Closed liwei2151284 closed 2 years ago
@liwei2151284 -
The `jfrog xr am` command scans all of your project dependencies - both direct and transitive (indirect). The command output displays only vulnerable dependencies (and allows filtering them out according to your Xray policy).
Can you therefore elaborate more on the issue you're seeing? Which vulnerable dependencies do you not see as part of the command output?
@eyalbe4 Thank you for answering my question. I use `jfrog xr am` without `--watch`, which maybe means it can report all of the security issues, but I can only see the direct dependency issues.
My pom file:
If I use `jfrog xr am`, my scan report:
Dependency tree:
If I use `jfrog xr s xxx.jar`, my scan report shows all security issues:
My source code: https://github.com/liwei2151284/Guestbook-microservices-k8s/tree/master/gateway-service
@liwei2151284 -
It looks like dependencies such as `ch.qos.logback:logback-core` are indeed packed inside your `getway-service.jar`. And by running `jfrog xr s getway-service.jar`, Xray identified these packed dependencies and their vulnerabilities.
I can see though that `ch.qos.logback:logback-core` is not included in the dependency tree output you shared. Is it indeed not there, or have you just not shared the entire output?
If it is not there, could it be that these dependencies make it into your `getway-service.jar` from somewhere else during your build? If they do, then the `jfrog xr am` command, which does not build the code, but just compiles it with maven to find its dependencies, can't be aware of them.
Please let us know what you think.
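One way to answer the question above (is a packed library really in the dependency tree, and if not, where did it come from?), as an added example that is not code from this thread or from JFrog CLI: parse the text output of `mvn dependency:tree`, split direct from transitive dependencies by their depth in the tree, and list the jars packed inside the built artifact that the tree does not account for. The Spring Boot fat-jar layout (`BOOT-INF/lib/`), the sample tree text and the sample jar are all constructed for this example and are assumptions, not data from the issue.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# A maven tree line is "[INFO] " + a prefix made of 3-character cells
# ("+- ", "|  ", "\- ", "   ") + the coordinates. Depth = number of cells.
TREE_LINE = re.compile(r"^\[INFO\] ([|+\\\- ]*)(\S+)$")


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int  # 0 = the project itself, 1 = direct dependency, >1 = transitive

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"

    @property
    def jar_name(self) -> str:
        # Assumes no classifier; a classified artifact would be artifact-version-classifier.jar
        return f"{self.artifact}-{self.version}.jar"


def parse_tree(text: str) -> list:
    """Parse `mvn dependency:tree` output into Dep records (other [INFO] lines are skipped)."""
    deps = []
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        prefix, coords = m.groups()
        parts = coords.split(":")
        if len(parts) < 4:
            continue  # separators such as "-----" end up here and are ignored
        group, artifact = parts[0], parts[1]
        if len(parts) == 4:  # root line: groupId:artifactId:packaging:version
            version, scope = parts[3], "root"
        else:  # groupId:artifactId:packaging[:classifier]:version:scope
            version, scope = parts[-2], parts[-1]
        deps.append(Dep(group, artifact, version, scope, len(prefix) // 3))
    return deps


def direct_and_transitive(deps: list) -> tuple:
    """Split the parsed tree into direct (depth 1) and transitive (depth > 1) group:artifact sets."""
    return ({d.ga for d in deps if d.depth == 1}, {d.ga for d in deps if d.depth > 1})


def packed_libs(jar_bytes: bytes, lib_dir: str = "BOOT-INF/lib/") -> set:
    """Names of the jars packed under lib_dir inside a (Spring Boot style) fat jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n[len(lib_dir):] for n in zf.namelist()
                if n.startswith(lib_dir) and n.endswith(".jar")}


def unexplained_packed_libs(jar_bytes: bytes, tree_text: str) -> set:
    """Packed jars that no node of the dependency tree accounts for, i.e. candidates
    that entered the artifact from somewhere else in the build."""
    expected = {d.jar_name for d in parse_tree(tree_text) if d.depth > 0}
    return packed_libs(jar_bytes) - expected


# Constructed sample tree (not the real gateway-service tree from the issue).
SAMPLE_TREE = r"""
[INFO] com.example:gateway-service:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.3.4.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.3.4.RELEASE:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.4.RELEASE:compile
[INFO] |  |     \- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |        \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.11.2:compile
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.3.4.RELEASE:test
"""


def build_sample_jar(lib_names: list) -> bytes:
    """Constructed in-memory fat jar with empty placeholder libraries under BOOT-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in lib_names:
            zf.writestr(f"BOOT-INF/lib/{name}", b"")  # contents are irrelevant for this check
    return buf.getvalue()


SAMPLE_JAR = build_sample_jar([
    "spring-boot-starter-web-2.3.4.RELEASE.jar",
    "spring-boot-starter-2.3.4.RELEASE.jar",
    "spring-boot-starter-logging-2.3.4.RELEASE.jar",
    "logback-classic-1.2.3.jar",
    "logback-core-1.2.3.jar",
    "jackson-databind-2.11.2.jar",
    "snakeyaml-1.26.jar",  # deliberately absent from SAMPLE_TREE: "came from somewhere else"
])

if __name__ == "__main__":
    deps = parse_tree(SAMPLE_TREE)
    direct, transitive = direct_and_transitive(deps)
    print("direct:", sorted(direct))
    print("transitive:", sorted(transitive))
    print("packed but not in the tree:", sorted(unexplained_packed_libs(SAMPLE_JAR, SAMPLE_TREE)))
```

On a real project, feed it the saved output of `mvn dependency:tree` and the bytes of the built jar; a non-empty "packed but not in the tree" set points at the jars that a scan of the compiled dependency graph cannot see, while an empty set means the library is in the tree and its absence from a scan report is the tool's problem rather than the build's.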
@eyalbe4 Thanks for answering my question. This is all of my dependency tree, you can see logback-core is in it.
Hi @liwei2151284, thanks again for reporting this issue and also for the detailed logs. We managed to reproduce and hopefully fix this issue in jfrog/jfrog-cli-core#257. The fix may be included in the next release. We'll keep you updated.
Hi @liwei2151284, We just released JFrog CLI 2.6.2 which fixes this issue. We'd appreciate your feedback on it. Sorry for the inconvenience caused by this.
Hi @sverdlov93 Thank you very much, I've already upgraded to JFrog CLI 2.6.2, and it worked well.
I use `jfrog xr am` to scan source code. It can only report the dependency security issues, but it can't report transitive dependency security issues, but they can be found in Xray. Why?