This table lists the available conditions in Curation:
Category | Condition | Description | Custom condition available | Relaxation Parameters | Supported Package Types |
---|---|---|---|---|---|
Security | Malicious package | Blocks 3rd party packages that the JFrog Security Research team has identified as malicious. | No | N/A | All |
Security | CVE with CVSS (all score combinations) | Blocks 3rd party package versions with a known CVE with NVD CVSS score (all combinations) | Yes | | All (except Docker) |
Security | OpenSSF | Block packages based on one or more scorecard checks. | Yes | Disregard if the score does not exist. | All (except Docker) |
Security | Package Vulnerable to CVE | Detects if the 3rd party package is vulnerable to the configured CVE ID | Yes | N/A | All (except Docker) |
Security | Block packages listed by Catalog labels | Blocks 3rd party packages that are on a blocked list | Yes | N/A | All (except Docker) |
Security | Allow only packages listed by Catalog labels | Blocks any 3rd party packages that are not on the allowed list | Yes | N/A | All (except Docker) |
Legal | Block list by License | Blocks 3rd party packages with any version that you define | Yes | Allow if one or more package licenses are not on the list. | All (except Docker) |
Legal | Allow list by License | Blocks 3rd party packages with any version that is not on the defined list | Yes | Allow if at least one package license is on the list. | All (except Docker) |
Operational | Image is not Docker Hub official | Detects Docker Images from the Docker Hub registry that do not have “Docker Official Image” | No | N/A | Docker |
Operational | Package version is aged (no newer version identified) | Blocks 3rd party package versions whose release date is more than 2 years old, and no newer version of the package exists. | Yes | N/A | All (except Docker) |
Operational | Package version is aged (new version available) | Blocks 3rd party package versions whose release date is more than 180 days older than the package’s latest version release date. | No | N/A | All (except Docker) |
Operational | Package version is immature | Blocks 3rd party packages whose version release date is less than the defined number of days old | Yes | Allow if it fixes a CVE in your repositories | All (except Docker) |