JFrog Catalog


Requires Xray version 3.82.6 and above. For Enterprise X and Enterprise + subscriptions with Software Package Curation.

JFrog Catalog is a complete list of OSS packages and CVEs that includes a collection of public and proprietary security, license, and operational risk data that helps developers to:

  • Identify vulnerabilities

  • Understand operational risks and legal liabilities

  • Understand the connections between packages, dependencies, and vulnerabilities, giving visibility into the software packages in use

The data in JFrog Catalog is used for analysis by other JFrog Security products in the platform as a single source of truth for OSS and can be used by you to gain visibility into the data at the core of the platform’s decision-making. The data is available for consumption using a web UI and a powerful GraphQL API, enabling flexible querying and matching and building your own flows on top of all the Catalog data.

Catalog Data

The Catalog data is enriched and well-connected according to our package model to ensure the relevant data is available and accessible both to platform services and to you. This data is enriched and augmented with JFrog’s Security Research to provide developers and application security professionals with the information they need. All of this data is actionable at the platform level.

Supported Package Types

Package Type | Name           | URL
Maven        | MVN Repository | https://repo1.maven.org/maven2/
npm          | NPM registry   | https://registry.npmjs.org
PyPI         | PyPI org       | https://files.pythonhosted.org
Docker*      | Docker Hub     | https://hub.docker.com/
Nuget        | NuGet Gallery  | https://www.nuget.org/

Note

Support for Docker is currently through REST API only.

Features and Capabilities

Catalog Search

Catalog offers a powerful search engine that can easily find any supported package/CVE in seconds.

Search by Package

You can search by package or CVE across all ecosystems, or limit the search to a specific ecosystem such as Maven:

catalog_packages_overview.png

Clicking an autocomplete suggestion takes you directly to the package details; clicking the magnifying glass icon on the right side of the search box opens the full search results. Your search history is shown under the search bar in the Latest Searched section; it is private to you.

CVE search (coming soon)

The user can search for known CVEs and explore the metadata collected and augmented by the JFrog research team.

Package Detail View

When you click a package, JFrog Catalog presents a detailed view of the package’s Vulnerabilities, Dependencies, OpenSSF assessment, and Licenses.

catalog_packages_details_npm.png

Vulnerabilities

This tab lists the known security risks for this OSS package:

  • Non-transitive: CVEs that affect the specific package itself, not its dependencies.

  • Transitive: CVEs that affect one of the package’s dependencies.

  • Enriched by JFrog: our research team examines the most common vulnerabilities and provides additional data for developers on how to mitigate the risk of each CVE.

Dependencies

Lists all direct and indirect dependencies. The dependencies can be seen in the table view, which lists every component, or in the graph view (top right corner), which graphically presents all the dependencies and how they are connected.

Graph View

When you click “Graph”, the dependency tree is displayed, which helps you understand what additional risk you are bringing in with this specific OSS package.

catalog_packages_details_npm_graph.png

You can see that NPM Alfa has six dependencies, two direct and four indirect, represented in the dependency tree together with the respective license of every package. You can explore further by clicking any package with a blue number attached, such as “Pro-types”, and moving further up the tree.
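The distinction the Vulnerabilities tab draws between non-transitive and transitive CVEs, and the direct/indirect split the dependency graph shows, can be reproduced over a small dependency tree. The following is an added illustration, not JFrog’s own code or data: it builds a constructed tree modelled on the figure (one root, two direct and four indirect dependencies) with hypothetical package names, licenses and placeholder CVE ids, and derives the same summary the package detail view presents.

```python
from collections import deque

# Constructed example tree. Package names, licenses and CVE ids are
# hypothetical placeholders, not data taken from JFrog Catalog.
PACKAGES = {
    "alfa":    {"deps": ["bravo", "charlie"], "license": "MIT",          "cves": ["CVE-0000-0001"]},
    "bravo":   {"deps": ["delta"],            "license": "Apache-2.0",   "cves": []},
    "charlie": {"deps": ["echo", "foxtrot"],  "license": "MIT",          "cves": ["CVE-0000-0002"]},
    "delta":   {"deps": [],                   "license": "BSD-3-Clause", "cves": []},
    "echo":    {"deps": ["delta", "golf"],    "license": "ISC",          "cves": ["CVE-0000-0003"]},
    "foxtrot": {"deps": [],                   "license": "GPL-3.0",      "cves": []},
    "golf":    {"deps": [],                   "license": "MIT",          "cves": []},
}


def resolve(root, packages):
    """Breadth-first walk of the dependency tree below `root`.

    Returns {name: depth} for every reachable package (root excluded).
    Depth 1 means a direct dependency; deeper means indirect. A package
    reachable by several paths keeps its shortest depth, and the `seen`
    check also protects against cycles in the graph.
    """
    depth = {}
    queue = deque((dep, 1) for dep in packages[root]["deps"])
    while queue:
        name, d = queue.popleft()
        if name in depth:  # already reached via a shorter (or equal) path
            continue
        depth[name] = d
        for child in packages[name]["deps"]:
            queue.append((child, d + 1))
    return depth


def summarize(root, packages):
    """Build the same view the package detail page presents:
    direct/indirect dependencies, non-transitive vs transitive CVEs,
    and the set of licenses pulled in by the whole tree."""
    deps = resolve(root, packages)
    return {
        "direct": sorted(n for n, d in deps.items() if d == 1),
        "indirect": sorted(n for n, d in deps.items() if d > 1),
        "non_transitive_cves": sorted(packages[root]["cves"]),
        "transitive_cves": sorted(c for n in deps for c in packages[n]["cves"]),
        "licenses": sorted({packages[n]["license"] for n in [root, *deps]}),
    }


if __name__ == "__main__":
    print(summarize("alfa", PACKAGES))
```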

License

Lists the license obligations that apply to this OSS package.