If you are working in an offline mode, you need to manually sync the database to download vulnerabilities and enable CVSS v3.0 scoring.
Do the following:
In the Administration module, go to Xray Security and Compliance and select Database Sync.
Select the Offline sync mode and click Generate Download Command.
A command is generated similar to this:
jfrog xr offline-update --license-id=<LICENSE_ID> --version=<XRAY_VERSION>
If the command includes From and To parameters, remove them so that the command looks like the example above.
Copy the command and run it in the CLI.
Unzip the vulnerabilities file, for example, vuln_-{NUMBER}.zip. It contains two additional zip files:
onboardingf__vulnR1_XX__.zip
onboardingf__vulnS1_X__.zip
Copy the two downloaded zip files from your DMZ environment to the Xray server. Required permission is 770.
${XRAY_HOME}/var/work/server/updates/data_migration/cvss_v3_files/
Trigger the CVSS v3.0 vulnerabilities persistence migration:
[POST] <XRAY_URL>/api/v1/migration/trigger/cvss_v3_vulnerabilities
Use the migration status REST API to monitor the CVSS v3.0 upgrade process. To learn more about running Xray commands, see Xray REST API.
Once the migration is completed, the status will be set to enabled_finished. If the migration was executed before Artifactory was upgraded to the supported version (Artifactory 7.17 and above), the status will be set to vuln_finished. In case of any other status that contains failure information, check the logs and/or contact JFrog's customer support.
[GET] <XRAY_URL>/api/v1/migration/cvssV3/status
Sample Response:
{ "status": "enable_finished", "status_msg": "CVSS V3 enable migration finished successfully" }
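The unzip and copy steps above can be scripted so that the two inner zip files are integrity-checked before they reach the Xray server. The following is an added example, not JFrog's own tooling: the function names and sample file names are hypothetical, and it assumes the 770 requirement applies to the copied files themselves.

```python
import hashlib
import io
import os
import tempfile
import zipfile
from pathlib import Path

REQUIRED_MODE = 0o770  # assumption: "770" applies to the staged files themselves
EXPECTED_INNER = 2     # the outer archive is documented to hold two zip files


def stage_cvss_v3_files(outer_zip, dest_dir):
    """Extract, verify and chmod the inner zips; return {file name: SHA-256}."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    staged = {}
    with zipfile.ZipFile(outer_zip) as outer:
        inner = [i for i in outer.infolist() if i.filename.lower().endswith(".zip")]
        if len(inner) != EXPECTED_INNER:
            raise ValueError(f"expected {EXPECTED_INNER} inner zips, found {len(inner)}")
        for info in inner:
            name = Path(info.filename).name  # base name only: no path escape
            data = outer.read(info)          # raises BadZipFile on CRC mismatch
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                bad = z.testzip()            # first corrupt member, or None
                if bad is not None:
                    raise ValueError(f"{name}: corrupt member {bad}")
            target = dest / name
            target.write_bytes(data)
            os.chmod(target, REQUIRED_MODE)
            staged[name] = hashlib.sha256(data).hexdigest()
    return staged


def build_sample_archive(path):
    """Constructed sample: an outer zip holding two small inner zips."""
    with zipfile.ZipFile(path, "w") as outer:
        for name in ("sample_inner_a.zip", "sample_inner_b.zip"):
            buf = io.BytesIO()
            with zipfile.ZipFile(buf, "w") as inner:
                inner.writestr("data.json", '{"constructed": true}')
            outer.writestr(name, buf.getvalue())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_archive(f"{tmp}/outer.zip")
        print(stage_cvss_v3_files(f"{tmp}/outer.zip", f"{tmp}/staged"))
```

On the Xray server, dest_dir would be ${XRAY_HOME}/var/work/server/updates/data_migration/cvss_v3_files/; comparing the returned SHA-256 values on both sides of the DMZ transfer shows whether the files arrived unchanged.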