CVSS Scoring in Xray

JFrog Security Documentation

Overview

Starting from Xray version 3.21.2, Xray supports CVSS v3.0 scoring, so that Xray's vulnerability scoring stays up to date and reflects the current universally standard severity ratings.

Note

This feature requires Artifactory version 7.17.4 and above.

Xray CVSS Score and Severity

Xray collects scores and severities from two sources:

  • NVD: The National Vulnerability Database (NVD), which lists known vulnerabilities, each with its CVSS score.

  • Security Advisories: Some open source operating systems run their own security trackers, which provide further analysis of how a vulnerability affects the operating system package that ships the affected component.

Xray reports a single severity field, set according to the NVD or according to the OS package security advisory. Security advisories may publish their own severity and CVSS score for a vulnerability identified in their OS-level packages, as described in Determining the Issue Severity Level for Operating Systems Packages.

This severity is now determined by the CVSS v3.0 score obtained from the NVD or from the security advisory. Xray continues to support CVSS v2.0 scores alongside CVSS v3.0 scores. If no CVSS v3.0 score is available, Xray falls back to the CVSS v2.0 score.

Score Range and Severity Levels

Base scores range from 0.0 to 10.0 and map to the following severity levels:

CVSS v2.0 Ratings                    CVSS v3.0 Ratings
Severity    Base Score Range         Severity    Base Score Range
-           -                        None        0.0
Low         0.0-3.9                  Low         0.1-3.9
Medium      4.0-6.9                  Medium      4.0-6.9
High        7.0-10.0                 High        7.0-8.9
-           -                        Critical    9.0-10.0

CVSS v2.0 has no None or Critical rating: under v2.0 a score of 0.0 is Low and scores of 9.0-10.0 are High, whereas under v3.0 the same scores are None and Critical respectively.

You can set security rules that trigger violations according to the CVSS v3.0 score and severity, as described in Creating Xray Policies and Rules.

Upgrading Xray with CVSS v3 Support

When upgrading to Xray version 3.21.2 with the new CVSS v3.0 scoring, all existing policies and rules remain unchanged. Xray does not rescan existing artifacts; only artifacts scanned after the upgrade receive CVSS v3.0 scores and severity levels.

If existing resources are updated with new artifacts, images, etc., the new data is scanned according to the new scoring and severity. When a new vulnerability is found with Critical severity and an existing policy rule is set to a minimum severity of High, the rule still matches (Critical is above High) and the violation is created with Critical severity. Existing vulnerabilities are not affected; only newly found vulnerabilities are rated according to the CVSS v3.0 score.
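The following is an added example, not JFrog's code, that puts the rules above into a short script: it derives a severity from a vulnerability's CVSS scores (v3.0 first, v2.0 as the fallback, using the range tables on this page) and then evaluates it against a policy rule's minimum severity, showing why a rule set to High also fires for Critical and why the same score can rate differently under the two CVSS versions. The vulnerability records are constructed sample data, not real CVE entries.

```python
"""Added example, not JFrog's code: Xray-style severity derivation from CVSS
scores plus evaluation against a policy rule's minimum severity."""

from typing import Optional

# CVSS v3.0 and v2.0 base-score ranges (name, lower, upper; inclusive) per the table above.
CVSS_V3_RANGES = [("None", 0.0, 0.0), ("Low", 0.1, 3.9), ("Medium", 4.0, 6.9),
                  ("High", 7.0, 8.9), ("Critical", 9.0, 10.0)]
CVSS_V2_RANGES = [("Low", 0.0, 3.9), ("Medium", 4.0, 6.9), ("High", 7.0, 10.0)]
SEVERITY_ORDER = ["None", "Low", "Medium", "High", "Critical"]


def severity_from_score(score: float, ranges) -> str:
    """Map a base score (one decimal place, as CVSS publishes it) to a severity name."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    score = round(score, 1)
    for name, low, high in ranges:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} falls between ranges")  # unreachable for 1-decimal scores


def xray_severity(cvss_v3: Optional[float], cvss_v2: Optional[float]):
    """Prefer the v3.0 score; fall back to v2.0 only when no v3.0 score exists."""
    if cvss_v3 is not None:
        return severity_from_score(cvss_v3, CVSS_V3_RANGES), "CVSS v3.0"
    if cvss_v2 is not None:
        return severity_from_score(cvss_v2, CVSS_V2_RANGES), "CVSS v2.0"
    raise ValueError("vulnerability carries no CVSS score")


def rule_matches(min_severity: str, vuln_severity: str) -> bool:
    """A rule with minimum severity X fires for X and for every severity above it."""
    return SEVERITY_ORDER.index(vuln_severity) >= SEVERITY_ORDER.index(min_severity)


def evaluate_rule(vulns, min_severity: str):
    """Return the violations a rule would raise; each carries the vulnerability's own severity."""
    violations = []
    for vuln in vulns:
        severity, basis = xray_severity(vuln.get("cvss_v3"), vuln.get("cvss_v2"))
        if rule_matches(min_severity, severity):
            violations.append({"id": vuln["id"], "severity": severity, "scored_by": basis})
    return violations


# Constructed sample data (not real CVE records). A 9.8 rates High under v2.0 but
# Critical under v3.0, so the reported severity depends on which score is available.
SAMPLE_VULNS = [
    {"id": "sample-1", "cvss_v3": 9.8, "cvss_v2": 10.0},   # v3.0 present -> Critical
    {"id": "sample-2", "cvss_v3": None, "cvss_v2": 9.8},   # v2.0 fallback -> High
    {"id": "sample-3", "cvss_v3": 7.0, "cvss_v2": 6.8},    # lower bound of v3.0 High
    {"id": "sample-4", "cvss_v3": 3.9, "cvss_v2": 4.0},    # v3.0 wins even when lower
    {"id": "sample-5", "cvss_v3": 0.0, "cvss_v2": None},   # v3.0 None (v2.0 would say Low)
]

if __name__ == "__main__":
    for violation in evaluate_rule(SAMPLE_VULNS, "High"):
        print(violation)
```

Run as a script to see which of the sample records a rule with minimum severity High would flag; sample-1 is reported as Critical, not High, because the violation carries the vulnerability's own severity.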

Updating Existing Policies

Existing policies can be updated to use the new Critical severity level with the Update Policy REST API.

Upgrading Xray with CVSS v3.0 Support in an Offline Mode

If you are working in offline mode, you need to sync the database manually to download the vulnerability data and enable CVSS v3.0 scoring.

Do the following:

  1. In the Administration module, go to Xray Security and Compliance and select Database Sync.

  2. Select the Offline sync mode and click Generate Download Command.

  3. A command is generated similar to this:

    jfrog xr offline-update --license-id=<LICENSE_ID> --version=<XRAY_VERSION>

    If the generated command includes From and To (date range) parameters, remove them so that the command matches the example above.

  4. Copy the command and run it in the CLI.

  5. Unzip the vulnerabilities file (for example, vuln_-{NUMBER}.zip). It contains two additional zip files:

    1. onboardingf__vulnR1_XX__.zip

    2. onboardingf__vulnS1_X__.zip

  6. Copy the two zip files from your DMZ environment to the following directory on the Xray server. The required permission is 770:

    ${XRAY_HOME}/var/work/server/updates/data_migration/cvss_v3_files/

  7. Trigger the CVSS v3.0 vulnerabilities persistence migration:

    [POST] <XRAY_URL>/api/v1/migration/trigger/cvss_v3_vulnerabilities

  8. Use the migration status REST API to monitor the CVSS v3.0 upgrade process. To learn more about running Xray commands, see Xray REST APIs.

    Once the migration completes, the status is set to enable_finished (as in the sample response below). If the migration was run before Artifactory was upgraded to a supported version (Artifactory 7.17.4 and above), the status is set to vuln_finished. For any other status that reports a failure, check the logs and/or contact JFrog customer support.

    [GET] <XRAY_URL>/api/v1/migration/cvssV3/status

    Sample Response:

    {
       "status": "enable_finished",
       "status_msg": "CVSS V3 enable migration finished successfully"
    }
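The following is an added example, not JFrog's code, that automates steps 5 to 8 of the offline procedure above: it picks the two inner archives out of the downloaded vuln_-{NUMBER}.zip, writes them into the cvss_v3_files directory with permission 770, then triggers the migration and polls the status endpoint until it reports a result. The inner-archive name pattern is an assumption based on the names shown in step 5, the Bearer token header is an assumption about how you authenticate to Xray, and the sample zip that the demo function builds is constructed so the staging step can be exercised offline.

```python
"""Added example, not JFrog's code: automates the offline CVSS v3.0 migration
steps (stage the inner zips, trigger the migration, poll its status)."""

import json
import os
import re
import tempfile
import time
import urllib.request
import zipfile

# Target directory from step 6, relative to XRAY_HOME.
CVSS_V3_DIR = os.path.join("var", "work", "server", "updates", "data_migration", "cvss_v3_files")
# Assumed name pattern for the two inner archives, based on the names shown in step 5.
# No path separators are allowed, so a crafted archive cannot write outside the target.
INNER_ZIP_RE = re.compile(r"^onboardingf__vuln(R1|S1)_[^/\\]*\.zip$")


def select_inner_zips(vuln_zip_path):
    """Return the R1 and S1 members of vuln_-{NUMBER}.zip; fail unless exactly one of each."""
    with zipfile.ZipFile(vuln_zip_path) as zf:
        members = [m for m in zf.namelist() if INNER_ZIP_RE.match(m)]
    kinds = sorted(INNER_ZIP_RE.match(m).group(1) for m in members)
    if kinds != ["R1", "S1"]:
        raise ValueError(f"expected one R1 and one S1 archive, found {members}")
    return members


def stage_cvss_v3_files(vuln_zip_path, xray_home):
    """Steps 5 and 6: extract the two inner zips into the migration directory, mode 770."""
    target_dir = os.path.join(xray_home, CVSS_V3_DIR)
    os.makedirs(target_dir, exist_ok=True)
    os.chmod(target_dir, 0o770)
    written = []
    with zipfile.ZipFile(vuln_zip_path) as zf:
        for member in select_inner_zips(vuln_zip_path):
            dest = os.path.join(target_dir, member)  # member name has no path separators
            with zf.open(member) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            os.chmod(dest, 0o770)
            written.append(dest)
    return written


def classify_status(body):
    """Interpret a GET /api/v1/migration/cvssV3/status response as described in step 8."""
    status = body.get("status", "")
    if status == "enable_finished":
        return "finished"
    if status == "vuln_finished":
        return "finished_before_artifactory_upgrade"
    if "fail" in status.lower():  # interpretation of "status that contains failure information"
        return "failed"
    return "running"


def _call(xray_url, path, token, method):
    # Assumption: Bearer token authentication; adapt to the credentials your deployment uses.
    req = urllib.request.Request(xray_url.rstrip("/") + path, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def run_migration(xray_url, token, poll_seconds=30, timeout_seconds=3600):
    """Steps 7 and 8: trigger the migration, then poll until it finishes or fails."""
    _call(xray_url, "/api/v1/migration/trigger/cvss_v3_vulnerabilities", token, "POST")
    deadline = time.monotonic() + timeout_seconds
    while time.monotonic() < deadline:
        body = _call(xray_url, "/api/v1/migration/cvssV3/status", token, "GET")
        outcome = classify_status(body)
        if outcome != "running":
            return outcome, body
        time.sleep(poll_seconds)
    raise TimeoutError("CVSS v3.0 migration did not finish within the timeout")


def build_constructed_sample(root):
    """Constructed stand-in for vuln_-{NUMBER}.zip so the staging step can run offline."""
    path = os.path.join(root, "vuln_-12345.zip")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("onboardingf__vulnR1_01__.zip", b"placeholder R1 payload")
        zf.writestr("onboardingf__vulnS1_1__.zip", b"placeholder S1 payload")
        zf.writestr("onboardingf__vulnR1_../../escape.zip", b"")  # ignored: contains a slash
    return path


def demo_stage():
    """Stage the constructed sample into a temporary XRAY_HOME and report names and modes."""
    root = tempfile.mkdtemp()
    staged = stage_cvss_v3_files(build_constructed_sample(root), os.path.join(root, "xray"))
    return [(os.path.basename(p), oct(os.stat(p).st_mode & 0o777)) for p in staged]


if __name__ == "__main__":
    print(demo_stage())
```

For a real run, call stage_cvss_v3_files with the downloaded archive and your XRAY_HOME (on the Xray server, after copying the archive over from the DMZ), then run_migration with the Xray URL and a token; a return value of finished_before_artifactory_upgrade tells you the migration reached vuln_finished because Artifactory had not yet been upgraded.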