Subscription Information
This feature is supported with the Enterprise X or Enterprise+ license, with the Advanced Security Add-on.
JFrog Security and the JFrog research team's continuous effort to enhance security introduces an additional capability: Vulnerability Contextual Analysis. JFrog Xray previously released the JFrog Security CVE Research and Enrichment feature, which provides enhanced analysis of CVE findings so that you can focus on the most important issues and invest remediation effort where it matters most. Vulnerability Contextual Analysis extends that capability, ensuring Xray's findings are as focused as possible.
The Issue
When Xray scans your packages, it can find thousands of vulnerabilities. Developers then have to sift through long lists of findings to determine which ones are relevant, and it can be hard to know where to start, because many of these vulnerabilities may not affect your artifacts at all. This process is error-prone and time-consuming.
The Solution
Vulnerability Contextual Analysis uses the context of the artifact to eliminate false-positive reports on vulnerabilities that do not apply to it. Automated scanners run on top of the container to find reachable paths to the code affected by the analyzed vulnerabilities. Xray automatically validates selected high- and very-high-impact vulnerabilities, such as vulnerabilities that have prerequisites for exploitation, and provides contextual analysis information for them, to help you determine which vulnerabilities are applicable to a specific artifact.
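The following is an added illustration of the idea described above, not Xray's own scanner or code from JFrog: a minimal applicability filter that walks a call graph from the artifact's entry points, checks whether any vulnerable function is reachable, and then checks whether the finding's exploitation prerequisites are met by the artifact's effective configuration. The call graph, the configuration, the component names and the CVE-EXAMPLE-* identifiers are all constructed placeholders.

```python
from collections import deque

# --- Constructed sample input (illustrative placeholders, not Xray data) ----
# Call graph of the scanned artifact: caller -> list of callees.
CALL_GRAPH = {
    "app.main": ["app.serve", "imglib.decode_png"],
    "app.serve": ["yamlparse.safe_load", "app.render"],
    "app.render": ["tmpl.render"],
    "imglib.decode_png": ["imglib.read_chunk"],
    # Shipped in the container but never reached from an entry point.
    "yamlparse.full_load": ["yamlparse.construct_object"],
}
ENTRY_POINTS = ["app.main"]

# Effective runtime configuration of the artifact, as a scanner might read it
# from environment variables or config files inside the container.
ARTIFACT_CONFIG = {"imglib.strict_chunk_length": True}

# Findings from a dependency scan (constructed; placeholder identifiers).
# Each names the function(s) that must be reachable and any configuration
# prerequisite that must hold for the issue to be exploitable.
FINDINGS = [
    {"id": "CVE-EXAMPLE-0001", "component": "yamlparse",
     "vulnerable_functions": ["yamlparse.construct_object"], "prerequisites": {}},
    {"id": "CVE-EXAMPLE-0002", "component": "imglib",
     "vulnerable_functions": ["imglib.read_chunk"],
     "prerequisites": {"imglib.strict_chunk_length": False}},
    {"id": "CVE-EXAMPLE-0003", "component": "tmpl",
     "vulnerable_functions": ["tmpl.render"], "prerequisites": {}},
]


def reachable_functions(call_graph, entry_points):
    """Breadth-first walk from the entry points; returns every reachable function."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def find_path(call_graph, entry_points, target):
    """Return one caller->callee chain from an entry point to target, or None."""
    parents = {ep: None for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn == target:
            path = []
            while fn is not None:
                path.append(fn)
                fn = parents[fn]
            return list(reversed(path))
        for callee in call_graph.get(fn, []):
            if callee not in parents:
                parents[callee] = fn
                queue.append(callee)
    return None


def classify(findings, call_graph, entry_points, config):
    """Label each finding applicable or not applicable, with the reason or the path."""
    reachable = reachable_functions(call_graph, entry_points)
    results = {}
    for f in findings:
        hit = [fn for fn in f["vulnerable_functions"] if fn in reachable]
        if not hit:
            results[f["id"]] = {"status": "not_applicable",
                                "reason": "vulnerable code not reachable from any entry point"}
            continue
        unmet = {k: v for k, v in f["prerequisites"].items() if config.get(k) != v}
        if unmet:
            results[f["id"]] = {"status": "not_applicable",
                                "reason": f"exploitation prerequisite not met: {unmet}"}
            continue
        results[f["id"]] = {"status": "applicable",
                            "path": find_path(call_graph, entry_points, hit[0])}
    return results


if __name__ == "__main__":
    for vuln_id, verdict in classify(FINDINGS, CALL_GRAPH, ENTRY_POINTS, ARTIFACT_CONFIG).items():
        print(vuln_id, verdict)
```

Run as written, the first finding is dropped because the vulnerable function sits in dead code, the second because the artifact's configuration does not satisfy the exploitation prerequisite, and only the third is reported as applicable together with the concrete path from the entry point. A real scanner derives the call graph and configuration from the container itself; the point here is that applicability is a property of the artifact, not of the component alone.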
What are the Benefits of Vulnerability Contextual Analysis?
Analyzes the finished code the way an attacker would, so you know which issues are exploitable and their potential impact.
Tests an issue in the context of the complete artifact, also within a build or Release Bundle.
Enables action and remediation in the context of the actual artifact, build or Release Bundle.
Note
Important details regarding the Contextual Analysis feature:
Supported Repositories:
Docker
Maven
npm
Supported languages inside a container:
Java
Go
Python
JavaScript
TypeScript
Rust with Cargo auditable build
.Net binaries
Native binaries (C, C++ ELF)
Kotlin
Supported languages in source code analysis:
Java
Go
Python
JavaScript
TypeScript
Covers more than 1,400 high-profile CVEs
Maven repositories are supported in Xray version 3.77.4 and above (Java is supported only for JAR-of-JARs Uber JARs; see the example for creating an Uber JAR)
Rust binaries in Docker containers are supported in Xray version 3.79.x and above
.Net binaries in Docker containers are supported in Xray version 3.95.4 and above