Build Summary

JFrog REST APIs

Description: Provides a summary (issues, licenses and operational risks) of the build specified by its build identifier (build name + build number)

Security: Requires a valid user with "Read" permission

Notes: Starting from Xray version 3.42.3, JFrog Security CVE Research and Enrichment data is supported; it is returned in the extended_information object of each issue. Important notes:

  • The following fields contain Markdown text:

    • short_description

    • full_description

    • remediation

  • The extended_information fields are not returned for Free Tier users.

Usage: GET /summary/build?build_name=<build name>&build_number=<build number>

Produces: application/json

{
  "artifacts": [
    {
      "general": {
        "component_id": "",
        "name": "",
        "path": "",
        "pkg_type": "",
        "sha256": ""
      },
      "issues": [
        {
          "created": "",
          "description": "",
          "impact_path": [
            {}
          ],
          "issue_type": "",
          "provider": "",
          "severity": "",
          "summary": ""
        }
      ],
      "licenses": [
        {
          "components": [
            ""
          ],
          "full_name": "",
          "more_info_url": [
            ""
          ],
          "name": ""
        }
      ]
    }
  ],
  "errors": [
    {
      "error": "",
      "identifier": ""
    }
  ]
}

CVE Research and Enrichment Sample Response

{
    "build": {
        "name": "example_build",
        "component_id": "example_build:1.0.0",
        "pkg_type": "Build",
        "path": "default/builds/example_build",
        "sha256": "ff55b68d5f507aeaa2253f9506fd9ea847cbb29e1858edfe67d9153650698b12"
    },
    "issues": [{
            "issue_id": "XRAY-95701",
            "summary": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.",
            "description": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.",
            "issue_type": "security",
            "severity": "Critical",
            "provider": "JFrog",
            "cves": [
                {
                    "cve": "CVE-2020-1747",
                    "cwe": [
                        "CWE-20"
                    ],
                    "cvss_v2": "10.0/CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C",
                    "cvss_v3": "9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                }
            ],
            "created": "2020-03-25T00:00:00.669Z",
            "impact_path": [
                "default/builds/example_build/example/latest/sha256__4918dff128ffe9fdb453e4c25c904c6c1bcbec34da8bcaa9921b154f4c891e2e.tar.gz/root/.cache/pip/wheels/ab/da/46/2f3778bfc6d5ec360917e3eeff42bade7d0497ad6879b1c05c/PyYAML-3.10-cp36-cp36m-linux_x86_64.whl"
            ],
            "extended_information": {
                "short_description": "Insufficient input validation in the PyYAML library allows unauthenticated network attackers to perform code execution when parsing a crafted YAML file.",
                "full_description": "The [PyYAML](https://pypi.org/project/PyYAML/) library is a Python YAML parser, and it is widely used in connected devices. \r\n\r\nAttackers can trigger the exploit by supplying a crafted YAML file to the `full_load` method or a `load` method that uses `Loader=FullLoader` (which is the default). A public [Exploit (PoC)](https://gist.github.com/adamczi/23a3b6d4bb7b2be35e79b0667d6682e1) exists which demonstrates remote code execution, making this vulnerability likely to be exploited in practice.\r\n\r\nThe library implementation has a [prototype pollution](https://shieldfy.io/security-wiki/prototype-pollution/introduction-to-prototype-pollution/) issue in the `construct_python_object_apply()` function in the `lib/yaml/constructor.py` module, used by the `full_load()` method and the `FullLoader` loader. This allows an attacker to create a property for an object created from the loaded file. The constructor does not check the attribute for conflicts; for example, it is possible to create an `extend` attribute when an `extend` method already exists in an object. This can be exploited to replace the `extend` method with the insecure `yaml.unsafe_load()` function, which is later invoked by `construct_python_object_apply()` and executes a malicious YAML payload. \r\n\r\nThe [official solution]() provides a blacklist of properties and attributes that cannot be redefined, such as the `extend` method and all special methods (`__set__`, `__setitem__`, etc.). In addition, the `README` file is updated with a request to use the `safe_load()` function and `SafeLoader` loader for all untrusted input. It is still possible to use the `UnsafeLoader`, and the fix does not completely solve the problem, as shown by the later CVE-2020-14343.\r\n\r\nThe vulnerability was discovered by [Riccardo Schirone](https://github.com/ret2libc).",
                "jfrog_research_severity": "Critical",
                "jfrog_research_severity_reasons": [
                    {
                        "name": "The CVE can be remotely exploited",
                        "is_positive": false
                    },
                    {
                        "name": "The CVE has an exploit published",
                        "is_positive": false
                    },
                    {
                        "name": "The CVE has reasonable prerequisites for exploitation",
                        "is_positive": false
                    },
                    {
                        "name": "The CVE results in severe effects",
                        "is_positive": false
                    }
                ],
                "remediation": "##### Development upgrade\n\n- Upgrade the component to any of the suggested fixed versions.\n\n##### Development mitigations\n\n* Apply the official [patch](https://github.com/yaml/pyyaml/pull/386/commits/6f675f711a807af61233355c6d127a3a2e412dbe). This is not recommended, as this version can still have other vulnerabilities.\n\n##### Deployment mitigations \n\n* Use `yaml.safe_load()` or the `SafeLoader` loader for all inputs."
            }
        }],
    "licenses": [
        {
            "name": "Unknown",
            "full_name": "Unknown license",
            "more_info_url": [
                "Unknown link"
            ],
            "components": [
                "deb://ubuntu:bionic:grep:3.1-2build1",
                "deb://ubuntu:bionic:passwd:1:4.5-1ubuntu2"
            ]
        }
    ],
    "errors": []
}

Component Physical Path Sample Response

{
    "build": {
        "name": "proj-docker-build",
        "component_id": "[proj-build-info]/proj-docker-build:14",
        "pkg_type": "Build",
        "path": "default/proj-build-info/proj-docker-build",
        "sha256": "1515db44689ca12c77c1b846c562fcaa40c26a5cc96153776752c96de01ea2f7"
    },
    "issues": [
        {
            "issue_id": "XRAY-79479",
            "summary": "In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.",
            "description": "In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.",
            "issue_type": "security",
            "severity": "High",
            "provider": "JFrog",
            "cves": [
                {
                    "cve": "CVE-2019-0222",
                    "cwe": [
                        "CWE-94"
                    ],
                    "cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
                    "cvss_v3": "7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                }
            ],
            "created": "2019-03-31T00:00:00.273Z",
            "impact_path": [
                "default/proj-build-info/proj-docker-build/bill.jar/META-INF/maven/org.fusesource.mqtt-client/mqtt-client/pom.xml",
                "default/proj-build-info/proj-docker-build/bill.jar/META-INF/maven/org.apache.activemq/activemq-mqtt/pom.xml"
            ],
            "components": [
                {
                    "component_id": "org.fusesource.mqtt-client:mqtt-client",
                    "fixed_versions": [
                        "[1.15]"
                    ]
                },
                {
                    "component_id": "org.apache.activemq:activemq-mqtt",
                    "fixed_versions": [
                        "[5.15.9]"
                    ]
                }
            ],
            "component_physical_paths": [
                "bill.jar/META-INF/maven/org.fusesource.mqtt-client/mqtt-client/pom.xml",
                "bill.jar/META-INF/maven/org.apache.activemq/activemq-mqtt/pom.xml"
            ]
        }
    ],
    "errors": []
}

Operational Risk Sample Response

{
  "build": {
    "name": "test",
    "component_id": "test:2",
    "pkg_type": "Build",
    "path": "default/builds/test",
    "sha256": "c9c5b7926184065a8cdabe1e2f28e52b269d4a50adb6b24f84c0dc9211530506"
  },
  "issues": [],
  "licenses": [],
  "operational_risks": [
    {
      "component_id": "gav://org.datanucleus:datanucleus-core:3.0.4",
      "risk": "High",
      "risk_reason": "Health",
      "is_eol": null,
      "eol_message": "",
      "latest_version": "6.0.0-m4",
      "newer_versions": 120,
      "cadence": 1,
      "commits": null,
      "committers": null,
      "released": "2012-12-12T20:02:00Z"
    }
  ],
  "errors": []
}

Response Codes:

200: Obtained artifact build summary

400: Missing build name or build number
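The following client is an added example and is not JFrog's own code. It builds the request URL (refusing to send one that would earn the 400 above), issues the GET with a Bearer token, and triages the response using only the fields shown in the sample responses on this page: CVEs and fixed versions per issue, the research severity and "exploit published" flag from extended_information (absent for Free Tier users), the operational_risks list, and the per-artifact errors[] that can accompany a 200. The base URL, the token, and the SAMPLE response at the bottom are placeholders constructed for the example.

```python
"""Added example, not JFrog's client code: query the Xray Build Summary endpoint and triage it.
Assumes a placeholder Xray base URL and Bearer token; reads only fields shown in the doc's samples."""
import json
import urllib.parse
import urllib.request

XRAY_BASE = "https://xray.example.com/xray/api/v1"   # placeholder base URL (assumption)
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
EXPLOIT_REASON = "The CVE has an exploit published"   # reason name as it appears in the sample


def build_summary_url(base, build_name, build_number):
    """Both query parameters are mandatory (the API answers 400 otherwise), so fail locally first."""
    if not build_name or build_number in (None, ""):
        raise ValueError("build_name and build_number are both required")
    query = urllib.parse.urlencode({"build_name": build_name, "build_number": str(build_number)})
    return f"{base.rstrip('/')}/summary/build?{query}"


def fetch_build_summary(base, token, build_name, build_number):
    """Issue the GET (network call; the offline sample below does not exercise it)."""
    req = urllib.request.Request(
        build_summary_url(base, build_name, build_number),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage(summary, min_severity="High"):
    """One record per CVE at or above min_severity, with fixed versions, impact paths and
    (when the account is not Free Tier) the JFrog research severity and exploit flag."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for issue in summary.get("issues", []):
        if issue.get("issue_type") != "security":
            continue
        severity = issue.get("severity", "Unknown")
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue
        ext = issue.get("extended_information")            # absent for Free Tier users
        reasons = ext.get("jfrog_research_severity_reasons", []) if ext else []
        fixes = {c["component_id"]: c.get("fixed_versions", []) for c in issue.get("components", [])}
        for cve in issue.get("cves") or [{}]:               # keep issues that carry no CVE id
            findings.append({
                "issue_id": issue.get("issue_id"),
                "cve": cve.get("cve"),
                "severity": severity,
                "research_severity": ext.get("jfrog_research_severity") if ext else None,
                "exploit_published": any(r.get("name") == EXPLOIT_REASON and not r.get("is_positive")
                                         for r in reasons),
                "fixed_versions": fixes,
                "impact_paths": issue.get("impact_path", []),
            })
    findings.sort(key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))
    return findings


def risky_components(summary, min_risk="High"):
    """Component ids from operational_risks that are EOL or whose risk is at least min_risk."""
    threshold = SEVERITY_RANK[min_risk]
    return [r["component_id"] for r in summary.get("operational_risks", [])
            if r.get("is_eol") or SEVERITY_RANK.get(r.get("risk"), 0) >= threshold]


def failed_identifiers(summary):
    """errors[] reports per-artifact failures alongside a 200, so a clean status is not enough."""
    return {e["identifier"]: e["error"] for e in summary.get("errors", [])}


# Constructed sample, trimmed from the responses shown on this page (XRAY-00000 and the error are made up).
SAMPLE = {
    "build": {"name": "example_build", "component_id": "example_build:1.0.0", "pkg_type": "Build"},
    "issues": [
        {"issue_id": "XRAY-95701", "issue_type": "security", "severity": "Critical", "provider": "JFrog",
         "cves": [{"cve": "CVE-2020-1747", "cwe": ["CWE-20"]}],
         "impact_path": ["default/builds/example_build/example/latest/PyYAML-3.10-cp36-cp36m-linux_x86_64.whl"],
         "extended_information": {"jfrog_research_severity": "Critical",
                                  "jfrog_research_severity_reasons": [{"name": EXPLOIT_REASON, "is_positive": False}]}},
        {"issue_id": "XRAY-79479", "issue_type": "security", "severity": "High", "provider": "JFrog",
         "cves": [{"cve": "CVE-2019-0222", "cwe": ["CWE-94"]}],
         "impact_path": ["default/proj-build-info/proj-docker-build/bill.jar/META-INF/maven/org.apache.activemq/activemq-mqtt/pom.xml"],
         "components": [{"component_id": "org.apache.activemq:activemq-mqtt", "fixed_versions": ["[5.15.9]"]}]},
        {"issue_id": "XRAY-00000", "issue_type": "security", "severity": "Low", "provider": "JFrog", "cves": []},
    ],
    "licenses": [],
    "operational_risks": [{"component_id": "gav://org.datanucleus:datanucleus-core:3.0.4", "risk": "High",
                           "risk_reason": "Health", "is_eol": None, "newer_versions": 120}],
    "errors": [{"identifier": "default/builds/example_build/missing.tar.gz", "error": "artifact not indexed"}],
}

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["severity"], f["cve"], f["issue_id"], "exploit:", f["exploit_published"], f["fixed_versions"])
    print("operational risk:", risky_components(SAMPLE))
    print("errors:", failed_identifiers(SAMPLE))
```

Replace SAMPLE with the result of fetch_build_summary(XRAY_BASE, token, name, number) to run it against a live instance; the user behind the token needs "Read" permission on the build, as noted above. Treat short_description, full_description and remediation as untrusted Markdown if you render them in a UI.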