
Troubleshoot Application Security

Application Security writes to the following existing Dynatrace log files:

  • The OneAgent Java code module log
  • The Dynatrace Cluster server log and debug log

The sections below list the problems you may run into with Application Security and how to fix them.

Vulnerabilities aren't displayed

See below for potential reasons why vulnerabilities aren't displayed:

Application Security isn't activated

If the Vulnerabilities page displays Runtime Vulnerability Analytics with About, Gallery, Use cases, and Supported distributions sections, the Application Security feature isn't activated. To activate Application Security, contact a Dynatrace product specialist via in-product chat or speak to your account executive.

Application Security isn't enabled

If the Vulnerabilities page displays Enable settings to unlock full potential with an option to Activate settings, the Application Security feature is activated but not enabled. For instructions, see Get started with Vulnerability Analytics.

No software components are reported

If no software components are reported, no vulnerabilities can be displayed on the Vulnerabilities page. Make sure that the necessary OneAgent features are enabled.

To confirm the OneAgent features

  1. In the Dynatrace menu, go to Settings.

  2. In Preferences, select OneAgent features, and then filter for Software component reporting.

  3. Enable any disabled feature in the list.

    Note: For OneAgent versions earlier than the version listed for the technology, enabling the feature isn't enough: in the Details of each feature, also turn on Activate this feature also in OneAgents only fulfilling the minimum opt-in version.

  4. Select Save changes.

OneAgent auto-injection in Infrastructure Monitoring mode is disabled

OneAgent in Infrastructure Monitoring mode automatically injects into processes to be able to monitor backing services written in Java and runtime metrics for supported languages. If the auto-injection is disabled for individual hosts, related vulnerabilities can't be assessed.

To enable auto-injection in Infrastructure Monitoring mode, you need to enable runtime metrics. For details, see Process injection in Infrastructure Monitoring mode.

Not all entities are displayed

Check your management zones filter and the timeframe selector.

The feed import isn't working

When the feed import isn't working:

  • If the vulnerability feed hasn't been imported, Vulnerability Analytics cannot detect any third-party vulnerabilities.
  • If the vulnerability feed has been imported but isn't currently working, Vulnerability Analytics continues to detect vulnerabilities from the imported vulnerability feed, but it cannot detect vulnerabilities that are added in the newer feed versions.

To fix this problem, verify your firewall rules: the server process must be able to reach the Mission Control endpoint https://mcsvc.dynatrace.com/vulnerabilityFeed/*. Whether the feed import is failing can be diagnosed via the JMX metrics of the server.
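The firewall check described above, as an added example (not Dynatrace tooling and not part of the original page): a Python script that opens a TCP and TLS connection from the server host to the host and port of the feed endpoint and maps any failure to a likely cause. It assumes it is run on the Dynatrace server host as the user the server process runs as, and it connects directly; if the server egresses through a proxy, a direct connect is expected to fail here and the proxy path has to be tested instead.

```python
"""Reachability check for the vulnerability feed endpoint (added example)."""
import socket
import ssl
from urllib.parse import urlparse

# Endpoint named on the page. The '/*' wildcard covers all feed paths, so the
# check targets the host and port (TCP + TLS), not one specific URL path.
FEED_URL = "https://mcsvc.dynatrace.com/vulnerabilityFeed/*"


def classify_failure(exc):
    """Map a socket/TLS exception to a likely cause in firewall/proxy terms."""
    if isinstance(exc, socket.gaierror):
        return "dns", "hostname does not resolve: check DNS or egress DNS filtering"
    if isinstance(exc, ConnectionRefusedError):
        return "refused", "TCP connect refused: check firewall rules or a required proxy"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout", "connect timed out: packets are probably dropped by a firewall"
    if isinstance(exc, ssl.SSLCertVerificationError):  # subclass of SSLError, check first
        return "tls-cert", "server certificate not trusted: TLS-intercepting proxy or missing CA"
    if isinstance(exc, ssl.SSLError):
        return "tls", "TLS handshake failed: protocol/cipher mismatch or interception"
    return "other", f"unexpected error: {exc!r}"


def probe(url=FEED_URL, timeout=5.0):
    """Open a TCP and TLS connection to the feed host.

    Returns (ok, category, detail). HTTP is deliberately not spoken: the point
    is whether the server process can reach the endpoint at all.
    """
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, "ok", f"{tls.version()} connection to {host}:{port}, certificate verified"
    except OSError as exc:  # socket, timeout and ssl errors are all OSError subclasses
        category, detail = classify_failure(exc)
        return False, category, detail


if __name__ == "__main__":
    ok, category, detail = probe()
    print(("REACHABLE" if ok else "BLOCKED") + f" [{category}] {detail}")
```

Run it as the server's service user so that the same routing, DNS and outbound rules apply as for the server process; a "tls-cert" result usually means an inspecting proxy re-signs the connection, in which case the proxy's CA has to be trusted by the server or the endpoint has to be excluded from inspection.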

False positive results

A vulnerability might be identified incorrectly. Possible reasons for false positives include:

  • The extracted information from the software component isn't correct and a wrong library was identified (for example, due to wrong information in the pom.xml file).
  • The identified version of the library has a version string (or a well-known identifier) that was incorrectly parsed or compared.

If you see any false positive results, please open a support ticket to help us improve Application Security monitoring.

False negative (missing) results

Vulnerabilities can be missing if, for example, libraries aren't shipped with a pom.xml file.
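Both of the cases above, a false positive from wrong Maven metadata inside the jar and a false negative from a jar that ships no Maven metadata at all, can be checked by looking at what the jar itself claims to be. The following is an added example, not Dynatrace code and not a description of how OneAgent identifies components: it reads META-INF/maven/*/*/pom.properties (the file Maven writes next to pom.xml inside the jar) and MANIFEST.MF and flags inconsistencies between them. The sample jars are constructed in memory; the org.example/widget coordinates are made up.

```python
"""Inspect the identification metadata a jar carries (added example)."""
import io
import zipfile


def _parse_properties(text):
    """Parse a Java .properties file (key=value, '#'/'!' comments) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _parse_manifest(text):
    """Parse MANIFEST.MF headers, joining continuation lines (leading space)."""
    headers, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:
            headers[current] += line[1:]
        elif ":" in line:
            current, _, value = line.partition(":")
            headers[current.strip()] = value.strip()
    return headers


def jar_identity(jar_bytes):
    """Return every identity claim found in the jar: Maven coordinates and manifest."""
    identity = {"maven": [], "manifest": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = _parse_properties(jar.read(name).decode("utf-8", "replace"))
                identity["maven"].append(
                    {k: props.get(k) for k in ("groupId", "artifactId", "version")})
            elif name == "META-INF/MANIFEST.MF":
                identity["manifest"] = _parse_manifest(jar.read(name).decode("utf-8", "replace"))
    return identity


def assess(identity):
    """Flag conditions that lead to wrong or missing component identification."""
    findings = []
    if not identity["maven"]:
        findings.append("no-maven-metadata")        # candidate for a false negative
    if len(identity["maven"]) > 1:
        findings.append("multiple-maven-modules")   # shaded/uber jar: one jar, many libraries
    mf_version = identity["manifest"].get("Implementation-Version")
    for coords in identity["maven"]:
        # A version in pom.properties that disagrees with the manifest is the
        # "wrong information in the pom" case: one of the two sources is stale.
        if mf_version and coords["version"] and mf_version != coords["version"]:
            findings.append(
                f"version-mismatch:{coords['artifactId']}:{coords['version']}!={mf_version}")
    return findings or ["consistent"]


def build_sample_jar(manifest_version, pom_version, with_pom=True):
    """Construct a minimal jar in memory (sample data, not a real library)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nImplementation-Title: widget\r\n"
                     f"Implementation-Version: {manifest_version}\r\n")
        if with_pom:
            jar.writestr("META-INF/maven/org.example/widget/pom.properties",
                         "#Generated by Maven\ngroupId=org.example\nartifactId=widget\n"
                         f"version={pom_version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("consistent", build_sample_jar("2.4.1", "2.4.1")),
               ("stale pom.properties", build_sample_jar("2.4.1", "2.3.0")),
               ("no Maven metadata", build_sample_jar("2.4.1", None, with_pom=False))]
    for label, jar in samples:
        print(f"{label}: {assess(jar_identity(jar))}")
```

To check a real library, pass `open("lib.jar", "rb").read()` to `jar_identity`. A "version-mismatch" finding is worth attaching to the support ticket for a false positive, and "no-maven-metadata" explains a missing vulnerability for a jar built without Maven or with the metadata stripped.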

A Java process is having problems

If the Java application process appears to be affected by Application Security, please open a support ticket.

Increase host coverage

To increase the host coverage

  1. Enable Third-party Vulnerability Analytics globally.
  2. Enable all the technologies that you want Dynatrace to cover.

     Note: Only hosts running technologies that are listed and enabled can be collected.

  3. In your monitoring rules, look for hosts that are excluded from monitoring, and adapt these rules if you want the respective hosts to be collected.

Note that it can take up to 10 minutes until any change is displayed.

To find out how host coverage is calculated, see Application Security overview.

FAQ: Why isn't the host coverage increasing?

If you have followed the steps above to increase the Application Security host coverage, yet the number of covered hosts stays the same, make sure that:

  • Your OneAgent version is compatible with the supported technologies.
  • The (…) software component reporting OneAgent features are enabled for all technologies (in Dynatrace, go to Settings > Preferences > OneAgent features, and search for (…) software component reporting).
  • There are no OneAgent features configured at the process-group level overriding the global OneAgent configuration. For details, see OneAgent features.

FAQ: Why doesn't the number of covered hosts match?

If you define tags for hosts covered by Application Security, and you notice that the number of hosts on the Hosts page filtered by your Application Security tags is different from the number of hosts displayed on the Application overview page under Host coverage, make sure that:

  • Your OneAgent version is compatible with the supported technologies.
  • The (…) software component reporting OneAgent features are enabled for all technologies (in Dynatrace, go to Settings > Preferences > OneAgent features, and search for (…) software component reporting).
  • There are no OneAgent features configured at the process-group level overriding the global OneAgent configuration. For details, see OneAgent features.
  • All supported technologies are enabled (in Dynatrace, go to Settings > Application Security > Vulnerability Analytics > General settings and select Third-party Vulnerability Analytics). For details, see Control by technology.

All vulnerabilities are closed (set to Resolved)

All vulnerabilities on the Vulnerabilities page appear as closed when no software components are reported. Make sure that the necessary OneAgent features are enabled, following the steps under No software components are reported above (Settings > Preferences > OneAgent features, filter for Software component reporting, enable any disabled feature, and save).

Public internet exposure and reachable data assets are Not available

If the details page of a third-party vulnerability shows Not available for public internet exposure and reachable data assets, one or more related hosts are running in Infrastructure Monitoring mode. A full assessment can only be done when all related hosts are running in Full-Stack Monitoring mode. For details, see Monitoring modes.

Different values on the Third-party vulnerabilities and vulnerability details pages

Different number of affected entities

The number of affected entities (process groups or hosts) on the Third-party vulnerabilities page (in the Affected entities column for a specific vulnerability) may differ from the number of affected entities on the vulnerability details page for the following reasons:

  • On the Third-party vulnerabilities page:

    • Affected entities aren't filtered by management zone.
    • Calculations take place every 15 minutes.
  • On the vulnerability details page:

    • Affected entities are filtered by management zone.
    • Current data is considered.

Different risk factors

The assessment of risk factors (Public exploit, Public internet exposure, Reachable data assets, Vulnerable functions in use) in the infographic on the vulnerability details page and the Davis Security Score column on the Third-party vulnerabilities page may be different from the assessment of risk factors on the vulnerability details page (in the Vulnerability details section) for the following reason:

  • For the infographic on the vulnerability details page and the Davis Security Score column on the Third-party vulnerabilities page, calculations take place every 15 minutes.
  • For the Vulnerability details section on the vulnerability details page, current data is considered.

Information about the affected database isn't available

If the details page of an attack with exploit type SQL injection shows no information about the affected database, the Java JDBC OneAgent feature is disabled.

Note: Be sure to check with your Dynatrace admin before enabling this feature in your environment.

To enable the Java JDBC OneAgent feature

  1. In the Dynatrace menu, go to Settings.
  2. In Preferences, select OneAgent features, and then filter for JDBC.
  3. Enable Java JDBC.
  4. In the feature Details, make sure Instrumentation enabled is turned on.
  5. Select Save changes.

Vulnerability status fluctuations

If a vulnerability keeps being resolved and reopened, even if the third-party application containing the vulnerability has been upgraded, it might be that a process is still using that vulnerable library, and that process isn't running all the time. When the process is not in use, the vulnerability is resolved. When it starts running again, the vulnerability is reopened. On the details page of the vulnerability, check for affected processes.