Vulnerability Contextual Analysis

JFrog Security Documentation
ft:sourceType
Paligo

Subscription Information

This feature is supported with the Enterprise X or Enterprise+ license, with the Advanced Security Add-on.

Overview

JFrog Security and the JFrog research team's continuous effort to enhance security is introducing an additional capability: Vulnerability Contextual Analysis. JFrog Xray previously released a powerful capability, the JFrog Security CVE Research and Enrichment feature, that helps you with enhanced analysis on CVE findings in a way that allows you to focus on the most important issues with the capability of finding the best resources invested in fixing them. Vulnerability Contextual Analysis is an extension to that capability, ensuring Xray's analysis findings are as focused as possible.

The Issue

When Xray scans your packages, it can potentially find thousands of vulnerabilities. Thus, developers will have to sift through these long lists of vulnerabilities to identify their relevance and in some cases, it can be hard to pinpoint where to start, as many of these vulnerabilities may not affect your artifacts. This process is erroneous and time-consuming.

The Solution

Vulnerability Contextual Analysis uses the artifact context to eliminate false positive reports on vulnerabilities that are not applicable. This process involves automated scanners running on top of the container to find reachable paths for the analyzed vulnerabilities. Xray automatically validates some high and very high-impact vulnerabilities, such as vulnerabilities that have prerequisites for exploitations, and provides contextual analysis information for these vulnerabilities, to assist you in figuring out which vulnerabilities are applicable to a specific artifact.

What are the Benefits of Vulnerability Contextual Analysis?

  • Analyzes the finished code the way an attacker would. Know what issues are exploitable and their potential impact.

  • Tests an issue in the context of the complete artifact, also within a build or Release Bundle.

  • Enables action and remediation in the context of the actual artifact, build or Release Bundle.

Note

Important details in regard to the Contextual Analysis feature:

  • Supported packages:

    • Docker

    • OCI

    • Maven ( Xray version 3.77.4)

    • Rust with cargo auditable build (Xray version 3.79.x)

  • Covers hundreds of CVEs with support for JavaScript, Python, and compiled binaries: Java, Kotlin, C/C++ and Golang. ( Java supports only Uber JAR. See the example here for creating an Uber JAR)

How Does it Work?

Enabling/Disabling Contextual Analysis

Vulnerability Contextual Analysis is disabled by default for new artifacts in all resources that are marked for indexing by Xray. To enable, do the following:

  1. Navigate to the Administration module, go to Xray | Settings | General and click Indexed Resources.

  2. Select the repository or build and select Configure.

  3. Enable the Vulnerability Contextual Analysis option.

    144802628.png

Note

Contextual Analysis is applied on new scans only, and not on existing scans. The analysis will run on indexed resources, however, it will not run on the Index Artifacts History. For more information, see Indexing Xray Resources.Indexing Xray Resources

Starting from Xray version 3.66.x and above, you can scan an existing artifact for Vulnerability Contextual Analysis.

Take note that in some cases, as deep scanning is involved, the scan might take longer to complete.

Contextual Analysis Statuses and Results

Once an artifact is indexed in Xray as part of a single upload, build or Release Bundle, Xray will validate if the artifact contains vulnerabilities that are considered to have a very high impact. If such vulnerabilities are found, Xray will run the contextual analysis and retrieve the contextual analysis results. The results consist of the following:

Vulnerability Contextual Analysis Statuses

  • Not applicable: The vulnerability is not applicable

  • Applicable: The vulnerability is applicable

  • Undetermined - not triggered: An admin needs to enable this feature.

  • Undetermined – analysis in progress: If Xray is in the process of analyzing the vulnerability applicability, it is indicated in the vulnerability details as analysis in progress.

  • Undetermined - inconclusive: Xray was unable to determine if the vulnerability is applicable or not.

  • Undetermined - no scanner: An applicability scanner for this vulnerability is not available.

Vulnerability Contextual Analysis Results

The contextual analysis results can be accessed from Scans List.

144802630.png
144802631.png
144802633.png
Run Contextual Analysis on an Existing Artifact

Starting from Xray version 3.66.x and above, you can run contextual analysis on an existing artifact. Do the following:

  1. From the Scans List page, Repositories tab, select the repository.

  2. Navigate to the artifact you want.

  3. Click the Actions Menu next to the artifact, and select Run Contextual Analysis.

180127293.png

The results appear under Security Issues > Vulnerabilities.

180127294.png
Create Uber JAR

You can use “spring-boot-maven-plugin” for creating the Uber JAR. Here is an example of how to use it in a pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>MavenTest</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.14.0</version>
        </dependency>

    </dependencies>

    <build>
        <finalName>my-project-name</finalName>
        <plugins>
             <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <version>2.7.14</version>
                <executions>
                    <execution>
                        <goals>
                            <goal>repackage</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>    
        </plugins>
    </build>

</project>

REST API Support

The following REST APIs are supported for the Contextual Analysis feature:

  • Get Contextual Analysis per VulnerabilityGet Contextual Analysis per Vulnerability

  • Artifact Summary - Applicability information was added to each issue.Artifact Summary

  • Build Summary - Applicability information was added to each issue.Build Summary

  • Get Violations - Applicability information was added to each violation.Get Violations

  • List Ignored Violations - Applicability information was added to each violation.List Ignored Violations

  • Scan Build V1 - Applicability information was added to each alert.Scan Build V1

  • Get Repositories Configurations: Added a new parameter vuln_contextual_analysis: true or false. Only if feature is enabled and it is possible to enable or disable it per repository.Get Repositories Configurations

  • Update Repositories Configurations - Added the option to enable or disable Contextual Analysis per repository with the parameter vuln_contextual_analysis: true or false.Update Repositories Configurations