XRAY: Continuous Impact Analysis

Author: David Kahan
Article number: 000006032
Source type: Salesforce
First published: 2024-02-11T08:39:13Z
Last modified: 2024-02-11
Version: 1

Xray incorporates a built-in Impact Analysis process that assesses how a vulnerability in one component affects all the others. This analysis runs whenever new security vulnerabilities marked as High Profile CVEs are added to the database. The impact analysis process identifies all artifacts affected by the new vulnerability and adds them to the Xray scan report.
If a newly discovered High Profile CVE meets the criteria of a Watch and a Policy, a new violation will subsequently be generated. This may trigger automatic actions if configured in a policy rule.
For our SaaS product, new vulnerabilities are added to the Xray database every 3-4 hours, at which point the impact analysis process is triggered.

For self-hosted customers, the impact analysis process will be initiated with each daily database sync update.

It's important to note that the impact analysis process operates exclusively on indexed artifacts with scans whose retention period has not yet expired.

In addition, this procedure is effective only for newly identified vulnerabilities. For withdrawn CVEs, or for new security vulnerabilities that are not marked as High Profile, a rescan is required to update the component.
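The following is an added example, not JFrog's code, that models the rules described above as a small simulation: a batch of newly added vulnerabilities is matched against the components recorded for indexed artifacts, entries that are withdrawn or not High Profile are skipped (they need a rescan), artifacts whose scan retention has expired are ignored, and a violation is raised only where a Watch's scope and its policy's severity rule both match. The data model (Vulnerability, Artifact, Watch), the component naming, the CVE identifiers and the artifact paths are all constructed for the example and do not reflect Xray's internal schema.

```python
from dataclasses import dataclass
from datetime import date

# Constructed severity ordering used by the policy rule (assumption, not Xray's internal ranking).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str
    component: str      # affected component, constructed "name:version" form
    severity: str
    high_profile: bool  # only High Profile CVEs go through continuous impact analysis
    withdrawn: bool = False


@dataclass(frozen=True)
class Artifact:
    path: str               # repository path of the indexed artifact
    components: frozenset   # components recorded when the artifact was last scanned
    retention_until: date   # scan results are no longer retained after this date


@dataclass(frozen=True)
class Watch:
    name: str
    repo_prefix: str    # watch scope: artifacts under this repository
    min_severity: str   # policy rule: raise a violation at this severity and above


def impact_analysis(new_vulns, artifacts, today):
    """Map each new High Profile CVE to the retained artifacts whose components it affects."""
    impacted = {}
    for vuln in new_vulns:
        # Withdrawn or non-High-Profile entries are not picked up here; a rescan is needed.
        if vuln.withdrawn or not vuln.high_profile:
            continue
        hits = [
            a.path for a in artifacts
            if vuln.component in a.components and a.retention_until >= today
        ]
        if hits:
            impacted[vuln.cve_id] = sorted(hits)
    return impacted


def evaluate_policies(impacted, vulns, watches):
    """Return (watch, cve_id, path) tuples where a Watch's scope and its policy rule both match."""
    by_id = {v.cve_id: v for v in vulns}
    violations = []
    for cve_id, paths in impacted.items():
        vuln = by_id[cve_id]
        for watch in watches:
            if SEVERITY_RANK[vuln.severity] < SEVERITY_RANK[watch.min_severity]:
                continue
            for path in paths:
                if path.startswith(watch.repo_prefix):
                    violations.append((watch.name, cve_id, path))
    return violations


# Constructed sample data: one retained artifact, one with expired retention, one in another repo.
ARTIFACTS = [
    Artifact("npm-local/app-1.0.0.tgz", frozenset({"lodash:4.17.20", "express:4.18.2"}), date(2025, 1, 1)),
    Artifact("npm-local/old-tool-0.1.0.tgz", frozenset({"lodash:4.17.20"}), date(2023, 6, 1)),
    Artifact("docker-local/api/latest", frozenset({"openssl:3.0.1"}), date(2025, 1, 1)),
]

# Constructed database sync batch; the CVE ids are placeholders, not real identifiers.
NEW_VULNS = [
    Vulnerability("CVE-0000-0001", "lodash:4.17.20", "Critical", high_profile=True),
    Vulnerability("CVE-0000-0002", "openssl:3.0.1", "High", high_profile=False),
    Vulnerability("CVE-0000-0003", "express:4.18.2", "High", high_profile=True, withdrawn=True),
]

WATCHES = [
    Watch("npm-prod", "npm-local/", "High"),
    Watch("images", "docker-local/", "Critical"),
]

TODAY = date(2024, 2, 11)


def run_cycle(new_vulns=NEW_VULNS, artifacts=ARTIFACTS, watches=WATCHES, today=TODAY):
    """One impact-analysis cycle: affected artifacts, then the violations they produce."""
    impacted = impact_analysis(new_vulns, artifacts, today)
    violations = evaluate_policies(impacted, new_vulns, watches)
    return impacted, violations


if __name__ == "__main__":
    impacted, violations = run_cycle()
    for cve_id, paths in impacted.items():
        print(f"{cve_id} affects: {', '.join(paths)}")
    for watch, cve_id, path in violations:
        print(f"violation: watch={watch} cve={cve_id} artifact={path}")
```

Running the cycle shows only the Critical High Profile CVE reaching the report, and only for the artifact whose scan is still retained; the expired artifact and the non-High-Profile and withdrawn entries are absent, which is exactly the case where the article says a rescan is required.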