Manage code-level vulnerabilities

A code-level vulnerability is a security problem based on a flaw in your application code. After you enable and configure Dynatrace Runtime Vulnerability Analytics, Dynatrace starts inspecting your libraries and first-party code to detect code-level vulnerabilities.

  • A spinning radar in the upper-right corner of the Code-level vulnerabilities page indicates that your environment is being monitored. If Code-level Vulnerability Analytics is disabled, the information on this page is unavailable, the radar stops, and the warning Monitoring stopped. Please check settings. is shown. Follow the associated link to enable Code-level Vulnerability Analytics.

  • The security problem indicator on the Dynatrace top bar displays the number of critical or high vulnerabilities in your environment. Select it to navigate to the Code-level vulnerabilities page.

Code-level vulnerabilities list

To see the list of detected code-level vulnerabilities in your environment, in the Dynatrace menu, go to Code-level vulnerabilities. The following information is displayed.

Vulnerabilities detected

A list of detected code-level vulnerabilities in your environment. For optimized performance, a maximum of 500 vulnerabilities are displayed at a time. You can narrow down the results by applying filters. To sort the list by any item, select the corresponding column heading. To add or remove column headings, select Format table.

Vulnerabilities

  • The Dynatrace vulnerability ID (example: S-3694)
  • The type of code-level vulnerability and the matching code location where it was detected (for example, SQL injection at DatabaseManager.updateBio():82)
  • The vulnerable component (the affected process group name, for example: launch.Main).

Risk level

  • The vulnerability risk level (typically Critical), indicating the severity of the vulnerability, and the symbol associated with it.
  • The public exposure symbol, if the vulnerability affects at least one process that is exposed to the internet. Exposure is determined from the traffic that reaches the process, either directly (via the source IP) or indirectly (via a header set by an intermediary service, such as X-Forwarded-For). If the symbol is grayed out and crossed out, there's no public exposure. If the symbol isn't present, no data is available.
  • The reachable data symbol, if the vulnerability affects a process that has database access, based on the Dynatrace entity model (Smartscape). If the symbol is grayed out and crossed out, there are no reachable data assets affected. If the symbol isn't present, no data is available.
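The public exposure and reachable data indicators above are derived from observed traffic and topology. As an added illustration of the public exposure rule (this is example code written for this page, not Dynatrace's implementation), the function below classifies a process from a constructed list of observed requests: a request counts as public if its direct source IP or any hop in an X-Forwarded-For header is a globally routable address; no observed traffic at all maps to the "Not available" state. Treating every hop in X-Forwarded-For as a candidate client address is an assumption made here for a conservative result; the product's "Not available" state reflects infrastructure-only monitoring, which this example approximates as absence of traffic data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional


@dataclass(frozen=True)
class ObservedRequest:
    """One request seen at a process (constructed input, not Dynatrace data)."""
    source_ip: str                         # peer address the process saw directly
    x_forwarded_for: Optional[str] = None  # header set by an intermediary such as a load balancer


def is_public_address(text: str) -> bool:
    """True only for globally routable addresses; private, loopback, link-local,
    reserved and unparsable values all count as not public."""
    try:
        return ipaddress.ip_address(text.strip()).is_global
    except ValueError:
        return False


def candidate_client_addresses(req: ObservedRequest) -> Iterator[str]:
    """Direct peer first, then every hop listed in X-Forwarded-For
    (left-most is the original client as claimed by the intermediaries)."""
    yield req.source_ip
    if req.x_forwarded_for:
        yield from req.x_forwarded_for.split(",")


def public_exposure(requests: Iterable[ObservedRequest]) -> str:
    """Return one of the three states the page lists:
    'Public network', 'Not detected' or 'Not available' (no traffic data at all)."""
    seen = list(requests)
    if not seen:
        return "Not available"  # assumption: no observed traffic means no data
    if any(is_public_address(addr)
           for req in seen
           for addr in candidate_client_addresses(req)):
        return "Public network"
    return "Not detected"


if __name__ == "__main__":
    # Constructed samples: an internal-only service and one behind a load balancer
    internal_only = [ObservedRequest("10.0.0.5"), ObservedRequest("10.0.0.7")]
    behind_lb = [ObservedRequest("10.0.0.1", "8.8.8.8, 10.0.0.1")]
    print(public_exposure(internal_only))  # Not detected
    print(public_exposure(behind_lb))      # Public network
    print(public_exposure([]))             # Not available
```

Because X-Forwarded-For is client-supplied until a trusted proxy appends to it, the example errs towards reporting exposure: a spoofed public hop makes a process look exposed, never hidden, which is the safer failure mode for a risk indicator.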

Status

  • Open: The code-level vulnerability is currently present.

  • Resolved: The code-level vulnerability has been automatically resolved because the root cause (the vulnerable code location) is not present anymore.

  • Muted: The code-level vulnerability has been muted by request.

    Note: A muted vulnerability that has been automatically resolved doesn't change its status to Resolved.

Attacks

The number of attacks related to this code-level vulnerability. The same vulnerability can be exploited by multiple attacks.

Note: This column is displayed only if Dynatrace Runtime Application Protection is activated.

Affected processes

The number of processes affected by the code-level vulnerability. Each affected process runs code in which this vulnerability was detected.

First detected

When Dynatrace first detected the code-level vulnerability.

Last update

The last time the code-level vulnerability was updated due to changes in the underlying data detected by Dynatrace.

Note: To display this column, select Format table and add Last update to the list.

Details

Expand vulnerability rows for details, or to perform the following actions:

  • Select Change status to mute or unmute the vulnerability, or to mute it again with a different reason or comment.
  • Select View vulnerability details to navigate to the details page of a vulnerability.

Code-level vulnerability details

To see details about a code-level vulnerability, select a vulnerability on the Code-level vulnerabilities page. The following information is displayed.

Vulnerability title

The title consists of the following elements:

  • The type of code-level vulnerability and the matching code location where it was detected (example: SQL injection at DatabaseManager.updateBio():82)
  • The Dynatrace vulnerability ID (example: S-3694)
  • The affected entity (example: SpringBoot org.dynatrace.ssrfservice.Application unguard-proxy-service-*)

Infographic of the key features

  • Risk level: A code-level vulnerability has a Critical risk level. Once the vulnerability has been muted, the risk level symbol is grayed out.

  • Public internet exposure: Whether there's any public internet exposure. Possible states are:

    • Public network: There is public internet exposure.
    • Not detected: No internet exposure was found.
    • Not available: Data isn't available, because the related hosts are running in infrastructure-only mode. For details, see Monitoring modes.
  • Reachable data assets: Whether any reachable data assets are affected. Possible states are:

    • Within range: There are reachable data assets affected.
    • Not detected: No reachable data assets were found.
    • Not available: Data isn't available, because the related hosts are running in infrastructure-only mode. For details, see Monitoring modes.
  • Attacks: The number of attacks detected on the code location from different source IP addresses.

    Note: This feature is displayed only if Application Protection is activated.

  • Processes: The number of processes affected by the vulnerability.

  • Type: The type of exploit (SQL injection, command injection, or improper input validation).

To change the status of the vulnerability, select Change status in the upper-right corner of the page.

Context and details

  • A description of the vulnerability type.

  • The exact code location.

  • The vulnerable function.

  • The SQL statement (in the case of SQL injection), the command (in the case of command injection), or the JNDI lookup name (in the case of improper input validation). The actual malicious input is highlighted.

    Note: For data protection, asterisks (*****) are displayed instead of user information.

  • Affected entities:

    • The process group where the vulnerability was detected.
    • The number of affected processes.

    Select a process group name to navigate to the respective process group details page.

Attack paths

This section is displayed only if both of the following apply:

  • Application Protection is activated.
  • There are fewer than 500 attacks for an affected vulnerability.

A visual representation of the attack paths, with information about the attack source IPs, entry points, affected vulnerability, and target name.

Attacks detected

This section is displayed only if Application Protection is activated.

  • Identifies how many attacks were detected on the same vulnerability, and evaluates them by type (how many have been exploited, blocked, and allowlisted, out of the total number of attacks).
  • Lists the last five attacks that happened during the last 365 days, with details such as the attack identifier (with a link to the respective attack details page), entry point, status (exploited, blocked, allowlisted), source IP, and timestamp.
  • Select Application Protection settings to navigate to Application protection: General settings.
  • Select View all attacks to navigate to the Attacks page, filtered by the vulnerability ID.

Related entities

The number of applications, services, hosts, and databases that are connected to the identified code-level vulnerability, based on the last hour, with links to the details pages of the related entities:

  • Applications: Applications that call a vulnerable service, or applications that call a non-vulnerable service that calls a vulnerable service.
    • Limitations: When determining related applications, the Dynatrace PurePath® distributed traces are not analyzed.
  • Services: Services that directly run on a vulnerable process group instance.
  • Hosts: Hosts on which the vulnerable process runs.
  • Databases: Databases that run on the vulnerable process.
  • Kubernetes workloads: In Kubernetes environments, the workloads to which the vulnerable process belongs.
  • Kubernetes clusters: In Kubernetes environments, the clusters to which the vulnerable process belongs.

The Kubernetes workloads and Kubernetes clusters sections are displayed only if Kubernetes workloads or clusters are detected.

Vulnerability evolution

The current status and the last five vulnerability status changes (for example, when the vulnerability is first resolved and then detected again) over the last 30 days. Select Show more to see the next five changes.

Note: A status change happens when

  • A vulnerability is detected or resolved
  • A vulnerability is muted or unmuted
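The Status column and the Vulnerability evolution section describe the same state model: Open, Resolved and Muted, with the rule that a muted vulnerability stays Muted even when its code location disappears, and a history of the last five changes in the last 30 days. As an added example (written for this page, not Dynatrace's own code), the class below keeps the two underlying facts, "code location still present" and "muted", separate and derives the displayed status from them, so the muted-while-resolved rule falls out naturally. Two details are assumptions, since the page does not spell them out: unmuting a vulnerability whose code location is already gone shows Resolved, and muting again with a different reason updates the reason without counting as a status change.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class StatusChange:
    at: datetime
    status: str   # "Open", "Resolved" or "Muted"
    reason: str


@dataclass
class CodeLevelVulnerability:
    """Status is derived from two facts rather than stored, which is what makes a
    muted finding stay Muted when its vulnerable code location disappears."""
    vuln_id: str
    present: bool = False
    muted: bool = False
    mute_reason: Optional[str] = None
    history: List[StatusChange] = field(default_factory=list)

    def status(self) -> str:
        if self.muted:
            return "Muted"
        return "Open" if self.present else "Resolved"

    def _record(self, at: datetime, reason: str) -> None:
        # Only a change of the derived status is recorded as a status change
        new = self.status()
        if not self.history or self.history[-1].status != new:
            self.history.append(StatusChange(at, new, reason))

    def detect(self, at: datetime) -> None:
        self.present = True
        self._record(at, "vulnerable code location detected")

    def resolve(self, at: datetime) -> None:
        self.present = False
        self._record(at, "vulnerable code location no longer present")

    def mute(self, at: datetime, reason: str) -> None:
        # Assumption: muting again with a new reason keeps the Muted status
        self.muted, self.mute_reason = True, reason
        self._record(at, f"muted: {reason}")

    def unmute(self, at: datetime) -> None:
        # Assumption: unmuting an already-gone code location shows Resolved
        self.muted, self.mute_reason = False, None
        self._record(at, "unmuted")

    def evolution(self, now: datetime, days: int = 30, limit: int = 5) -> List[StatusChange]:
        """Most recent changes first, restricted to the last `days` days, at most `limit` entries."""
        cutoff = now - timedelta(days=days)
        recent = [c for c in self.history if c.at >= cutoff]
        return recent[::-1][:limit]


if __name__ == "__main__":
    # Constructed timeline using the page's example vulnerability ID
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    v = CodeLevelVulnerability("S-3694")
    v.detect(t0)
    v.mute(t0 + timedelta(days=1), "accepted risk")
    v.resolve(t0 + timedelta(days=2))   # stays Muted: no status change recorded
    v.unmute(t0 + timedelta(days=3))    # now Resolved
    v.detect(t0 + timedelta(days=4))    # detected again: Open
    for change in v.evolution(now=t0 + timedelta(days=5)):
        print(change.at.date(), change.status, change.reason)
```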

Reachable data assets

Lists the reachable data assets exposed via an attack on the code-level vulnerability, based on the last hour (applies only to SQL injection vulnerabilities).

Note: Select the database name to navigate to the respective database details page.

Related topics

  • How vulnerabilities are evaluated

    Application Security mechanism to detect vulnerabilities and assess risk