Cloud customer?
Upgrade in MyJFrog >

Working with an older version?

JFrog Artifactory 6.x
JFrog Xray 2.x
JFrog Mission Control 3.x
JFrog Distribution 1.x
JFrog Enterprise+ (Pre-Platform Release)


The Vulnerabilities report provides information about vulnerabilities in your artifacts, builds, and release bundles. In addition to the information provided in the JFrog Platform on each of these entities, the report gives you a wider range of information such as vulnerabilities in multiple repositories, builds and release bundles. Criteria such as vulnerable component, CVE, cvss score, and severity are available in the report.

You can define the information you want to see by defining a scope and advanced filters that provide you with a flexible vulnerabilities report, that is available both through the JFrog Platform and REST API.

Requires Permissions

To create a Vulnerabilities report, you need the Manage Reports role permissions set in Users and Groups.

Page Contents

Creating a Vulnerabilities Report

Step 1 Creating a New Report

Navigate to Application module | Security & Compliance | Reports and select Create New.

Step 2 Selecting a Scope

Select a scope to generate the list of vulnerabilities for that particular scope. You can only select one scope at a time. 

Repositories Scope

Select the repositories you would like to view vulnerabilities information for in the report. You can narrow select specific repositories and include/exclude patterns to filter out specific repositories. 

In each field, you can specify a list of Ant-like patterns to filter in and filter out artifact queries. Filtering works by subtracting the excluded patterns (default is none) from the included patterns (default is all).


Consider that the Include Patterns and Exclude Patterns for a repository are as follows:

Include Patterns: org/apache/**,com/acme/**
Exclude Patterns: com/acme/exp-project/**

In this case, the repository is searched for org/apache/maven/parent/1/1.pom and com/acme/project-x/core/1.0/nit-1.0.jar but not for com/acme/exp-project/core/1.1/san-1.1.jar because com/acme/exp-project/** is specified as an Exclude pattern.

Builds Scope

Select the  you would like to view vulnerabilities information for in the report. You can select builds by name or by pattern. 

Filter your builds selection by patterns, or select to view only the latest. You can also select the number of latest build versions. The default is 1 and you can set to any number to display the latest build versions. 

Release Bundles Scope

Select the release bundles you would like to view vulnerabilities information for in the report. The selection of the release bundles scope is the same as the builds scope selection. 

Step 3 Using Advanced Filters 

To filter out the vulnerabilities information you would like to see in the report, you can set advanced filters. Here are a few examples of how you can filter data:

Example 1: Filter by a specific CVE that was scanned on a particular date.

Example 2: Filter by CVSS2 Score, on a specific scan date, and contains a fix.

Example 3: Filter by a specific impacted artifact, published on a particular date and scan date.

Example 4: Filter by vulnerable component, and severity.

Step 4 Generating a Report

After defining the scope and filters you can generate the report. The report will run in an asynchronous mode, and will be added to the report list page. New reports will be displayed at the top of the list.

Managing the Reports List and Performing Actions on Reports

After you generate a report, it will appear in the reports list. Each report in the list will have the following information:


Report Name

The reports given name


The author that created the report.

Start Time

The time when the report started running.


The status of the report:

  • Running
  • Pending
  • Completed
  • Aborted
  • Failed
  • Abandoned


Progress of the report 

    • Artifacts reported so far 
    • Total number of artifacts

Report Length

The number of rows in a report.

You can perform several actions to help you manage the generated reports. In the reports list, click on the Actions drop-down to view all the possible actions, such as:

Viewing a Report

After a report completes, you can select to view it in the UI. Information such as CVE, Summary, Severity, etc are displayed in the view. You can export the report to a PDF, JSON, and CVE. 

Viewing Report Details

Displays the details of the report, such as report type, the scope, and filter criteria. 

Exporting a Report

You can export reports to a PDF, JSON, or CSV file. Each file format will provide you with different capabilities depending on your needs. These files can be further used by applications and tools that your organization uses to gain further analytics. Below are some examples of each file format.




{ "total_rows" : 68,
  "rows" : [
	"cves": [],
	"summary": "nir4",
	"severity": "High",
	"vulnerable_component": "rubygems://rubygems-update:2.0.6",
	"impacted_artifact": "deb://all:jfrog-artifactory-pro:7.2.0~m027",
	"path": "nir-debian/pool/artifactory-pro-7.2.0-m027.deb",
	"fixed_versions": [],
	"published": "2020-05-26T15:06:05+03:00",
	"issue_id": "CustomIssue_69Q3m2hFXWCFHr0T",
	"package_type": "rubygems",
	"provider": "Custom",
	"description": "s",
	"references": []
	"cves": [
	"cve": "CVE-2020-11612",
	"cvss_v2_score": 7.5,
	"cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"
	"cvss2_max_score": 7.5,
	"summary": "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.",
	"severity": "High",
	"vulnerable_component": "gav://io.netty:netty-codec:4.1.38.Final",
	"impacted_artifact": "deb://all:jfrog-artifactory-pro:7.2.0~m027",
	"path": "nir-debian/pool/artifactory-pro-7.2.0-m027.deb",
	"fixed_versions": [
	"published": "2020-04-12T19:41:55+03:00",
	"issue_id": "XRAY-96164",
	"package_type": "maven",

REST API Support

To use REST API for generating and exporting reports, see Reports API.

  • No labels
Copyright © 2020 JFrog Ltd.