Describe the bug
When running jf audit, the JFrog CLI will show an "Undetermined" result for vulnerabilities that do not have a CVE ID (only have an XRAY ID), even if contextual scanning of these vulnerabilities is supported when identified by their respective XRAY ID.
Current behavior
The CLI only adds CVE IDs to the generated configuration YAML that is passed to applicabilityScanConfig. If a detected vulnerability only has an XRAY-ID (no CVE ID) then it is not passed to be scanned by the contextual analysis.
Reproduction steps
Download jackson-rce-via-spel.zip
Run -
mkdir jackson_test
cd jackson_test
unzip ../jackson-rce-via-spel.zip
jf audit --extended-table
Note that the following vulnerabilities have an "Undetermined" contextual analysis -
XRAY-122085
XRAY-122084
XRAY-138371
Expected behavior
The CLI should add XRAY-IDs (when required) to the generated configuration YAML that is passed to applicabilityScanConfig. Specifically the relevant fields are CveWhitelist and IndirectCveWhitelist.
When the XRAY-IDs are passed, the applicability manager will know to return the correct response.
In the example above, the following XRAY IDs should show up as "Not Applicable" (instead of "Undetermined") -
- XRAY-122085
- XRAY-122084
- XRAY-138371
JFrog CLI-Core version
2.47.3
JFrog CLI version (if applicable)
2.52.2
Operating system type and version
Linux - Ubuntu 22.04
JFrog Artifactory version
No response
JFrog Xray version
No response
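As an added illustration (not code from jfrog-cli-core or from the issue author), the following Go program contrasts the reported behaviour with the expected one: with fallbackToIssueID set to false, buildWhitelist collects only CVE IDs, so a finding identified solely by its XRAY ID is never handed to the applicability scanner and is reported as "Undetermined"; with it set to true, the XRAY ID is used whenever a finding carries no CVE. The Vulnerability and Whitelist types, the assignment of direct findings to CveWhitelist and indirect ones to IndirectCveWhitelist, the placeholder CVE, the direct/indirect split of the three XRAY IDs and the scan results are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Vulnerability is an assumed, simplified shape for one Xray finding (not jfrog-cli-core's own type).
type Vulnerability struct {
	IssueID string   // Xray issue ID, e.g. "XRAY-122085"
	Cves    []string // CVE IDs; empty when the finding only has an XRAY ID
	Direct  bool     // affected component is a direct dependency
}

// Whitelist holds the IDs written to the applicability scan config (direct/indirect split is assumed).
type Whitelist struct {
	CveWhitelist         []string
	IndirectCveWhitelist []string
}

// buildWhitelist collects scan IDs from the findings. fallbackToIssueID=false reproduces the
// reported behaviour (CVE IDs only); true is the expected behaviour (XRAY ID when there is no CVE).
func buildWhitelist(vulns []Vulnerability, fallbackToIssueID bool) Whitelist {
	direct, indirect := map[string]bool{}, map[string]bool{}
	for _, v := range vulns {
		ids := v.Cves
		if len(ids) == 0 && fallbackToIssueID {
			ids = []string{v.IssueID}
		}
		target := indirect
		if v.Direct {
			target = direct
		}
		for _, id := range ids {
			target[id] = true // de-duplicates IDs shared by several findings
		}
	}
	return Whitelist{CveWhitelist: sortedKeys(direct), IndirectCveWhitelist: sortedKeys(indirect)}
}

// Contains reports whether id was handed to the applicability scanner at all.
func (w Whitelist) Contains(id string) bool {
	for _, list := range [][]string{w.CveWhitelist, w.IndirectCveWhitelist} {
		for _, x := range list {
			if x == id {
				return true
			}
		}
	}
	return false
}

// applicabilityOf models the reported status: an ID the scanner was never
// asked about (or has no answer for) is shown as "Undetermined".
func applicabilityOf(w Whitelist, id string, scanResults map[string]string) string {
	if r, ok := scanResults[id]; ok && w.Contains(id) {
		return r
	}
	return "Undetermined"
}

func sortedKeys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// Constructed sample: the three XRAY-only IDs from the report plus one
// CVE-bearing finding with a placeholder CVE. Direct vs. indirect is assumed.
func sampleVulnerabilities() []Vulnerability {
	return []Vulnerability{
		{IssueID: "XRAY-122085", Direct: true},
		{IssueID: "XRAY-122084", Direct: true},
		{IssueID: "XRAY-138371", Direct: false},
		{IssueID: "XRAY-000000", Cves: []string{"CVE-0000-0000"}, Direct: true},
	}
}

// Constructed: what the scanner would answer for each ID if it were asked.
func sampleScanResults() map[string]string {
	return map[string]string{
		"CVE-0000-0000": "Applicable",
		"XRAY-122085":   "Not Applicable",
		"XRAY-122084":   "Not Applicable",
		"XRAY-138371":   "Not Applicable",
	}
}

func main() {
	vulns, results := sampleVulnerabilities(), sampleScanResults()
	current, expected := buildWhitelist(vulns, false), buildWhitelist(vulns, true)
	fmt.Printf("%-14s %-16s %s\n", "ID", "current", "expected")
	for _, id := range []string{"XRAY-122085", "XRAY-122084", "XRAY-138371", "CVE-0000-0000"} {
		fmt.Printf("%-14s %-16s %s\n", id, applicabilityOf(current, id, results), applicabilityOf(expected, id, results))
	}
}
```

Running it prints one row per ID: the three XRAY IDs come back "Undetermined" from the current whitelist and "Not Applicable" from the expected one, while the CVE-bearing finding is "Applicable" in both, which is the difference the report describes.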