Analyzing Detailed Scanned Data on Resources
Each of the scanned resources (packages, builds, artifacts and Release Bundles) contains the following set of Xray sub tabs and a list of actions.
The Xray Data sub tabs are:
- Violations: These are violations to filters defined on a watch. They are only reported for the root component, not for its dependencies.
- Security: Known security vulnerabilities for the selected component.
- Licenses: OSS licenses used by the component.
- Descendants: Components that the selected component includes (depends on).
- Ascendants: Components that include (depend on) the selected component.
The following sections describe the Xray Data sub tabs displaying the Packages resource as an example. Please note the tabs are identical for builds, artifacts and Release Bundles.
Displays the violations detected on the package version, based on the watches and the policies associated with them. You can view the severity and type of each violation and the policies it triggered. To view a component and its dependencies, click the Component icon. In some cases, when violations are detected, security or legal personnel may want to accept or whitelist some of them. For more information, see Ignore Rules.
Displays the known security vulnerabilities for the selected package version, the affected versions, and the fixed versions that no longer contain the vulnerability.
To examine the details of a violation, click the violation in the list to display the Issues Details popup.
Determining the Issue Severity Level for Operating Systems Packages
Xray initially populates its vulnerability and license data from the Xray global database server managed by JFrog. After this initial synchronization, Xray synchronizes with the central database daily to fetch new updates.
When analyzing the vulnerabilities for open source operating systems packages, Xray fetches data regarding the severity of the vulnerability from two sources:
- NVD: The National Vulnerability Database which contains known vulnerabilities each with their CVSS score.
- Security Advisory: Some open source operating systems maintain their own security trackers, with further analysis of how the vulnerability affects the operating system package.
Where the operating system's security advisory contains data about the vulnerability in a package, Xray computes the severity from that data instead of from the vulnerability's CVSS score.
The reason is that the operating system's security advisory team has done further analysis and reached a more precise conclusion about the priority, urgency or severity of the vulnerability within that operating system package.
To help you understand how Xray maps the information from each, we have outlined each operating system’s severity/priority and how it is presented in Xray.
Note that if a vulnerability's severity is Unknown in the security advisory, the severity is derived from the CVSS score in the NVD instead.
Vulnerabilities source: Ubuntu CVE Tracker
Severity mapped from: Priority
Priority to Xray Severity mapping:
Unknown (will use CVSS score from NVD)
Vulnerabilities source: Debian Security Bug Tracker
Severity mapped from: Urgency
Urgency to Severity mapping:
End of Life
Unknown (will use CVSS score from NVD)
Vulnerabilities source: Red Hat Security Advisories and CVE database
Severity mapped from: Severity Rating
Red Hat Severity to Severity mapping:
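The precedence rule described above (advisory rating first, NVD CVSS score when the advisory rating is Unknown or missing) is easy to get wrong when post-processing scan results, so here is an added example that models it. This is illustrative code, not JFrog's implementation. The rating-to-severity table it uses is a constructed sample, since Xray's actual Priority, Urgency and Red Hat Severity mapping tables are not reproduced on this page; the CVSS bands are the published CVSS v3.x qualitative ratings used by the NVD.

```python
# Added example (not JFrog's code): models the severity-selection rule in which
# an OS security advisory's rating takes precedence over the NVD CVSS score,
# and an "Unknown" advisory rating falls back to the CVSS score.
from typing import Dict, Optional, Tuple

# Constructed sample table. Xray's real priority/urgency/rating-to-severity
# tables are not reproduced on this page; replace these values with the
# distribution's documented mapping.
SAMPLE_ADVISORY_MAP: Dict[str, str] = {
    "critical": "Critical",
    "high": "High",
    "medium": "Medium",
    "low": "Low",
}


def nvd_severity(cvss_score: float) -> str:
    """Map a CVSS v3.x base score to the NVD qualitative rating bands."""
    if not 0.0 <= cvss_score <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss_score}")
    if cvss_score == 0.0:
        return "None"
    if cvss_score < 4.0:
        return "Low"
    if cvss_score < 7.0:
        return "Medium"
    if cvss_score < 9.0:
        return "High"
    return "Critical"


def resolve_severity(advisory_rating: Optional[str],
                     cvss_score: Optional[float],
                     advisory_map: Dict[str, str] = SAMPLE_ADVISORY_MAP) -> Tuple[str, str]:
    """Return (severity, source).

    source is "advisory" when the OS advisory rating was used, "nvd" when the
    NVD CVSS score was used, and "none" when neither source had usable data.
    """
    if advisory_rating is not None:
        key = advisory_rating.strip().lower()
        # "Unknown" is the documented fallback case. An advisory value that is
        # absent from the mapping (for example an "End of Life" entry) is treated
        # the same way here; that is this example's choice, not a documented rule.
        if key != "unknown" and key in advisory_map:
            return advisory_map[key], "advisory"
    if cvss_score is None:
        return "Unknown", "none"
    return nvd_severity(cvss_score), "nvd"


# Constructed findings: (placeholder CVE id, advisory rating, NVD CVSS score).
SAMPLE_FINDINGS = [
    ("CVE-EXAMPLE-0001", "Low", 9.8),       # advisory overrides a critical CVSS score
    ("CVE-EXAMPLE-0002", "Unknown", 7.5),   # falls back to NVD: High
    ("CVE-EXAMPLE-0003", None, 3.1),        # no advisory entry: Low from NVD
    ("CVE-EXAMPLE-0004", "Unknown", None),  # nothing usable: Unknown
]


def resolve_findings(findings=SAMPLE_FINDINGS):
    """Resolve every finding to (cve, severity, source)."""
    return [(cve,) + resolve_severity(rating, score) for cve, rating, score in findings]


if __name__ == "__main__":
    for cve, severity, source in resolve_findings():
        print(f"{cve}: {severity} (from {source})")
```

The first sample finding is the case worth checking in your own reporting: a CVSS 9.8 vulnerability shown as Low because the distribution's advisory team rated its impact on that package as Low. If a downstream report re-derives severity from the CVSS score alone, it will disagree with what Xray displays.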
Displays the licenses assigned to the selected version and triggers violations if a license matches the criteria of any existing Watch. Click a license to view the components it is attached to.
Displays the components that the selected component includes (depends on).
Displays only dependencies that are actually present within the component. Dependencies that are not included in the package but are only referenced in a metadata file, located within the package or alongside it, are not shown. Examples of such metadata files:
- A Maven pom.xml located in the package and/or alongside the package jar.
- An NPM package.json found inside the package.
Displays components that include (depend on) the selected component.
Scanning for Violations
To initiate a manual scan on your package version, select Scan for Violations from the Actions list.
Assigning Custom Issues
A security vulnerability created by a user is tagged as a Custom issue and can be deleted by users assigned with the Manage Xray Metadata permission.
Assigning Custom Licenses
A license created by a user is tagged as a Custom license and can be deleted by
From the Actions list, select Assign a Custom License to assign a custom license to a component in your version.
Select a license from a predefined list of licenses.
Click Save. A manual scan is triggered to update the license list.
Exporting Xray Data
Using the Actions menu, you can export full details for the selected component and version including violations, security issues and licenses. From the Xray Data tab on the package versions page, select Export Data from the Actions list.
In the Export Data popup that opens, select which data to export (violations, licenses, security issues) and the export format.
The file is downloaded to your local drive.
Below are some examples of exported files in different formats.
You can also automate exporting component details using the Export Component Details REST API endpoint.