Artifact Summary

JFrog REST APIs


Description: Provides details about any artifact specified by path identifiers or checksum.

Notes:

  • Supported checksums are SHA-256 and SHA-1.

  • Starting from Xray version 3.42.3, JFrog Security CVE Research and Enrichment data is supported (see JFrog Security CVE Research and Enrichment). Important notes:

    • The following fields are Markdown text:

      • short_description

      • full_description

      • remediation

    • Extended information fields are not returned to Free Tier users.

Security: Requires a valid user with "Read" permission.

Usage: POST /summary/artifact

Consumes: application/json

Artifactory ID

The artifactory_id parameter is no longer required in Xray version 3.x; if supplied (including as part of a path), it is ignored.

{
  "checksums": [
    ""
  ],
  "paths": [
    ""
  ]
}

Produces: application/json

{
  "artifacts": [
    {
      "general": {
        "component_id": "",
        "name": "",
        "path": "",
        "pkg_type": "",
        "sha256": ""
      },
      "issues": [
        {
          "created": "",
          "description": "",
          "impact_path": [
            {}
          ],
          "issue_type": "",
          "provider": "",
          "severity": "",
          "summary": ""
        }
      ],
      "licenses": [
        {
          "components": [
            "sets.SetInterface"
          ],
          "full_name": "",
          "more_info_url": [
            ""
          ],
          "name": ""
        }
      ]
    }
  ],
  "errors": [
    {
      "error": "",
      "identifier": ""
    }
  ]
}

Sample Usage:

POST /summary/artifact
{
    "checksums":["d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2"]
}
  
Response
{
  "artifacts": [
    {
      "general": {
        "name": "artifactory-pro.zip",
        "path": "art2/ext-release-local/",
        "pkg_type": "Generic",
        "sha256": "d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2",
        "component_id": "gav://org.artifactory.pro:artifactory-pro-war:4.14.0"
      },
      "issues": [
        {
          "summary": "FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories",
          "description": "this is the description of the issue",
          "issue_type": "security",
          "severity": "Medium",
          "provider": "JFrog",
          "created": "2016-10-26T11:15:51.17Z",
          "impact_path": [
            "xray-artifactory/maven-1000/com/atlassian/aui/auiplugin/0.0.5-9-0-snapshot-035-do-not-use/Jinja2-2.7.2"
          ]
        }
      ],
      "licenses": [
        {
          "name": "MIT",
          "full_name": "The MIT License",
          "more_info_url": "https://opensource.org/licenses/MIT",
          "components": [
            "some-component-1",
            "some-component-2",
            "some-component-3"
          ]
        },
        {
          "name": "AGPL-3.0",
          "full_name": "GNU AFFERO GENERAL PUBLIC LICENSE, Version 3",
          "more_info_url": "https://opensource.org/licenses/AGPL-3.0",
          "components": [
            "some-component-4",
            "some-component-5"
          ]
        },
        {
          "name": "unknown",
          "components": [
            "some-component-6",
            "some-component-7"
          ]
        }
      ]
    }
  ],
  "errors": [
    {
      "identifier": "4e39f19212597312ee02db873847bcb12c17cc639898bd2fd9b6a4aff16690e5",
      "error": "Artifact doesn't exist or not indexed in Xray"
    }
  ]
}

CVE Research and Enrichment Sample Response

{
    "artifacts": [
        {
            "general": {
                "name": "example_app:latest",
                "component_id": "example_app:latest",
                "pkg_type": "Docker",
                "path": "default/docker_containers/example/latest/",
                "sha256": "063a3067cb61add7ad3280bcccccea3c4efe4f16cf2beef27900f8045e3a0"
            },
            "issues": [
                {
                    "issue_id": "XRAY-97724",
                    "summary": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
                    "description": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
                    "issue_type": "security",
                    "severity": "High",
                    "provider": "JFrog",
                    "cves": [
                        {
                            "cve": "CVE-2018-20225",
                            "cwe": [
                                "CWE-20"
                            ],
                            "cvss_v2": "6.8/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P",
                            "cvss_v3": "7.8/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
                        }
                    ],
                    "created": "2020-05-11T00:00:00.784Z",
                    "impact_path": [
                        "default/docker_containers/example/latest/sha256__063a3067cb61add7ad3280bcccccea3c4efe4f16cf2beef27900f8045e3a0.tar.gz/pip:9.0.1"
                    ],
                    "extended_information": {
                        "short_description": "pip could download private packages from a public PyPI repository leading to code execution",
                        "full_description": "This vulnerability has been disputed by the maintainers of pip as the described behavior, while potentially insecure, is the intended one. If pip is executed with the `--extra-index-url` when using a private PyPI repository, an attacker could cause pip to download a private package (for example one named `private_package`) by adding a package with the same name (`private_package`) in the public PyPI repository. This would lead to remote code execution as pip will download the public package that could contain malicious code. This is similar to the dependency confusion attack from 2021 by Alex Birsan. However, this isn't considered a vulnerability in itself in pip, and there is no plan to patch or change it.",
                        "jfrog_research_severity": "Medium",
                        "jfrog_research_severity_reasons": [
                            {
                                "name": "The CVE can't be remotely exploited",
                                "is_positive": true
                            },
                            {
                                "name": "This CVE has been disputed by the vendor",
                                "description": "Pip maintainers, and others such as [RHEL](https://access.redhat.com/security/cve/cve-2018-20225) do not consider this a vulnerability as it is the intended behaviour",
                                "is_positive": true
                            },
                            {
                                "name": "The CVE was marked as unimportant by the [Debian tracker](https://security-tracker.debian.org/tracker/CVE-2018-20225)",
                                "is_positive": true
                            }
                        ],
                        "remediation": "##### Deployment mitigations\r\n\r\nDo not use the `--extra-index-url` flag with pip and consider using version pinning for deployments."
                    }
                }
            ],
            "licenses": [
                {
                    "name": "Unknown",
                    "full_name": "Unknown license",
                    "more_info_url": [
                        "Unknown link"
                    ],
                    "components": [
                        "deb://ubuntu:bionic:perl-base:5.26.1-6ubuntu0.5",
                        "deb://ubuntu:bionic:libss2:1.44.1-1ubuntu1.3"
                    ]
                }
            ]
        }
    ]
}

Component Physical Path Sample Response

{
    "artifacts": [
        {
            "general": {
                "name": "artifactory-pro:7.29.80",
                "component_id": "artifactory-pro:7.29.80",
                "pkg_type": "Docker",
                "path": "default/docker-local-a/artifactory-pro/7.29.80/",
                "sha256": "4704b659a183fecc786783e826537978249f2dd2d6665b434340dc7cc75016a9"
            },
            "issues": [
                {
                    "issue_id": "XRAY-191997",
                    "summary": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.",
                    "description": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.",
                    "issue_type": "security",
                    "severity": "Medium",
                    "provider": "JFrog",
                    "cves": [
                        {
                            "cve": "CVE-2021-28170",
                            "cwe": [
                                "CWE-20"
                            ],
                            "cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N",
                            "cvss_v3": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
                        }
                    ],
                    "created": "2021-12-14T00:00:00.537Z",
                    "impact_path": [
                        "default/docker-local-b/artifactory-pro/7.29.80/sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/artifactory/tomcat/webapps/artifactory.war/WEB-INF/lib/jakarta.el-3.0.3.jar",
                        "default/docker-local-b/artifactory-pro/7.29.80/sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/misc/tomcat/mc.war/WEB-INF/lib/jakarta.el-3.0.3.jar"
                    ],
                    "component_physical_paths": [
                        "sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/artifactory/tomcat/webapps/artifactory.war/WEB-INF/lib/jakarta.el-3.0.3.jar",
                        "sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/misc/tomcat/mc.war/WEB-INF/lib/jakarta.el-3.0.3.jar"
                    ]
                }
            ]
        }
    ]
}

Operational Risk Sample Response

{
  "artifacts": [
    {

      "general": {

        "name": "datanucleus-core-3.0.4.jar",
        "component_id": "org.datanucleus:datanucleus-core:3.0.4",
        "pkg_type": "Maven",
        "path": "default/generic-local/datanucleus-core-3.0.4.jar",
        "sha256": "5a30df15b3de7c0c349c76e33c12d3f5142a92e81e3fe827e723ba13c662de92"
      },
      "issues": [],
      "licenses": [],
      "operational_risks": [

        {

          "component_id": "gav://org.datanucleus:datanucleus-core:3.0.4",
          "risk": "High",
          "risk_reason": "Health",
          "is_eol": null,
          "eol_message": "",
          "latest_version": "6.0.0-m4",
          "newer_versions": 120,
          "cadence": 1,
          "commits": null,
          "committers": null,
          "released": "2012-12-12T20:02:00Z"
        }
      ]
    }
  ]
}

Response Codes:

200: Obtained artifact summary

415: Failed to parse JSON