Get Build’s Scan Results

Xray REST APIs

Products
JFrog Xray
Content Type
REST API
ft:sourceType
Paligo

Description: Gets the build scan results

Security: Requires the "Manage Xray Metadata" role to be set on the User or Group level.

Usage: GET /xray/api/v2/ci/build/{build_name}/{build_number}

Consumes: None

Produces: application/json

Path parameters:

Name

Type

Required/Optional

Description

build_name

string

required

Name of the build

build_number

string

required

Build number

Query parameters:

Name

Type

Required/Optional

Description

projectKey

string

optional

The project key that the build belongs to

include_vulnerabilities

boolean

optional

Indicates whether to include the the CVEs in the response

Request Body: None

Response Body:

Name

Type

Description

error

string

Error message text

build_name

string

Name of the build.

build_number

string

Number of the build.

project

string

Project associated with the build.

status

string

Status of the build (e.g., completed).

more_details_url

string

URL for more details about the build.

fail_build

boolean

Fail build overall status

violations

array[ViolationObj]

An array of detected violations.

vulnerabilities

array[VulnerabilityObj]

An array of detected vulnerabilities.

ViolationObj:

Name

Type

Description

issue_id

string

Xray Id for the issue.

summary

string

Summary of the violation.

severity

string

Severity level of the violation.

Possible values: Critical, High, Medium, Low, Information, Unknown

risk

string

Operation Risk level of the violation.

Possible values: High, Medium, Low

components

object

Components affected by the vulnerability.

type

string

Type of the violation. Possible values: security, license, operational_risk

watch_name

string

Name of the watch associated with the violation.

fail_build

boolean

Violation’s Fail build status

cves

array[CVEObj]

An array of CVE objects representing Common Vulnerabilities and Exposures.

references

array[string]

An array of references related to the vulnerability.

is_high_profile

boolean

Indicates if the vulnerability is high profile.

extended_information

ExtendedInfoObj

Additional information about the issue. As of Xray version 3.42.3

applicability_details

array [ApplicabilityDetailsObj]

Applicability details

VulnerabilityObj:

Name

Type

Description

issue_id

string

Identifier of the issue.

summary

string

Summary of the vulnerability.

severity

string

Severity level of the vulnerability.

Possible values: Critical,High, Medium, Low, InformationUnknown

cves

array[CVEObj]

An array of CVE objects representing Common Vulnerabilities and Exposures.

components

ComponentsObj

Components affected by the vulnerability.

references

array[string]

An array of references related to the vulnerability.

is_high_profile

boolean

Indicates if the vulnerability is high profile.

provider

string

Provider of the vulnerability information.

edited

string

Timestamp of when the vulnerability was last edited.

extended_information

ExtendedInfoObj

Additional information about the issue. As of Xray version 3.42.3

applicability

array[ApplicabilityObj]

An array of applicability details

applicability_details

array [ApplicabilityDetailsObj]

Applicability details

CVEObj:

Name

Type

Description

cve

string

Common Vulnerabilities and Exposures Identifier

cvss_v2_score

string

CVSS v2 score

cvss_v2_vector

string

CVSS v2 vector

cvss_v3_score

string

CVSS v3 score

cvss_v3_vector

string

CVSS v3 vector

ComponentsObj:

Name

Type

Description

package_name

string

Name of the package.

package_version

string

The version of the package.

package_type

string

Type of the package (e.g., Maven, Debian).

fixed_versions

array[string]

An array of fixed versions of the package.

infected_versions

array[string]

An array of infected versions of the package.

impact_paths

array[array[ComponentPathObj]]

An array of impact paths of the component.

ComponentPathObj:

Name

Type

Description

component_id

string

ID of the component.

full_path

string

The full path of the component.

ExtendedInfoObj:

Name

Type

Description

short_description

string

A brief description of the issue. The field is markdown text.

full_description

string

Full description of the issue. The field is markdown text.

jfrog_research_severity

string

The severity of the issue according to JFrog's research

jfrog_research_severity_reasons

array[SeverityReasonObj]

Reasons for the severity assigned by JFrog research

remediation

string

Remediation steps for the issue. The field is markdown text.

SeverityReasonObj:

Name

Type

Description

name

string

The reason for the severity assessment.

description

string

Detailed explanation supporting the severity assessment.

is_positive

boolean

Indicates whether the reason contributes positively to the severity assessment.

ApplicabilityDetailsObj:

Name

Type

Description

component_id

string

Component id of the artifact

source_comp_id

string

Component id of the vulnerable package

vulnerability_id

string

Cve id

result

string

Contextual Analysis result.

Possible values: not_scanned, applicable, not_applicable, undetermined, rescan_required, upgrade_required, not_covered

ApplicabilityObj:

Name

Type

Description

scanner_available

boolean

Indicates whether a scanner is available to check the applicability of the issue

component_id

string

Identifier for the component or environment where the issue is applicable

source_comp_id

string

Identifier for the source component or environment where the issue was detected

cve_id

string

Identifier for the CVE associated with the issue

scan_status

integer

Status of the scan (e.g., 1 for successful, 0 for unsuccessful)

applicability

boolean

Indicates whether the issue is applicable to the specified component or environment

scanner_explanation

string

Explanation provided by the scanner regarding the applicability check

evidence

array[EvidenceObj]

Evidence or additional information related to the applicability check

info

string

Additional information about the applicability of the issue

details

array[DetailsObj]

Additional details or notes regarding the applicability of the issue

EvidenceObj:

Field Name

Type

Description

column_names

array[string]

Names of the columns in the evidence data

rows

array[array[string]]

Rows of evidence data, each containing specific details about the issue

DetailsObj:

Field Name

Type

Description

file_path

string

File path or location where the issue was detected

details

string

Detailed information about the applicability of the issue

Response codes:

Status code

Description

200

OK

403

Permission denied

404

Build doesn't exist or not indexed in Xray

Example request:

GET /xray/api/v2/ci/build/my_build/2?include_vulnerabilities=true

Example of successful response with Contextual Analysis results:

{
    "build_name": "build-name",
    "build_number": "2",
    "status": "completed",
    "more_details_url": "https://artifactory.jfrog.io/ui/scans-list/builds-scans/build-name/scan-descendants/2?version=2&package_id=build%3A%2F%2Fbuild-name&build_repository=artifactory-build-info&component_id=build%3A%2F%2Fbuild-name%3A2&page_type=security-vulnerabilities&exposure_status=to_fix",
    "fail_build": true,
    "violations": [
        {
            "cves": [
                {
                    "cve": "CVE-2023-20873",
                    "cvss_v3_score": "9.8",
                    "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                }
            ],
            "summary": "In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.",
            "severity": "Critical",
            "components": {
                "gav://org.springframework.boot:spring-boot-actuator-autoconfigure:2.2.6.RELEASE": {
                    "package_name": "org.springframework.boot:spring-boot-actuator-autoconfigure",
                    "package_version": "2.2.6.RELEASE",
                    "package_type": "maven",
                    "fixed_versions": [
                        "[2.7.11]",
                        "[3.0.6]"
                    ],
                    "impact_paths": [
                        [
                            {
                                "component_id": "build://build-name:2"
                            },
                            {
                                "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                                "full_path": "student-services-security-0.0.1-20230711.143048-1.jar"
                            },
                            {
                                "component_id": "gav://org.springframework.boot:spring-boot-actuator-autoconfigure:2.2.6.RELEASE",
                                "full_path": "BOOT-INF/lib/spring-boot-actuator-autoconfigure-2.2.6.RELEASE.jar"
                            }
                        ]
                    ]
                }
            },
            "issue_id": "XRAY-515384",
            "references": [
                "https://github.com/spring-projects/spring-boot",
                "https://github.com/spring-projects/spring-boot/releases/tag/v3.0.6",
                "https://github.com/spring-projects/spring-boot/commit/32444fed4b51cc58dc908467f706102d7f0bfc15",
                "https://security.netapp.com/advisory/ntap-20230601-0009/",
                "https://spring.io/blog/2023/05/18/spring-boot-2-5-15-and-2-6-15-available-now",
                "https://github.com/spring-projects/spring-boot/commit/3522714c13b47af03bf42e7f2d5994af568cb1a7",
                "https://nvd.nist.gov/vuln/detail/CVE-2023-20873",
                "https://github.com/spring-projects/spring-boot/releases/tag/v2.7.11",
                "https://spring.io/security/cve-2023-20873"
            ],
            "type": "security",
            "watch_name": "watch-name",
            "fail_build": true,
            "is_high_profile": true,
            "policies": null,
            "updated": "",
            "extended_information": {
                "short_description": "Improper endpoint path mapping in Sprint Boot allows an attacker to perform path traversal attacks when using catch-all request mappings on an application deployed to Cloud Foundry.",
                "full_description": "[Spring Boot](https://spring.io/) is an open-source Java framework that simplifies the development of stand-alone, production-grade Spring-based applications by providing a pre-configured environment with a range of features and capabilities. It eliminates the need for manual configuration and enables developers to focus on writing business logic rather than setting up infrastructure.\n[Cloud Foundry](https://www.cloudfoundry.org/) is a cloud platform that enables the deployment and management of Java-based applications. When deploying Spring Boot applications to Cloud Foundry, a potential security vulnerability arises with catch-all request mappings that match `/**`, as they route all requests to the same endpoint.\n\nAn issue has been discovered in the endpoint path mappings that do not limit the range of the catch-all request mappings, thereby allowing attackers to perform path traversal attacks using characters such as `../` in the requested URL. Exploiting this issue can allow attackers to read files that are outside of the application's root directory.\n\nIt is worth noting that applications using `Spring Cloud Config Server` are vulnerable if they are deployed to Cloud Foundry. Spring Cloud Config Server handles requests to the `/cloudfoundryapplication/**` path by default, which could make the application vulnerable to path traversal attacks.\n\nExample of vulnerable code:\n```\n@RestController\n@RequestMapping(\"/cloudfoundryapplication\")\npublic class CloudFoundryController {\n\n    @GetMapping(\"/**\")\n    public String handleRequest() {\n        // handle the request here\n        return \"Hello, Cloud Foundry!\";\n    }\n}\n```\n\nIn the above example, requesting a URL such as `https://victimsite.com/cloudfoundryapplication/foo/../../../../../otherpath` would allow the attacker to read files that do not belong to the Spring Boot application that was deployed to Cloud Foundry.",
                "jfrog_research_severity": "High",
                "jfrog_research_severity_reasons": [
                    {
                        "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)",
                        "description": "In Spring Boot apps deployed to Cloud Foundry, it is very common to find the catch-all request mapping `/**`. Also, applications using Spring Cloud Config Server are vulnerable by default.",
                        "is_positive": false
                    },
                    {
                        "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
                        "description": "The attacker must find an endpoint using the catch-all request mappings `/**` in Spring Boot application that has been deployed specifically to [Cloud Foundry](https://www.cloudfoundry.org/).",
                        "is_positive": true
                    },
                    {
                        "name": "The issue is trivial to exploit and does not require a published writeup or PoC",
                        "description": "The attacker simply needs to add traversal characters to the requested URL, for example - `/cloudfoundryapplication/../../../../../../../../../etc/passwd`",
                        "is_positive": false
                    },
                    {
                        "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
                        "description": "The attacker can leak files outside of the deployed Spring Boot application's root directory. The importance of the leaked files depend on which data is stored in the Cloud Foundry server.",
                        "is_positive": true
                    }
                ],
                "remediation": "##### Deployment mitigations\n\nDisable Cloud Foundry actuator endpoints by setting `management.cloudfoundry.enabled` to `false` in your `application.properties` file.\n```\nmanagement.cloudfoundry.enabled=false\n```"
            }
        }
    ],
    "vulnerabilities": [
        {
            "cves": [
                {
                    "cve": "CVE-2023-20883",
                    "cvss_v3_score": "7.5",
                    "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                }
            ],
            "summary": "In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.",
            "severity": "High",
            "components": {
                "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE": {
                    "package_name": "org.springframework.boot:spring-boot-autoconfigure",
                    "package_version": "2.2.6.RELEASE",
                    "package_type": "maven",
                    "fixed_versions": [
                        "[2.5.15]",
                        "[2.6.15]",
                        "[2.7.12]",
                        "[3.0.7]"
                    ],
                    "infected_versions": [
                        "(,2.5.15)",
                        "[2.6.0,2.6.15)",
                        "[2.7.0,2.7.12)",
                        "[3.0.0,3.0.7)"
                    ],
                    "impact_paths": [
                        [
                            {
                                "component_id": "build://build-name:2"
                            },
                            {
                                "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT"
                            },
                            {
                                "component_id": "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE"
                            }
                        ]
                    ]
                }
            },
            "issue_id": "XRAY-520740",
            "references": [
                "https://nvd.nist.gov/vuln/detail/CVE-2023-20883",
                "https://github.com/spring-projects/spring-boot",
                "https://github.com/spring-projects/spring-boot/releases/tag/v2.5.15",
                "https://github.com/spring-projects/spring-boot/issues/35552",
                "https://github.com/spring-projects/spring-boot/releases/tag/v2.7.12",
                "https://security.netapp.com/advisory/ntap-20230703-0008/",
                "https://github.com/spring-projects/spring-boot/commit/418dd1ba5bdad79b55a043000164bfcbda2acd78",
                "https://github.com/spring-projects/spring-boot/releases/tag/v2.6.15",
                "https://spring.io/security/cve-2023-20883"
            ],
            "is_high_profile": true,
            "provider": "JFrog",
            "edited": "0001-01-01T00:00:00Z",
            "extended_information": {
                "short_description": "A design problem in Spring Boot may lead to denial of service when using the welcome page support.",
                "full_description": "[Spring Boot](https://spring.io/) is an open-source Java framework that simplifies the development of stand-alone, production-grade Spring-based applications by providing a pre-configured environment with a range of features and capabilities. It eliminates the need for manual configuration and enables developers to focus on writing business logic rather than setting up infrastructure.\nAn issue has been discovered in the way that Spring Boot serves a welcome page.\nThe welcome page is an automatically generated page that is served when accessing the web root `/` or `index.html`.\nIf an acceptable response cannot be produced (for example, an `Accept` header in the client's request is not present), the welcome page results in a 404 error.\nThis issue could lead to a denial-of-service when the application is used with a reverse proxy cache that caches these error responses. Specifically - after an attacker causes the 404 response to get cached, any other clients that access the welcome page (or web root) will also get a 404 response.\n\nNote that the vulnerability only affects applications that meet *all* of the following requirements:\n\n* `Spring MVC` auto-configuration is used in the application, using one of these class annotations: `@EnableAutoConfiguration` or `@SpringBootApplication`.\n\n* The application utilizes Spring Boot's welcome page feature, which can be static or templated. This is enabled by default but can be disabled by excluding `WelcomePageHandlerMapping` from the Spring context, or by overwriting the root `/` with a custom handler (`@GetMapping(\"/\")`).\n\n* The application is set up behind a proxy that caches 404 responses.",
                "jfrog_research_severity": "Medium",
                "jfrog_research_severity_reasons": [
                    {
                        "name": "The issue cannot result in a severe impact (such as remote code execution)",
                        "description": "Partial denial of service (DoS of the welcome page / root page only).",
                        "is_positive": true
                    },
                    {
                        "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact",
                        "description": "The CVSS does not reflect the contextual prerequisites required to exploit the vulnerability.",
                        "is_positive": true
                    },
                    {
                        "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
                        "description": "The application must have Spring MVC auto-configuration enabled, and also be deployed behind a proxy that caches `404 Not Found` HTTP responses.\nAlso, the application must make use of the welcome / landing page support.",
                        "is_positive": true
                    }
                ],
                "remediation": "##### Deployment mitigations\n\nConfigure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application."
            },
            "applicability": [
                {
                    "scanner_available": true,
                    "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                    "source_comp_id": "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE",
                    "cve_id": "CVE-2023-20883",
                    "scan_status": 1,
                    "applicability": true,
                    "scanner_explanation": "<p>The scanner checks whether the annotations <code>@EnableAutoConfiguration</code> or <code>@SpringBootApplication</code> are applied to any class.</p>\n<p>For determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: The Spring application is deployed behind a proxy that caches 404 (\"Page Not Found\") HTTP responses.</p>",
                    "evidence": [
                        {
                            "column_names": [
                                "Path",
                                "Location",
                                "Issue Found"
                            ],
                            "rows": [
                                [
                                    "/BOOT-INF/classes/com/in28minutes/springboot/StudentServicesApplication.class",
                                    "StudentServicesApplication",
                                    "The vulnerable @SpringBootApplication class annotation is used"
                                ]
                            ]
                        }
                    ],
                    "info": "The vulnerable @SpringBootApplication class annotation is used",
                    "details": [
                        {
                            "file_path": "/BOOT-INF/classes/com/in28minutes/springboot/StudentServicesApplication.class",
                            "details": "Location: StudentServicesApplication, Issue Found: The vulnerable @SpringBootApplication class annotation is used"
                        }
                    ]
                }
            ],
            "applicability_details": [
                {
                    "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                    "source_comp_id": "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE",
                    "vulnerability_id": "CVE-2023-20883",
                    "result": "applicable"
                }
            ]
        }
    ]
}

Operational Risk Sample Response:

{
  "build_name": "test",
  "build_number": "2",
  "status": "completed",
  "more_details_url": "http://localhost:8046/xray/ui/builds/test/2/1648117400418/xrayData?buildRepo=artifactory-build-info",
  "fail_build": true,
  "violations": [
    {
      "components": {
        "gav://org.datanucleus:datanucleus-core:3.0.4": {
          "package_name": "org.datanucleus:datanucleus-core",
          "package_version": "3.0.4",
          "package_type": "maven",
          "impact_paths": [
            [
              {
                "component_id": "build://test:2"
              },
              {
                "component_id": "gav://org.datanucleus:datanucleus-core:3.0.4",
                "full_path": "datanucleus-core-3.0.4.jar"
              }
            ]
          ]
        }
      },
      "risk": "Low",
      "risk_reason": "Custom Rule",
      "released": "2012-12-12T20:02:00.689Z",
      "latest_version": "6.0.0-m4",
      "newer_versions": 120,
      "cadence": 1,
      "issue_id": "d3c3dcfc1576633da237136c14ba52e0c4282dda2a0e9646090cd78717e41258",
      "type": "operational_risk",
      "severity": "Low",
      "watch_name": "or-watch",
      "fail_build": true,
      "policies": null,
      "updated": ""
    }
  ]
}

Example Error Response

404 Not Found
{
  "error": "Build doesn't exist or not indexed in Xray"
}