Xray incorporates a built-in Impact Analysis process that continuously assesses how a vulnerability in one component affects others, based on the latest updates in the JFrog vulnerability database.
This analysis is triggered upon the inclusion of new security vulnerability updates in the database.
The impact analysis process identifies all artifacts affected by the new vulnerability and adds them to the Xray scan report.
If a vulnerability update meets the criteria of a Watch and a Policy, a new violation will subsequently be generated. This may trigger automatic actions if configured in a policy rule.
It's important to note that the impact analysis process operates exclusively on indexed artifacts with scans whose retention period has not yet expired.
For our SaaS product, new vulnerabilities are added to the Xray database every hour, at which point the impact analysis process is triggered.
For self-hosted customers, the impact analysis process will be initiated with each database sync update.
Note
DB sync v1 impact analysis is triggered only for vulnerability updates marked as high profile.
DB sync v3 impact analysis is triggered for all vulnerability updates.
For details on how to check which DB sync version is in use and how to migrate, see the DB sync migration documentation.
The JFrog security research team determines whether a new vulnerability is considered high profile.
The team focuses on technologies relevant to JFrog clients and prioritizes “high” and “critical” severity issues, as well as vulnerabilities that are exploited in the wild or have a high media profile, even if they received a “medium” public severity rating.
Impact analysis applies to newly identified vulnerabilities and to updates of existing vulnerabilities. For withdrawn CVEs, a rescan is required to update the scan results of the affected components.
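The following is an added, constructed model of the decision flow described on this page (DB sync v1 vs v3 triggering, the indexed-and-within-retention filter, Watch and Policy matching, and the rescan requirement for withdrawn CVEs); it is not JFrog Xray's implementation. It assumes a Watch can be modelled as a set of repository names, a Policy rule as a minimum severity, and uses a placeholder CVE identifier and constructed component ids.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed model of the impact-analysis flow described on this page; illustrative only.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class Artifact:
    path: str
    repo: str
    components: set          # component ids recorded by the artifact's last scan
    indexed: bool
    scanned_at: datetime
    retention: timedelta     # scan retention period

@dataclass
class VulnUpdate:
    cve: str
    severity: str            # low | medium | high | critical
    affected: set            # component ids the update applies to
    high_profile: bool = False
    withdrawn: bool = False

def impact_analysis(update, artifacts, db_sync_version, watch_repos, min_severity, now):
    """Return (violations, needs_rescan) as lists of artifact paths."""
    if db_sync_version == 1 and not update.high_profile:   # v1: only high-profile updates
        return [], []                                       # v3: all updates are processed
    # Only indexed artifacts whose scan retention has not expired are re-evaluated.
    impacted = [a for a in artifacts if a.indexed
                and now - a.scanned_at <= a.retention and a.components & update.affected]
    if update.withdrawn:                 # impact analysis does not clear these; rescan needed
        return [], [a.path for a in impacted]
    if SEVERITY_RANK[update.severity] < SEVERITY_RANK[min_severity]:
        return [], []                    # Policy rule not met, no violation
    return [a.path for a in impacted if a.repo in watch_repos], []   # Watch scope

def demo():
    """Run the model on constructed sample data; returns outcomes keyed by scenario."""
    now, days = datetime(2024, 1, 1), lambda n: timedelta(days=n)
    comp = {"maven://org.example:lib:1.0"}                 # constructed component id
    arts = [Artifact("libs-release/app.jar", "libs-release", comp, True, now - days(1), days(30)),
            Artifact("libs-release/old.jar", "libs-release", comp, True, now - days(60), days(30)),
            Artifact("libs-release/raw.jar", "libs-release", comp, False, now, days(30)),
            Artifact("sandbox/tool.jar", "sandbox", comp, True, now, days(30))]
    upd = VulnUpdate("CVE-0000-PLACEHOLDER", "high", comp)  # placeholder id; not high profile
    gone = VulnUpdate("CVE-0000-PLACEHOLDER", "high", comp, withdrawn=True)
    return {"v3_high": impact_analysis(upd, arts, 3, {"libs-release"}, "high", now),
            "v1_not_profiled": impact_analysis(upd, arts, 1, {"libs-release"}, "high", now),
            "v3_critical": impact_analysis(upd, arts, 3, {"libs-release"}, "critical", now),
            "v3_withdrawn": impact_analysis(gone, arts, 3, {"libs-release"}, "high", now)}
```

In `demo()`, only `app.jar` produces a violation: `old.jar` is past its retention period, `raw.jar` was never indexed, and `tool.jar` is outside the Watch, while the withdrawn update yields no violation and instead flags the impacted artifacts for rescan.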