USER MANAGEMENT
Get Users
Description: Gets a list of all users in the system or a specific user
API Version: v1
Notes: This API is deprecated.
Security: Requires an admin user
Usage: GET /users
Produces: application/json
Sample Response:
[
{
"name": "user1",
"password": "",
"email": "user1@company.com",
"admin": true,
"blocked": false
},
{
"name": "user2",
"password": "",
"email": "user2@company.com",
"admin": false,
"blocked": false
}
]
Response Codes:
200: Success
404: Use with id {id} does not exist
500: Failed to serialize user data
500: Failed to retrieve user
500: Failed to retrieve user {id}
Get User
Description: Gets a specific user
API Version: v1
Notes: This API is deprecated.
Security: Requires an admin user
Produces: application/json
Sample Response:
{
"name": "user1",
"password": "",
"email": "user1@company.com",
"admin": true,
"blocked": false
}
Response Codes:
200: Success
404: Use with id {id} does not exist
500: Failed to serialize user data
500: Failed to retrieve user
500: Failed to retrieve user {id}
ISSUES
Create Issue Event
Description: Allows adding a custom issue
API Version: v1
Security: Requires a valid user with the "Manage Xray Metadata" permission
Usage: POST /events
Produces: application/json
Consumes: application/json
Sample Payload:
{
"id": "XRAY-787",
"type": "Security",
"provider": "JFrog",
"package_type": "maven",
"severity": "High",
"components": [
{
"id": "aero:aero",
"vulnerable_versions": [
"[0.2.3]"
]
}
],
"cves": [
{
"cve": "CVE-2017-1000386",
"cvss_v2": "2.4"
}
],
"summary": "A very important custom issue",
"description": "A very important custom issue",
"sources": [
{
"source_id": "CVE-2017-1000386"
}
]
}
Sample Response:
{
"id": "XRAY-787",
"package_type": "maven",
"type": "security",
"provider": "JFrog",
"summary": "A very important custom issue",
"description": "A very important custom issue",
"severity": "High",
"created": "2019-12-17T15:29:31.95835098Z",
"cves": [
{
"cve": "CVE-2017-1000386",
"cvss_v2": "2.4"
}
],
"sources": [
{
"source_id": "CVE-2017-1000386"
}
],
"components": [
{
"id": "aero:aero",
"vulnerable_versions": [
"[0.2.3]"
],
"fixed_versions": null
}
],
"modified": "2019-12-17T15:29:31.95835098Z",
"edited": "2019-12-17T15:29:31.972920491Z"
}
Update Issue Event
Description: Allows an issue vendor to update an issue event
Security: Requires a valid user with the "Manage Xray Metadata" permission
Usage: PUT /events/{id}
Consumes: application/json
Sample Payload:
{
"id": "XRAY-787",
"type": "Security",
"provider": "JFrog",
"package_type": "maven",
"severity": "High",
"components": [
{
"id": "aero:aero",
"vulnerable_versions": [
"[0.2.3]"
]
}
],
"cves": [
{
"cve": "CVE-2017-1000386",
"cvss_v2": "2.4"
}
],
"summary": "new summary",
"description": "updated description",
"sources": [
{
"source_id": "CVE-2017-1000386"
}
]
}
Response:
Should return updated object.
Get Issue Events V1
Description: Gets an issue created by a vendor
Security: Requires a valid user with the "Read" permission.
Note: This API is deprecated in Xray version 3.51.0.
Usage: GET /events/{id}
Produces: application/json
Sample Response:
{
"id": "XRAY-787",
"type": "security",
"source_id": "CVE-2017-1000386",
"severity": "High",
"provider": "JFrog",
"created": "2019-12-17T15:36:33.654Z",
"modified": "2019-12-17T15:36:33.654Z",
"updated": "2019-12-17T15:36:33.654Z",
"description": "updated description",
"summary": "new summary",
"components": [
{
"component_id": "gav://aero:aero:0.2.3"
}
],
"properties": {
"cve": "CVE-2017-1000386",
"cvss_v2": "2.4",
"cvss_v3": ""
}
}
Get Issue Events V2
Description: Gets an issue created by a vendor.
Security: Requires a valid user with the "Read" permission. Premium Vulnerability Database details is only available with an Enterprise and Enterprise+ subscription.
Since: Xray 3.51.0
Usage: GET /api/v2/events/{id}
Produces: application/json
curl -v -uadmin:Password@1 -XGET http://localhost:8000/api/v2/events/XRAY-115734
{
"id": "XRAY-115734",
"package_type": "alpine",
"type": "security",
"provider": "JFrog",
"summary": "Libxml2 xmlreader.c xmlTextReaderFreeProp() Function IDREF Attributes Handling Use-after-free Unspecified Issue",
"description": "Libxml2 contains a use-after-free error in the xmlTextReaderFreeProp() function in xmlreader.c that is triggered when handling IDREF attributes. This may allow a context-dependent attacker to dereference already freed memory and have an unspecified impact.",
"severity": "High",
"leading_severity": {
"severity": "Critical",
"source": "CVSS V3 from RBS"
},
"created": "2020-08-04T15:43:17.217+05:30",
"cves": [
{
"cvss_v2": "9.3/AV:N/AC:M/Au:N/C:C/I:C/A:C",
"cvss_v3": "9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"sources": [
{
"name": "VulnDB",
"source_id": "231389",
"url": "https://vulndb.cyberriskanalytics.com/vulnerabilities/231389"
}
],
"components": [
{
"id": "3.2:py-libxml2",
"vulnerable_versions": [
"(,)"
],
"fixed_versions": null,
"vulnerable_ranges": [
{
"vulnerable_versions": [
"(,)"
],
"fixed_versions": null,
"container_affected_cpes": null
}
]
},
{
"id": "3.0:py-libxml2",
"vulnerable_versions": [
"(,)"
],
"fixed_versions": null,
"vulnerable_ranges": [
{
"vulnerable_versions": [
"(,)"
],
"fixed_versions": null,
"container_affected_cpes": null
}
]
},
{
"id": "2.1:libxml2",
"vulnerable_versions": [
"(,)"
],
"fixed_versions": null,
"vulnerable_ranges": [
{
"vulnerable_versions": [
"(,)"
],
"fixed_versions": null,
"container_affected_cpes": null
}
]
}
Garbage Collector (GC)
Garbage Collector Status
Description: Returns the current status of the Garbage Collector.
Security: Requires an admin user.
Usage: GET /api/v1/gc/status
Produces: application/json
{
"is_running" : true/false,
“last_time_started” : Date,
“last_time_ended” : Date,
"last_successful_run" : Date,
“Last_state”: “running”/“succeeded”/”failed”/”aborted”
"last_error": "cause error if there is"
}
Response Codes:
200: ok
500: failed to retrieve current settings
401: unauthorized
403: forbidden
Get GC Configuration
Description: Returns the current configurations of the Garbage Collector.
Security: Requires an admin user.
Usage: GET /api/v1/configuration/gc
Produces: application/json
{
"scheduler_enabled": true/false,
"scheduler_period_minutes" : int,
"max_duration_seconds" : int,
"max_retry_count" : int,
"Idle_listener_enabled" : true/false,
"Idle_listener_gc_duration_seconds" : int,
"Idle_listener_sampling_rate_seconds" : int
}
Response Codes:
200: ok
500: failed to retrieve current settings
401: unauthorized
403: forbidden
Set GC Configuration
Description: Sets the Garbage Collector configuration.
Security: Requires an admin user.
Usage: PUT /api/v1/configuration/gc
Produces: application/json
{
"scheduler_enabled": true/false,
"scheduler_period_minutes" : int,
"max_duration_seconds" : int,
"max_retry_count" : int,
"Idle_listener_enabled" : true/false,
"Idle_listener_gc_duration_seconds" : int,
"Idle_listener_sampling_rate_seconds" : int
}
{
"info" : "Garbage collector configurations successfully updated"
}
Response Codes:
200: ok
500: failed to update Garbage Collector configuration
400: parsing error/max_duration is below 60; period is below 60; max_retry_count is below 3
401: unauthorized
403: forbidden
Force GC to Run
Description: Forces the Garbage Collector to run.
Security: Requires an admin user.
Usage: POST /api/v1/gc/start
Produces: application/json
{
"max_duration_seconds" : int
}
{
"info" : "Garbage collector successfully triggered"
}
Response Codes:
200: ok
500: failed to trigger Garbage Collector
400: parsing error/max_duration is below 60
409: system YAML parameter deleteMode is not set to 'gc'
401: unauthorized
403: forbidden
Abort GC
Description: Forces the Garbage Collector to stop if running.
Security: Requires an admin user.
Usage: POST /api/v1/gc/abort
Produces: application/json
{
"info" : "Garbage collector stop signal was triggered"
}
Response Codes:
200: ok
500: failed to trigger Garbage Collector
401: unauthorized
403: forbidden
WATCHES
Xray REST API v2
The following endpoints related to Watches use the JFrog Xray REST API v2 introduced in Xray version 2.4. If you are using an older version of Xray, please refer to the corresponding endpoints under WATCHES-v1.
Create Watch
Description: Creates a new Watch
API Version: v2
Security: Requires the "Manage Watches" role to be set on the User or Group level.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can create a Watch using this REST API in the scope of a project, by using the additional query parameter projectKey. A Watch can include both Global and Project Policies.
Usage: POST /watches
Consumes: application/json
Produces: application/json
Response Codes:
201: Success - Watch has been successfully created
415: Failed to parse request
400: invalid watch
403: No permissions for watch
409: Watch with name {name} already exists
500: Failed to create watch
Sample Usage:
Sample 1 - Watch a Repository
POST api/v2/watches
{
"general_data": {
"name": "vuln-prod",
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "repository",
"bin_mgr_id": "art-prod-eu",
"name": "libs-release-local",
"filters": [
{
"type": "regex",
"value": ".*"
}
]
}
]
},
"assigned_policies": [
{
"name": "medium_policy",
"type": "security"
}
]
},
"watch_recipients":["galba@myemail.com","umac@youremail.com"]
}
Sample 2 - Watch All Repositories
POST api/v2/watches
{
"general_data": {
"name": "all-repositories",
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "all-repos",
"filters": [
{
"type": "package-type",
"value": "Docker"
},
{
"type": "package-type",
"value": "Debian"
}
]
}
]
},
"assigned_policies": [
{
"name": "critial_issues",
"type": "security"
}
]
},
"watch_recipients":["name@myemail.com","umac@youremail.com"]
}
Sample 3 - Watch a Build
POST api/v2/watches
{
"general_data": {
"name": "specific-build-watch",
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "build",
"bin_mgr_id": "art-prod-eu",
"name": "release-pipeline"
}
]
},
"assigned_policies": [
{
"name": "critial_issues",
"type": "security"
},
{
"name": "block_policy",
"type": "security"
}
]
},
"watch_recipients":["name@myemail.com","umac@youremail.com"]
}
Sample 4- Watch all Builds
{
"general_data": {
"name": "build-watch",
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "all-builds",
"bin_mgr_id": "default",
"filters": [
{
"type": "ant-patterns",
"value":{
"ExcludePatterns": ["a*","b*"],
"IncludePatterns": ["ab*"]
}
}
]
}
]
},
"assigned_policies": [
{
"name": "test-license-policy-allowed-12956",
"type": "license"
}
],
"watch_recipients":["galba@myemail.com","umac@youremail.com","galba@myemail.com"]
}
Sample 5 - Create a Watch in Projects
POST api/v2/watches?projectKey=<project_key>
Sample 6- Watch Projects by Project Key
POST api/v2/watches {
"general_data": {
"name": "single_project_watch",
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "project",
"bin_mgr_id": "default",
"name": "<project-key#1>"
}
]
},
"assigned_policies": [
{
"name": "medium_policy",
"type": "security"
}
],
"watch_recipients": [
"galba@myemail.com",
"umac@youremail.com"
]
}
Sample 7 - Watch All Projects
POST api/v2/watches
{
"general_data": {
"name": "vuln-prod",
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "all-projects",
"bin_mgr_id": "art-prod-eu",
}
]
}
]
},
"assigned_policies": [
{
"name": "medium_policy",
"type": "security"
}
]
},
"watch_recipients":["galba@myemail.com","umac@youremail.com"]
}
Sample 8 - Watch Projects with Include/Exclude Patterns on Project Key
POST api/v2/watches {
"general_data": {
"name": "vuln-prod",
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "all-projects",
"bin_mgr_id": "default",
"filters": [
{
"type": "ant-patterns",
"value": {
"ExcludePatterns": [
"a*",
"b*"
],
"IncludePatterns": [
"ab*"
]
}
}
]
}
]
},
"assigned_policies": [
{
"name": "medium_policy",
"type": "security"
}
],
"watch_recipients": [
"galba@myemail.com",
"umac@youremail.com"
]
}
Sample 9 - Create Watch with Jira Integration Enabled
{
"general_data": {
"name": "testwatch5",
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "repository",
"bin_mgr_id": "default",
"name": "testrepo",
"filters": [
{
"type": "regex",
"value": ".*"
}
]
}
]
},
"assigned_policies": [
{
"name": "testpolicy",
"type": "security"
}
],
"create_ticket_enabled":true,
"ticket_profile":"test",
"watch_recipients":["galba@myemail.com","umac@youremail.com"]
}
Update Watch
Description: Updates a Watch.
Note: This will overwrite the previous Watch configurations and replace them with the updated parameters.
API Version: v2
Security: Requires the "Manage Watches" role to be set on the User or Group level.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can update a Watch using this REST API in the scope of a project, by using the additional query parameter projectKey. A Watch can include both Global and Project Policies.
Usage: PUT /watches/{name}
Consumes: application/json
Produces: application/json
Sample usage:
PUT api/v2/watches/{watch_name}
{
"general_data": {
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "all-repos",
"filters": [
{
"type": "package-type",
"value": "Docker"
},
{
"type": "package-type",
"value": "Debian"
}
]
}
]
},
"assigned_policies": [
{
"name": "critial_issues",
"type": "security"
}
],
"create_ticket_enabled":true,
"ticket_profile":"test",
"watch_recipients":["galba@myemail.com","umac@youremail.com"]
}
PUT api/v2/watches/proj-wath?projectKey=<project_key>
Response Codes:
200: Success. Watch was successfully updated
400: Failed to update watch: Watch name is empty
403: Failed to update watch: no permissions
404: Failed to update watch. Watch not found
415: Failed to parse request
500: Failed to update watch
500: Failed to reload block download cache
Get Watches
Description: Gets a list of all watches in the system
API Version: v2
Security: Requires the "Manage Watches" role to be set on the User or Group level.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can get a list of Watches using this REST API in the scope of a project, by using the additional query parameter projectKey. A Watch can include both Global and Project Policies. You can not update the project_key parameter.
Usage: GET /watches
Produces: application/json
Sample Response:
GET api/v2/watches
[
{
"general_data": {
"id": "5bbe364b0fe4dc29f64c25aa",
"name": "specific-build-watch",
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "build",
"bin_mgr_id": "art-prod-eu",
"name": "release-pipeline"
}
]
},
"assigned_policies": [
{
"name": "critial_issues",
"type": "security"
},
{
"name": "block_policy",
"type": "security"
}
]
},
{
"general_data": {
"id": "6f2s864b0fe4dc29f64r5z9m",
"name": "all-repositories",
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "all-repos",
"filters": [
{
"type": "package-type",
"value": "Docker"
},
{
"type": "package-type",
"value": "Debian"
}
]
}
]
},
"assigned_policies": [
{
"name": "critial_issues",
"type": "security"
}
]
},
{
"general_data": {
"id": "56sdf564b0fe4dc29f64cdfs564",
"name": "vuln-prod",
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "repository",
"bin_mgr_id": "art-prod-eu",
"name": "libs-release-local",
"filters": [
{
"type": "regex",
"value": ".*"
}
]
}
]
},
"assigned_policies": [
{
"name": "medium_policy",
"type": "security"
}
]
}
]
GET api/v2/watches?projectKey=<project_key>
[
{
"general_data": {
"id": "5bbe364b0fe4dc29f64c25aa",
"name": "specific-build-watch",
"description": "This is a new watch created using API V2",
"active": true,
"project_key": "myproj"
},
"project_resources": {
"resources": [
{
"type": "build",
"bin_mgr_id": "art-prod-eu",
"name": "release-pipeline"
}
]
},
"assigned_policies": [
{
"name": "critial_issues",
"type": "security"
},
{
"name": "block_policy",
"type": "security"
}
]
}
]
Response Codes:
200: Success - Watches retrieved
500: Failed to get Watch
Get Watch
Description: Gets a named watch
API Version: v2
Security: Requires the "Manage Watches" role to be set on the User or Group level.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can get a list of Watches using this REST API in the scope of a project, by using the additional query parameter projectKey. A Watch can include both Global and Project Policies.
Usage: GET /watches/{name}
Produces: application/json
Sample Response:
GET api/v2/watches/vuln-prod
{
"general_data": {
"id": "56sdf564b0fe4dc29f64cdfs564",
"name": "vuln-prod",
"description": "This is a new watch created using API V2",
"active": true
},
"project_resources": {
"resources": [
{
"type": "repository",
"bin_mgr_id": "art-prod-eu",
"name": "libs-release-local",
"filters": [
{
"type": "regex",
"value": ".*"
}
]
}
]
},
"assigned_policies": [
{
"name": "medium_policy",
"type": "security"
}
]
}
GET api/v2/watches/proj-watch?projectKey=<project_key>
{
"general_data": {
"id": "56sdf564b0fe4dc29f64cdfs564",
"name": "proj-watch",
"description": "This is a new watch created using API V2",
"active": true,
"project_key": "myproj"
},
"project_resources": {
"resources": [
{
"type": "repository",
"bin_mgr_id": "art-prod-eu",
"name": "libs-release-local",
"filters": [
{
"type": "regex",
"value": ".*"
}
]
}
]
},
"assigned_policies": [
{
"name": "medium_policy",
"type": "security"
}
]
}
Delete Watch
Description: Deletes a Watch
API Version: v2
Security: Requires the "Manage Watches" role to be set on the User or Group level.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can delete Watches using this REST API in the scope of a project, by using the additional query parameter projectKey. A Watch can include both Global and Project Policies.
Produces: application/json
Usage: DELETE /watches/{name}
Response Codes:
200: Success - Watch deleted
403: Failed to delete Watch
404: Watch not found
500: Failed to get Watch for delete
500: Failed to update block download cache
Get Ignored Violations
Description: Gets a list of all Ignored violations on a watch.
API Version: v1
Notes: Setting pagination parameters are optional. You can get the list sorted using order_by according to severity or updated.
The default values are:
- limit = 500
- offset = 1
- order_by = updated
Security: Requires the "Manage Watches" role to be set on the User or Group level.
Notes:
- For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can gets a list of all Ignored violations on a Watch using this REST API in the scope of a project, by using the additional query parameter projectKey.
- Starting from Xray version 3.42.3, JFrog Security CVE Research and Enrichment data is supported. Important notes:
- The following fields are markdown texts
- short_description
- full_description
- remediation
- Extended information fields will not appear to Free Tier users.
- The following fields are markdown texts
Usage: GET /violations/ignored/ {watch_name}
Produces: application/json
Get api/v1/violations/ignored/{watch_name}?limit={limit}&order_by={order_by}&offset={offset}
{
"violations_count": 1,
"violations": [
{
"violation_id": "5ddd31eb9c0a3c25fe242bdd",
"description": "The Apache Software License, Version 2.0",
"severity": "High",
"type": "License",
"infected_components": [
"gav://commons-lang:commons-lang:2.4",
"gav://commons-io:commons-io:1.2",
"gav://commons-collections:commons-collections:3.2",
"gav://org.apache.wicket:wicket:1.3.7"
],
"created": "2019-11-26T18:03:37+02:00",
"watch_name": "watch_all",
"matched_policies": [
{
"policy": "hgh",
"rule": "hi",
"is_blocking": false
}
],
"issue_id": "Apache-2.0",
"ignore_rule_info": {
"ignore_rule_type": "Ignore Permanently",
"author": "admin",
"created": 1574846905
}
}
]
Get api/v1/violations/ignored/proj-watch?projectKey=<project_key>&?limit={limit}&order_by={order_by}&offset={offset}
{
"violations_count": 1,
"violations": [
{
"violation_id": "1467958130936188928",
"description": "basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.",
"severity": "Medium",
"type": "Security",
"infected_components": [
"deb://debian:bullseye:libudev1:247.3-3",
"deb://debian:bullseye:libsystemd0:247.3-3"
],
"created": "2021-12-06T22:44:26+02:00",
"watch_name": "AllSeverityWatch",
"matched_policies": [
{
"policy": "AllSeverityPolicy",
"rule": "AllSeveritiyRule",
"is_blocking": false,
"is_ignored": true
}
],
"issue_id": "XRAY-179888",
"impacted_artifacts": [
"default/containers/pktvisor/latest/"
],
"ignore_rule_info": {
"id": "d8af732b-7ca0-442d-7baf-45c11e2ca847",
"ignore_rule_type": "Ignore Permanently",
"author": "admin",
"created": 1638823637,
"notes": "TestRemedationInVulnerabilityIgnoreRule",
"is_expired": false
},
"extended_information": {
"short_description": "Insufficient bounds checking in basic/unit-name in systemd allows local attackers to perform denial of service by mounting a filesystem with a very long path",
"full_description": "[systemd]( https://systemd.io/) is a software suite that provides an array of system components for Linux-based operating systems. Its main aim is to unify service configuration and behavior across Linux distributions.\r\n\r\nWhen systemd parses the `/proc/self/mountinfo` file, each mountpoint is passed to `mount_setup_unit()` which eventually calls `unit_name_path_escape()`.\r\n`unit_name_path_escape()` uses `strdupa` which allows a local attacker to exhaust kernel stack memory before string length restrictions are applied, leading to OS denial of service.\r\n\r\nTo exploit this, an attacker will have to create nested directories such that the total path length exceeds 4MB.\r\n\r\nThis vulnerability is exploitable only if the kernel supports unprivileged user namespaces (`CONFIG_USER_NS`).",
"jfrog_research_severity": "High",
"jfrog_research_severity_reasons": [
{
"name": "The CVE has an exploit published",
"is_positive": false
}
],
"remediation": "##### Development upgrade\n\n- Upgrade the component to any of the suggested fixed versions.\n\n##### Development mitigation\nApply this [patch]( https://github.com/systemd/systemd-stable/commit/764b74113e36ac5219a4b82a05f311b5a92136ce) and build from source.\n\n##### Deployment mitigation\nSet /proc/sys/kernel/unprivileged_userns_clone to 0 - to prevent an attacker from mounting a long directory in user namespace.\n\nSet /proc/sys/kernel/unprivileged_bpf_disabled to 1 – to prevent an attacker from loading ebpf program into kernel.\n\nNote: these mitigations apply for the exploit that was detailed in the [technical writeup]( https://packetstormsecurity.com/files/163621/Sequoia-A-Deep-Root-In-Linuxs-Filesystem-Layer.html)\nbut might not be applicable for other techniques."
}
}
]
}
POLICIES - v2
Create Policy
Description: Creates a new policy.
Security: Requires the "Manage Policies" role to be set on the User or Group level.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can create a policy using this REST API in the scope of a project, by using the additional query parameter projectKey.
API Version: V.2
Usage: POST api/v2/policies
Consumes: application/json
Produces : application/json
Security Example 1: Setting a 'min_severity' criteria
{
"name": "sec_policy",
"description": "This is a security policy",
"type": "security",
"rules": [
{
"name": "sec_rule",
"criteria": {
"min_severity": "medium"
},
"actions": {
"webhooks": [
"sec_webhook"
],
"block_download": {
"active": true,
"unscanned": true
},
"block_release_bundle_distribution": true,
"fail_build": true,
"notify_deployer": true,
"notify_watch_recipients": true
},
"priority": 1
}
]
}
Security Example 2 - Setting a 'cvss_range' criteria
{
"name": "sec_policy",
"description": "",
"type": "security",
"rules": [
{
"name": "sec_rule",
"criteria": {
"cvss_range": {
"from": 2.7,
"to": 7.1
}
},
"actions": {
"webhooks": [
"sec_webhook"
],
"block_download": {
"active": true,
"unscanned": true
},
"block_release_bundle_distribution": true,
"fail_build": true
},
"priority": 1
}
]
}
Security Example 3 - Exclude Violations with No Available Fixed Version
The fix_version_dependant, can be set together with a CVSS range.
"name": "sec_policy",
"description": "This is a security policy",
"type": "security",
"rules": [
{
"name": "sec_rule",
"criteria": {
"min_severity": "medium"
"fix_version_dependant": true,
},
"actions": {
"webhooks": [
"sec_webhook"
],
"block_download": {
"active": true,
"unscanned": true
},
"block_release_bundle_distribution": true,
"fail_build": true,
"notify_deployer": true,
"notify_watch_recipients": true
},
"priority": 1
}
]
}
License Example 1 - Setting an 'allowed_licenses' criteria
{
"name": "lic_policy",
"description": "License policy",
"type": "license",
"rules": [
{
"name": "lic_rule",
"criteria": {
"allowed_licenses": [
"Apache-1.0",
"Apache-2.0"
],
"allow_unknown": true
},
"actions": {
"webhooks": [],
"block_download": {
"active": true,
"unscanned": true
},
"block_release_bundle_distribution": true,
"fail_build": true,
"custom_severity": "high"
},
"priority": 1
}
]
}
License Example 2 - Setting 'banned_licenses' criteria
{
"name": "lic_policy",
"description": "License policy",
"type": "license",
"rules": [
{
"name": "lic_rule",
"criteria": {
"banned_licenses": [
"Apache-1.0",
"Apache-2.0"
],
"allow_unknown": true
},
"actions": {
"webhooks": [],
"block_download": {
"active": true,
"unscanned": true
},
"block_release_bundle_distribution": true,
"fail_build": true,
"custom_severity": "high"
},
"priority": 1
}
]
}
License Example 3 - Setting ‘multi permissive licenses’ criteria
{
"name": "lic_policy",
"description": "License policy",
"type": “license",
"rules": [
{
"name": "lic_rule",
“criteria": {
"banned_licenses": [
"Apache-1.0",
"Apache-2.0"
],
"allow_unknown": true,
"multi_license_permissive": true
},
"actions": {
"webhooks": [],
"block_download": {
"active": true
"unscanned": true
},
"block_release_bundle_distribution": true,
"fail_build": true,
"custom_severity": "high"
},
"priority": 1
}
]
}
Example 4 - Projects Sample Usage
POST api/v2/policies?projectKey=<project_key>
Example 5 - Policy with Jira Integration Enabled
{
"name": "sec_policy5",
"description": "This is a security policy",
"type": "security",
"rules": [
{
"name": "testrule1",
"criteria": {
"min_severity": "medium"
},
"actions": {
"webhooks": [
],
"block_download": {
"active": true,
"unscanned": true
},
"block_release_bundle_distribution": true,
"fail_build": true,
"notify_deployer": true,
"notify_watch_recipients": true,
"create_ticket_enabled":false
},
"priority": 1
}
]
}
{
"name": "operational_risk_policy_1",
"description": "Operational Risk policy with minimal risk rule",
"type": “operational_risk",
"rules": [
{
"name": "op_risk_minimal_risk_rule",
“criteria": {
"op_risk_min_risk": "High", // (default), valid values: [Low,Medium,High]
},
"actions": {
"webhooks": [],
"block_download": {
"active": true
"unscanned": true
},
"fail_build": true
},
"priority": 1
}
]
}
{
"name": "operational_risk_policy_2",
"description": "Operational Risk policy with a custom risk rule",
"type": “operational_risk",
"rules": [
{
"name": "op_risk_custom_rule",
“criteria": {
"op_risk_custom": {
“use_and_condition”: false,// (default) determines if ALL defined conditions should be met for the rule to match, or only 1 of them is enough
“is_eol”: flase, // (default) match if the component is defined as ‘end of life’
“commits_less_than”: 10,// match if the amount of commits is less than this value, valid values: [10,25,50,100]
“newer_versions_greater_than”: 5,// match if the amount of newer version is higher than this value, valid values: [1,2,3,4,5]
“committers_less_than”: 5,// match if the amount of committers is less than this value, valid values: [1,2,3,4,5]
“release_date_greater_than_months”: 5,// match if the time since the release date is greater then this value in months, valid values: [6,12,18,24,30,36]
“release_cadence_per_year_less_than”: 3,// match if the yearly release cadence is less than this value, valid values: [1,2,3,4,5]
“risk”: Low, // (default) if the rule is matched, produce a violation with this risk value, valid values: [Low,Medium,High]
}
},
"actions": {
"webhooks": [],
"block_download": {
"active": true
"unscanned": true
},
"fail_build": true
},
"priority": 1
}
]
}
Response Codes:
200: Success - Policy created
{
"info": "Policy {pName} has been created successfully"
}
400 - One or more fields are missing/invalid
409 - Policy {pName} already exists
500 - Failed to create policy
Update Policy
Description: Updates an existing policy.
Security: Requires the "Manage Policies" role to be set on the User or Group level.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can update a Policy using this REST API in the scope of a project, by using the additional query parameter projectKey. A project_key can not be updated.
Usage: PUT api/v2/policies/{policy_name}
Consumes: application/json
{
"name": "sec_policy",
"description": "Security policy",
"type": "security",
"rules": [
{
"name": "sec_rule",
"criteria": {
"min_severity": "medium"
},
"actions": {
"webhooks": [
"sec_webhook"
],
"block_download": {
"active": true,
"unscanned": true
},
"block_release_bundle_distribution": true,
"fail_build": true,
"notify_deployer": true,
"create_ticket_enabled":false
},
"priority": 1
}
]
}
PUT api/v2/policies/{policy_name}?projectKey=<project_key>
Response Codes:
200: Success - Policy updated
{
"info": "Policy {pName} has been edited successfully"
}
400 - One or more fields are missing/invalid.
404 - Policy {pName} does not exist.
500 - Failed to update policy.
Delete Policy
Description: Deletes an existing policy.
Security: Requires the "Manage Watches" role to be set on the User or Group level.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can delete a Policy using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: DELETE api/v2/policies/{policy_name}
{
"Policy {policy_name} was deleted successfully"
}
DELETE api/v2/policies/{policy_name}?projectKey=<project_key>
Get Policies
Description: Gets a list of all policies in the system or a specific policy
Security: Requires the Read Policies role to be set on the User or Group level.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can get a list of Global and Project Policies using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage:GET api/v2/policies
Produces: application/json
[
{
"name": "sec-policy",
"type": "security",
"description": "edited",
"author": "admin",
"rules": [
{
"name": "sec_rule",
"priority": 1,
"actions": {
"webhooks": [
"sec_webhook"
],
"fail_build": true,
"block_download": {
"unscanned": true,
"active": true
},
"block_release_bundle_distribution": true
},
"criteria": {
"min_severity": "all severities"
}
}
],
"created": "2019-12-19T09:17:09.562Z",
"modified": "0001-01-01T00:00:00Z"
}
]
GET api/v2/policies?projectKey=<project_key>
[
{
"name": "sec-policy",
"type": "security",
"description": "edited",
"author": "admin",
"project_key": "myproj",
"rules": [
{
"name": "sec_rule",
"priority": 1,
"actions": {
"webhooks": [
"sec_webhook"
],
"fail_build": true,
"block_download": {
"unscanned": true,
"active": true
},
"block_release_bundle_distribution": true
},
"criteria": {
"min_severity": "all severities"
}
}
],
"created": "2019-12-19T09:17:09.562Z",
"modified": "0001-01-01T00:00:00Z"
}
]
Response Codes:
200: Success
500: Failed to get policies.
Get Policy
Description: Gets a list of all policies in the system or a specific policy
Security: Requires the "Manage Policies" role to be set on the User or Group level.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can get a list of Global and Project Policies using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage:GET api/v2/policies/{policy_name}
Produces: application/json
{
"name": "sec-policy",
"type": "security",
"description": "edited",
"author": "admin",
"rules": [
{
"name": "sec_rule",
"priority": 1,
"actions": {
"webhooks": [
"sec_webhook"
],
"fail_build": true,
"block_download": {
"unscanned": true,
"active": true
},
"block_release_bundle_distribution": true
},
"criteria": {RE
"min_severity": "all severities"
}
}
],
"created": "2019-12-19T09:17:09.562Z",
"modified": "0001-01-01T00:00:00Z"
}
GET api/v2/policies/{policy_name}?projectKey=<project_key>
{
"name": "sec-policy",
"type": "security",
"description": "edited",
"author": "admin",
"project_key": "myproj",
"rules": [
{
"name": "sec_rule",
"priority": 1,
"actions": {
"webhooks": [
"sec_webhook"
],
"fail_build": true,
"block_download": {
"unscanned": true,
"active": true
},
"block_release_bundle_distribution": true
},
"criteria": {
"min_severity": "all severities"
}
}
],
"created": "2019-12-19T09:17:09.562Z",
"modified": "0001-01-01T00:00:00Z"
}
Response Codes:
200 - Success
400 - One or more fields are missing or invalid.
404 - Policy {pName} does not exist.
500 - Failed to get policy with name {pName}
POLICIES - v1
Create Policy
Description: Creates a new policy.
Security: Requires the "Manage Policies" role to be set on the User or Group level.
Usage: POST /policies
Consumes: application/json
Produces : application/json
-- Example 1
{
"name": "securityPolicy",
"type": "security",
"description": "some description",
"rules": [
{
"name": "securityRule",
"priority": 1,
"criteria": {
"min_severity": "High"
},
"actions": {
"mails": [
"mail1@example.com",
"mail2@example.com"
],
"fail_build": true,
"block_download": {
"unscanned": true,
"active": true
}
}
}
]
}
-- Example 2
{
"name": "licensesPolicy",
"type": "license",
"description": "some description",
"rules": [
{
"name": "LicenseRule",
"priority": 1,
"criteria": {
"allowed_licenses": [
"0BSD",
"AAL"
],
"allow_unknown": true
}
}
]
}
-- Example 3
{
"name": "securityPolicy",
"type": "security",
"description": "some description",
"rules": [
{
"name": "SLA_ rule",
"criteria": { … },
"actions": {
"webhooks": [],
"mails": [],
"block_download": { … },
"block_release_bundle_distribution": false,
"notify_watch_recipients": false,
"notify_deployer": true
"fail_build": true,
"build_failure_grace_period_in_days": 5
}
}
}
]
}
Response Codes:
201: Success - Policy created
415: Failed to parse the request
400: Policy is not valid. Check mandatory fields
409: Policy with name {name} already exists
Update Policy
Description: Updates an existing policy.
Security: Requires the "Manage Policies" role to be set on the User or Group level.
Usage: PUT /policies/{policy_name}
Consumes: application/json
{
"name": "sec_policy",
"description": "Security policy",
"type": "security",
"rules": [
{
"name": "sec_rule",
"criteria": {
"min_severity": "medium"
},
"actions": {
"webhooks": [
"sec_webhook"
],
"block_download": {
"active": true,
"unscanned": true
},
"block_release_bundle_distribution": true,
"fail_build": true
},
"priority": 1
}
]
}
{
"info": "Policy edited successfully"
}
Response Codes:
200: Success - Policy updated
415: Failed to parse the request
400: Policy is not valid. Check mandatory fields
404: Policy not found
Delete Policy
Description: Deletes an existing policy.
Security: Requires the "Manage Watches" role to be set on the User or Group level.
Usage: DELETE /policies/{policy_name}
{
"info": "Policy policy_name was deleted successfully"
}
Response Codes:
200: Success - policy deleted
404: Policy not found
500: Failed to delete policy
Get Policies
Description: Gets a list of all policies in the system or a specific policy
Security: Requires the "Manage Policies" role to be set on the User or Group level.
Usage: Get /policies
Produces: application/json
[
{
"name": "sec-policy",
"type": "security",
"description": "edited",
"author": "admin",
"rules": [
{
"name": "sec_rule",
"priority": 1,
"actions": {
"webhooks": [
"sec_webhook"
],
"fail_build": true,
"block_download": {
"unscanned": true,
"active": true
},
"block_release_bundle_distribution": true
},
"criteria": {
"min_severity": "all severities"
}
}
],
"created": "2019-12-19T09:17:09.562Z",
"modified": "0001-01-01T00:00:00Z"
}
]
Get Policy
Description: Gets a list of all policies in the system or a specific policy
Security: Requires the "Manage Policies" role to be set on the User or Group level.
Usage: Get /policies/{policy_name}
Produces: application/json
[
{
"name": "sec-policy",
"type": "security",
"description": "edited",
"author": "admin",
"rules": [
{
"name": "sec_rule",
"priority": 1,
"actions": {
"webhooks": [
"sec_webhook"
],
"fail_build": true,
"block_download": {
"unscanned": true,
"active": true
},
"block_release_bundle_distribution": true
},
"criteria": {
"min_severity": "all severities"
}
}
],
"created": "2019-12-19T09:17:09.562Z",
"modified": "0001-01-01T00:00:00Z"
}
]
Assign Policy to Watches
Description: Assign a policy to watches
Security: Requires the "Manage Watches" role to be set on the User or Group level.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can assign a Policy to Watches using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: POST /api/v1/policies/{policy_name}/assign
Consumes: application/json
Produces: application/json
{
"watches": [
"watch_name"
]
}
POST /api/v1/policies/{policy_name}/assign?projectKey=<project_key>
Response Codes:
200: Success - Policy assigned
400: Unsuccessful
REPOSITORY CONFIGURATION
Update Repositories Configurations
Description: Updates repository configurations.
Since: 3.41.4
Security: Requires a user with admin permissions.
Usage: PUT api/v1/repos_config
Consumes: application/json
{
"repo_name": "xray-dev",
"repo_config":{
"vuln_contextual_analysis":true,
"retention_in_days":80
},
"repo_paths_config":{
"patterns":[
{
"include":"core/**",
"exclude":"core/external/**",
"index_new_artifacts":true,
"retention_in_days":45
}
],
"all_other_artifacts":{
"index_new_artifacts":true,
"retention_in_days":60
}
}
}
{
"info": "Repository configuration has been updated successfully"
}
Response Codes:
403: Forbidden
401: Unauthorized
400: Failed to decode request
500: Internal Server Error
Get Repositories Configurations
Description: Retrieves repository configurations.
Since: 3.41.4
Security: Requires a user with admin permissions.
Usage: GET api/v1/repos_config/{repo_name}
Consumes: application/json
{
"repo_config":{
"vuln_contextual_analysis":true,
"retention_in_days":80
},
"repo_paths_config":{
"patterns":[
{
"include":"core/**",
"exclude":"core/external/**",
"index_new_artifacts":true,
"retention_in_days":45
}
],
"all_other_artifacts":{
"index_new_artifacts":true,
"retention_in_days":60
}
}
}
Response Codes:
403: Forbidden
401: Unauthorized
500: Internal Server Error
SCANNING
Scan Artifact
Description: Invokes scanning of an artifact
Security: Requires a valid user with the "Manage Xray Metadata" permission
Usage: POST /api/v1/scanArtifact"
Consumes: application/json
Sample Request:
{
"componentID": "docker://image_name:image_tag"
}
Sample Response:
{
"info": "Scan of artifact is in progress"
}
Response Codes:
200: Scan of artifact is in progress
415: Failed to parse artifact
500: Failed to write message to the queue
Scan Build V1
Description: Invokes scanning of a build that was uploaded to Artifactory as requested by a CI server
Security: Requires the "Manage Xray Metadata" role to be set on the User or Group level.
Usage: POST /api/v1/scanBuild
Consumes: application/json
Produces: wild card
{
"artifactory_Id": "artifactory-id",
"buildName": "build-name",
"buildNumber": "8",
"rescan": true, //this is for scanning the artifact even if it was already scanned - scanned will be performed only if there is no other scan of this build name and number in progress
"filters": {
"includeLicenses": true //in order to get also the licenses
}
}
{
"artifactory_Id": "artifactory-id",
"buildName": "build-name",
"buildNumber": "8",
"project": "<project_key>"
}
{
"summary": {
"fail_build": <true | false>,
"message": <message with more information regarding the fail/success>,
"more_details_url": <link to all created Alerts in Xray>,
"total_alerts": <number of alerts generated from the scan>
},
"alerts": [ <alert details>
{
"created": <creation time of the Alert>,
"issues": [ <the issues the Alert includes>
{
"created": <creation time of the issue>,
"cve": "",
"description": <issue description>,
"impacted_artifacts": [
{
"depth": "int",
"display_name": "",
"infected_files": [
{
"component_id": "",
"depth": "int",
"details": [
{
"banned_licenses": [
{
"alert_type": "",
"description": "",
"id": {},
"severity": "",
"summary": ""
}
],
"child": "ImpactedFile",
"vulnerabilities": [
{
"alert_type": "",
"description": "",
"id": {},
"severity": "",
"summary": ""
}
]
}
],
"display_name": "",
"name": "",
"parent_sha": "",
"path": "",
"pkg_type": "",
"sha1": "",
"sha256": ""
}
],
"name": "",
"parent_sha": "",
"path": "",
"pkg_type": "",
"sha1": "",
"sha256": ""
}
],
"provider": <issue provider>,
"severity": <issue severity>,
"summary": <issue summary>,
"type": <issue type>
}
],
"top_severity": <Alert's top severity>,
"watch_name": <name of the Watch which caused the Alert>
}
],
"licenses": [
{
"name": <license name>
"components": [<names of build components with this license>],
"full_name": <license full name>,
"more_info_url": [<links to more information about this license>],
}
]
}
{
"summary": {
"Total_alerts": <number of alerts generated from the scan>,
"fail_build": <true | false>,
"message": <message with more information regarding the fail/success>,
"more_details_url": <link to all created Alerts in Xray>
},
"alerts": [
{
"created": <creation time of the Alert>,
"top_severity": <Top_severity>,
"watch_name": "<watch_name>,
"issues": [
{
"severity": "Low",
"type": "Operational_Risk",
"provider": "JFrog",
"created": "2022-03-21T16:06:19.485Z",
"summary": "Custom Rule",
"description": "Custom Rule",
"impacted_artifacts": [
{
"name": "test",
"display_name": "test:1",
"path": "default/builds/test",
"pkg_type": "Build",
"sha256": "f33dc9012526711ad2b332252d5aaf20fc5a7d02169094fb0c3b1396713271ad",
"sha1": "",
"depth": 0,
"parent_sha": "f33dc9012526711ad2b332252d5aaf20fc5a7d02169094fb0c3b1396713271ad",
"infected_files": [
{
"name": "flink-sequence-file-1.11.3.jar",
"path": "",
"sha256": "8308dd8c95b58138165d6c596c079b408cd844c94a8173b28f9bc86be083f3ca",
"component_id": "gav://org.apache.flink:flink-sequence-file:1.11.3",
"depth": 0,
"parent_sha": "f33dc9012526711ad2b332252d5aaf20fc5a7d02169094fb0c3b1396713271ad",
"display_name": "org.apache.flink:flink-sequence-file:1.11.3"
}
]
}
]
},
]
}
Response Codes:
200: Build scanned
415: Failed to parse scan build request
400: Request is missing mandatory fields
403: No valid license was found
500: Failed to get Artifactory instance data
500: Failed to check watches
500: Failed to send build to scan
Scan Build V2
Description: Invokes scanning of a build that was uploaded to Artifactory as requested by a CI server.
Security: Requires the "Manage Xray Metadata" role to be set on the User or Group level.
Notes: Starting from Xray version 3.42.3, JFrog Security CVE Research and Enrichment data is supported. Important notes:
- The following fields are markdown texts
- short_description
- full_description
- remediation
- Extended information fields will not appear to Free Tier users.
Usage: POST /api/v2/ci/build (invokes the scanning of a build)
GET /api/v2/ci/build/{build_name}/{build_number}[?include_vulnerabilities={true|false}] (Gets the build scan results)
Consumes: application/json
Produces: wild card
{
"build_name": "my-build",
"build_number": "8"
}
{
"info": "Scan of build name 'my-build', build number '8' is in progress"
}
{
"build_name": "mybuild",
"build_number": "4",
"project": "ecosys",
"status": "completed",
"more_details_url": "http://localhost:8046/xray/ui/builds/mybuild/4/1641386839295/xrayData?buildRepo=ecosys-build-info&projectKey=ecosys",
"fail_build": false,
"violations": [],
"vulnerabilities": [
{
"cves": [
{
"cvss_v2_score": "10.0",
"cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3_score": "9.8",
"cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"summary": "Netty codec/src/main/java/io/netty/handler/codec/compression/Lz4FrameEncoder.java Lz4FrameEncoder::finishEncode() Function Buffer Overflow",
"severity": "Critical",
"components": {
"gav://io.netty:netty-codec:4.1.53.Final": {
"package_name": "io.netty:netty-codec",
"package_version": "4.1.53.Final",
"package_type": "maven",
"fixed_versions": [
"[4.1.66.Final]"
],
"infected_versions": [
"(,4.1.66.Final)"
],
"impact_paths": [
[
{
"component_id": "build://[ecosys-build-info]/mybuild:4"
},
{
"component_id": "generic://sha256:97c77dd8ef40cbdb5fdaff24f8853101a5db6fa819d16966d251c972c543b507/bill.jar"
},
{
"component_id": "gav://io.netty:netty-codec:4.1.53.Final"
}
]
]
}
},
"issue_id": "XRAY-179837",
"references": [
"https://netty.io/news/2021/07/16/4-1-66-Final.html",
"https://github.com/netty/netty/pull/11429",
"https://github.com/netty/netty/commit/194a81ff4f0304d928bbcfd57ff3e961e12ac8d4"
],
"is_high_profile": false,
"provider": "JFrog",
"edited": "2022-01-05T11:20:26Z"
}
]
}
{
"build_name": "my-build",
"build_number": "14",
"project": "projA"
}
{
"build_name": "mybuild",
"build_number": "4",
"project": "proj",
"status": "completed",
"more_details_url": "http://localhost:8046/xray/ui/builds/mybuild/4/1641386839295/xrayData?buildRepo=ecosys-build-info&projectKey=proj",
"fail_build": true,
"violations": [
{
"cves": [
{
"cve": "CVE-2021-43618",
"cvss_v2_score": "5.0",
"cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3_score": "7.5",
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"summary": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.",
"severity": "Low",
"components": {
"deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4": {
"package_name": "ubuntu:focal:libgmp10",
"package_version": "2:6.2.0+dfsg-4",
"package_type": "debian",
"impact_paths": [
[
{
"component_id": "build://[proj-build-info]/proj-docker-build:8"
},
{
"component_id": "docker://ubuntu:4",
"full_path": "/ubuntu/4/manifest.json"
},
{
"component_id": "generic://sha256:7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54/sha256__7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54.tar.gz",
"full_path": "sha256__7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54.tar.gz"
},
{
"component_id": "deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4",
"full_path": "libgmp10:2:6.2.0+dfsg-4"
}
]
]
}
},
"issue_id": "XRAY-190339",
"references": [
"https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43618"
],
"type": "security",
"watch_name": "w0w",
"fail_build": true,
"is_high_profile": true,
"policies": null,
"updated": "",
"extended_information": {
"short_description": "A signed comparison issue in glibc's memcpy() on ARMv7 lead to unspecified impact",
"full_description": "When supplying a negative value as the length parameter for the `memcpy()` function on ARMv7, a signed comparison issue causes the program to copy less bytes than intended. Specifically, the number of copied bytes will always be smaller than 64.\r\n\r\nThis can cause undefined behavior instead of crashing (due to the expected huge buffer copy).\r\n\r\nA context-dependent attacker could use this vulnerability to exploit other types of vulnerabilities, such as remote code execution (which may normally not be exploitable) in applications which use the vulnerable function.\r\nDue to the highly-context-dependent nature of this issue, it is most likely to be exploited as part of a targeted attack only.",
"jfrog_research_severity": "Low",
"jfrog_research_severity_reasons": [
{
"name": "The CVE can be remotely exploited",
"is_positive": false
},
{
"name": "The CVE has no exploit published",
"is_positive": true
},
{
"name": "The CVE has difficult prerequisites for exploitation",
"description": "Fully controllable length to memcpy",
"is_positive": true
},
{
"name": "The impact is highly contextual",
"is_positive": true
}
]
}
}
],
"vulnerabilities": [
{
"cves": [
{
"cve": "CVE-2021-43618",
"cvss_v2_score": "5.0",
"cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3_score": "7.5",
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"summary": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.",
"severity": "Low",
"components": {
"deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4": {
"package_name": "ubuntu:focal:libgmp10",
"package_version": "2:6.2.0+dfsg-4",
"package_type": "deb",
"infected_versions": [
"(,)"
],
"impact_paths": [
[
{
"component_id": "build://[proj-build-info]/proj-docker-build:8"
},
{
"component_id": "docker://ubuntu:4"
},
{
"component_id": "generic://sha256:7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54/sha256__7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54.tar.gz"
},
{
"component_id": "deb://ubuntu:focal:libgmp10:2:6.2.0+dfsg-4"
}
]
]
}
},
"issue_id": "XRAY-190339",
"references": [
"https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43618"
],
"is_high_profile": true,
"provider": "JFrog",
"edited": "2021-12-14T10:57:50+02:00",
"extended_information": {
"short_description": "A signed comparison issue in glibc's memcpy() on ARMv7 lead to unspecified impact",
"full_description": "When supplying a negative value as the length parameter for the `memcpy()` function on ARMv7, a signed comparison issue causes the program to copy less bytes than intended. Specifically, the number of copied bytes will always be smaller than 64.\r\n\r\nThis can cause undefined behavior instead of crashing (due to the expected huge buffer copy).\r\n\r\nA context-dependent attacker could use this vulnerability to exploit other types of vulnerabilities, such as remote code execution (which may normally not be exploitable) in applications which use the vulnerable function.\r\nDue to the highly-context-dependent nature of this issue, it is most likely to be exploited as part of a targeted attack only.",
"jfrog_research_severity": "Low",
"jfrog_research_severity_reasons": [
{
"name": "The CVE can be remotely exploited",
"is_positive": false
},
{
"name": "The CVE has no exploit published",
"is_positive": true
},
{
"name": "The CVE has difficult prerequisites for exploitation",
"description": "Fully controllable length to memcpy",
"is_positive": true
},
{
"name": "The impact is highly contextual",
"is_positive": true
}
]
}
}
]
{
"build_name": "test",
"build_number": "2",
"status": "completed",
"more_details_url": "http://localhost:8046/xray/ui/builds/test/2/1648117400418/xrayData?buildRepo=artifactory-build-info",
"fail_build": true,
"violations": [
{
"components": {
"gav://org.datanucleus:datanucleus-core:3.0.4": {
"package_name": "org.datanucleus:datanucleus-core",
"package_version": "3.0.4",
"package_type": "maven",
"impact_paths": [
[
{
"component_id": "build://test:2"
},
{
"component_id": "gav://org.datanucleus:datanucleus-core:3.0.4",
"full_path": "datanucleus-core-3.0.4.jar"
}
]
]
}
},
"risk": "Low",
"risk_reason": "Custom Rule",
"released": "2012-12-12T20:02:00.689Z",
"latest_version": "6.0.0-m4",
"newer_versions": 120,
"cadence": 1,
"issue_id": "d3c3dcfc1576633da237136c14ba52e0c4282dda2a0e9646090cd78717e41258",
"type": "operational_risk",
"severity": "Low",
"watch_name": "or-watch",
"fail_build": true,
"policies": null,
"updated": ""
}
]
}
Response Codes:
415: Failed to parse scan build request
400: Request is missing mandatory fields
403: No valid license was found
403: Permission denied
200: Build %v is not selected for indexing
200: No Xray “Fail build in case of a violation” policy rule has been defined on this build. The Xray scan will run in parallel to the deployment of the build and will not obstruct the build. To review the Xray scan results, see the Xray Violations tab in the UI.
200: Scan of build %v is in progress
Scan Status
Description: Returns the scan status for Packages, Builds, and Release Bundles.
Since: 3.34.1
Security: Requires a valid user with the "Read" permissions.
Usage: POST /xray/api/v1/scan/status
Packages: POST /xray/api/v1/scan/status/artifact
{
"repository_pkg_type": "Npm",
"path": "npm-local/static-module-3.0.4.tar.gz",
"sha256": "b0a887f6e5c16134b7d1280c2150d38811357642d56c622c6f7f6b239f668608",
"sha1": "2ed14fc6f7899d089cd5a2b880121d9467c32d46"
}
Builds: POST /xray/api/v1/scan/status/build
{
"name":"test-build",
"version":"1"
}
{
"name":"test-build",
"project":"proj1",
"version":"1"
}
Release Bundles: POST /xray/api/v1/scan/status/releaseBundle
{
"name":"test-release-bundle",
"version":"1"
}
If the build belongs to non-default Release Bundle repository:
{
"name":"test-build",
"repository":"repo",
"version":"1"
}
Returned Statuses:
{
"status": "failed"/"not supported"/"in progress"/"not scanned"/"scanned"
}
In the case the returned status is failed, for Self-Hosted installations only, users with Admin permissions have an additional step and reason parameters:
{
"status": "failed"
"Step": "scan/persist",
"reason": "failed to process message …..."
}
Scan Now
Description: Enables you to index resources on-demand, even those that were not marked for indexing
Security: Requires an Admin user.
Usage: POST /api/v2/index
Note: Not supported for Builds.
{
"repo_path":"local-maven-repo/org/jenkins-ci/main/jenkins-war/2.289.1/jenkins-war-2.289.1.war"
}
{
"sent_to_reindex": {
"artifacts": [
{
"repository": "local-maven-repo",
"path": "org/jenkins-ci/main/jenkins-war/2.289.1/jenkins-war-2.289.1.war"
}
]
}
}
Response Codes:
200-Success
400- Failure
Delete On-Demand Scan Results
Description: Deletes on-demand scanning results using the JFrog CLI.
Since: 3.40.0
Security: Requires a valid user with Read permissions.
Usage: POST /api/v1/on_demand/delete
Consumes: application/json
curl --location --request POST 'http://localhost:8083/xray/api/v1/on_demand/delete' \
--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ=' \
--header 'Content-Type: application/json' \
--data-raw '{
"scan_ids": [
"4edeec13-b7ef-4e5f-64d9-7a60c5145084"
]
}
Release Bundle Details
Description: Returns license and security violations found in a Release Bundle.
Security: Requires an Admin user.
Usage: GET /api/v1/details/release_bundle/{name}/{version}?include_violations={boolean}
Parameters: “include_violations” (default - true)
{
status: "ALLOWED"/"BLOCKED"/"IN_PROGRESS"/"NOT_INDEXED"/"NOT_MARKED_FOR_INDEX","NOT_FOUND_IN_ARTIFACTORY"
violations: {
license: [{...}],
security: [{...}],
op_risk: [{...}]
}
}
Response Codes:
200- Ok
400- Bad request
500- Internal server error
Scans List - Get Repositories
Description: Get a list of repositories that contain at least one scanned artifact.
Security: Requires a valid user with "Read" permissions.
Usage: GET api/v1/repos?order_by=&direction=&number_of_rows=&offset=&search={string}&indexed_artifact_start={int}&indexed_artifact_end={int}&repo={string}
Produces: application/json
Parameters:
- Required: None
- Optional:
order_by: By which column to order the results.
Allowed values:repo - This is the default
indexed_artifact
search: Free text search.
repo
latest_artifact
indexed_artifact_start: Return records with the minimum specified artifact count.
indexed_artifact_end: Return records with the maximum specified artifact count.
- direction: The direction by which to order the results (either ascending or descending):
- asc
- desc
- number_of_rows: The number of entries to return.
- offset: A value returned by the API. It needs to be passed to the API to get the next page. A value of -1 means that the last page was reached.
Sample Response:
{
"data": [
{
"repo": "DEBs",
"indexed_artifact": 358,
"latest_artifact": "libgdbm-compat4_1.14.1-6_amd64.deb",
"package_type": "Debian",
"created_at": "2022-07-31T08:55:50Z"
}
],
"offset": -1
}
Response Codes:
200: Success
400: Bad request
500: Internal server error
Scans List - Get Artifacts
Description: Get a list of artifacts for a specific repository.
Security: Requires a valid user with "Read" permissions.
Usage: GET api/v1/artifacts?order_by=&direction=&number_of_rows=&offset=&search={string}&created_start={datetime}&created_end={datetime}&repo={repo}
Produces: application/json
Parameters:
- Required:
- repo: The repository key for which to get artifacts.
- Optional:
order_by: By which column to order the results.
Allowed values:created - This is the default
size
name
repo_path
search: Free text search.
repo_path
created_start: Return only records created after the specified time (in RFC 3339 format).
created_end: Return only records created before the specified time (in RFC 3339 format).
- direction: The direction by which to order the results (either ascending or descending):
- asc
- desc
- number_of_rows: The number of entries to return.
- offset: A value returned by the API. It needs to be passed to the API to get the next page. A value of -1 means that the last page was reached.
Sample Response:
{
"data": [
{
"name": "bash_4.3-11+deb8u2_i386.deb",
"repo_path": "/deb/bash_4.3-11+deb8u2_i386.deb",
"package_id": "deb://bash",
"version": "4.3-11+deb8u2",
"sec_issues": {
"high": 2,
"low": 8,
"medium": 3,
"total": 13
},
"size": "1.13 MB",
"violations": 0,
"created": "2022-07-31T12:06:00+03:00",
"deployed_by": "admin",
"repo_full_path": "DEBs/deb/bash_4.3-11+deb8u2_i386.deb"
}
],
"offset": -1
}
Response Codes:
200: Success
400: Bad request
500: Internal server error
Scans List - Get Builds
Description: Get a list of builds scanned by Xray.
Security: Requires a valid user with "Read" permissions.
Usage: GET api/v1/builds?order_by=&direction=&number_of_rows=&offset=&search={string}&number_of_versions_start={int}&number_of_versions_end={int}
Produces: application/json
Parameters:
- Required: None
- Optional:
order_by: By which column to order the results.
Allowed values:updated_at - This is the default
created_at
name
number_of_versions
search: Free text search.
name
number_of_versions_start: Return builds with the minimum specified versions count.
number_of_versions_end: Return builds with the maximum specified versions count.
- direction: The direction by which to order the results (either ascending or descending):
- asc
- desc
- number_of_rows: The number of entries to return.
- offset: A value returned by the API. It needs to be passed to the API to get the next page. A value of -1 means that the last page was reached.
Sample Response:
{
"data": [
{
"name": "build",
"build_repository": "artifactory-build-info",
"latest_version": "1.1",
"latest_build_time": "2022-07-31T13:16:31+03:00",
"number_of_versions": 2,
"created_at": "2022-07-31T13:16:31+03:00",
"updated_at": "2022-07-31T13:16:31+03:00",
"created_by": "admin"
}
],
"offset": -1
}
Response Codes:
200: Success
400: Bad request
500: Internal server error
Scans List - Get Build Versions
Description: Get a list of build versions scanned by Xray.
Security: Requires a valid user with "Read" permissions.
Usage: GET api/v1/builds/{buildName}/versions?order_by=&direction=&number_of_rows=&offset=&search={string}&created_at_start{datetime}&created_at_end={datetime}&build_repository={string}
Produces: application/json
Parameters:
- Required:
- build_repository: The value of the relevant field for the required build.
- Optional:
order_by: By which column to order the results.
Allowed values:created_at - This is the default
version
search: Free text search.
component_id
created_at_start: Return only records created after the specified time (in RFC 3339 format).
created_at_end: Return only records created before the specified time (in RFC 3339 format).
- direction: The direction by which to order the results (either ascending or descending):
- asc
- desc
- number_of_rows: The number of entries to return.
- offset: A value returned by the API. It needs to be passed to the API to get the next page. A value of -1 means that the last page was reached.
Sample Response:
{
"data": [
{
"version": "1.0",
"sec_issues": {
"total": 0
},
"violations": 0,
"created_at": "2022-07-31T13:16:31+03:00",
"status": "",
"ci_server": "",
"build_agent": "GENERIC/2.17.0",
"agent": "jfrog-cli-go/2.17.0",
"component_id": "build://build:1.0",
"package_id": ""
}
],
"offset": -1
}
Response Codes:
200: Success
400: Bad request
500: Internal server error
Scans List - Get Packages
Description: Get a list of builds scanned by Xray.
Security: Requires a valid user with "Read" permissions.
Usage: GET api/v1/packages?order_by=&direction=&number_of_rows=&offset=&search={string}&number_of_versions_start={int}&number_of_versions_end={int}&package_type={choice}
Produces: application/json
Parameters:
- Required: None
- Optional:
order_by: By which column to order the results.
Allowed values:updated_at - This is the default
- created_at
- name
- number_of_versions
- package_type
licenses
search: Free text search.
name
- package_type
- licenses
number_of_versions_start: Return builds with the minimum specified versions count.
number_of_versions_end: Return builds with the maximum specified versions count.
- package_type: Comma-separated list of package types. Returns only packages of the specified type.
- direction: The direction by which to order the results (either ascending or descending):
- asc
- desc
- number_of_rows: The number of entries to return.
- offset: A value returned by the API. It needs to be passed to the API to get the next page. A value of -1 means that the last page was reached.
Sample Response:
{
"data": [
{
"name": "apacheds",
"package_type": "rpm",
"number_of_versions": 2,
"licenses": "Apache-2.0,ASL 2.0,ImageMagick,MIT,Xnet",
"description": "",
"created_at": "2022-07-31T11:57:34+03:00",
"updated_at": "2022-08-04T13:43:40+03:00"
}
],
"offset": 1
}
Response Codes:
200: Success
400: Bad request
500: Internal server error
Scans List - Get Package Versions
Description: Get a list of package versions scanned by Xray.
Security: Requires a valid user with "Read" permissions.
Usage: GET api/v1/packages/{packageName}/versions?order_by=&direction=&number_of_rows=&offset=&search={string}&updated_at_start{datetime}&updated_at_end={datetime}
Produces: application/json
Parameters:
- Required: None
- Optional:
order_by: By which column to order the results.
Allowed values:created_at - This is the default
version
search: Free text search.
version
- repositories
updated_at_start: Return only records updated after the specified time (in RFC 3339 format).
updated_at_end: Return only records updated before the specified time (in RFC 3339 format).
- direction: The direction by which to order the results (either ascending or descending):
- asc
- desc
- number_of_rows: The number of entries to return.
- offset: A value returned by the API. It needs to be passed to the API to get the next page. A value of -1 means that the last page was reached.
Sample Response:
{
"data": [
{
"version": "1:1.1.1g-15.fc33",
"repositories": "RPMs",
"package_id": "rpm://openssl",
"sec_issues": {
"critical": 7,
"high": 12,
"low": 32,
"medium": 89,
"total": 140
},
"violations": 0,
"updated_at": "2022-07-31T11:57:37+03:00",
"downloads": 0,
"description": "",
"paths": [
"/rpm/openssl-1.1.1g-15.fc33.src.rpm"
]
}
],
"offset": -1
}
Response Codes:
200: Success
400: Bad request
500: Internal server error
Scans List - Get Release Bundles
Description: Get a list of release bundles scanned by Xray.
Security: Requires a valid user with "Read" permissions.
Usage: GET api/v1/release_bundles?order_by=&direction=&number_of_rows=&offset=&created_start={datetime}&created_end={datetime}&number_of_versions_start={int}&number_of_versions_end={int}
Produces: application/json
Parameters:
- Required: None
- Optional:
order_by: By which column to order the results.
Allowed values:created - This is the default
- bundle_name
- latest_version
number_of_versions
number_of_versions_start: Return release bundles with the minimum specified versions count.
number_of_versions_end: Return release bundles with the maximum specified versions count.
created_start: Return only records created after the specified time (in RFC 3339 format).
- created_end: Return only records created before the specified time (in RFC 3339 format).
- direction: The direction by which to order the results (either ascending or descending):
- asc
- desc
- number_of_rows: The number of entries to return.
- offset: A value returned by the API. It needs to be passed to the API to get the next page. A value of -1 means that the last page was reached.
Sample Response:
{
"data": [
{
"bundle_name": "myrb",
"number_of_versions": 2,
"latest_version": "2.0",
"package": "releaseBundle://myRB",
"created": 1649235896243,
"type": "releaseBundle"
}
],
"offset": -1
}
Response Codes:
200: Success
400: Bad request
500: Internal server error
Scans List - Get Release Bundle Versions
Description: Get a list of release bundle versions scanned by Xray.
Security: Requires a valid user with "Read" permissions.
Usage: GET api/v1/release_bundle_versions?order_by=&direction=&number_of_rows=&offset=&created_on_start={datetime}&created_on_end={datetime}&package={package}
Produces: application/json
Parameters:
- Required:
- package: The relevant value from the target release bundle.
- Optional:
order_by: By which column to order the results.
Allowed values:created_on - This is the default
version
- size
created_on_start: Return only records created after the specified time (in RFC 3339 format).
created_on_end: Return only records created before the specified time (in RFC 3339 format).
- direction: The direction by which to order the results (either ascending or descending):
- asc
- desc
- number_of_rows: The number of entries to return.
- offset: A value returned by the API. It needs to be passed to the API to get the next page. A value of -1 means that the last page was reached.
Sample Response:
{
"data": [
{
"version": "2.0",
"size": "0.00 B",
"violations": 0,
"created_on": "1649235896791",
"sec_issues": {
"total": 0
},
"sha256": "d59422279fa5c4e1cb398e51066adf5fdc45cd1cea5f2634b444757c3d49f6fe",
"package_id": "releaseBundle://myRB"
}
],
"offset": -1
}
Response Codes:
200: Success
400: Bad request
500: Internal server error
REPORTS
Generate Vulnerabilities Report
Description: Generates a Vulnerabilities report with data defined by scope and filters. This request starts the report generation process which runs in the background. The returned report ID is used in other requests that require it such as Get Report Content, Delete Report, etc.
Since: 3.8
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can generate a Vulnerabilities report using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: POST api/v1/reports/vulnerabilities
{
"name": "report1",
"resources": {
"repositories": [
{
"name": "libs-release-local"
},
{
"name": "plugins-release-local",
"include_path_patterns": [
"*folder1/*path"
]
},
{
"name": "ext-release-local",
"include_path_patterns": [
"folder1/path/*",
"folder2/path*"
],
"exclude_path_patterns": [
"folder1/path2/*",
"folder2/path2*"
]
}
],
"builds": {
"names": [
"art-docker-test",
"art-docker-prod"
],
"include_patterns": [
"release*",
"feat*ure"
],
"exclude_patterns": [
"snapshots*",
"test*"
],
"number_of_latest_versions": 5
},
"release_bundles": {
"names": [
"art-pkg",
"xray_pkg"
],
"include_patterns": [
"release*",
"feat*ure"
],
"exclude_patterns": [
"snapshots*",
"test*"
],
"number_of_latest_versions": 5
},
"projects": {
"names": [
"test1",
"test2"
],
"include_key_patterns": [
"test*",
],
"number_of_latest_versions": 5
}
},
"filters": {
"vulnerable_component": "*vulnerable:component*",
"impacted_artifact": "some://impacted*artifact",
"has_remediation": false,
"cve": "CVE-1234-1234",
"issue_id": "XRAY-1234",
"severities": [
"High",
"Medium"
],
"cvss_score": {
"min_score": 6.3,
"max_score": 9
},
"published": {
"start": "2020-06-29T12:22:16Z",
"end": "2020-06-29T12:22:16Z"
},
"scan_date": {
"start": "2020-06-29T12:22:16Z",
"end": "2020-06-29T12:22:16Z"
}
}
}
{
"report_id": 23,
"status": "pending"
}
POST /api/v1/reports/vulnerabilities?projectKey=<project_key>
Generate Due Diligence Report
Description: Generates a Due Diligence report with data defined by scope and filters. This request starts the report generation process which runs in the background. The returned report ID is used in other requests that require it such as Get Report Content, Delete Report, etc.
Since: 3.9
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can generate a Due Diligence report using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: POST api/v1/reports/licenses
{
"name": "report1",
"resources": {
"repositories": [
{
"name": "libs-release-local"
},
{
"name": "plugins-release-local",
"include_path_patterns": [
"*folder1/*path"
]
},
{
"name": "ext-release-local",
"include_path_patterns": [
"folder1/path/*",
"folder2/path*"
],
"exclude_path_patterns": [
"folder1/path2/*",
"folder2/path2*"
]
}
],
"builds": {
"names": [
"art-docker-test",
"art-docker-prod"
],
"include_patterns": [
"release*",
"feat*ure"
],
"exclude_patterns": [
"snapshots*",
"test*"
],
"number_of_latest_versions": 5
},
"release_bundles": {
"names": [
"art-pkg",
"xray_pkg"
],
"include_patterns": [
"release*",
"feat*ure"
],
"exclude_patterns": [
"snapshots*",
"test*"
],
"number_of_latest_versions": 5
},
"projects": {
"names": [
"test1",
"test2"
],
"include_key_patterns": [
"test*",
],
"number_of_latest_versions": 5
}
},
"filters": {
"component": "*gav:component*",
"artifact": "some://impacted*artifact",
"unknown": false,
"unrecognized": true,
"license_names": [
"Apache",
"MIT"
"AFL"
],
"license_patterns": [
"*Apache*",
"The Apache*"
"AFL*"
],
"scan_date": {
"start": "2020-06-29T12:22:16Z",
"end": "2020-06-29T12:22:16Z"
}
}
}
{
"report_id": 43,
"status": "pending"
}
POST api/v1/reports/licenses?projectKey=<project_key>
Generate Violations Report
Description: Generates a Violations report with data defined by scope and filters. This request starts the report generation process which runs in the background. The returned report ID is used in other requests that require it such as Get Report Content, Delete Report, etc.
Since: 3.11
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can generate a Violations report using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: POST /api/v1/reports/violations
Parameters: All filter parameters are optional.
{
"name": "ViolationsReport",
"resources": {
"repositories": [
{
"name": "libs-release-local"
},
{
"name": "plugins-release-local",
"include_path_patterns": [
"*folder1/*path"
]
},
{
"name": "ext-release-local",
"include_path_patterns": [
"folder1/path/*",
"folder2/path*"
],
"exclude_path_patterns": [
"folder1/path2/*",
"folder2/path2*"
]
}
],
"builds": {
"names": [
"art-docker-test",
"art-docker-prod"
],
"include_patterns": [
"release*",
"feat*ure"
],
"exclude_patterns": [
"snapshots*",
"test*"
],
"number_of_latest_versions": 5
},
"release_bundles": {
"names": [
"art-pkg",
"xray_pkg"
],
"include_patterns": [
"release*",
"feat*ure"
],
"exclude_patterns": [
"snapshots*",
"test*"
],
"number_of_latest_versions": 5
},
"projects": {
"names": [
"test1",
"test2"
],
"include_key_patterns": [
"test*",
],
"number_of_latest_versions": 5
}
},
"filters": {
"type": "security|license|operational_risk",
"watch_names": [
"NameOfWatch1",
"NameOfWatch2"
],
"watch_patterns": [
"WildcardWatch*"
],
"component": "*vulnerable:component*",
"artifact": "some://impacted*artifact",
"policy_names": [
"NameOfPolicy"
],
"severities": [
"High",
"Medium"
],
"updated": {
"start": "2020-01-02T15:00:00Z",
"end": "2020-12-15T00:00:00Z"
},
"security_filters": {
"cve": "CVE-2020-10693",
"issue_id": "XRAY-87343",
"cvss_score": {
"min_score": 6.3,
"max_score": 9
},
"summary_contains": "kernel",
"has_remediation": false
},
"license_filters": {
"unknown": false,
"unrecognized": true,
"license_names": [
"Apache",
"MIT",
"AFL"
],
"license_patterns": [
"*Apache*",
"AFL*"
]
}
}
}
{
"report_id": 43,
"status": "pending"
}
POST /api/v1/reports/violations?projectKey=<project_key>
Generate Operational Risk Report
Description: Generates an Operational Risk report with data defined by scope and filters. This request starts the report generation process which runs in the background. The returned report ID is used in other requests that require it such as Get Report Content, Delete Report, etc.
Since: 3.49.0
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can generate an Operational Risk report using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: POST api/v1/reports/operationalRisks
{
"name": "report1",
"resources": {
"repositories": [
{
"name": "libs-release-local"
},
{
"name": "plugins-release-local",
"include_path_patterns": [
"*folder1/*path"
]
},
{
"name": "ext-release-local",
"include_path_patterns": [
"folder1/path/*",
"folder2/path*"
],
"exclude_path_patterns": [
"folder1/path2/*",
"folder2/path2*"
]
}
],
"builds": {
"names": [
"art-docker-test",
"art-docker-prod"
],
"include_patterns": [
"release*",
"feat*ure"
],
"exclude_patterns": [
"snapshots*",
"test*"
],
"number_of_latest_versions": 5
},
"release_bundles": {
"names": [
"art-pkg",
"xray_pkg"
],
"include_patterns": [
"release*",
"feat*ure"
],
"exclude_patterns": [
"snapshots*",
"test*"
],
"number_of_latest_versions": 5
},
"projects": {
"names": [
"test1",
"test2"
],
"include_key_patterns": [
"test*",
],
"number_of_latest_versions": 5
}
},
"filters": {
"component": "*gav:component*",
"artifact": "some://impacted*artifact",
"risks": [
"Low",
"Medium",
"High",
],
"scan_date": {
"start": "2020-06-29T12:22:16Z",
"end": "2020-06-29T12:22:16Z"
}
}
}
{
"report_id": 48,
"status": "pending"
}
POST api/v1/reports/operationalRisks?projectKey=<project_key>
Get Reports List
Description: Get a list of reports that were generated.
Since: 3.8
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can get a list of reports using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: POST api/v1/reports
Usage Note: Setting pagination parameters are mandatory. The list of parameters include:
- Direction: asc/desc
- Page_num: Starting from 1 to any number of pages.
- Num_of_rows: Starting from 1 to any number of rows that are included in a page.
- Order_by: name, type, author, start_time, and status.
POST .../api/v1/reports?direction=asc&page_num=2&num_of_rows=10&order_by=name
{
"filters" : {
"name" : "admin", //substring
"status" : ["completed"],
"report_type": ["license | vulnerability"| operational_risk”],
"author" : "admin", //substring
"start_time_range" : {
"start": "2020-06-29T12:22:16Z",
"end": "2020-06-29T12:22:16Z"
},
"end_time_range" : {
"start": "2020-06-29T12:22:16Z",
"end": "2020-06-29T12:22:16Z"
}
}
}
{
"total_reports": 100,
"reports": [
{
"id": 1234,
"name": "vul_report_1",
"status": "completed", //running, pending, complete, aborted, failed
"total_artifacts": 1000,
"num_of_processed_artifacts": 10,
"progress": 1,
"number_of_rows": 10,
"start_time": "1970-01-01T02:00:00+02:00",
"end_time": "1970-01-01T03:00:00+02:00",
"error": "error message in case of failure",
"author": "user who initiated the report",
"report_type": "license | vulnerability | operational_risk"
}
]
}
POST /api/v1/reports?direction=asc&page_num=2&num_of_rows=10&order_by=name&projectKey=<project_key
{
"total_reports": 100,
"reports": [
{
"id": 1234,
"name": "vul_report_1",
"status": "completed", //running, pending, complete, aborted, failed
"total_artifacts": 1000,
"num_of_processed_artifacts": 10,
"progress": 1,
"number_of_rows": 10,
"start_time": "1970-01-01T02:00:00+02:00",
"end_time": "1970-01-01T03:00:00+02:00",
"error": "error message in case of failure",
"author": "user who initiated the report",
"report_type": "license | vulnerability | operational_risk",
"project_key": "myproj"
}
]
}
Get Vulnerabilities Report Content
Description: Get specific content in a Vulnerabilities report.
Since: 3.8
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can get specific content in a Vulnerabilities report. using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: POST api/v1/reports/vulnerabilities/{id}}
Mandatory Pagination Parameters: You can order by
- severity
- published
- cve
- vulnerable_component
- impacted_artifact
- path
- fixed_versions
- package_type
- provider
- cvss2
- cvss3
- summary
POST .../api/v1/reports/vulnerabilities/21?direction=asc&page_num=2&num_of_rows=10&order_by=summary
{
"total_rows": 100,
"rows" :[
{
"cves" : [
{
"cve" : "CVE-2015-8902",
"cvss_v2_score": 4.3,
"cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P",
"cvss_v3_score": 5.5,
"cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
{
"cve" : "CVE-2016-8902",
"cvss_v2_score": 5.3,
"cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P",
"cvss_v3_score": 6.5,
"cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
}
],
"summary": "Algorithmic complexity vulnerability",
"severity": "High",
"vulnerable_component": "source",
"impacted_artifact": "artifact",
"path": "repo1/folder1/artifact",
"fixed_versions": [
"2.3",
"2.4", "2.5"
],
"published": "1970-01-01T03:00:00+02:00",
"issue_id": "XRAY-1234",
"package_type": "maven",
"provider": "JFrog",
"description": "Algorithmic complexity vulnerability",
"references": [
"github.com",
"nvd.com"
]
}
]
}
POST /api/v1/reports/vulnerabilities/21?direction=asc&page_num=2&num_of_rows=10&order_by=summary?projectKey=<project_key>
Get Due Diligence Report Content
Description: Get specific content in a Due Diligence report.
Since: 3.9
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can get specific content in a Due Diligence report. using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: POST /api/v1/reports/licenses/{id}
Mandatory Pagination Parameters: You can order by
- license
- artifact
- component
- unknown_license
- path
- unrecognized
- artifact_scan_time
- custom, license_name
POST .../api/v1/reports/licenses?direction=asc&page_num=2&num_of_rows=10&order_by=license
{
"total_rows": 100,
"rows" :[
{
"license": "MIT",
"license_name" : "The MIT License",
"component": "deb://debian:buster:glibc:2.28-10,
"artifact": "docker://redis:latest-07142020122937",
"path": "repo1/folder1/artifact",
"artifact_scan_time": "2020-07-14T09:32:00Z",
"unknown" : false,
"unrecognized" : false,
"custom" : false,
"references": [
"https://spdx.org/licenses/AFL-1.1.html",
"https://spdx.org/licenses/AFL-1.1"
]
}
]
}
POST /api/v1/reports/licenses?direction=asc&page_num=2&num_of_rows=10&order_by=license?projectKey=<project_key>
Get Violations Report Content
Description: Get specific content in a Violations report.
Since: 3.11
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can get specific content in a Violations report. using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: POST /api/v1/reports/violations/{id}
Mandatory Pagination Parameters: You can order by
type
summary
severity
updated
impacted_artifact
path
vulnerable_component
cves
cvss2_max_score
cvss3_max_score
POST /api/v1/reports/violations?page_num=2&num_of_rows=10&order_by=field1&direction=asc
{
"total_rows": 6,
"rows": [
{
"type": "security",
"vulnerable_component": "lodash",
"impacted_artifact": "docker://docker-violations:latest",
"path": "docker-local/docker-violations/latest/",
"watch_id": "45b397d9097293612f5c037e",
"watch_name": "HighVulnWatch",
"summary": "Lodash Package for Node.js lodash.js baseSet() Function Prototype Pollution DoS",
"policy_names": ["HighVuln"],
"severity": "High",
"package_type": "npm",
"issue_id": "XRAY-121295",
"updated": "2020-08-31T16:01:42.64+03:00",
"published": "2020-01-01T00:00:00+03:00",
"artifact_scan_time": "2020-01-01T00:00:00+03:00",
"references": [],
"cves": [
{
"cvss_v2_score": 7.1,
"cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:C"
}
],
"cvss2_max_score": 7.1,
]
},
{
"type": "license",
"vulnerable_component": "gav://io.netty:netty-handler-proxy:4.1.48.Final",
"impacted_artifact": "generic://sha256:06bde4ed74044d133fce9d596258ec57c7e42023df5e3e542209a488347eb340/jfrog-artifactory-oss-7.7.3-linux.tar.gz",
"path": "generic-local/jfrog-artifactory-oss-7.7.3-linux.tar.gz",
"watch_id": "4db8cec50cd846fd4de117c7",
"watch_name": "AnyWatchLicense",
"summary": "The Apache Software License, Version 2.0",
"policy_names": ["BanApacheLicense2","BanApacheLicense"],
"severity": "High",
"package_type": "maven",
"updated": "2020-09-03T22:11:09.865+03:00",
"published": null,
"artifact_scan_time": "1970-01-01T02:00:00+02:00",
"references": [],
"license_name": "Apache-2.0"
},
]
}
POST /api/v1/reports/violations?page_num=2&num_of_rows=10&order_by=field1&direction=asc?projectKey=<project_key>
Get Operational Risk Report Content
Description: Get specific content in an Operational Risk report.
Since: 3.49.0
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can get specific content in an Operational Risk report. using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: POST /api/v1/reports/operationalRisks/{id}
Mandatory Pagination Parameters: You can order by
risk
artifact
component
released
is_eol
cadence
commits
committers
POST .../api/v1/reports/operationalRisks?direction=asc&page_num=2&num_of_rows=10&order_by=risk
{
"total_rows": 100,
"rows" :[
{
"component": "deb://debian:master:abc:2.28-10",
"artifact": "docker://redis:latest-07142020122937",
"path": "repo/dir/file",
"artifact_scan_time": "2021-01-01T01:00:00+02:00",
"risk": "High",
"risk_reason": "",
"released": "2005-01-01T03:00:00+02:00",
"version": "2.28-10",
"latest_version": "1.2.3"
"newer_versions": "10,
"is_eol": "true,
"eol_message": "unsupported",
"cadence": "5",
"committers": "10",
"commits": "7",
"project_keys": ["proj1","proj2"],
]
}
Get Report Details By ID
Description: Get a report's details by using a specific report ID.
Since: 3.8
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can get a report's details by using a specific report ID using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: GET api/v1/reports/{id}
{
"id": 1234,
"name": "vul_report_1",
"status": "completed", //running, pending, complete, aborted, failed
"total_artifacts": 1000,
"num_of_processed_artifacts": 10,
"progress": 1,
"number_of_rows": 10,
"start_time": "1970-01-01T02:00:00+02:00",
"end_time_estimation": "1970-01-01T03:00:00+02:00",
"error": "error message in case of failure",
"Author": "user who initiated the report",
"report_type": "license | vulnerability | operational_risk"
}
GET api/v1/reports/7?projectKey=<project_key>
{
"id": 1234,
"name": "vul_report_1",
"status": "completed", //running, pending, complete, aborted, failed
"total_artifacts": 1000,
"num_of_processed_artifacts": 10,
"progress": 1,
"number_of_rows": 10,
"start_time": "1970-01-01T02:00:00+02:00",
"end_time_estimation": "1970-01-01T03:00:00+02:00",
"error": "error message in case of failure",
"Author": "user who initiated the report",
"report_type": "license | vulnerability | operational_risk",
"project_key": "myproj"
}
Export
Description: Export a report and its' data to a PDF, JSON, or CSV file.
Since: 3.8
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can export a report using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: GET /api/v1/reports/export/{id:.*}
Note that report ID can be retrieved using the GetReportsList REST API.
Usage Note: There are two mandatory query parameters that need to be provided:
- File_name: The desired file name for download (without a suffix)
- Format: pdf| json | csv
GET api/v1/reports/export/{15}?file_name=vuln_report_1&format=pdf
GET api/v1/reports/export/15?file_name=vuln_report_1&format=pdf&projectKey=<project_key>
Response:
A ZIP file stream contains the file with the following name convention: <file_name>.pdf|json|csv.
The response stream does not display a filename, but only contents inside it.
Delete
Description: Delete report.
Since: 3.8
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can delete a report using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: DELETE /api/v1/reports/{id:.*}
DELETE /api/v1/reports/{10}
DELETE /api/v1/reports/10?projectKey=<project_key>
"report deleted successfully"
Abort
Description: Abort report generation.
Since: 3.8
Security: Requires a user with the Manage Reports role.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Manage Security Assets privilege can abort a report using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: POST /api/v1/reports/abort/{id:.*}
POST /api/v1/reports/abort/{21}
POST /api/v1/reports/abort/21?projectKey=<project_key>
BINARY MANAGERS
Get Binary Manager
Description: Gets the details of the specified connected Artifactory instance
Notes: This API is deprecated from version 3.x.
Security: Requires a valid user
Usage: GET /binMgr/{id}
Sample usage:
GET /binMgr/###art12
{
"binMgrUrl": "http://localhost:8081/artifactory",
"binMgrId": "###art12",
"binMgrDesc": "",
"version": "4.x-SNAPSHOT",
"proxy_enabled": false
}
Response Codes:
200: Artifactory model
400: Path parameter is missing
401: Bad Credentials
500: Failed to obtain response
Get Repos Indexing Configuration
Description: Gets the indexed and not indexed repositories in a given binary manger
Security: Requires an admin user
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Index Resources privilege can get the indexed and not indexed repositories in a given binary manger using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: GET /api/v1/binMgr/{id}/repos
Consumes: application/json
Response codes:
200: List of Artifactory repositories
401: Bad Credentials
500: Failed to obtain response
Sample usage:
{
"bin_mgr_id": "default",
"indexed_repos": [
{
"name": "docker-local",
"type": "local",
"pkg_type": "Docker"
}
],
"non_indexed_repos": [
{
"name": "debian-local",
"type": "local",
"pkg_type": "Debian"
}
]
}
Get Builds Indexing Configuration
Description: Gets the indexed and not indexed builds in a given binary manager.
Security: Requires an admin user
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Index Resources privilege can get the indexed and not indexed builds in a given binary manger using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: GET /api/v1/binMgr/{id}/builds
Consumes: application/json
Response codes:
200: List of Artifactory builds
401: Bad Credentials
500: Failed to obtain response
Sample usage:
{
"bin_mgr_id": "default",
"indexed_builds": [
"build1",
"build2"
],
"non_indexed_builds": [
"build3",
"build4"
]
}
Add Builds to Indexing Configuration
Description: Adds new builds to the list of builds selected for indexing by only providing the new build names.
Since: 3.8.2
Security: Requires a user with admin permissions
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Index Resources privilege can add new builds to the list of builds selected for indexing using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: POST api/v1/binMgr/builds
Consumes: application/json
Produces: application/json
Sample Usage:
POST api/v1/binMgr/builds
{
"names": ["build1","build2","build1","build4","build4"]
}
Response Codes:Sample Request:
401 - Unauthorized
403 - Forbidden
400 - Failed to set build names to index : Got invalid request
500 - Failed to set build names to index
Update Repos Indexing Configuration
Description: Update the indexed and not indexed repositories in a given binary manger
Security: Requires an admin user
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Index Resources privilege can update the indexed and not indexed repositories in a given binary manger using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: PUT /api/v1/binMgr/{id}/repos
Consumes: application/json
Response codes:
200: Success
Sample usage:
{
"indexed_repos": [
{
"name": "docker-local",
"type": "local",
"pkg_type": "Docker"
}
],
"non_indexed_repos": [
{
"name": "debian-local",
"type": "local",
"pkg_type": "Debian"
}
]
}
Response:
{
"info": "Repositories list has been successfully sent to Artifactory"
}
Update Builds Indexing Configuration
Description: Updates the indexed and not indexed builds in a given binary manager
Security: Requires an admin user
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with Index Resources privilege can update the indexed and not indexed builds in a given binary manger using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: PUT /api/v1/binMgr/{id}/builds
Consumes: application/json
Response codes:
200: Success
Sample usage:
{
"indexed_builds": [
"build1",
"build2"
]
}
Response:
{
"info": "Repositories list has been successfully sent to Artifactory"
}
Force Reindex
Description: Reindexes existing artifacts for missing components.
Notes: The repositories and builds need to be configured for indexing in Xray prior to running the command.
The reindexing process only adds missing files or components and does not remove existing ones.
The number of max entities that can be reindexed is limited to 1000 and is set as the default value. This value can be changed by setting the maxEntitiesToReindex parameter in the Xray System YAML file Xray System YAML.
Security: Requires an admin user
Usage: POST /api/v1/forceReindex
Consumes: application/json
{
"artifactory_id": "art1AWS",
"artifacts": [
{
"repository": "myDebian", // repository is a mandatory parameter, either path or sha256 or both should be provided - if both are provided we compare the given sha256 to the actual sha256 and fail if they are incompatible
"path": "/aaa/bb/ccc.deb",
"sha256": "aa146bx"
}
],
"builds": [
{
"name": "myb", // both build name and build number must be provided
"number": "12"
}
]
}
Sample response
{
"sent_to_reindex": {
"artifacts": [
{
"repository": "myDebian",
"path": "aaa/bb/ccc",
"sha256": "aa146bx"
}
],
"builds": [
{
"name": "myb",
"number": "12"
}
]
},
}
COMPONENTS
Find Component by Name
Description: Search for a component by name - applicable only for components synced from the JFrog Global database to Xray
Security: Requires a valid user with the "Read" permission
Usage: GET /component/{component_name}
Produces: application/json
Sample Response:
{
"component": "4:kdegames-devel",
"package_type": "rpm",
"name": "kdegames-devel",
"description": "Development files for the KDE gaming libraries.Install kdegames-devel if you wish to develop or compile games for the KDE desktop.",
"created": "2017-11-19T09:24:12.065Z",
"modified": "2017-11-19T10:13:19.946Z",
"sources": [
{
"name": "archive-centos",
"url": "http://vault.centos.org/",
"updated": "2017-11-19T09:24:11.995Z"
}
],
"versions": [
{
"version": "6:3.3.1-2",
"released": "0001-01-01T00:00:00Z",
"licenses": [
"GPL-3.0"
],
"files": [
{
"name": "kdegames-devel-3.3.1-2.i386.rpm",
"sha256": "f256373977e2705e521e06c85f6f49cefcd6c74c8a0fa18dec2eb1bcefe7e4b4",
"sha1": "d184ba4bd8e205fda0ba29b7f1db39b91174b1ef",
"md5": "7b246aeef791ad549e78cda2c3c72a40"
}
]
}
]
}
"versions": [
{
"version": "7.6",
"released": "2020-07-17T11:20:00Z",
"licenses": [
"Apache-2.0"
],
"files": [
{
"name": "consent-core-api-7.6.jar",
"sha256": "9be98a8b61db29e9660952fc041ffb3937a508eba686619f367e2b601345f2a8",
"sha1": "7f32c9a9d228e1f14a7d298fe0d424d2e3309b05"
}
],
"op_risk": {
"risk": "High",
"risk_reason": "Number of new versions",
"newer_versions": 80
}
},
Response Codes:
200: Component found
400: Failed to resolve component mapping
500: Failed to get component by name
Find Component by CVE
Description: Search for a component by the CVEs it contains directly
Security: Requires a valid user with "Admin" permissions. For Xray 3.8 and above, this only requires a valid user with the "Manage Reports" role.
Usage: POST api/v1/component/searchByCves
Consumes: application/json
{
"cves": [
"CVE-2018-1999002"
]
}
Produces: application/json
[
{
"cve_details": "CVE-2018-1999002",
"components": [
{
"name": "org.jenkins-ci.main:jenkins-core",
"package_type": "Maven",
"version": "2.60.3",
"link": "http://localhost:8046/xray/web/#/component/details/gav:~2F~2Forg.jenkins-ci.main:jenkins-core/2.60.3"
}
]
}
]
Sample usage:
POST api/v1/component/searchByCves
{
"cves": ["CVE-2017-15708","CVE-2017-15709"]
}
Sample Response:
[
{
"cve_details": "CVE-2017-15708",
"components": [
{
"name": "commons-collections:commons-collections",
"package_type": "Maven",
"version": "3.2.1",
"link": "http://10.1.16.130:8000/web/#/component/details/gav:~2F~2Fcommons-collections:commons-collections/3.2.1"
}
]
},
{
"cve_details": "CVE-2017-15709",
"components": []
}
]
Response Codes
200: valid response
415: Failed to parse request
400: Got invalid CVE
500: Failed to search components by cves
Find CVEs by Component
Description: Search for CVEs by the infected components
Security: Requires a valid user with "Admin" permissions. For Xray 3.8 and above, this only requires a valid user with the "Manage Reports" role.
Usage: POST api/v1/component/searchCvesByComponents
Consumes: application/json
{
"components_id": ["<component ID>"]
}
Produces: application/json
[
{
"component": "<Component ID>",
"cves": [
"<CVE ID>"
]
},
{
"component": "c2",
"error": "Failed to get component",
"cves": []
}
]
Sample Usage:
POST api/v1/component/searchCvesByComponents
{
"components_id": ["gav://commons-collections:commons-collections:3.2.1","c2"]
}
Sample Response:
[
{
"component": "gav://commons-collections:commons-collections:3.2.1",
"cves": [
"CVE-2017-15708"
]
},
{
"component": "c2",
"error": "Failed to get component",
"cves": []
}
]
Response Codes
200: Valid response
415: Failed to parse request
500: Failed to search CVEs of components
Get Component List Per Watch
Description: Gets a list of components associated with a specific watch.
API Version: v2
Security: Requires a valid user with "Admin" permissions. For Xray 3.8 and above, this only requires a valid user with the "Manage Reports" role.
Usage: GET api/v2/component/data/{watch_name}?limit=(?)offset=(?)from=(?)to=(?)
Produces: application/json
Sample Response:
Get/api/v2/component/data/w1?limit=8&offset=0&from=2017-06-10T12:44:00&to=2020-06-10T12:44:00
[
{
"checksum": "cf7274c79120c6420e2563292e4c54ee3abf1a7924a22cd3ff29ec686dc97ed0",
"repo": "generic-local",
"path": "/",
"package_name": "generic://sha256:cf7274c79120c6420e2563292e4c54ee3abf1a7924a22cd3ff29ec686dc97ed0/cli.zip"
},
{
"checksum": "cec571c6f2578e3388339c97cf6706d64e877742d040f315206d2f5c09f68c0b",
"repo": "python-local",
"path": "/",
"package_name": "pypi://getversion",
"version": "0.5.7"
}
]
Get Artifact Dependency Graph
Description: Get the complete dependency graph for an artifact
Security: Requires a valid user with the "Read" permission
Usage: POST /dependencyGraph/artifact
Consumes: application/json
Artifactory ID
The artifactory_id parameter is no longer required in Xray version 3.x, this parameter (also within a path) will be ignored.
{
"path": "<artifactory-name/repo-name/path>"
}
Produces: application/json
{
"artifact":{
"name": "<The name of the artifact who's graph we are obtaining>",
"path": "<artifactory-name/repo-name/path>",
"pkg_type": "<Package type>",
"sha256": "<Artifact's SHA256 checksum>",
"sha1": "<Artifact's SHA1 checksum>",
"component_id": "<The component ID>"
},
"components":[
{
"component_name":"<Dependency component name>",
"component_id":"<Dependency Component ID>",
"package_type":"<Dependency component package type>",
"version":"<Dependency component version>",
"created":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
"modified":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
"components":[<Next level dependencies of the dependency component>]
}]
}
Sample Usage:
POST /dependencyGraph/artifact
{
"path": "/Artifactory/pnnl/goss/goss-core-client/0.1.7/goss-core-client-0.1.7-sources.jar"
}
{
"artifact":{
"name": "artifactory-pro.zip",
"path": "art2/ext-release-local/",
"pkg_type": "Generic",
"sha256": "d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2",
"sha1": "",
"component_id": "gav://org.artifactory.pro:artifactory-pro-war:4.14.0"
},
"components":[
{
"component_name":"some-component-1.1",
"component_id":"pip://some-component:1.1",
"package_type":"pip",
"version":"1.1",
"created":"2008-06-09T16:50:19Z",
"modified":"2015-07-26T17:49:47Z",
"components":[]
},
{
"component_name":"some-component-1.2",
"component_id":"pip://some-component:1.2",
"package_type":"pip",
"version":"1.2",
"created":"2008-06-09T16:50:19Z",
"modified":"2015-07-26T17:49:47Z",
"components":[
{
"component_name":"Jinja2.7.2",
"component_id":"pip://Jinja2:2.7.2",
"package_type":"pip",
"version":"2.7.2",
"created":"2008-06-09T16:50:19Z",
"modified":"2015-07-26T17:49:47Z",
"components":[]
}
]
}
]
}
Response Codes:
200: Success
400: Artifact '<PATH>' doesn't exist or isn't indexed in Xray
401: Bad credentials
415: Failed to parse request
Compare Artifacts
Description: Compares two artifacts and produces the difference between them
Security: Requires a valid user with the "Read" permission
Usage: POST /dependencyGraph/artifactDelta
Consumes: application/json
Artifactory ID
The artifactory_id parameter is no longer required in Xray version 3.x, this parameter (also within a path) will be ignored.
{
"source_artifact_path":"<artifactory/repo/path>",
"target_artifact_path":"<artifactory/repo/path>"
}
Produces:
{
"source_artifact":{
"name": "<The name of the source artifact we are comparing>",
"path": "<artifactory-name/repo-name/path>",
"pkg_type": "<Package type>",
"sha256": "<Artifact's SHA256 checksum>",
"sha1": "<Artifact's SHA1 checksum>",
},
"target_artifact":{
"name": "<The name of the target artifact we are comparing>",
"path": "<artifactory-name/repo-name/path>",
"pkg_type": "<Package type>",
"sha256": "<Artifact's SHA256 checksum>",
"sha1": "<Artifact's SHA1 checksum>",
},
"removed":[
{
"component_name":"<Component name only found in source artifact>",
"component_id":"<Dependency Component ID only found in source artifact>",
"package_type":"<Dependency component package type>",
"version":"<Dependency component version>",
"created":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
"modified":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>"
}
],
"added":[
{
"component_name":"<Component name only found in target artifact>",
"component_id":"<Dependency Component ID only found in target artifact>",
"package_type":"<Dependency component package type>",
"version":"<Dependency component version>",
"created":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
"modified":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
}
],
"unchanged":[
{
"component_name":"<Component name only found in both artifacts>",
"component_id":"<Dependency Component ID only found in both artifacts>",
"package_type":"<Dependency component package type>",
"version":"<Dependency component version>",
"created":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
"modified":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
}
]
}
Sample Usage:
POST /dependencyGraph/artifactDelta
{
"source_artifact_path":"/pnnl/goss/goss-core-client/0.1.7/goss-core-client-0.1.7-sources.jar",
"target_artifact_path":"/pnnl/goss/goss-core-client/0.1.8/goss-core-client-0.1.8-sources.jar",
}
{
"source_artifact":{
"name": "artifactory-pro.zip",
"path": "art2/ext-release-local/",
"pkg_type": "Generic",
"sha256": "d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2",
"sha1": ""
},
"target_artifact":{
"name": "artifactory-pro.zip",
"path": "art2/ext-release-local/",
"pkg_type": "Generic",
"sha256": "d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2",
"sha1": ""
},
"removed":[
{
"component_name":"some-component-1.1",
"component_id":"pip://some-component:1.1",
"package_type":"pip",
"version":"1.1",
"created":"2008-06-09T16:50:19Z",
"modified":"2015-07-26T17:49:47Z"
}
],
"added":[
{
"component_name":"Jinja2.7.2",
"component_id":"pip://Jinja2:2.7.2",
"package_type":"pip",
"version":"2.7.2",
"created":"2008-06-09T16:50:19Z",
"modified":"2015-07-26T17:49:47Z"
}
],
"unchanged":[
{
"component_name":"Apache1.4",
"component_id":"gav://apache:1.4",
"package_type":"maven",
"version":"1.4",
"created":"2008-06-09T16:50:19Z",
"modified":"2015-07-26T17:49:47Z"
}
]
}
Response Codes:
200: Success
400: Artifact '<PATH>' doesn't exist or isn't indexed in Xray
401: Bad Credentials
415: Failed to parse request
Get Build Dependency Graph
Description: Get the complete dependency graph for a build
Security: Requires a valid user with the "Read" permission
Usage: POST /dependencyGraph/build
Consumes: application/json
{
"artifactory_id":"<Artifactory instance name>",
"build_name":"<Build name>",
"build_number":"<Build number>"
}
Produces: application/json
{
"build":{
"name": "<The name of the build who's graph we are obtaining>",
"path": "<artifactory-name/repo-name/path>",
"pkg_type": "<Package type>",
"sha256": "<Artifact's SHA256 checksum>",
"component_id": "<The component ID>"
},
"components":[
{
"component_name":"<Dependency component name>",
"component_id":"<Dependency Component ID>",
"package_type":"<Dependency component package type>",
"version":"<Dependency component version>",
"created":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
"modified":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
"components":[]
}]
}
Sample Usage:
POST /dependencyGraph/build
{
"artifactory_instance":"myInstance",
"build_name":"someBuild",
"build_number":"someNumber"
}
{
"build": {
"name": "my-build",
"path": "art2/ext-release-local/",
"pkg_type": "Generic",
"sha256": "d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2",
"component_id": "gav://org.artifactory.pro:artifactory-pro-war:4.14.0"
},
"components":[
{
"component_name":"some-component-1.1",
"component_id":"pip://some-component:1.1",
"package_type":"pip",
"version":"1.1",
"created":"2008-06-09T16:50:19Z",
"modified":"2015-07-26T17:49:47Z",
"components":[]
},
{
"component_name":"some-component-1.2",
"component_id":"pip://some-component:1.2",
"package_type":"pip",
"version":"1.2",
"created":"2008-06-09T16:50:19Z",
"modified":"2015-07-26T17:49:47Z",
"components":[
{
"component_name":"Jinja2.7.2",
"component_id":"pip://Jinja2:2.7.2",
"package_type":"pip",
"version":"2.7.2",
"created":"2008-06-09T16:50:19Z",
"modified":"2015-07-26T17:49:47Z",
"components":[]
}
]
}
]
}
Response Codes:
200: Success
400: Build '<PATH>' doesn't exist or isn't indexed in Xray
400: Missing build name
400: Missing build number
400: Missing Artifactory ID
401: Bad credentials
415: Failed to parse request
Compare Builds
Description: Compares two builds and produces the difference between them
Security: Requires a valid user with the "Read" permission
Usage: POST /dependencyGraph/buildDelta
Consumes: application/json
Artifactory ID
The artifactory_id parameter is no longer required in Xray version 3.x, this parameter (also within a path) will be ignored.
{
"source_artifactory_id":"<First instance name>",
"source_build_name":"<First build name>",
"source_build_number":"<First build number>",
"target_artifactory_id":"<Second instance name>",
"target_build_name":"<Second build name>",
"target_build_number":"<Second build number>"
}
Produces: application/json
{
"source_build":{
"name": "<The name of the source build we are comparing>",
"path": "<artifactory-name/repo-name/path>",
"pkg_type": "<Package type>",
"sha256": "<Build's SHA256 checksum>",
"component_id": "<Build's component ID>",
},
"target_build":{
"name": "<The name of the target build we are comparing>",
"path": "<artifactory-name/repo-name/path>",
"pkg_type": "<Package type>",
"sha256": "<Build's SHA256 checksum>",
"component_id": "<Build's component ID>",
},
"removed":[
{
"component_name":"<Component name only found in source build>",
"component_id":"<Dependency Component ID only found in source build>",
"package_type":"<Dependency component package type>",
"version":"<Dependency component version>",
"created":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
"modified":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>"
}
],
"added":[
{
"component_name":"<Component name only found in target build>",
"component_id":"<Dependency Component ID only found in target build>",
"package_type":"<Dependency component package type>",
"version":"<Dependency component version>",
"created":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
"modified":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
}
],
"unchanged":[
{
"component_name":"<Component name only found in both builds>",
"component_id":"<Dependency Component ID only found in both builds>",
"package_type":"<Dependency component package type>",
"version":"<Dependency component version>",
"created":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
"modified":"<ISO8601 (yyyy-MM-dd'T'HH:mm:ss.SSSZ)>",
}
]
}
Sample Usage:
POST /dependencyGraph/buildDelta
{
"origin_build_artifactory_instance":"my-instance",
"origin_build_name":"someOriginBuild",
"origin_build_number":"111",
"target_build_artifactory_instance":"my-instance",
"target_build_name":"someTargetBuild",
"target_build_number":"222",
}
{
"source_build":{
"name": "my-build",
"path": "art2/ext-release-local/",
"pkg_type": "Generic",
"sha256": "d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2",
"component_id": "gav://org.artifactory.pro:artifactory-pro-war:4.14.0"
},
"target_build":{
"name": "my-build",
"path": "art2/ext-release-local/",
"pkg_type": "Generic",
"sha256": "d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2",
"component_id": "gav://org.artifactory.pro:artifactory-pro-war:4.14.0"
},
" removed":[
{
"component_name":"some-component-1.1",
"component_id":"pip://some-component:1.1",
"package_type":"pip",
"version":"1.1",
"created":"2008-06-09T16:50:19Z",
"modified":"2015-07-26T17:49:47Z"
}
],
"added":[
{
"component_name":"Jinja2.7.2",
"component_id":"pip://Jinja2:2.7.2",
"package_type":"pip",
"version":"2.7.2",
"created":"2008-06-09T16:50:19Z",
"modified":"2015-07-26T17:49:47Z"
}
],
"unchanged":[
{
"component_name":"Apache1.4",
"component_id":"gav://apache:1.4",
"package_type":"maven",
"version":"1.4",
"created":"2008-06-09T16:50:19Z",
"modified":"2015-07-26T17:49:47Z"
}
]
}
Response Codes:
200: Success
400: The build with the provided identifier doesn't exist or isn't indexed in Xray
401: Bad credentials
415: Failed to parse request
Export Component Details
Description: Export component details.
Security: Requires a valid user with "Read" permission
Usage: POST component/exportDetails
Consumes: application/json
Sample Request:
{
"violations": true | false,
"include_ignored_violations": true | false,
"license": true | false,
"security": true | false,
"exclude_unknown": true | false,
"component_name": "abrade:abrade:0.0.1",
"package_type": "maven",
"output_format": "pdf | csv | json | json_full",
"sha_256" : "1314223523643634",
"spdx": true | false,
"spdx_format": "json | tag:value | xlsx",
"cyclonedx": true | false,
"cyclonedx_format": "json | xml"
}
Response:
[] byte stream to file
200: Success
400: Invalid request payload
403: No Permission to component
500: Failed to export component details
SECURITY
Enable TLS Certificate for RabbitMQ
Description: Adds the TLS Certificate on RabbitMQ
Security: Requires an admin user
Usage: PUT /api/v1/configuration/systemParameters
Consumes: application/json
Sample Output:
PUT /api/v1/configuration/systemParameters
{
"sslInsecure": false,
"maxDiskDataUsage": 80,
"monitorSamplingInterval": 300,
"mailNoSsl": false,
"messageMaxTTL": 7,
"jobInterval": 86400,
"allowSendingAnalytics": true,
"httpsPort": 443,
"enableTlsConnectionToRabbitMQ": true,
"httpClientMaxConnections": 50,
"httpClientMaxIdleConnections": 20,
"jsFilesBatch": 20
}
INTEGRATIONS
Get Integration Configuration
Description: Retrieves integrations configured into the system
Security: Requires an admin user
Usage: GET /integration
Produces: application/json
Sample usage:
GET /integration
[
{
"vendor": "whitesource",
"api_key": "4a547ccd-fdf0-4ac4-8ec2-259ce91c1633",
"enabled": <true|false>,
"context": "project_id",
"url": "https://saas.whitesourcesoftware.com/xray",
"description": "WhiteSource provides a simple yet powerful open source security and licenses management solution. More details at http://www.whitesourcesoftware.com.",
"test_url": "https://saas.whitesourcesoftware.com/xray/api/checkauth"
}
]
Response Codes:
200: Integration data retrieved successfully
500: Failed to retrieve integration data
Add Integration Configuration
Description: Add an integration configuration
Security: Requires an admin user
Usage: POST /integration
Consumes: application/json
{
"vendor": ""
"api_key": "",
"enabled": <true|false>,
"context": "",
"url": "",
"description": "",
"test_url": ""
}
Sample usage:
POST /integration
{
"vendor": "whitesource",
"api_key": "12345",
"enabled": true,
"context": "project_id",
"url": "https://saas.whitesourcesoftware.com/xray",
"description": "WhiteSource provides a simple yet powerful open source security and licenses management solution. More details at http://www.whitesourcesoftware.com.",
"test_url": "https://saas.whitesourcesoftware.com/xray/api/checkauth"
}
Response Codes:
200: Integration data successfully added
500: Failed to register integration data
Update Integration Configuration
Description: Updates the integration configuration
Security: Requires an admin user
Usage: PUT /integration/{name}
Consumes: application/json
{
"vendor": "",
"api_key": "",
"enabled": <true|false>,
"context": "",
"url": "",
"description": "",
"test_url": ""
}
Response Codes:
200: Integration data successfully Updated
500: Failed to register integration data
Delete Integration Configuration
Description: Delete integration configuration
Security: Requires an admin user
Usage: DELETE /integration/{name}
Produces: application/json
Sample usage:
DELETE /integration/whitesource
Response Codes:
200: Integration deleted successfully
400: Vendor name is missing
500: Failed to delete integration
SUMMARY
Build Summary
Description: Provides details about any build specified by build identifier (name + number)
Security: Requires a valid user with "Read" permission
Notes: Starting from Xray version 3.42.3, JFrog Security CVE Research and Enrichment data is supported. Important notes:
- The following fields are markdown texts
- short_description
- full_description
- remediation
- Extended information fields will not appear to Free Tier users.
Usage: GET /summary/build?build_name=<build name>&build_number=<build number>
Produces: application/json
{
"artifacts": [
{
"general": {
"component_id": "",
"name": "",
"path": "",
"pkg_type": "",
"sha256": ""
},
"issues": [
{
"created": "",
"description": "",
"impact_path": [
{}
],
"issue_type": "",
"provider": "",
"severity": "",
"summary": ""
}
],
"licenses": [
{
"components": [
"sets.SetInterface"
],
"full_name": "",
"more_info_url": [
""
],
"name": ""
}
]
}
],
"errors": [
{
"error": "",
"identifier": ""
}
]
}
{
"build": {
"name": "exmplae_build",
"component_id": "exmplae_build:1.0.0",
"pkg_type": "Build",
"path": "default/builds/exmplae_build",
"sha256": "ff55b68d5f507aeaa2253f9506fd9ea847cbb29e1858edfe67d9153650698b12"
},
"issues": [{
"issue_id": "XRAY-95701",
"summary": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.",
"description": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.",
"issue_type": "security",
"severity": "Critical",
"provider": "JFrog",
"cves": [
{
"cve": "CVE-2020-1747",
"cwe": [
"CWE-20",
"CWE-20"
],
"cvss_v2": "10.0/CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"created": "2020-03-25T00:00:00.669Z",
"impact_path": [
"default/builds/example_build/example/latest/sha256__4918dff128ffe9fdb453e4c25c904c6c1bcbec34da8bcaa9921b154f4c891e2e.tar.gz/root/.cache/pip/wheels/ab/da/46/2f3778bfc6d5ec360917e3eeff42bade7d0497ad6879b1c05c/PyYAML-3.10-cp36-cp36m-linux_x86_64.whl"
],
"extended_information": {
"short_description": "Insufficient input validation in the PyYAML library allows unauthenticated network attackers to perform code execution when parsing a crafted YAML file.",
"full_description": "The [PyYAML](https://pypi.org/project/PyYAML/) library is a Python YAML parser, and it is widely used in connected devices. \r\n\r\nAttackers can trigger the exploit by supplying a crafted YAML file to the `full_load` method or a `load` method that uses `Loader=FullLoader` (which is the default). A public [Exploit (PoC)](https://gist.github.com/adamczi/23a3b6d4bb7b2be35e79b0667d6682e1) exists which demonstrates remote code execution, making this vulnerability likely to be exploited in practice.\r\n\r\nThe library implementation has a [prototype pollution](https://shieldfy.io/security-wiki/prototype-pollution/introduction-to-prototype-pollution/) issue in the `construct_python_object_apply()` function in the `lib/yaml/constructor.py` module, used by the `full_load()` method and the `FullLoader` loader. This allows an attacker to create a property for an object created from the loaded file. The constructor does not check the attribute for conflicts; for example, it is possible to create an `extend` attribute when an `extend` method already exists in an object. This can be exploited to replace the `extend` method with the insecure `yaml.unsafe_load()` function, which is later invoked by `construct_python_object_apply()` and executes a malicious YAML payload. \r\n\r\nThe [official solution]() provides a blacklist of properties and attributes that cannot be redefined, such as the `extend` method and all special methods (`__set__`, `__setitem__`, etc.). In addition, the `README` file is updated with a request to use the `safe_load()` function and `SafeLoader` loader for all untrusted input. It is still possible to use the `UnsafeLoader`, and the fix does not completely solve the problem, as shown by the later CVE-2020-14343.\r\n\r\nThe vulnerability was discovered by [Riccardo Schirone](https://github.com/ret2libc).",
"jfrog_research_severity": "Critical",
"jfrog_research_severity_reasons": [
{
"name": "The CVE can be remotely exploited",
"is_positive": false
},
{
"name": "The CVE has an exploit published",
"is_positive": false
},
{
"name": "The CVE has reasonable prerequisites for exploitation",
"is_positive": false
},
{
"name": "The CVE results in severe effects",
"is_positive": false
}
],
"remediation": "##### Development upgrade\n\n- Upgrade the component to any of the suggested fixed versions.\n\n##### Development mitigations\n\n* Apply the official [patch](https://github.com/yaml/pyyaml/pull/386/commits/6f675f711a807af61233355c6d127a3a2e412dbe). This is not recommended, as this version can still have other vulnerabilities.\n\n##### Deployment mitigations \n\n* Use `yaml.safe_load()` or the `SafeLoader` loader for all inputs."
}
}],
"licenses": [
{
"name": "Unknown",
"full_name": "Unknown license",
"more_info_url": [
"Unknown link"
],
"components": [
"deb://ubuntu:bionic:grep:3.1-2build1",
"deb://ubuntu:bionic:passwd:1:4.5-1ubuntu2",
]
}
],
"errors": []
}
{
"build": {
"name": "proj-docker-build",
"component_id": "[proj-build-info]/proj-docker-build:14",
"pkg_type": "Build",
"path": "default/proj-build-info/proj-docker-build",
"sha256": "1515db44689ca12c77c1b846c562fcaa40c26a5cc96153776752c96de01ea2f7"
},
"issues": [
{
"issue_id": "XRAY-79479",
"summary": "In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.",
"description": "In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.",
"issue_type": "security",
"severity": "High",
"provider": "JFrog",
"cves": [
{
"cve": "CVE-2019-0222",
"cwe": [
"CWE-94"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"created": "2019-03-31T00:00:00.273Z",
"impact_path": [
"default/proj-build-info/proj-docker-build/bill.jar/META-INF/maven/org.fusesource.mqtt-client/mqtt-client/pom.xml",
"default/proj-build-info/proj-docker-build/bill.jar/META-INF/maven/org.apache.activemq/activemq-mqtt/pom.xml"
],
"components": [
{
"component_id": "org.fusesource.mqtt-client:mqtt-client",
"fixed_versions": [
"[1.15]"
]
},
{
"component_id": "org.apache.activemq:activemq-mqtt",
"fixed_versions": [
"[5.15.9]"
]
}
],
"component_physical_paths": [
"bill.jar/META-INF/maven/org.fusesource.mqtt-client/mqtt-client/pom.xml",
"bill.jar/META-INF/maven/org.apache.activemq/activemq-mqtt/pom.xml"
]
}
],
"errors": []
}
{
"build": {
"name": "test",
"component_id": "test:2",
"pkg_type": "Build",
"path": "default/builds/test",
"sha256": "c9c5b7926184065a8cdabe1e2f28e52b269d4a50adb6b24f84c0dc9211530506"
},
"issues": [],
"licenses": [],
"operational_risks": [
{
"component_id": "gav://org.datanucleus:datanucleus-core:3.0.4",
"risk": "High",
"risk_reason": "Health",
"is_eol": null,
"eol_message": "",
"latest_version": "6.0.0-m4",
"newer_versions": 120,
"cadence": 1,
"commits": null,
"committers": null,
"released": "2012-12-12T20:02:00Z"
}
],
"errors": []
}
Response Codes:
200: Obtained artifact build summary
400: Missing build name or build number
Artifact Summary
Description: Provides details about any artifact specified by path identifiers or checksum.
Notes:
- Supported checksums are SHA-256 and SHA-1.
Starting from Xray version 3.42.3, JFrog Security CVE Research and Enrichment data is supported. Important notes:
- The following fields are markdown texts
- short_description
- full_description
- remediation
- Extended information fields will not appear to Free Tier users.
- The following fields are markdown texts
Security: Requires a valid user with "Read" permission.
Usage: POST /summary/artifact
Consumes: application/json
Artifactory ID
The artifactory_id parameter is no longer required in Xray version 3.x, this parameter (also within a path) will be ignored.
{
"checksums": [
""
],
"paths": [
""
]
}
Produces: application/json
{
"artifacts": [
{
"general": {
"component_id": "",
"name": "",
"path": "",
"pkg_type": "",
"sha256": ""
},
"issues": [
{
"created": "",
"description": "",
"impact_path": [
{}
],
"issue_type": "",
"provider": "",
"severity": "",
"summary": ""
}
],
"licenses": [
{
"components": [
"sets.SetInterface"
],
"full_name": "",
"more_info_url": [
""
],
"name": ""
}
]
}
],
"errors": [
{
"error": "",
"identifier": ""
}
]
}
Sample Usage:
POST /summary/artifact
{
"checksums":["d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2"]
}
Response
{
artifacts: [
"general": {
"name": "artifactory-pro.zip",
"path": "art2/ext-release-local/",
"pkg_type": "Generic",
"sha256": "d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2",
"component_id": "gav://org.artifactory.pro:artifactory-pro-war:4.14.0"
},
"issues":[
{
"summary":"FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories",
"description":"this is the description of the issue",
"issue_type":"security",
"severity":"Medium",
"provider":"JFrog",
"created":"2016-10-26T11:15:51.17Z",
"impact_path": [
"xray-artifactory/maven-1000/com/atlassian/aui/auiplugin/0.0.5-9-0-snapshot-035-do-not-use/Jinja2-2.7.2"
]
}
],
"licenses":[
{
"name":"MIT",
"full_name":"The MIT License",
"more_info_url":"https://opensource.org/licenses/MIT",
"components":[
"some-component-1",
"some-component-2",
"some-component-3"
]
},
{
"name":"AGPL-3.0",
"full_name":"GNU AFFERO GENERAL PUBLIC LICENSE, Version 3",
"more_info_url":"https://opensource.org/licenses/AGPL-3.0",
"components":[
"some-component-4",
"some-component-5"
]
},
{
"name":"unknown",
"components":[
"some-component-6",
"some-component-7"
]
}
],
errors: [
{
identifier: "4e39f19212597312ee02db873847bcb12c17cc639898bd2fd9b6a4aff16690e5",
error: "Artifact doesn't exist or not indexed in Xray"
}
]
}
{
"artifacts": [
{
"general": {
"name": "example_app:latest",
"component_id": "example_app:latest",
"pkg_type": "Docker",
"path": "default/docker_containers/example/latest/",
"sha256": "063a3067cb61add7ad3280bcccccea3c4efe4f16cf2beef27900f8045e3a0"
},
"issues": [
{
"issue_id": "XRAY-97724",
"summary": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
"description": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
"issue_type": "security",
"severity": "High",
"provider": "JFrog",
"cves": [
{
"cve": "CVE-2018-20225",
"cwe": [
"CWE-20"
],
"cvss_v2": "6.8/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cvss_v3": "7.8/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"created": "2020-05-11T00:00:00.784Z",
"impact_path": [
"default/docker_containers/example/latest/sha256__063a3067cb61add7ad3280bcccccea3c4efe4f16cf2beef27900f8045e3a0.tar.gz/pip:9.0.1"
],
"extended_information": {
"short_description": "pip could download private packages from a public PyPI repository leading to code execution",
"full_description": "This vulnerability has been disputed by the maintainers of pip as the described behavior, while potentially insecure, is the intended one. If pip is executed with the `--extra-index-url` when using a private PyPI repository, an attacker could cause pip to download a private package (for example one named `private_package`) by adding a package with the same name (`private_package`) in the public PyPI repository. This would lead to remote code execution as pip will download the public package that could contain malicious code. This is similar to the dependency confusion attack from 2021 by Alex Birsan. However, this isn't considered a vulnerability in itself in pip, and there is no plan to patch or change it.",
"jfrog_research_severity": "Medium",
"jfrog_research_severity_reasons": [
{
"name": "The CVE can't be remotely exploited",
"is_positive": true
},
{
"name": "This CVE has been disputed by the vendor",
"description": "Pip maintainers, and others such as [RHEL](https://access.redhat.com/security/cve/cve-2018-20225) do not consider this a vulnerability as it is the intended behaviour",
"is_positive": true
},
{
"name": "The CVE was marked as unimportant by the [Debian tracker](https://security-tracker.debian.org/tracker/CVE-2018-20225)",
"is_positive": true
}
],
"remediation": "##### Deployment mitigations\r\n\r\nDo not use the `--extra-index-url` flag with pip and consider using version pinning for deployments."
}
}
],
"licenses": [
{
"name": "Unknown",
"full_name": "Unknown license",
"more_info_url": [
"Unknown link"
],
"components": [
"deb://ubuntu:bionic:perl-base:5.26.1-6ubuntu0.5",
"deb://ubuntu:bionic:libss2:1.44.1-1ubuntu1.3",
]
}
]
}
]
}
{
"artifacts": [
{
"general": {
"name": "artifactory-pro:7.29.80",
"component_id": "artifactory-pro:7.29.80",
"pkg_type": "Docker",
"path": "default/docker-local-a/artifactory-pro/7.29.80/",
"sha256": "4704b659a183fecc786783e826537978249f2dd2d6665b434340dc7cc75016a9"
},
"issues": [
{
"issue_id": "XRAY-191997",
"summary": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.",
"description": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.",
"issue_type": "security",
"severity": "Medium",
"provider": "JFrog",
"cves": [
{
"cve": "CVE-2021-28170",
"cwe": [
"CWE-20"
],
"cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"created": "2021-12-14T00:00:00.537Z",
"impact_path": [
"default/docker-local-b/artifactory-pro/7.29.80/sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/artifactory/tomcat/webapps/artifactory.war/WEB-INF/lib/jakarta.el-3.0.3.jar",
"default/docker-local-b/artifactory-pro/7.29.80/sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/misc/tomcat/mc.war/WEB-INF/lib/jakarta.el-3.0.3.jar"
],
"component_physical_paths": [
"sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/artifactory/tomcat/webapps/artifactory.war/WEB-INF/lib/jakarta.el-3.0.3.jar",
"sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/misc/tomcat/mc.war/WEB-INF/lib/jakarta.el-3.0.3.jar"
]
}
]
}
]
}
{
"artifacts": [
{
"general": {
"name": "datanucleus-core-3.0.4.jar",
"component_id": "org.datanucleus:datanucleus-core:3.0.4",
"pkg_type": "Maven",
"path": "default/generic-local/datanucleus-core-3.0.4.jar",
"sha256": "5a30df15b3de7c0c349c76e33c12d3f5142a92e81e3fe827e723ba13c662de92"
},
"issues": [],
"licenses": [],
"operational_risks": [
{
"component_id": "gav://org.datanucleus:datanucleus-core:3.0.4",
"risk": "High",
"risk_reason": "Health",
"is_eol": null,
"eol_message": "",
"latest_version": "6.0.0-m4",
"newer_versions": 120,
"cadence": 1,
"commits": null,
"committers": null,
"released": "2012-12-12T20:02:00Z"
}
]
}
]
}
Response Codes:
200: Obtained artifact summary
415: Failed to parse JSON
SYSTEM
Resend Artifacts Metadata
Description: Resend artifact metadata to the Metadata Server
Since: 3.10.3
Security: Requires an admin user
Usage: POST api/v1/mds/migration
Note: Requires the following two parameters
- repo: Name of the repository, has to be an existing repo marked for scanning.
- path: Repository path
curl http://10.70.30.82:8082/xray/api/v1/mds/migration -H "Content-Type: application/json" -d '{"repo":"npm-local", "path":"/1/"}
{"info":"Migration has been started"}
Create Bundle
Description: Create support bundle
Security: Requires an admin user
Usage: POST /system/support/bundle
Consume: application/json
Produce: application/json
Sample Usage:
POST /system/support/bundle
{
"name":"support_bundle_issue1",
"description":"support bundle for issue 1",
"parameters":{
"configuration":true,
"system":true,
"logs":{
"end_date":"2019-05-15T16:32:04+03:00",
"include":true,
"start_date":"2019-05-15T16:32:04+03:00"
},
"thread_dump":{
"count":1,
"interval":1000
}
}
}
{
"id": "01DT79NXGJBM4G0KMTEEMZ9FN0",
"artifactory": {
"service_id": "jfrt@01dsqzccvew5dr0j75eq6b1tnv",
"bundle_url": "http://<host>:<port>/artifactory/api/archive/download/jfrog-support-bundle/01DT79NXGJBM4G0KMTEEMZ9FN0/jfxr/jfxr@01dsr2hbsef4c1et00cj2mnzkn?archiveType=zip"
}
}
Get System Monitoring Status
Description: Gets system monitoring status
Security: Requires an admin user
Usage: GET /monitor
Produces: application/json
Sample usage:
GET /monitor
{
"problems": [
{
"severity": "warning",
"services": [
"analysis",
"event",
"indexer",
"xray_server"
],
"problem": "No connection to Artifactory instance ###art12"
}
]
}
Response Codes:
200: System monitoring status was sent
500: Failed to marshal object to json
Ping Request
Description: Sends a ping request
Security: Requires a valid user
Usage: GET /api/v1/system/ping
Produces: application/json
Sample usage:
GET /api/v1/system/ping
{"status":"pong"}
Response Codes:
200: Ping successful
Get Version
Description: Gets the Xray version and revision you are running
Security: Requires a valid user
Usage: GET /api/v1/system/version
Produces: application/json
{
"xray_version":"<version number>",
"xray_revision":"<revision number>"
}
Sample Usage:
GET /api/v1/system/version
{
"xray_version":"1.4",
"xray_revision":"b3034"
}
Response Codes:
200: Got version info successfully
Metrics
Description: Get system metrics data.
Since: 3.8
Security: Requires an admin user. Available only for on-prem customers.
Usage: GET api/v1/metrics
# HELP app_disk_used_bytes Used bytes for app home directory disk device
# TYPE app_disk_used_bytes gauge
app_disk_used_bytes 3.47563655168e+11 1594190659312
# HELP app_disk_free_bytes Free bytes for app home directory disk device
# TYPE app_disk_free_bytes gauge
app_disk_free_bytes 1.38795900928e+11 1594190659312
# HELP app_self_metrics_calc_seconds Total time to collect all metrics
# TYPE app_self_metrics_calc_seconds gauge
app_self_metrics_calc_seconds 0.052461418 1594190659312
# HELP app_self_metrics_total Count of collected metrics
# TYPE app_self_metrics_total gauge
app_self_metrics_total 17 1594190659312
# HELP db_connection_pool_in_use_total The number of connections currently in use
# TYPE db_connection_pool_in_use_total gauge
db_connection_pool_in_use_total 0 1594190659312
# HELP db_connection_pool_idle_total The number of idle connections
# TYPE db_connection_pool_idle_total gauge
db_connection_pool_idle_total 5 1594190659312
# HELP go_memstats_heap_in_use_bytes Process go heap bytes in use
# TYPE go_memstats_heap_in_use_bytes gauge
go_memstats_heap_in_use_bytes 5.7597952e+07 1594190659312
# HELP go_memstats_heap_allocated_bytes Process go heap allocated bytes
# TYPE go_memstats_heap_allocated_bytes gauge
go_memstats_heap_allocated_bytes 5.3492992e+07 1594190659312
# HELP go_memstats_heap_idle_bytes Process go heap idle bytes
# TYPE go_memstats_heap_idle_bytes gauge
go_memstats_heap_idle_bytes 7.4129408e+07 1594190659312
# HELP go_memstats_heap_objects_total Process go heap number of objects
# TYPE go_memstats_heap_objects_total gauge
go_memstats_heap_objects_total 426224 1594190659312
# HELP go_memstats_heap_reserved_bytes Process go heap reserved bytes
# TYPE go_memstats_heap_reserved_bytes gauge
go_memstats_heap_reserved_bytes 1.3172736e+08 1594190659312
# HELP go_memstats_gc_cpu_fraction_ratio Process go cpu used by gc. value is between 0 and 1
# TYPE go_memstats_gc_cpu_fraction_ratio gauge
go_memstats_gc_cpu_fraction_ratio 2.103941598027732e-05 1594190659312
# TYPE sys_cpu_ratio gauge
sys_cpu_ratio 0.2537313432835821 1594190659312
# HELP sys_load_1 Host load average in the last minute
sys_load_1 2.91 1594190659312
# HELP sys_load_5 Host load average in the last 5 minutes
sys_load_5 4.22 1594190659312
# HELP sys_load_15 Host load average in the last 15 minutes
sys_load_15 3.9 1594190659312
# HELP sys_memory_used_bytes Host used virtual memory
# TYPE sys_memory_used_bytes gauge
sys_memory_used_bytes 1.0906873856e+10 1594190659312
# HELP sys_memory_free_bytes Host free virtual memory
# TYPE sys_memory_free_bytes gauge
sys_memory_free_bytes 2.051506176e+09 1594190659312
# HELP jfxr_db_sync_started_before_seconds Seconds that passed since the last Xray DB sync started running
jfxr_db_sync_started_before_seconds 1730.505649843 1612187458132
# HELP jfxr_db_sync_running_total DB sync total running time
jfxr_db_sync_running_total 0 1623046336551
# HELP jfxr_db_sync_ended_analyze_before_seconds Seconds that passed since DB sync completed sending all impact analysis messages
jfxr_db_sync_ended_analyze_before_seconds 140274.549095 1623046336551
# HELP jfxr_db_sync_ended_persist_before_seconds Seconds that passed since completed persisting new updates to the database
jfxr_db_sync_ended_persist_before_seconds 140274.549095 1623046336551
# HELP jfxr_data_artifacts_total{package_type="deb"} Total number of Xray scanned artifacts by package type
jfxr_data_artifacts_total{package_type="deb"} 1 1612187458132
# HELP jfxr_data_components_total{package_type="go"} Total number of Xray scanned components by package type
jfxr_data_components_total{package_type="go"} 1 1612187458132
# HELP jfxr_performance_server_up_time_seconds Seconds that passed since Xray server has started on the particular node
jfxr_performance_server_up_time_seconds 1730.505649843 1612187458132
IGNORE RULES
Get Ignore Rules
Description: Returns all Ignore Rules by specific filters.
Since: 3.11
Security: Requires a valid user with the "Manage Watches" permission.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with the Manage Assets privilege can get a list of Ignore Rules using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: GET /api/v1/ignore_rules
Parameters:
"vulnerability"/"license"/"policy"/"watch"/"component_name"/"component_version"/
"artifact_name"/"artifact_version"/"build_name"/"build_version"/
"release_bundle_name"/"release_bundle_version"/"docker_layer"
Pagination Parameters:
"order_by""direction""page_num""num_of_rows""expires_before""expires_after""project_key"
http://10.70.30.82:8082/xray/api/v1/ignore_rules?artifact_name=artifact&artifact_version=2&artifact_path=/myRepo
{
"data":
[
{
"id": string,
"created": Date,
"author": string,
"notes": string,
"expires_at": Date,
"ignore_filters": {
"vulnerabilities": [
"Vuln1",
"Vuln2"
],
"licenses": [
],
"watches": [
"Watch1",
"Watch2"
],
"components": [
{name:"docker://redis"},
{name:"Comp2", version: "2.6"},
{name:"Comp3", version: "1.03"}
]
}
],
"total_count": 1
}
GET /api/v1/ignore_rules?expires_before=2021-01-03T00:00:00Z
GET /api/v1/ignore_rules?expires_after=2021-01-01T00:00:00Z
GET /api/v1/ignore_rules?expires_after=2021-01-01T00:00:00Z&expires_before=2021-01-03T00:00:00Z
GET api/v1/ignore_rules?artifact_name=artifact&artifact_version=2&artifact_path=/myRepo&project=<project_key>
GET api/v1/ignore_rules?projectKey=<project_key>
Response Codes:
500 - Failed to get ignore rules
401 - Unauthorized
403 - Forbidden
Get Ignore Rule
Description: Returns a single Ignore Rule by its ID.
Since: 3.11
Security: Requires a valid user with the "Manage Watches" permission.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with the Manage Assets privilege can get an Ignore Rule using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: GET /api/v1/ignore_rules/{id}
{
"id": string,
"created": Date,
"author": string,
"notes": string,
"expires_at": Date,
"ignore_filters": {
"vulnerabilities": [
"Vuln1",
"Vuln2"
],
"licenses": [
],
"watches": [
"Watch1",
"Watch2"
],
"components": [
{name:"docker://redis"},
{name:"Comp2", version: "2.6"},
{name:"Comp3", version: "1.03"}
]
}
}
GET /api/v1/ignore_rules/{id}?projectKey=<project_key>
{
"id": string,
"created": Date,
"author": string,
"notes": string,
"expires_at": Date,
"project_key":"myproj",
"ignore_filters": {
"vulnerabilities": [
"Vuln1",
"Vuln2"
],
"licenses": [
],
"watches": [
"Watch1",
"Watch2"
],
"components": [
{name:"docker://redis"},
{name:"Comp2", version: "2.6"},
{name:"Comp3", version: "1.03"}
],
"projects": [
"myproj"
],
}
}
Response Codes:
200 - OK
500 - Failed to get ignore rules
401 - Unauthorized
403 - Forbidden
Create Ignore Rule
Description: Create an Ignore Rule.
Since: 3.11
Security: Requires a valid user with the "Manage Watches" permission.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with the Manage Assets privilege can create Ignore Rules using this REST API in the scope of a project, by using the additional query parameter projectKey. Wildcards are not supported for artifact names.
Usage: POST /api/v1/ignore_rules
Parameters:
“vulnerabilities”/“licenses”/“cves”/“policies”/“watches”/“docker-layers” - []string
["Value 1", "Value 2", ...]
“release-bundles”/“builds”/“components” - []{name(string), version(string)} (name - must)
[{"name": test, "version": number},...]
“artifacts” - []{name(string), version(string), path(string)} (name - must)
[{"name": test, "version": number, "path": path},...]
“operational_risk” - []string
Note: Only ‘Any’ is supported for this parameter
[“any”]
Functionality level | Objective | Scope | Source |
|---|---|---|---|
Filters | “vulnerabilities” “licenses” “cves” “operational_risk” | “policies” “watches” | “builds” “release-bundles” “docker-layers” “artifacts” “components” |
Ignore filters:
{
"notes": "ignore any license for any version of alpine for the base layer within all 'myApp' builds",
"ignore_filters": {
"licenses":[
"any"
],
"builds": [
{
"name":"myApp"
}
],
"components": [
{
"name":"docker://alpine"
}
],
"docker-layers": [
"0503825856099e6adb39c8297af09547f69684b7016b7f3680ed801aa310baaa"
]
}
}
{
"notes": "ignore 'CVE-2016-2168' when watch is 'tstWatch'",
"ignore_filters": {
"cves":[
"CVE-2016-2168"
],
"watches":[
"tstWatch"
]
}
}
{
"notes": "ignore 'CVE-2016-2168' until the expiration date set'",
"expires_at": "2020-06-29T00:00:00Z",
"ignore_filters": {
"cves":[
"CVE-2016-2168"
],
"watches":[
"tstWatch"
]
}
}
{
"notes": "ignore 'XRAY-12345' for component 'rpm://juice' of version '6.0.0",
"ignore_filters": {
"vulnerabilities":[
"XRAY-12345"
],
"components":[
{
"name":"rpm://juice",
"version":"6.0.0"
}
]
}
}
{
"notes": "ignore any violation for 'tstRB' release-bundle",
"ignore_filters": {
"vulnerabilities":[
"any"
],
"licenses":[
"any"
],
"release-bundles":[
{
"name":"tstRB"
}
]
}
}
{
"notes": "ignore any violation for 'gav://dev' artifact only under repo 'devRepo' when violation sources are any version of 'go://gosu' or 'rpm://juice'",
"ignore_filters": {
"vulnerabilities":[
"any"
],
"licenses":[
"any"
],
"artifacts":[
{
"name":"gav://dev",
"path":"devRepo/"
}
],
"components":[
{
"name":"go://gosu"
},
{
"name":"rpm://juice"
}
]
}
}
{
"notes": string,
"ignore_filters": {
"vulnerabilities": [
"any"
],
"licenses": [
"any"
],
"artifacts": [
{name:"docker://redis", version: "any", path: "/testRepo"}
]
}
}
{
"notes": "ignore Operational Risk violations for artifact 'gav://org.jfrog.ignored:ignored-core' of version '2.0.0",
"ignore_filters": {
"operational_risk":[
"any"
],
"artifacts":[
{
"name":"gav://org.jfrog.ignored:ignored-core",
"version":"2.0.0"
}
]
}
}
successfully added ignore rule with id: {id}
Projects Filter:
Note: Add project field to Builds filter, a Build without a project is referred to as a Global Build.
{
"notes": "ignore any license for any version of alpine for the base layer within all 'myApp' builds",
"ignore_filters": {
"licenses":[
"any"
],
"builds": [
{
"name":"myApp", "project":"projA"
}
],
"components": [
{
"name":"docker://alpine"
}
],
"projects": [
"projA",
"projB"
]
}
}
Response Codes:
201 - successfully created ignore rule id: {ignore_rule_id}
500 - Failed to create ignore rule
400 - Parsing/validation error
401 - Unauthorized
403 - Forbidden
415 - Unsupported media type
Delete Ignore Rule
Description: Delete an Ignore Rule and restore violations associated with this rule. Since Xray 3.13 the "restore_violations" parameter has been deprecated.
Since: 3.11
Security: Requires a valid user with the "Manage Watches" permission.
Notes: For Xray version 3.21.2 and above with Projects, a Project Admin with the Manage Assets privilege can delete Ignore Rules using this REST API in the scope of a project, by using the additional query parameter projectKey.
Usage: DELETE /api/v1/ignore_rules/{id}
http://10.70.30.82:8082/xray/api/v1/ignore_rules/d6192775-9320-42ec-7a98-4a860f01f02b?restore_violations=true
Response Codes:
204 - No content
500 - Failed to delete ignore rule
404 - Ignore rule not found
401 - Unauthorized
403 - Forbidden
VIOLATIONS
Get Violations
Description: Gets the Xray violations based on a set of search criteria
Security: Requires a user with Read permissions.
Notes: Starting from Xray version 3.42.3, JFrog Security CVE Research and Enrichment data is supported. Important notes:
- The following fields are markdown texts
- short_description
- full_description
- remediation
- Extended information fields will not appear to Free Tier users.
Usage: POST /api/v1/violations
Consumes: application/json
Sample usage (all of the filter fields are optional):
POST /api/v1/violations
{
"filters": {
"name_contains": "Denial of service attack",
"violation_type": "Security",
"watch_name": "watch",
"min_severity": "Medium",
"created_from": "2018-06-06T12:22:16+03:00"
},
"pagination": {
"order_by": "updated",
"limit": 25,
"offset": 1
}
}
POST /api/v1/violations
{
"filters": {
"violation_type": "Operational_Risk",
"watch_name": "watch",
"min_severity": "Medium",
},
"pagination": {
"order_by": "updated",
"limit": 25,
"offset": 1
}
}
Sample response:
{
"total_violations": 295,
"violations": [
{
"description": "Amazon Digital Services License",
"severity": "High",
"type": "License",
"infected_component": [
"generic://sha256:72daef35b54f95a97e7da5ae2dd7cccecc71183788656083f35fdf6e0ca5a24f/opkg-4.3.54.jar"
],
"created": "2018-05-29T17:30:49+03:00",
"watch_name": "watch_license",
"issue_id": "ADSL",
"violation_details_url": "localhost:8000/api/v1/violations?watch_id=5b163b41ab1bdddbb2e16492&issue_id=XRAY-60763",
"impacted_artifacts": [
"arti1/libs-release-local/jfrog-artifactory-pro-5.9.0.zip"
]
},
{
"description": "If a user of Commons-Email (typically an application programmer) passes unvalidated input as the so-called \"Bounce Address\", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated.",
"severity": "Low",
"type": "Security",
"infected_component": [
"gav://org.apache.commons:commons-email:1.1"
],
"created": "2018-06-06T12:21:18+03:00",
"watch_name": "all",
"issue_id": "XRAY-60829",
"violation_details_url": "localhost:8000/api/v1/violations?watch_id=5b163b41ab1bdddbb2e16492&issue_id=XRAY-60829",
"impacted_artifacts": [
"arti1/libs-release-local/jfrog-artifactory-pro-5.9.0.zip"
]
}
]
}
{
"total_violations": 1,
"violations": [{
"description": "urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.",
"severity": "Critical",
"type": "Security",
"infected_components": [
"pypi://urllib3:1.22"
],
"created": "2021-11-30T06:40:10+02:00",
"watch_name": "MyFirstWatch",
"issue_id": "XRAY-74787",
"violation_details_url": "http://localhost:8046/xray/api/v1/violations?watch_id=7c64876c5e206011ed08ce25&issue_id=XRAY-74787&comp_id=build:%2F%2Fexample-build:3.10.0",
"impacted_artifacts": [
"default/builds/example-build"
],
"extended_information": {
"short_description": "An information leak in urllib3 can lead to authentication bypass via leaked HTTP authorization client credentials",
"full_description": "urllib3 does not remove the `Authorization` HTTP header when following redirects (even cross-origin redirects, that differ in host, port, or scheme)\r\n\r\nThis issue can be exploited when a client is using `urllib3` and the following conditions apply:\r\n1. The client uses some kind of HTTP authorization (`Basic`, `Digest`, etc.)\r\n2. The client initially contacts an HTTPS server\r\n3. The HTTPS server redirects the client to a non-HTTP server\r\n4. The attacker can sniff the data between the client and the HTTP server (possibly by using a MitM attack)\r\n\r\nThe issue is not relevant if the client originally contacts an HTTP server, since the `Authorization` header can be sniffed by an attacker from the original connection, regardless of this CVE.\r\n\r\nRed Hat also updated the original CVSS analysis, which was downgraded to [7.5](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)",
"jfrog_research_severity": "Medium",
"jfrog_research_severity_reasons": [
{
"name": "The CVE can be remotely exploited",
"is_positive": false
},
{
"name": "The CVE has a published technical writeup",
"is_positive": false
},
{
"name": "The CVE has no exploit published",
"is_positive": true
},
{
"name": "The CVE has difficult prerequisites for exploitation",
"description": "See CVE details for more information",
"is_positive": true
},
{
"name": "The initial CVSS was disputed by Red Hat, and downgraded to 7.5",
"is_positive": true
}
]
}
}
]
}
{
"total_violations": 1,
"violations": [
{
"description": "Number of new versions and Version Age",
"severity": "High",
"type": "Operational_Risk",
"infected_components": [
"gav://joda-time:joda-time:2.9.9"
],
"created": "2022-03-24T14:54:42+02:00",
"watch_name": "OpRiskWatch",
"issue_id": "1ea7a8e0904b4a6c1a837e8ab437e0892dd00ad203814f3b9edfd2a3d8be3b88",
"violation_details_url": "http://test.jfrog.io/xray/api/v1/violations?watch_id=8d5a6d7364154c5c2455993a&issue_id=1ea7a8e0904b4a6c1a837e8ab437e0892dd00ad203814f3b9edfd2a3d8be3b88&comp_id=gav:%2F%2Forg.jruby:jruby-complete:9.2.0.0",
"impacted_artifacts": [
"default/generic-local/jruby-complete-9.2.0.0.jar"
],
"component_physical_paths": [
"META-INF/maven/joda-time/joda-time/pom.xml"
],
"applicability": null,
"operational_risk": {
"risk": "High",
"risk_reason": "Number of new versions and Version Age",
"is_eol": null,
"eol_message": "",
"latest_version": "2.10.13",
"newer_versions": 14,
"cadence": 3,
"commits": null,
"committers": null,
"released": "2017-03-23T15:33:00+02:00"
}
]
}
List Ignored Violations
Description: Returns ignored violations by filters.
Since: 3.11
Security: Requires a valid user with the "Manage Watches" permission.
Usage: POST /api/v1/violations/ignored
Parameters:
“vulnerabilities”/“licenses”/“cves”/“policies”/“watches”/“docker-layers” - []string
“release-bundles”/“builds”/“components” - []{name(string), version(string)} (name - must)
“artifacts” - []{name(string), version(string), path(string)} (name - must)
Pagination:
"order_by","offset", "limit"
Ignore filters:
Functionality level | Objective | Scope | Source |
|---|---|---|---|
Filters | “vulnerabilities” “licenses” “cves” | “policies” “watches” | “builds” “release-bundles” “docker-layers” “artifacts” “components” |
{
"vulnerabilities":[
"vuln1",
"vuln2"
],
"artifacts": [
{
"name": "docker://redis"
}
],
"docker-layers":[
"4c5fa3a86e3b1d07979ff011af3b58481e519faa6ee27eb23622a6fe0"
]
}
{
"data": [
{
"violation_id": "1323291645094375424",
"issue_id": "AGPL-3.0",
"type": "License",
"created": "2020-11-02T17:51:28+02:00",
"watch_name": "w",
"description": "GNU AFFERO GENERAL PUBLIC LICENSE v3",
"severity": "High",
"impacted_artifact": {
"name": "generic://sha256:4c5fa3a86e3b1d07979ff011af3b58481e519faa6ee27eb23622a6fe00d89935/jfrog-artifactory-pro-6.0.0.zip",
"path": "example-repo-local/jfrog-artifactory-pro-6.0.0.zip"
},
"matched_policies": [
{
"policy": "pl",
"rule": "l",
"is_blocking": false
}
],
"ignore_rule_details": {
"id": "a11b59c0-a94e-4d99-4135-74dda0e0c354",
"author": "admin",
"created": "2020-11-02T17:53:41+02:00",
"notes": "license"
"expires_at": "2020-12-29T00:00:00Z",
"deleted_by": "admin",
"deleted_at": "2020-12-28T00:00:00Z"
}
},
{
"violation_id": "1323291688811606016",
"issue_id": "XRAY-100646",
"type": "Security",
"created": "2020-11-02T17:51:38+02:00",
"watch_name": "w",
"provider": "JFrog",
"description": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).",
"severity": "Medium",
"properties": [
{
"Cve": "CVE-2020-14062",
"Cwe": [
"CWE-502"
],
"CvssV2": "6.8/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CvssV3": "8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"impacted_artifact": {
"name": "generic://sha256:4c5fa3a86e3b1d07979ff011af3b58481e519faa6ee27eb23622a6fe00d89935/jfrog-artifactory-pro-6.0.0.zip",
"path": "example-repo-local/jfrog-artifactory-pro-6.0.0.zip"
},
"matched_policies": [
{
"policy": "ps",
"rule": "s",
"is_blocking": false
}
],
"ignore_rule_details": {
"id": "d33d30d1-a775-41f2-6e0d-c2955d496ab1",
"author": "admin",
"created": "2020-11-02T17:53:57+02:00",
"notes": "sec1"
}
}
],
"total_count": 2
}
Response Codes:
200 - OK
500 - Failed to get ignored violations
400 - Parsing/validation error
401 - Unauthorized
403 - Forbidden
Restore Ignored Violations
Description: Restores violations that were ignored by an Ignore Rule by violation ID.
Since: 3.16
Security: Requires a valid user with the "Manage Watches" permission.
Usage: POST /api/v1/violations/restore
{
"ids:" ["id1", "id2"]
}
200:Success
IMPORT & EXPORT
Export Xray Settings
Description: Exports user-defined settings to zip file under the following path: <XRAY_HOME>/backup/config/<SERVICE_ID>_xray_exported_config_<TIMESTAMP>.zip.
For Xray 2.x versions, it is mandatory to specify the source Binary management (instance_id) when exporting watches, ignore rules, and indexed resources. This REST API is supported from Xray version 2.11.0.
Related Dependencies:
- Exporting watches requires exporting policies.
- Exporting ignored rules requires exporting watches.
API Version: v1
Security: Requires an admin user
Usage: POST /api/v1/configuration/export
Consumes: application/json
Produces : application/json
Sample Usage:
POST api/v1/configuration/export
{
# Export all configurations
"export_all" : false (default, supported from Xray 3.41.4),
# Specifying specific entities to export
"policies" : false (default),
"watches" : false (default),
"ignore_rules" : false (default),
"custom_licenses" : false (default),
"custom_issues" : false (default),
"webhooks" : false (default),
"indexed_resources" : false (default),
"ticketing_integrations" : false (default, supported from Xray 3.41.4),
# Pre Xray 3.x
"mail_server" : false (default, not supported for Xray 3.x),
"proxy_config": false (default, not supported for Xray 3.x),
"instance_id" : “” (default, not required for Xray 3.x)
}
Sample Response:
{
"info": "Successfully exported config to file <SERVICE_ID>_xray_exported_config_<TIMESTAMP>.zip under {XRAY_HOME}/backup/config"
}
Response Codes:
200: Success.
400: Got an invalid request
500: Failed to export config file.
Import Xray Configurations
Description: Imports user-defined configurations from the exported zip file.
For Xray 2.x versions, you must specify the new Artifactory instance that the new Xray instance will work with.
Related Dependencies:
-Importing watches requires importing policies.
-Importing ignored rules requires importing watches.
API Version: v1
Security: Requires an admin user
Usage: POST /api/v1/configuration/import
Sample Usage:
POST /api/v1/configuration/import
{
"src_path" : “” (default, directory or zip file path under /backup/config)
"instance_id" : “” (default, the new instance id connected to Xray - not required in Xray 3.x)
}
Sample Response:
{
"info": "Successfully imported config from path <directory or zip file path under /backup/config>"
}
Response Codes:
200: Success - settings imported.
400: Got an invalid request.
500: Failed to import configuration.
MIGRATION
On-Demand Migration
Description: Triggers data migration on-demand.
Since: 3.18.0
Notes: The retrigger flag was introduced in Xray version 3.38.5.
Security: Requires a user with Admin permissions.
Usage: POST /api/v1/migration/trigger/{name}[?retrigger=true]
POST /api/v1/migration/trigger/version_misclassification_fix?retrigger=true
Response Codes:
- 200 success- migration was triggered
- 400 bad request- migration is not registered as on-demand migration
- 409 status conflict- migration was completed and the ‘retrigger’ boolean flag was not passed
- 500- internal server error
Deprecated REST APIs
The following APIs have been deprecated in Artifactory 7.X. Click the link to view the supported command in Artifactory 6.x.
Back to Top
