Scan Build V2

JFrog REST APIs


Description: Invokes scanning of a build that was uploaded to Artifactory as requested by a CI server.

Security: Requires the "Manage Xray Metadata" role to be set on the User or Group level.

Notes: Starting from Xray version 3.42.3, JFrog Security CVE Research and Enrichment data is supported (returned in the `extended_information` object shown in the samples below). Important notes:

  • The following fields contain Markdown text. They are third-party supplied content, so render them through a sanitizing Markdown renderer (or escape them) rather than inserting them into HTML unescaped:

    • short_description

    • full_description

    • remediation

  • The `extended_information` fields are not returned for Free Tier users; clients should treat that object as optional (it is absent from the first sample response below).

Usage: POST /api/v2/ci/build (invokes the scanning of a build)

GET /api/v2/ci/build/{build_name}/{build_number}[?include_vulnerabilities={true|false}] (Gets the build scan results)

Consumes: application/json

Produces: */* (wildcard; the sample responses below are JSON)

Sample Request

{
 "build_name": "my-build",
 "build_number": "8"
}

Sample Response

{
 "info": "Scan of build name 'my-build', build number '8' is in progress"
}

Sample Response

{
    "build_name": "mybuild",
    "build_number": "4",
    "project": "ecosys",
    "status": "completed",
    "more_details_url": "http://localhost:8046/xray/ui/builds/mybuild/4/1641386839295/xrayData?buildRepo=ecosys-build-info&projectKey=ecosys",
    "fail_build": false,
    "violations": [],
    "vulnerabilities": [
        {
            "cves": [
                {
                    "cvss_v2_score": "10.0",
                    "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C",
                    "cvss_v3_score": "9.8",
                    "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                }
            ],
            "summary": "Netty codec/src/main/java/io/netty/handler/codec/compression/Lz4FrameEncoder.java Lz4FrameEncoder::finishEncode() Function Buffer Overflow",
            "severity": "Critical",
            "components": {
                "gav://io.netty:netty-codec:4.1.53.Final": {
                    "package_name": "io.netty:netty-codec",
                    "package_version": "4.1.53.Final",
                    "package_type": "maven",
                    "fixed_versions": [
                        "[4.1.66.Final]"
                    ],
                    "infected_versions": [
                        "(,4.1.66.Final)"
                    ],
                    "impact_paths": [
                        [
                            {
                                "component_id": "build://[ecosys-build-info]/mybuild:4"
                            },
                            {
                                "component_id": "generic://sha256:97c77dd8ef40cbdb5fdaff24f8853101a5db6fa819d16966d251c972c543b507/bill.jar"
                            },
                            {
                                "component_id": "gav://io.netty:netty-codec:4.1.53.Final"
                            }
                        ]
                    ]
                }
            },
            "issue_id": "XRAY-179837",
            "references": [
                "https://netty.io/news/2021/07/16/4-1-66-Final.html",
                "https://github.com/netty/netty/pull/11429",
                "https://github.com/netty/netty/commit/194a81ff4f0304d928bbcfd57ff3e961e12ac8d4"
            ],
            "is_high_profile": false,
            "provider": "JFrog",
            "edited": "2022-01-05T11:20:26Z"
        }
    ]
}

Build in Project Scope Sample Response

{
 "build_name": "my-build",
 "build_number": "14",
 "project": "projA"
}

CVE Research and Enrichment Sample Response

{
    "build_name": "mybuild",
    "build_number": "4",
    "project": "proj",
    "status": "completed",
    "more_details_url": "http://localhost:8046/xray/ui/builds/mybuild/4/1641386839295/xrayData?buildRepo=ecosys-build-info&projectKey=proj",
    "fail_build": true,
    "violations": [
        {
            "cves": [
                {
                    "cve": "CVE-2021-43618",
                    "cvss_v2_score": "5.0",
                    "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
                    "cvss_v3_score": "7.5",
                    "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                }
            ],
            "summary": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.",
            "severity": "Low",
            "components": {
                "deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4": {
                    "package_name": "ubuntu:focal:libgmp10",
                    "package_version": "2:6.2.0+dfsg-4",
                    "package_type": "debian",
                    "impact_paths": [
                        [
                            {
                                "component_id": "build://[proj-build-info]/proj-docker-build:8"
                            },
                            {
                                "component_id": "docker://ubuntu:4",
                                "full_path": "/ubuntu/4/manifest.json"
                            },
                            {
                                "component_id": "generic://sha256:7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54/sha256__7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54.tar.gz",
                                "full_path": "sha256__7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54.tar.gz"
                            },
                            {
                                "component_id": "deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4",
                                "full_path": "libgmp10:2:6.2.0+dfsg-4"
                            }
                        ]
                    ]
                }
            },
            "issue_id": "XRAY-190339",
            "references": [
                "https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html",
                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43618"
            ],
            "type": "security",
            "watch_name": "w0w",
            "fail_build": true,
            "is_high_profile": true,
            "policies": null,
            "updated": "",
            "extended_information": {
                "short_description": "A signed comparison issue in glibc's memcpy() on ARMv7 lead to unspecified impact",
                "full_description": "When supplying a negative value as the length parameter for the `memcpy()` function on ARMv7,  a signed comparison issue causes the program to copy less bytes than intended. Specifically, the number of copied bytes will always be smaller than 64.\r\n\r\nThis can cause undefined behavior instead of crashing (due to the expected huge buffer copy).\r\n\r\nA context-dependent attacker could use this vulnerability to exploit other types of vulnerabilities, such as remote code execution (which may normally not be exploitable) in applications which use the vulnerable function.\r\nDue to the highly-context-dependent nature of this issue, it is most likely to be exploited as part of a targeted attack only.",
                "jfrog_research_severity": "Low",
                "jfrog_research_severity_reasons": [
                    {
                        "name": "The CVE can be remotely exploited",
                        "is_positive": false
                    },
                    {
                        "name": "The CVE has no exploit published",
                        "is_positive": true
                    },
                    {
                        "name": "The CVE has difficult prerequisites for exploitation",
                        "description": "Fully controllable length to memcpy",
                        "is_positive": true
                    },
                    {
                        "name": "The impact is highly contextual",
                        "is_positive": true
                    }
                ]
            }
        }
    ],
    "vulnerabilities": [
        {
            "cves": [
                {
                    "cve": "CVE-2021-43618",
                    "cvss_v2_score": "5.0",
                    "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
                    "cvss_v3_score": "7.5",
                    "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                }
            ],
            "summary": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.",
            "severity": "Low",
            "components": {
                "deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4": {
                    "package_name": "ubuntu:focal:libgmp10",
                    "package_version": "2:6.2.0+dfsg-4",
                    "package_type": "deb",
                    "infected_versions": [
                        "(,)"
                    ],
                    "impact_paths": [
                        [
                            {
                                "component_id": "build://[proj-build-info]/proj-docker-build:8"
                            },
                            {
                                "component_id": "docker://ubuntu:4"
                            },
                            {
                                "component_id": "generic://sha256:7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54/sha256__7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54.tar.gz"
                            },
                            {
                                "component_id": "deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4"
                            }
                        ]
                    ]
                }
            },
            "issue_id": "XRAY-190339",
            "references": [
                "https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html",
                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43618"
            ],
            "is_high_profile": true,
            "provider": "JFrog",
            "edited": "2021-12-14T10:57:50+02:00",
            "extended_information": {
                "short_description": "A signed comparison issue in glibc's memcpy() on ARMv7 lead to unspecified impact",
                "full_description": "When supplying a negative value as the length parameter for the `memcpy()` function on ARMv7,  a signed comparison issue causes the program to copy less bytes than intended. Specifically, the number of copied bytes will always be smaller than 64.\r\n\r\nThis can cause undefined behavior instead of crashing (due to the expected huge buffer copy).\r\n\r\nA context-dependent attacker could use this vulnerability to exploit other types of vulnerabilities, such as remote code execution (which may normally not be exploitable) in applications which use the vulnerable function.\r\nDue to the highly-context-dependent nature of this issue, it is most likely to be exploited as part of a targeted attack only.",
                "jfrog_research_severity": "Low",
                "jfrog_research_severity_reasons": [
                    {
                        "name": "The CVE can be remotely exploited",
                        "is_positive": false
                    },
                    {
                        "name": "The CVE has no exploit published",
                        "is_positive": true
                    },
                    {
                        "name": "The CVE has difficult prerequisites for exploitation",
                        "description": "Fully controllable length to memcpy",
                        "is_positive": true
                    },
                    {
                        "name": "The impact is highly contextual",
                        "is_positive": true
                    }
                ]
            }
        }
    ]
}

Operational Risk Sample Response

{

  "build_name": "test",
  "build_number": "2",
  "status": "completed",
  "more_details_url": "http://localhost:8046/xray/ui/builds/test/2/1648117400418/xrayData?buildRepo=artifactory-build-info",
  "fail_build": true,
  "violations": [

    {

      "components": {

        "gav://org.datanucleus:datanucleus-core:3.0.4": {

          "package_name": "org.datanucleus:datanucleus-core",
          "package_version": "3.0.4",
          "package_type": "maven",
          "impact_paths": [

            [

              {

                "component_id": "build://test:2"
              },
              {

                "component_id": "gav://org.datanucleus:datanucleus-core:3.0.4",
                "full_path": "datanucleus-core-3.0.4.jar"
              }
            ]
          ]
        }
      },
      "risk": "Low",
      "risk_reason": "Custom Rule",
      "released": "2012-12-12T20:02:00.689Z",
      "latest_version": "6.0.0-m4",
      "newer_versions": 120,
      "cadence": 1,
      "issue_id": "d3c3dcfc1576633da237136c14ba52e0c4282dda2a0e9646090cd78717e41258",
      "type": "operational_risk",
      "severity": "Low",
      "watch_name": "or-watch",
      "fail_build": true,
      "policies": null,
      "updated": ""
    }
  ]
}
  

Response Codes:

415: Failed to parse scan build request (check that the body is valid JSON and is sent with `Content-Type: application/json`, as listed under Consumes)

400: Request is missing mandatory fields

403: No valid license was found

403: Permission denied (the caller does not have the "Manage Xray Metadata" role required by this endpoint)

200: Build %v is not selected for indexing. Note that this is still an HTTP 200: no scan is performed, so a CI gate must inspect the returned `info` message rather than rely on the status code alone.

200: No Xray "Fail build in case of a violation" policy rule has been defined on this build. The Xray scan runs in parallel to the deployment of the build and will not block the build. To review the Xray scan results, see the Xray Violations tab in the UI. Because this is also an HTTP 200, a pipeline that is meant to gate on scan results should check the `info` message of this response and/or poll the GET endpoint and evaluate the `fail_build` field in its response, instead of treating any 200 as a passed scan.

200: Scan of build %v is in progress