jfrog / jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
https://www.jfrog.com/confluence/display/CLI/JFrog+CLI
Apache License 2.0

audit-mvn with specific watch not displaying results in table format but do in JSON format #1186

Closed etingertal closed 3 years ago

etingertal commented 3 years ago

Describe the bug: audit-mvn (in front of Xray 3.29.0) is not displaying results in table format when specifying a watch, but does when the format is JSON.

To Reproduce: Run 'jfrog xr audit-mvn --watches "WATCH_NAME"' (in this case there were 16 violations)

Expected behavior: Show the same results in both formats.

Screenshots: n/a

Versions:

Additional context: n/a

sophietait commented 3 years ago

Seeing similar behavior with jfrog xr scan command

Expected behavior: Same results for all commands
Actual behavior: No vulnerabilities are reported with the --watches flag

JFrog CLI version: 2.1.1
Artifactory version: 7.21.12
Xray version: 3.29.0

sophiet-mac:jfrog-cli sophiet$ ./jfrog xr scan "debug-2.6.8.tgz"
[Info] [Thread 2] Indexing file: debug-2.6.8.tgz
The full scan results are available here: /var/folders/rj/c5kk2nk11r58tm88_jg7428c0000gn/T/jfrog.cli.temp.-1628529133-755840038
Note: no context was provided, so no policy could be determined to scan against.
You can get a list of custom violations by providing one of the command options: --watches, --target-path or --project.
Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
Below are all vulnerabilities detected.
Vulnerabilities
┌──────────┬──────────────────┬──────────┬──────┬────────────────┬───────────┬───────────┬────────────────┬──────┬──────┬────────────┐
│ SEVERITY │ IMPACTED PACKAGE │ IMPACTED │ TYPE │ FIXED VERSIONS │ COMPONENT │ COMPONENT │ CVE            │ CVSS │ CVSS │ ISSUE ID   │
│          │                  │ PACKAGE  │      │                │           │ VERSION   │                │ V2   │ V3   │            │
│          │                  │ VERSION  │      │                │           │           │                │      │      │            │
├──────────┼──────────────────┼──────────┼──────┼────────────────┼───────────┼───────────┼────────────────┼──────┼──────┼────────────┤
│ Medium   │ debug            │ 2.6.8    │ npm  │ [4.3.1]        │ debug     │ 2.6.8     │ CVE-2017-16137 │ 5.0  │ 5.3  │ XRAY-72687 │
│          │                  │          │      │ [3.2.7]        │           │           │                │      │      │            │
│          │                  │          │      │ [3.1.0]        │           │           │                │      │      │            │
│          │                  │          │      │ [2.6.9]        │           │           │                │      │      │            │
└──────────┴──────────────────┴──────────┴──────┴────────────────┴───────────┴───────────┴────────────────┴──────┴──────┴────────────┘
sophiet-mac:jfrog-cli sophiet$ ./jfrog xr scan "debug-2.6.8.tgz" --watches "general-repo-watch"
[Info] [Thread 2] Indexing file: debug-2.6.8.tgz
The full scan results are available here: /var/folders/rj/c5kk2nk11r58tm88_jg7428c0000gn/T/jfrog.cli.temp.-1628529144-267761353
Security Violations
┌───────────────────────────────────┐
│ No security violations were found │
└───────────────────────────────────┘
License Compliance Violations
┌─────────────────────────────────────────────┐
│ No license compliance violations were found │
└─────────────────────────────────────────────┘
sophiet-mac:jfrog-cli sophiet$ ./jfrog xr scan "debug-2.6.8.tgz" --watches "general-repo-watch" --format=json
[Info] [Thread 2] Indexing file: debug-2.6.8.tgz
[
  {
    "scan_id": "d15459b2-f6be-4a22-654e-15f8482bddd8",
    "violations": [
      {
        "summary": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.",
        "severity": "Medium",
        "type": "security",
        "watch_name": "general-repo-watch",
        "issue_id": "XRAY-72687",
        "cves": [
          {
            "cve": "CVE-2017-16137",
            "cvss_v2_score": "5.0",
            "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "cvss_v3_score": "5.3",
            "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          }
        ],
        "references": [
          "https://nodesecurity.io/advisories/534",
          "https://github.com/visionmedia/debug/pull/504",
          "https://github.com/visionmedia/debug/issues/501"
        ],
        "ignore_url": "http://JFROG_URL:8082/ui/admin/xray/policiesGovernance/ignore-rules?comp_id=npm%3A%2F%2Fdebug%3A2.6.8\u0026have_more_comps=false\u0026issue_id=XRAY-72687\u0026path=debug-2.6.8.tgz\u0026show_popup=true\u0026type=security\u0026watch_id=5c06df1de1507d871532eddd\u0026watch_name=general-repo-watch"
      }
    ],
    "component_id": "npm://debug:2.6.8",
    "package_type": "Npm",
    "status": "completed"
  }
]
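As an added example (not code from the thread or from the JFrog CLI project), a small consumer of the --format=json output shown above: it flattens the violations into rows and applies a severity gate, so a CI job can fail on watch violations from the JSON even while the table view prints none. The sample JSON is constructed from the fields quoted above, and the severity ordering is an assumption.

```python
import json
from collections import Counter

# Constructed sample mirroring the `jfrog xr scan ... --watches ... --format=json` output quoted above.
SAMPLE_JSON = """[
  {
    "violations": [
      {
        "severity": "Medium",
        "type": "security",
        "watch_name": "general-repo-watch",
        "issue_id": "XRAY-72687",
        "cves": [{"cve": "CVE-2017-16137", "cvss_v2_score": "5.0", "cvss_v3_score": "5.3"}]
      }
    ],
    "component_id": "npm://debug:2.6.8"
  }
]"""

# Assumed ordering of Xray severity labels (not defined in the thread).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def flatten_violations(scan_json):
    """One row per (component, violation, CVE); a violation without a CVE list
    (e.g. a license violation) still yields one row with cve=None."""
    rows = []
    for result in json.loads(scan_json):
        for v in result.get("violations", []):
            for c in v.get("cves") or [{}]:
                score = c.get("cvss_v3_score")
                rows.append({
                    "component": result["component_id"],
                    "watch": v.get("watch_name"),
                    "type": v["type"],
                    "severity": v["severity"],
                    "issue_id": v.get("issue_id"),
                    "cve": c.get("cve"),
                    "cvss_v3": float(score) if score else None,
                })
    return rows

def count_by_severity(rows):
    return dict(Counter(r["severity"] for r in rows))

def exceeds_threshold(rows, min_severity="High"):
    """CI gate: True if any security violation is at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    return any(r["type"] == "security" and SEVERITY_RANK.get(r["severity"], 0) >= floor
               for r in rows)
```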
eyalbe4 commented 3 years ago

Thanks for reporting this issue. It appears that the fix will be applied on Xray's side. We'll update here when the fix becomes available.

etingertal commented 3 years ago

The issue happens only if there are ignore rules for any component. Fixed in Xray version 3.31.x. Thanks :)