Closed etingertal closed 3 years ago
Seeing similar behavior with the jfrog xr scan command.
Expected behavior: Same results for all commands
Actual behavior: No vulnerabilities are reported with the --watches flag
JFrog CLI version: 2.1.1
Artifactory version: 7.21.12
Xray version: 3.29.0
sophiet-mac:jfrog-cli sophiet$ ./jfrog xr scan "debug-2.6.8.tgz"
[Info] [Thread 2] Indexing file: debug-2.6.8.tgz
The full scan results are available here: /var/folders/rj/c5kk2nk11r58tm88_jg7428c0000gn/T/jfrog.cli.temp.-1628529133-755840038
Note: no context was provided, so no policy could be determined to scan against.
You can get a list of custom violations by providing one of the command options: --watches, --target-path or --project.
Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
Below are all vulnerabilities detected.
Vulnerabilities
┌──────────┬──────────────────┬──────────┬──────┬────────────────┬───────────┬───────────┬────────────────┬──────┬──────┬────────────┐
│ SEVERITY │ IMPACTED PACKAGE │ IMPACTED │ TYPE │ FIXED VERSIONS │ COMPONENT │ COMPONENT │ CVE │ CVSS │ CVSS │ ISSUE ID │
│ │ │ PACKAGE │ │ │ │ VERSION │ │ V2 │ V3 │ │
│ │ │ VERSION │ │ │ │ │ │ │ │ │
├──────────┼──────────────────┼──────────┼──────┼────────────────┼───────────┼───────────┼────────────────┼──────┼──────┼────────────┤
│ Medium │ debug │ 2.6.8 │ npm │ [4.3.1] │ debug │ 2.6.8 │ CVE-2017-16137 │ 5.0 │ 5.3 │ XRAY-72687 │
│ │ │ │ │ [3.2.7] │ │ │ │ │ │ │
│ │ │ │ │ [3.1.0] │ │ │ │ │ │ │
│ │ │ │ │ [2.6.9] │ │ │ │ │ │ │
└──────────┴──────────────────┴──────────┴──────┴────────────────┴───────────┴───────────┴────────────────┴──────┴──────┴────────────┘
sophiet-mac:jfrog-cli sophiet$ ./jfrog xr scan "debug-2.6.8.tgz" --watches "general-repo-watch"
[Info] [Thread 2] Indexing file: debug-2.6.8.tgz
The full scan results are available here: /var/folders/rj/c5kk2nk11r58tm88_jg7428c0000gn/T/jfrog.cli.temp.-1628529144-267761353
Security Violations
┌───────────────────────────────────┐
│ No security violations were found │
└───────────────────────────────────┘
License Compliance Violations
┌─────────────────────────────────────────────┐
│ No license compliance violations were found │
└─────────────────────────────────────────────┘
sophiet-mac:jfrog-cli sophiet$ ./jfrog xr scan "debug-2.6.8.tgz" --watches "general-repo-watch" --format=json
[Info] [Thread 2] Indexing file: debug-2.6.8.tgz
[
  {
    "scan_id": "d15459b2-f6be-4a22-654e-15f8482bddd8",
    "violations": [
      {
        "summary": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.",
        "severity": "Medium",
        "type": "security",
        "watch_name": "general-repo-watch",
        "issue_id": "XRAY-72687",
        "cves": [
          {
            "cve": "CVE-2017-16137",
            "cvss_v2_score": "5.0",
            "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "cvss_v3_score": "5.3",
            "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          }
        ],
        "references": [
          "https://nodesecurity.io/advisories/534",
          "https://github.com/visionmedia/debug/pull/504",
          "https://github.com/visionmedia/debug/issues/501"
        ],
        "ignore_url": "http://JFROG_URL:8082/ui/admin/xray/policiesGovernance/ignore-rules?comp_id=npm%3A%2F%2Fdebug%3A2.6.8\u0026have_more_comps=false\u0026issue_id=XRAY-72687\u0026path=debug-2.6.8.tgz\u0026show_popup=true\u0026type=security\u0026watch_id=5c06df1de1507d871532eddd\u0026watch_name=general-repo-watch"
      }
    ],
    "component_id": "npm://debug:2.6.8",
    "package_type": "Npm",
    "status": "completed"
  }
]
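The comment above shows the same scan reporting a Medium security violation in `--format=json` output while the table view says none were found. One way to make that discrepancy visible, and to keep a pipeline from passing on the table view alone, is to consume the JSON output directly. The following Python is an added example, not part of this thread and not JFrog CLI code: it flattens the scan JSON into one row per violation, renders its own table, and fails when any security violation meets a severity threshold. The embedded `SAMPLE_SCAN_JSON` is a trimmed copy of the JSON printed above (references and `ignore_url` dropped); the `SEVERITY_RANK` ordering and the default `Medium` threshold are assumptions, not Xray's own definitions.

```python
import json
import sys

# Constructed sample: a trimmed copy of the `jfrog xr scan ... --format=json` output
# printed in the comment above (references and ignore_url dropped for brevity).
SAMPLE_SCAN_JSON = r'''
[
  {
    "scan_id": "d15459b2-f6be-4a22-654e-15f8482bddd8",
    "violations": [
      {
        "summary": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.",
        "severity": "Medium",
        "type": "security",
        "watch_name": "general-repo-watch",
        "issue_id": "XRAY-72687",
        "cves": [
          {
            "cve": "CVE-2017-16137",
            "cvss_v2_score": "5.0",
            "cvss_v3_score": "5.3"
          }
        ]
      }
    ],
    "component_id": "npm://debug:2.6.8",
    "package_type": "Npm",
    "status": "completed"
  }
]
'''

# Assumed ordering of Xray severity labels; anything unknown ranks lowest.
SEVERITY_RANK = {"Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_violations(raw_json):
    """Flatten the scan JSON (a list of per-artifact results) into one dict per violation."""
    rows = []
    for scan in json.loads(raw_json):
        for violation in scan.get("violations") or []:
            rows.append({
                "component": scan.get("component_id", ""),
                "type": violation.get("type", ""),
                "severity": violation.get("severity", "Unknown"),
                "watch": violation.get("watch_name", ""),
                "issue_id": violation.get("issue_id", ""),
                "cves": [c["cve"] for c in violation.get("cves") or [] if c.get("cve")],
            })
    return rows


def filter_violations(rows, min_severity="Medium", kind="security"):
    """Keep violations of the given kind at or above the severity threshold."""
    threshold = SEVERITY_RANK[min_severity]
    return [
        r for r in rows
        if r["type"] == kind and SEVERITY_RANK.get(r["severity"], 0) >= threshold
    ]


def render_table(rows):
    """Plain-text table, so the JSON result can be eyeballed next to the CLI's own table."""
    header = f"{'SEVERITY':<9} {'TYPE':<9} {'COMPONENT':<22} {'ISSUE ID':<12} {'WATCH':<20} CVES"
    lines = [header, "-" * len(header)]
    for r in rows:
        lines.append(
            f"{r['severity']:<9} {r['type']:<9} {r['component']:<22} "
            f"{r['issue_id']:<12} {r['watch']:<20} {', '.join(r['cves']) or '-'}"
        )
    return "\n".join(lines)


def gate(raw_json, min_severity="Medium"):
    """Return (passed, failing_rows); passed is False when any security violation meets the threshold."""
    failing = filter_violations(parse_violations(raw_json), min_severity)
    return len(failing) == 0, failing


if __name__ == "__main__":
    # Usage: jfrog xr scan ARTIFACT --watches WATCH --format=json | python gate.py
    # Without piped input the embedded sample is used.
    data = SAMPLE_SCAN_JSON if sys.stdin.isatty() else sys.stdin.read()
    passed, failing = gate(data)
    print(render_table(parse_violations(data)))
    print("\nPASS" if passed else f"\nFAIL: {len(failing)} security violation(s) at or above threshold")
    sys.exit(0 if passed else 1)
```

Run on the sample, the gate fails on the single Medium violation that the CLI's table view omitted; raising the threshold to High lets it pass, and an empty result list passes outright.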
Thanks for reporting this issue. It appears that the fix will be applied on Xray's side. We'll update here when the fix becomes available.
The issue is happening only if there are ignore rules for any component. Fixed in Xray version 3.31.x. Thanks :)
Describe the bug
audit-mvn (in front of Xray 3.29.0) is not displaying results in table format when specifying a watch, but does when it's JSON format.

To Reproduce
Run: jfrog xr audit-mvn --watches "WATCH_NAME" (In this case had 16 violations)

Expected behavior
Show same results in both formats

Screenshots
n/a

Versions

Additional context
n/a