Description: Gets a list of all Ignored violations on a watch.
Applicable Environment: JFrog SaaS, Self-Hosted
Since: 3.11
Security: Requires a "Manage Watches" role to be set on the User or Group level.
Usage: GET /xray/api/v1/violations/ignored/{watch_name}
Consumes: N/A
Produces: application/JSON
Path Parameters:
Name | Type | Mandatory/Optional | Description |
---|---|---|---|
watch_name | string | Required | The name of the watch to retrieve violations |
Query Parameters:
Name | Type | Mandatory/Optional | Description |
---|---|---|---|
limit | string | Optional | Limit of violations to retrieve (default: 500) |
offset | string | Optional | Offset for pagination (default: 1) |
order_by | string | Optional | Order the violations by severity or updated (default: updated) |
Request Body: N/A
Response Body:
Name | Type | Description |
---|---|---|
violations_count | integer | Total count of ignored violations |
violations | array[ViolationObj] | Array of ignored violations |
ViolationObj:
Name | Type | Description |
---|---|---|
violation_id | string | The ID of the violation |
description | string | Description of the violation |
severity | string | Severity level of the violation |
type | string | Type of violation |
infected_components | array[string] | List of infected components |
created | string | Timestamp of when the violation was created |
watch_name | string | Name of the watch associated with the violation |
matched_policies | array[PolicyObj] | List of policies matched with the violation |
impacted_artifacts | array[string] | List of impacted artifacts |
issue_id | string | ID of the issue |
ignore_rule_info | IgnoreRuleInfoObj | Information about the ignore rule |
extended_information | ExtendedInfoObj | Extended information about the violation |
applicability | null or array[ApplicabilityObj] | Details about the applicability of the violation |
applicability_details | array[ApplicabilityDetailsObj] | Applicability details |
PolicyObj:
Name | Type | Description |
---|---|---|
policy | string | Name of the policy |
rule | string | Rule applied |
is_blocking | boolean | Indicates if the policy is blocking (true/false) |
is_ignored | boolean | Indicates if the policy is ignored (true/false) |
IgnoreRuleInfoObj:
Name | Type | Description |
---|---|---|
ignore_rule_type | string | Type of ignore rule (e.g., Ignore Permanently) |
author | string | Author of the ignore rule |
created | integer | Timestamp (Unix epoch seconds) when the ignore rule was created |
id | string | ID of the ignore rule |
notes | string | Additional notes about the ignore rule |
is_expired | boolean | Indicates if the ignore rule is expired |
expires_at | string | Date and time when the ignore rule expires (if applicable), in RFC 3339 timestamp format: <YYYY-MM-DDTHH:MM:SSZ> |
ExtendedInfoObj:
Name | Type | Description |
---|---|---|
short_description | string | Short description of the vulnerability |
full_description | string | Full description of the vulnerability |
jfrog_research_severity | string | Severity of the vulnerability according to JFrog research |
jfrog_research_severity_reasons | array[ReasonObj] | Reasons for JFrog research severity |
remediation | string | Remediation steps for the vulnerability |
ReasonObj:
Name | Type | Description |
---|---|---|
name | string | Name of the reason |
description | string | Description of the reason |
is_positive | boolean | Indicates if the reason is positive (true/false) |
ApplicabilityObj:
Name | Type | Description |
---|---|---|
scanner_available | boolean | Indicates if the scanner is available for checking the applicability of the vulnerability |
component_id | string | Identifier of the component |
source_comp_id | string | Identifier of the source component |
cve_id | string | Common Vulnerabilities and Exposures (CVE) identifier |
scan_status | integer | Status of the scan for applicability |
applicability | boolean | Indicates if the vulnerability is applicable |
scanner_explanation | string | Explanation provided by the scanner for applicability |
evidence | null or array[EvidenceObj] | Evidence related to the applicability of the vulnerability |
info | string | Additional information about the applicability |
details | null or array[DetailsObj] | Additional details about the applicability |
ApplicabilityDetailsObj:
Name | Type | Description |
---|---|---|
component_id | string | Component id of the artifact |
source_comp_id | string | Component id of the vulnerable package |
vulnerability_id | string | CVE id |
result | Contextual Analysis result enum | Contextual Analysis result (the examples below show the values applicable, not_applicable and not_covered) |
EvidenceObj:
Name | Type | Description |
---|---|---|
column_names | array[string] | Names of the columns in the evidence |
rows | array[array[string]] | Rows of evidence |
DetailsObj:
Name | Type | Description |
---|---|---|
file_path | string | Path to the file |
details | string | Additional details about the applicability |
Response codes:
Status code | Description |
---|---|
200 | OK |
400 | Parsing/validation error |
401 | Unauthorized |
403 | Forbidden |
500 | Failed to get ignored violations |
Successful Response Example:
```json
{
  "violations_count": 1,
  "violations": [
    {
      "violation_id": "1742877329343852544",
      "description": "The GNU General Public License Version 2",
      "severity": "High",
      "type": "License",
      "infected_components": [
        "alpine://3.15:libstdc++:10.3.1_git20211027-r0",
        "alpine://3.15:g++:10.3.1_git20211027-r0",
        "alpine://3.15:libgphobos:10.3.1_git20211027-r0",
        "gav://javax.vecmath:vecmath:1.5.2",
        "alpine://3.15:libgcc:10.3.1_git20211027-r0",
        "alpine://3.15:gcc:10.3.1_git20211027-r0",
        "gav://javax.annotation:javax.annotation-api:1.3.2",
        "alpine://3.15:libatomic:10.3.1_git20211027-r0",
        "alpine://3.15:libgomp:10.3.1_git20211027-r0"
      ],
      "created": "2024-01-04T11:55:11Z",
      "watch_name": "demo",
      "matched_policies": [
        {
          "policy": "demo-license",
          "rule": "ban-GPL&LGPL",
          "is_blocking": false,
          "is_ignored": true
        }
      ],
      "issue_id": "GPL-2.0",
      "impacted_artifacts": [
        "default/ockers/ics/latest/"
      ],
      "ignore_rule_info": {
        "id": "93989214-d2db-4692-6e3e-7dbc39f1bc17",
        "author": "usera",
        "created": 1708770133,
        "notes": "test",
        "is_expired": false,
        "expires_at": "2024-02-25T21:59:59Z"
      },
      "applicability": null
    }
  ]
}
```
Get Ignored Violation in a Watch in Projects Example
GET /xray/api/v1/violations/ignored/proj-watch?projectKey=<project_key>&limit={limit}&order_by={order_by}&offset={offset}
CVE Research and Enrichment Response Example
```json
{
  "violations_count": 3,
  "violations": [
    {
      "violation_id": "1764742097225699328",
      "description": "spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer",
      "severity": "High",
      "type": "Security",
      "infected_components": [
        "gav://org.springframework.boot:spring-boot:2.2.6.RELEASE"
      ],
      "created": "2024-03-04T19:57:57Z",
      "watch_name": "watch-name",
      "matched_policies": [
        {
          "policy": "policy-name",
          "rule": "rule-name",
          "is_blocking": false,
          "is_ignored": true
        }
      ],
      "issue_id": "XRAY-202749",
      "impacted_artifacts": [
        "default/maven-local/student-services-security-0.0.1-20230711.143048-1_8db924.jar"
      ],
      "ignore_rule_info": {
        "id": "b03fd7b9-ea42-41b5-62e4-cdbc4b1c067f",
        "ignore_rule_type": "Ignore Permanently",
        "author": "admin",
        "created": 1709582260,
        "notes": "Ignore notes",
        "is_expired": false
      },
      "extended_information": {
        "short_description": "Improper temporary directory management in Spring Boot can lead to local privilege escalation.",
        "full_description": "[Spring Boot](https://spring.io/projects/spring-boot) is a project that is built on the top of the Spring Framework. It provides an easier and faster way to set up, configure, and run both simple and web-based applications. Spring Boot is the combination of the Spring Framework and an embedded application server such as Tomcat or Jetty. When the application instantiates a web server, it creates by default a work directory for configuration files, class files and others. \n\nSpring Boot is vulnerable to temporary directory hijacking. The temporary directory creation function [`createTempDir`](https://github.com/spring-projects/spring-boot/blob/ce70e7d768977242a8ea6f93188388f273be5851/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/server/AbstractConfigurableWebServerFactory.java#L165-L177) deletes the temporary directory first, and then creates it again so that it will be empty and clean. A local attacker can monitor the Spring Boot process, catch the deletion of a temporary directory and start a race to create the directory before Spring Boot dies. If successful, the attacker will be the owner of the directory and will be able to dump and modify any created temporary files.\nThis can potentially lead to application takeover (running code with the privileges of Spring Boot) if the temporary directory contains important files such as configuration files, class files and others.\n\nNote: Spring Boot Autoconfiguration's popular annotations `@SpringBootApplication` and `@EnableAutoConfiguration` are instantiating a web server at runtime. Thus, if one of the annotations is present, it always makes the application vulnerable for this CVE.",
        "jfrog_research_severity": "Medium",
        "jfrog_research_severity_reasons": [
          {
            "name": "The issue is trivial to exploit and does not require a published writeup or PoC",
            "description": "Requires the attacker to create a temporary directory before the Spring Boot process",
            "is_positive": false
          },
          {
            "name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)",
            "description": "The attacker should be able to monitor temporary directories",
            "is_positive": true
          },
          {
            "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
            "description": "The impact depends on the contents of the hijacked directory",
            "is_positive": true
          },
          {
            "name": "The issue has a detailed technical explanation published, that can aid in exploit development",
            "is_positive": false
          }
        ],
        "remediation": "##### Deployment mitigations\n\nSetting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems as follows:\n```\nexport _JAVA_OPTIONS=-Djava.io.tmpdir=/my/tmp/dir\n```"
      },
      "applicability": [
        {
          "scanner_available": true,
          "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
          "source_comp_id": "gav://org.springframework.boot:spring-boot:2.2.6.RELEASE",
          "cve_id": "CVE-2022-27772",
          "scan_status": 1,
          "applicability": true,
          "scanner_explanation": "<p>The scanner checks whether the vulnerable inner function <code>AbstractConfigurableWebServerFactory.createTempDir()</code> is called, <br />\nby checking whether any of the following external functions are called:</p>\n<ul>\n<li><code>JettyServletWebServerFactory.getWebServer()</code></li>\n<li><code>TomcatServletWebServerFactory.getWebServer()</code></li>\n<li><code>UndertowServletWebServerFactory.getWebServer()</code></li>\n<li><code>TomcatReactiveWebServerFactory.getWebServer()</code></li>\n</ul>\n<p>It additionally checks whether the <code>@SpringBootApplication</code> or <code>@EnableAutoConfiguration</code> annotations are used, since Spring-Boot-based web servers also lead to the vulnerable inner function.</p>",
          "evidence": [
            {
              "column_names": [
                "Path",
                "Location",
                "Issue Found"
              ],
              "rows": [
                [
                  "/BOOT-INF/classes/com/in28minutes/springboot/StudentServicesApplication.class",
                  "StudentServicesApplication",
                  "The vulnerable @SpringBootApplication class annotation is used"
                ]
              ]
            }
          ],
          "info": "The vulnerable @SpringBootApplication class annotation is used",
          "details": [
            {
              "file_path": "/BOOT-INF/classes/com/in28minutes/springboot/StudentServicesApplication.class",
              "details": "Location: StudentServicesApplication, Issue Found: The vulnerable @SpringBootApplication class annotation is used"
            }
          ]
        }
      ],
      "applicability_details": [
        {
          "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
          "source_comp_id": "gav://org.springframework.boot:spring-boot:2.2.6.RELEASE",
          "vulnerability_id": "CVE-2022-27772",
          "result": "applicable"
        }
      ]
    },
    {
      "violation_id": "1764742097427025920",
      "description": "Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.",
      "severity": "Medium",
      "type": "Security",
      "infected_components": [
        "gav://org.springframework.security:spring-security-core:5.2.2.RELEASE"
      ],
      "created": "2024-03-04T19:57:58Z",
      "watch_name": "watch-name",
      "matched_policies": [
        {
          "policy": "policy-name",
          "rule": "rule-name",
          "is_blocking": false,
          "is_ignored": true
        }
      ],
      "issue_id": "XRAY-98355",
      "impacted_artifacts": [
        "default/maven-local/student-services-security-0.0.1-20230711.143048-1_8db924.jar"
      ],
      "ignore_rule_info": {
        "id": "b03fd7b9-ea42-41b5-62e4-cdbc4b1c067f",
        "ignore_rule_type": "Ignore Permanently",
        "author": "admin",
        "created": 1709582260,
        "notes": "Ignore notes",
        "is_expired": false
      },
      "applicability": null,
      "applicability_details": [
        {
          "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
          "source_comp_id": "",
          "vulnerability_id": "CVE-2020-5408",
          "result": "not_covered"
        }
      ]
    },
    {
      "violation_id": "1764742097791930368",
      "description": "Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.\n\nMaintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain [enhanced documentation](https://github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa) advising users to take precautions against unsafe Java deserialization, version 5.3.0 [deprecate the impacted classes](https://github.com/spring-projects/spring-framework/issues/25379) and version 6.0.0 [removed it entirely](https://github.com/spring-projects/spring-framework/issues/27422).",
      "severity": "Critical",
      "type": "Security",
      "infected_components": [
        "gav://org.springframework:spring-web:5.2.5.RELEASE"
      ],
      "created": "2024-03-04T19:57:58Z",
      "watch_name": "watch-name",
      "matched_policies": [
        {
          "policy": "policy-name",
          "rule": "rule-name",
          "is_blocking": false,
          "is_ignored": true
        }
      ],
      "issue_id": "XRAY-125778",
      "impacted_artifacts": [
        "default/maven-local/student-services-security-0.0.1-20230711.143048-1_8db924.jar"
      ],
      "ignore_rule_info": {
        "id": "b03fd7b9-ea42-41b5-62e4-cdbc4b1c067f",
        "ignore_rule_type": "Ignore Permanently",
        "author": "admin",
        "created": 1709582260,
        "notes": "Ignore notes",
        "is_expired": false
      },
      "extended_information": {
        "short_description": "Unsafe deserialization in Spring RemoteInvocationSerializingExporter could lead to remote code execution.",
        "full_description": "Spring-based applications that export service beans as endpoints using classes that extend the [RemoteInvocationSerializingExporter](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.html) class are vulnerable to Java deserialization attacks which could lead to RCE (Remote Code Execution). As of 2016, this vulnerability is still not fixed, as the Pivotal team (the maintainers of the Spring framework) disputed it as a security vulnerability in Spring itself and decided not to issue a fix. Instead, they deprecated `HttpInvokerServiceExporter` and `SimpleHttpInvokerServiceExporter`, the potentially vulnerable exporter classes that extend `RemoteInvocationSerializingExporter` and warned application developers not to use them when exposed to untrusted user input (see \"WARNING\" in the [documentation](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.html)). Applications that do not use the above classes can safely ignore this vulnerability.",
        "jfrog_research_severity": "Critical",
        "jfrog_research_severity_reasons": [
          {
            "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
            "description": "The attacker must find a request that is handled by a class extending `RemoteInvocationSerializingExporter`",
            "is_positive": true
          },
          {
            "name": "The issue results in a severe impact (such as remote code execution)",
            "description": "Remote code execution",
            "is_positive": false
          },
          {
            "name": "The issue has an exploit published",
            "description": "An RMI exploit can be generated by frameworks such as [ysoserial](https://github.com/frohoff/ysoserial/tree/master/src)",
            "is_positive": false
          },
          {
            "name": "The issue has a detailed technical explanation published, that can aid in exploit development",
            "description": "The original advisory contains a technical writeup",
            "is_positive": false
          }
        ],
        "remediation": "##### Deployment mitigations\n\nDo not use Java serialization for external endpoints (Do not extend the `RemoteInvocationSerializingExporter` class)"
      },
      "applicability": [
        {
          "scanner_available": true,
          "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
          "source_comp_id": "gav://org.springframework:spring-web:5.2.5.RELEASE",
          "cve_id": "CVE-2016-1000027",
          "scan_status": 1,
          "applicability": false,
          "scanner_explanation": "<p>The scanner checks whether the vulnerable class <code>(Simple)HttpInvokerServiceExporter</code> is instantiated.</p>",
          "evidence": null,
          "info": "The vulnerable class (Simple)HttpInvokerServiceExporter is never instantiated",
          "details": null
        }
      ],
      "applicability_details": [
        {
          "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
          "source_comp_id": "gav://org.springframework:spring-web:5.2.5.RELEASE",
          "vulnerability_id": "CVE-2016-1000027",
          "result": "not_applicable"
        }
      ]
    }
  ]
}
```
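Added example (not JFrog code): a small Python client that builds the documented request, pages through the results, and audits the returned ignored violations for suppressions a reviewer should revisit: ignore rules that have lapsed, Critical/High security violations suppressed with no `expires_at`, and CVEs that Contextual Analysis still reports as `applicable`. The Bearer-token header, the reading of `offset` as a 1-based page number, and passing `projectKey` as a query parameter (mirroring the projects example above) are assumptions; the embedded sample response is constructed from the documented field names, reusing CVE and component identifiers from the page's own examples.

```python
"""Audit ignored violations from GET /xray/api/v1/violations/ignored/{watch_name}.
Added example, not JFrog code; see the assumptions noted in the comments."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

HIGH_SEVERITIES = {"Critical", "High"}

# Constructed sample response in the documented shape. Violation/rule ids are
# made up; CVE and component ids are taken from the page's own examples.
SAMPLE_RESPONSE = json.dumps({
    "violations_count": 3,
    "violations": [
        {"violation_id": "1000000000000000001", "description": "The GNU General Public License Version 2",
         "severity": "High", "type": "License", "issue_id": "GPL-2.0", "watch_name": "demo",
         "infected_components": ["gav://javax.vecmath:vecmath:1.5.2"], "created": "2024-01-04T11:55:11Z",
         "matched_policies": [{"policy": "demo-license", "rule": "ban-GPL", "is_blocking": False, "is_ignored": True}],
         "impacted_artifacts": ["default/docker-local/app/latest/"],
         "ignore_rule_info": {"id": "rule-a", "author": "usera", "created": 1708770133, "notes": "temporary",
                              "is_expired": False, "expires_at": "2024-02-25T21:59:59Z"},
         "applicability": None},
        {"violation_id": "1000000000000000002", "description": "Temporary directory hijacking in spring-boot",
         "severity": "High", "type": "Security", "issue_id": "XRAY-202749", "watch_name": "demo",
         "infected_components": ["gav://org.springframework.boot:spring-boot:2.2.6.RELEASE"],
         "created": "2024-03-04T19:57:57Z", "impacted_artifacts": ["default/maven-local/app.jar"],
         "ignore_rule_info": {"id": "rule-b", "ignore_rule_type": "Ignore Permanently", "author": "admin",
                              "created": 1709582260, "notes": "Ignore notes", "is_expired": False},
         "applicability_details": [{"component_id": "gav://com.example:app:1.0",
                                    "source_comp_id": "gav://org.springframework.boot:spring-boot:2.2.6.RELEASE",
                                    "vulnerability_id": "CVE-2022-27772", "result": "applicable"}]},
        {"violation_id": "1000000000000000003", "description": "Fixed null IV with CBC mode in Spring Security",
         "severity": "Medium", "type": "Security", "issue_id": "XRAY-98355", "watch_name": "demo",
         "infected_components": ["gav://org.springframework.security:spring-security-core:5.2.2.RELEASE"],
         "created": "2024-03-04T19:57:58Z", "impacted_artifacts": ["default/maven-local/app.jar"],
         "ignore_rule_info": {"id": "rule-b", "ignore_rule_type": "Ignore Permanently", "author": "admin",
                              "created": 1709582260, "notes": "Ignore notes", "is_expired": False},
         "applicability": None,
         "applicability_details": [{"component_id": "gav://com.example:app:1.0", "source_comp_id": "",
                                    "vulnerability_id": "CVE-2020-5408", "result": "not_covered"}]},
    ],
})


def parse_rfc3339(value):
    """Parse the documented <YYYY-MM-DDTHH:MM:SSZ> form into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_reasons(violation, now):
    """Return the reasons (possibly none) why this ignored violation deserves a second look."""
    rule = violation.get("ignore_rule_info") or {}
    expires_at = rule.get("expires_at")
    reasons = []
    # 1. The rule has lapsed: server flag, or the RFC 3339 expiry is already in the past.
    if rule.get("is_expired") or (expires_at and parse_rfc3339(expires_at) <= now):
        reasons.append("ignore rule expired")
    # 2. A Critical/High security finding is suppressed with no expiry at all.
    if violation.get("type") == "Security" and violation.get("severity") in HIGH_SEVERITIES and not expires_at:
        reasons.append(f"{violation['severity']} security violation ignored with no expiry")
    # 3. Contextual Analysis says the CVE is actually reachable in the artifact.
    for detail in violation.get("applicability_details") or []:
        if detail.get("result") == "applicable":
            reasons.append(f"contextual analysis marks {detail.get('vulnerability_id')} applicable")
    return reasons


def audit_ignored_violations(payload, now=None):
    """Run review_reasons over a response body (JSON text or dict); `now` may be an RFC 3339 string."""
    if isinstance(now, str):
        now = parse_rfc3339(now)
    now = now or datetime.now(timezone.utc)
    data = json.loads(payload) if isinstance(payload, str) else payload
    findings = []
    for violation in data.get("violations", []):
        reasons = review_reasons(violation, now)
        if reasons:
            findings.append({"violation_id": violation["violation_id"], "issue_id": violation.get("issue_id"),
                             "severity": violation.get("severity"), "reasons": reasons})
    return findings


def build_request(base_url, token, watch_name, limit=500, offset=1, order_by="updated", project_key=None):
    """Build the documented GET. Assumptions: a Bearer access token, and projectKey as a query
    parameter (as in the projects example above)."""
    params = {"limit": limit, "offset": offset, "order_by": order_by}
    if project_key:
        params["projectKey"] = project_key
    url = (f"{base_url.rstrip('/')}/xray/api/v1/violations/ignored/"
           f"{urllib.parse.quote(watch_name, safe='')}?{urllib.parse.urlencode(params)}")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})


def fetch_all_ignored(base_url, token, watch_name, limit=500, project_key=None):
    """Collect every page. Assumption: `offset` is a 1-based page number (its documented default is 1)."""
    violations, offset = [], 1
    while True:
        req = build_request(base_url, token, watch_name, limit, offset, project_key=project_key)
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        violations.extend(page.get("violations", []))
        if len(page.get("violations", [])) < limit or len(violations) >= page.get("violations_count", 0):
            return violations
        offset += 1


if __name__ == "__main__":
    for finding in audit_ignored_violations(SAMPLE_RESPONSE, now="2024-03-01T00:00:00Z"):
        print(finding["violation_id"], finding["issue_id"], finding["severity"], "; ".join(finding["reasons"]))
```

Against a live instance, replace the sample with `fetch_all_ignored(base_url, token, watch_name)` and feed `{"violations": ...}` to `audit_ignored_violations`; the `is_expired` flag is trusted as well as the parsed `expires_at`, because a rule that lapsed after the server's last evaluation still hides the violation until the next re-scan.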