Assign an Automatic Action to an Xray Policy Rule

JFrog Security Documentation


You can define one or more actions within each Policy Rule. To view a list of actions, see Automatic Actions.


Block Unscanned Artifacts

This configuration blocks download requests for artifacts that have not yet been scanned. The download timeout should be set by your system administrator.

Multiple License Permissive Approach

When a component is detected with multiple licenses, the policy rules are applied to every one of those licenses, so a violation is created as soon as any single license meets the policy rule. The multiple license permissive approach gives you more flexibility at the policy level: with it enabled, a component that carries at least one permitted license passes through without triggering a violation, even if some of its other licenses are not allowed.

Triggering a Webhook

You can select a predefined Webhook as an automatic action in case a violation is found.

  • Select the Trigger Webhook checkbox and select a predefined Webhook from the list.

The payload provided to any triggered webhook is a JSON object describing a list of Alerts.

The following shows an example payload for a webhook.

{
	"created": "2022-11-23T15:13:19.005062109Z",
	"top_severity": "High",
	"watch_name": "webhook-example",
	"policy_name": "high-cve",
	"policy_rule": "high-cve",
	"issues": [
		{
			"vulnerability_id": "XRAY-261308",
			"severity": "High",
			"type": "security",
			"provider": "JFrog",
			"created": "2022-11-16T10:36:39.205Z",
			"summary": "CVE-2022-42898 krb5: integer overflow vulnerabilities in PAC parsing (important)",
			"description": "DOCUMENTATION: A vulnerability was found in MIT krb5. This flaw allows an authenticated attacker to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service. A privileged attacker may similarly be able to cause a Kerberos or GSS application service to crash.             STATEMENT: Samba in RHEL does not implement the AD DC role and is not built against Heimdal, thus Samba is not affected by this CVE.",
			"impacted_artifacts": [
				{
					"name": "manifest.json",
					"display_name": "mysql:8.0",
					"path": "default/dockers/mysql/8.0/",
					"pkg_type": "Docker",
					"sha256": "44f98f4dd825a945d2a6a4b7b2f14127b5d07c5aaa07d9d232c2b58936fb76dc",
					"sha1": "",
					"depth": 0,
					"parent_sha": "44f98f4dd825a945d2a6a4b7b2f14127b5d07c5aaa07d9d232c2b58936fb76dc",
					"infected_files": [
						{
							"name": "krb5-libs:0:1.18.2-14.0.1.el8",
							"path": "",
							"sha256": "c8b498f4f6f42862326eae3df128ff9b0aea2a1f6da72dbb4c2716a8366c97a8",
							"depth": 0,
							"parent_sha": "e54b73e95ef388354463a761e4e93ce3dac29cb244b2dc0424f2f4afc6ddf5cd",
							"display_name": "8:krb5-libs:0:1.18.2-14.0.1.el8",
							"pkg_type": "Rpm"
						}
					]
				}
			],
			"cve": "CVE-2022-42898",
			"applicability": null
		},
		{
			"vulnerability_id": "XRAY-97724",
			"severity": "High",
			"type": "security",
			"provider": "JFrog",
			"created": "2020-05-11T12:08:54.784Z",
			"summary": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
			"description": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
			"impacted_artifacts": [
				{
					"name": "manifest.json",
					"display_name": "mysql:8.0",
					"path": "default/dockers/mysql/8.0/",
					"pkg_type": "Docker",
					"sha256": "44f98f4dd825a945d2a6a4b7b2f14127b5d07c5aaa07d9d232c2b58936fb76dc",
					"sha1": "",
					"depth": 0,
					"parent_sha": "44f98f4dd825a945d2a6a4b7b2f14127b5d07c5aaa07d9d232c2b58936fb76dc",
					"infected_files": [
						{
							"name": "pip-20.2.4-py2.py3-none-any.whl",
							"path": "usr/share/python39-wheels/",
							"sha256": "e266d0fa6cead0e80c6c962edcce8156dcd8e9842bae72276bedb352adf1b300",
							"depth": 0,
							"parent_sha": "f6cfbf240ed7196ec43fc009b344e17a6c84451079f19efea7b3fd2dab9bd65e",
							"display_name": "pip:20.2.4",
							"pkg_type": "Pypi"
						}
					]
				}
			],
			"cve": "CVE-2018-20225",
			"applicability": null
		}
	]
}
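The following is an added example of what a receiving endpoint might do with a payload of the shape shown above; it is not JFrog's code and is not part of this documentation. It validates the documented top-level keys, flattens each issue into one record per impacted artifact (carrying the offending infected files), filters by severity and groups the result per artifact so that a single ticket or notification can be raised per image. The sample payload inside the block is a trimmed copy of the example above (same identifiers, long description fields and hashes omitted); the function and field names are the author's own choices.

```python
"""Receiver-side handling for an Xray policy-rule webhook payload (added example)."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Severity ranking used to decide which alerts warrant immediate attention.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Top-level keys the documented payload carries; anything without them is rejected.
REQUIRED_TOP_LEVEL = ("created", "top_severity", "watch_name",
                      "policy_name", "policy_rule", "issues")


@dataclass
class Finding:
    vulnerability_id: str
    cve: Optional[str]
    severity: str
    artifact: str               # display_name of the impacted artifact, e.g. "mysql:8.0"
    artifact_path: str
    components: List[str] = field(default_factory=list)  # infected_files display names


def parse_alert(raw: str) -> dict:
    """Decode the JSON body and reject payloads missing the documented top-level keys."""
    alert = json.loads(raw)
    missing = [k for k in REQUIRED_TOP_LEVEL if k not in alert]
    if missing:
        raise ValueError("payload missing keys: %s" % missing)
    if not isinstance(alert["issues"], list):
        raise ValueError("'issues' must be a list")
    return alert


def is_valid_payload(raw: str) -> bool:
    """True if the body parses and carries the documented top-level keys."""
    try:
        parse_alert(raw)
        return True
    except (ValueError, TypeError):
        return False


def flatten_findings(alert: dict) -> List[Finding]:
    """One Finding per (issue, impacted artifact) pair, listing the infected files."""
    findings = []
    for issue in alert["issues"]:
        for art in issue.get("impacted_artifacts", []):
            findings.append(Finding(
                vulnerability_id=issue["vulnerability_id"],
                cve=issue.get("cve"),
                severity=issue["severity"],
                artifact=art.get("display_name") or art.get("name", ""),
                artifact_path=art.get("path", ""),
                components=[f.get("display_name") or f.get("name", "")
                            for f in art.get("infected_files", [])],
            ))
    return findings


def findings_at_or_above(findings: List[Finding], threshold: str = "High") -> List[Finding]:
    """Keep only findings whose severity is at least the given threshold."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= floor]


def group_by_artifact(findings: List[Finding]) -> Dict[str, dict]:
    """Group findings per impacted artifact so one notification covers each image."""
    grouped: Dict[str, dict] = {}
    for f in findings:
        entry = grouped.setdefault(f.artifact, {"path": f.artifact_path,
                                                "cves": set(), "components": set()})
        if f.cve:
            entry["cves"].add(f.cve)
        entry["components"].update(f.components)
    return grouped


# Constructed sample: a trimmed copy of the page's example payload (hashes and long text omitted).
SAMPLE_PAYLOAD = json.dumps({
    "created": "2022-11-23T15:13:19.005062109Z", "top_severity": "High",
    "watch_name": "webhook-example", "policy_name": "high-cve", "policy_rule": "high-cve",
    "issues": [
        {"vulnerability_id": "XRAY-261308", "severity": "High", "type": "security",
         "provider": "JFrog", "cve": "CVE-2022-42898", "applicability": None,
         "summary": "CVE-2022-42898 krb5: integer overflow vulnerabilities in PAC parsing",
         "impacted_artifacts": [{"name": "manifest.json", "display_name": "mysql:8.0",
                                 "path": "default/dockers/mysql/8.0/", "pkg_type": "Docker",
                                 "infected_files": [{"display_name": "8:krb5-libs:0:1.18.2-14.0.1.el8",
                                                     "pkg_type": "Rpm"}]}]},
        {"vulnerability_id": "XRAY-97724", "severity": "High", "type": "security",
         "provider": "JFrog", "cve": "CVE-2018-20225", "applicability": None,
         "summary": "pip --extra-index-url may install a higher-versioned public package (disputed)",
         "impacted_artifacts": [{"name": "manifest.json", "display_name": "mysql:8.0",
                                 "path": "default/dockers/mysql/8.0/", "pkg_type": "Docker",
                                 "infected_files": [{"display_name": "pip:20.2.4",
                                                     "pkg_type": "Pypi"}]}]},
    ],
})

if __name__ == "__main__":
    alert = parse_alert(SAMPLE_PAYLOAD)
    for name, entry in group_by_artifact(findings_at_or_above(flatten_findings(alert))).items():
        print(name, entry["path"], sorted(entry["cves"]), sorted(entry["components"]))
```

Grouping by artifact rather than by issue matters in practice: a single image such as mysql:8.0 typically appears in several issues of one alert, and the receiver usually wants one actionable item per image listing all CVEs and the packages that carry them.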