Policies contain user-defined rules allowing you to trigger violations for specific vulnerabilities or license breaches by setting a license or security criteria, with a corresponding set of automatic actions according to your needs. Rules are processed according to the ascending order in which they are placed in the Rules list on the Policy. If a rule is met, the subsequent rules in the list will not be applied.
Xray supports the following policy types:
Security Rules
A Security Rule allows you to create a set of rules around security vulnerabilities. These are the possible criteria:
CVEs: Create a rule to generate violations on CVEs by the following:
Minimal Severity (Minor, Major, Critical, All): The minimal security vulnerability severity as it is in the JFrog vulnerabilities database. If the artifact or build contains a vulnerability with the selected severity or higher, the rule will meet the criteria, the automatic actions will be executed, and the policy will stop processing.
CVSS Score (1-10): The CVSS score range to apply to the rule. This is used for a fine-grained control, rather than using the predefined severities. The score range is based on CVSS v3 scoring, and CVSS v2 score is CVSS v3 score is not available.
CVE IDs: Create policy rules for specific vulnerability IDs that you input. You can add multiple vulnerability IDs up to 100, separated by ",". CVEs and Xray IDs are supported.
Except if a Fix Version is available: Xray will not generate violations for issues that do not contain a fixed version. If a fixed version is available later, the violation will be generated.
Skip if not applicable CVEs (JFrog Advanced Security only): If The CVE is not applicable as defined by a Contextual Analysis scan, the rule will not be applied.
Malicious Packages:Create a rule that generates violations for detected malicious packages.
Exposures: Create a rule to generate violations for detected Secrets, Applications, Services and IaC misconfigurations.
Package Version: Xray will generate violations for the specific packages defined in this Policy. Provide the package type and name, and versions. You can either select all versions of the package or custom versions. Custom versions allow you to add specific package versions, or include a range.
License Rules
A license Rule allows you to create a set of rules around license compliance. There are three possible criteria:
Allowed Licenses: Specifies an Allow List of OSS licenses that may be attached to a component. If a component has an OSS license outside the specified Allow List, The rule will meet the criteria, a violation will be generated, automatic actions will be executed, and the policy will stop processing.
Banned Licenses: Specifies a Block List of OSS licenses that may not be attached to a component. If a component has any of the OSS licenses specified, The rule will meet the criteria, a violation will be generated, automatic actions will be executed, and the policy will stop processing.
Multiple license permissive approach: A violation will not be generated if at least one license is valid in cases where multiple licenses were detected on the component.