Vulnerability Analytics globally.
  2. Enable OneAgent monitoring.
  3. Set the global code-level vulnerability detection control to Monitor.
  4. In your monitoring rules, look for process groups that are excluded from monitoring, and adapt these rules. Note that a host is monitored when all its processes are monitored with Application Security.
  5. Restart OneAgent.

Note that it can take up to 10 minutes until any change is displayed.

To find out how host coverage is calculated, see Application Security overview: Host coverage.

FAQ: Why isn't the host coverage increasing?

If you have followed the steps above to increase the Application Security host coverage, yet the number of covered hosts stays the same, follow the instructions below.

• For third-party vulnerability detection, make sure that

  1. Your OneAgent version is compatible with the supported technologies.
  2. (…) software component reporting OneAgent features are enabled for all technologies (in Dynatrace, go to Settings > Preferences > OneAgent features and search for (…) software component reporting).
  3. There are no OneAgent features configured at the process-group level overriding the global OneAgent configuration. For details, see OneAgent features.

• For code-level vulnerability detection, make sure that

  1. Your OneAgent version is compatible with the supported technologies.
  2. There are no OneAgent features configured at the process-group level overriding the global OneAgent configuration. For details, see OneAgent features.

FAQ: Why doesn't the number of covered hosts match?

If you define tags for hosts covered by Application Security and you notice that the number of hosts on the Hosts page filtered by your Application Security tags is different from the number of hosts displayed on the Application Security overview page under Host coverage, follow the instructions below.

• For third-party vulnerability detection

  1. Make sure that your OneAgent version is compatible with the supported technologies.
  2. Enable (…) software component reporting OneAgent features for all technologies (in Dynatrace, go to Settings > Preferences > OneAgent features, and search for (…) software component reporting).
  3. Make sure that there are no OneAgent features configured at the process-group level overriding the global OneAgent configuration. For details, see OneAgent features.
  4. Enable all supported technologies (in Dynatrace, go to Settings > Application Security > Vulnerability Analytics > General settings and select Third-party Vulnerability Analytics). For details, see Control by technology.

• For code-level vulnerability detection

  1. Make sure that your OneAgent version is compatible with the supported technologies.
  2. Make sure that there are no OneAgent features configured at the process-group level overriding the global OneAgent configuration. For details, see OneAgent features.

All vulnerabilities are closed (set to Resolved)

All vulnerabilities on the Vulnerabilities page appear as closed when no software components are reported. Make sure that the necessary OneAgent features have been confirmed.

To confirm the OneAgent features

1. In the Dynatrace menu, go to Settings.

2. In Preferences, select OneAgent features, and then filter for Software component reporting.

3. Enable any disabled feature in the list.

   For OneAgent versions earlier than the technology-specific version, besides enabling the disabled features, you also need to enable Activate this feature also in OneAgents only fulfilling the minimum opt-in version in the Details of each feature.

4. Select Save changes.

Public internet exposure and reachable data assets are Not available

If, on the details page of a third-party vulnerability, data for public internet exposure and reachable data assets isn't available, this happens because one or more related hosts are running in Infrastructure Monitoring mode. A full assessment can only be done when all related hosts are running in Full-Stack Monitoring mode. For details, see Monitoring modes.

Different values on the Third-party vulnerabilities and vulnerability details pages

Different number of affected entities

The number of affected entities (process groups or hosts) on the Third-party vulnerabilities page (in the Affected entities column for a specific vulnerability) may differ from the number of affected entities on the vulnerability details page for the following reasons:

• On the Third-party vulnerabilities page:

  • Affected entities aren't filtered by management zone.
  • Calculations take place every 15 minutes.

• On the vulnerability details page:

  • Affected entities are filtered by management zone.
  • Current data is considered.

Different risk factors

The assessment of risk factors (Public exploit, Public internet exposure, Reachable data assets, Vulnerable functions in use) in the infographic on the vulnerability details page and the Davis Security Score column on the Third-party vulnerabilities page may be different from the assessment of risk factors on the vulnerability details page (in the Vulnerability details section) for the following reason:

• For the infographic on the vulnerability details page and the Davis Security Score column on the Third-party vulnerabilities page, calculations take place every 15 minutes
• For the Vulnerability details section on the vulnerability details page, current data is considered.

Information about the affected database isn't available

If there's no information about the affected database on the details page of an attack by an SQL injection exploit type, the Java JDBC OneAgent feature is disabled.

To enable the Java JDBC OneAgent feature

1. In the Dynatrace menu, go to Settings.
2. In Preferences, select OneAgent features, and then filter for JDBC.
3. Enable Java JDBC.
4. In the feature Details, make sure Instrumentation enabled is turned on.
5. Select Save changes.

Vulnerability status fluctuations

If a vulnerability keeps being resolved and reopened, even if the third-party application containing the vulnerability has been upgraded, it might be that a process is still using that vulnerable library, and that process isn't running all the time. When the process is not in use, the vulnerability is resolved. When it starts running again, the vulnerability is reopened. On the details page of the vulnerability, check for affected processes.

All .NET framework runtime vulnerabilities are closed

Due to an elevated false positives rate, support for .NET framework runtime vulnerabilities has been halted, and all open .NET framework runtime vulnerabilities have been automatically closed.