Setting Up On-Demand Binary Scan
- Install Xray
- Install JFrog CLI version 2.1.0
How Does it Work?
Step 1 - Trigger the JFrog CLI
Trigger the JFrog CLI in a directory containing the binaries of a project.
Step 2 - Run the JFrog CLI Commands
Run the JFrog CLI Commands using one of the two methods:
- Use the existing upload command with additional parameters that will serve as a conditional upload. A conditional upload ensures that the files are scanned prior to uploading to Artifactory, and will not be uploaded if the scan contains any security issues and does not comply with the policies you set.
- Run an independent scan command.
Supported commands in the JFrog CLI:
- Scanning Files on the Local File System: This command scans files on the local file-system with Xray.
Depending on the command option you use, you can view scan results for the following:
- Vulnerabilities
- Violations
- Licenses
By default, the scan returns vulnerabilities data found in your dependencies. To retrieve violations data, use one of the following methods:
Watches - Select Watches to apply to the scan.
Repo Path - Provide a target destination path in Artifactory, and Watches will be determined by the path.
Project - Select a Project by project key, and use all Watches defined for the Project.
Take note, that if you run the scan using one of these command options, the scan results will only show violations data and not vulnerabilities data. To view vulnerabilities data, run the scan without these options.
Step 3 - View Results
The results are displayed in table format.
You can also view results in JSON format for automation purposes and view more scan results data by using the following command option:
--format=json
{
"scan_id": "11148acb-f8d4-4640-56e4-db312cb5ba0c",
"violations": [
{
"summary": "Apache Commons IO FileNameUtils.normalize Path Traversal Remote File Disclosure Weakness",
"severity": "Medium",
"type": "security",
"components": {
"gav://commons-io:commons-io:2.2": {
"fixed_versions": [
"[2.7]"
],
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://commons-io:commons-io:2.2",
"full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
}
]
]
}
},
"watch_name": "Sec-Watch",
"issue_id": "XRAY-78200",
"cves": [
{
}
],
"references": [
"https://issues.apache.org/jira/browse/IO-556"
],
},
{
"severity": "Medium",
"type": "security",
"components": {
"gav://commons-io:commons-io:2.2": {
"fixed_versions": [
"[2.7]"
],
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://commons-io:commons-io:2.2",
"full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
}
]
},
"watch_name": "Sec-Watch",
"issue_id": "XRAY-172728",
"cves": [
{
"cve": "CVE-2021-29425",
"cvss_v2_score": "5.0",
"cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3_score": "5.3",
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"references": [
"https://issues.apache.org/jira/browse/IO-556",
"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
],
},
{
"severity": "High",
"type": "license",
"components": {
"gav://org.slf4j:slf4j-api:1.7.5": {
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://org.slf4j:slf4j-api:1.7.5",
"full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"
}
]
]
}
},
"watch_name": "Sec-Watch",
"references": [
"http://www.opensource.org/licenses/MIT",
"http://www.opensource.org/licenses/mit-license.php",
"https://spdx.org/licenses/MIT",
"https://spdx.org/licenses/MIT.html"
],
"license_key": "MIT",
"license_name": "The MIT License",
}
],
"licenses": [
{
"license_key": "Apache-2.0",
"components": {
"gav://commons-io:commons-io:2.2": {
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://commons-io:commons-io:2.2",
"full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
}
]
]
},
"gav://commons-lang:commons-lang:2.6": {
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://commons-lang:commons-lang:2.6",
"full_path": "META-INF/maven/commons-lang/commons-lang/pom.xml"
}
]
]
},
"gav://de.is24.common:appmon4j-agent:1.53": {
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "META-INF/maven/de.is24.common/appmon4j-agent/pom.xml"
}
],
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
}
],
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
}
]
]
},
"gav://de.is24.common:appmon4j-core:1.53": {
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
}"http://www.opensource.org/licenses/Apache-2.0",
{
"impact_paths": [
]"status": "completed""violations": [
"severity": "Medium",
"type": "security",
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
],
},
"type": "security",
"components": {
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N",
}"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
],
},
{
},
{
"references": [
"https://spdx.org/licenses/MIT.html""license_name": "The MIT License",
}"gav://commons-io:commons-io:2.2": {
},
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar""impact_paths": [
"component_id": "gav://de.is24.common:appmon4j-agent:1.53""full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
"gav://de.is24.common:appmon4j-agent:1.53": {
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
[
{
"component_id": "gav://de.is24.common:appmon4j-core:1.53",
"full_path": "META-INF/maven/de.is24.common/appmon4j-core/pom.xml"
}
]
]
}
},
"references": [
"http://www.opensource.org/licenses/Apache-2.0",
"http://www.opensource.org/licenses/apache2.0.php",
"https://spdx.org/licenses/Apache-2.0",
"https://spdx.org/licenses/Apache-2.0.html",
"http://www.apache.org/licenses/LICENSE-2.0",
"https://licenses.nuget.org/Apache-2.0",
"http://licenses.nuget.org/Apache-2.0",
"https://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt",
"http://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt"
]
},
{
"license_key": "MIT",
"components": {
"gav://org.slf4j:slf4j-api:1.7.5": {
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://org.slf4j:slf4j-api:1.7.5",
"full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"
}
]
]
}
},
"references": [
"http://www.opensource.org/licenses/MIT",
"http://www.opensource.org/licenses/mit-license.php",
"https://spdx.org/licenses/MIT",
"https://spdx.org/licenses/MIT.html"
]
}
],
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"package_type": "Maven",
"status": "completed"
}
}
| Field Name | Description | Example |
|---|---|---|
artifact_name | The name of the artifact. | jenkins-war-2.289.1.war |
component_id | Component ID in the JFrog Component Format Standards. | |
package_type | Type of the artifact package. | Maven |
repo_path | The repo path as it was provided in the scan request. | default/maven-local-repo/org/jenkins-ci/main/jenkins-war/2.289.1/ |
scan_id | Unique scan ID. | 4f811ab8-51a2-4baf-61d3-3a277aaa8066 |
status | Scan status. If a scan is pending, completed or failed. | pending failed completed |
violations | A list of minimal violations. | |
violations[].summary | ||
violations[].severity | Medium Critical | |
violations[].type | Security or license. | security |
violations[].components | Map of violating component the lowest level in the artifact graph. The key is the component ID. | |
violations[].components[].impact_paths | List of impact paths. Each impact path is a JSON array by itself, indicating the path from the artifact in scan to the vulnerable component in the graph. | |
violations[].components[].impact_paths[][].component_id | The component ID in the current impact path node. | |
violations[].components[].impact_paths[][].full_path | The file path of the current component, relative to the previous component in the list. The first component (which is the artifact itself) will not have full_path filled. | META-INF/maven/commons-httpclient/commons-httpclient/pom.xml |
violations[].components[].fixed_versions | Versions of the component in which this violation is not effective anymore. | ["[4.0.9-2+deb9u4]", "[4.0.10-3+deb9u4]"] |
violations[].watch_name | Watch that created the violation. | cloud-watch |
violations[].issue_id | Xray issue ID. | XRAY-73704 |
violations[].cves | List of CVE objects. | |
violations[].cves[].cve | CVE ID. | CVE-2018-9116 |
violations[].cves[].cvss_v2_score | 6.4 | |
violations[].cves[].cvss_v3_score | 9.1 | |
violations[].cves[].cvss_v2_vector | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P | |
violations[].cves[].cvss_v3_vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | |
violations[].references | Links for more information. | |
violations[].fail_build | Indicates if this violation fails a build. | true |
violations[].license_key | Apache-2.0 | |
violations[].license_name | The Apache Software License, Version 2.0 | |
vulnerabilities | List of vulnerabilities discovered on the scanned graph. | |
vulnerabilities[].cves | List of CVE objects. | |
vulnerabilities[].summary | Summary of the vulnerability. | |
vulnerabilities[].severity | Medium Critical | |
vulnerabilities[].vulnerable_components | List of vulnerable components the lowest level in the artifact graph | |
vulnerabilities[].components | List of vulnerable components the lowest level in the artifact graph. | |
licenses | List of licenses | |
licenses[].license_key | Apache-2.0 | |
licenses[].license_name | The Apache Software License, Version 2.0 | |
licenses[].components | Map of components with this license, where the key is component ID. | |
licenses[].custom | Indicated if this is this a custom license. | false |
licenses[].references | Links for more information |
Known Limitations
- Java scripts which are not part of an npm package will not be identified in this scan. Once uploaded to Artifactory it will be fully detected.
- Conan and Docker packages are not supported at the moment. Conan and Docker scan is available when uploaded to Artifactory and will be supported in the on-demand binary scan in later versions.