View Xray Dependency Scan Results

JFrog Security Documentation

ft:sourceType
Paligo

This topic describes how to review the results of a dependency scan. For information on running an Xray dependency scan, see Xray Dependencies Scan.

The results are displayed in table format.

image (47).png

Note

For a list of field names used in the dependency scan, scroll down past the Sample Output and see the table Dependency Scan Field Names

You can also view results in JSON format for automation purposes and to view more scan results data by using the following command option:

--format=json

Sample Output

{
  "scan_id": "11148acb-f8d4-4640-56e4-db312cb5ba0c",
  "violations": [
    {
      "summary": "Apache Commons IO FileNameUtils.normalize Path Traversal Remote File Disclosure Weakness",
      "severity": "Medium",
      "type": "security",
      "components": {
        "gav://commons-io:commons-io:2.2": {
          "fixed_versions": [
            "[2.7]"
          ],
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://commons-io:commons-io:2.2",
                "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
              }
            ]
          ]
        }
      },
      "watch_name": "Sec-Watch",
      "issue_id": "XRAY-78200",
      "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=XRAY-78200&show_popup=true&type=security&watch_name=Sec-Watch",
      "cves": [
        {
        }
      ],
      "references": [
        "https://issues.apache.org/jira/browse/IO-556"
      ],
    },
    {
      "severity": "Medium",
      "type": "security",
      "components": {
        "gav://commons-io:commons-io:2.2": {
          "fixed_versions": [
            "[2.7]"
          ],
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://commons-io:commons-io:2.2",
                "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
              }
            ]
          },
          "watch_name": "Sec-Watch",
          "issue_id": "XRAY-172728",
          "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=XRAY-172728&show_popup=true&type=security&watch_name=Sec-Watch",
          "cves": [
            {
              "cve": "CVE-2021-29425",
              "cvss_v2_score": "5.0",
              "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N",
              "cvss_v3_score": "5.3",
              "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
            }
          ],
          "references": [
            "https://issues.apache.org/jira/browse/IO-556",
            "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
          ],
        },
        {
          "severity": "High",
          "type": "license",
          "components": {
            "gav://org.slf4j:slf4j-api:1.7.5": {
              "impact_paths": [
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                  },
                  {
                    "component_id": "gav://org.slf4j:slf4j-api:1.7.5",
                    "full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"
                  }
                ]
              ]
            }
          },
          "watch_name": "Sec-Watch",
          "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=MIT&show_popup=true&type=security&watch_name=Sec-Watch",
          "references": [
            "http://www.opensource.org/licenses/MIT",
            "http://www.opensource.org/licenses/mit-license.php",
            "https://spdx.org/licenses/MIT",
            "https://spdx.org/licenses/MIT.html"
          ],
          "license_key": "MIT",
          "license_name": "The MIT License",
        }
      ],
      "licenses": [
        {
          "license_key": "Apache-2.0",
          "components": {
            "gav://commons-io:commons-io:2.2": {
              "impact_paths": [
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                  },
                  {
                    "component_id": "gav://commons-io:commons-io:2.2",
                    "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
                  }
                ]
              ]
            },
            "gav://commons-lang:commons-lang:2.6": {
              "impact_paths": [
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                  },
                  {
                    "component_id": "gav://commons-lang:commons-lang:2.6",
                    "full_path": "META-INF/maven/commons-lang/commons-lang/pom.xml"
                  }
                ]
              ]
            },
            "gav://de.is24.common:appmon4j-agent:1.53": {
              "impact_paths": [
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "META-INF/maven/de.is24.common/appmon4j-agent/pom.xml"
                  }
                ],
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  }
                ],
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                  }
                ]
              ]
            },
            "gav://de.is24.common:appmon4j-core:1.53": {
              "impact_paths": [
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                  },
                  {
                  }"http://www.opensource.org/licenses/Apache-2.0",
                  {
                    "impact_paths": [
                    ]"status": "completed""violations": [
                      "severity": "Medium",
                      "type": "security",
                      {
                        "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                      ],
                    },
                    "type": "security",
                    "components": {
                      {
                        "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                        "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N",
                      }"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
                    ],
                  },
                  {
                  },
                  {
                    "references": [
                      "https://spdx.org/licenses/MIT.html""license_name": "The MIT License",
                    }"gav://commons-io:commons-io:2.2": {
                    },
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar""impact_paths": [
                      "component_id": "gav://de.is24.common:appmon4j-agent:1.53""full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                    },
                    "gav://de.is24.common:appmon4j-agent:1.53": {
                      {
                        "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                      },
                      {
                        "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                        "component_id": "gav://de.is24.common:appmon4j-agent:1.53"[
                          {
                            "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                            [
                              {
                                "component_id": "gav://de.is24.common:appmon4j-core:1.53",
                                "full_path": "META-INF/maven/de.is24.common/appmon4j-core/pom.xml"
                              }
                            ]
                          ]
                        }
                      },
                      "references": [
                        "http://www.opensource.org/licenses/Apache-2.0",
                        "http://www.opensource.org/licenses/apache2.0.php",
                        "https://spdx.org/licenses/Apache-2.0",
                        "https://spdx.org/licenses/Apache-2.0.html",
                        "http://www.apache.org/licenses/LICENSE-2.0",
                        "https://licenses.nuget.org/Apache-2.0",
                        "http://licenses.nuget.org/Apache-2.0",
                        "https://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt",
                        "http://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt"
                      ]
                    },
                    {
                      "license_key": "MIT",
                      "components": {
                        "gav://org.slf4j:slf4j-api:1.7.5": {
                          "impact_paths": [
                            [
                              {
                                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                              },
                              {
                                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                              },
                              {
                                "component_id": "gav://org.slf4j:slf4j-api:1.7.5",
                                "full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"
                              }
                            ]
                          ]
                        }
                      },
                      "references": [
                        "http://www.opensource.org/licenses/MIT",
                        "http://www.opensource.org/licenses/mit-license.php",
                        "https://spdx.org/licenses/MIT",
                        "https://spdx.org/licenses/MIT.html"
                      ]
                    }
                  ],
                  "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                  "package_type": "Maven",
                  "status": "completed"
                }
              }

Dependency Scan Field Names

Field Name

Description

Example

artifact_name

The name of the artifact.

jenkins-war-2.289.1.war

component_id

Component ID in JFrog Component Format Standards.

gav://org.jenkins-ci.main:jenkins-war:2.289.1

package_type

Type of the artifact package.

Maven

repo_path

The repo path as it was provided in the scan request.

default/maven-local-repo/org/jenkins-ci/main/jenkins-war/2.289.1/

scan_id

Unique scan ID.

4f811ab8-51a2-4baf-61d3-3a277aaa8066

status

Scan status. If a scan is pending, completed or failed.

pending

failed

completed

violations

A list of minimal violations.

violations[].summary

violations[].severity

Medium

Critical

violations[].type

Security or license.

security

violations[].components

Map of violating component the lowest level in the artifact graph. The Key is component ID.

violations[].components[].impact_paths

List of impact paths. Each impact path is a JSON array by itself, indicating the path from the artifact in the scan to the vulnerable component in the graph.

violations[].components[].impact_paths[][].component_id

The component ID in the current impact path node.

gav://commons-httpclient:commons-httpclient:3.1-jenkins-2

violations[].components[].impact_paths[][].full_path

The file path of the current component, relative to the previous component in the list. The first component (which is the artifact itself) will not have full_path filled.

META-INF/maven/commons-httpclient/commons-httpclient/pom.xml

violations[].components[].fixed_versions

Versions of the component in which this violation is not effective anymore.

["[4.0.9-2+deb9u4]", "[4.0.10-3+deb9u4]"]

violations[].watch_name

Watch that created the violation.

cloud-watch

violations[].issue_id

Xray issue ID.

XRAY-73704

violations[].ignore_url

Violation Ignore Rule Creation URL.

http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=MIT&show_popup=true&type=security&watch_name=Sec-Watch

violations[].cves

List of CVE objects.

violations[].cves[].cve

CVE ID.

CVE-2018-9116

violations[].cves[].cvss_v2_score

6.4

violations[].cves[].cvss_v3_score

9.1

violations[].cves[].cvss_v2_vector

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P

violations[].cves[].cvss_v3_vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

violations[].references

Links for more information.

violations[].fail_build

Indicates if this violation fails a build.

true

violations[].license_key

Apache-2.0

violations[].license_name

The Apache Software License, Version 2.0

vulnerabilities

List of vulnerabilities discovered on the scanned graph.

vulnerabilities[].cves

List of CVE objects.

vulnerabilities[].summary

Summary of the vulnerability.

vulnerabilities[].severity

Medium

Critical

vulnerabilities[].vulnerable_components

List of vulnerable components, the lowest level in the artifact graph

[" npm://highlight.js:9.18.3"]

vulnerabilities[].components

List of vulnerable components, the lowest level in the artifact graph.

licenses

List of licenses

licenses[].license_key

Apache-2.0

licenses[].license_name

The Apache Software License, Version 2.0

licenses[].components

Map of components with this license, where the key is component ID.

licenses[].custom

Indicated if this is a custom license.

false

licenses[].references

Links for more information