Analyzing Resource Scan Results

JFrog Security Documentation

Overview

JFrog Xray scans and displays Xray data in the JFrog Platform. You can view Xray data on each of the scanned resources, enabling you to drill down to expose greater detail and analyze the state of your components.

If needed, you can drill down to get full transparency into any vulnerable components or license breaches in your software, as described in the following section.

Analyzing Detailed Scanned Data on Resources

Each scanned resource (packages, builds, artifacts and Release Bundles) has the following set of Xray sub-tabs and a list of actions.

(Figure: Xray Data sub-tabs on a scanned resource)

The Xray Data sub tabs are:

  • Violations: Violations of the filters defined on a watch. They are only reported for the root component, not for its dependencies.

  • Security: Known security vulnerabilities for the selected component.

  • Licenses: OSS licenses used by the component.

  • Descendants: Components that the selected component includes (depends on).

  • Ascendants: Components that include (depend on) the selected component.

The following sections describe the Xray Data sub-tabs using the Packages resource as an example. Note that the tabs are identical for builds, artifacts and Release Bundles.

Violations

Displays the violations detected on the package version, based on the watches and associated policies set by the users. You can view the vulnerability severity, type and the associated policies. To view a component and its dependencies, click the Component icon. In some cases, when violations are detected, security or legal personnel may want to accept some of them or add them to an Allow List. For more information, see Ignore Rules.

Violation Details


Vulnerability Details


Physical Path of Vulnerable Component

Security

Displays the known security vulnerabilities for the selected package version, the affected versions, and the fixed versions that do not contain the vulnerability.

To examine the details of a violation, click the violation in the list to display the Issues Details popup.

Determining the Issue Severity Level for Operating Systems Packages

Xray initially populates its vulnerability and license data from the Xray global database server managed by JFrog. After the initial database synchronization, Xray is synchronized with the central database daily to pick up new updates.

When analyzing the vulnerabilities for open source operating systems packages, Xray fetches data regarding the severity of the vulnerability from two sources:

  • NVD: The National Vulnerability Database which contains known vulnerabilities each with their CVSS score. For more information on CVSS scoring in Xray, see CVSS Scoring in Xray.

  • Security Advisory: Some open source operating systems have their own security trackers with further analysis of the vulnerability inside the operating system package.

When the operating system's security advisory contains data about the vulnerability in a package, Xray computes the severity of the vulnerability from that data instead of from the vulnerability's CVSS score.

The reason is that the operating system's security advisory team has done further analysis of the vulnerability as it applies to the operating system package, and so has reached a more precise conclusion about its priority, urgency or severity.

To help you understand how Xray maps the information from each source, the severity or priority scale of each operating system and how it is presented in Xray are outlined below.

Note that if a vulnerability's severity is unknown in the security advisory, Xray falls back to the CVSS score from the NVD.

Ubuntu

Vulnerabilities source: Ubuntu CVE Tracker

Severity mapped from: Priority

Priority to Xray Severity mapping:

  Ubuntu Priority    Xray Severity
  Critical           High
  High               High
  Medium             Medium
  Low                Low
  Negligible         Low
  Untriaged          Unknown (will use CVSS score from NVD)

Priority to Xray Severity mapping: CVSS v3

  Ubuntu Priority    Xray Severity
  Critical           Critical
  High               High
  Medium             Medium
  Low                Low
  Negligible         Low
  Untriaged          Unknown (will use CVSS score from NVD)

Debian

Vulnerabilities source: Debian Security Bug Tracker

Severity mapped from: Urgency

Urgency to Severity mapping:

  Debian Urgency     Xray Severity
  High               High
  Medium             Medium
  Low                Low
  Unimportant        Low
  End of Life        Unknown (will use CVSS score from NVD)

RPM

Vulnerabilities source: Red Hat Security Advisories and CVE database

Severity mapped from: Severity Rating

Red Hat Severity to Severity mapping:

  Red Hat Severity   Xray Severity
  Critical           High
  Important          High
  Moderate           Medium
  Low                Low

Red Hat Severity to Severity mapping: CVSS v3

  Red Hat Severity   Xray Severity
  Critical           Critical
  Important          High
  Moderate           Medium
  Low                Low
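The rule described in this section, advisory severity first and the NVD CVSS score only when the advisory has no entry or reports the vulnerability as Untriaged or End of Life, is easy to get wrong in tooling that post-processes scan results. The following Python is an added example written for this page; it is not JFrog's code and does not call the Xray API. It encodes the mapping tables above for Ubuntu, Debian and Red Hat (RPM), assumes the first Ubuntu and Red Hat tables are the CVSS v2 mappings and that the single Debian table applies to both CVSS versions, and uses NVD's published qualitative CVSS ranges for the fallback (also an assumption; Xray's own CVSS handling is described on the CVSS Scoring in Xray page). The package names and scores in the demo are constructed, not real advisories.

```python
"""Added illustration (not JFrog Xray's own code) of the severity-resolution
rule described above: when the operating-system advisory carries a usable
severity, it is mapped through the per-distribution tables; otherwise the
severity is derived from the NVD CVSS score."""
from typing import Optional, Tuple

# Per-distribution advisory value -> Xray severity, copied from the tables above.
# None marks "Unknown (will use CVSS score from NVD)".
# Assumption: the page labels only its second Ubuntu and Red Hat tables as
# "CVSS v3"; the first table of each is treated here as the CVSS v2 mapping,
# and Debian's single table is applied for both CVSS versions.
_UBUNTU_V2 = {"Critical": "High", "High": "High", "Medium": "Medium",
              "Low": "Low", "Negligible": "Low", "Untriaged": None}
_UBUNTU_V3 = {**_UBUNTU_V2, "Critical": "Critical"}
_DEBIAN = {"High": "High", "Medium": "Medium", "Low": "Low",
           "Unimportant": "Low", "End of Life": None}
_RPM_V2 = {"Critical": "High", "Important": "High", "Moderate": "Medium", "Low": "Low"}
_RPM_V3 = {**_RPM_V2, "Critical": "Critical"}

ADVISORY_MAPPINGS = {
    ("ubuntu", "v2"): _UBUNTU_V2, ("ubuntu", "v3"): _UBUNTU_V3,
    ("debian", "v2"): _DEBIAN,    ("debian", "v3"): _DEBIAN,
    ("rpm", "v2"): _RPM_V2,       ("rpm", "v3"): _RPM_V3,
}


def severity_from_cvss(score: float, cvss_version: str) -> str:
    """Fallback used when the advisory gives no usable severity.

    Assumption: these are NVD's published qualitative ranges (v3.x: Low 0.1-3.9,
    Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0; v2: Low 0.0-3.9,
    Medium 4.0-6.9, High 7.0-10.0). Xray's own CVSS handling is documented on
    the "CVSS Scoring in Xray" page and may differ.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if cvss_version == "v3":
        if score >= 9.0:
            return "Critical"
        if score >= 7.0:
            return "High"
        if score >= 4.0:
            return "Medium"
        return "Low" if score > 0.0 else "None"
    if cvss_version == "v2":
        if score >= 7.0:
            return "High"
        if score >= 4.0:
            return "Medium"
        return "Low"
    raise ValueError(f"unsupported CVSS version: {cvss_version}")


def resolve_severity(distro: str, advisory_value: Optional[str],
                     nvd_cvss: float, cvss_version: str = "v3") -> Tuple[str, str]:
    """Return (Xray severity, source) where source is 'advisory' or 'NVD'.

    advisory_value is the distribution's own rating (Ubuntu priority, Debian
    urgency, Red Hat severity), or None when the advisory has no entry for the
    CVE in this package.
    """
    try:
        table = ADVISORY_MAPPINGS[(distro.lower(), cvss_version)]
    except KeyError:
        raise ValueError(f"no advisory mapping for {distro!r} / {cvss_version!r}")
    if advisory_value is not None:
        mapped = table.get(advisory_value)   # unrecognised strings also fall back to NVD
        if mapped is not None:
            return mapped, "advisory"
    return severity_from_cvss(nvd_cvss, cvss_version), "NVD"


if __name__ == "__main__":
    # Constructed sample findings (hypothetical packages and scores, not real advisories).
    sample = [
        ("ubuntu", "libexample1", "Critical", 9.8),
        ("ubuntu", "libexample2", "Untriaged", 9.8),
        ("debian", "example-tool", "End of Life", 5.3),
        ("rpm", "example-daemon", "Important", 9.8),
        ("rpm", "example-lib", None, 7.5),
    ]
    for distro, pkg, adv, cvss in sample:
        sev, src = resolve_severity(distro, adv, cvss)
        print(f"{distro:7} {pkg:15} advisory={adv!s:12} cvss={cvss:4} -> {sev:8} (from {src})")
```

The returned source field is the part worth keeping in any downstream report: a finding whose severity came from the NVD fallback is one the distribution has not triaged for that package, so it deserves a second look rather than being treated as equivalent to an advisory-rated one.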

Licenses

Displays the licenses assigned to a specific version and triggers violations if a license matches the criteria of any existing Watch. Click a license to view the components it is attached to.