
audit: Vulnerabilities without a CVE-ID are not scanned by Contextual Analysis

Open srmish-jfrog opened this issue 2 years ago • 0 comments

Describe the bug

When running jf audit, the JFrog CLI will show an "Undetermined" result for vulnerabilities that do not have a CVE ID (only an XRAY ID), even if contextual scanning of these vulnerabilities is supported when they are identified by their respective XRAY ID.

Current behavior

The CLI only adds CVE IDs to the generated configuration YAML that is passed to applicabilityScanConfig. If a detected vulnerability only has an XRAY-ID (no CVE ID) then it is not passed to be scanned by the contextual analysis.

Reproduction steps

  1. Download jackson-rce-via-spel.zip

  2. Run -

mkdir jackson_test
cd jackson_test
unzip ../jackson-rce-via-spel.zip
jf audit --extended-table

  3. Note that the following vulnerabilities have an "Undetermined" contextual analysis -
  • XRAY-122085
  • XRAY-122084
  • XRAY-138371

Expected behavior

The CLI should add XRAY-IDs (when required) to the generated configuration YAML that is passed to applicabilityScanConfig. Specifically the relevant fields are CveWhitelist and IndirectCveWhitelist.

For example -

cve-whitelist:
        - CVE-2020-11619
       ...
        - XRAY-122085
        - XRAY-122084
        - XRAY-138371

When the XRAY-IDs are passed, the applicability manager will know to return the correct response.

In the example above, the following XRAY IDs should show up as "Not Applicable" (instead of "Undetermined") -
  • XRAY-122085
  • XRAY-122084
  • XRAY-138371

JFrog CLI-Core version

2.47.3

JFrog CLI version (if applicable)

2.52.2

Operating system type and version

Linux - Ubuntu 22.04

JFrog Artifactory version

No response

JFrog Xray version

No response

srmish-jfrog, Dec 11 '23 14:12
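The fallback the issue asks for, written out as an added example in Go. This is not jfrog-cli-core's own code: the Vulnerability type, the BuildWhitelists and RenderConfig functions, the indirect-cve-whitelist key and the placeholder ids XRAY-000001/XRAY-000002 are assumptions made for the illustration. The point it shows is where the "Undetermined" result comes from: a finding that carries no CVE contributes nothing to the whitelist, so the applicability scanner has no identifier to match it against, unless the Xray id is used in its place.

```go
package main

import (
	"fmt"
	"strings"
)

// Vulnerability is a simplified, hypothetical view of one Xray finding
// (not the jfrog-cli-core type): its Xray issue id, any CVE ids attached
// to it, and whether the vulnerable component is a direct dependency.
type Vulnerability struct {
	IssueID string
	CVEs    []string
	Direct  bool
}

// scanIDs returns the identifiers the applicability scan should match for
// one finding: its CVE ids, or, when it has none, its Xray id alone.
// Returning nothing for CVE-less findings is what leaves them "Undetermined".
func scanIDs(v Vulnerability) []string {
	if len(v.CVEs) > 0 {
		return v.CVEs
	}
	if v.IssueID != "" {
		return []string{v.IssueID}
	}
	return nil
}

// appendUnique keeps insertion order and drops ids already present, since
// one CVE is often reported against several components.
func appendUnique(list []string, seen map[string]bool, id string) []string {
	if seen[id] {
		return list
	}
	seen[id] = true
	return append(list, id)
}

// BuildWhitelists splits findings into the direct and indirect whitelists
// handed to the applicability scan, using Xray ids for CVE-less findings.
func BuildWhitelists(vulns []Vulnerability) (direct, indirect []string) {
	seenDirect, seenIndirect := map[string]bool{}, map[string]bool{}
	for _, v := range vulns {
		for _, id := range scanIDs(v) {
			if v.Direct {
				direct = appendUnique(direct, seenDirect, id)
			} else {
				indirect = appendUnique(indirect, seenIndirect, id)
			}
		}
	}
	return direct, indirect
}

// RenderConfig writes both lists as the YAML fragment the scan would read.
// "cve-whitelist" is the key shown in the issue; "indirect-cve-whitelist"
// is an assumed name for the IndirectCveWhitelist field.
func RenderConfig(direct, indirect []string) string {
	var b strings.Builder
	writeList := func(key string, ids []string) {
		if len(ids) == 0 {
			fmt.Fprintf(&b, "%s: []\n", key)
			return
		}
		fmt.Fprintf(&b, "%s:\n", key)
		for _, id := range ids {
			fmt.Fprintf(&b, "  - %s\n", id)
		}
	}
	writeList("cve-whitelist", direct)
	writeList("indirect-cve-whitelist", indirect)
	return b.String()
}

// SampleVulns is constructed input mirroring the issue: a finding with a
// CVE, the same CVE reported again on a second component, and the three
// XRAY-only findings. XRAY-000001/XRAY-000002 are placeholder ids.
func SampleVulns() []Vulnerability {
	return []Vulnerability{
		{IssueID: "XRAY-000001", CVEs: []string{"CVE-2020-11619"}, Direct: true},
		{IssueID: "XRAY-000002", CVEs: []string{"CVE-2020-11619"}, Direct: true},
		{IssueID: "XRAY-122085", Direct: true},
		{IssueID: "XRAY-122084", Direct: true},
		{IssueID: "XRAY-138371", Direct: false},
	}
}

func main() {
	direct, indirect := BuildWhitelists(SampleVulns())
	fmt.Print(RenderConfig(direct, indirect))
}
```

Run as-is it prints a cve-whitelist containing CVE-2020-11619 once followed by XRAY-122085 and XRAY-122084, and an indirect list containing XRAY-138371; with the Xray-id fallback in scanIDs removed, the three XRAY-only findings vanish from both lists, which is the current behaviour the issue describes.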