Vulnerability Contextual Analysis

JFrog Security Documentation

Products
JFrog Xray
Content Type
User Guide
ft:sourceType
Paligo

Subscription Information

This feature is supported with the Enterprise X or Enterprise+ license, with the Advanced Security Add-on.

JFrog Security and the JFrog research team's continuous effort to enhance security is introducing an additional capability: Vulnerability Contextual Analysis. JFrog Xray previously released a powerful capability, the JFrog Security CVE Research and Enrichment feature, that helps you with enhanced analysis on CVE findings in a way that allows you to focus on the most important issues with the capability of finding the best resources invested in fixing them. Vulnerability Contextual Analysis is an extension to that capability, ensuring Xray's analysis findings are as focused as possible.

The Issue

When Xray scans your packages, it can potentially find thousands of vulnerabilities. Thus, developers will have to sift through these long lists of vulnerabilities to identify their relevance and in some cases, it can be hard to pinpoint where to start, as many of these vulnerabilities may not affect your artifacts. This process is erroneous and time-consuming.

The Solution

Vulnerability Contextual Analysis uses the artifact context to eliminate false positive reports on vulnerabilities that are not applicable. This process involves automated scanners running on top of the container to find reachable paths for the analyzed vulnerabilities. Xray automatically validates some high and very high-impact vulnerabilities, such as vulnerabilities that have prerequisites for exploitations, and provides contextual analysis information for these vulnerabilities, to assist you in figuring out which vulnerabilities are applicable to a specific artifact.

What are the Benefits of Vulnerability Contextual Analysis?

  • Analyzes the finished code the way an attacker would. Know what issues are exploitable and their potential impact.

  • Tests an issue in the context of the complete artifact, also within a build or Release Bundle.

  • Enables action and remediation in the context of the actual artifact, build or Release Bundle.

Note

Important details in regard to the Contextual Analysis feature:

  • Supported packages:

    • Docker

    • OCI

    • Maven ( Xray version 3.77.4)

    • Rust with cargo auditable build (Xray version 3.79.x)

    • .NET binaries in Docker containers (Xray version 3.95.4)

  • Covers hundreds of CVEs with support for JavaScript, Python, and compiled binaries: Java, Kotlin, C/C++ and Golang. ( Java supports only Uber JAR. See the example here for creating an Uber JAR)