JFrog XRay vulnerability analysis - how to find suggested upgrade path










0















I am working with JFrog XRay, which has scanned our Artifactory and identified a vulnerability in a third party library which is a depdendency of my application.



From the component scan, I click on the CVE number and get this information



**Details**
Summary [CVE-XXX-YYY] Improper Input Validation
Type Security
Severity Critical
....
Infected Component __internal component__
Source Version 1.2.3


However there is no suggested "resolution". For example, "upgrade to 1.2.4" or "upgrade to 2.0.1".



Ideally I dont want to have to install all versions of this component and scan them individually.



And in this case the "References" links are not so helpful.



Any advice on the proper workflow to find a safe upgrade to a vulnerable component identified in JFrog Xray would be most helpful here.










share|improve this question


























    0















    I am working with JFrog XRay, which has scanned our Artifactory and identified a vulnerability in a third party library which is a depdendency of my application.



    From the component scan, I click on the CVE number and get this information



    **Details**
    Summary [CVE-XXX-YYY] Improper Input Validation
    Type Security
    Severity Critical
    ....
    Infected Component __internal component__
    Source Version 1.2.3


    However there is no suggested "resolution". For example, "upgrade to 1.2.4" or "upgrade to 2.0.1".



    Ideally I dont want to have to install all versions of this component and scan them individually.



    And in this case the "References" links are not so helpful.



    Any advice on the proper workflow to find a safe upgrade to a vulnerable component identified in JFrog Xray would be most helpful here.










    share|improve this question
























      0












      0








      0








      I am working with JFrog XRay, which has scanned our Artifactory and identified a vulnerability in a third party library which is a depdendency of my application.



      From the component scan, I click on the CVE number and get this information



      **Details**
      Summary [CVE-XXX-YYY] Improper Input Validation
      Type Security
      Severity Critical
      ....
      Infected Component __internal component__
      Source Version 1.2.3


      However there is no suggested "resolution". For example, "upgrade to 1.2.4" or "upgrade to 2.0.1".



      Ideally I dont want to have to install all versions of this component and scan them individually.



      And in this case the "References" links are not so helpful.



      Any advice on the proper workflow to find a safe upgrade to a vulnerable component identified in JFrog Xray would be most helpful here.










      share|improve this question














      I am working with JFrog XRay, which has scanned our Artifactory and identified a vulnerability in a third party library which is a depdendency of my application.



      From the component scan, I click on the CVE number and get this information



      **Details**
      Summary [CVE-XXX-YYY] Improper Input Validation
      Type Security
      Severity Critical
      ....
      Infected Component __internal component__
      Source Version 1.2.3


      However there is no suggested "resolution". For example, "upgrade to 1.2.4" or "upgrade to 2.0.1".



      Ideally I dont want to have to install all versions of this component and scan them individually.



      And in this case the "References" links are not so helpful.



      Any advice on the proper workflow to find a safe upgrade to a vulnerable component identified in JFrog Xray would be most helpful here.







      maven security dependencies artifactory jfrog-xray






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 15 '18 at 14:25









      vikingstevevikingsteve

      26k1179117




      26k1179117






















          1 Answer
          1






          active

          oldest

          votes


















          1














          The fix version is not always available when a new vulnerability is reported in the NVD, that's why Jfrog Xray does not always show it, in case that the fix version is not available, options are :



          1. if the vulnerable software versions have a range (1.2,1.5] then fixed version can any version before 1.2 include or any version after 1.5


          2. if the vulnerable software versions have an open range above, example (1.2,) then fixed version can any version before 1.2 and include


          3. if the vulnerable software versions have an open range below, example:(,1.2) then fixed version can any version after 1.2 and include


          Note: The best will be to look for the 'fix version' field where it specifies exactly the version that fixes the problem
          if it's not specified, the above can give guides to some level.



          Jfrog Xray will report 'fix version' only if the information is available on the source (where the vulnerability was reported)






          share|improve this answer























          • Thanks Chen. May I ask, did you learn about the above from using Xray yourself?

            – vikingsteve
            Nov 22 '18 at 12:42











          • using and working with Jfrog Xray and investigating the world of vulnerabilities databases

            – Chen Keinan
            Nov 22 '18 at 13:07











          • Thanks Chen. PS. see you in Heroes of the Storm!

            – vikingsteve
            Nov 22 '18 at 13:39










          Your Answer






          StackExchange.ifUsing("editor", function ()
          StackExchange.using("externalEditor", function ()
          StackExchange.using("snippets", function ()
          StackExchange.snippets.init();
          );
          );
          , "code-snippets");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "1"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53321583%2fjfrog-xray-vulnerability-analysis-how-to-find-suggested-upgrade-path%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          The fix version is not always available when a new vulnerability is reported in the NVD, that's why Jfrog Xray does not always show it, in case that the fix version is not available, options are :



          1. if the vulnerable software versions have a range (1.2,1.5] then fixed version can any version before 1.2 include or any version after 1.5


          2. if the vulnerable software versions have an open range above, example (1.2,) then fixed version can any version before 1.2 and include


          3. if the vulnerable software versions have an open range below, example:(,1.2) then fixed version can any version after 1.2 and include


          Note: The best will be to look for the 'fix version' field where it specifies exactly the version that fixes the problem
          if it's not specified, the above can give guides to some level.



          Jfrog Xray will report 'fix version' only if the information is available on the source (where the vulnerability was reported)






          share|improve this answer























          • Thanks Chen. May I ask, did you learn about the above from using Xray yourself?

            – vikingsteve
            Nov 22 '18 at 12:42











          • using and working with Jfrog Xray and investigating the world of vulnerabilities databases

            – Chen Keinan
            Nov 22 '18 at 13:07











          • Thanks Chen. PS. see you in Heroes of the Storm!

            – vikingsteve
            Nov 22 '18 at 13:39















          1














          The fix version is not always available when a new vulnerability is reported in the NVD, that's why Jfrog Xray does not always show it, in case that the fix version is not available, options are :



          1. if the vulnerable software versions have a range (1.2,1.5] then fixed version can any version before 1.2 include or any version after 1.5


          2. if the vulnerable software versions have an open range above, example (1.2,) then fixed version can any version before 1.2 and include


          3. if the vulnerable software versions have an open range below, example:(,1.2) then fixed version can any version after 1.2 and include


          Note: The best will be to look for the 'fix version' field where it specifies exactly the version that fixes the problem
          if it's not specified, the above can give guides to some level.



          Jfrog Xray will report 'fix version' only if the information is available on the source (where the vulnerability was reported)






          share|improve this answer























          • Thanks Chen. May I ask, did you learn about the above from using Xray yourself?

            – vikingsteve
            Nov 22 '18 at 12:42











          • using and working with Jfrog Xray and investigating the world of vulnerabilities databases

            – Chen Keinan
            Nov 22 '18 at 13:07











          • Thanks Chen. PS. see you in Heroes of the Storm!

            – vikingsteve
            Nov 22 '18 at 13:39













          1












          1








          1







          The fix version is not always available when a new vulnerability is reported in the NVD, that's why Jfrog Xray does not always show it, in case that the fix version is not available, options are :



          1. if the vulnerable software versions have a range (1.2,1.5] then fixed version can any version before 1.2 include or any version after 1.5


          2. if the vulnerable software versions have an open range above, example (1.2,) then fixed version can any version before 1.2 and include


          3. if the vulnerable software versions have an open range below, example:(,1.2) then fixed version can any version after 1.2 and include


          Note: The best will be to look for the 'fix version' field where it specifies exactly the version that fixes the problem
          if it's not specified, the above can give guides to some level.



          Jfrog Xray will report 'fix version' only if the information is available on the source (where the vulnerability was reported)






          share|improve this answer













          The fix version is not always available when a new vulnerability is reported in the NVD, that's why Jfrog Xray does not always show it, in case that the fix version is not available, options are :



          1. if the vulnerable software versions have a range (1.2,1.5] then fixed version can any version before 1.2 include or any version after 1.5


          2. if the vulnerable software versions have an open range above, example (1.2,) then fixed version can any version before 1.2 and include


          3. if the vulnerable software versions have an open range below, example:(,1.2) then fixed version can any version after 1.2 and include


          Note: The best will be to look for the 'fix version' field where it specifies exactly the version that fixes the problem
          if it's not specified, the above can give guides to some level.



          Jfrog Xray will report 'fix version' only if the information is available on the source (where the vulnerability was reported)







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 22 '18 at 12:33









          Chen KeinanChen Keinan

          461




          461












          • Thanks Chen. May I ask, did you learn about the above from using Xray yourself?

            – vikingsteve
            Nov 22 '18 at 12:42











          • using and working with Jfrog Xray and investigating the world of vulnerabilities databases

            – Chen Keinan
            Nov 22 '18 at 13:07











          • Thanks Chen. PS. see you in Heroes of the Storm!

            – vikingsteve
            Nov 22 '18 at 13:39

















          • Thanks Chen. May I ask, did you learn about the above from using Xray yourself?

            – vikingsteve
            Nov 22 '18 at 12:42











          • using and working with Jfrog Xray and investigating the world of vulnerabilities databases

            – Chen Keinan
            Nov 22 '18 at 13:07











          • Thanks Chen. PS. see you in Heroes of the Storm!

            – vikingsteve
            Nov 22 '18 at 13:39
















          Thanks Chen. May I ask, did you learn about the above from using Xray yourself?

          – vikingsteve
          Nov 22 '18 at 12:42





          Thanks Chen. May I ask, did you learn about the above from using Xray yourself?

          – vikingsteve
          Nov 22 '18 at 12:42













          using and working with Jfrog Xray and investigating the world of vulnerabilities databases

          – Chen Keinan
          Nov 22 '18 at 13:07





          using and working with Jfrog Xray and investigating the world of vulnerabilities databases

          – Chen Keinan
          Nov 22 '18 at 13:07













          Thanks Chen. PS. see you in Heroes of the Storm!

          – vikingsteve
          Nov 22 '18 at 13:39





          Thanks Chen. PS. see you in Heroes of the Storm!

          – vikingsteve
          Nov 22 '18 at 13:39



















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53321583%2fjfrog-xray-vulnerability-analysis-how-to-find-suggested-upgrade-path%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          這個網誌中的熱門文章

          How to read a connectionString WITH PROVIDER in .NET Core?

          Node.js Script on GitHub Pages or Amazon S3

          Museum of Modern and Contemporary Art of Trento and Rovereto