Overview

The Components module implements a content-driven workflow that lets you single out the components you are interested in and drill down into them to understand their state in detail. This is done using the following main steps:

  1. Search
    Enhanced search lets you single out components based on a variety of parameters.

  2. Drill down
    Once Xray has found all components that match your search query, you can select the one that interests you and drill down to get more details about it.

  3. Examine violations and metadata
    After drilling down into a specific component, you can examine all the violations detected for each version of that component and get detailed information about each violation and about all other components in your system that are affected by it.



Searching for Components

At the top of the Components module you can enter a variety of parameters to search for specific components. Click Search to run the query.

Contains Text
A free-text term to search for in the name of the component.
Last Updated
Specifies when the component was last modified in Xray. You can select one of the preset time ranges, or specify a custom range.
Component Type
Specifies whether you are searching for a Package, a Build or a File.
Package Type
Restricts search results to the specified package type.
Min Severity
Only components with vulnerabilities of the specified severity or above will be displayed.
CVE
Only components scanned and detected to include the specified CVE will be displayed.

Search Results

Components

The search results are displayed in a table showing the following parameters:

Type
Indicates if the component is a package, a build or a file
Name
The name of the component
Latest Version
The latest version of the component where applicable ("files" don't have versions)
Modified
Indicates when the component was last modified in Xray (e.g., last indexed or status changed)
Status
Indicates the highest severity of any of the issues found for the component.

Component Details

To drill down and view the details about a component, click its name in the list of search results. The Component Details view is split up into three panels:

  • Summary Strip
  • Versions Panel
  • Details Panel

Component Details

Summary Strip

The strip at the top of the Component Details view varies slightly depending on whether the component is a package, a build or a file, and displays a summary of the component's most basic information.

Package

Summary Strip

For a package, the summary strip displays:

  • The package type logo for quick and easy identification
  • Latest Version: The latest version of the package that is available. The "Internal" version shows the latest version that is hosted by your Artifactory instance, and "Public" shows the latest version that is publicly available on the external web.
  • Created: The package's creation date
  • Last Updated: Last time the package was indexed or modified
  • Status: The scan status which may be one of the following:
    • Pending Scan - The component has been indexed by Artifactory, but has not yet been scanned by Xray
    • Scanned - No Issues - The component has been scanned and no security vulnerabilities were found
    • Low, Medium or High - The highest severity of any vulnerability found in the package

Build

Build Summary Strip

For a build, the summary strip displays:

  • The logo of the CI server that ran the build with a link for direct and easy access to the build in Artifactory
  • Status: The highest severity of any vulnerability found in the build
  • Last Updated: Last time the build was indexed or modified
  • Created: The build's creation date
  • Latest Version: The latest version of the build that is available.

File

File Summary Strip

For a file, the summary strip displays:

  • A file icon
  • Status: The higher of the highest severity watch violation and highest severity of any vulnerability found in the file
  • Last Updated: Last time the file was indexed or modified
  • Created: The file's creation date

Versions Panel

The Versions panel displays all the versions of the selected component that have been indexed by Xray. Select any of these versions to display detailed information about it. If publicly available versions of the selected component exist, Xray displays the Include Public checkbox. When set, Xray also displays those versions in the list; however, note that when you select one of these versions, Xray may not be able to display additional information about it.

Select any version displayed in the Versions panel to get a list of issues detected in that specific version.

List of Versions


Details Panel

The details panel displays several details about the selected component including:

Details Panel

  • Violations: These are violations to filters defined on a watch. They are only reported for the root component, not for its dependencies.
  • Security: Known security vulnerabilities for the selected component.
  • Licenses: OSS licenses used by the component.
  • Locations: Locations in Artifactory where the files of the component can be found along with an indication of which of the files are responsible for a violation.
  • Descendants: Components that the selected component includes (depends on).
  • Ancestors: Components that include (depend on) the selected component.

To focus on specific violations, you may filter the list displayed using the Filter by Summary field.

Ignoring Violations

For root components, to avoid screen clutter, you can choose to ignore violations by selecting the Ignore All Violations link.

Ignore All Violations

Ignore Once: Removes the current violations displayed for the selected version of the component.

Ignore Permanently: Removes the violations currently displayed and does not display them in the future.

Infected Versions

The Violations tab of the Details panel provides the set of versions that are infected with the violation. The set can include a range of versions and specific versions in any combination. For example, "2.0ga, 2.0_rc9, 2.0_rc10, 2.0_rc11, 2.0.1, 2.1.0 ≤ version ≤ 2.1.0.1".
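To check whether the version you actually depend on falls inside such a set, here is an added Python example (not part of Xray or its documentation) that parses the infected-version string quoted above. It assumes the set is a comma-separated mix of exact version strings and "lo ≤ version ≤ hi" ranges whose bounds are dotted numeric versions; the "<" and "<=" operator forms are also accepted as an assumption, since the page only shows "≤".

```python
import re

# Constructed from the example set quoted in the text above; the layout
# (comma-separated exact versions plus "lo OP version OP hi" ranges) is assumed.
INFECTED_SET = "2.0ga, 2.0_rc9, 2.0_rc10, 2.0_rc11, 2.0.1, 2.1.0 ≤ version ≤ 2.1.0.1"

# One range item; OP is ≤, <= or <. The "<" forms are assumed, not shown on the page.
RANGE_RE = re.compile(r"^(?P<lo>\S+)\s*(?P<lo_op>≤|<=|<)\s*version\s*(?P<hi_op>≤|<=|<)\s*(?P<hi>\S+)$")

def version_key(version):
    """Order dotted versions numerically per segment: 2.1.0 < 2.1.0.1 < 2.1.1.
    A suffix such as "ga" sorts after the bare number of the same segment."""
    key = []
    for segment in version.split("."):
        match = re.match(r"^(\d+)(.*)$", segment)
        if match:
            key.append((0, int(match.group(1)), match.group(2)))
        else:
            key.append((1, 0, segment))  # purely textual segment sorts last
    return tuple(key)

def parse_infected_set(text):
    """Split the set into exact version strings and (lo, lo_incl, hi, hi_incl) ranges."""
    exact, ranges = set(), []
    for item in (part.strip() for part in text.split(",")):
        if not item:
            continue
        match = RANGE_RE.match(item)
        if match is None:
            exact.add(item)  # e.g. "2.0_rc9": matched literally, never ordered
        else:
            ranges.append((match.group("lo"), match.group("lo_op") != "<",
                           match.group("hi"), match.group("hi_op") != "<"))
    return exact, ranges

def is_infected(version, infected_set=INFECTED_SET):
    """True if `version` is listed exactly or falls inside one of the ranges."""
    exact, ranges = parse_infected_set(infected_set)
    if version in exact:
        return True
    key = version_key(version)
    for lo, lo_incl, hi, hi_incl in ranges:
        above_lo = key >= version_key(lo) if lo_incl else key > version_key(lo)
        below_hi = key <= version_key(hi) if hi_incl else key < version_key(hi)
        if above_lo and below_hi:
            return True
    return False
```

Versions with non-numeric tags (2.0ga, 2.0_rc9) are only ever matched literally, so a pre-release that the set omits is reported clean; compare such versions by hand.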

Remediation

The Fix Versions tab of the Details panel provides remediation information for the violation. This field indicates in which version of the selected component the violation has been fixed, giving you the opportunity to upgrade to that version and thus remedy the violation.

Actions Menu

The Actions menu in the Details panel lets you perform the following actions on the selected component:

Scan for Violations: Scans the current component for violations

Assign Custom Issue: Lets you specify a custom issue and assign it to the component:

Assign Custom Issue

Issue Title
A descriptive title for the issue.
Component ID
The ID of the component to which the issue was assigned.
Issue Description
A more detailed description of the issue.
Severity
The issue severity.
Type
The issue type.
Properties
Allows you to add custom properties to the issue.

Assign a Custom License: Lets you assign a custom license to a component:

Assign Custom License

A license created by a user is tagged as a Custom license and can be deleted by users assigned the Manage Components permission. The custom license is assigned to a specific version, is propagated to parent components and becomes part of their license list. It triggers an impact analysis and generates violations in case it matches the criteria of any existing Watches.

The new license is included in the scan the next time a security report is generated.

Delete License

More Info

The Locations tab allows you to easily navigate from Xray directly to the component in Artifactory, by hovering over the component and clicking on More Info.


Exporting Component Details

Using the Actions menu, you can export full details for the selected component and version, including violations, security issues and licenses. From the Details screen Actions menu, select Export Data.

Export Data

In the following Select Data to Export popup, specify the component parameters that should be exported and the export format.

The file is downloaded to your local drive.

Below are some examples of exported files in different formats.

You can also automate exporting component details using the Export Component Details REST API endpoint.


Examining Violations

To examine the details of a violation, click the violation in the list displayed on the Component Details panel to display the Violation Details popup.

Issue Details

The Impact panel of the Violation Details popup provides a list of all components which are impacted by this violation. Select any component in the list to view the full hierarchy of components affected.


Watch the Screencast

Watch this screencast to learn how to use Xray's component-centric navigation.

<iframe width="560" height="315" src="https://www.youtube.com/embed/hXc1LWQq9Lo" frameborder="0" allowfullscreen></iframe>