Cloud customer?
Start for Free >
Upgrade in MyJFrog >
What's New in Cloud >

Search





Working with an older version? JFrog Artifactory 6.x | JFrog Xray 2.x | JFrog Mission Control 3.x | JFrog Distribution 1.x |


Skip to end of metadata
Go to start of metadata

Overview

This feature is available with Artifactory version 7.10.5 and above.

This feature requires you to have the Manage Watches role. For more information, see Users and Groups.

Some of the feature enhancements introduced in Xray version 3.13.0 require Artifactory version 7.12.0 and above. For more information, see Xray Release Notes 3.13.0.


In some cases, when violations are detected, as security or legal personnel, you would like to accept or whitelist some of these violations. This could be for different reasons, such as:

  • Although the security vulnerability is real, you have ways to protect against it (such as a WAF configuration).
  • The conditions needed for this vulnerability to happen are not met in the specific case.
  • As an organization, you are aware of the violation, but you would still like to release the product.
  • The violation is not a showstopper, and you would like to deal with it in future versions.
  • The violation is a false positive.
  • The violation is valid, but you need more time to deal with it. Time based ignore enables you to silence the violation for a period of time. Once that period expires, the Ignore Rule will be deleted automatically, and if the violation occurs again it will not be ignored moving forward.

In such cases, the ignore violations feature, enables you to have granular control on the violations that should be ignored. Xray allows you to define the scope of the ignore rule on the vulnerability, component, artifact, watch level, and more. Thus, giving you the flexibility and control needed to apply the ignore rule. 

The following procedures are supported when Ignoring violations:

Page Contents

Ignoring a Violation

Follow these steps to create an Ignore Rule for a violation. When creating an ignore rule, the ignore rule is applied to the specific violation and all future violations that meet the ignore rule criteria.

  1. Select the required Watch and click the Violations tab. 

    You can also view violations for an Artifact, Build, or Release Bundle by selecting the Violations tab in a Package, or in the specific Artifact, Build, or Release Bundle. You can filter to see only ignored violations.
  2. From the Violations list, hover over the required violation in the list and click Ignore Violation, located on the rightmost side of the line.
    The Create Vulnerability Ignore Rule dialog box appears. 

  3. Choose a combination of the ignore criteria depending on your needs. 

    Ignore RuleDescription

    Based on the Vulnerability

    Vulnerability ID selectedThe rule will be applied on the specific security vulnerability only.
    For any VulnerabilityThe rule will be applied on all security vulnerabilities.

    Based on the Component

    Component name selected current versionThe rule will be applied on the specific component for that specific version of the component only.
    Component name selected any versionThe rule will be applied on the specific component for all versions of that component.
    For any componentThe rule will be applied on all components that contain that violation.

    Based on the Artifact

    Note: Take note, if it's in a Build or Release Bundle, it will appear here as based on Build or Release Bundle.

    Artifact name selected current versionThe rule will be applied on the specific artifact for that specific version of the artifact only.
    Artifact name selected any versionThe rule will be applied on the specific artifact for all versions of that artifact.
    For any ArtifactThe rule will be applied on all artifacts that contain that violation.

    Based on the Watch

    Specific Watch The rule will be applied on the specific watch where the violation was found.
    For any WatchThe rule will be applied on all watches.

    The ignore rule will expire at

    The rule will expire on the date you set here. This gives you the ability to keep the ignore rule for a violation for the period of time you set. 

    When the time expires, the ignore rule will be removed. Once a scan is triggered after the expiration date, violations will be created again.

Combination Criteria

When selecting the ignore criteria, take note of the combinations you choose. Some combinations such as selecting everything as Any is not allowed as it will ignore all future violations (in the watch or in the system).

The Ignore Rules REST API allows you to choose more scopes for the Ignore Rule as well as more options in each scope. 

Ignoring Violations Examples

We provided you with some scenarios where an ignore violation is needed, and how to use the different options to achieve them.

Example 1: Ignoring a violation for a specific version of a specific component, in a specific version of a specific artifact, on a specific Watch, for a period of 3 weeks.

Example 2: Ignoring a violation for a specific version of a specific component, in a specific version of a specific artifact, on a specific Watch. 

Example 3: Ignoring a license on any version of a specific component, in any version of a build in any Watch.

Example 4: Ignoring any vulnerability on a specific component in any artifact in any Watch.

Viewing Ignore Rules and Info 

Follow these steps to view an Ignore Rule and information for each rule.

  1. On the Watches page, you can view ignored rules in the Ignore Rules tab.

     
  2. To view details of an ignored rule, select the , located on the rightmost side of the line.
    The details dialog box appears.

Deleting an Ignore Rule

Deleting an Ignore Rule will restore all violations that were previously ignored by the rule.

  1. On the Watches page, select the Ignore Rules tab.
  2. Select the , located on the rightmost side of the line.
    The details dialog box appears.

  3. Click Delete.
    A confirmation message appears. Do the following:


Starting from Xray version 3.13.0, the restore violations option is no longer available. If you are using Xray 3.13.0 and above and a version of Artifactory prior to 7.12, the restore violations will not work and error is issued.

Filtering Ignore Rules

Starting from Xray version 3.31.x and above, you can filter the Ignore Rules list in the Ignore Rules page in Xray to narrow down and display only Ignore Rules that are relevant to you. Select the Filter button, in the top-right corner, and the filter appears. Use the filtering options to display the Ignore Rules or Ignore Rules data you want to see. 

Searching for Ignored Violations

To view a list of ignored violations, from the Violations tab on the Watch select the Ignored Violations status from the Status filter and click Search.


The list of ignored violations appears. 

The list includes all of the ignored violations, such as:

  • Violations that are ignored by the ignore rule created.
  • Violations that are created after the ignore rule, but the ignore rule applies to them as well.
  • Violations that had an ignore rule, but the ignore rule was deleted.

You can view info for each violation by selecting the violation. The issue details window appears with the ignore rule details.

A violation with an active ignore rule:


REST API Support

To use REST API to get, create, delete an Ignore Rule, see Ignore Rules.

  • No labels
Copyright © 2022 JFrog Ltd.