AppSec: Reported vulnerability is considered as a false positive

stefanie_pachne — Tue, 21 Oct 2025 16:20:01 GMT

This article is about using Dynatrace AppSec and dealing with reported false-positives in your applications.
Looking for known CVEs in Dynatrace components? Go to https://cve-status.dynatrace.com

This is a Self Service Diagnostics article of type Full-Self-Service.

For unexpected product issues on the Dynatrace side please submit a Support Ticket.

Self Service Summary

Issue	Solution	Tasks	Alternative
Reported third-party vulnerabilities for certain process groups or Kubernetes nodes are not relevant for your environment	Mute entities: They will be hidden and not taken into account for Application Security metrics or Davis Security Score	Mute* entities via UI (security problem or its individual items) or API (security problem or individual items)	Set up fine-grained Security-monitoring rules for affected processes, e.g. based on process or host tags

* Available mute state changes include CONFIGURATION_NOT_AFFECTED, FALSE_POSITIVE, IGNORE, OTHER, VULNERABLE_CODE_NOT_IN_USE

The following query examples may be helpful to identify relevant processes before muting them:

Filter by Java version

This example shows how to filter out processes of a security problem with a Java version < 9.

Steps to reproduce:

Get all security problems
For each: Get a list of "affectedEntities" (processes)
For each: Get entity (process) property "softwareTechnologies" and filter by version ("type"="JAVA")

...
"softwareTechnologies": [
  {
    "type": "JAVA"
  },
  {
    "type": "JAVA",
    "edition": "OpenJDK",
    "version": "1.8.0_312"
  },
...

Filter by third-party library data

This example shows how to identify processes with a certain third-party library package name or version.

Step to reproduce: Get entities using

"entitySelector" type(SOFTWARE_COMPONENT), softwareComponentType(JAVA) and your specific criteria e.g. packageName(org.springframework.boot:spring-boot), softwareComponentFileName(spring-boot-1.5.12.RELEASE.jar), or softwareComponentShortName(spring-boot),
and response "fields" fromRelationships.isSoftwareComponentOfPgi to retrieve affected processes.
previously identified Process Group Instances and response "fields" fromRelationships.isInstanceOf to retrieve affected Process Groups required for remediation.

Notes:

The libraries in use by PROCESS_GROUP_INSTANCES are reported as SOFTWARE_COMPONENT entities by the OneAgent.
Possible properties of an entity of a specified type can be listed via the entityTypes API.

Request 1:

GET /api/v2/entities?entitySelector=type(SOFTWARE_COMPONENT),softwareComponentType(JAVA),packageName(org.springframework.boot:spring-boot)&fields=properties.packageName,properties.softwareComponentFileName,properties.softwareComponentShortName,properties.softwareComponentType,fromRelationships.isSoftwareComponentOfPgi

Response:

...
"entities": [
  {
    "entityId": "SOFTWARE_COMPONENT-x",
    "displayName": "org.springframework.boot:spring-boot:1.5.12.RELEASE",
    "properties": {
      "softwareComponentFileName": "spring-boot-1.5.12.RELEASE.jar",
      "softwareComponentType": "JAVA",
      "softwareComponentShortName": "spring-boot",
      "packageName": "org.springframework.boot:spring-boot"
    },
    "fromRelationships": {
      "isSoftwareComponentOfPgi": [
        {
          "id": "PROCESS_GROUP_INSTANCE-x",
          "type": "PROCESS_GROUP_INSTANCE"
        },
        {
          "id": "PROCESS_GROUP_INSTANCE-x",
          "type": "PROCESS_GROUP_INSTANCE"
        }
      ]
    }
  }
]
...

Request 2:

GET /api/v2/entities/PROCESS_GROUP_INSTANCE-x?fields=fromRelationships.isInstanceOf

Response:

{ 
  "entityId": "PROCESS_GROUP_INSTANCE-x", 
  "type": "PROCESS_GROUP_INSTANCE", 
  "displayName": "NAME", 
  "fromRelationships": { 
    "isInstanceOf": [ 
      { 
        "id": "PROCESS_GROUP-x", 
        "type": "PROCESS_GROUP" 
      } 
    ] 
  } 
}

Re: Reported vulnerability is considered as a false positive

ChadTurner — Tue, 10 Jan 2023 14:56:38 GMT

Thank you @stefanie_pachne for sharing this 🙂

article AppSec: Reported vulnerability is considered as a false positive in Troubleshooting

AppSec: Reported vulnerability is considered as a false positive

Self Service Summary

Filter by Java version

Filter by third-party library data

Re: Reported vulnerability is considered as a false positive