
Overview

The Components module implements a content-driven workflow allowing you to single out relevant components you are interested in and drill down to expose greater detail so you can understand their state. This is done using the following main steps:

  1. Search 
    Enhanced search lets you single out components based on a variety of parameters.

  2. Drill down 
    Once Xray has found all components that match your search query, you can select the one that interests you and drill down to get more details about it.

  3. Examine violations and metadata 
    After drilling down into a specific component, you can then examine all the violations detected for each version of that component and get detailed information about the violation and about all other components in your system that are affected by it.

Searching for Components

At the top of the Components module you can enter a variety of parameters to search for specific components. Click search to run the query.

Search Components

Contains Text
A free-text term to search for in the name of the component
Last Updated
Specifies when the component was last modified in Xray. You can select one of the preset time ranges, or specify a custom range.
Component Type
Specifies whether you are searching for a Package, a Build or a File
Package Type
Restricts search results to the specified package type
Min Severity
Only components with vulnerabilities with the specified severity and above will be displayed

Search Results

Components

The search results are displayed in a table showing the following parameters

Type
Indicates if the component is a package, a build or a file
Name
The name of the component
Latest Version
The latest version of the component where applicable ("files" don't have versions)
Last Updated
Indicates when the component was last modified in Xray (e.g., last indexed or status changed)
Issues
The number of issues detected in the component
Status
Indicates the highest severity of any of the issues found for the component. "Normal" means no issues were found.

Component Details

To drill down and view the details about a component, click its name in the list of search results. The Component Details view is split up into three panels:

  • Summary Strip
  • Versions Panel
  • Details Panel

Component Details

Summary Strip

The strip at the top of the Component Details view varies slightly depending on whether the component is a package, a build or a file, and displays a summary of the component's most basic information.

Package

Package Summary Strip

For a package, the summary strip displays:

  • The package type logo for quick and easy identification
  • Latest Version: The latest version of the package that is available. The "Internal" version shows the latest version that is hosted by your Artifactory instance, and "Public" shows the latest version that is publicly available on the external web.
  • Created: The package's creation date
  • Last Updated: Last time the package was indexed or modified
  • Status: The highest severity of any vulnerability found in the package
Build

Build Summary Strip

For a build, the summary strip displays:

  • The logo of the CI server that ran the build with a link for direct and easy access to the build in Artifactory
  • Status: The highest severity of any vulnerability found in the build
  • Last Updated: Last time the build was indexed or modified
  • Created: The build's creation date
  • Latest Version: The latest version of the build that is available. 
File

File Summary Strip

For a file, the summary strip displays:

  • A file icon
  • Status: The higher of the highest severity watch violation and highest severity of any vulnerability found in the file
  • Last Updated: Last time the file was indexed or modified
  • Created: The file's creation date

Versions Panel

The Versions panel displays all the versions of the selected component that have been indexed by Xray. Select any of these versions to display detailed information about them. If publicly available versions of the selected component exist, Xray will display the Include Public checkbox. When set, Xray will also display those versions in the list; note, however, that when selecting one of these versions, Xray may not be able to display additional information.

Specific Versions

Select any version displayed in the Versions panel to get a list of issues detected in that specific version.

List of Versions


Details Panel

The details panel displays several details about the selected component including:

Details Panel

  • Violations: These are violations to filters defined on a watch. They are only reported for the root component, not for its dependencies.
  • Security: Known security vulnerabilities for the selected component
  • Licenses: OSS licenses used by the component
  • Locations: Locations where the files of the component can be found
  • Descendants: Components that the selected component includes (depends on)
  • Ancestors: Components that include (depend on) the selected component

To focus on specific violations, you may filter the list displayed using the Filter by Summary field.

Infected Versions

The Violations tab of the Details panel provides the set of versions that are infected with the violation. The set can include a range of versions and specific versions in any combination. For example, "2.0ga, 2.0_rc9, 2.0_rc10, 2.0_rc11, 2.0.1, 2.1.0 ≤ version ≤ 2.1.0.1".

Remediation

The Fix Versions tab of the Details panel provides remediation information for the violation. This field indicates in which version of the selected component the violation has been fixed, giving you the opportunity to upgrade to that version and thus remedy the violation.
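The infected-version set shown in the Violations tab and the fix versions shown in the Fix Versions tab are what a practitioner reads when deciding whether a deployed version is affected and what to upgrade to. The following is an added example, not code from the Xray product or this page: it parses a set expression in the form the page shows (a comma-separated mix of exact versions and "low ≤ version ≤ high" ranges), checks whether a candidate version falls in the set, and picks the lowest fix version above the current one. The version-ordering rules (dotted numeric segments, a non-numeric suffix such as "ga" or "_rc9" sorting below the bare number, strict "<" accepted beside "≤"/"<=") are assumptions for the example; exact entries are compared literally, because Xray does not document how it orders pre-release tags.

```python
import re
from typing import List, Optional, Tuple

# The infected-version set quoted on the page, used as sample input.
PAGE_EXAMPLE = "2.0ga, 2.0_rc9, 2.0_rc10, 2.0_rc11, 2.0.1, 2.1.0 ≤ version ≤ 2.1.0.1"

# One bounded range entry, e.g. "2.1.0 ≤ version ≤ 2.1.0.1".
# "≤" is what the page shows; "<=" and strict "<" are accepted as an assumption.
_RANGE_RE = re.compile(
    r"^\s*(?P<low>[^\s<≤]+)\s*(?P<lop><=|<|≤)\s*version\s*(?P<hop><=|<|≤)\s*(?P<high>\S+)\s*$"
)


def version_key(version: str) -> Tuple[Tuple[int, bool, str], ...]:
    """Turn a dotted version into a tuple that sorts in release order.

    Each segment becomes (number, has_no_suffix, suffix): "0ga" -> (0, False, "ga"),
    so a suffixed segment sorts below the plain number (pre-release convention,
    an assumption for this example). A missing number (e.g. "ga") sorts first.
    """
    parts = []
    for seg in version.split("."):
        m = re.match(r"(\d*)(.*)", seg)
        num = int(m.group(1)) if m.group(1) else -1
        suffix = m.group(2)
        parts.append((num, suffix == "", suffix))
    return tuple(parts)


class InfectedVersions:
    """A parsed infected-version set: literal versions plus bounded ranges."""

    def __init__(self, expression: str) -> None:
        self.exact: set = set()
        # Each range: (low, low_inclusive, high, high_inclusive)
        self.ranges: List[Tuple[str, bool, str, bool]] = []
        for entry in expression.split(","):
            entry = entry.strip()
            if not entry:
                continue
            m = _RANGE_RE.match(entry)
            if m:
                self.ranges.append((m["low"], m["lop"] != "<", m["high"], m["hop"] != "<"))
            else:
                self.exact.add(entry)

    def contains(self, version: str) -> bool:
        """True if the version is listed literally or falls inside any range."""
        if version in self.exact:
            return True
        k = version_key(version)
        for low, low_inc, high, high_inc in self.ranges:
            lk, hk = version_key(low), version_key(high)
            above = k >= lk if low_inc else k > lk
            below = k <= hk if high_inc else k < hk
            if above and below:
                return True
        return False


def infected_subset(expression: str, versions: List[str]) -> List[str]:
    """Filter a list of indexed versions (as in the Versions panel) to the infected ones."""
    iv = InfectedVersions(expression)
    return [v for v in versions if iv.contains(v)]


def suggest_upgrade(current: str, fix_versions: List[str]) -> Optional[str]:
    """Lowest fix version strictly above the current one, or None if none qualifies."""
    ck = version_key(current)
    candidates = [v for v in fix_versions if version_key(v) > ck]
    return min(candidates, key=version_key) if candidates else None


if __name__ == "__main__":
    indexed = ["1.9", "2.0_rc9", "2.0.2", "2.1.0", "2.1.0.1", "2.1.1"]
    print("infected:", infected_subset(PAGE_EXAMPLE, indexed))
    print("upgrade 2.1.0 to:", suggest_upgrade("2.1.0", ["2.0.2", "2.1.0.2", "2.1.1"]))
```

Running the module on its sample input reports "2.0_rc9", "2.1.0" and "2.1.0.1" as infected and proposes "2.1.0.2" as the nearest fix above "2.1.0". When Xray lists pre-release tags the set does not cover, extend `version_key` rather than the range check, since all ordering decisions go through it.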

Actions Menu

The Actions menu in the Details panel lets you perform the following actions on the selected component:

Scan for Violations: Scans the current component for violations

Assign Custom Issue: Lets you specify a custom issue and assign it to the component:

Assign Custom Issue

Issue Title
A descriptive title for the issue.
Component ID
The ID of the component to which the issue was assigned.
Issue Description
A more detailed description of the issue.
Severity
The issue severity
Type
The issue type
Properties
Allows you to add custom properties to the issue

Assign a Custom License: Lets you assign a custom license to a component:

Assign Custom License

A license created by a user is tagged as a Custom license and can be deleted by users assigned the Manage Components permission. The custom license is assigned to a specific version, is propagated to parent components and becomes part of their license list. It triggers an impact analysis and generates violations if it matches the criteria of any existing Watches.

The new license is included in the scan the next time a security report is generated.

Delete License

More Info

The Locations tab allows you to easily navigate from Xray directly to the component in Artifactory, by hovering over the component and clicking on More Info.


Getting Your Component License Reports

  1. Click Components and run the filter to search for your builds or required artifacts associated with the build.
  2. Click Licenses tab in the Details area.
  3. Click Export.
  4. In the Export as dialog, select the target report format: CSV or JSON.


    The file is downloaded to your local drive.

    CSV format report example


    JSON format report example

Examining Violations

To examine the details of a violation, click the violation in the list displayed on the Component Details panel to display the Violation Details popup.

Issue Details

The Impact panel of the Violation Details popup provides a list of all components which are impacted by this violation. Select any component in the list to view the full hierarchy of components affected.


Watch the Screencast

Watch this screencast to learn how to use Xray's component-centric navigation.
