This article is about using Dynatrace AppSec and dealing with reported false-positives in your applications.
Looking for known CVEs in Dynatrace components? Go to https://cve-status.dynatrace.com
This is a Self Service Diagnostics article of type Full-Self-Service.
For unexpected product issues on the Dynatrace side please submit a Support Ticket.
Self Service Summary
| Issue |
Solution |
Tasks |
Alternative |
| Reported third-party vulnerabilities for certain process groups or Kubernetes nodes are not relevant for your environment |
Mute entities: They will be hidden and not taken into account for Application Security metrics or Davis Security Score |
Mute* entities via UI (security problem or its individual items) or API (security problem or individual items) |
Set up fine-grained Security-monitoring rules for affected processes, e.g. based on process or host tags |
* Available mute state changes include CONFIGURATION_NOT_AFFECTED, FALSE_POSITIVE, IGNORE, OTHER, VULNERABLE_CODE_NOT_IN_USE
The following query examples may be helpful to identify relevant processes before muting them:
Filter by Java version
This example shows how to filter out processes of a security problem with a Java version < 9.
Steps to reproduce:
- Get all security problems
- For each: Get a list of "affectedEntities" (processes)
- For each: Get entity (process) property "softwareTechnologies" and filter by version ("type"="JAVA")
...
"softwareTechnologies": [
{
"type": "JAVA"
},
{
"type": "JAVA",
"edition": "OpenJDK",
"version": "1.8.0_312"
},
...
Related Python script: https://github.com/robinwyss/spring4shell-dynatrace-export
Filter by third-party library data
This example shows how to identify processes with a certain third-party library package name or version.
Step to reproduce: Get entities using
- "entitySelector" type(SOFTWARE_COMPONENT), softwareComponentType(JAVA) and your specific criteria e.g. packageName(org.springframework.boot:spring-boot), softwareComponentFileName(spring-boot-1.5.12.RELEASE.jar), or softwareComponentShortName(spring-boot),
and response "fields" fromRelationships.isSoftwareComponentOfPgi to retrieve affected processes.
- previously identified Process Group Instances and response "fields" fromRelationships.isInstanceOf to retrieve affected Process Groups required for remediation.
Notes:
Request 1:
GET /api/v2/entities?entitySelector=type(SOFTWARE_COMPONENT),softwareComponentType(JAVA),packageName(org.springframework.boot:spring-boot)&fields=properties.packageName,properties.softwareComponentFileName,properties.softwareComponentShortName,properties.softwareComponentType,fromRelationships.isSoftwareComponentOfPgi
Response:
...
"entities": [
{
"entityId": "SOFTWARE_COMPONENT-x",
"displayName": "org.springframework.boot:spring-boot:1.5.12.RELEASE",
"properties": {
"softwareComponentFileName": "spring-boot-1.5.12.RELEASE.jar",
"softwareComponentType": "JAVA",
"softwareComponentShortName": "spring-boot",
"packageName": "org.springframework.boot:spring-boot"
},
"fromRelationships": {
"isSoftwareComponentOfPgi": [
{
"id": "PROCESS_GROUP_INSTANCE-x",
"type": "PROCESS_GROUP_INSTANCE"
},
{
"id": "PROCESS_GROUP_INSTANCE-x",
"type": "PROCESS_GROUP_INSTANCE"
}
]
}
}
]
...
Request 2:
GET /api/v2/entities/PROCESS_GROUP_INSTANCE-x?fields=fromRelationships.isInstanceOf
Response:
{
"entityId": "PROCESS_GROUP_INSTANCE-x",
"type": "PROCESS_GROUP_INSTANCE",
"displayName": "NAME",
"fromRelationships": {
"isInstanceOf": [
{
"id": "PROCESS_GROUP-x",
"type": "PROCESS_GROUP"
}
]
}
}
