Description: Invokes scanning of a build that was uploaded to Artifactory as requested by a CI server.
Notes: Requires the "Manage Xray Metadata" role to be set on the User or Group level.
Security: Requires Manage Xray Metadata permissions.
Usage: POST /xray/api/v1/scanBuild
Consumes: application/json
Produces: application/json
Path Parameters: None
Query Parameters: None
Request Body:
Name | Type | Required/Optional | Description |
|---|---|---|---|
| string | mandatory | Name of the build |
| string | mandatory | Build number |
| boolean | optional | Flag to rescan the artifact |
| optional | Filters object for specifying scanning options | |
| string | optional | The project key that the build belongs to |
FiltersObj:
Name | Type | Required/Optional | Description |
|---|---|---|---|
| boolean | optional | Flag to include licenses |
Response Body:
Name | Type | Description |
|---|---|---|
| Summary object of the scan result | |
| array[AlertObj] | An array of alert details generated from the scan |
| array[LicenseObj] | Array of license details from the scan |
SummaryObj:
Name | Type | Description |
|---|---|---|
| number | Total number of alerts generated from the scan |
| boolean | Flag indicating if the build failed |
| string | Message with more information regarding the scan |
| string | Link to all created Alerts in Xray |
AlertObj:
Name | Type | Description |
|---|---|---|
| string | Creation time of the Alert |
| string | Top severity of the Alert |
| string | Name of the Watch that caused the Alert |
| array[IssueObj] | An array of issues included in the Alert |
IssueObj:
Name | Type | Description |
|---|---|---|
| string | The severity of the issue |
| string | Type of the issue Possible values: |
| string | Provider of the issue |
| string | The creation time of the issue |
| string | Summary of the issue |
| string | Description of the issue |
| string | Common Vulnerabilities and Exposures Identifier |
| array [ImpactedArtifactObj] | An array of impacted artifacts |
| array [ApplicabilityDetailsObj] | Applicability details |
ImpactedArtifactObj:
Name | Type | Description |
|---|---|---|
| string | Name of the impacted artifact |
| string | Display name of the impacted artifact |
| string | Path of the impacted artifact |
| string | Package type of the impacted artifact |
| string | SHA-256 hash of the impacted artifact |
| integer | Depth of the impacted artifact |
| string | SHA-256 of the impacted artifact |
| array[InfectedFileObj] | Array of infected files in the impacted artifact |
InfectedFileObj:
Name | Type | Description |
|---|---|---|
| string | Name of the infected file |
| string | Path of the infected file |
| string | SHA256 hash of the infected file |
| string | ID of the component related to the infected file |
| integer | Depth of the infected file |
| string | SHA-256 of the infected file Parent |
| string | Display name of the infected file |
LicenseObj:
Name | Type | Description |
|---|---|---|
| string | Name of the license |
| array[string] | Array of build’s components IDs with this license |
| string | Full name of the license |
| array[string] | An array of links to more information about this license |
ApplicabilityDetailsObj
Name | Type | Description |
|---|---|---|
| string | Component id of the artifact |
| string | Component id of the vulnerable package |
| string | Cve id |
| string | Contextual Analysis result. Possible values: |
Response Codes:
Status code | Description |
|---|---|
200 | Build scanned |
415 | Failed to parse scan build request |
400 | Request is missing mandatory fields |
403 | No valid license was found |
500 | Failed to get Artifactory instance data |
500 | Failed to check watches |
500 | Failed to send build to scan |
Example Request:
{
"buildName": "example-build",
"buildNumber": "4",
"rescan": true,
"filters": {
"includeLicenses": true
}
Example Request - Project build:
{
"buildName": "build-name",
"buildNumber": "8",
"project": "myproject"
}
Example Successful Response - build in Project scope:
{
"summary": {
"total_alerts": 2,
"fail_build": true,
"message": "Build test-project number 3 was scanned by Xray and 2 Alerts were generated",
"more_details_url": "https://example.jfrog.io/ui/scans-list/builds-scans/test-project/scan-descendants/3?version=3&package_id=build%3A%2F%2F%5Btest-project-key-build-info%5D%2Ftest-project&build_repository=test-project-key-build-info&component_id=build%3A%2F%2F%5Btest-project-key-build-info%5D%2Ftest-project%3A3&page_type=security-vulnerabilities&exposure_status=to_fix"
},
"alerts": [
{
"schema_version": "",
"created": "2024-02-24T22:06:39.979Z",
"top_severity": "Critical",
"watch_name": "project-watch",
"issues": [
{
"severity": "Critical",
"type": "Security",
"provider": "JFrog",
"created": "2024-02-24T22:06:39.979Z",
"summary": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.",
"description": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.",
"impacted_artifacts": [
{
"name": "test-project",
"display_name": "[test-project-key-build-info]/test-project:3",
"path": "default/test-project-key-build-info/test-project",
"pkg_type": "Build",
"sha256": "3fe6ac318de3717969b1df85f87404c52ee7d0056a335de0277fcea53351aa3f",
"sha1": "",
"depth": 0,
"parent_sha": "3fe6ac318de3717969b1df85f87404c52ee7d0056a335de0277fcea53351aa3f",
"infected_files": [
{
"name": "log4j-1.2.17.jar",
"path": "",
"sha256": "a2234476879b9e76f99a561f3d9da243684edb54b0b44ef7c0cf7a1a3d1e6776",
"component_id": "gav://log4j:log4j:1.2.17",
"depth": 0,
"parent_sha": "3fe6ac318de3717969b1df85f87404c52ee7d0056a335de0277fcea53351aa3f",
"display_name": "log4j:log4j:1.2.17"
}
]
}
],
"cve": "CVE-2022-23305"
},
{
"severity": "Critical",
"type": "Security",
"provider": "JFrog",
"created": "2024-02-24T22:06:39.993Z",
"summary": "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.",
"description": "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.\n\nUsers are advised to migrate to `org.apache.logging.log4j:log4j-core`.",
"impacted_artifacts": [
{
"name": "test-project",
"display_name": "[test-project-key-build-info]/test-project:3",
"path": "default/test-project-key-build-info/test-project",
"pkg_type": "Build",
"sha256": "3fe6ac318de3717969b1df85f87404c52ee7d0056a335de0277fcea53351aa3f",
"sha1": "",
"depth": 0,
"parent_sha": "3fe6ac318de3717969b1df85f87404c52ee7d0056a335de0277fcea53351aa3f",
"infected_files": [
{
"name": "log4j-1.2.17.jar",
"path": "",
"sha256": "a2234476879b9e76f99a561f3d9da243684edb54b0b44ef7c0cf7a1a3d1e6776",
"component_id": "gav://log4j:log4j:1.2.17",
"depth": 0,
"parent_sha": "3fe6ac318de3717969b1df85f87404c52ee7d0056a335de0277fcea53351aa3f",
"display_name": "log4j:log4j:1.2.17"
}
]
}
],
"cve": "CVE-2019-17571"
}
]
}
],
"licenses": [
{
"name": "Apache-2.0",
"full_name": "Apache License 2.0",
"more_info_url": [
"https://www.apache.org/licenses/LICENSE-2.0",
"https://opensource.org/licenses/Apache-2.0",
"http://www.opensource.org/licenses/Apache-2.0",
"http://www.opensource.org/licenses/apache2.0.php",
"https://spdx.org/licenses/Apache-2.0",
"https://spdx.org/licenses/Apache-2.0.html",
"http://www.apache.org/licenses/LICENSE-2.0",
"https://licenses.nuget.org/Apache-2.0",
"http://licenses.nuget.org/Apache-2.0",
"https://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt",
"http://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt"
],
"components": [
"gav://log4j:log4j:1.2.17"
]
}
]
}
{
"summary": {
"total_alerts": 2,
"fail_build": true,
"message": "Build build-name number 2 was scanned by Xray and 2 Alerts were generated",
"more_details_url": "https://artifactory.jfrog.io/ui/scans-list/builds-scans/build-name/scan-descendants/2?version=2&package_id=build%3A%2F%2Fbuild-name&build_repository=artifactory-build-info&component_id=build%3A%2F%2Fbuild-name%3Abe0583&page_type=security-vulnerabilities&exposure_status=to_fix"
},
"alerts": [
{
"schema_version": "",
"created": "2024-02-29T04:56:51.205Z",
"top_severity": "Critical",
"watch_name": "watch-name",
"issues": [
{
"severity": "High",
"type": "Security",
"provider": "JFrog",
"created": "2024-03-04T20:00:09.227Z",
"summary": "In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.",
"description": "In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.\n\nSpecifically, an application is vulnerable if all of the conditions are true:\n\n* The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath.\n* The application makes use of Spring Boot's welcome page support, either static or templated.\n* Your application is deployed behind a proxy which caches 404 responses.\n\nYour application is NOT vulnerable if any of the following are true:\n\n* Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET.\n* The application does not use Spring Boot's welcome page support.\n* You do not have a proxy which caches 404 responses.\n\n\nAffected Spring Products and Versions\n\nSpring Boot\n\n3.0.0 to 3.0.6 2.7.0 to 2.7.11 2.6.0 to 2.6.14 2.5.0 to 2.5.14\n\nOlder, unsupported versions are also affected\nMitigation\n\nUsers of affected versions should apply the following mitigations:\n\n* 3.0.x users should upgrade to 3.0.7+\n* 2.7.x users should upgrade to 2.7.12+\n* 2.6.x users should upgrade to 2.6.15+\n* 2.5.x users should upgrade to 2.5.15+\n\nUsers of older, unsupported versions should upgrade to 3.0.7+ or 2.7.12+.\n\nWorkarounds: configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application.",
"impacted_artifacts": [
{
"name": "build-name",
"display_name": "build-name:2",
"path": "default/builds/build-name",
"pkg_type": "Build",
"sha256": "5242d3177c47ec81429f1348e004f2e26c3a219cdc20edadd8c5d12e084400e1",
"sha1": "",
"depth": 0,
"parent_sha": "5242d3177c47ec81429f1348e004f2e26c3a219cdc20edadd8c5d12e084400e1",
"infected_files": [
{
"name": "spring-boot-autoconfigure-2.2.6.RELEASE.jar",
"path": "",
"sha256": "b84273b4a4ca10acd9619de50882bd793d031d65efde2f3286c0f0566ec756c2",
"component_id": "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE",
"depth": 0,
"parent_sha": "5242d3177c47ec81429f1348e004f2e26c3a219cdc20edadd8c5d12e084400e1",
"display_name": "org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE"
}
]
}
],
"cve": "CVE-2023-20883",
"applicability": [
{
"scanner_available": true,
"component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
"source_comp_id": "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE",
"cve_id": "CVE-2023-20883",
"scan_status": 1,
"applicability": true,
"scanner_explanation": "<p>The scanner checks whether the annotations <code>@EnableAutoConfiguration</code> or <code>@SpringBootApplication</code> are applied to any class.</p>\n<p>For determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: The Spring application is deployed behind a proxy that caches 404 (\"Page Not Found\") HTTP responses.</p>",
"evidence": [
{
"column_names": [
"Path",
"Location",
"Issue Found"
],
"rows": [
[
"/BOOT-INF/classes/com/in28minutes/springboot/StudentServicesApplication.class",
"StudentServicesApplication",
"The vulnerable @SpringBootApplication class annotation is used"
]
]
}
],
"info": "The vulnerable @SpringBootApplication class annotation is used",
"details": [
{
"file_path": "/BOOT-INF/classes/com/in28minutes/springboot/StudentServicesApplication.class",
"details": "Location: StudentServicesApplication, Issue Found: The vulnerable @SpringBootApplication class annotation is used"
}
]
}
],
"applicability_details": [
{
"component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
"source_comp_id": "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE",
"vulnerability_id": "CVE-2023-20883",
"result": "applicable"
}
]
},
{
"severity": "High",
"type": "Security",
"provider": "JFrog",
"created": "2024-02-29T04:56:51.215Z",
"summary": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.",
"description": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.",
"impacted_artifacts": [
{
"name": "build-name",
"display_name": "build-name:2",
"path": "default/builds/build-name",
"pkg_type": "Build",
"sha256": "fb32d42470fc88649240f336e145b90b5387d9650ca68f6f00e4fd8dc8d3bdb4",
"sha1": "",
"depth": 0,
"parent_sha": "fb32d42470fc88649240f336e145b90b5387d9650ca68f6f00e4fd8dc8d3bdb4",
"infected_files": [
{
"name": "jackson-databind-2.10.3.jar",
"path": "",
"sha256": "50eec40443f387be50a409186165298aaadbb6c4d4826d319720e245714600d2",
"component_id": "gav://com.fasterxml.jackson.core:jackson-databind:2.10.3",
"depth": 0,
"parent_sha": "fb32d42470fc88649240f336e145b90b5387d9650ca68f6f00e4fd8dc8d3bdb4",
"display_name": "com.fasterxml.jackson.core:jackson-databind:2.10.3"
}
]
}
],
"cve": "CVE-2022-42004",
"applicability": [
{
"scanner_available": true,
"component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
"source_comp_id": "gav://com.fasterxml.jackson.core:jackson-databind:2.10.3",
"cve_id": "CVE-2022-42004",
"scan_status": 1,
"applicability": false,
"scanner_explanation": "<p>This scanner checks whether or not an <code>ObjectMapper</code> object has enabled the vulnerable <code>DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS</code> functionality. If it has, the scanner checks if any of the following vulnerable functions are called with external input:</p>\n<ul>\n<li><code>ObjectMapper.readTree()</code></li>\n<li><code>ObjectMapper.readValue()</code></li>\n<li><code>ObjectMapper.readValues()</code></li>\n</ul>",
"evidence": null,
"info": "The vulnerable functions ObjectMapper.enable/ObjectMapper.configure never set the vulnerable enum DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS to true",
"details": null
}
],
"applicability_details": [
{
"component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
"source_comp_id": "gav://com.fasterxml.jackson.core:jackson-databind:2.10.3",
"vulnerability_id": "CVE-2022-42004",
"result": "not_applicable"
}
]
}
]
}
],
"licenses": [
{
"name": "CDDL-1.0",
"full_name": "Common Development and Distribution License 1.0",
"more_info_url": [
"https://opensource.org/licenses/cddl1",
"http://www.opensource.org/licenses/cddl1.php",
"https://spdx.org/licenses/CDDL-1.0",
"https://spdx.org/licenses/CDDL-1.0.html",
"http://www.opensource.org/licenses/cddl1"
],
"components": [
"gav://org.apache.tomcat.embed:tomcat-embed-core:9.0.33"
]
}
]
}