
audit: Vulnerabilities without a CVE-ID are not scanned by Contextual Analysis #1071

Open
srmish-jfrog opened this issue Dec 11, 2023 · 0 comments
Labels
bug Something isn't working

Comments

srmish-jfrog (Contributor) commented Dec 11, 2023

Describe the bug

When running jf audit, the JFrog CLI will show an Undetermined result for vulnerabilities that do not have a CVE ID (only have an XRAY ID), even if contextual scanning of these vulnerabilities is supported when identified by their respective XRAY ID

Current behavior

The CLI only adds CVE IDs to the generated configuration YAML that is passed to applicabilityScanConfig. If a detected vulnerability only has an XRAY-ID (no CVE ID) then it is not passed to be scanned by the contextual analysis.

Reproduction steps

  1. Download jackson-rce-via-spel.zip

  2. Run -

         mkdir jackson_test
         cd jackson_test
         unzip ../jackson-rce-via-spel.zip
         jf audit --extended-table

  3. Note that the following vulnerabilities have an "Undetermined" contextual analysis -
     • XRAY-122085
     • XRAY-122084
     • XRAY-138371

Expected behavior

The CLI should add XRAY-IDs (when required) to the generated configuration YAML that is passed to applicabilityScanConfig. Specifically the relevant fields are CveWhitelist and IndirectCveWhitelist.

For example -

    cve-whitelist:
      - CVE-2020-11619
      ...
      - XRAY-122085
      - XRAY-122084
      - XRAY-138371

When the XRAY-IDs are passed, the applicability manager will know to return the correct response

In the example above, the following XRAY IDs should show up as "Not Applicable" (instead of "Undetermined") -
- XRAY-122085
- XRAY-122084
- XRAY-138371

JFrog CLI-Core version

2.47.3

JFrog CLI version (if applicable)

2.52.2

Operating system type and version

Linux - Ubuntu 22.04

JFrog Artifactory version

No response

JFrog Xray version

No response

@srmish-jfrog srmish-jfrog added the bug Something isn't working label Dec 11, 2023
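The whitelist-building behaviour the issue asks for, written as an added, stand-alone Go example rather than code from jfrog-cli-core or the issue author. The `Vulnerability` and `ScanIDs` types, the `BuildScanIDs` and `RenderYAML` functions, the `indirect-cve-whitelist` key name and the split of IDs by direct/indirect dependency are all assumptions made here for illustration; only `cve-whitelist`, the `CveWhitelist`/`IndirectCveWhitelist` field names and the three XRAY-IDs come from the issue. The sample findings are constructed. The point it demonstrates is the fallback: a finding contributes its CVE IDs when it has any, and its XRAY-ID otherwise, so no finding is silently dropped from contextual analysis.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Vulnerability is a hypothetical, simplified view of one Xray finding:
// its XRAY issue id, zero or more CVE ids, and whether the vulnerable
// component is a direct dependency of the scanned project.
type Vulnerability struct {
	IssueID  string   // e.g. "XRAY-122085"
	CVEs     []string // empty for findings that only carry an XRAY-ID
	IsDirect bool
}

// ScanIDs mirrors the two whitelist fields named in the issue
// (assumed here to hold direct and indirect findings respectively).
type ScanIDs struct {
	CveWhitelist         []string
	IndirectCveWhitelist []string
}

// idsFor returns the identifiers contextual analysis should receive for v:
// the CVE ids when present, otherwise the XRAY id so the finding is still
// scanned instead of ending up "Undetermined".
func idsFor(v Vulnerability) []string {
	if len(v.CVEs) > 0 {
		return v.CVEs
	}
	if v.IssueID != "" {
		return []string{v.IssueID}
	}
	return nil
}

func sortedKeys(set map[string]struct{}) []string {
	keys := make([]string, 0, len(set))
	for k := range set {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// BuildScanIDs de-duplicates identifiers (two findings may share a CVE)
// and partitions them by whether the component is a direct dependency.
func BuildScanIDs(vulns []Vulnerability) ScanIDs {
	direct := map[string]struct{}{}
	indirect := map[string]struct{}{}
	for _, v := range vulns {
		for _, id := range idsFor(v) {
			if v.IsDirect {
				direct[id] = struct{}{}
			} else {
				indirect[id] = struct{}{}
			}
		}
	}
	return ScanIDs{
		CveWhitelist:         sortedKeys(direct),
		IndirectCveWhitelist: sortedKeys(indirect),
	}
}

func writeList(b *strings.Builder, key string, ids []string) {
	fmt.Fprintf(b, "%s:\n", key)
	for _, id := range ids {
		fmt.Fprintf(b, "  - %s\n", id)
	}
}

// RenderYAML emits the fragment in the shape shown in the issue; the
// "indirect-cve-whitelist" key name is an assumption.
func RenderYAML(s ScanIDs) string {
	var b strings.Builder
	writeList(&b, "cve-whitelist", s.CveWhitelist)
	writeList(&b, "indirect-cve-whitelist", s.IndirectCveWhitelist)
	return b.String()
}

// SampleVulns is a constructed input: one CVE reported twice, two findings
// with only an XRAY-ID on direct dependencies, one on an indirect dependency.
func SampleVulns() []Vulnerability {
	return []Vulnerability{
		{IssueID: "XRAY-0001", CVEs: []string{"CVE-2020-11619"}, IsDirect: true},
		{IssueID: "XRAY-0002", CVEs: []string{"CVE-2020-11619"}, IsDirect: true},
		{IssueID: "XRAY-122085", IsDirect: true},
		{IssueID: "XRAY-122084", IsDirect: true},
		{IssueID: "XRAY-138371", IsDirect: false},
	}
}

func main() {
	fmt.Print(RenderYAML(BuildScanIDs(SampleVulns())))
}
```

Note that a finding which carries both a CVE and an XRAY-ID contributes only its CVE, so the list does not grow for the common case; only findings with no CVE at all fall back to the XRAY-ID.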