Contextual Analysis Statuses and Results

JFrog Security Documentation

Products: JFrog Xray
Content Type: User Guide

Once an artifact is indexed in Xray as part of a single upload, build, or Release Bundle, Xray checks whether the artifact contains vulnerabilities that are considered to have a very high impact. If such vulnerabilities are found, Xray runs contextual analysis and retrieves the contextual analysis results. The results consist of the following:

Vulnerability Contextual Analysis Statuses

  • Not Scanned: Initial state; the scan has been invoked for the CVE.

  • Applicable: The vulnerability can be exploited in the context of the scanned artifact.

  • Not Applicable: The vulnerability cannot be exploited in the context of the scanned artifact.

  • Undetermined: The applicability cannot be determined by static analysis (e.g. the exploitation requires user interaction).

  • Rescan Required: A new scanner for this CVE is available; you need to rescan to retrieve applicability results.

  • Upgrade Required: (Self-Hosted only) The Xray version needs to be updated to receive a new scanner for this CVE. Rescan is required after the upgrade.

  • Not Covered: A scanner is not available for this CVE.

  • Technology Unsupported: The vulnerability’s package type is currently not supported.

  • Missing Context: Reachability analysis cannot determine the vulnerability’s applicability. Applicability can be determined by scanning the artifact in a Docker repository in the JFrog Platform.

Vulnerability Contextual Analysis Results

The contextual analysis results can be accessed from the Scans List.
