Description: Provides details about any artifact specified by path identifiers or checksum.
Security: Requires a valid user with "Read" permission.
Usage: POST /xray/api/v1/summary/artifact
Consumes: application/json
Produces: application/json
Path Parameters: None
Query Parameters: None
Request Body:
| Name | Type | Required/Optional | Description |
|---|---|---|---|
| paths | array | Either (one of `paths` or `checksums` must be supplied) | Array of artifact paths to provide the summary for. The path must start with the |
| checksums | array | Either (one of `paths` or `checksums` must be supplied) | Array of SHA-256 or SHA-1 checksums of the artifacts to provide the summary for. |
Response body:
| Name | Type | Description |
|---|---|---|
| artifacts | array[ArtifactObj] | Array of artifact details |
| errors | array[ErrorsObj] | Array of error details, if any (see the example error response below) |
ArtifactObj:
| Name | Type | Description |
|---|---|---|
| general | GeneralObj | General information about the artifact |
| issues | array[IssuesObj] | Array of issues related to the artifact |
| licenses | array[LicensesObj] | Array of licenses associated with the artifact |
| operational_risks | array[OperationalRiskObj] | Array of operational risks associated with the artifact |
GeneralObj:
| Name | Type | Description |
|---|---|---|
| component_id | string | Unique identifier for the component |
| name | string | Name of the artifact |
| path | string | Path to the artifact |
| pkg_type | string | Type of the artifact package (e.g., "Docker") |
| sha256 | string | SHA-256 checksum of the artifact |
IssuesObj:
| Name | Type | Description |
|---|---|---|
| issue_id | string | Unique identifier for the issue |
| summary | string | Summary of the issue |
| description | string | Detailed description of the issue |
| issue_type | string | Type of the issue (e.g., "security") |
| severity | string | Severity level of the issue (e.g., "High") |
| provider | string | Provider of the issue (e.g., "JFrog") |
| created | string | Timestamp indicating when the issue was created |
| impact_path | array[string] | Array of paths indicating the impact of the issue |
| cves | array[CVEObj] | Array of CVEs associated with the issue |
| extended_information | ExtendedInfoObj | Additional information about the issue (available as of Xray version 3.42.3) |
| applicability | array[ApplicabilityObj] | Array of applicability details |
| applicability_details | array[ApplicabilityDetailsObj] | Applicability details |
| component_physical_paths | array[string] | Array of paths indicating the physical location of the component related to the issue |
CVEObj:
| Name | Type | Description |
|---|---|---|
| cve | string | CVE identifier |
| cwe | array[string] | Array of CWEs associated with the CVE |
| cvss_v2 | string | CVSS version 2 score, followed by the vector string (see the examples below) |
| cvss_v3 | string | CVSS version 3 score, followed by the vector string (see the examples below) |
ExtendedInfoObj:
| Name | Type | Description |
|---|---|---|
| short_description | string | A brief description of the issue. Field is markdown text. |
| full_description | string | Full description of the issue. Field is markdown text. |
| jfrog_research_severity | string | Severity of the issue according to JFrog research |
| jfrog_research_severity_reasons | array[SeverityReasonObj] | Reasons for the severity assigned by JFrog research |
| remediation | string | Remediation steps for the issue. Field is markdown text. |
SeverityReasonObj:
| Name | Type | Description |
|---|---|---|
| name | string | The reason for the severity assessment. |
| description | string | Detailed explanation supporting the severity assessment. |
| is_positive | boolean | Whether the reason counts in the artifact's favour: true for a mitigating factor that lowers the JFrog research severity (e.g., "The CVE can't be remotely exploited"), false for a factor that raises it (e.g., "The issue has an exploit published"). |
ApplicabilityDetailsObj:
| Name | Type | Description |
|---|---|---|
| component_id | string | Component id of the artifact |
| source_comp_id | string | Component id of the vulnerable package |
| vulnerability_id | string | CVE id |
| result | string | Contextual Analysis result. Possible values: |
ApplicabilityObj:
Name | Type | Description |
---|---|---|
| boolean | Indicates whether a scanner is available to check the applicability of the issue |
| string | Identifier for the component or environment where the issue is applicable |
| string | Identifier for the source component or environment where the issue was detected |
| string | Identifier for the CVE associated with the issue |
| integer | Status of the scan (e.g., 1 for successful, 0 for unsuccessful) |
| boolean | Indicates whether the issue is applicable to the specified component or environment |
| string | Explanation provided by the scanner regarding the applicability check |
| array[EvidenceObj] | Evidence or additional information related to the applicability check |
| string | Additional information about the applicability of the issue |
| array[DetailsObj] | Additional details or notes regarding the applicability of the issue |
EvidenceObj:
Field Name | Type | Description |
---|---|---|
| array[string] | Names of the columns in the evidence data |
| array[array[string]] | Rows of evidence data, each containing specific details about the issue |
DetailsObj:
Field Name | Type | Description |
---|---|---|
| string | File path or location where the issue was detected |
| string | Detailed information about the applicability of the issue |
LicensesObj:
| Name | Type | Description |
|---|---|---|
| name | string | Name of the license |
| full_name | string | Full name of the license |
| more_info_url | array[string] | Array of URLs providing more information about the license |
| components | array[string] | Array of components covered by the license |
OperationalRiskObj:
| Name | Type | Description |
|---|---|---|
| component_id | string | Identifier for the component |
| risk | string | Level of risk associated with the component (e.g., "High") |
| risk_reason | string | Reason for the risk assessment (e.g., "Health") |
| is_eol | boolean | Flag indicating if the component is end-of-life |
| eol_message | string | Message about the end-of-life status of the component |
| latest_version | string | Latest version of the component available |
| newer_versions | integer | Number of newer versions available for the component |
| cadence | integer | Cadence of new releases for the component |
| commits | integer | Number of commits for the component |
| committers | integer | Number of committers for the component |
| released | string | Timestamp indicating when the component was released |
ErrorsObj:
| Name | Type | Description |
|---|---|---|
| identifier | string | Unique identifier for the error (the path or checksum that could not be summarized) |
| error | string | Description of the error |
Response Codes:
| Status code | Description |
|---|---|
| 200 | OK |
| 415 | Failed to parse JSON |
Example Request:
```json
{
  "checksums": ["d160c68ed8879ae42756e159daec1dd7ecfd53b6192321656b72715e20d46dd2"]
}
```
Example Response:
```json
{
  "artifacts": [
    {
      "general": {
        "name": "moment-2.29.3.tar.gz",
        "component_id": "moment-2.29.3.tar.gz",
        "pkg_type": "Generic",
        "path": "default/npm-local/moment-2.29.3.tar.gz",
        "sha256": "8240b88c4879b771bdc2ab571fe26d8c10dc92f0e1c130ae468a01ef8d57fe52"
      },
      "issues": [
        {
          "issue_id": "XRAY-230778",
          "summary": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.",
          "description": "### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. `moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.",
          "issue_type": "security",
          "severity": "High",
          "provider": "JFrog",
          "cves": [
            {
              "cve": "CVE-2022-31129",
              "cwe": ["CWE-1333", "CWE-400"],
              "cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            }
          ],
          "created": "2022-07-12T00:00:00.828Z",
          "impact_path": ["default/npm-local/moment-2.29.3.tar.gz/moment-2.29.3/Moment.js.nuspec"],
          "extended_information": {
            "short_description": "ReDoS in moment.js could lead to a denial of service when handling untrusted strings.",
            "full_description": "[`moment`](https://momentjs.com/) is a JavaScript library that enables parsing of date and time strings.\n\nIn `moment`'s exported function, a vulnerability exists when trying to parse a date string. A maliciously crafted string that is parsed by `moment` may lead to excessive CPU consumption and ultimately a denial of service. More specifically, the regex used is `/\\([^)]*\\)|[\\n\\t]/g`, and after finding the first `(`, the regex engine will try to match all subsequent substrings until `)` is found.",
            "jfrog_research_severity": "Medium",
            "jfrog_research_severity_reasons": [
              {
                "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
                "description": "An attacker must find remote input that propagates to the `moment` exported function",
                "is_positive": true
              },
              {
                "name": "The issue has an exploit published",
                "description": "Public exploit demonstrated ReDoS",
                "is_positive": false
              },
              {
                "name": "The issue has a detailed technical explanation published, that can aid in exploit development",
                "is_positive": false
              }
            ]
          },
          "applicability": null,
          "component_physical_paths": ["moment-2.29.3/Moment.js.nuspec"]
        },
        {
          "issue_id": "XRAY-230783",
          "summary": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.",
          "description": "### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. `moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.",
          "issue_type": "security",
          "severity": "High",
          "provider": "JFrog",
          "cves": [
            {
              "cve": "CVE-2022-31129",
              "cwe": ["CWE-1333", "CWE-400"],
              "cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            }
          ],
          "created": "2022-07-12T00:00:00.797Z",
          "impact_path": ["default/npm-local/moment-2.29.3.tar.gz/moment-2.29.3/package.json"],
          "extended_information": {
            "short_description": "ReDoS in moment.js could lead to a denial of service when handling untrusted strings.",
            "full_description": "[`moment`](https://momentjs.com/) is a JavaScript library that enables parsing of date and time strings.\n\nIn `moment`'s exported function, a vulnerability exists when trying to parse a date string. A maliciously crafted string that is parsed by `moment` may lead to excessive CPU consumption and ultimately a denial of service. More specifically, the regex used is `/\\([^)]*\\)|[\\n\\t]/g`, and after finding the first `(`, the regex engine will try to match all subsequent substrings until `)` is found.",
            "jfrog_research_severity": "Medium",
            "jfrog_research_severity_reasons": [
              {
                "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
                "description": "An attacker must find remote input that propagates to the `moment` exported function",
                "is_positive": true
              },
              {
                "name": "The issue has an exploit published",
                "description": "Public exploit demonstrated ReDoS",
                "is_positive": false
              },
              {
                "name": "The issue has a detailed technical explanation published, that can aid in exploit development",
                "is_positive": false
              }
            ]
          },
          "applicability": null,
          "component_physical_paths": ["moment-2.29.3/package.json"]
        }
      ],
      "licenses": [
        {
          "name": "MIT",
          "full_name": "MIT License",
          "more_info_url": [
            "https://opensource.org/licenses/MIT",
            "http://www.opensource.org/licenses/MIT",
            "http://www.opensource.org/licenses/mit-license.php",
            "https://spdx.org/licenses/MIT",
            "https://spdx.org/licenses/MIT.html"
          ],
          "components": ["npm://moment:2.29.3", "nuget://Moment.js:2.29.3"]
        }
      ],
      "operational_risks": [
        {
          "component_id": "npm://moment:2.29.3",
          "risk": "High",
          "risk_reason": "Health",
          "is_eol": null,
          "eol_message": "",
          "latest_version": "2.29.4",
          "newer_versions": 1,
          "cadence": 1,
          "commits": null,
          "committers": null,
          "released": "2022-04-17T18:27:04Z"
        }
      ]
    }
  ]
}
```
Example of successful response with CVE Research and Enrichment:
```json
{
  "artifacts": [
    {
      "general": {
        "name": "example_app:latest",
        "component_id": "example_app:latest",
        "pkg_type": "Docker",
        "path": "default/docker_containers/example/latest/",
        "sha256": "063a3067cb61add7ad3280bcccccea3c4efe4f16cf2beef27900f8045e3a0"
      },
      "issues": [
        {
          "issue_id": "XRAY-97724",
          "summary": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
          "description": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
          "issue_type": "security",
          "severity": "High",
          "provider": "JFrog",
          "cves": [
            {
              "cve": "CVE-2018-20225",
              "cwe": ["CWE-20"],
              "cvss_v2": "6.8/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P",
              "cvss_v3": "7.8/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
            }
          ],
          "created": "2020-05-11T00:00:00.784Z",
          "impact_path": ["default/docker_containers/example/latest/sha256__063a3067cb61add7ad3280bcccccea3c4efe4f16cf2beef27900f8045e3a0.tar.gz/pip:9.0.1"],
          "extended_information": {
            "short_description": "pip could download private packages from a public PyPI repository leading to code execution",
            "full_description": "This vulnerability has been disputed by the maintainers of pip as the described behavior, while potentially insecure, is the intended one. If pip is executed with the `--extra-index-url` when using a private PyPI repository, an attacker could cause pip to download a private package (for example one named `private_package`) by adding a package with the same name (`private_package`) in the public PyPI repository. This would lead to remote code execution as pip will download the public package that could contain malicious code. This is similar to the dependency confusion attack from 2021 by Alex Birsan. However, this isn't considered a vulnerability in itself in pip, and there is no plan to patch or change it.",
            "jfrog_research_severity": "Medium",
            "jfrog_research_severity_reasons": [
              {
                "name": "The CVE can't be remotely exploited",
                "is_positive": true
              },
              {
                "name": "This CVE has been disputed by the vendor",
                "description": "Pip maintainers, and others such as [RHEL](https://access.redhat.com/security/cve/cve-2018-20225) do not consider this a vulnerability as it is the intended behaviour",
                "is_positive": true
              },
              {
                "name": "The CVE was marked as unimportant by the [Debian tracker](https://security-tracker.debian.org/tracker/CVE-2018-20225)",
                "is_positive": true
              }
            ],
            "remediation": "##### Deployment mitigations\r\n\r\nDo not use the `--extra-index-url` flag with pip and consider using version pinning for deployments."
          }
        }
      ],
      "licenses": [
        {
          "name": "Unknown",
          "full_name": "Unknown license",
          "more_info_url": ["Unknown link"],
          "components": [
            "deb://ubuntu:bionic:perl-base:5.26.1-6ubuntu0.5",
            "deb://ubuntu:bionic:libss2:1.44.1-1ubuntu1.3"
          ]
        }
      ]
    }
  ]
}
```
Example response with Component Physical Path:
```json
{
  "artifacts": [
    {
      "general": {
        "name": "artifactory-pro:7.29.80",
        "component_id": "artifactory-pro:7.29.80",
        "pkg_type": "Docker",
        "path": "default/docker-local-a/artifactory-pro/7.29.80/",
        "sha256": "4704b659a183fecc786783e826537978249f2dd2d6665b434340dc7cc75016a9"
      },
      "issues": [
        {
          "issue_id": "XRAY-191997",
          "summary": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.",
          "description": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.",
          "issue_type": "security",
          "severity": "Medium",
          "provider": "JFrog",
          "cves": [
            {
              "cve": "CVE-2021-28170",
              "cwe": ["CWE-20"],
              "cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N",
              "cvss_v3": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
            }
          ],
          "created": "2021-12-14T00:00:00.537Z",
          "impact_path": [
            "default/docker-local-b/artifactory-pro/7.29.80/sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/artifactory/tomcat/webapps/artifactory.war/WEB-INF/lib/jakarta.el-3.0.3.jar",
            "default/docker-local-b/artifactory-pro/7.29.80/sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/misc/tomcat/mc.war/WEB-INF/lib/jakarta.el-3.0.3.jar"
          ],
          "component_physical_paths": [
            "sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/artifactory/tomcat/webapps/artifactory.war/WEB-INF/lib/jakarta.el-3.0.3.jar",
            "sha256__8ab79a3097a73eb8104022347b7535a8b84ba1b2dcabeb96359c7ed26e8a22f6.tar.gz/opt/jfrog/artifactory/app/misc/tomcat/mc.war/WEB-INF/lib/jakarta.el-3.0.3.jar"
          ]
        }
      ]
    }
  ]
}
```
Example response with Operational Risk object:
```json
{
  "artifacts": [
    {
      "general": {
        "name": "datanucleus-core-3.0.4.jar",
        "component_id": "org.datanucleus:datanucleus-core:3.0.4",
        "pkg_type": "Maven",
        "path": "default/generic-local/datanucleus-core-3.0.4.jar",
        "sha256": "5a30df15b3de7c0c349c76e33c12d3f5142a92e81e3fe827e723ba13c662de92"
      },
      "issues": [],
      "licenses": [],
      "operational_risks": [
        {
          "component_id": "gav://org.datanucleus:datanucleus-core:3.0.4",
          "risk": "High",
          "risk_reason": "Health",
          "is_eol": null,
          "eol_message": "",
          "latest_version": "6.0.0-m4",
          "newer_versions": 120,
          "cadence": 1,
          "commits": null,
          "committers": null,
          "released": "2012-12-12T20:02:00Z"
        }
      ]
    }
  ]
}
```
Example response with Contextual Analysis:
````json
{
  "artifacts": [
    {
      "general": {
        "name": "student-services-security-0.0.1-20230711.143048-1_34dca0.jar",
        "component_id": "com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
        "pkg_type": "Maven",
        "path": "default/maven-local/student-services-security-0.0.1-20230711.143048-1_34dca0.jar",
        "sha256": "f2f04c0408e3cf4d09231481a5903fab0bb818e350f58ab0b3d7e84646708274"
      },
      "issues": [
        {
          "issue_id": "XRAY-92904",
          "summary": "The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.",
          "description": "The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.",
          "issue_type": "security",
          "severity": "High",
          "provider": "JFrog",
          "cves": [
            {
              "cve": "CVE-2017-18640",
              "cwe": ["CWE-776"],
              "cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "cvss_v3": "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            }
          ],
          "created": "2019-12-19T00:00:00.460Z",
          "impact_path": ["default/maven-local/student-services-security-0.0.1-20230711.143048-1_34dca0.jar/BOOT-INF/lib/snakeyaml-1.25.jar"],
          "extended_information": {
            "short_description": "Exponential entity expansion in SnakeYAML leads to denial of service when parsing untrusted YAML data.",
            "full_description": "[SnakeYAML](https://bitbucket.org/snakeyaml/snakeyaml/) is a popular Java-based YAML parsing that provides a high-level API for serialization and deserialization of YAML documents.\n\nWhen loading a YAML document, SnakeYAML uses recursion to parse Aliases from the document.\n\nIt was discovered that a crafted YAML file containing an exponential entity expansion using the Alias feature can lead to denial of service due to memory exhaustion. This type of attack is called a [Billion laughs attack](https://en.wikipedia.org/wiki/Billion_laughs_attack).\n\nTo exploit this issue, an attacker must find remote input that propagates into the `Yaml.load()` method. Note that the issue can be exploited even if the `Yaml` class is initialized with a `SafeConstructor`:\n```\nYaml yaml = new Yaml(new SafeConstructor());\nyaml.load(external_data);\n```\nA PoC was published [here](https://web.archive.org/web/20210324100907/https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion)",
            "jfrog_research_severity": "High",
            "jfrog_research_severity_reasons": [
              {
                "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector",
                "description": "An attacker must find remote input that propagates into the `Yaml.load()` method. Note that the issue can be exploited even if the `Yaml` class is initialized with a `SafeConstructor` or with a `Constructor` that accepts an explicit type only.",
                "is_positive": true
              },
              {
                "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)",
                "description": "It is highly likely that SnakeYAML will be used to parse externally-supplied YAML data.",
                "is_positive": false
              },
              {
                "name": "The issue has an exploit published",
                "description": "PoC demonstrates denial of service.",
                "is_positive": false
              }
            ],
            "remediation": "##### Development mitigations\n\nWrap SnakeYAML's `load` method with exception handling -\n```java\ntry {\n\tString parsed = yaml.load(strYaml);\n}\ncatch(StackOverflowError e) {\n\tSystem.err.println(\"ERROR: Stack limit reached\");\n}\n```"
          },
          "applicability": ...,
          "applicability_details": [
            {
              "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
              "source_comp_id": "gav://org.yaml:snakeyaml:1.25",
              "vulnerability_id": "CVE-2017-18640",
              "result": "not_applicable"
            }
          ],
          "component_physical_paths": ["BOOT-INF/lib/snakeyaml-1.25.jar"]
        }
      ]
    }
  ]
}
````
Example Error Response:
```json
{
  "artifacts": [],
  "errors": [
    {
      "identifier": "default/npm-local/moment-2.229.3.tar.gz",
      "error": "Artifact doesn't exist or not indexed/cached in Xray"
    }
  ]
}
```
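As an added example (not JFrog's code), a small Python client that posts the documented request body and reduces the response to what a reviewer acts on: per-CVE findings sorted by CVSS v3 with both the Xray severity and the JFrog research severity, CVEs whose Contextual Analysis `result` is `not_applicable` set aside, high operational risks, and the `errors` array. The Xray base URL and bearer token are assumed placeholders, and the sample response is constructed by trimming this page's example responses.

```python
import json
import urllib.request


def fetch_artifact_summary(base_url: str, token: str, checksums: list[str]) -> dict:
    """POST the documented request body; base_url and token are deployment-specific (assumed)."""
    req = urllib.request.Request(
        f"{base_url}/xray/api/v1/summary/artifact",
        data=json.dumps({"checksums": checksums}).encode("utf-8"),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # a 415 surfaces as urllib.error.HTTPError
        return json.load(resp)


def cvss_v3_score(cve: dict) -> float:
    """cvss_v3 is '<score>/CVSS:3.1/<vector>'; return the numeric prefix, 0.0 if absent or unparsable."""
    try:
        return float((cve.get("cvss_v3") or "").split("/", 1)[0])
    except ValueError:
        return 0.0


def triage(summary: dict) -> dict:
    """Flatten a summary into per-CVE findings sorted by CVSS v3 (highest first); a CVE whose
    Contextual Analysis result is "not_applicable" goes to `suppressed` instead of `findings`."""
    findings, suppressed, risks = [], [], []
    for art in summary.get("artifacts", []):
        path = art.get("general", {}).get("path")
        for issue in art.get("issues", []):
            ext = issue.get("extended_information") or {}
            not_applicable = {d.get("vulnerability_id")
                              for d in issue.get("applicability_details") or []
                              if d.get("result") == "not_applicable"}
            for cve in issue.get("cves", []):
                finding = {
                    "artifact": path, "issue_id": issue.get("issue_id"), "cve": cve.get("cve"),
                    "cvss_v3": cvss_v3_score(cve), "xray_severity": issue.get("severity"),
                    "research_severity": ext.get("jfrog_research_severity"),
                    "impact_path": issue.get("impact_path", []),
                }
                (suppressed if finding["cve"] in not_applicable else findings).append(finding)
        for risk in art.get("operational_risks") or []:
            if risk.get("risk") == "High":  # e.g. risk_reason "Health" with newer versions available
                risks.append({k: risk.get(k) for k in ("component_id", "risk_reason", "latest_version")})
    findings.sort(key=lambda f: f["cvss_v3"], reverse=True)
    return {"findings": findings, "suppressed": suppressed,
            "high_operational_risks": risks, "errors": summary.get("errors", [])}


# Constructed sample, trimmed from the example responses on this page.
V3 = "7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
SAMPLE_RESPONSE = {
    "artifacts": [
        {"general": {"path": "default/npm-local/moment-2.29.3.tar.gz", "pkg_type": "Generic"},
         "issues": [{"issue_id": "XRAY-230778", "severity": "High", "applicability": None,
                     "cves": [{"cve": "CVE-2022-31129", "cvss_v3": V3}],
                     "impact_path": ["default/npm-local/moment-2.29.3.tar.gz/moment-2.29.3/package.json"],
                     "extended_information": {"jfrog_research_severity": "Medium"}}],
         "operational_risks": [{"component_id": "npm://moment:2.29.3", "risk": "High",
                                "risk_reason": "Health", "latest_version": "2.29.4"}]},
        {"general": {"path": "default/maven-local/student-services-security.jar", "pkg_type": "Maven"},
         "issues": [{"issue_id": "XRAY-92904", "severity": "High",
                     "cves": [{"cve": "CVE-2017-18640", "cvss_v3": V3}],
                     "extended_information": {"jfrog_research_severity": "High"},
                     "applicability_details": [{"vulnerability_id": "CVE-2017-18640",
                                                "result": "not_applicable"}]}]},
    ],
    "errors": [{"identifier": "default/npm-local/moment-2.229.3.tar.gz",
                "error": "Artifact doesn't exist or not indexed/cached in Xray"}],
}
```

`triage(SAMPLE_RESPONSE)` yields one open finding (CVE-2022-31129, Xray High but research Medium), one suppressed CVE-2017-18640, one high operational risk and the unresolved-path error, which is the split a reviewer wants before opening tickets.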