jfrog / log-analytics-splunk

JFrog Splunk Log Analytics Integration
Apache License 2.0

Xray Top Vulnerable Artifact Downloads panels don't work #21

Closed optiz0r closed 3 years ago

optiz0r commented 3 years ago
  1. The searches that power the "Top Vulnerable Artifact Downloads by XX" panels seem to have a logical problem:

```
index="jfrog_splunk"  log_source="jfrog.rt.artifactory.request" return_status=200 [search index=xray_violations impacted_artifacts{}=* | stats count by impacted_artifacts{}  | rex field=impacted_artifacts{} "default\/(?<rex_repo_path>.*)" | return 500000 $rex_repo_path] | stats count(username) by request_url | rename request_url as impacted_artifact
```

`stats count(username) by request_url` should be `stats count(request_url) by username` I think. This affects both the downloads-by-user and downloads-by-ip panels.

  2. For docker images, the nested search returns strings which never appear in artifact download request URLs

For images such as `reponame/team/app:1.0`, the subquery search returns strings like `(team/app/1.0) OR (team/app/1.0/manifest.json)`. Actual requests logged by Artifactory during download look like: `request_url: /api/docker/repo_name/v2/app/manifests/1.0.0`

So the search returns no data even when vulnerable images have been downloaded.

  3. Several panels in the xray dashboard use searches containing the term `index="main"`. Since the documentation calls for the index used to be `jfrog_splunk`, these searches never return any data.

optiz0r commented 3 years ago

For 1+2, the following search also finds downloads of impacted docker v2 paths:

By user:

```
index="jfrog_splunk" log_source="jfrog.rt.artifactory.request" return_status=200 [search index=xray_violations impacted_artifacts{}=* | stats count by impacted_artifacts{} | rex field=impacted_artifacts{} "default\/(?<rex_repo_path>.*)" | append [search index=xray_violations impacted_artifacts{}=* | stats count by impacted_artifacts{} | rex field=impacted_artifacts{} "default/(?P<repo_name>[^/]+)/(?P<image_name>.*)/(?P<tag_name>[^/]+)/manifest.json" | where image_name!="__unset__" | strcat repo_name "/v2/" image_name "/manifests/" tag_name rex_repo_path] | return 500000 $rex_repo_path] | stats count(request_url) by username | rename request_url as impacted_artifact
```

By ip:

```
index="jfrog_splunk" log_source="jfrog.rt.artifactory.request" return_status=200 [search index=xray_violations impacted_artifacts{}=* | stats count by impacted_artifacts{} | rex field=impacted_artifacts{} "default\/(?<rex_repo_path>.*)" | append [search index=xray_violations impacted_artifacts{}=* | stats count by impacted_artifacts{} | rex field=impacted_artifacts{} "default/(?P<repo_name>[^/]+)/(?P<image_name>.*)/(?P<tag_name>[^/]+)/manifest.json" | where image_name!="__unset__" | strcat repo_name "/v2/" image_name "/manifests/" tag_name rex_repo_path] | return 500000 $rex_repo_path] | stats count(request_url) by remote_address | rename request_url as impacted_artifact
```

However, the downloads-by-ip panel doesn't seem to be that useful, since the IP address of the request in `jfrog.rt.artifactory.request` is 127.0.0.1 (the JFrog router?).
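The two corrections above (grouping downloads by `username`/`remote_address` rather than by `request_url`, and mapping Xray's `default/<repo>/<image>/<tag>/manifest.json` strings onto the `<repo>/v2/<image>/manifests/<tag>` form that Artifactory actually logs) can be checked offline. The following Python is an added example written for this page, not code from the log-analytics-splunk project; the Xray `impacted_artifacts{}` values and Artifactory request events it runs over are constructed sample data, and the `impacted_paths`/`vulnerable_downloads` function names are this example's own. It mirrors the corrected SPL: the subsearch regexes, the `strcat` of the docker manifest path, and the outer filter on `log_source` and `return_status=200`.

```python
import re
from collections import Counter

# Constructed sample Xray violation values (field impacted_artifacts{}).
# The first two are the docker-image forms the issue describes; the third
# is a plain Maven artifact whose path does appear in request URLs as-is.
XRAY_IMPACTED_ARTIFACTS = [
    "default/docker-local/team/app/1.0/manifest.json",
    "default/docker-local/team/app/1.0",
    "default/libs-release/org/example/lib/2.3/lib-2.3.jar",
]

# Constructed sample jfrog.rt.artifactory.request events (not real logs).
ARTIFACTORY_REQUESTS = [
    {"log_source": "jfrog.rt.artifactory.request", "return_status": "200",
     "username": "alice", "remote_address": "10.0.0.5",
     "request_url": "/api/docker/docker-local/v2/team/app/manifests/1.0"},
    {"log_source": "jfrog.rt.artifactory.request", "return_status": "200",
     "username": "bob", "remote_address": "10.0.0.6",
     "request_url": "/api/docker/docker-local/v2/team/app/manifests/1.0"},
    {"log_source": "jfrog.rt.artifactory.request", "return_status": "200",
     "username": "alice", "remote_address": "10.0.0.5",
     "request_url": "/libs-release/org/example/lib/2.3/lib-2.3.jar"},
    # Failed request: excluded by the return_status=200 filter.
    {"log_source": "jfrog.rt.artifactory.request", "return_status": "404",
     "username": "carol", "remote_address": "10.0.0.7",
     "request_url": "/api/docker/docker-local/v2/team/app/manifests/1.0"},
    # Different image, not in the Xray violation set: must not be counted.
    {"log_source": "jfrog.rt.artifactory.request", "return_status": "200",
     "username": "dave", "remote_address": "10.0.0.8",
     "request_url": "/api/docker/docker-local/v2/team/other/manifests/1.0"},
]

# Same regexes as the SPL subsearch: strip the "default/" prefix, and pull
# repo/image/tag out of docker manifest paths.
DEFAULT_PREFIX = re.compile(r"default/(?P<rex_repo_path>.*)")
DOCKER_MANIFEST = re.compile(
    r"default/(?P<repo_name>[^/]+)/(?P<image_name>.*)/(?P<tag_name>[^/]+)/manifest\.json"
)


def impacted_paths(impacted_artifacts):
    """Equivalent of the subsearch plus its appended docker branch: return the
    set of path strings the outer search should look for in request_url."""
    paths = set()
    for art in impacted_artifacts:
        m = DEFAULT_PREFIX.match(art)
        if m:
            paths.add(m.group("rex_repo_path"))
        d = DOCKER_MANIFEST.match(art)
        if d:  # the strcat repo_name "/v2/" image_name "/manifests/" tag_name
            paths.add(f"{d['repo_name']}/v2/{d['image_name']}/manifests/{d['tag_name']}")
    return paths


def vulnerable_downloads(requests, paths, by="username"):
    """Count successful Artifactory download requests whose URL contains one of
    the impacted paths, grouped by `by` (username or remote_address for the
    corrected panels; by="request_url" reproduces the original, reversed
    grouping, which yields a per-artifact count instead of a per-user one)."""
    counts = Counter()
    for ev in requests:
        if ev["log_source"] != "jfrog.rt.artifactory.request":
            continue
        if ev["return_status"] != "200":
            continue
        if any(p in ev["request_url"] for p in paths):
            counts[ev[by]] += 1
    return dict(counts)


if __name__ == "__main__":
    paths = impacted_paths(XRAY_IMPACTED_ARTIFACTS)
    print("search terms:", sorted(paths))
    print("by user:", vulnerable_downloads(ARTIFACTORY_REQUESTS, paths, by="username"))
    print("by ip:", vulnerable_downloads(ARTIFACTORY_REQUESTS, paths, by="remote_address"))
```

Note that the bare `team/app/1.0` string from the first regex still never matches a docker `request_url` in this data, exactly as the issue reports; only the `strcat`-built `docker-local/v2/team/app/manifests/1.0` form does, which is why the appended subsearch is needed for docker repositories.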

MahithaB commented 3 years ago

@optiz0r thanks for the review. This issue has been fixed in the recent release.

peters95 commented 3 years ago

Closing per no activity and @MahithaB note it has been fixed in a recent release. Feel free to re-open if you notice any further issues.