Overview

As part of JFrog Security and the JFrog research team's continuous effort to enhance security, Xray is introducing an additional capability: Vulnerability Contextual Analysis. JFrog Xray previously released a powerful capability, the JFrog Security CVE Research and Enrichment feature, which provides enhanced analysis of CVE findings so that you can focus on the most important issues and invest remediation resources where they matter most. Vulnerability Contextual Analysis extends that capability, ensuring Xray's analysis findings are as focused as possible.

For Self-Hosted installations, Contextual Analysis is supported in Xray version 3.67.x and above.

The Issue

When Xray scans your packages, it can find thousands of vulnerabilities. Developers then have to sift through these long lists to determine which findings are relevant, and it can be hard to know where to start, since many of the reported vulnerabilities may not affect your artifacts at all. This process is error-prone and time-consuming.

The Solution

Vulnerability Contextual Analysis uses the artifact's context to eliminate false-positive reports on vulnerabilities that are not applicable. Automated scanners run on top of the container to find reachable paths for the analyzed vulnerabilities. Xray automatically validates selected high and very high impact vulnerabilities, such as vulnerabilities that have prerequisites for exploitation, and provides contextual analysis information for them, to help you determine which vulnerabilities are applicable to a specific artifact.

What are the Benefits of Vulnerability Contextual Analysis?

  • Analyzes the finished code the way an attacker would, so you know which issues are exploitable and their potential impact.
  • Tests an issue in the context of the complete artifact, including within a build or Release Bundle.
  • Enables action and remediation in the context of the actual artifact, build or Release Bundle.

Important details regarding the Contextual Analysis feature:

  • Supported for Docker and OCI packages only.
  • Covers hundreds of CVEs with support for Java, JavaScript, Python and compiled binaries (Native & Golang).

JFrog Subscription Levels

  • Cloud (SaaS) / Self-Hosted: Enterprise X, Enterprise+ with Advanced DevSecOps

How Does it Work?

Enabling/Disabling Contextual Analysis

Vulnerability Contextual Analysis is disabled by default for new artifacts in all resources that are marked for indexing by Xray. To enable it, do the following:

  1. Navigate to the Administration module, go to Xray | Settings | General and click Indexed Resources.
  2. Select the repository or build and select Configure.
  3. Enable the Vulnerability Contextual Analysis option.

Contextual Analysis is applied to new scans only, not to existing scans. The analysis runs on indexed resources; however, it does not run on the Index Artifacts History. For more information, see Indexing Xray Resources.

Starting from Xray version 3.66.x, you can scan an existing artifact for Vulnerability Contextual Analysis.

Note that because deep scanning is involved, in some cases the scan might take longer to complete.


Contextual Analysis Statuses and Results

Once an artifact is indexed in Xray as part of a single upload, build or Release Bundle, Xray checks whether the artifact contains vulnerabilities that are considered to have a very high impact. If such vulnerabilities are found, Xray runs the contextual analysis and retrieves the contextual analysis results. The results consist of the following:

Vulnerability Contextual Analysis Statuses

  • Not applicable: Xray determined that the vulnerability is not applicable to this artifact.
  • Applicable: Xray determined that the vulnerability is applicable to this artifact.
  • Undetermined - not triggered: An admin needs to enable this feature.
  • Undetermined - analysis in progress: Xray is still analyzing the applicability of the vulnerability; the vulnerability details show "analysis in progress".
  • Undetermined - inconclusive: Xray was unable to determine whether the vulnerability is applicable.
  • Undetermined - no scanner: An applicability scanner for this vulnerability is not available.
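As an added example (not JFrog's code, and not Xray's REST schema), here is triage logic that applies the statuses above the way a defender should: only a definitive Not applicable verdict lowers a finding's priority, while every Undetermined variant stays in the queue with its own follow-up. The Finding record, the next-step mapping and the sample findings are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List

# Status strings exactly as this page names them.
APPLICABLE = "Applicable"
NOT_APPLICABLE = "Not applicable"
UNDETERMINED = ("Undetermined - not triggered", "Undetermined - analysis in progress",
                "Undetermined - inconclusive", "Undetermined - no scanner")
# Triage group per status: Applicable first, every Undetermined variant next,
# Not applicable last. Anything not listed here is rejected, never treated as cleared.
GROUP = {APPLICABLE: 0, **{s: 1 for s in UNDETERMINED}, NOT_APPLICABLE: 2}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
# Follow-up each status calls for (assumed workflow, not prescribed by the page).
NEXT_STEP = {
    APPLICABLE: "fix or mitigate in the artifact",
    NOT_APPLICABLE: "deprioritize, keep the record for audit",
    UNDETERMINED[0]: "ask an admin to enable Contextual Analysis on the indexed resource",
    UNDETERMINED[1]: "re-check once the analysis completes",
    UNDETERMINED[2]: "review manually",
    UNDETERMINED[3]: "review manually",
}

@dataclass(frozen=True)
class Finding:  # constructed record, not Xray's API schema
    cve: str
    severity: str
    status: str

def triage(findings: List[Finding]) -> List[Finding]:
    """Sort by triage group, then severity (unknown severity sorts last), then CVE id."""
    def rank(f: Finding):
        if f.status not in GROUP:
            raise ValueError(f"unknown Contextual Analysis status: {f.status!r}")
        return (GROUP[f.status], SEVERITY_RANK.get(f.severity, len(SEVERITY_RANK)), f.cve)
    return sorted(findings, key=rank)

def open_findings(findings: List[Finding]) -> List[Finding]:
    """Everything still needing action: all but the definitively Not applicable."""
    return [f for f in triage(findings) if f.status != NOT_APPLICABLE]

def next_step(f: Finding) -> str:
    return NEXT_STEP[f.status]

# Constructed sample input (placeholder CVE ids, not real findings).
SAMPLE = [
    Finding("CVE-0000-0001", "High", NOT_APPLICABLE),
    Finding("CVE-0000-0002", "Critical", UNDETERMINED[3]),
    Finding("CVE-0000-0003", "High", APPLICABLE),
    Finding("CVE-0000-0004", "Critical", APPLICABLE),
    Finding("CVE-0000-0005", "Medium", UNDETERMINED[0]),
]
```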

Vulnerability Contextual Analysis Results

The contextual analysis results can be accessed from the Scans List.


Run Contextual Analysis on an Existing Artifact

Starting from Xray version 3.66.x, you can run contextual analysis on an existing artifact. Do the following:

  1. From the Scans List page, Repositories tab, select the repository.
  2. Navigate to the artifact you want.
  3. Click the Actions Menu next to the artifact, and select Run Contextual Analysis.

The results appear under Security Issues > Vulnerabilities.


REST API Support

The following REST APIs are supported for the Contextual Analysis feature:

Copyright © 2023 JFrog Ltd.