Introduction
As part of its capabilities, JFrog Xray can scan builds that have been published to Artifactory for vulnerabilities, license compliance and SBOM information.
You can find more information on build publishing and scanning builds and other artifacts here.
After scanning a build, we may find that some of the expected dependencies are missing from the scan results. This article helps troubleshoot and mitigate this scenario by describing the common causes and their solutions.
Resolution
Verifying the build info
First, verify that the build's build-info has been collected and published to Artifactory. Xray's build scan covers only the artifacts and dependencies recorded in the build-info, so a dependency that was never captured there cannot appear in the scan results, however well the repositories are indexed.
By navigating to the build's Build Info JSON tab, we can see the contents of the build-info and verify whether every module lists all of the expected dependencies.
If dependencies are missing from the build-info, republish the build with a build-info that records all of them. Dependencies are only recorded when the build is run through an integration that collects build-info (the JFrog CLI, a build-tool plugin or a CI extension) and resolves the dependencies through Artifactory.
Verifying the remote repository is indexed
Next, verify that the remote repository used for dependency resolution is 100% indexed.
When we create a new build, we define a remote repository through which we resolve the build's dependencies. Xray scans the artifacts that this remote repository has cached; if a dependency already exists in the remote repository's cache but has not been indexed by Xray, there will be no scan results for that dependency.
Depending on the method and technology used to create the build, the resolution repository is configured in the steps preceding the build. For example:
- For builds created with the JFrog CLI, this repository is configured using the --repo-resolve flag or a variation of it (the exact flag name depends on the package manager). Information on integration with package managers and the relevant flags may be found here.
- For builds created using the Azure DevOps JFrog extensions, this repository is configured by the "Resolution Repository" setting.
A common reason for a repository to not be 100% indexed is Xray's retention period: it defines how long Xray retains artifact scan data, and once the set retention period has passed, that data is deleted, improving performance and freeing up storage space. Dependencies whose scan data has aged out in this way must be reindexed before they appear in a build scan.
You can read more on Xray's retention period here.
To check whether the repository is fully indexed, we can navigate to Administration → Xray Settings → Indexed Resources, and look for the repository's Index Status.
If the Index Status is less than 100%, we'll reindex the repository by choosing "Index Now":
We can either select to index artifacts that were deployed in a specific timeframe, or to index all artifacts.
If selecting "Index artifacts from Last X days", make sure the relevant dependencies were deployed to Artifactory (or, for a remote repository, cached by it) within this timeframe; otherwise choose to index all artifacts.
If the repository is not set to be indexed, we can add it to indexing by choosing “Add Repository”:
And then click on “Index Now” as described above.
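The two checks above (does the build-info record every expected dependency, and is the resolution repository known to and indexed by Xray) can be run against the JSON that Artifactory and Xray return instead of reading them off the UI. The script below is an added example and is not JFrog's own code. It assumes the build-info shape returned by Artifactory's GET /api/build/{name}/{number} (a top-level "buildInfo" with "modules", each carrying "dependencies" with an "id"), and an indexed-resources listing shaped like the response of Xray's GET /xray/api/v1/binMgr/default/repos ("indexed_repos" and "non_indexed_repos", each entry with a "name"); treat that second shape as an assumption and confirm it against the REST documentation for your Xray version. The build-info, expected dependency list and repository listing are constructed sample data; the per-repository Index Status percentage is not part of that listing, so the "less than 100%" check stays in the UI.

```python
"""Triage for dependencies missing from Xray build scan results (added example,
not JFrog's code; response shapes are assumptions, sample data is constructed)."""
from typing import Iterable

# Constructed sample: build-info as published for a Maven build whose
# dependencies were resolved through the remote repository "maven-remote".
SAMPLE_BUILD_INFO = {
    "buildInfo": {
        "name": "webapp",
        "number": "42",
        "modules": [
            {
                "id": "com.example:webapp:1.0.0",
                "dependencies": [
                    {"id": "org.apache.commons:commons-lang3:3.12.0", "scopes": ["compile"]},
                    {"id": "com.google.guava:guava:31.1-jre", "scopes": ["compile"]},
                ],
            }
        ],
    }
}

# Constructed: what the project's dependency tree says should have been resolved.
EXPECTED_DEPENDENCIES = {
    "org.apache.commons:commons-lang3:3.12.0",
    "com.google.guava:guava:31.1-jre",
    "com.fasterxml.jackson.core:jackson-databind:2.13.4",
}

# Constructed: an indexed-resources listing (assumed shape) in which the
# resolution repository has not been added to indexing.
SAMPLE_INDEXED_REPOS = {
    "indexed_repos": [
        {"name": "libs-release-local", "type": "local", "pkg_type": "Maven"},
    ],
    "non_indexed_repos": [
        {"name": "maven-remote", "type": "remote", "pkg_type": "Maven"},
    ],
}


def build_info_dependencies(build_info: dict) -> set[str]:
    """Collect every dependency id recorded in the build-info, across all modules."""
    root = build_info.get("buildInfo", build_info)
    return {
        dep["id"]
        for module in root.get("modules", [])
        for dep in module.get("dependencies", [])
    }


def missing_dependencies(build_info: dict, expected: Iterable[str]) -> set[str]:
    """Dependencies the build should have recorded but the build-info lacks.

    Anything returned here cannot appear in the build scan no matter how well
    the repository is indexed: the build has to be republished with a
    build-info that captures these dependencies.
    """
    return set(expected) - build_info_dependencies(build_info)


def repo_index_state(indexed_repos: dict, repo_name: str) -> str:
    """Return 'indexed', 'not-indexed' or 'unknown' for a repository name.

    Artifactory appends "-cache" to the name of a remote repository's cache;
    the listing carries the remote repository under its own name, so the
    suffix is stripped before matching.
    """
    name = repo_name.removesuffix("-cache")
    if any(r.get("name") == name for r in indexed_repos.get("indexed_repos", [])):
        return "indexed"
    if any(r.get("name") == name for r in indexed_repos.get("non_indexed_repos", [])):
        return "not-indexed"
    return "unknown"


def triage(build_info: dict, expected: Iterable[str],
           indexed_repos: dict, resolution_repo: str) -> list[str]:
    """Run both checks in the article's order and return the findings as text."""
    findings = []
    missing = missing_dependencies(build_info, expected)
    if missing:
        findings.append("build-info is missing %d dependencies (republish the build): %s"
                        % (len(missing), ", ".join(sorted(missing))))
    state = repo_index_state(indexed_repos, resolution_repo)
    if state == "not-indexed":
        findings.append(f"resolution repository {resolution_repo!r} is not indexed by Xray: "
                        "add it under Indexed Resources and choose Index Now")
    elif state == "unknown":
        findings.append(f"resolution repository {resolution_repo!r} is not listed by Xray: "
                        "check the repository name configured for resolution")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_BUILD_INFO, EXPECTED_DEPENDENCIES,
                       SAMPLE_INDEXED_REPOS, "maven-remote"):
        print(line)
```

Running it against the constructed data reports one dependency absent from the build-info (so reindexing alone would not surface it) and flags maven-remote as not indexed. To use it for real, replace the two sample dictionaries with the JSON fetched from the Artifactory and Xray endpoints named in the lead-in, and take the expected dependency list from the build tool's own dependency report.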