Scan Build V2

Xray REST APIs

Product: JFrog Xray
Content type: REST API

Description: Invokes scanning of a build that was uploaded to Artifactory, as requested by a CI server, and gets the build scan results.

Security: Requires the "Manage Xray Metadata" role to be set on the User or Group level.

Usage: POST /api/v2/ci/build (invokes the scanning of a build)

Usage: GET /api/v2/ci/build/{build_name}/{build_number}[?include_vulnerabilities={true|false}] (Gets the build scan results)

Consumes: application/json

Produces: application/json

Path parameters: None

Query parameters: None

Request body:

build_name (string, required): Name of the build
build_number (string, required): Build number

Response body:

info (string): Information about the scan progress.
build_name (string): Name of the build.
build_number (string): Number of the build.
project (string): Project associated with the build.
status (string): Status of the build (e.g., completed).
more_details_url (string): URL for more details about the build.
fail_build (boolean): Fail build overall status.
violations (array[ViolationObj]): An array of detected violations.
vulnerabilities (array[VulnerabilityObj]): An array of detected vulnerabilities.

ViolationObj:

issue_id (string): Xray Id for the issue.
summary (string): Summary of the violation.
severity (string): Severity level of the violation. Possible values: Critical, High, Medium, Low, Information, Unknown
risk (string): Operational Risk level of the violation. Possible values: High, Medium, Low
components (object): Components affected by the violation, keyed by component id (see the example responses).
type (string): Type of the violation. Possible values: security, license, operational_risk
watch_name (string): Name of the watch associated with the violation.
fail_build (boolean): Violation's Fail build status.
cves (array[CVEObj]): An array of CVE objects representing Common Vulnerabilities and Exposures.
references (array[string]): An array of references related to the vulnerability.
is_high_profile (boolean): Indicates if the vulnerability is high profile.
extended_information (ExtendedInfoObj): Additional information about the issue. As of Xray version 3.42.3.
applicability_details (array[ApplicabilityDetailsObj]): Applicability details.

VulnerabilityObj:

issue_id (string): Identifier of the issue.
summary (string): Summary of the vulnerability.
severity (string): Severity level of the vulnerability. Possible values: Critical, High, Medium, Low, Information, Unknown
cves (array[CVEObj]): An array of CVE objects representing Common Vulnerabilities and Exposures.
components (ComponentsObj): Components affected by the vulnerability.
references (array[string]): An array of references related to the vulnerability.
is_high_profile (boolean): Indicates if the vulnerability is high profile.
provider (string): Provider of the vulnerability information.
edited (string): Timestamp of when the vulnerability was last edited.
extended_information (ExtendedInfoObj): Additional information about the issue. As of Xray version 3.42.3.
applicability (array[ApplicabilityObj]): An array of applicability details.
applicability_details (array[ApplicabilityDetailsObj]): Applicability details.

CVEObj:

cve (string): Common Vulnerabilities and Exposures Identifier
cvss_v2_score (string): CVSS v2 score
cvss_v2_vector (string): CVSS v2 vector
cvss_v3_score (string): CVSS v3 score
cvss_v3_vector (string): CVSS v3 vector

ComponentsObj:

package_name (string): Name of the package.
package_version (string): The version of the package.
package_type (string): Type of the package (e.g., Maven, Debian).
fixed_versions (array[string]): An array of fixed versions of the package.
infected_versions (array[string]): An array of infected versions of the package.
impact_paths (array[array[ComponentPathObj]]): An array of impact paths of the component.

ComponentPathObj:

component_id (string): ID of the component.
full_path (string): The full path of the component.

ExtendedInfoObj:

short_description (string): A brief description of the issue. The field is markdown text.
full_description (string): Full description of the issue. The field is markdown text.
jfrog_research_severity (string): The severity of the issue according to JFrog's research.
jfrog_research_severity_reasons (array[SeverityReasonObj]): Reasons for the severity assigned by JFrog research.
remediation (string): Remediation steps for the issue. The field is markdown text.

SeverityReasonObj:

name (string): The reason for the severity assessment.
description (string): Detailed explanation supporting the severity assessment.
is_positive (boolean): Indicates whether the reason contributes positively to the severity assessment.

ApplicabilityDetailsObj:

component_id (string): Component id of the artifact.
source_comp_id (string): Component id of the vulnerable package.
vulnerability_id (string): CVE id.
result (string): Contextual Analysis result. Possible values: not_scanned, applicable, not_applicable, undetermined, rescan_required, upgrade_required, not_covered

ApplicabilityObj:

scanner_available (boolean): Indicates whether a scanner is available to check the applicability of the issue.
component_id (string): Identifier for the component or environment where the issue is applicable.
source_comp_id (string): Identifier for the source component or environment where the issue was detected.
cve_id (string): Identifier for the CVE associated with the issue.
scan_status (integer): Status of the scan (e.g., 1 for successful, 0 for unsuccessful).
applicability (boolean): Indicates whether the issue is applicable to the specified component or environment.
scanner_explanation (string): Explanation provided by the scanner regarding the applicability check.
evidence (array[EvidenceObj]): Evidence or additional information related to the applicability check.
info (string): Additional information about the applicability of the issue.
details (array[DetailsObj]): Additional details or notes regarding the applicability of the issue.

EvidenceObj:

column_names (array[string]): Names of the columns in the evidence data.
rows (array[array[string]]): Rows of evidence data, each containing specific details about the issue.

DetailsObj:

file_path (string): File path or location where the issue was detected.
details (string): Detailed information about the applicability of the issue.

Response codes:

200: Build %v is not selected for indexing
200: No Xray “Fail build in case of a violation” policy rule has been defined on this build. The Xray scan will run in parallel to the deployment of the build and will not obstruct the build. To review the Xray scan results, see the Xray Violations tab in the UI.
400: Request is missing mandatory fields
403: No valid license was found
403: Permission denied
415: Failed to parse scan build request

Example request:

{
 "build_name": "my-build",
 "build_number": "8"
}

Project Scope Example request:

{
 "build_name": "my-build",
 "build_number": "14",
 "project": "projA"
}

Example of successful response:

{
 "info": "Scan of build name 'my-build', build number '8' is in progress"
}

Example of successful response with Contextual Analysis results:

{
    "build_name": "build-name",
    "build_number": "2",
    "status": "completed",
    "more_details_url": "https://artifactory.jfrog.io/ui/scans-list/builds-scans/build-name/scan-descendants/2?version=2&package_id=build%3A%2F%2Fbuild-name&build_repository=artifactory-build-info&component_id=build%3A%2F%2Fbuild-name%3A2&page_type=security-vulnerabilities&exposure_status=to_fix",
    "fail_build": true,
    "violations": [
        {
            "cves": [
                {
                    "cve": "CVE-2023-20873",
                    "cvss_v3_score": "9.8",
                    "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                }
            ],
            "summary": "In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.",
            "severity": "Critical",
            "components": {
                "gav://org.springframework.boot:spring-boot-actuator-autoconfigure:2.2.6.RELEASE": {
                    "package_name": "org.springframework.boot:spring-boot-actuator-autoconfigure",
                    "package_version": "2.2.6.RELEASE",
                    "package_type": "maven",
                    "fixed_versions": [
                        "[2.7.11]",
                        "[3.0.6]"
                    ],
                    "impact_paths": [
                        [
                            {
                                "component_id": "build://build-name:2"
                            },
                            {
                                "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                                "full_path": "student-services-security-0.0.1-20230711.143048-1.jar"
                            },
                            {
                                "component_id": "gav://org.springframework.boot:spring-boot-actuator-autoconfigure:2.2.6.RELEASE",
                                "full_path": "BOOT-INF/lib/spring-boot-actuator-autoconfigure-2.2.6.RELEASE.jar"
                            }
                        ]
                    ]
                }
            },
            "issue_id": "XRAY-515384",
            "references": [
                "https://github.com/spring-projects/spring-boot",
                "https://github.com/spring-projects/spring-boot/releases/tag/v3.0.6",
                "https://github.com/spring-projects/spring-boot/commit/32444fed4b51cc58dc908467f706102d7f0bfc15",
                "https://security.netapp.com/advisory/ntap-20230601-0009/",
                "https://spring.io/blog/2023/05/18/spring-boot-2-5-15-and-2-6-15-available-now",
                "https://github.com/spring-projects/spring-boot/commit/3522714c13b47af03bf42e7f2d5994af568cb1a7",
                "https://nvd.nist.gov/vuln/detail/CVE-2023-20873",
                "https://github.com/spring-projects/spring-boot/releases/tag/v2.7.11",
                "https://spring.io/security/cve-2023-20873"
            ],
            "type": "security",
            "watch_name": "watch-name",
            "fail_build": true,
            "is_high_profile": true,
            "policies": null,
            "updated": "",
            "extended_information": {
                "short_description": "Improper endpoint path mapping in Sprint Boot allows an attacker to perform path traversal attacks when using catch-all request mappings on an application deployed to Cloud Foundry.",
                "full_description": "[Spring Boot](https://spring.io/) is an open-source Java framework that simplifies the development of stand-alone, production-grade Spring-based applications by providing a pre-configured environment with a range of features and capabilities. It eliminates the need for manual configuration and enables developers to focus on writing business logic rather than setting up infrastructure.\n[Cloud Foundry](https://www.cloudfoundry.org/) is a cloud platform that enables the deployment and management of Java-based applications. When deploying Spring Boot applications to Cloud Foundry, a potential security vulnerability arises with catch-all request mappings that match `/**`, as they route all requests to the same endpoint.\n\nAn issue has been discovered in the endpoint path mappings that do not limit the range of the catch-all request mappings, thereby allowing attackers to perform path traversal attacks using characters such as `../` in the requested URL. Exploiting this issue can allow attackers to read files that are outside of the application's root directory.\n\nIt is worth noting that applications using `Spring Cloud Config Server` are vulnerable if they are deployed to Cloud Foundry. Spring Cloud Config Server handles requests to the `/cloudfoundryapplication/**` path by default, which could make the application vulnerable to path traversal attacks.\n\nExample of vulnerable code:\n```\n@RestController\n@RequestMapping(\"/cloudfoundryapplication\")\npublic class CloudFoundryController {\n\n    @GetMapping(\"/**\")\n    public String handleRequest() {\n        // handle the request here\n        return \"Hello, Cloud Foundry!\";\n    }\n}\n```\n\nIn the above example, requesting a URL such as `https://victimsite.com/cloudfoundryapplication/foo/../../../../../otherpath` would allow the attacker to read files that do not belong to the Spring Boot application that was deployed to Cloud Foundry.",
                "jfrog_research_severity": "High",
                "jfrog_research_severity_reasons": [
                    {
                        "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)",
                        "description": "In Spring Boot apps deployed to Cloud Foundry, it is very common to find the catch-all request mapping `/**`. Also, applications using Spring Cloud Config Server are vulnerable by default.",
                        "is_positive": false
                    },
                    {
                        "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
                        "description": "The attacker must find an endpoint using the catch-all request mappings `/**` in Spring Boot application that has been deployed specifically to [Cloud Foundry](https://www.cloudfoundry.org/).",
                        "is_positive": true
                    },
                    {
                        "name": "The issue is trivial to exploit and does not require a published writeup or PoC",
                        "description": "The attacker simply needs to add traversal characters to the requested URL, for example - `/cloudfoundryapplication/../../../../../../../../../etc/passwd`",
                        "is_positive": false
                    },
                    {
                        "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.",
                        "description": "The attacker can leak files outside of the deployed Spring Boot application's root directory. The importance of the leaked files depend on which data is stored in the Cloud Foundry server.",
                        "is_positive": true
                    }
                ],
                "remediation": "##### Deployment mitigations\n\nDisable Cloud Foundry actuator endpoints by setting `management.cloudfoundry.enabled` to `false` in your `application.properties` file.\n```\nmanagement.cloudfoundry.enabled=false\n```"
            }
        }
    ],
    "vulnerabilities": [
        {
            "cves": [
                {
                    "cve": "CVE-2023-20883",
                    "cvss_v3_score": "7.5",
                    "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                }
            ],
            "summary": "In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.",
            "severity": "High",
            "components": {
                "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE": {
                    "package_name": "org.springframework.boot:spring-boot-autoconfigure",
                    "package_version": "2.2.6.RELEASE",
                    "package_type": "maven",
                    "fixed_versions": [
                        "[2.5.15]",
                        "[2.6.15]",
                        "[2.7.12]",
                        "[3.0.7]"
                    ],
                    "infected_versions": [
                        "(,2.5.15)",
                        "[2.6.0,2.6.15)",
                        "[2.7.0,2.7.12)",
                        "[3.0.0,3.0.7)"
                    ],
                    "impact_paths": [
                        [
                            {
                                "component_id": "build://build-name:2"
                            },
                            {
                                "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT"
                            },
                            {
                                "component_id": "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE"
                            }
                        ]
                    ]
                }
            },
            "issue_id": "XRAY-520740",
            "references": [
                "https://nvd.nist.gov/vuln/detail/CVE-2023-20883",
                "https://github.com/spring-projects/spring-boot",
                "https://github.com/spring-projects/spring-boot/releases/tag/v2.5.15",
                "https://github.com/spring-projects/spring-boot/issues/35552",
                "https://github.com/spring-projects/spring-boot/releases/tag/v2.7.12",
                "https://security.netapp.com/advisory/ntap-20230703-0008/",
                "https://github.com/spring-projects/spring-boot/commit/418dd1ba5bdad79b55a043000164bfcbda2acd78",
                "https://github.com/spring-projects/spring-boot/releases/tag/v2.6.15",
                "https://spring.io/security/cve-2023-20883"
            ],
            "is_high_profile": true,
            "provider": "JFrog",
            "edited": "0001-01-01T00:00:00Z",
            "extended_information": {
                "short_description": "A design problem in Spring Boot may lead to denial of service when using the welcome page support.",
                "full_description": "[Spring Boot](https://spring.io/) is an open-source Java framework that simplifies the development of stand-alone, production-grade Spring-based applications by providing a pre-configured environment with a range of features and capabilities. It eliminates the need for manual configuration and enables developers to focus on writing business logic rather than setting up infrastructure.\nAn issue has been discovered in the way that Spring Boot serves a welcome page.\nThe welcome page is an automatically generated page that is served when accessing the web root `/` or `index.html`.\nIf an acceptable response cannot be produced (for example, an `Accept` header in the client's request is not present), the welcome page results in a 404 error.\nThis issue could lead to a denial-of-service when the application is used with a reverse proxy cache that caches these error responses. Specifically - after an attacker causes the 404 response to get cached, any other clients that access the welcome page (or web root) will also get a 404 response.\n\nNote that the vulnerability only affects applications that meet *all* of the following requirements:\n\n* `Spring MVC` auto-configuration is used in the application, using one of these class annotations: `@EnableAutoConfiguration` or `@SpringBootApplication`.\n\n* The application utilizes Spring Boot's welcome page feature, which can be static or templated. This is enabled by default but can be disabled by excluding `WelcomePageHandlerMapping` from the Spring context, or by overwriting the root `/` with a custom handler (`@GetMapping(\"/\")`).\n\n* The application is set up behind a proxy that caches 404 responses.",
                "jfrog_research_severity": "Medium",
                "jfrog_research_severity_reasons": [
                    {
                        "name": "The issue cannot result in a severe impact (such as remote code execution)",
                        "description": "Partial denial of service (DoS of the welcome page / root page only).",
                        "is_positive": true
                    },
                    {
                        "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact",
                        "description": "The CVSS does not reflect the contextual prerequisites required to exploit the vulnerability.",
                        "is_positive": true
                    },
                    {
                        "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
                        "description": "The application must have Spring MVC auto-configuration enabled, and also be deployed behind a proxy that caches `404 Not Found` HTTP responses.\nAlso, the application must make use of the welcome / landing page support.",
                        "is_positive": true
                    }
                ],
                "remediation": "##### Deployment mitigations\n\nConfigure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application."
            },
            "applicability": [
                {
                    "scanner_available": true,
                    "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                    "source_comp_id": "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE",
                    "cve_id": "CVE-2023-20883",
                    "scan_status": 1,
                    "applicability": true,
                    "scanner_explanation": "<p>The scanner checks whether the annotations <code>@EnableAutoConfiguration</code> or <code>@SpringBootApplication</code> are applied to any class.</p>\n<p>For determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: The Spring application is deployed behind a proxy that caches 404 (\"Page Not Found\") HTTP responses.</p>",
                    "evidence": [
                        {
                            "column_names": [
                                "Path",
                                "Location",
                                "Issue Found"
                            ],
                            "rows": [
                                [
                                    "/BOOT-INF/classes/com/in28minutes/springboot/StudentServicesApplication.class",
                                    "StudentServicesApplication",
                                    "The vulnerable @SpringBootApplication class annotation is used"
                                ]
                            ]
                        }
                    ],
                    "info": "The vulnerable @SpringBootApplication class annotation is used",
                    "details": [
                        {
                            "file_path": "/BOOT-INF/classes/com/in28minutes/springboot/StudentServicesApplication.class",
                            "details": "Location: StudentServicesApplication, Issue Found: The vulnerable @SpringBootApplication class annotation is used"
                        }
                    ]
                }
            ],
            "applicability_details": [
                {
                    "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                    "source_comp_id": "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE",
                    "vulnerability_id": "CVE-2023-20883",
                    "result": "applicable"
                }
            ]
        }
    ]
}

Operational Risk Sample Response:

{
  "build_name": "test",
  "build_number": "2",
  "status": "completed",
  "more_details_url": "http://localhost:8046/xray/ui/builds/test/2/1648117400418/xrayData?buildRepo=artifactory-build-info",
  "fail_build": true,
  "violations": [
    {
      "components": {
        "gav://org.datanucleus:datanucleus-core:3.0.4": {
          "package_name": "org.datanucleus:datanucleus-core",
          "package_version": "3.0.4",
          "package_type": "maven",
          "impact_paths": [
            [
              {
                "component_id": "build://test:2"
              },
              {
                "component_id": "gav://org.datanucleus:datanucleus-core:3.0.4",
                "full_path": "datanucleus-core-3.0.4.jar"
              }
            ]
          ]
        }
      },
      "risk": "Low",
      "risk_reason": "Custom Rule",
      "released": "2012-12-12T20:02:00.689Z",
      "latest_version": "6.0.0-m4",
      "newer_versions": 120,
      "cadence": 1,
      "issue_id": "d3c3dcfc1576633da237136c14ba52e0c4282dda2a0e9646090cd78717e41258",
      "type": "operational_risk",
      "severity": "Low",
      "watch_name": "or-watch",
      "fail_build": true,
      "policies": null,
      "updated": ""
    }
  ]
}
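The following is an added example (not JFrog's code) of how a CI job would build the POST body and GET URL described above and then turn a scan response into a gating decision: poll while only "info" is returned, fail on the top-level fail_build flag, list the violations that carry fail_build together with the fixed versions Xray reports, and pick out CVEs whose Contextual Analysis result is "applicable". The base URL is an assumed placeholder, and the sample response is constructed from the examples on this page.

```python
import json
from urllib.parse import quote


def scan_request_body(build_name, build_number, project=None):
    """JSON body for POST /api/v2/ci/build; 'project' is the optional project scope."""
    body = {"build_name": build_name, "build_number": str(build_number)}
    if project:
        body["project"] = project
    return json.dumps(body)


def scan_results_url(base_url, build_name, build_number, include_vulnerabilities=True):
    """URL for GET /api/v2/ci/build/{build_name}/{build_number}?include_vulnerabilities=...

    Path segments are percent-encoded with safe='' so a build name containing '/' or
    '?' cannot change which resource the request addresses.
    """
    name, number = quote(str(build_name), safe=""), quote(str(build_number), safe="")
    flag = "true" if include_vulnerabilities else "false"
    return f"{base_url.rstrip('/')}/api/v2/ci/build/{name}/{number}?include_vulnerabilities={flag}"


def evaluate_scan(resp):
    """Turn a Scan Build V2 response into a CI gating decision.

    A reply carrying only 'info' means the scan is still running: poll again. Otherwise
    the gate follows the top-level fail_build flag, which only a policy rule sets; the
    vulnerabilities array is informational and never fails the build by itself.
    """
    if "status" not in resp:
        return {"state": "pending", "info": resp.get("info", ""), "should_fail": None}
    blocking = []
    for v in resp.get("violations", []):
        if not v.get("fail_build"):
            continue
        for comp_id, comp in v.get("components", {}).items():
            blocking.append({
                "issue_id": v["issue_id"],
                "type": v["type"],            # security | license | operational_risk
                "severity": v["severity"],
                "risk": v.get("risk"),        # present only on operational_risk violations
                "cves": [c["cve"] for c in v.get("cves", [])],
                "component": comp_id,
                "fixed_versions": comp.get("fixed_versions", []),   # makes the fix actionable
            })
    applicable = []   # CVEs Contextual Analysis confirmed as reachable in this build
    for vuln in resp.get("vulnerabilities", []):
        cves = sorted({d["vulnerability_id"] for d in vuln.get("applicability_details", [])
                       if d.get("result") == "applicable"})
        if cves:
            applicable.append({"issue_id": vuln["issue_id"], "severity": vuln["severity"], "cves": cves})
    return {"state": resp["status"], "should_fail": bool(resp.get("fail_build")),
            "blocking": blocking, "applicable": applicable}


# Constructed sample trimmed from this page's example responses; not a live Xray reply.
SAMPLE_RESPONSE = {
    "build_name": "build-name", "build_number": "2", "status": "completed", "fail_build": True,
    "violations": [
        {"issue_id": "XRAY-515384", "type": "security", "severity": "Critical", "fail_build": True,
         "watch_name": "watch-name", "cves": [{"cve": "CVE-2023-20873", "cvss_v3_score": "9.8"}],
         "components": {"gav://org.springframework.boot:spring-boot-actuator-autoconfigure:2.2.6.RELEASE": {
             "package_name": "org.springframework.boot:spring-boot-actuator-autoconfigure",
             "package_version": "2.2.6.RELEASE", "fixed_versions": ["[2.7.11]", "[3.0.6]"]}}},
        {"issue_id": "or-issue-1", "type": "operational_risk", "severity": "Low", "risk": "Low",
         "fail_build": False, "watch_name": "or-watch",   # constructed: watch without a fail-build rule
         "components": {"gav://org.datanucleus:datanucleus-core:3.0.4": {
             "package_name": "org.datanucleus:datanucleus-core", "package_version": "3.0.4"}}},
    ],
    "vulnerabilities": [
        {"issue_id": "XRAY-520740", "severity": "High", "cves": [{"cve": "CVE-2023-20883"}],
         "applicability_details": [{"vulnerability_id": "CVE-2023-20883", "result": "applicable"}]},
    ],
}

if __name__ == "__main__":
    print(scan_request_body("my-build", 8, project="projA"))
    print(scan_results_url("https://xray.example.invalid", "my build", 8))   # assumed base URL
    print(json.dumps(evaluate_scan(SAMPLE_RESPONSE), indent=2))
```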