Upgrade Xray with CVSS v3.0 Support in an Offline Mode

JFrog Security Documentation

If you are working in an offline mode, you need to manually sync the database to download vulnerabilities and enable CVSS v3.0 scoring.

Do the following:

  1. In the Administration module, go to Xray Security and Compliance and select Database Sync.

  2. Select the Offline sync mode and click Generate Download Command.

  3. A command is generated similar to this:

    jfrog xr offline-update --license-id=<LICENSE_ID> --version=<XRAY_VERSION>

    If the generated command includes From and To parameters, remove them so that the command looks like the example above.

  4. Copy the command and run it in the CLI.

  5. Unzip the vulnerabilities file, for example, vuln_-{NUMBER}.zip. It contains two additional zip files:

    1. onboardingf__vulnR1_XX__.zip

    2. onboardingf__vulnS1_X__.zip

  6. Copy the two downloaded zip files from your DMZ environment to the following directory on the Xray server. The required permission on the files is 770.

    ${XRAY_HOME}/var/work/server/updates/data_migration/cvss_v3_files/

  7. Trigger the CVSS v3.0 vulnerabilities persistence migration:

    [POST] <XRAY_URL>/api/v1/migration/trigger/cvss_v3_vulnerabilities

  8. Use the migration status REST API to monitor the CVSS v3.0 upgrade process. To learn more about running Xray commands, see Xray REST APIs.

    Once the migration is completed, the status will be set to enable_finished. If the migration was executed before Artifactory was upgraded to the supported version (Artifactory 7.17 and above), the status will be set to vuln_finished. If the status contains failure information, check the logs and/or contact JFrog's customer support.

    [GET] <XRAY_URL>/api/v1/migration/cvssV3/status

    Sample Response:

    {
       "status": "enable_finished",
       "status_msg": "CVSS V3 enable migration finished successfully"
    }
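The following script is an added example, not part of the JFrog documentation or the Xray product, that drives steps 6 to 8 above from a POSIX shell: it stages the two onboarding zips with permission 770, triggers the migration, and polls the status endpoint until a terminal status is reached. It interprets the status values the page describes (enable_finished, vuln_finished, anything carrying failure information). The XRAY_URL, XRAY_HOME and XRAY_TOKEN values are placeholders, and the use of a bearer token in the Authorization header is an assumption about how the Xray REST API is authenticated in your environment.

```shell
#!/bin/sh
# Added example (not JFrog's code): offline CVSS v3.0 migration helper for steps 6-8.
# All URLs, paths and tokens below are placeholders to be replaced for a real run.
set -eu

XRAY_URL="${XRAY_URL:-https://xray.example.internal}"        # placeholder
XRAY_HOME="${XRAY_HOME:-/opt/jfrog/xray}"                    # placeholder
XRAY_TOKEN="${XRAY_TOKEN:-REPLACE_WITH_ACCESS_TOKEN}"        # placeholder (assumed bearer auth)
CVSS_DIR="${XRAY_HOME}/var/work/server/updates/data_migration/cvss_v3_files"

# Pull the "status" field out of the flat JSON object the status API returns.
# Uses sed rather than jq so it runs on a minimal DMZ or server host.
extract_status() {
    printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Map a status response to a verdict the operator can act on:
#   done                -> enable_finished (migration complete)
#   upgrade_artifactory -> vuln_finished (ran before Artifactory 7.17+; finish after upgrading)
#   failed              -> status carries failure information; check logs / contact support
#   unparsable          -> no status field found in the response
#   in_progress         -> anything else; keep polling
classify_status() {
    case "$(extract_status "$1")" in
        enable_finished) echo done ;;
        vuln_finished)   echo upgrade_artifactory ;;
        *fail*|*error*)  echo failed ;;
        "")              echo unparsable ;;
        *)               echo in_progress ;;
    esac
}

# Step 6: copy the onboarding zips into the migration directory with mode 770.
# Usage: stage_zips "$CVSS_DIR" onboardingf__vulnR1_XX__.zip onboardingf__vulnS1_X__.zip
stage_zips() {
    dir="$1"; shift
    mkdir -p "$dir"
    for f in "$@"; do
        install -m 770 "$f" "$dir/"
    done
}

# Step 7: trigger the CVSS v3.0 vulnerabilities persistence migration (POST, empty body).
trigger_migration() {
    curl -fsS -X POST -H "Authorization: Bearer ${XRAY_TOKEN}" \
        "${XRAY_URL}/api/v1/migration/trigger/cvss_v3_vulnerabilities"
}

# Step 8: poll the status endpoint every 30 seconds until a terminal verdict; print each verdict.
poll_migration() {
    while :; do
        resp="$(curl -fsS -H "Authorization: Bearer ${XRAY_TOKEN}" \
            "${XRAY_URL}/api/v1/migration/cvssV3/status")"
        verdict="$(classify_status "$resp")"
        echo "$verdict"
        case "$verdict" in
            in_progress) sleep 30 ;;
            *) return 0 ;;
        esac
    done
}

# Typical run (commented out so the file can be sourced without side effects):
# stage_zips "$CVSS_DIR" onboardingf__vulnR1_XX__.zip onboardingf__vulnS1_X__.zip
# trigger_migration
# poll_migration
```

Sourcing the file and calling `classify_status` on the sample response shown above yields `done`; a `vuln_finished` response yields `upgrade_artifactory`, which tells the operator to upgrade Artifactory to 7.17 or later before treating the migration as complete.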