Exposures Scans

JFrog Security Documentation

Subscription Information

This feature is supported with the Enterprise X or Enterprise+ license, with the Advanced Security Add-on.

Overview

In addition to software composition analysis and scanning packages for vulnerabilities, Xray can now scan for multiple categories of security issues in your configurations and in how your code uses open source libraries. Together with other Xray capabilities, such as CVE Enrichment, Contextual Analysis, and Operational Risk, this provides end-to-end supply chain security that covers different forms of software supply chain attacks.

The Issue

Non-code-related security issues are often overlooked in an organization as a potential security threat, since they are the smallest and easiest issues to fix. This leaves your software potentially exposed to threats arising from security malpractices (e.g., missing authentication), insecure configurations (e.g., excessive privileges), weak authentication, and so on.

The Solution

Xray runs an automated security scan to detect these potential security exposures in the analyzed artifact, using static analysis scanners that are continuously enhanced by the JFrog research team. The following sections describe the scanning categories in detail.

Note

Exposures supports the following package types:

  • Docker

  • Maven (Xray version 3.78.9)

  • npm (Xray version 3.78.9)

  • PyPI (Xray version 3.78.9)

Scanning Categories

Secrets Category
Secrets Detection

Detects any secret left exposed in the artifacts stored in Artifactory to stop any accidental leak of internal tokens or credentials.

Xray scans your configuration files, text files and binary files for plaintext credentials, private keys, tokens, and similar secrets, using a constantly updated list of more than 150 specific credential types. In addition, Xray uses a proprietary generic secrets matcher for the broadest possible coverage. Xray also scans for issues in the certificates used in the software, such as expired or weak certificates.

Examples:

  • Use of expired certificates

  • Inclusion of plaintext API keys, private keys
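To make the two-tier approach described above concrete, here is a small added example (not JFrog's scanner; its 150+ patterns and generic matcher are proprietary) that combines a few fixed-prefix credential patterns with a Shannon-entropy matcher for secret-like assignments, run over constructed sample file contents. Pattern names, thresholds and sample values are this example's own; the AWS key is the placeholder key from the AWS documentation.

```python
import math
import re

# Tier 1: patterns for specific, well-known credential formats (two of this example's own,
# standing in for a long list of known types with fixed prefixes or PEM headers).
SPECIFIC_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Tier 2: a generic matcher for "<secret-like name> = <value>" assignments, accepted only when
# the value's entropy says it is random rather than a placeholder word.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|token|password|passwd|api_?key)\w*)\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; "xxxx..." scores 0, a random 24-char token ~4.58

def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value: str) -> str:
    """Keep only the edges of a matched value so a findings report never re-leaks the secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per detected secret: file, 1-based line, detector type, redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = [(name, m.group(0)) for name, p in SPECIFIC_PATTERNS.items() for m in p.finditer(line)]
        if not hits:  # the generic matcher is a fallback; a line with a specific hit is not re-reported
            hits = [("generic-high-entropy", m.group(2)) for m in GENERIC_ASSIGNMENT.finditer(line)
                    if shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD]
        findings += [{"file": path, "line": lineno, "type": t, "preview": redact(v)} for t, v in hits]
    return findings

def scan_all(files: dict) -> list[dict]:
    """Scan a {path: contents} mapping, standing in for walking an extracted artifact."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample "artifact contents"; nothing here is a real credential.
SAMPLE_FILES = {
    "app/config.env": "\n".join([
        "DB_PASSWORD=changeme",                       # too short for the generic matcher
        "SESSION_SECRET=xxxxxxxxxxxxxxxxxxxxxxxx",    # secret-like name, zero entropy: placeholder
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",     # tier 1 hit (AWS docs placeholder key)
        "STRIPE_TOKEN=q8Zk2mXp9vLr4tYw7nCb1sDf",      # unknown format, tier 2 hit on entropy
    ]),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEnotArealKeyBody\n-----END RSA PRIVATE KEY-----",
}
```

Running `scan_all(SAMPLE_FILES)` reports the AWS key, the Stripe-style token and the private key block, while the placeholder values stay silent.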

Services Category
Services Configuration Security

Detects whether common OSS libraries and services are configured securely, so an application can be easily hardened by default.

Xray scans for configuration issues and security malpractices for specific services and daemons included in your artifacts, such as web servers, database services, proxies, logging daemons, and so on.

Note

Supported Services:

  • Envoy

  • Etcd

  • Prometheus

  • NGINX

  • Apache

Examples:

  • Insecure use of credentials (NGINX credential in config file, credential stored insecurely)

  • Enforcement of secure communication (redirecting HTTP to HTTPS, enforcing TLS, TLS version)

  • Allowing weak crypto algorithms

  • Externally exposing Admin interface

  • Unauthenticated access to resources

Applications Category
Application Libraries Misuse

Detects whether common OSS libraries and services are used securely by the application.

Xray scans for configuration issues, security malpractices, and insecure usage of common OSS libraries in your application framework, including the use of excessive privileges, insecure communication methods, insufficient authorization mechanisms, or unsafe cryptographic operations.

Note

In this version, only Python and Node.js applications are supported.

Examples:

  • Insecure use of credentials (insecure key storage)

  • Enforcement of secure communication (redirecting HTTP to HTTPS, enforcing TLS, verifying the TLS certificates of all servers in Python scripts, enforcing TLS version, using secure HTTP headers)

  • Use of weak crypto keys

  • Throttle logins to prevent brute-force attacks (Throttle Node.js logins to prevent brute-force attacks)

  • Invoking Node.js exec functionality with user-provided input

IaC Category
IaC Security Analysis

Scans IaC files stored in Artifactory for early detection of cloud and infrastructure misconfigurations, to prevent attacks and data leaks.

Xray scans the Terraform states stored in Artifactory for cloud service configuration issues such as the examples below. Terraform states for AWS, Azure and GCP cloud services are covered.

Examples:

  • Insufficient access restrictions to services (public access to repositories, publicly accessible clusters, globally readable/deletable/writeable buckets, use of admin roles in ECS services, IAM users with privileged access to all resources, enforce authorization for all API Gateway methods)

  • Insecure use of credentials (use of hardcoded credentials)

  • Allowing weak crypto algorithms (use of weak cipher suites)

  • Running batches in privileged mode

  • Enforcement of secure communication (listening to HTTP, unencrypted communications)

  • Wildcard actions in Glue policies

  • Missing logging (e.g., found CloudTrail trails with logging disabled)

  • Disabled upgrades (e.g., RDS database instance with disabled minor engine upgrades)

  • Data at rest encryption enablement for Kinesis streams
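As an added illustration (not JFrog's scanner, whose rules are not published here), the following Python checks a constructed Terraform state file for four of the findings listed above: a public S3 bucket ACL, a CloudTrail trail with logging disabled, an RDS instance with minor engine upgrades disabled, and a Kinesis stream without at-rest encryption. Resource and attribute names follow the AWS Terraform provider schema; every value in the sample state is made up, and passing checks are kept with an OK status, mirroring the result view described later on this page.

```python
import json

# Constructed Terraform state (format version 4) mixing compliant and non-compliant AWS
# resources; names and values are made up, attribute names follow the AWS provider schema.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "resources": [
        {"type": "aws_s3_bucket", "name": "public_assets",
         "instances": [{"attributes": {"bucket": "example-public-assets", "acl": "public-read"}}]},
        {"type": "aws_s3_bucket", "name": "private_data",
         "instances": [{"attributes": {"bucket": "example-private-data", "acl": "private"}}]},
        {"type": "aws_cloudtrail", "name": "main",
         "instances": [{"attributes": {"name": "main-trail", "enable_logging": False}}]},
        {"type": "aws_db_instance", "name": "orders",
         "instances": [{"attributes": {"identifier": "orders-db", "auto_minor_version_upgrade": False}}]},
        {"type": "aws_kinesis_stream", "name": "events",
         "instances": [{"attributes": {"name": "events-stream", "encryption_type": "NONE"}}]},
    ],
})

# One rule per finding: (resource type, issue id, predicate that is True when the instance fails, message).
RULES = [
    ("aws_s3_bucket", "S3_PUBLIC_ACL",
     lambda a: a.get("acl") in ("public-read", "public-read-write"), "bucket ACL grants public access"),
    ("aws_cloudtrail", "CLOUDTRAIL_LOGGING_DISABLED",
     lambda a: a.get("enable_logging") is False, "CloudTrail trail has logging disabled"),
    ("aws_db_instance", "RDS_MINOR_UPGRADES_DISABLED",
     lambda a: a.get("auto_minor_version_upgrade") is False, "RDS instance has minor engine upgrades disabled"),
    ("aws_kinesis_stream", "KINESIS_UNENCRYPTED",
     lambda a: a.get("encryption_type", "NONE") == "NONE", "Kinesis stream has no encryption at rest"),
]

def check_state(state_json: str) -> list[dict]:
    """Evaluate every rule against every matching resource instance in the state.
    Passing checks are kept with status 'OK' so the report shows what was scanned, not only what failed."""
    state = json.loads(state_json)
    results = []
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            for rtype, issue_id, failed, message in RULES:
                if res["type"] == rtype:
                    results.append({"resource": f'{res["type"]}.{res["name"]}', "id": issue_id,
                                    "status": "To Fix" if failed(attrs) else "OK", "message": message})
    return results

def to_fix(results: list[dict]) -> list[dict]:
    """Only the findings that need action."""
    return [r for r in results if r["status"] == "To Fix"]
```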

How Does it Work?

Enabling/Disabling Scanning Categories

The scanning categories are disabled by default. You can enable or disable each category separately as desired.

Note

The scanning categories are applied to new scans only, not to existing indexed artifacts. The scan runs on indexed resources, but it does not run on the Index Artifacts History. For more information, see Indexing Xray Resources.

Note that in some cases the scan might take longer to complete, because deep scanning is involved.

If you would like to enable the scanning categories, do the following:

  1. In the Administration module, go to Xray | Settings | General and click Indexed Resources.

  2. Select the repository or build and select Configure.

  3. Select the categories you want to enable: Vulnerability Contextual Analysis, Services, Secrets, and Applications.

Viewing Scan Statuses and Results

Once an artifact is indexed, Xray checks whether the artifact contains any security issues in any of the categories you have enabled for scanning.

To view scan results, go to Application | Xray | Scans List.

  1. Select the resource type Repositories. Note that, in this version, the new scan categories are supported only for Repositories.

  2. Select the resource from the list.

    Each scan contains an overview of the results, such as how many vulnerabilities were found, the scan status, and so on. Note that each category has a set of scanners that search for specific issues. To give you full visibility into what Xray scanned for, the results show all scanners, including items that were scanned and found to be OK.

  3. Select the scan you want to view.

    The scan results are displayed under Security Issues.

  4. Select the issue to view more details. Each issue contains the following information:

    JFrog Severity Badge: The severity of the issue, as determined by the JFrog Security Research Team:

    • Critical

    • High

    • Medium

    • Low

    Status: There are two possible statuses:

    • To Fix: An issue that was found and should be fixed

    • OK: An issue Xray scanned for and verified is okay (i.e., no security issues were found)

    ID: Issue identifier

    CWE: The Common Weakness Enumeration (CWE) identifier for the weakness type this issue is associated with.

    Fix Cost: Estimate of the effort involved in applying the suggested resolution:

    • High effort: Substantial effort is required from the software developer. Examples include building code from source and applying broad configuration changes.

    • Medium effort: A medium-level action is required from the software developer. Examples include making changes to existing configurations.

    • Low effort: Minimal effort is required from the software developer. Examples include removing a file or making minor changes to existing configurations.

    Findings: Information on exactly what was found and where, the security impact of the issue, and what needs to be done to fix it.

    Outcomes: Possible consequences of an attack exploiting this issue.

Exposures Scan on an Existing Artifact

From Xray version 3.66.x, you can scan an existing artifact for Exposures. Do the following:

  1. From the Scans List page, Repositories tab, select the repository.

  2. Navigate to the artifact you want to scan.

  3. Click the Actions Menu next to the artifact, and select Scan for Exposures.

The results appear under Security Issues.

REST API Support

The following REST APIs are supported for the Exposures Scanning Categories feature: