Xray Dependencies Scan

JFrog Security Documentation

Overview

As part of JFrog's shift-left efforts to aid developers, Xray can also scan your source dependencies for vulnerabilities and license violations through the JFrog CLI, Frogbot, and the JFrog IDE integrations. With this feature, developers can scan for security or license violations before they even check in their code, saving valuable time in addressing these issues. Using a simple command line tool that can be run anywhere and at any time, you can scan a source directory and get faster results, without the need to compile, test, or deploy to Artifactory. This enables you to detect vulnerabilities in your dependencies as early as possible.

Once you run the command successfully, Xray scans your dependencies the same way it would when run against artifacts in Artifactory repositories. For more information, see Xray Security and Compliance. The CLI returns a detailed scan results report that contains the details of vulnerabilities and violations discovered in your dependency tree.

Note

This is only supported for Maven, Gradle, and npm packages.

Starting from JFrog CLI version 2.4.0, PyPI and Go packages are also supported.

Setting Up Xray Dependencies Scan

  1. Install Xray (see Installing Xray).

  2. Install JFrog CLI version 2.1.0.

How Does it Work?

Step 1 - Trigger the JFrog CLI

Trigger the JFrog CLI in a directory containing the source files.

Step 2 - Run the JFrog CLI Command

Supported commands in the JFrog CLI:

  • Auditing an npm Project: The audit-npm command audits an npm project by generating a dependency tree for the sources and scanning it with Xray. Run the command from the root directory of the project.

  • Auditing Maven Projects: The audit-mvn command audits a Maven project by generating a dependency tree for the sources and scanning it with Xray. Run the command from the root directory of the project.

  • Auditing Gradle Projects: The audit-gradle command audits a Gradle project by generating a dependency tree for the sources and scanning it with Xray. Run the command from the root directory of the project.

  • Auditing Pip Projects: The audit-pip command audits a Pip project by generating a dependency tree for the sources and scanning it with Xray. Run the command from the root directory of the project.

  • Auditing Go Projects: The audit-go command audits a Go project by generating a dependency tree for the sources and scanning it with Xray. Run the command from the root directory of the project.

Run the scan command with the relevant command options. You can view scan results for the following:

  • Vulnerabilities

  • Violations

  • Licenses

By default, the scan returns the vulnerabilities found in your dependencies. To retrieve violations data instead, use one of the following methods:

  • Watches - Select the Watches to apply to the scan.

  • Repo Path - Provide a target destination path in Artifactory; the Watches are determined by the path.

  • Project - Select a Project by project key and use all Watches defined for that Project.

Note that if you run the scan using one of these command options, the scan results show only violations data and not vulnerabilities data. To view vulnerabilities data, run the scan without these options.

Step 3 - View Results

The results are displayed in table format.

You can also view results in JSON format for automation purposes and to view more scan results data by using the following command option:

--format=json

Sample Output

{
  "scan_id": "11148acb-f8d4-4640-56e4-db312cb5ba0c",
  "violations": [
    {
      "summary": "Apache Commons IO FileNameUtils.normalize Path Traversal Remote File Disclosure Weakness",
      "severity": "Medium",
      "type": "security",
      "components": {
        "gav://commons-io:commons-io:2.2": {
          "fixed_versions": [
            "[2.7]"
          ],
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://commons-io:commons-io:2.2",
                "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
              }
            ]
          ]
        }
      },
      "watch_name": "Sec-Watch",
      "issue_id": "XRAY-78200",
      "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=XRAY-78200&show_popup=true&type=security&watch_name=Sec-Watch",
      "cves": [
        {}
      ],
      "references": [
        "https://issues.apache.org/jira/browse/IO-556"
      ]
    },
    {
      "severity": "Medium",
      "type": "security",
      "components": {
        "gav://commons-io:commons-io:2.2": {
          "fixed_versions": [
            "[2.7]"
          ],
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://commons-io:commons-io:2.2",
                "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
              }
            ]
          ]
        }
      },
      "watch_name": "Sec-Watch",
      "issue_id": "XRAY-172728",
      "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=XRAY-172728&show_popup=true&type=security&watch_name=Sec-Watch",
      "cves": [
        {
          "cve": "CVE-2021-29425",
          "cvss_v2_score": "5.0",
          "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3_score": "5.3",
          "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
        }
      ],
      "references": [
        "https://issues.apache.org/jira/browse/IO-556",
        "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
      ]
    },
    {
      "severity": "High",
      "type": "license",
      "components": {
        "gav://org.slf4j:slf4j-api:1.7.5": {
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://org.slf4j:slf4j-api:1.7.5",
                "full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"
              }
            ]
          ]
        }
      },
      "watch_name": "Sec-Watch",
      "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=MIT&show_popup=true&type=security&watch_name=Sec-Watch",
      "references": [
        "http://www.opensource.org/licenses/MIT",
        "http://www.opensource.org/licenses/mit-license.php",
        "https://spdx.org/licenses/MIT",
        "https://spdx.org/licenses/MIT.html"
      ],
      "license_key": "MIT",
      "license_name": "The MIT License"
    }
  ],
  "licenses": [
    {
      "license_key": "Apache-2.0",
      "components": {
        "gav://commons-io:commons-io:2.2": {
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://commons-io:commons-io:2.2",
                "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
              }
            ]
          ]
        },
        "gav://commons-lang:commons-lang:2.6": {
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://commons-lang:commons-lang:2.6",
                "full_path": "META-INF/maven/commons-lang/commons-lang/pom.xml"
              }
            ]
          ]
        },
        "gav://de.is24.common:appmon4j-agent:1.53": {
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "META-INF/maven/de.is24.common/appmon4j-agent/pom.xml"
              }
            ],
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              }
            ],
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              }
            ]
          ]
        },
        "gav://de.is24.common:appmon4j-core:1.53": {
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-core:1.53",
                "full_path": "META-INF/maven/de.is24.common/appmon4j-core/pom.xml"
              }
            ]
          ]
        }
      },
      "references": [
        "http://www.opensource.org/licenses/Apache-2.0",
        "http://www.opensource.org/licenses/apache2.0.php",
        "https://spdx.org/licenses/Apache-2.0",
        "https://spdx.org/licenses/Apache-2.0.html",
        "http://www.apache.org/licenses/LICENSE-2.0",
        "https://licenses.nuget.org/Apache-2.0",
        "http://licenses.nuget.org/Apache-2.0",
        "https://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt",
        "http://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt"
      ]
    },
    {
      "license_key": "MIT",
      "components": {
        "gav://org.slf4j:slf4j-api:1.7.5": {
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://org.slf4j:slf4j-api:1.7.5",
                "full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"
              }
            ]
          ]
        }
      },
      "references": [
        "http://www.opensource.org/licenses/MIT",
        "http://www.opensource.org/licenses/mit-license.php",
        "https://spdx.org/licenses/MIT",
        "https://spdx.org/licenses/MIT.html"
      ]
    }
  ],
  "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
  "package_type": "Maven",
  "status": "completed"
}

The fields of the JSON output are listed below, each with its description and, where the documentation gives one, an example value:

  • artifact_name: The name of the artifact (example: jenkins-war-2.289.1.war).

  • component_id: Component ID in JFrog Component Format Standards (example: gav://org.jenkins-ci.main:jenkins-war:2.289.1).

  • package_type: Type of the artifact package (example: Maven).

  • repo_path: The repo path as it was provided in the scan request (example: default/maven-local-repo/org/jenkins-ci/main/jenkins-war/2.289.1/).

  • scan_id: Unique scan ID (example: 4f811ab8-51a2-4baf-61d3-3a277aaa8066).

  • status: Scan status, one of pending, failed, or completed.

  • violations: A list of minimal violations.

  • violations[].summary

  • violations[].severity (examples: Medium, Critical).

  • violations[].type: Security or license (example: security).

  • violations[].components: Map of violating components at the lowest level in the artifact graph. The key is the component ID.

  • violations[].components[].impact_paths: List of impact paths. Each impact path is a JSON array by itself, indicating the path from the artifact in the scan to the vulnerable component in the graph.

  • violations[].components[].impact_paths[][].component_id: The component ID in the current impact path node (example: gav://commons-httpclient:commons-httpclient:3.1-jenkins-2).

  • violations[].components[].impact_paths[][].full_path: The file path of the current component, relative to the previous component in the list. The first component (which is the artifact itself) will not have full_path filled (example: META-INF/maven/commons-httpclient/commons-httpclient/pom.xml).

  • violations[].components[].fixed_versions: Versions of the component in which this violation is no longer effective (example: ["[4.0.9-2+deb9u4]", "[4.0.10-3+deb9u4]"]).

  • violations[].watch_name: Watch that created the violation (example: cloud-watch).

  • violations[].issue_id: Xray issue ID (example: XRAY-73704).

  • violations[].ignore_url: Violation Ignore Rule creation URL (example: http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=MIT&show_popup=true&type=security&watch_name=Sec-Watch).

  • violations[].cves: List of CVE objects.

  • violations[].cves[].cve: CVE ID (example: CVE-2018-9116).

  • violations[].cves[].cvss_v2_score (example: 6.4).

  • violations[].cves[].cvss_v3_score (example: 9.1).

  • violations[].cves[].cvss_v2_vector (example: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P).

  • violations[].cves[].cvss_v3_vector (example: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

  • violations[].references: Links for more information.

  • violations[].fail_build: Indicates if this violation fails a build (example: true).

  • violations[].license_key (example: Apache-2.0).

  • violations[].license_name (example: The Apache Software License, Version 2.0).

  • vulnerabilities: List of vulnerabilities discovered on the scanned graph.

  • vulnerabilities[].cves: List of CVE objects.

  • vulnerabilities[].summary: Summary of the vulnerability.

  • vulnerabilities[].severity (examples: Medium, Critical).

  • vulnerabilities[].vulnerable_components: List of vulnerable components, the lowest level in the artifact graph (example: ["npm://highlight.js:9.18.3"]).

  • vulnerabilities[].components: List of vulnerable components, the lowest level in the artifact graph.

  • licenses: List of licenses.

  • licenses[].license_key (example: Apache-2.0).

  • licenses[].license_name (example: The Apache Software License, Version 2.0).

  • licenses[].components: Map of components with this license, where the key is the component ID.

  • licenses[].custom: Indicates if this is a custom license (example: false).

  • licenses[].references: Links for more information.
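The following script is an added example, not JFrog's code, showing how a CI job can consume the --format=json report described in Steps 2 and 3 and in the field list above: it flattens each violation to one row per violating component, recovers which direct dependency introduced it from the impact path, pulls fixed_versions and CVSS v3 scores, counts components per license from the licenses section, and applies a build gate. Everything it reads is a field documented on this page; the severity ranking (Low < Medium < High < Critical), the gate policy, the `jfrog` binary name in the comment, and the embedded sample report (constructed from the page's sample output with a placeholder scan_id) are assumptions. Remember that violations only appear when the scan was run with a Watch, Repo Path, or Project option, so a report scanned without them gates nothing.

```python
"""Triage an Xray dependency-scan report produced with --format=json (added example, not JFrog code).
Uses only fields documented on this page; the severity ranking and gate policy are assumptions."""
import json
import sys

# Assumed ordering of Xray severity names for the gate; the report does not define it.
SEVERITY_RANK = {"Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report modelled on the page's sample output (not a real scan).
_ROOT = "gav://de.is24.common:appmon4j-agent:1.53"
_JAR = "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"


def _path(leaf, pom):
    """Impact path as the page shows it: root artifact, the fat jar, then the leaf component."""
    return [{"component_id": _ROOT}, {"component_id": _ROOT, "full_path": _JAR},
            {"component_id": leaf, "full_path": pom}]


SAMPLE_REPORT = json.dumps({
    "scan_id": "00000000-0000-4000-8000-000000000000",  # placeholder, not a real scan id
    "violations": [
        {"summary": "Apache Commons IO FileNameUtils.normalize Path Traversal Remote File Disclosure Weakness",
         "severity": "Medium", "type": "security", "watch_name": "Sec-Watch", "issue_id": "XRAY-172728",
         "components": {"gav://commons-io:commons-io:2.2": {"fixed_versions": ["[2.7]"], "impact_paths": [
             _path("gav://commons-io:commons-io:2.2", "META-INF/maven/commons-io/commons-io/pom.xml")]}},
         "cves": [{"cve": "CVE-2021-29425", "cvss_v3_score": "5.3"}]},
        {"severity": "High", "type": "license", "watch_name": "Sec-Watch",
         "license_key": "MIT", "license_name": "The MIT License",
         "components": {"gav://org.slf4j:slf4j-api:1.7.5": {"impact_paths": [
             _path("gav://org.slf4j:slf4j-api:1.7.5", "META-INF/maven/org.slf4j/slf4j-api/pom.xml")]}}},
    ],
    "licenses": [
        {"license_key": "Apache-2.0", "components": {"gav://commons-io:commons-io:2.2": {},
                                                     "gav://commons-lang:commons-lang:2.6": {}}},
        {"license_key": "MIT", "components": {"gav://org.slf4j:slf4j-api:1.7.5": {}}},
    ],
    "component_id": _ROOT, "package_type": "Maven", "status": "completed",
})


def parse_report(text):
    """Load a report; refuse to gate on one whose status is still pending or failed."""
    report = json.loads(text)
    if report.get("status") != "completed":
        raise RuntimeError(f"scan not usable for gating: status={report.get('status')!r}")
    return report


def introduced_via(impact_path):
    """First dependency on the path that is not the scanned artifact itself.

    The page says the first node is the artifact (no full_path); the sample also
    repeats the root once with the jar path, so all leading root nodes are skipped.
    """
    root = impact_path[0]["component_id"]
    for node in impact_path[1:]:
        if node["component_id"] != root:
            return node["component_id"]
    return root  # the violating component is the scanned artifact itself


def summarize_violations(report):
    """One flat row per violating component: what, how bad, how it got in, how to fix it."""
    rows = []
    for v in report.get("violations", []):
        cves = [c["cve"] for c in v.get("cves", []) if c.get("cve")]
        scores = [float(c["cvss_v3_score"]) for c in v.get("cves", []) if c.get("cvss_v3_score")]
        for comp_id, comp in v.get("components", {}).items():
            paths = comp.get("impact_paths") or []
            rows.append({"type": v.get("type", "unknown"), "severity": v.get("severity", "Unknown"),
                         "component": comp_id, "via": introduced_via(paths[0]) if paths else "<unknown>",
                         "fixed_versions": comp.get("fixed_versions", []), "cves": cves,
                         "max_cvss_v3": max(scores) if scores else None,
                         "ref": v.get("issue_id") or v.get("license_key", "")})
    return rows


def license_inventory(report):
    """Number of components under each license key, from the 'licenses' section."""
    return {lic["license_key"]: len(lic.get("components", {})) for lic in report.get("licenses", [])}


def should_fail_build(rows, min_severity="High", fail_on_license=True):
    """Gate policy (assumed): fail when any remaining violation is at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    return any(SEVERITY_RANK.get(r["severity"], 0) >= threshold
               for r in rows if fail_on_license or r["type"] != "license")


if __name__ == "__main__":
    # Feed it the output of `jfrog audit-mvn --format=json > report.json` (binary name assumed);
    # with no file argument the constructed sample above is triaged instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    report = parse_report(text)
    rows = summarize_violations(report)
    for r in rows:
        print(f"{r['severity']:<8} {r['type']:<8} {r['component']} via {r['via']} "
              f"cves={r['cves']} fix={r['fixed_versions']} ref={r['ref']}")
    print("license inventory:", license_inventory(report))
    sys.exit(1 if should_fail_build(rows) else 0)
```

The gate deliberately reads the scan's status before trusting the report: a pending or failed scan has an empty violations list that would otherwise pass the build silently. Whether a license violation should break the build is a policy decision, so it is a parameter rather than a hard-coded rule.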