Using the latest JFrog products?
JFrog Platform User Guide
JFrog Xray 2.x Documentation
To get the latest version, go to the JFrog Unified Platform
Searching for Components
At the top of the Components module you can enter a variety of parameters to search for specific components. Click search to run the query.
|A free-text term to search for in the name of the component.|
|Specifies when the component was last modified in Xray. You can select one of the preset time ranges, or specify a custom range.|
|Specifies whether you are searching for a Package, a Build or a File.|
|Restricts search results to the specified package type.|
|Only components with vulnerabilities with the specified severity and above will be displayed.|
|Only components scanned and detected to include the specified CVE will be displayed.|
The search results are displayed in a table showing the following parameters
|Indicates if the component is a package, a build or a file|
|The name of the component|
|The latest version of the component where applicable ("files" don't have versions)|
|Indicates when the component was last modified in Xray (e.g., last indexed or status changed)|
|Indicates the highest severity of any of the issues found for the component. .|
To drill down and view the details about a component, click its name in the list of search results. The Component Details view is split up into three panels:
- Summary Strip
- Versions Panel
- Details Panel
The strip at the top of the Component Details view varies slightly depending on whether the component is a package, a build or a file, and displays a summary of the components most basic information.
For a package, the summary strip displays:
- The package type logo for quick and easy identification
- Latest Version: The latest version of the package that is available. The "Internal" version shows the latest version that is hosted by your Artifactory instance, and "Public" shows the latest version that is publicly available on the external web.
- Created: The package's creation date
- Last Updated: Last time the package was indexed or modified
- Status: The scan status which may be one of the following:
- Pending Scan - The component has been indexed by Artifactory, but has not yet been scanned by Xray
- Scanned - No Issues - The component has been scanned and no security vulnerabilities were found
- Low, Medium or High - The highest severity of any vulnerability found in the package
For a build, the summary strip displays:
- The logo of the CI server that ran the build with a link for direct and easy access to the build in Artifactory
- Status: The highest severity of any vulnerability found in the build
- Last Updated: Last time the build was indexed or modified
- Created: The build's creation date
- Latest Version: The latest version of the build that is available.
For a file, the summary strip displays:
- A file icon
- Status: The higher of the highest severity watch violation and highest severity of any vulnerability found in the file
- Last Updated: Last time the file was indexed or modified
- Created: The file's creation date
The Versions panel displays all the versions of the selected component that have been indexed by Xray. Select any of these versions to display detailed information about them. If publicly available versions of the selected component are available, Xray will display the Include Public checkbox. When set, Xray will also display those versions in the list, however, note that when selecting one of these versions, Xray may not be able to display additional information.
Select any version displayed in the Versions panel to get a list of issues detected in that specific version.
The details panel displays several details about the selected component including:
- Violations: These are violations to filters defined on a watch. They are only reported for the root component, not for its dependencies.
- Security: Known security vulnerabiliites for the selected component.
- Licenses: OSS licenses used by the component.
- Locations: Locations in Artifactory where the files of the component can be found along with an indication of which of the files are responsible for a violation.
- Descendants: Components that the selected component includes (depends on).
- Ancestors: Components that include (depend on) the selected component.
To focus on specific violations, you may filter the list displayed using the Filter by Summary field.
For root components, to avoid screen clutter, you can choose to ignore violations by selecting the Ignore All Violations link.
Ignore Once: Removes the current violations displayed for the selected version of the component.
Ignore Permanently: Removes the violations currently displayed and does not display them in the future.
The Violations tab of the Details panel provides the set of versions that are infected with the violation. The set can include a range of versions and specific versions in any combination. For example,
"2.0ga, 2.0_rc9, 2.0_rc10, 2.0_rc11, 2.0.1, 2.1.0 ≤ version ≤ 18.104.22.168".
The Fix Versions tab of the Details panel provides remediation information for the violation. This field indicates in which version of the selected components the violation has been fixed giving you the opportunity to upgrade to that version and thus remedy the violation.
The Actions menu in the Details panel lets you perform the following actions on the selected component:
Scan for Violations: Scans the current component for violations
Assign Custom Issue: Lets you specify a custom issue and assign it to the component:
|A descriptive title for the issue.|
|The ID of the component to which the issue was assigned.|
|A more description of the issue.|
|The issue severity|
|The issue type|
|Allows you to add custom properties to the issue|
Assign a Custom License: Lets you assign a custom license to a component:
A license created by a user is tagged as a Custom license and can be deleted by users assigned with the Manage Components permission. The custom license is assigned to a specific version and is propagated to parent components and is part of their license list. It triggers an impact analysis and generates violations in case it matches criteria of any existing Watches.
The new license is included in the scan the next time a security report is generated.
The Locations tab allows you to easily navigate from Xray directly to the component in Artifactory, by hovering over the component and clicking on More Info.
Exporting Component Details
Using the Actions menu, you can export full details for the selected component and version including violations, security issues and licenses. From the Details screen Actions menu, select Export Data.
In the following Select Data to Export popup, specify the component parameters that should be exported and the export format.
The file is downloaded to your local drive.
Below are some examples of exported files in different formats.
You can also automate exporting component details using the Export Component Details REST API endpoint.
To examine the details of a violation, click the violation in the list displayed on the Component Details panel to display the Violation Details popup.
The Impact panel of the Violoation Details popup provides a list of all components which are impacted by this violation. Select any component in the list to view the full hierarchy of components affected.
Watch the Screencast
Watch this screencast to learn how to use Xray's component-centric navigation.