




Overview

As an organization, you want to build software securely during development rather than find and fix vulnerabilities after your code is compiled. Xray uses the JFrog CLI to provide on-demand binary scanning for this purpose.

  • Run ad-hoc scans for security purposes without uploading to Artifactory first.
  • Adhere to organizational standards that require binaries and builds to be approved before they are uploaded to Artifactory.
  • Scan binaries that are not stored in Artifactory while still using Xray's scanning capabilities.

You can point to a binary in your local file system and receive a report that lists the vulnerabilities and licenses found in that binary. The JFrog CLI encapsulates a closed-source component that contains the logic for extracting a binary and composing a component graph from it, in the same way Xray scans your binaries in Artifactory. For more information, see Xray Security and Compliance. The CLI returns a detailed scan results report containing the vulnerabilities, violations, and licenses discovered in your binary.




Setting Up On-Demand Binary Scan

  1. Install Xray
  2. Install JFrog CLI version 2.1.0

How Does it Work?

Step 1 - Trigger the JFrog CLI

Trigger the JFrog CLI in a directory containing the binaries of a project.

Step 2 - Run the JFrog CLI Commands 

Run the JFrog CLI commands using one of two methods:

  • Use the existing upload command with additional parameters that turn it into a conditional upload. A conditional upload ensures that the files are scanned before they are uploaded to Artifactory, and they are not uploaded if the scan finds security issues or the files do not comply with the policies you set.
  • Run an independent scan command.

Supported commands in the JFrog CLI:

Depending on the command option you use, you can view scan results for the following:

  • Vulnerabilities
  • Violations
  • Licenses

By default, the scan returns vulnerabilities data found in your dependencies. To retrieve violations data, use one of the following methods:

  • Watches - Select Watches to apply to the scan.

  • Repo Path - Provide a target destination path in Artifactory, and Watches will be determined by the path.

  • Project - Select a Project by project key, and use all Watches defined for the Project.

Note that if you run the scan with one of these command options, the results show only violations data, not vulnerabilities data. To view vulnerabilities data, run the scan without these options.


Step 3 - View Results

The results are displayed in table format. 

You can also view results in JSON format for automation purposes and view more scan results data by using the following command option:


--format=json
Sample Output
{
  "scan_id": "11148acb-f8d4-4640-56e4-db312cb5ba0c",
  "violations": [
    {
      "summary": "Apache Commons IO FileNameUtils.normalize Path Traversal Remote File Disclosure Weakness",
      "severity": "Medium",
      "type": "security",
      "components": {
        "gav://commons-io:commons-io:2.2": {
          "fixed_versions": [
            "[2.7]"
          ],
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://commons-io:commons-io:2.2",
                "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
              }
            ]
          ]
        }
      },
      "watch_name": "Sec-Watch",
      "issue_id": "XRAY-78200",
      "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=XRAY-78200&show_popup=true&type=security&watch_name=Sec-Watch",
      "cves": [
        {}
      ],
      "references": [
        "https://issues.apache.org/jira/browse/IO-556"
      ]
    },
    {
      "severity": "Medium",
      "type": "security",
      "components": {
        "gav://commons-io:commons-io:2.2": {
          "fixed_versions": [
            "[2.7]"
          ],
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://commons-io:commons-io:2.2",
                "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
              }
            ]
          ]
        }
      },
      "watch_name": "Sec-Watch",
      "issue_id": "XRAY-172728",
      "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=XRAY-172728&show_popup=true&type=security&watch_name=Sec-Watch",
      "cves": [
        {
          "cve": "CVE-2021-29425",
          "cvss_v2_score": "5.0",
          "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3_score": "5.3",
          "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
        }
      ],
      "references": [
        "https://issues.apache.org/jira/browse/IO-556",
        "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
      ]
    },
    {
      "severity": "High",
      "type": "license",
      "components": {
        "gav://org.slf4j:slf4j-api:1.7.5": {
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://org.slf4j:slf4j-api:1.7.5",
                "full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"
              }
            ]
          ]
        }
      },
      "watch_name": "Sec-Watch",
      "ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=MIT&show_popup=true&type=security&watch_name=Sec-Watch",
      "references": [
        "http://www.opensource.org/licenses/MIT",
        "http://www.opensource.org/licenses/mit-license.php",
        "https://spdx.org/licenses/MIT",
        "https://spdx.org/licenses/MIT.html"
      ],
      "license_key": "MIT",
      "license_name": "The MIT License"
    }
  ],
  "licenses": [
    {
      "license_key": "Apache-2.0",
      "components": {
        "gav://commons-io:commons-io:2.2": {
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://commons-io:commons-io:2.2",
                "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
              }
            ]
          ]
        },
        "gav://commons-lang:commons-lang:2.6": {
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://commons-lang:commons-lang:2.6",
                "full_path": "META-INF/maven/commons-lang/commons-lang/pom.xml"
              }
            ]
          ]
        },
        "gav://de.is24.common:appmon4j-agent:1.53": {
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "META-INF/maven/de.is24.common/appmon4j-agent/pom.xml"
              }
            ],
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              }
            ],
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              }
            ]
          ]
        },
        "gav://de.is24.common:appmon4j-core:1.53": {
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-core:1.53",
                "full_path": "META-INF/maven/de.is24.common/appmon4j-core/pom.xml"
              }
            ]
          ]
        }
      },
      "references": [
        "http://www.opensource.org/licenses/Apache-2.0",
        "http://www.opensource.org/licenses/apache2.0.php",
        "https://spdx.org/licenses/Apache-2.0",
        "https://spdx.org/licenses/Apache-2.0.html",
        "http://www.apache.org/licenses/LICENSE-2.0",
        "https://licenses.nuget.org/Apache-2.0",
        "http://licenses.nuget.org/Apache-2.0",
        "https://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt",
        "http://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt"
      ]
    },
    {
      "license_key": "MIT",
      "components": {
        "gav://org.slf4j:slf4j-api:1.7.5": {
          "impact_paths": [
            [
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53"
              },
              {
                "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
              },
              {
                "component_id": "gav://org.slf4j:slf4j-api:1.7.5",
                "full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"
              }
            ]
          ]
        }
      },
      "references": [
        "http://www.opensource.org/licenses/MIT",
        "http://www.opensource.org/licenses/mit-license.php",
        "https://spdx.org/licenses/MIT",
        "https://spdx.org/licenses/MIT.html"
      ]
    }
  ],
  "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
  "package_type": "Maven",
  "status": "completed"
}
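The JSON report above is meant to be consumed by automation. The following is an added example, not JFrog's code and not part of the original page, of the kind of gate a CI step would apply to it: it flattens each violation (or vulnerability, when the scan was run without the Watches, Repo Path or Project options described in Step 2) to one row per affected component, renders the impact path down to the file that carries the vulnerable component, and decides whether the pipeline should fail. It assumes the report was produced by the JFrog CLI scan command with --format=json and read from stdin; the scan command's flag names mentioned in the comments (--watches, --repo-path, --project) are assumptions taken from the JFrog CLI documentation and are not stated on this page. The embedded report is a constructed, trimmed copy of the page's sample output so the script runs offline.

```python
"""Gate a CI step on a JFrog CLI on-demand binary scan JSON report.

Added example (not JFrog's code). Assumed usage:
    jfrog scan ./build --format=json | python scan_gate.py
With --watches / --repo-path / --project (flag names are an assumption from
the JFrog CLI docs) the report carries "violations"; without them it carries
"vulnerabilities". Both are handled below.
"""
import json
from typing import Any, Dict, List

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample, trimmed from the page's sample output: one security
# violation with a CVE and one license violation, both raised by watch Sec-Watch.
SAMPLE_REPORT = json.dumps({
    "scan_id": "11148acb-f8d4-4640-56e4-db312cb5ba0c",
    "violations": [
        {
            "severity": "Medium",
            "type": "security",
            "components": {
                "gav://commons-io:commons-io:2.2": {
                    "fixed_versions": ["[2.7]"],
                    "impact_paths": [[
                        {"component_id": "gav://de.is24.common:appmon4j-agent:1.53"},
                        {"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
                         "full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"},
                        {"component_id": "gav://commons-io:commons-io:2.2",
                         "full_path": "META-INF/maven/commons-io/commons-io/pom.xml"},
                    ]],
                }
            },
            "watch_name": "Sec-Watch",
            "issue_id": "XRAY-172728",
            "cves": [{"cve": "CVE-2021-29425", "cvss_v3_score": "5.3"}],
        },
        {
            "severity": "High",
            "type": "license",
            "components": {
                "gav://org.slf4j:slf4j-api:1.7.5": {
                    "impact_paths": [[
                        {"component_id": "gav://de.is24.common:appmon4j-agent:1.53"},
                        {"component_id": "gav://org.slf4j:slf4j-api:1.7.5",
                         "full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"},
                    ]],
                }
            },
            "watch_name": "Sec-Watch",
            "license_key": "MIT",
        },
    ],
    "component_id": "gav://de.is24.common:appmon4j-agent:1.53",
    "package_type": "Maven",
    "status": "completed",
})


def load_report(text: str) -> Dict[str, Any]:
    """Parse the report and refuse anything that is not a completed scan."""
    report = json.loads(text)
    if report.get("status") != "completed":
        raise ValueError(f"scan {report.get('scan_id')} not completed: {report.get('status')}")
    return report


def findings(report: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Violations when the scan was run against watches/repo path/project, else vulnerabilities."""
    return report.get("violations") or report.get("vulnerabilities") or []


def render_path(path: List[Dict[str, str]]) -> str:
    """Render one impact path as 'root > file > ... > file'; the root node has no full_path."""
    return " > ".join(node.get("full_path", node["component_id"]) for node in path)


def summarize(report: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten findings to one row per affected component, most severe first."""
    rows = []
    for finding in findings(report):
        cve_ids = [c["cve"] for c in finding.get("cves", []) if c.get("cve")]
        for component_id, details in finding.get("components", {}).items():
            rows.append({
                "severity": finding.get("severity", "Unknown"),
                "type": finding.get("type"),
                "component": component_id,
                "issue": finding.get("issue_id") or finding.get("license_key"),
                "fixed_versions": details.get("fixed_versions", []),
                "cves": cve_ids,
                "paths": [render_path(p) for p in details.get("impact_paths", [])],
            })
    rows.sort(key=lambda r: SEVERITY_RANK.get(r["severity"], 0), reverse=True)
    return rows


def should_fail(report: Dict[str, Any], threshold: str = "High") -> bool:
    """Fail when any finding has fail_build set or its severity reaches the threshold."""
    limit = SEVERITY_RANK[threshold]
    for finding in findings(report):
        if finding.get("fail_build") or SEVERITY_RANK.get(finding.get("severity"), 0) >= limit:
            return True
    return False


if __name__ == "__main__":
    import sys
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    report = load_report(text)
    for row in summarize(report):
        print(f"{row['severity']:<8} {row['type']:<8} {row['component']} "
              f"issue={row['issue']} fixed={row['fixed_versions']} cves={row['cves']}")
        for p in row["paths"]:
            print("    via", p)
    sys.exit(1 if should_fail(report) else 0)
```

The gate treats license violations the same as security ones because both come from the Watches you selected; if your policy only blocks on security findings, filter on the type field before comparing severities. Pinning the threshold in the script rather than relying on the fail_build flag alone keeps the pipeline's behaviour reviewable in source control.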

Field Name | Description | Example
---------- | ----------- | -------
artifact_name | The name of the artifact. | jenkins-war-2.289.1.war
component_id | Component ID in the JFrog Component Format Standards. | gav://org.jenkins-ci.main:jenkins-war:2.289.1
package_type | Type of the artifact package. | Maven
repo_path | The repo path as it was provided in the scan request. | default/maven-local-repo/org/jenkins-ci/main/jenkins-war/2.289.1/
scan_id | Unique scan ID. | 4f811ab8-51a2-4baf-61d3-3a277aaa8066
status | Scan status: pending, completed, or failed. | pending, failed, completed
violations | A list of minimal violations. |
violations[].summary | |
violations[].severity | | Medium, Critical
violations[].type | Security or license. | security
violations[].components | Map of violating components at the lowest level in the artifact graph. The key is the component ID. |
violations[].components[].impact_paths | List of impact paths. Each impact path is a JSON array by itself, indicating the path from the scanned artifact to the vulnerable component in the graph. |
violations[].components[].impact_paths[][].component_id | The component ID of the current impact path node. | gav://commons-httpclient:commons-httpclient:3.1-jenkins-2
violations[].components[].impact_paths[][].full_path | The file path of the current component, relative to the previous component in the list. The first component (the artifact itself) has no full_path. | META-INF/maven/commons-httpclient/commons-httpclient/pom.xml
violations[].components[].fixed_versions | Versions of the component in which this violation is no longer effective. | ["[4.0.9-2+deb9u4]", "[4.0.10-3+deb9u4]"]
violations[].watch_name | Watch that created the violation. | cloud-watch
violations[].issue_id | Xray issue ID. | XRAY-73704
violations[].ignore_url | URL for creating an Ignore Rule for the violation. | http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=MIT&show_popup=true&type=security&watch_name=Sec-Watch
violations[].cves | List of CVE objects. |
violations[].cves[].cve | CVE ID. | CVE-2018-9116
violations[].cves[].cvss_v2_score | | 6.4
violations[].cves[].cvss_v3_score | | 9.1
violations[].cves[].cvss_v2_vector | | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P
violations[].cves[].cvss_v3_vector | | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
violations[].references | Links for more information. |
violations[].fail_build | Indicates whether this violation fails a build. | true
violations[].license_key | | Apache-2.0
violations[].license_name | | The Apache Software License, Version 2.0
vulnerabilities | List of vulnerabilities discovered in the scanned graph. |
vulnerabilities[].cves | List of CVE objects. |
vulnerabilities[].summary | Summary of the vulnerability. |
vulnerabilities[].severity | | Medium, Critical
vulnerabilities[].vulnerable_components | List of vulnerable components at the lowest level in the artifact graph. | ["npm://highlight.js:9.18.3"]
vulnerabilities[].components | List of vulnerable components at the lowest level in the artifact graph. |
licenses | List of licenses. |
licenses[].license_key | | Apache-2.0
licenses[].license_name | | The Apache Software License, Version 2.0
licenses[].components | Map of components with this license, where the key is the component ID. |
licenses[].custom | Indicates whether this is a custom license. | false
licenses[].references | Links for more information. |

Known Limitations

  • JavaScript files that are not part of an npm package are not identified by this scan. Once uploaded to Artifactory, they are fully detected.
  • Conan and Docker packages are not supported at the moment. Conan and Docker scanning is available for packages uploaded to Artifactory and will be supported in the on-demand binary scan in later versions.
Copyright © 2021 JFrog Ltd.