Description: Gets the Xray violations based on a set of search criteria
Security: Requires a user with Read permissions.
Notes: Starting from Xray version 3.42.3, JFrog Security CVE Research and Enrichment data is supported. Important notes:
The following fields are markdown texts
short_description
full_description
remediation
Extended information fields will not appear to Free Tier users.
Usage: POST /api/v1/violations
Consumes: application/json
Sample usage (all of the filter fields are optional):
POST /api/v1/violations
{
"filters": {
"name_contains": "Denial of service attack",
"violation_type": "Security",
"watch_name": "watch",
"min_severity": "Medium",
"created_from": "2018-06-06T12:22:16+03:00"
},
"pagination": {
"order_by": "updated",
"limit": 25,
"offset": 1
}
}
Operational Risk Sample Request
POST /api/v1/violations
{
"filters": {
"violation_type": "Operational_Risk",
"watch_name": "watch",
"min_severity": "Medium",
},
"pagination": {
"order_by": "updated",
"limit": 25,
"offset": 1
}
}Sample response:
{
"total_violations": 295,
"violations": [
{
"description": "Amazon Digital Services License",
"severity": "High",
"type": "License",
"infected_component": [
"generic://sha256:72daef35b54f95a97e7da5ae2dd7cccecc71183788656083f35fdf6e0ca5a24f/opkg-4.3.54.jar"
],
"created": "2018-05-29T17:30:49+03:00",
"watch_name": "watch_license",
"issue_id": "ADSL",
"violation_details_url": "localhost:8000/api/v1/violations?watch_id=5b163b41ab1bdddbb2e16492&issue_id=XRAY-60763",
"impacted_artifacts": [
"arti1/libs-release-local/jfrog-artifactory-pro-5.9.0.zip"
]
},
{
"description": "If a user of Commons-Email (typically an application programmer) passes unvalidated input as the so-called \"Bounce Address\", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated.",
"severity": "Low",
"type": "Security",
"infected_component": [
"gav://org.apache.commons:commons-email:1.1"
],
"created": "2018-06-06T12:21:18+03:00",
"watch_name": "all",
"issue_id": "XRAY-60829",
"violation_details_url": "localhost:8000/api/v1/violations?watch_id=5b163b41ab1bdddbb2e16492&issue_id=XRAY-60829",
"impacted_artifacts": [
"arti1/libs-release-local/jfrog-artifactory-pro-5.9.0.zip"
]
}
]
}CVE Research and Enrichment Sample Response
{
"total_violations": 1,
"violations": [{
"description": "urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.",
"severity": "Critical",
"type": "Security",
"infected_components": [
"pypi://urllib3:1.22"
],
"created": "2021-11-30T06:40:10+02:00",
"watch_name": "MyFirstWatch",
"issue_id": "XRAY-74787",
"violation_details_url": "http://localhost:8046/xray/api/v1/violations?watch_id=7c64876c5e206011ed08ce25&issue_id=XRAY-74787&comp_id=build:%2F%2Fexample-build:3.10.0",
"impacted_artifacts": [
"default/builds/example-build"
],
"extended_information": {
"short_description": "An information leak in urllib3 can lead to authentication bypass via leaked HTTP authorization client credentials",
"full_description": "urllib3 does not remove the `Authorization` HTTP header when following redirects (even cross-origin redirects, that differ in host, port, or scheme)\r\n\r\nThis issue can be exploited when a client is using `urllib3` and the following conditions apply:\r\n1. The client uses some kind of HTTP authorization (`Basic`, `Digest`, etc.)\r\n2. The client initially contacts an HTTPS server\r\n3. The HTTPS server redirects the client to a non-HTTP server\r\n4. The attacker can sniff the data between the client and the HTTP server (possibly by using a MitM attack)\r\n\r\nThe issue is not relevant if the client originally contacts an HTTP server, since the `Authorization` header can be sniffed by an attacker from the original connection, regardless of this CVE.\r\n\r\nRed Hat also updated the original CVSS analysis, which was downgraded to [7.5](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)",
"jfrog_research_severity": "Medium",
"jfrog_research_severity_reasons": [
{
"name": "The CVE can be remotely exploited",
"is_positive": false
},
{
"name": "The CVE has a published technical writeup",
"is_positive": false
},
{
"name": "The CVE has no exploit published",
"is_positive": true
},
{
"name": "The CVE has difficult prerequisites for exploitation",
"description": "See CVE details for more information",
"is_positive": true
},
{
"name": "The initial CVSS was disputed by Red Hat, and downgraded to 7.5",
"is_positive": true
}
]
}
}
]
}Operational Risk Sample Response
{
"total_violations": 1,
"violations": [
{
"description": "Number of new versions and Version Age",
"severity": "High",
"type": "Operational_Risk",
"infected_components": [
"gav://joda-time:joda-time:2.9.9"
],
"created": "2022-03-24T14:54:42+02:00",
"watch_name": "OpRiskWatch",
"issue_id": "1ea7a8e0904b4a6c1a837e8ab437e0892dd00ad203814f3b9edfd2a3d8be3b88",
"violation_details_url": "http://test.jfrog.io/xray/api/v1/violations?watch_id=8d5a6d7364154c5c2455993a&issue_id=1ea7a8e0904b4a6c1a837e8ab437e0892dd00ad203814f3b9edfd2a3d8be3b88&comp_id=gav:%2F%2Forg.jruby:jruby-complete:9.2.0.0",
"impacted_artifacts": [
"default/generic-local/jruby-complete-9.2.0.0.jar"
],
"applicability": null
}
]
} Exposures Violations Sample Response
{
"total_violations": 1,
"violations": [
{
"description": "Number of new versions and Version Age",
"severity": "High",
"type": "Operational_Risk",
"infected_components": [
"gav://joda-time:joda-time:2.9.9"
],
"created": "2022-03-24T14:54:42+02:00",
"watch_name": "OpRiskWatch",
"issue_id": "1ea7a8e0904b4a6c1a837e8ab437e0892dd00ad203814f3b9edfd2a3d8be3b88",
"violation_details_url": "http://test.jfrog.io/xray/api/v1/violations?watch_id=8d5a6d7364154c5c2455993a&issue_id=1ea7a8e0904b4a6c1a837e8ab437e0892dd00ad203814f3b9edfd2a3d8be3b88&comp_id=gav:%2F%2Forg.jruby:jruby-complete:9.2.0.0",
"impacted_artifacts": [
"default/generic-local/jruby-complete-9.2.0.0.jar"
],
"applicability": null
}
]
}