Upgrading Xray with CVSS v3 Support
When upgrading to Xray version 3.21.2, with the new CVSS v3.0 scoring, all existing policies and rules will remain the same. Xray will not rescan existing artifacts. Only new artifacts will be scanned and receive the new CVSS v3.0 scoring and severity levels.
If existing resources are updated with new artifacts, images, etc., the new data will be scanned according to the new scoring and severity. When new vulnerabilities are found with a Critical severity, and an existing Policy rule is set to High severity, the violation will be created with the Critical severity. Existing vulnerabilities will not be impacted; only new vulnerabilities found will be set according to the CVSS v3.0 score.
Updating Existing Policies
Existing Policies can be updated to support the new Critical severity level using the Update Policy REST API.
Upgrading Xray with CVSS v3.0 Support in an Offline Mode
If you are working in an offline mode, you need to manually sync the database to download vulnerabilities and enable CVSS v3.0 scoring.
Do the following:
- In the Administration module, go to Xray Security and Compliance and select Database Sync.
- Select the Offline sync mode and click Generate Download Command.
A command is generated similar to this:
jfrog xr offline-update --license-id=<LICENSE_ID> --version=<XRAY_VERSION>
If the command includes From and To parameters, remove them so the command looks like the example above. Copy the command and run it in the CLI.
Unzip the vulnerabilities file, for example, vuln_-{NUMBER}.zip. It contains two additional zip files:
onboardingf__vulnR1_XX__.zip
onboardingf__vulnS1_X__.zip
Copy the two downloaded zip files from your DMZ environment to the following directory on the Xray server. The required permission is 770.
${XRAY_HOME}/var/work/server/updates/data_migration/cvss_v3_files/
Trigger the CVSS v3.0 vulnerabilities persistence migration:
[POST] <XRAY_URL>/api/v1/migration/trigger/cvss_v3_vulnerabilities
Use the migration status REST API to monitor the CVSS v3.0 upgrade process. To learn more about running Xray commands, see Xray REST API.
[GET] <XRAY_URL>/api/v1/migration/cvssV3/status
Once the migration is completed, the status will be set to enabled_finished. If the migration was executed before Artifactory was upgraded to the supported version (Artifactory 7.17 and above), the status will be set to vuln_finished. In case of any other status that contains failure information, check the logs and/or contact JFrog's customer support.
Sample Response:
{ "status": "enable_finished", "status_msg": "CVSS V3 enable migration finished successfully" }
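A small polling helper for the migration status endpoint above, added here as an example rather than JFrog's own code. The endpoint path and the status strings (enabled_finished, vuln_finished, and the enable_finished shown in the sample response) come from this page; the bearer-token header and the constructed fake responses are assumptions.

```python
"""Poll the Xray CVSS v3 migration status until it reaches a terminal state."""
import json
import time
import urllib.request

# Statuses this page describes as a finished migration (prose and sample response).
FINISHED_STATUSES = {"enabled_finished", "enable_finished", "vuln_finished"}


def fetch_status(xray_url, token):
    """GET <XRAY_URL>/api/v1/migration/cvssV3/status (bearer auth is an assumption)."""
    req = urllib.request.Request(
        f"{xray_url.rstrip('/')}/api/v1/migration/cvssV3/status",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def classify(response):
    """Map a status response to 'finished', 'failed' or 'running'."""
    status = str(response.get("status", "")).lower()
    if status in FINISHED_STATUSES:
        return "finished"
    # The page says any other status carrying failure information needs log review.
    if "fail" in status or "error" in status:
        return "failed"
    return "running"


def wait_for_migration(fetch, max_polls=60, interval=10.0):
    """Call fetch() until finished/failed or max_polls is reached; returns (outcome, last)."""
    last = {}
    for attempt in range(max_polls):
        last = fetch()
        outcome = classify(last)
        if outcome != "running":
            return outcome, last
        if attempt < max_polls - 1:
            time.sleep(interval)
    return "timeout", last


def make_fake_fetcher(responses):
    """Constructed stand-in for fetch_status so the flow can be exercised offline."""
    it = iter(responses)
    return lambda: next(it)


if __name__ == "__main__":
    # Constructed sequence: one in-progress poll, then the page's sample response.
    fake = make_fake_fetcher([{"status": "enable_in_progress"},
                              {"status": "enable_finished",
                               "status_msg": "CVSS V3 enable migration finished successfully"}])
    print(wait_for_migration(fake, interval=0.0))
```

Against a live server, pass `lambda: fetch_status("https://xray.example", token)` as the fetcher; a `failed` outcome is the cue to check the Xray logs.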