Description: Invokes scanning of a build that was uploaded to Artifactory as requested by a CI server.
Security: Requires the "Manage Xray Metadata" role to be set on the User or Group level.
Notes: Starting from Xray version 3.42.3, JFrog Security CVE Research and Enrichment data is supported. Important notes:
The following fields are markdown text: short_description, full_description, remediation.
Extended information fields will not appear to Free Tier users.
Usage: POST /api/v2/ci/build (invokes the scanning of a build)
GET /api/v2/ci/build/{build_name}/{build_number}[?include_vulnerabilities={true|false}] (gets the build scan results)
Consumes: application/json
Produces: wild card
Sample Request
{ "build_name": "my-build", "build_number": "8" }
Sample Response (POST /api/v2/ci/build)
{ "info": "Scan of build name 'my-build', build number '8' is in progress" }
Sample Response (GET /api/v2/ci/build/{build_name}/{build_number})
{
  "build_name": "mybuild",
  "build_number": "4",
  "project": "ecosys",
  "status": "completed",
  "more_details_url": "http://localhost:8046/xray/ui/builds/mybuild/4/1641386839295/xrayData?buildRepo=ecosys-build-info&projectKey=ecosys",
  "fail_build": false,
  "violations": [],
  "vulnerabilities": [
    {
      "cves": [
        {
          "cvss_v2_score": "10.0",
          "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "cvss_v3_score": "9.8",
          "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "summary": "Netty codec/src/main/java/io/netty/handler/codec/compression/Lz4FrameEncoder.java Lz4FrameEncoder::finishEncode() Function Buffer Overflow",
      "severity": "Critical",
      "components": {
        "gav://io.netty:netty-codec:4.1.53.Final": {
          "package_name": "io.netty:netty-codec",
          "package_version": "4.1.53.Final",
          "package_type": "maven",
          "fixed_versions": [ "[4.1.66.Final]" ],
          "infected_versions": [ "(,4.1.66.Final)" ],
          "impact_paths": [
            [
              { "component_id": "build://[ecosys-build-info]/mybuild:4" },
              { "component_id": "generic://sha256:97c77dd8ef40cbdb5fdaff24f8853101a5db6fa819d16966d251c972c543b507/bill.jar" },
              { "component_id": "gav://io.netty:netty-codec:4.1.53.Final" }
            ]
          ]
        }
      },
      "issue_id": "XRAY-179837",
      "references": [
        "https://netty.io/news/2021/07/16/4-1-66-Final.html",
        "https://github.com/netty/netty/pull/11429",
        "https://github.com/netty/netty/commit/194a81ff4f0304d928bbcfd57ff3e961e12ac8d4"
      ],
      "is_high_profile": false,
      "provider": "JFrog",
      "edited": "2022-01-05T11:20:26Z"
    }
  ]
}
Build in Project Scope Sample Response
{ "build_name": "my-build", "build_number": "14", "project": "projA" }
CVE Research and Enrichment Sample Response
{
  "build_name": "mybuild",
  "build_number": "4",
  "project": "proj",
  "status": "completed",
  "more_details_url": "http://localhost:8046/xray/ui/builds/mybuild/4/1641386839295/xrayData?buildRepo=ecosys-build-info&projectKey=proj",
  "fail_build": true,
  "violations": [
    {
      "cves": [
        {
          "cve": "CVE-2021-43618",
          "cvss_v2_score": "5.0",
          "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3_score": "7.5",
          "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "summary": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.",
      "severity": "Low",
      "components": {
        "deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4": {
          "package_name": "ubuntu:focal:libgmp10",
          "package_version": "2:6.2.0+dfsg-4",
          "package_type": "debian",
          "impact_paths": [
            [
              { "component_id": "build://[proj-build-info]/proj-docker-build:8" },
              { "component_id": "docker://ubuntu:4", "full_path": "/ubuntu/4/manifest.json" },
              { "component_id": "generic://sha256:7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54/sha256__7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54.tar.gz", "full_path": "sha256__7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54.tar.gz" },
              { "component_id": "deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4", "full_path": "libgmp10:2:6.2.0+dfsg-4" }
            ]
          ]
        }
      },
      "issue_id": "XRAY-190339",
      "references": [
        "https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html",
        "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43618"
      ],
      "type": "security",
      "watch_name": "w0w",
      "fail_build": true,
      "is_high_profile": true,
      "policies": null,
      "updated": "",
      "extended_information": {
        "short_description": "A signed comparison issue in glibc's memcpy() on ARMv7 lead to unspecified impact",
        "full_description": "When supplying a negative value as the length parameter for the `memcpy()` function on ARMv7, a signed comparison issue causes the program to copy less bytes than intended. Specifically, the number of copied bytes will always be smaller than 64.\r\n\r\nThis can cause undefined behavior instead of crashing (due to the expected huge buffer copy).\r\n\r\nA context-dependent attacker could use this vulnerability to exploit other types of vulnerabilities, such as remote code execution (which may normally not be exploitable) in applications which use the vulnerable function.\r\nDue to the highly-context-dependent nature of this issue, it is most likely to be exploited as part of a targeted attack only.",
        "jfrog_research_severity": "Low",
        "jfrog_research_severity_reasons": [
          { "name": "The CVE can be remotely exploited", "is_positive": false },
          { "name": "The CVE has no exploit published", "is_positive": true },
          { "name": "The CVE has difficult prerequisites for exploitation", "description": "Fully controllable length to memcpy", "is_positive": true },
          { "name": "The impact is highly contextual", "is_positive": true }
        ]
      }
    }
  ],
  "vulnerabilities": [
    {
      "cves": [
        {
          "cve": "CVE-2021-43618",
          "cvss_v2_score": "5.0",
          "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3_score": "7.5",
          "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "summary": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.",
      "severity": "Low",
      "components": {
        "deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4": {
          "package_name": "ubuntu:focal:libgmp10",
          "package_version": "2:6.2.0+dfsg-4",
          "package_type": "deb",
          "infected_versions": [ "(,)" ],
          "impact_paths": [
            [
              { "component_id": "build://[proj-build-info]/proj-docker-build:8" },
              { "component_id": "docker://ubuntu:4" },
              { "component_id": "generic://sha256:7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54/sha256__7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54.tar.gz" },
              { "component_id": "deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4" }
            ]
          ]
        }
      },
      "issue_id": "XRAY-190339",
      "references": [
        "https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html",
        "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43618"
      ],
      "is_high_profile": true,
      "provider": "JFrog",
      "edited": "2021-12-14T10:57:50+02:00",
      "extended_information": {
        "short_description": "A signed comparison issue in glibc's memcpy() on ARMv7 lead to unspecified impact",
        "full_description": "When supplying a negative value as the length parameter for the `memcpy()` function on ARMv7, a signed comparison issue causes the program to copy less bytes than intended. Specifically, the number of copied bytes will always be smaller than 64.\r\n\r\nThis can cause undefined behavior instead of crashing (due to the expected huge buffer copy).\r\n\r\nA context-dependent attacker could use this vulnerability to exploit other types of vulnerabilities, such as remote code execution (which may normally not be exploitable) in applications which use the vulnerable function.\r\nDue to the highly-context-dependent nature of this issue, it is most likely to be exploited as part of a targeted attack only.",
        "jfrog_research_severity": "Low",
        "jfrog_research_severity_reasons": [
          { "name": "The CVE can be remotely exploited", "is_positive": false },
          { "name": "The CVE has no exploit published", "is_positive": true },
          { "name": "The CVE has difficult prerequisites for exploitation", "description": "Fully controllable length to memcpy", "is_positive": true },
          { "name": "The impact is highly contextual", "is_positive": true }
        ]
      }
    }
  ]
}
Operational Risk Sample Response
{
  "build_name": "test",
  "build_number": "2",
  "status": "completed",
  "more_details_url": "http://localhost:8046/xray/ui/builds/test/2/1648117400418/xrayData?buildRepo=artifactory-build-info",
  "fail_build": true,
  "violations": [
    {
      "components": {
        "gav://org.datanucleus:datanucleus-core:3.0.4": {
          "package_name": "org.datanucleus:datanucleus-core",
          "package_version": "3.0.4",
          "package_type": "maven",
          "impact_paths": [
            [
              { "component_id": "build://test:2" },
              { "component_id": "gav://org.datanucleus:datanucleus-core:3.0.4", "full_path": "datanucleus-core-3.0.4.jar" }
            ]
          ]
        }
      },
      "risk": "Low",
      "risk_reason": "Custom Rule",
      "released": "2012-12-12T20:02:00.689Z",
      "latest_version": "6.0.0-m4",
      "newer_versions": 120,
      "cadence": 1,
      "issue_id": "d3c3dcfc1576633da237136c14ba52e0c4282dda2a0e9646090cd78717e41258",
      "type": "operational_risk",
      "severity": "Low",
      "watch_name": "or-watch",
      "fail_build": true,
      "policies": null,
      "updated": ""
    }
  ]
}
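A CI-side consumer of the two endpoints documented above, added here as an example (it is not JFrog's code): it builds the results URL from the documented path and query parameter, sends requests with a Bearer access token (an assumption; this page does not state the authentication scheme), and reduces a completed result to the fields a build gate acts on, namely Xray's own fail_build verdict, violations by severity, their CVE ids, and the fixed_versions reported per vulnerable component. The embedded response is a constructed excerpt stitched from the samples on this page, and treating any status other than "completed" as "poll again" is also an assumption.

```python
import json
import urllib.request
from urllib.parse import quote

# Constructed excerpt of a GET /api/v2/ci/build/{build_name}/{build_number} result,
# stitched from the samples on this page (not captured from a live Xray instance).
SAMPLE_RESULT = json.loads("""{
  "build_name": "mybuild", "build_number": "4", "status": "completed", "fail_build": true,
  "violations": [{"type": "security", "severity": "Low", "watch_name": "w0w", "fail_build": true,
                  "issue_id": "XRAY-190339", "cves": [{"cve": "CVE-2021-43618", "cvss_v3_score": "7.5"}],
                  "components": {"deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4": {
                      "package_name": "ubuntu:focal:libgmp10", "package_version": "2:6.2.0+dfsg-4"}}}],
  "vulnerabilities": [{"severity": "Critical", "issue_id": "XRAY-179837", "cves": [{"cvss_v3_score": "9.8"}],
                       "components": {"gav://io.netty:netty-codec:4.1.53.Final": {
                           "package_name": "io.netty:netty-codec", "package_version": "4.1.53.Final",
                           "fixed_versions": ["[4.1.66.Final]"], "infected_versions": ["(,4.1.66.Final)"]}}}]
}""")

def scan_results_url(base_url, build_name, build_number, include_vulnerabilities=True):
    """GET URL for the results endpoint documented above; path segments are percent-encoded."""
    return (f"{base_url.rstrip('/')}/api/v2/ci/build/{quote(build_name, safe='')}/"
            f"{quote(build_number, safe='')}?include_vulnerabilities="
            f"{'true' if include_vulnerabilities else 'false'}")

def xray_request(url, token, body=None):
    """Send one request; POST with a JSON body, GET without. The Bearer token header
    is an assumption (this page only names the required role, not the auth scheme)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize(result):
    """Reduce a scan result to what a CI gate needs. The gate should trust Xray's
    fail_build (set by the "Fail build in case of a violation" policy rule) rather than
    re-deriving it from severities; the rest is for the build log and remediation."""
    if result.get("status") != "completed":      # assumption: anything else means poll again
        return {"ready": False}
    by_severity = {}
    for v in result.get("violations", []):
        by_severity[v["severity"]] = by_severity.get(v["severity"], 0) + 1
    cves = sorted({c["cve"] for v in result.get("violations", []) for c in v.get("cves", []) if "cve" in c})
    fixes = {cid: comp.get("fixed_versions", []) for vuln in result.get("vulnerabilities", [])
             for cid, comp in vuln.get("components", {}).items()}
    return {"ready": True, "fail_build": bool(result.get("fail_build")),
            "violations_by_severity": by_severity, "violation_cves": cves, "fixed_versions": fixes}
```

Against a live instance the flow is xray_request(base + "/api/v2/ci/build", token, {"build_name": ..., "build_number": ...}) followed by xray_request(scan_results_url(...), token) repeated until summarize(...) reports ready; an empty fixed_versions list for a component means the page's sample offered no fixed version for it.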
Response Codes:
415: Failed to parse scan build request
400: Request is missing mandatory fields
403: No valid license was found
403: Permission denied
200: Build %v is not selected for indexing
200: No Xray “Fail build in case of a violation” policy rule has been defined on this build. The Xray scan will run in parallel to the deployment of the build and will not obstruct the build. To review the Xray scan results, see the Xray Violations tab in the UI.
200: Scan of build %v is in progress