Once an artifact is indexed in Xray as part of a single upload, build, or Release Bundle, Xray checks whether the artifact contains vulnerabilities that are considered to have a very high impact. If such vulnerabilities are found, Xray runs the contextual analysis and retrieves its results. The results consist of the following:
Vulnerability Contextual Analysis Statuses
Not Scanned: Initial state; the scan was invoked for the CVE.
Applicable: The vulnerability can be exploited in the context of the scanned artifact.
Not Applicable: The vulnerability cannot be exploited in the context of the scanned artifact.
Undetermined: The applicability cannot be determined by static analysis (e.g. the exploitation requires user interaction).
Rescan Required: A new scanner for this CVE is available; you need to rescan to retrieve applicability results.
Upgrade Required: (Self-Hosted only) The Xray version needs to be updated to receive a new scanner for this CVE. Rescan is required after the upgrade.
Not Covered: A scanner isn't available.
Technology Unsupported: The vulnerability’s package type is currently not supported.
Missing Context: Reachability analysis cannot determine the vulnerability’s applicability. Applicability can be determined by scanning the artifact in a Docker repository in the JFrog Platform.
Vulnerability Contextual Analysis Results
The contextual analysis results can be accessed from the Scans List.