Overview

Limited Availability

This feature is available by request only. Contact your JFrog Account Manager for further details.


JFrog Security and the JFrog research team's continuous effort to enhance security through the Vdoo integration introduces an additional capability: CVE Contextual Analysis. Xray previously released the JFrog Security CVE Research and Enrichment feature, which provides enhanced analysis of CVE findings so that you can focus on the most important issues and invest your remediation effort where it matters most. CVE Contextual Analysis is an extension of that capability, ensuring Xray's analysis findings are as focused as possible.

The Issue

When Xray scans your packages, it can potentially find thousands of vulnerabilities. Developers then have to sift through these long lists to identify which findings are relevant, and in some cases it is hard to know where to start, as many of these vulnerabilities may not affect your artifacts at all. This process is error-prone and time-consuming.

The Solution

CVE Contextual Analysis uses the artifact context to eliminate CVEs that are not applicable or are already patched. This process involves automated scanners running on top of the container to find reachable paths for the analyzed CVEs. Xray automatically validates some high and very high impact CVEs, such as CVEs that have prerequisites for exploitation, and provides contextual analysis information for them, to help you determine which CVEs are applicable to a specific artifact.

What are the Benefits of CVE Contextual Analysis?

  • Analyzes the finished code the way an attacker would. Know what issues are exploitable and their potential impact.
  • Tests an issue in the context of the complete artifact, also within a build or Release Bundle.
  • Enables action and remediation in the context of the actual artifact, build or Release Bundle.

Important details in regards to the Contextual Analysis feature: 

  • Supported for Docker packages only. 
  • Covers 140 high-profile Java, JavaScript and Python CVEs.

JFrog Subscription Levels

  • CLOUD (SaaS)
  • ENTERPRISE (with Security Pack)
  • ENTERPRISE+




How Does it Work?

Enabling/Disabling Contextual Analysis

CVE Contextual Analysis is enabled by default for new artifacts in all resources that are marked for indexing by Xray.

Contextual Analysis is applied on new scans only, and not on existing scans. The analysis will run on indexed resources, however, it will not run on the Index Artifacts History. For more information, see Indexing Xray Resources. 


Take note that in some cases, as deep scanning is involved, the scan might take longer to complete. 

If you would like to disable Contextual Analysis per resource, do the following:

  1. Navigate to the Administration module, go to Xray | Settings | General and click Indexed Resources.
  2. Select the repository or build and click Configure.
  3. Disable the Vulnerability Contextual Analysis option.

Alternatively, if you would like to disable the feature altogether, you can disable the contextualAnalysis parameter in the Xray System YAML.

Contextual Analysis Statuses and Results

Once an artifact is indexed in Xray as part of a single upload, build or Release Bundle, Xray will validate if the artifact contains CVEs that are considered to have a very high impact. If such CVEs are found, Xray will run the contextual analysis on-demand and retrieve the contextual analysis results. The results consist of the following:

CVE Contextual Analysis Statuses

  • Disabled: An admin needs to enable this feature.
  • Not applicable: The CVE is not applicable.
  • Applicable: The CVE is applicable.
  • In progress: Xray is still analyzing the CVE applicability; this is indicated in the CVE details as scanning in progress.
  • Undetermined: Xray was unable to determine whether or not the CVE is applicable.

CVE Contextual Analysis Results 


REST API Support

The following REST APIs are supported for the Contextual Analysis feature.

Get Contextual Analysis per CVE

Description: Retrieves Contextual Analysis Data per CVE. 
Security:  Requires a valid user with the "Read" permissions.
Usage: GET xray/api/v1/cve_applicability?component_id={}&vulnerability_id={}&source_comp_id={}&path={}
Required Parameters

  • component_id: One of artifact/build/bundle component ID, used to identify the artifact for which results should be returned.
    If the ID is of an artifact, all artifacts with this ID will be considered.
    If the ID is of a build or a release bundle, all artifacts which are direct children of the build/bundle will be considered.
    Examples: docker://pyyaml_3_10_app:1, build://ubuntu:18.04
  • vulnerability_id: ID of the vulnerability.
    Example: XRAY-140308

Optional Parameters

  • source_comp_id: If given, only a result matching that component will be returned. If not given, returned results will contain data for any component in the artifact.
    Example: pypi://PyYAML:3.10
  • path: If given, will be used to identify the specific artifact that is relevant. Otherwise, going only by component_id can result in aggregation of results from several artifacts. Only relevant for artifacts (not build/bundle).
    Example: docker_containers/pyyaml_3_10_app/1/manifest.json
  • user_issue_id: If given, will be used to identify the specific artifact that is relevant. Otherwise, going only by component_id can result in aggregation of results from several artifacts. Only relevant for artifacts (not build/bundle).
    Example: 147764179185893785
Sample Response
{
    "applicability": *bool,
    "scan_status": int8,
    "scanner_available": bool,
    "Items": [
        {
            "scanner_available": bool,
            "component_id": string,    # of the artifact
            "source_comp_id": string,
            "cve_id": string,
            "scan_status": int8,       # 0 for started, 1 for done
            "applicability": *bool,
            "info": string,
            "details": [               # Might be empty
                {
                    "file_path": string,
                    "details": string
                },
                ...
            ]
        },
        ...
    ]
}


Existing REST APIs that support the Contextual Analysis Feature

  • Artifact Summary - Applicability information was added to each issue. See sample response below.
  • Build Summary - Applicability information was added to each issue.
  • Get Violations - Applicability information was added to each violation.
  • List Ignored Violations - Applicability information was added to each violation.
  • Scan Build V1 - Applicability information was added to each alert.
  • Get Repositories Configurations - Added a new parameter vuln_contextual_analysis: true or false. Present only if the feature is enabled and it can be enabled or disabled per repository.

    Sample Response
    {
        "repo_name": "test",
        "repo_config": {
            "vuln_contextual_analysis": true,
            "retention_in_days": 90
        }
    }
  • Update Repositories Configurations - Added the option to enable or disable Contextual Analysis per repository with the parameter vuln_contextual_analysis: true or false. 

    Sample Request
    {
        "repo_name": "test",
        "repo_config": {
            "retention_in_days": 90,
            "vuln_contextual_analysis": true
        }
    }
    
Artifact Summary Sample Response
{
    "issue_id": "XRAY-58291",
    "summary": "Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.",
    "description": "Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.",
    "issue_type": "security",
    "severity": "Low",
    "provider": "JFrog",
    "cves": [
        {
            "cve": "CVE-2017-11695",
            "cwe": [
                "CWE-119"
            ],
            "cvss_v2": "4.6/CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P",
            "cvss_v3": "7.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
        }
    ],
    "created": "2017-09-03T00:00:00.475Z",
    "impact_path": [
        "default/kseniam/xmas_java_applicable_correct/latest/sha256__a4ae154e5895965ad18c63d1fa58909c3d434e1efcfe6a7b866ccc617b967aee.tar.gz/libnss3:2:3.35-2ubuntu2.13"
    ],
    "applicability": []
}
 
CVE is not applicable:
"applicability": [
    {
        "scanner_available": true,
        "component_id": "docker://xmas_java_applicable_correct:latest",
        "source_comp_id": "gav://log4j:log4j:1.2.16",
        "cve_id": "CVE-2019-17571",
        "scan_status": 1,
        "applicability": false,
        "info": "sub-class-ing HttpInvokerServiceExporter not detected",
        "details": null
    }
]

CVE is applicable:
"applicability": [
    {
        "scanner_available": true,
        "component_id": "docker://xmas_java_applicable_correct:latest",
        "source_comp_id": "gav://com.fasterxml.jackson.core:jackson-databind:2.9.1",
        "cve_id": "CVE-2020-11111",
        "scan_status": 1,
        "applicability": true,
        "info": "Possible unsafe deserialization by jackson databind found",
        "details": [
            {
                "file_path": "/app/jackson_databind_vulnerable.jar",
                "details": "</var/firmware_store/e29979f1-00f2-4a63-b3c2-73edac5eb119/extracted/unpacked/filesystem/411303fcf80e076da6003a4a61d1914103bbee9b6f45d3a35fe1ea865a802cee/app/jackson_databind_vulnerable.jar> com/mycompany/app/App"
            }
        ]
    }
]
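As an added example (not JFrog's code), the following Python turns the response shapes documented above into a triage view: it maps each applicability record of an Artifact Summary issue to one of the Contextual Analysis statuses listed earlier and buckets CVEs accordingly, and it builds the Get Contextual Analysis per CVE request URL from the documented parameters. The status mapping (scanner_available false = Disabled, scan_status 0 = In progress, a null applicability after a finished scan = Undetermined) is an assumption drawn from the schema comments, the sample issues are constructed from this page's samples, and the "XRAY-A/B/C" and "CVE-PLACEHOLDER-0001" ids are placeholders.

```python
import json
import urllib.parse

# Constructed sample shaped like Artifact Summary issues (only the fields read here);
# records mirror this page's samples, XRAY-A/B/C and CVE-PLACEHOLDER-0001 are placeholder
# ids, and the last record is a scan that is still running (scan_status 0).
SAMPLE_ISSUES = json.loads("""[
 {"issue_id": "XRAY-58291", "cves": [{"cve": "CVE-2017-11695"}], "applicability": []},
 {"issue_id": "XRAY-A", "cves": [{"cve": "CVE-2019-17571"}], "applicability": [
   {"scanner_available": true, "source_comp_id": "gav://log4j:log4j:1.2.16",
    "cve_id": "CVE-2019-17571", "scan_status": 1, "applicability": false,
    "info": "sub-class-ing HttpInvokerServiceExporter not detected", "details": null}]},
 {"issue_id": "XRAY-B", "cves": [{"cve": "CVE-2020-11111"}], "applicability": [
   {"scanner_available": true, "cve_id": "CVE-2020-11111", "scan_status": 1,
    "source_comp_id": "gav://com.fasterxml.jackson.core:jackson-databind:2.9.1",
    "applicability": true, "info": "Possible unsafe deserialization by jackson databind found",
    "details": [{"file_path": "/app/jackson_databind_vulnerable.jar", "details": "com/mycompany/app/App"}]}]},
 {"issue_id": "XRAY-C", "cves": [{"cve": "CVE-PLACEHOLDER-0001"}], "applicability": [
   {"scanner_available": true, "cve_id": "CVE-PLACEHOLDER-0001", "scan_status": 0,
    "applicability": null, "info": "", "details": null}]}
]""")

def classify(record):
    """Map one applicability record to a Contextual Analysis status. Assumed mapping
    (derived from the schema comments): scanner_available false -> Disabled,
    scan_status 0 -> In progress, null applicability after a finished scan -> Undetermined."""
    if not record.get("scanner_available", False):
        return "Disabled"
    if record.get("scan_status") == 0:
        return "In progress"
    applicable = record.get("applicability")
    if applicable is None:
        return "Undetermined"
    return "Applicable" if applicable else "Not applicable"

def triage(issues):
    """Bucket CVE ids by status. An issue with an empty applicability list has no
    contextual result (e.g. a CVE outside the covered set) and lands in 'No analysis'."""
    buckets = {}
    for issue in issues:
        records = issue.get("applicability") or []
        for cve in ([] if records else issue.get("cves", [])):
            buckets.setdefault("No analysis", []).append(cve["cve"])
        for rec in records:
            buckets.setdefault(classify(rec), []).append(rec["cve_id"])
    return buckets

def applicability_url(base, component_id, vulnerability_id, **optional):
    # Documented GET endpoint; source_comp_id/path/user_issue_id are added only when given.
    params = {"component_id": component_id, "vulnerability_id": vulnerability_id}
    params.update({k: v for k, v in optional.items() if v})
    return base.rstrip("/") + "/xray/api/v1/cve_applicability?" + urllib.parse.urlencode(params)
```

Run triage(SAMPLE_ISSUES) to see the buckets; the "Applicable" bucket is the list worth remediating first, while "No analysis" and "Undetermined" still need manual review.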



Copyright © 2022 JFrog Ltd.