This topic describes how to review the results of a dependency scan. For information on running an Xray dependency scan, see Xray Dependencies Scan.
The results are displayed in table format.
Note
For a list of the field names used in the dependency scan output, scroll down past the Sample Output to the table Dependency Scan Field Names.
You can also output the results in JSON format, which exposes more of the scan data and is suited to automation, by using the following command option:
--format=json
Sample Output
{ "scan_id": "11148acb-f8d4-4640-56e4-db312cb5ba0c", "violations": [ { "summary": "Apache Commons IO FileNameUtils.normalize Path Traversal Remote File Disclosure Weakness", "severity": "Medium", "type": "security", "components": { "gav://commons-io:commons-io:2.2": { "fixed_versions": [ "[2.7]" ], "impact_paths": [ [ { "component_id": "gav://de.is24.common:appmon4j-agent:1.53" }, { "component_id": "gav://de.is24.common:appmon4j-agent:1.53", "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar" }, { "component_id": "gav://commons-io:commons-io:2.2", "full_path": "META-INF/maven/commons-io/commons-io/pom.xml" } ] ] } }, "watch_name": "Sec-Watch", "issue_id": "XRAY-78200", "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=XRAY-78200&show_popup=true&type=security&watch_name=Sec-Watch", "cves": [ { } ], "references": [ "https://issues.apache.org/jira/browse/IO-556" ] }, { "severity": "Medium", "type": "security", "components": { "gav://commons-io:commons-io:2.2": { "fixed_versions": [ "[2.7]" ], "impact_paths": [ [ { "component_id": "gav://de.is24.common:appmon4j-agent:1.53" }, { "component_id": "gav://de.is24.common:appmon4j-agent:1.53", "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar" }, { "component_id": "gav://commons-io:commons-io:2.2", "full_path": "META-INF/maven/commons-io/commons-io/pom.xml" } ] ] } }, "watch_name": "Sec-Watch", "issue_id": "XRAY-172728", "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=XRAY-172728&show_popup=true&type=security&watch_name=Sec-Watch", "cves": [ { "cve": "CVE-2021-29425", "cvss_v2_score": "5.0", "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N", "cvss_v3_score": "5.3", "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "references": [ "https://issues.apache.org/jira/browse/IO-556", 
"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E" ] }, { "severity": "High", "type": "license", "components": { "gav://org.slf4j:slf4j-api:1.7.5": { "impact_paths": [ [ { "component_id": "gav://de.is24.common:appmon4j-agent:1.53" }, { "component_id": "gav://de.is24.common:appmon4j-agent:1.53", "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar" }, { "component_id": "gav://org.slf4j:slf4j-api:1.7.5", "full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml" } ] ] } }, "watch_name": "Sec-Watch", "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=MIT&show_popup=true&type=security&watch_name=Sec-Watch", "references": [ "http://www.opensource.org/licenses/MIT", "http://www.opensource.org/licenses/mit-license.php", "https://spdx.org/licenses/MIT", "https://spdx.org/licenses/MIT.html" ], "license_key": "MIT", "license_name": "The MIT License" } ], "licenses": [ { "license_key": "Apache-2.0", "components": { "gav://commons-io:commons-io:2.2": { "impact_paths": [ [ { "component_id": "gav://de.is24.common:appmon4j-agent:1.53" }, { "component_id": "gav://de.is24.common:appmon4j-agent:1.53", "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar" }, { "component_id": "gav://commons-io:commons-io:2.2", "full_path": "META-INF/maven/commons-io/commons-io/pom.xml" } ] ] }, "gav://commons-lang:commons-lang:2.6": { "impact_paths": [ [ { "component_id": "gav://de.is24.common:appmon4j-agent:1.53" }, { "component_id": "gav://de.is24.common:appmon4j-agent:1.53", "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar" }, { "component_id": "gav://commons-lang:commons-lang:2.6", "full_path": "META-INF/maven/commons-lang/commons-lang/pom.xml" } ] ] }, "gav://de.is24.common:appmon4j-agent:1.53": { "impact_paths": [ [ { "component_id": 
"gav://de.is24.common:appmon4j-agent:1.53" }, { "component_id": "gav://de.is24.common:appmon4j-agent:1.53", "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar" }, { "component_id": "gav://de.is24.common:appmon4j-agent:1.53", "full_path": "META-INF/maven/de.is24.common/appmon4j-agent/pom.xml" } ], [ { "component_id": "gav://de.is24.common:appmon4j-agent:1.53" } ], [ { "component_id": "gav://de.is24.common:appmon4j-agent:1.53" }, { "component_id": "gav://de.is24.common:appmon4j-agent:1.53", "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar" } ] ] }, "gav://de.is24.common:appmon4j-core:1.53": { "impact_paths": [ [ { "component_id": "gav://de.is24.common:appmon4j-agent:1.53" }, { "component_id": "gav://de.is24.common:appmon4j-agent:1.53", "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar" }, 
{ "component_id": "gav://de.is24.common:appmon4j-core:1.53", "full_path": "META-INF/maven/de.is24.common/appmon4j-core/pom.xml" } ] ] } }, "references": [ "http://www.opensource.org/licenses/Apache-2.0", "http://www.opensource.org/licenses/apache2.0.php", "https://spdx.org/licenses/Apache-2.0", "https://spdx.org/licenses/Apache-2.0.html", "http://www.apache.org/licenses/LICENSE-2.0", "https://licenses.nuget.org/Apache-2.0", "http://licenses.nuget.org/Apache-2.0", "https://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt", "http://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt" ] }, { "license_key": "MIT", "components": { "gav://org.slf4j:slf4j-api:1.7.5": { "impact_paths": [ [ { "component_id": "gav://de.is24.common:appmon4j-agent:1.53" }, { "component_id": "gav://de.is24.common:appmon4j-agent:1.53", "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar" }, { "component_id": "gav://org.slf4j:slf4j-api:1.7.5", "full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml" } ] ] } }, "references": [ "http://www.opensource.org/licenses/MIT", "http://www.opensource.org/licenses/mit-license.php", "https://spdx.org/licenses/MIT", "https://spdx.org/licenses/MIT.html" ] } ], "component_id": "gav://de.is24.common:appmon4j-agent:1.53", "package_type": "Maven", "status": "completed" }
Dependency Scan Field Names
Field Name | Description | Example |
---|---|---|
artifact_name | The name of the artifact. | jenkins-war-2.289.1.war |
component_id | Component ID in JFrog Component Format Standards. | gav://org.jenkins-ci.main:jenkins-war:2.289.1 |
package_type | Type of the artifact package. | Maven |
repo_path | The repo path as it was provided in the scan request. | default/maven-local-repo/org/jenkins-ci/main/jenkins-war/2.289.1/ |
scan_id | Unique scan ID. | 4f811ab8-51a2-4baf-61d3-3a277aaa8066 |
status | Scan status: pending, completed or failed. | pending failed completed |
violations | A list of minimal violations. | |
violations[].summary | Summary of the violation. | |
violations[].severity | Severity of the violation. | Medium Critical |
violations[].type | Security or license. | security |
violations[].components | Map of violating components, the lowest level in the artifact graph. The key is the component ID. | |
violations[].components[].impact_paths | List of impact paths. Each impact path is a JSON array by itself, indicating the path from the artifact in the scan to the vulnerable component in the graph. | |
violations[].components[].impact_paths[][].component_id | The component ID in the current impact path node. | gav://commons-httpclient:commons-httpclient:3.1-jenkins-2 |
violations[].components[].impact_paths[][].full_path | The file path of the current component, relative to the previous component in the list. The first component (which is the artifact itself) will not have full_path filled. | META-INF/maven/commons-httpclient/commons-httpclient/pom.xml |
violations[].components[].fixed_versions | Versions of the component in which this violation no longer applies. | ["[4.0.9-2+deb9u4]", "[4.0.10-3+deb9u4]"] |
violations[].watch_name | Watch that created the violation. | cloud-watch |
violations[].issue_id | Xray issue ID. | XRAY-73704 |
violations[].ignore_url | Violation Ignore Rule Creation URL. | http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=MIT&show_popup=true&type=security&watch_name=Sec-Watch |
violations[].cves | List of CVE objects. | |
violations[].cves[].cve | CVE ID. | CVE-2018-9116 |
violations[].cves[].cvss_v2_score | CVSS v2 score. | 6.4 |
violations[].cves[].cvss_v3_score | CVSS v3 score. | 9.1 |
violations[].cves[].cvss_v2_vector | CVSS v2 vector string. | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P |
violations[].cves[].cvss_v3_vector | CVSS v3 vector string. | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
violations[].references | Links for more information. | |
violations[].fail_build | Indicates if this violation fails a build. | true |
violations[].license_key | License key of the violating license. | Apache-2.0 |
violations[].license_name | Full name of the violating license. | The Apache Software License, Version 2.0 |
vulnerabilities | List of vulnerabilities discovered on the scanned graph. | |
vulnerabilities[].cves | List of CVE objects. | |
vulnerabilities[].summary | Summary of the vulnerability. | |
vulnerabilities[].severity | Severity of the vulnerability. | Medium Critical |
vulnerabilities[].vulnerable_components | List of vulnerable components, the lowest level in the artifact graph. | ["npm://highlight.js:9.18.3"] |
vulnerabilities[].components | List of vulnerable components, the lowest level in the artifact graph. | |
licenses | List of licenses found in the scanned graph. | |
licenses[].license_key | License key. | Apache-2.0 |
licenses[].license_name | Full name of the license. | The Apache Software License, Version 2.0 |
licenses[].components | Map of components with this license, where the key is component ID. | |
licenses[].custom | Indicates whether this is a custom license. | false |
licenses[].references | Links for more information. | |