Xray On-Demand Binary Scan

JFrog Security Documentation

ft:sourceType
Paligo

Overview

As an organization, you wish to build software securely during development, without trying to find and fix vulnerabilities after your code is compiled. Xray uses the JFrog CLI to provide on-demand binary scanning to address your needs.

  • Run ad-hoc scans for security purposes without uploading to Artficatory first.

  • Adhere to organizational standards, whereas binaries and builds need to be approved first before uploading to Artifactory.

  • Not all binaries are stored in Artifactory, and as a user, you want to use Xray scanning capabilities.

You can point to a binary in your local file system and receive a report that contains a list of vulnerabilities and licenses for that binary. The JFrog CLI encapsulates a closed source component that contains the logic of extracting a binary and composes a component graph from the binary, similar to the way Xray scans your binaries in Artifactory. For more information, see Xray Security and Compliance. The CLI returns a detailed scan results report that contains the details of vulnerabilities, violations, and licenses discovered in your binary.

Note

Starting from Xray version 3.40.3 and JFrog CLI version 2.11.0, you can run an on-demand binary scan on Docker images.

Setting Up On-Demand Binary Scan

  1. Install XrayInstalling Xray

  2. Install JFrog CLI version 2.1.0

How Does it Work?

Step 1 - Trigger the JFrog CLI

Trigger the JFrog CLI in a directory containing the binaries of a project.

Step 2 - Run the JFrog CLI Commands

Run the JFrog CLI Commands using one of the two methods:

  • Use the existing upload command with additional parameters that will serve as a conditional upload. A conditional upload ensures that the files are scanned prior to uploading to Artifactory, and will not be uploaded if the scan contains any security issues and does not comply with the policies you set.

  • Run an independent scan command.

Supported commands in the JFrog CLI:

Depending on the command option you use, you can view scan results for the following:

  • Vulnerabilities

  • Violations

  • Licenses

By default, the scan returns vulnerabilities data found in your dependencies. To retrieve violations data, use one of the following methods:

  • Watches - Select Watches to apply to the scan.

  • Repo Path- Provide a target destination path in Artifactory, and Watches will be determined by the path.

  • Project- Select a Project by project key, and use all Watches defined for the Project.

Take note, that if you run the scan using one of these command options, the scan results will only show violations data and not vulnerabilities data. To view vulnerabilities data, run the scan without these options.

Step 3 - View Results

The results are displayed in table format.

image (47).png

You can also view results in JSON format for automation purposes and view more scan results data by using the following command option:

--format=json

Sample Output

{
  "scan_id": "11148acb-f8d4-4640-56e4-db312cb5ba0c",
  "violations": [
    {
      "summary": "Apache Commons IO FileNameUtils.normalize Path Traversal Remote File Disclosure Weakness",
      "severity": "Medium",
      "type": "security",
      "components": {
        "gav://commons-io:commons-io:2.2": {
          "fixed_versions": [
            "[2.7]"
          ],
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://commons-io:commons-io:2.2",
                "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
              }
            ]
          ]
        }
      },
      "watch_name": "Sec-Watch",
      "issue_id": "XRAY-78200",
      "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=XRAY-78200&show_popup=true&type=security&watch_name=Sec-Watch",
      "cves": [
        {
        }
      ],
      "references": [
        "https://issues.apache.org/jira/browse/IO-556"
      ],
    },
    {
      "severity": "Medium",
      "type": "security",
      "components": {
        "gav://commons-io:commons-io:2.2": {
          "fixed_versions": [
            "[2.7]"
          ],
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://commons-io:commons-io:2.2",
                "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
              }
            ]
          },
          "watch_name": "Sec-Watch",
          "issue_id": "XRAY-172728",
          "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=XRAY-172728&show_popup=true&type=security&watch_name=Sec-Watch",
          "cves": [
            {
              "cve": "CVE-2021-29425",
              "cvss_v2_score": "5.0",
              "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N",
              "cvss_v3_score": "5.3",
              "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
            }
          ],
          "references": [
            "https://issues.apache.org/jira/browse/IO-556",
            "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
          ],
        },
        {
          "severity": "High",
          "type": "license",
          "components": {
            "gav://org.slf4j:slf4j-api:1.7.5": {
              "impact_paths": [
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                  },
                  {
                    "component_id": "gav://org.slf4j:slf4j-api:1.7.5",
                    "full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"
                  }
                ]
              ]
            }
          },
          "watch_name": "Sec-Watch",
          "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=MIT&show_popup=true&type=security&watch_name=Sec-Watch",
          "references": [
            "http://www.opensource.org/licenses/MIT",
            "http://www.opensource.org/licenses/mit-license.php",
            "https://spdx.org/licenses/MIT",
            "https://spdx.org/licenses/MIT.html"
          ],
          "license_key": "MIT",
          "license_name": "The MIT License",
        }
      ],
      "licenses": [
        {
          "license_key": "Apache-2.0",
          "components": {
            "gav://commons-io:commons-io:2.2": {
              "impact_paths": [
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                  },
                  {
                    "component_id": "gav://commons-io:commons-io:2.2",
                    "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
                  }
                ]
              ]
            },
            "gav://commons-lang:commons-lang:2.6": {
              "impact_paths": [
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                  },
                  {
                    "component_id": "gav://commons-lang:commons-lang:2.6",
                    "full_path": "META-INF/maven/commons-lang/commons-lang/pom.xml"
                  }
                ]
              ]
            },
            "gav://de.is24.common:appmon4j-agent:1.53": {
              "impact_paths": [
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "META-INF/maven/de.is24.common/appmon4j-agent/pom.xml"
                  }
                ],
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  }
                ],
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                  }
                ]
              ]
            },
            "gav://de.is24.common:appmon4j-core:1.53": {
              "impact_paths": [
                [
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                  },
                  {
                    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                  },
                  {
                  }"http://www.opensource.org/licenses/Apache-2.0",
                  {
                    "impact_paths": [
                    ]"status": "completed""violations": [
                      "severity": "Medium",
                      "type": "security",
                      {
                        "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                      ],
                    },
                    "type": "security",
                    "components": {
                      {
                        "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                        "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N",
                      }"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
                    ],
                  },
                  {
                  },
                  {
                    "references": [
                      "https://spdx.org/licenses/MIT.html""license_name": "The MIT License",
                    }"gav://commons-io:commons-io:2.2": {
                    },
                    "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar""impact_paths": [
                      "component_id": "gav://de.is24.common:appmon4j-agent:1.53""full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                    },
                    "gav://de.is24.common:appmon4j-agent:1.53": {
                      {
                        "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                      },
                      {
                        "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                        "component_id": "gav://de.is24.common:appmon4j-agent:1.53"[
                          {
                            "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                            [
                              {
                                "component_id": "gav://de.is24.common:appmon4j-core:1.53",
                                "full_path": "META-INF/maven/de.is24.common/appmon4j-core/pom.xml"
                              }
                            ]
                          ]
                        }
                      },
                      "references": [
                        "http://www.opensource.org/licenses/Apache-2.0",
                        "http://www.opensource.org/licenses/apache2.0.php",
                        "https://spdx.org/licenses/Apache-2.0",
                        "https://spdx.org/licenses/Apache-2.0.html",
                        "http://www.apache.org/licenses/LICENSE-2.0",
                        "https://licenses.nuget.org/Apache-2.0",
                        "http://licenses.nuget.org/Apache-2.0",
                        "https://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt",
                        "http://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt"
                      ]
                    },
                    {
                      "license_key": "MIT",
                      "components": {
                        "gav://org.slf4j:slf4j-api:1.7.5": {
                          "impact_paths": [
                            [
                              {
                                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
                              },
                              {
                                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
                              },
                              {
                                "component_id": "gav://org.slf4j:slf4j-api:1.7.5",
                                "full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"
                              }
                            ]
                          ]
                        }
                      },
                      "references": [
                        "http://www.opensource.org/licenses/MIT",
                        "http://www.opensource.org/licenses/mit-license.php",
                        "https://spdx.org/licenses/MIT",
                        "https://spdx.org/licenses/MIT.html"
                      ]
                    }
                  ],
                  "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                  "package_type": "Maven",
                  "status": "completed"
                }
              }

Field Name

Description

Example

artifact_name

The name of the artifact.

jenkins-war-2.289.1.war

component_id

Component ID in the JFrog Component Format Standards.

gav://org.jenkins-ci.main:jenkins-war:2.289.1

package_type

Type of the artifact package.

Maven

repo_path

The repo path as it was provided in the scan request.

default/maven-local-repo/org/jenkins-ci/main/jenkins-war/2.289.1/

scan_id

Unique scan ID.

4f811ab8-51a2-4baf-61d3-3a277aaa8066

status

Scan status. If a scan is pending, completed or failed.

pending

failed

completed

violations

A list of minimal violations.

violations[].summary

violations[].severity

Medium

Critical

violations[].type

Security or license.

security

violations[].components

Map of violating component the lowest level in the artifact graph. The key is the component ID.

violations[].components[].impact_paths

List of impact paths. Each impact path is a JSON array by itself, indicating the path from the artifact in scan to the vulnerable component in the graph.

violations[].components[].impact_paths[][].component_id

The component ID in the current impact path node.

gav://commons-httpclient:commons-httpclient:3.1-jenkins-2

violations[].components[].impact_paths[][].full_path

The file path of the current component, relative to the previous component in the list. The first component (which is the artifact itself) will not have full_path filled.

META-INF/maven/commons-httpclient/commons-httpclient/pom.xml

violations[].components[].fixed_versions

Versions of the component in which this violation is not effective anymore.

["[4.0.9-2+deb9u4]", "[4.0.10-3+deb9u4]"]

violations[].watch_name

Watch that created the violation.

cloud-watch

violations[].issue_id

Xray issue ID.

XRAY-73704

violations[].ignore_url

Violation Ignore Rule Creation URL.

http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=MIT&show_popup=true&type=security&watch_name=Sec-Watch

violations[].cves

List of CVE objects.

violations[].cves[].cve

CVE ID.

CVE-2018-9116

violations[].cves[].cvss_v2_score

6.4

violations[].cves[].cvss_v3_score

9.1

violations[].cves[].cvss_v2_vector

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P

violations[].cves[].cvss_v3_vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

violations[].references

Links for more information.

violations[].fail_build

Indicates if this violation fails a build.

true

violations[].license_key

Apache-2.0

violations[].license_name

The Apache Software License, Version 2.0

vulnerabilities

List of vulnerabilities discovered on the scanned graph.

vulnerabilities[].cves

List of CVE objects.

vulnerabilities[].summary

Summary of the vulnerability.

vulnerabilities[].severity

Medium

Critical

vulnerabilities[].vulnerable_components

List of vulnerable components the lowest level in the artifact graph

[" npm://highlight.js:9.18.3"]

vulnerabilities[].components

List of vulnerable components the lowest level in the artifact graph.

licenses

List of licenses

licenses[].license_key

Apache-2.0

licenses[].license_name

The Apache Software License, Version 2.0

licenses[].components

Map of components with this license, where the key is component ID.

licenses[].custom

Indicated if this is this a custom license.

false

licenses[].references

Links for more information

View Results in the JFrog Platform

Navigate to Administration | Security and Compliance | On-Demand Scanning.

image2021-12-14_22-8-59.png

A list with all the on-demand binaries scans is displayed.

image2022-1-13_11-34-39.png

Click on a scan from the list to view the results. The results consist of a scan overview details, list of security and license violations, security vulnerabilities, discovered licenses, and descendants. You can learn more about these Xray scan results in Analyzing Resource Scan Results.

Overview

image2021-12-14_22-23-3.png

Violations

image2021-12-14_22-25-42.png

Security Vulnerabilities

image2022-1-13_11-36-34.png

CVE Details