Subscription Information
This feature is supported with the Enterprise X or Enterprise+ license, with the Advanced Security Add-on.
Overview
As part of the JFrog Security and JFrog research team's continuous effort to enhance security, Xray introduces an additional capability: Vulnerability Contextual Analysis. Xray previously released the JFrog Security CVE Research and Enrichment feature, which provides enhanced analysis of CVE findings so that you can focus on the most important issues and invest remediation effort where it matters most. Vulnerability Contextual Analysis extends that capability, ensuring Xray's analysis findings are as focused as possible.
The Issue
When Xray scans your packages, it can potentially find thousands of vulnerabilities. Developers then have to sift through these long lists to identify which findings are relevant, and in some cases it is hard to know where to start, because many of these vulnerabilities may not affect your artifacts at all. This process is error-prone and time-consuming.
The Solution
Vulnerability Contextual Analysis uses the artifact context to eliminate false positive reports on vulnerabilities that are not applicable. This process involves automated scanners running on top of the container to find reachable paths for the analyzed vulnerabilities. Xray automatically validates some high and very high-impact vulnerabilities, such as vulnerabilities that have prerequisites for exploitation, and provides contextual analysis information for them, to help you determine which vulnerabilities are applicable to a specific artifact.
What are the Benefits of Vulnerability Contextual Analysis?
Analyzes the finished code the way an attacker would. Know what issues are exploitable and their potential impact.
Tests an issue in the context of the complete artifact, also within a build or Release Bundle.
Enables action and remediation in the context of the actual artifact, build or Release Bundle.
Note
Important details in regard to the Contextual Analysis feature:
Supported packages:
Docker
OCI
Maven (Xray version 3.77.4)
Rust with cargo auditable build (Xray version 3.79.x)
Covers hundreds of CVEs with support for JavaScript, Python, and compiled binaries: Java, Kotlin, C/C++ and Golang. (Java supports only Uber JARs; see Create Uber JAR below for an example of building one.)
How Does it Work?
Enabling/Disabling Contextual Analysis
Vulnerability Contextual Analysis is disabled by default for new artifacts in all resources that are marked for indexing by Xray. To enable, do the following:
Navigate to the Administration module, go to Xray | Settings | General and click Indexed Resources.
Select the repository or build and select Configure.
Enable the Vulnerability Contextual Analysis option.
Note
Contextual Analysis is applied on new scans only, and not on existing scans. The analysis will run on indexed resources, however, it will not run on the Index Artifacts History. For more information, see Indexing Xray Resources.
From Xray version 3.66.x, you can also scan an existing artifact for Vulnerability Contextual Analysis.
Take note that in some cases, as deep scanning is involved, the scan might take longer to complete.
Contextual Analysis Statuses and Results
Once an artifact is indexed in Xray as part of a single upload, build or Release Bundle, Xray will validate if the artifact contains vulnerabilities that are considered to have a very high impact. If such vulnerabilities are found, Xray will run the contextual analysis and retrieve the contextual analysis results. The results consist of the following:
Vulnerability Contextual Analysis Statuses
Not applicable: Xray determined that the vulnerability does not affect this artifact.
Applicable: Xray determined that the vulnerability affects this artifact.
Undetermined - not triggered: An admin needs to enable this feature.
Undetermined - analysis in progress: Xray is still analyzing the vulnerability's applicability; the vulnerability details show "analysis in progress".
Undetermined - inconclusive: Xray was unable to determine whether the vulnerability is applicable or not.
Undetermined - no scanner: An applicability scanner for this vulnerability is not available.
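The statuses above map directly onto triage decisions: Applicable findings need fixing, Not applicable ones can be deprioritized, and each Undetermined variant calls for a different follow-up (enable the feature, wait, or review manually). The following Python script, an added example and not JFrog code, groups a scan result by these status strings and builds an ordered work queue. The record layout it consumes (cve, severity, applicability) and the CVE identifiers are constructed sample data, not the exact shape of the Xray API response.

```python
"""Triage of Xray findings by Vulnerability Contextual Analysis status.

Added example, not JFrog code. The record layout below ("cve", "severity",
"applicability") is a constructed sample, not the exact Xray API schema.
"""
from collections import defaultdict

# Status strings exactly as listed in the documentation.
NOT_APPLICABLE = "Not applicable"
APPLICABLE = "Applicable"
UNDETERMINED_NOT_TRIGGERED = "Undetermined - not triggered"
UNDETERMINED_IN_PROGRESS = "Undetermined - analysis in progress"
UNDETERMINED_INCONCLUSIVE = "Undetermined - inconclusive"
UNDETERMINED_NO_SCANNER = "Undetermined - no scanner"

# What each status means for the person doing the triage.
NEXT_ACTION = {
    APPLICABLE: "fix now: reachable in this artifact",
    NOT_APPLICABLE: "deprioritize: not reachable in this artifact",
    UNDETERMINED_NOT_TRIGGERED: "enable Contextual Analysis on the repository and rescan",
    UNDETERMINED_IN_PROGRESS: "wait for the analysis to finish",
    UNDETERMINED_INCONCLUSIVE: "manual review: scanner could not decide",
    UNDETERMINED_NO_SCANNER: "manual review: no applicability scanner for this CVE",
}

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def triage(findings):
    """Group findings by applicability status, each group ordered by severity.

    Unknown or missing status strings are kept under their own key so that
    nothing is silently dropped from the result.
    """
    groups = defaultdict(list)
    for finding in findings:
        groups[finding.get("applicability", "missing")].append(finding)
    for items in groups.values():
        items.sort(key=lambda f: SEVERITY_RANK.get(f.get("severity"), 99))
    return dict(groups)


def work_queue(findings):
    """Return (cve, action) pairs a developer should look at.

    Applicable findings come first, then the Undetermined variants that need a
    human decision; Not applicable findings are left out of the queue.
    """
    groups = triage(findings)
    ordered = [APPLICABLE, UNDETERMINED_INCONCLUSIVE, UNDETERMINED_NO_SCANNER,
               UNDETERMINED_NOT_TRIGGERED, UNDETERMINED_IN_PROGRESS]
    queue = []
    for status in ordered:
        for finding in groups.get(status, []):
            queue.append((finding["cve"], NEXT_ACTION[status]))
    return queue


# Constructed sample scan output; CVE ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "severity": "Critical", "applicability": APPLICABLE},
    {"cve": "CVE-0000-0002", "severity": "High", "applicability": NOT_APPLICABLE},
    {"cve": "CVE-0000-0003", "severity": "High", "applicability": UNDETERMINED_NO_SCANNER},
    {"cve": "CVE-0000-0004", "severity": "Medium", "applicability": UNDETERMINED_NOT_TRIGGERED},
    {"cve": "CVE-0000-0005", "severity": "Critical", "applicability": UNDETERMINED_INCONCLUSIVE},
    {"cve": "CVE-0000-0006", "severity": "Low", "applicability": NOT_APPLICABLE},
]

if __name__ == "__main__":
    for cve, action in work_queue(SAMPLE_FINDINGS):
        print(f"{cve}: {action}")
```

Keeping the Undetermined findings in the queue rather than discarding them is deliberate: "not triggered" and "no scanner" are gaps in coverage, not evidence that a vulnerability is unreachable.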
Vulnerability Contextual Analysis Results
The contextual analysis results can be accessed from Scans List.
Run Contextual Analysis on an Existing Artifact
From Xray version 3.66.x, you can run contextual analysis on an existing artifact. Do the following:
From the Scans List page, Repositories tab, select the repository.
Navigate to the artifact you want.
Click the Actions Menu next to the artifact, and select Run Contextual Analysis.
The results appear under Security Issues > Vulnerabilities.
Create Uber JAR
You can use “spring-boot-maven-plugin” for creating the Uber JAR. Here is an example of how to use it in a pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.example</groupId>
    <artifactId>MavenTest</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencies>
        <!-- log4j-core is published under the org.apache.logging.log4j groupId -->
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.14.0</version>
        </dependency>
    </dependencies>

    <build>
        <finalName>my-project-name</finalName>
        <plugins>
            <!-- The repackage goal bundles all dependencies into a single Uber JAR -->
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <version>2.7.14</version>
                <executions>
                    <execution>
                        <goals>
                            <goal>repackage</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
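Because Java contextual analysis only runs on Uber JARs, it is worth confirming that the build actually produced one before uploading it. The Python script below is an added example, not JFrog code: it inspects a JAR's layout for what the spring-boot-maven-plugin repackage goal writes (dependency jars under BOOT-INF/lib/ and a JarLauncher Main-Class in the manifest) and rejects a plain "thin" JAR. The in-memory sample JARs it builds are constructed test data; the launcher class name is the one Spring Boot 2.x writes.

```python
"""Check that a Maven build produced an Uber JAR before handing it to Xray.

Added example, not JFrog code. It looks for the layout that the
spring-boot-maven-plugin repackage goal produces: dependency jars under
BOOT-INF/lib/ and a launcher Main-Class in the manifest.
"""
import io
import sys
import zipfile
from pathlib import Path

BOOT_LIB_PREFIX = "BOOT-INF/lib/"
MANIFEST = "META-INF/MANIFEST.MF"


def inspect_jar(jar_bytes):
    """Describe whether the JAR bundles its dependencies.

    Returns {'main_class', 'bundled', 'is_uber'}: 'bundled' lists the nested
    dependency jars and 'is_uber' is True only when at least one is present
    and the manifest Main-Class is a Spring Boot JarLauncher.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest = zf.read(MANIFEST).decode("utf-8") if MANIFEST in names else ""
    bundled = sorted(n[len(BOOT_LIB_PREFIX):] for n in names
                     if n.startswith(BOOT_LIB_PREFIX) and n.endswith(".jar"))
    main_class = ""
    for line in manifest.splitlines():
        if line.startswith("Main-Class:"):
            main_class = line.split(":", 1)[1].strip()
    return {
        "main_class": main_class,
        "bundled": bundled,
        "is_uber": bool(bundled) and main_class.endswith("JarLauncher"),
    }


def build_sample_jar(with_dependencies):
    """Construct a tiny JAR in memory (sample data, not real Maven output).

    with_dependencies=True mimics a repackaged Uber JAR; False mimics the
    thin JAR the default maven-jar-plugin produces.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_dependencies:
            zf.writestr(MANIFEST, "Manifest-Version: 1.0\n"
                                  "Main-Class: org.springframework.boot.loader.JarLauncher\n"
                                  "Start-Class: org.example.App\n")
            zf.writestr("BOOT-INF/classes/org/example/App.class", b"\xca\xfe\xba\xbe")
            # Placeholder bytes stand in for the nested dependency jar.
            zf.writestr("BOOT-INF/lib/log4j-core-2.14.0.jar", b"placeholder")
        else:
            zf.writestr(MANIFEST, "Manifest-Version: 1.0\nMain-Class: org.example.App\n")
            zf.writestr("org/example/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_uber_jar.py target/my-project-name.jar
    # Without an argument the constructed sample Uber JAR is inspected instead.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_jar(True)
    report = inspect_jar(data)
    print(report)
    sys.exit(0 if report["is_uber"] else 1)
```

Running it against target/my-project-name.jar after mvn package gives a non-zero exit status for a thin JAR, which makes it easy to gate a CI upload step on the check.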
REST API Support
The following REST APIs are supported for the Contextual Analysis feature:
Artifact Summary - Applicability information was added to each issue.
Build Summary - Applicability information was added to each issue.
Get Violations - Applicability information was added to each violation.
List Ignored Violations - Applicability information was added to each violation.
Scan Build V1 - Applicability information was added to each alert.
Get Repositories Configurations - Added a new parameter, vuln_contextual_analysis: true or false. It is returned only if the feature is enabled and it is possible to enable or disable it per repository.
Update Repositories Configurations - Added the option to enable or disable Contextual Analysis per repository with the parameter vuln_contextual_analysis: true or false.