Analyze Detailed Scanned Data on Resources

JFrog Security Documentation

Products
JFrog Xray
Content Type
User Guide
ft:sourceType
Paligo

Each of the scanned resources - packages, builds, artifacts and Release Bundles contains the following set of Xray sub-tabs and a list of actions.

xray_data in tabs.png

The Xray Data sub tabs are:

  • Violations: These are violations to filters defined on a watch. They are only reported for the root component, not for its dependencies.

  • Security: Known security vulnerabilities for the selected component.

  • Licenses: OSS licenses used by the component.

  • Decedents: Components that the selected component includes (depends on).

  • Ascendants: Components that include (depend on) the selected component.

The following sections describe the Xray Data sub tabs displaying the Packages resource as an example. Please note the tabs are identical for builds, artifacts and Release Bundles.

Violations

Displays the violations detected on the package version based on the watches and associated policies set by the users. You can view the vulnerability severity, type and the associated policies. To view a components and its dependencies, click on the Component icon. In some cases, when violations are detected, as security or legal personnel, you would like to accept or to add some of these violations to an Allow List. For more information, see Ignore Rules.

image2020-10-26_23-17-46.png

Violation Details

image (64).png

Vulnerability Details

image (65).png

Physical Path of Vulnerable Component

image (66).png

Security

Displays the known security vulnerabilities for the selected package version and the effected versions and fixed versions that do not contain the vulnerability. For a description of detailed severity levels see Determine the Issue Severity Level for Operating Systems Packages

package_version_xray_data_license_tab.png

To examine the details of a violation, click the violation in the list to display the Issues Details popup.

Licenses

Displays the licenses is assigned to a specific version and triggers violations in case it matches criteria of any existing Watches. Click on the License to view the license attached to the components.