Combine Copilot and JFrog Artifactory for Maximum Efficiency

Writing clean and efficient code can be time consuming, but with the right tools, it can be much easier. In this blog post, we will explore how to use Copilot for code autocompletion and JFrog Artifactory for your package management. What is Copilot? ​​GitHub Copilot is an AI-powered code auto completion tool developed by OpenAI …

Contextual Analysis Scans with JFrog CLI

Don’t waste time on irrelevant false positive alerts in your source code

Are you tired of using security tools that generate endless results, making it impossible to identify actual risks? Do you struggle with inefficient prioritization due to a lack of context, making the process of assessing and remediating vulnerabilities a time-consuming nightmare? Look no further than JFrog’s Contextual Analysis, available as part of the “jf audit” …

JAS Contextual Analysis WebGoat Application

Testing the actual security of the most insecure Docker application

Our previous research on CVE exploitability in the top DockerHub images discovered that 78% of the reported CVEs were actually not exploitable. This time, the JFrog Security Research team used JFrog Xray’s Contextual Analysis feature, automatically analyzing the applicability of reported CVEs, to scan OWASP WebGoat – a deliberately insecure application. The results identified that …

Watch out for DoS when using Rust’s popular Hyper package

Watch out for DoS when using Rust’s popular Hyper package

The JFrog Security Research team is constantly looking for new and previously unknown vulnerabilities and security issues in popular open-source projects to help improve their security posture and defend the wider software supply chain. As part of this effort, we recently discovered and disclosed multiple vulnerabilities in popular Rust projects such as Axum, Salvo and …

Latest LastPass security breach highlights

Latest LastPass security breach highlights developers as a high-value target

Last August, the maintainers of the LastPass cloud-based password manager tool reported a security breach in their servers. The disclosure maintained that an unauthorized party gained access to the LastPass development environment through a single compromised developer account. However – while source code and technical information was stolen, no user data was compromised and no …

PyPI malware are starting to employ Anti-Debug techniques

PyPI malware creators are starting to employ Anti-Debug techniques

The JFrog Security Research team continuously monitors popular open-source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most PyPI malware today tries to avoid static detection using various techniques: starting from primitive variable mangling to sophisticated code flattening and steganography techniques. …

JFrog Contextual Analysis 203x148

Turns out 78% of reported common CVEs on top DockerHub images are not really exploitable

Research motivations Similarly to our previous research on “Secrets Detection,” during the development and testing of JFrog Xray’s new “Contextual Analysis” feature, we wanted to test our detection in a large-scale real-world use case, both for eliminating bugs and testing the real-world viability of our current solution. However, unlike the surprising results we got in our …

CVE-2021-38297 - Analysis of a Go Web Assembly vulnerability

CVE-2021-38297 – Analysis of a Go Web Assembly vulnerability

The JFrog Security Research team continuously monitors reported vulnerabilities in open-source software (OSS) to help our customers and the wider community be aware of potential software supply chain security threats and their impact. In doing so, we often notice important trends and key learnings worth highlighting. The following analysis of a vulnerability discovered in the …