XRAY: How to Determine How Many Vulnerabilities There Are in a Given Artifact

Author: Joey Naor
Article number: 000004853
Source: Salesforce
First published: 2020-07-29T06:16:09Z
Last modified: 2021-02-18
Version: 8
JFrog encourages the practice of DevSecOps, which keeps you focused on gathering as much information as possible about your artifacts and their components. In certain scenarios you will need to know precisely how many vulnerabilities a specific artifact contains and what their respective severity levels are. To do this automatically, let's look at an example of a vulnerable Docker image that contains 47 high-severity and 89 medium-severity vulnerabilities.

Prerequisites:
With your setup in place, you can now generate a fully-detailed list of all of the vulnerabilities within the indexed artifact. To do that, use the Artifact Summary Xray REST API call:
$ curl -uadmin -XPOST -H "Content-type: application/json" https://<Xray-host>:8000/api/v1/summary/artifact -d @artifact-digest.json

In artifact-digest.json, you'll want to enter the checksum of the artifact. In this case, as a Docker image is being scanned, you'll need the SHA-1 digest of the manifest.json file within the Docker image. The checksum can be found in your Artifactory UI.
artifact-digest.json:

{
  "checksums": [
    "dcea05bc0348712d9cf5b502df5fe7884bd20fd3"
  ]
}

The cURL request above returns a JSON-formatted report that includes all the vulnerabilities found in the artifact. However, because this report is returned as one long line, it is difficult to read. To overcome this, you can pretty-print the JSON output with the Python module json.tool:
$ curl -uadmin -XPOST -H "Content-type: application/json" https://<Xray-host>:8000/api/v1/summary/artifact -d @artifact-digest.json | python -m json.tool > out.json

As can be seen in the cURL command above, the one-line JSON output is piped to the Python module, and the easier-to-read result is saved to out.json.

Now you have an indented, multiline JSON file that contains a list of all vulnerabilities. The last thing to do is count the number of lines on which "severity": "High" appears, using grep together with the wc Linux command:
$ cat out.json | grep "\"severity\": \"High\"" | wc -l
      47

And the same goes for "Medium" severities:
$ cat out.json | grep "\"severity\": \"Medium\"" | wc -l
      89

The commands above can be built into a single script that automatically reports the number of vulnerabilities in an artifact that has been indexed by Xray.
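One way to build that script, as an added example that is not the article's own code: a Python version that parses the summary JSON instead of grepping the pretty-printed lines, so the count does not depend on json.tool's line layout and can be filtered by issue type. It assumes the response shape artifacts[].issues[] with issue_type and severity fields plus a top-level errors list; the sample response below is constructed.

```python
import json
from collections import Counter

# Constructed sample in the assumed shape of an Xray Artifact Summary
# response (artifacts[] -> issues[] -> severity), trimmed to the fields used.
SAMPLE_SUMMARY = """
{
  "artifacts": [
    {
      "general": {"name": "myapp/manifest.json", "sha256": "placeholder"},
      "issues": [
        {"issue_type": "security", "severity": "High",   "summary": "CVE-PLACEHOLDER-1"},
        {"issue_type": "security", "severity": "High",   "summary": "CVE-PLACEHOLDER-2"},
        {"issue_type": "security", "severity": "Medium", "summary": "CVE-PLACEHOLDER-3"},
        {"issue_type": "security", "severity": "Low",    "summary": "CVE-PLACEHOLDER-4"},
        {"issue_type": "license",  "severity": "High",   "summary": "constructed license issue"}
      ]
    }
  ],
  "errors": []
}
"""


def count_by_severity(summary, issue_type="security"):
    """Return a Counter of severity -> number of issues across all artifacts.

    Only issues whose issue_type matches are counted; a line-based grep for
    "severity": "High" would also count non-security issues that carry a
    severity field. Issues without an issue_type are treated as matching.
    """
    counts = Counter()
    for artifact in summary.get("artifacts", []):
        for issue in artifact.get("issues", []):
            if issue.get("issue_type", issue_type) != issue_type:
                continue
            counts[issue.get("severity", "Unknown")] += 1
    return counts


def severity_report(raw_json, issue_type="security"):
    """Parse the raw API body (the single-line curl output) and count it."""
    summary = json.loads(raw_json)
    if summary.get("errors"):  # assumed: non-empty when a checksum is unknown
        raise RuntimeError(f"Xray returned errors: {summary['errors']}")
    return count_by_severity(summary, issue_type)


if __name__ == "__main__":
    # In practice, pass the body returned by the curl call from the article.
    for severity, n in sorted(severity_report(SAMPLE_SUMMARY).items()):
        print(f"{severity}: {n}")
```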