JFrog XRay vulnerability analysis - how to find suggested upgrade path
I am working with JFrog XRay, which has scanned our Artifactory and identified a vulnerability in a third party library which is a dependency of my application.
From the component scan, I click on the CVE number and get this information
**Details**
Summary [CVE-XXX-YYY] Improper Input Validation
Type Security
Severity Critical
....
Infected Component __internal component__
Source Version 1.2.3
However there is no suggested "resolution". For example, "upgrade to 1.2.4" or "upgrade to 2.0.1".
Ideally I don't want to have to install all versions of this component and scan them individually.
And in this case the "References" links are not so helpful.
Any advice on the proper workflow to find a safe upgrade to a vulnerable component identified in JFrog Xray would be most helpful here.
maven security dependencies artifactory jfrog-xray
asked Nov 15 '18 at 14:25
vikingsteve
1 Answer
The fix version is not always available when a new vulnerability is reported in the NVD; that's why JFrog Xray does not always show it. In case the fix version is not available, the options are:
- If the vulnerable software versions have a range, e.g. (1.2,1.5], then the fixed version can be any version before 1.2 (inclusive) or any version after 1.5.
- If the vulnerable software versions have an open range above, e.g. (1.2,), then the fixed version can be any version before 1.2 (inclusive).
- If the vulnerable software versions have an open range below, e.g. (,1.2), then the fixed version can be any version after 1.2 (inclusive).
Note: the best will be to look for the 'fix version' field, where it specifies exactly the version that fixes the problem; if it's not specified, the above can give guidance to some level.
JFrog Xray will report 'fix version' only if the information is available on the source (where the vulnerability was reported).
answered Nov 22 '18 at 12:33
Chen Keinan
Thanks Chen. May I ask, did you learn about the above from using Xray yourself?
– vikingsteve
Nov 22 '18 at 12:42
using and working with Jfrog Xray and investigating the world of vulnerabilities databases
– Chen Keinan
Nov 22 '18 at 13:07
Thanks Chen. PS. see you in Heroes of the Storm!
– vikingsteve
Nov 22 '18 at 13:39
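As an added illustration of the range rules in the answer above (example code written for this page, not from JFrog, Xray or the original poster): the script parses a Maven-style vulnerable-version interval such as (1.2,1.5], (1.2,) or (,1.2), decides which candidate versions fall outside every interval, and picks the lowest safe version above the one currently in use. The candidate version list is a constructed sample rather than anything fetched from Artifactory, and the pre-release ordering is a simplified assumption, not Maven's full ComparableVersion rules.

```python
"""Pick a safe upgrade from Maven-style vulnerable version ranges.

Added illustration, not JFrog's code. Interval notation follows the
answer above: "(1.2,1.5]" means 1.2 < v <= 1.5 is vulnerable,
"(1.2,)" means everything above 1.2, "(,1.2)" everything below 1.2.
"""
import re
from typing import Iterable, List, Optional

# "(" or "[" , optional lower bound , "," , optional upper bound , ")" or "]"
_RANGE_RE = re.compile(r"^([\(\[])\s*([^,]*?)\s*,\s*([^\)\]]*?)\s*([\)\]])$")

# Constructed sample of versions one might see listed for the artifact;
# it is not pulled from any repository.
SAMPLE_AVAILABLE = [
    "1.1.0", "1.2", "1.2.3", "1.3.0", "1.5",
    "1.5.1", "2.0.0", "2.0.1-rc1", "2.0.1",
]


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' or '1.2.3-rc1' into a tuple that compares correctly.

    Numeric segments are padded to three fields so 1.2 == 1.2.0. A plain
    release sorts after a pre-release with the same numbers (1.2-rc1 < 1.2);
    this is a simplification of Maven's qualifier rules (assumption).
    """
    base, _, qualifier = v.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    nums = nums + (0,) * (3 - len(nums))
    return nums + ((0, qualifier) if qualifier else (1, ""))


def is_vulnerable(version: str, vuln_range: str) -> bool:
    """True if `version` lies inside the vulnerable interval `vuln_range`."""
    m = _RANGE_RE.match(vuln_range.strip())
    if not m:
        raise ValueError(f"unsupported range syntax: {vuln_range!r}")
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    if lo:  # a lower bound exists; "(" excludes the bound itself
        lo_v = parse_version(lo)
        if v < lo_v or (v == lo_v and lo_br == "("):
            return False
    if hi:  # an upper bound exists; ")" excludes the bound itself
        hi_v = parse_version(hi)
        if v > hi_v or (v == hi_v and hi_br == ")"):
            return False
    return True


def safe_upgrade_candidates(current: str, available: Iterable[str],
                            vuln_ranges: Iterable[str]) -> List[str]:
    """Versions newer than `current` that sit outside every range, ascending."""
    ranges = list(vuln_ranges)
    cur = parse_version(current)
    safe = [
        v for v in available
        if parse_version(v) > cur and not any(is_vulnerable(v, r) for r in ranges)
    ]
    return sorted(safe, key=parse_version)


def suggest_upgrade(current: str, available: Iterable[str],
                    vuln_ranges: Iterable[str]) -> Optional[str]:
    """Lowest safe version above `current`; None when only a downgrade is safe."""
    cands = safe_upgrade_candidates(current, available, vuln_ranges)
    return cands[0] if cands else None


if __name__ == "__main__":
    for ranges in (["(1.2,1.5]"], ["(1.2,)"], ["(1.2,1.5]", "[2.0.0,2.0.1)"]):
        print(ranges, "->", suggest_upgrade("1.2.3", SAMPLE_AVAILABLE, ranges))
```

With the sample list and the range (1.2,1.5] the lowest safe upgrade from 1.2.3 is 1.5.1; with the open-above range (1.2,) there is no upgrade at all, which is the case where the only safe moves are a downgrade to 1.2 or below or waiting for a fix version to be published. A version outside the range is outside that one advisory's range only, so rescan the chosen version in Xray before adopting it.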