Overview
As part of JFrog's shift left efforts to aid developers, Xray also provides the capability to scan your sources dependencies using the JFrog CLI for vulnerabilities and licenses violations. With this feature, before a developer even checks-in the code they can scan for security or license violations saving valuable time to address these issues. Using a simple command line tool, you can scan a source directory that can be run anywhere and anytime, providing a faster scan, without the need to compile, test or deploy to Artifactory. This enables you to detect vulnerabilities in your dependencies as early as possible.
Once you run the command successfully, Xray scans your dependencies the same way it would when run against artifacts in Artifactory repositories. For more information, see Xray Security and Compliance. The CLI returns a detailed scan results report that contains the details of vulnerabilities and violations discovered in your dependency tree.
This is only supported for Maven, Gradle, and npm packages. Starting from JFrog CLI version 2.4.0 PyPI and Go packages are supported. |
Setting Up Xray Dependencies Scan
- Install Xray
- Install JFrog CLI version 2.1.0
How Does it Work?
Step 1 - Trigger the JFrog CLI
Trigger the JFrog CLI in a directory containing the source files.
Step 2 - Run the JFrog CLI Command
Supported commands in the JFrog CLI: (links to the section in cli)
Auditing an Npm Project: The
audit-npmcommand audits an npm project, by generating a dependency tree for the sources, and scans it with Xray. The command should be executed while inside the root directory of the project.Auditing Maven Projects: The
audit-mvncommand audits Maven projects, by generating a dependency tree for the sources, and scans it with Xray. The command should be executed while inside the root directory of the project.Auditing Gradle Projects: The
audit-gradlecommand audits Gradle projects, by generating a dependency tree for the sources, and scans it with Xray. The command should be executed while inside the root directory of the project.- Auditing Pip Projects: The The
audit-pipcommand audits Pip projects, by generating a dependency tree for the sources, and scans it with Xray. The command should be executed while inside the root directory of the project. - Auditing Go Projects: The
audit-gocommand audits Go projects, by generating a dependency tree for the sources, and scans it with Xray. The command should be executed while inside the root directory of the project.
Run the scan command with the relevant command options. You can view scan results for the following:
- Vulnerabilities
- Violations
- Licenses
By default, the scan returns vulnerabilities data found in your dependencies. To retrieve violations data, use one of the following methods:
Watches - Select Watches to apply to the scan.
Repo Path - Provide a target destination path in Artifactory, and Watches will be determined by the path.
Project - Select a Project by project key, and use all Watches defined for the Project.
Take note, that if you run the scan using one of these command options, the scan results will only show violations data and not vulnerabilities data. To view vulnerabilities data, run the scan without these options.
Step 3 - View Results
The results are displayed in table format.
You can also view results in JSON format for automation purposes and to view more scan results data by using the following command option:
--format=json |
{
"scan_id": "11148acb-f8d4-4640-56e4-db312cb5ba0c",
"violations": [
{
"summary": "Apache Commons IO FileNameUtils.normalize Path Traversal Remote File Disclosure Weakness",
"severity": "Medium",
"type": "security",
"components": {
"gav://commons-io:commons-io:2.2": {
"fixed_versions": [
"[2.7]"
],
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://commons-io:commons-io:2.2",
"full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
}
]
]
}
},
"watch_name": "Sec-Watch",
"issue_id": "XRAY-78200",
"ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=XRAY-78200&show_popup=true&type=security&watch_name=Sec-Watch",
"cves": [
{
}
],
"references": [
"https://issues.apache.org/jira/browse/IO-556"
],
},
{
"severity": "Medium",
"type": "security",
"components": {
"gav://commons-io:commons-io:2.2": {
"fixed_versions": [
"[2.7]"
],
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://commons-io:commons-io:2.2",
"full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
}
]
},
"watch_name": "Sec-Watch",
"issue_id": "XRAY-172728",
"ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=XRAY-172728&show_popup=true&type=security&watch_name=Sec-Watch",
"cves": [
{
"cve": "CVE-2021-29425",
"cvss_v2_score": "5.0",
"cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3_score": "5.3",
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"references": [
"https://issues.apache.org/jira/browse/IO-556",
"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
],
},
{
"severity": "High",
"type": "license",
"components": {
"gav://org.slf4j:slf4j-api:1.7.5": {
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://org.slf4j:slf4j-api:1.7.5",
"full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"
}
]
]
}
},
"watch_name": "Sec-Watch",
"ignore_url": "http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=MIT&show_popup=true&type=security&watch_name=Sec-Watch",
"references": [
"http://www.opensource.org/licenses/MIT",
"http://www.opensource.org/licenses/mit-license.php",
"https://spdx.org/licenses/MIT",
"https://spdx.org/licenses/MIT.html"
],
"license_key": "MIT",
"license_name": "The MIT License",
}
],
"licenses": [
{
"license_key": "Apache-2.0",
"components": {
"gav://commons-io:commons-io:2.2": {
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://commons-io:commons-io:2.2",
"full_path": "META-INF/maven/commons-io/commons-io/pom.xml"
}
]
]
},
"gav://commons-lang:commons-lang:2.6": {
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://commons-lang:commons-lang:2.6",
"full_path": "META-INF/maven/commons-lang/commons-lang/pom.xml"
}
]
]
},
"gav://de.is24.common:appmon4j-agent:1.53": {
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "META-INF/maven/de.is24.common/appmon4j-agent/pom.xml"
}
],
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
}
],
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
}
]
]
},
"gav://de.is24.common:appmon4j-core:1.53": {
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
}"http://www.opensource.org/licenses/Apache-2.0",
{
"impact_paths": [
]"status": "completed""violations": [
"severity": "Medium",
"type": "security",
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
],
},
"type": "security",
"components": {
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N",
}"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
],
},
{
},
{
"references": [
"https://spdx.org/licenses/MIT.html""license_name": "The MIT License",
}"gav://commons-io:commons-io:2.2": {
},
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar""impact_paths": [
"component_id": "gav://de.is24.common:appmon4j-agent:1.53""full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
"gav://de.is24.common:appmon4j-agent:1.53": {
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
[
{
"component_id": "gav://de.is24.common:appmon4j-core:1.53",
"full_path": "META-INF/maven/de.is24.common/appmon4j-core/pom.xml"
}
]
]
}
},
"references": [
"http://www.opensource.org/licenses/Apache-2.0",
"http://www.opensource.org/licenses/apache2.0.php",
"https://spdx.org/licenses/Apache-2.0",
"https://spdx.org/licenses/Apache-2.0.html",
"http://www.apache.org/licenses/LICENSE-2.0",
"https://licenses.nuget.org/Apache-2.0",
"http://licenses.nuget.org/Apache-2.0",
"https://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt",
"http://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt"
]
},
{
"license_key": "MIT",
"components": {
"gav://org.slf4j:slf4j-api:1.7.5": {
"impact_paths": [
[
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53"
},
{
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"full_path": "./usr/lib/appmon4j/appmon4j-agent-jar-with-dependencies.jar"
},
{
"component_id": "gav://org.slf4j:slf4j-api:1.7.5",
"full_path": "META-INF/maven/org.slf4j/slf4j-api/pom.xml"
}
]
]
}
},
"references": [
"http://www.opensource.org/licenses/MIT",
"http://www.opensource.org/licenses/mit-license.php",
"https://spdx.org/licenses/MIT",
"https://spdx.org/licenses/MIT.html"
]
}
],
"component_id": "gav://de.is24.common:appmon4j-agent:1.53",
"package_type": "Maven",
"status": "completed"
}
}
|
| Field Name | Description | Example |
|---|---|---|
artifact_name | The name of the artifact. | jenkins-war-2.289.1.war |
component_id | Component ID in JFrog Component Format Standards. | |
package_type | Type of the artifact package. | Maven |
repo_path | The repo path as it was provided in the scan request. | default/maven-local-repo/org/jenkins-ci/main/jenkins-war/2.289.1/ |
scan_id | Unique scan ID. | 4f811ab8-51a2-4baf-61d3-3a277aaa8066 |
status | Scan status. If a scan is pending, completed or failed. | pending failed completed |
violations | A list of minimal violations. | |
violations[].summary | ||
violations[].severity | Medium Critical | |
violations[].type | Security or license. | security |
violations[].components | Map of violating component the lowest level in the artifact graph. The Key is component ID. | |
violations[].components[].impact_paths | List of impact paths. Each impact path is a JSON array by itself, indicating the path from the artifact in the scan to the vulnerable component in the graph. | |
violations[].components[].impact_paths[][].component_id | The component ID in the current impact path node. | |
violations[].components[].impact_paths[][].full_path | The file path of the current component, relative to the previous component in the list. The first component (which is the artifact itself) will not have full_path filled. | META-INF/maven/commons-httpclient/commons-httpclient/pom.xml |
violations[].components[].fixed_versions | Versions of the component in which this violation is not effective anymore. | ["[4.0.9-2+deb9u4]", "[4.0.10-3+deb9u4]"] |
violations[].watch_name | Watch that created the violation. | cloud-watch |
violations[].issue_id | Xray issue ID. | XRAY-73704 |
violations[].ignore_url | Violation Ignore Rule Creation URL. | http://jfrog.com/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=11148acb-f8d4-4640-56e4-db312cb5ba0c&issue_id=MIT&show_popup=true&type=security&watch_name=Sec-Watch |
violations[].cves | List of CVE objects. | |
violations[].cves[].cve | CVE ID. | CVE-2018-9116 |
violations[].cves[].cvss_v2_score | 6.4 | |
violations[].cves[].cvss_v3_score | 9.1 | |
violations[].cves[].cvss_v2_vector | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P | |
violations[].cves[].cvss_v3_vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | |
violations[].references | Links for more information. | |
violations[].fail_build | Indicates if this violation fails a build. | true |
violations[].license_key | Apache-2.0 | |
violations[].license_name | The Apache Software License, Version 2.0 | |
vulnerabilities | List of vulnerabilities discovered on the scanned graph. | |
vulnerabilities[].cves | List of CVE objects. | |
vulnerabilities[].summary | Summary of the vulnerability. | |
vulnerabilities[].severity | Medium Critical | |
vulnerabilities[].vulnerable_components | List of vulnerable components, the lowest level in the artifact graph | |
vulnerabilities[].components | List of vulnerable components, the lowest level in the artifact graph. | |
licenses | List of licenses | |
licenses[].license_key | Apache-2.0 | |
licenses[].license_name | The Apache Software License, Version 2.0 | |
licenses[].components | Map of components with this license, where the key is component ID. | |
licenses[].custom | Indicated if this is a custom license. | false |
licenses[].references | Links for more information |