Description: Provides details about any build specified by build identifier (name + number)
Security: Requires a valid user with "Read" permission
Usage: GET /xray/api/v2/summary/build?build_name=<build name>&build_number=<build number>
Produces: application/json
Path Parameters: None
Query Parameters:
| Name | Type | Required/Optional | Description |
|---|---|---|---|
| build_name | string | Required | The name of the build to retrieve details for. |
| build_number | string | Required | The number of the build to retrieve details for. |
Request Body: None
Response Body:
| Name | Type | Description |
|---|---|---|
| build | BuildObj | Details about the specified build. |
| issues | array[IssuesObj] | List of issues found in the build. |
| licenses | array[LicensesObj] | List of licenses associated with the build. |
| operational_risks | array[OperationalRisksObj] | List of operational risks associated with the build. |
| errors | array[ErrorsObj] | List of errors, if any. |
BuildObj:
| Name | Type | Description |
|---|---|---|
| name | string | The name of the build. |
| component_id | string | The component ID of the build. |
| pkg_type | string | The type of package. |
| path | string | The path of the build. |
| sha256 | string | The SHA256 hash of the build. |
IssuesObj:
| Name | Type | Description |
|---|---|---|
| issue_id | string | The ID of the issue. |
| summary | string | A summary of the issue. |
| description | string | A description of the issue. |
| issue_type | string | The type of the issue. |
| severity | string | The severity of the issue. |
| provider | string | The provider of the issue. |
| cves | array[CvesObj] | List of Common Vulnerabilities and Exposures (CVEs) associated with the issue. |
| created | string | The date and time the issue was created. |
| impact_path | array[string] | The paths of the impacted files or resources. |
| extended_information | ExtendedInfoObj | Additional information about the issue. Available as of Xray version 3.42.3. |
| component_physical_paths | array[string] | Array of paths indicating the physical location of the component related to the issue. |
| applicability_details | array[ApplicabilityDetailsObj] | Contextual Analysis applicability details. |
CvesObj:
| Name | Type | Description |
|---|---|---|
| cve | string | The Common Vulnerabilities and Exposures (CVE) ID. |
| cwe | array[string] | List of Common Weakness Enumeration (CWE) IDs associated with the CVE. |
| cvss_v2 | string | The CVSS version 2 score and vector. |
| cvss_v3 | string | The CVSS version 3 score and vector. |
ExtendedInfoObj:
| Name | Type | Description |
|---|---|---|
| short_description | string | A brief description providing additional context. Field is markdown text. |
| full_description | string | A detailed description providing comprehensive information. Field is markdown text. |
| jfrog_research_severity | string | The severity of the issue according to JFrog's research. |
| jfrog_research_severity_reasons | array[SeverityReasonObj] | Reasons for the JFrog research severity assessment. |
| name | string | The reason for the severity assessment (field of each jfrog_research_severity_reasons entry). |
| is_positive | boolean | Indicates whether the reason contributes positively to the severity assessment (field of each jfrog_research_severity_reasons entry). |
| remediation | string | Recommended remediation steps for the issue. Field is markdown text. |
SeverityReasonObj:
| Name | Type | Description |
|---|---|---|
| name | string | The reason for the severity assessment. |
| is_positive | boolean | Indicates whether the reason contributes positively to the severity assessment. |
ApplicabilityDetailsObj:
| Name | Type | Description |
|---|---|---|
| component_id | string | Component ID of the artifact. |
| source_comp_id | string | Component ID of the vulnerable package. |
| vulnerability_id | string | CVE ID. |
| result | string | Contextual Analysis result. Possible values: not_scanned, applicable, not_applicable, undetermined, rescan_required, upgrade_required, not_covered. |
ApplicabilityObj:
| Name | Type | Description |
|---|---|---|
| | boolean | Indicates whether a scanner is available to check the applicability of the issue. |
| | string | Identifier for the component or environment where the issue is applicable. |
| | string | Identifier for the source component or environment where the issue was detected. |
| | string | Identifier for the CVE associated with the issue. |
| | integer | Status of the scan (e.g., 1 for successful, 0 for unsuccessful). |
| | boolean | Indicates whether the issue is applicable to the specified component or environment. |
| | string | Explanation provided by the scanner regarding the applicability check. |
| | array[EvidenceObj] | Evidence or additional information related to the applicability check. |
| | string | Additional information about the applicability of the issue. |
| | array[DetailsObj] | Additional details or notes regarding the applicability of the issue. |
EvidenceObj:
| Name | Type | Description |
|---|---|---|
| | array[string] | Names of the columns in the evidence data. |
| | array[array[string]] | Rows of evidence data, each containing specific details about the issue. |
DetailsObj:
| Name | Type | Description |
|---|---|---|
| | string | File path or location where the issue was detected. |
| | string | Detailed information about the applicability of the issue. |
LicensesObj:
| Name | Type | Description |
|---|---|---|
| name | string | The name of the license. |
| full_name | string | The full name of the license. |
| more_info_url | array[string] | URLs with more information about the license. |
| components | array[string] | Components associated with the license. |
OperationalRisksObj:
| Name | Type | Description |
|---|---|---|
| component_id | string | The component ID associated with the operational risk. |
| risk | string | The level of risk associated with the component. |
| risk_reason | string | The reason for the risk assessment. |
| is_eol | boolean | Indicates if the component is at its End of Life (EOL). |
| eol_message | string | A message related to the component's EOL status. |
| latest_version | string | The latest version of the component. |
| newer_versions | integer | The number of newer versions available. |
| cadence | integer | The frequency of updates for the component. |
| commits | string | The number of commits for the component. |
| committers | string | The number of committers for the component. |
| released | string | The release date of the component. |
ErrorsObj:
| Name | Type | Description |
|---|---|---|
| | string | Unique identifier for the error. |
| | string | Description of the error. |
Response Codes:
| Status code | Description |
|---|---|
| 200 | OK |
| 400 | Missing build name or build number |
Example response with CVE Research and Enrichment:
```json
{
  "build": {
    "name": "exmplae_build",
    "component_id": "exmplae_build:1.0.0",
    "pkg_type": "Build",
    "path": "default/builds/exmplae_build",
    "sha256": "ff55b68d5f507aeaa2253f9506fd9ea847cbb29e1858edfe67d9153650698b12"
  },
  "issues": [
    {
      "issue_id": "XRAY-95701",
      "summary": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.",
      "description": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.",
      "issue_type": "security",
      "severity": "Critical",
      "provider": "JFrog",
      "cves": [
        {
          "cve": "CVE-2020-1747",
          "cwe": ["CWE-20", "CWE-20"],
          "cvss_v2": "10.0/CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "cvss_v3": "9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "created": "2020-03-25T00:00:00.669Z",
      "impact_path": [
        "default/builds/example_build/example/latest/sha256__4918dff128ffe9fdb453e4c25c904c6c1bcbec34da8bcaa9921b154f4c891e2e.tar.gz/root/.cache/pip/wheels/ab/da/46/2f3778bfc6d5ec360917e3eeff42bade7d0497ad6879b1c05c/PyYAML-3.10-cp36-cp36m-linux_x86_64.whl"
      ],
      "extended_information": {
        "short_description": "Insufficient input validation in the PyYAML library allows unauthenticated network attackers to perform code execution when parsing a crafted YAML file.",
        "full_description": "The [PyYAML](https://pypi.org/project/PyYAML/) library is a Python YAML parser, and it is widely used in connected devices. \r\n\r\nAttackers can trigger the exploit by supplying a crafted YAML file to the `full_load` method or a `load` method that uses `Loader=FullLoader` (which is the default). A public [Exploit (PoC)](https://gist.github.com/adamczi/23a3b6d4bb7b2be35e79b0667d6682e1) exists which demonstrates remote code execution, making this vulnerability likely to be exploited in practice.\r\n\r\nThe library implementation has a [prototype pollution](https://shieldfy.io/security-wiki/prototype-pollution/introduction-to-prototype-pollution/) issue in the `construct_python_object_apply()` function in the `lib/yaml/constructor.py` module, used by the `full_load()` method and the `FullLoader` loader. This allows an attacker to create a property for an object created from the loaded file. The constructor does not check the attribute for conflicts; for example, it is possible to create an `extend` attribute when an `extend` method already exists in an object. This can be exploited to replace the `extend` method with the insecure `yaml.unsafe_load()` function, which is later invoked by `construct_python_object_apply()` and executes a malicious YAML payload. \r\n\r\nThe [official solution]() provides a blacklist of properties and attributes that cannot be redefined, such as the `extend` method and all special methods (`__set__`, `__setitem__`, etc.). In addition, the `README` file is updated with a request to use the `safe_load()` function and `SafeLoader` loader for all untrusted input. It is still possible to use the `UnsafeLoader`, and the fix does not completely solve the problem, as shown by the later CVE-2020-14343.\r\n\r\nThe vulnerability was discovered by [Riccardo Schirone](https://github.com/ret2libc).",
        "jfrog_research_severity": "Critical",
        "jfrog_research_severity_reasons": [
          { "name": "The CVE can be remotely exploited", "is_positive": false },
          { "name": "The CVE has an exploit published", "is_positive": false },
          { "name": "The CVE has reasonable prerequisites for exploitation", "is_positive": false },
          { "name": "The CVE results in severe effects", "is_positive": false }
        ],
        "remediation": "##### Development upgrade\n\n- Upgrade the component to any of the suggested fixed versions.\n\n##### Development mitigations\n\n* Apply the official [patch](https://github.com/yaml/pyyaml/pull/386/commits/6f675f711a807af61233355c6d127a3a2e412dbe). This is not recommended, as this version can still have other vulnerabilities.\n\n##### Deployment mitigations \n\n* Use `yaml.safe_load()` or the `SafeLoader` loader for all inputs."
      }
    }
  ],
  "licenses": [
    {
      "name": "Unknown",
      "full_name": "Unknown license",
      "more_info_url": ["Unknown link"],
      "components": [
        "deb://ubuntu:bionic:grep:3.1-2build1",
        "deb://ubuntu:bionic:passwd:1:4.5-1ubuntu2"
      ]
    }
  ],
  "errors": []
}
```
Example response with Component Physical Path:
```json
{
  "build": {
    "name": "proj-docker-build",
    "component_id": "[proj-build-info]/proj-docker-build:14",
    "pkg_type": "Build",
    "path": "default/proj-build-info/proj-docker-build",
    "sha256": "1515db44689ca12c77c1b846c562fcaa40c26a5cc96153776752c96de01ea2f7"
  },
  "issues": [
    {
      "issue_id": "XRAY-79479",
      "summary": "In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.",
      "description": "In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.",
      "issue_type": "security",
      "severity": "High",
      "provider": "JFrog",
      "cves": [
        {
          "cve": "CVE-2019-0222",
          "cwe": ["CWE-94"],
          "cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "created": "2019-03-31T00:00:00.273Z",
      "impact_path": [
        "default/proj-build-info/proj-docker-build/bill.jar/META-INF/maven/org.fusesource.mqtt-client/mqtt-client/pom.xml",
        "default/proj-build-info/proj-docker-build/bill.jar/META-INF/maven/org.apache.activemq/activemq-mqtt/pom.xml"
      ],
      "components": [
        { "component_id": "org.fusesource.mqtt-client:mqtt-client", "fixed_versions": ["[1.15]"] },
        { "component_id": "org.apache.activemq:activemq-mqtt", "fixed_versions": ["[5.15.9]"] }
      ],
      "component_physical_paths": [
        "bill.jar/META-INF/maven/org.fusesource.mqtt-client/mqtt-client/pom.xml",
        "bill.jar/META-INF/maven/org.apache.activemq/activemq-mqtt/pom.xml"
      ]
    }
  ],
  "errors": []
}
```
Example response with Operational Risk:
```json
{
  "build": {
    "name": "test",
    "component_id": "test:2",
    "pkg_type": "Build",
    "path": "default/builds/test",
    "sha256": "c9c5b7926184065a8cdabe1e2f28e52b269d4a50adb6b24f84c0dc9211530506"
  },
  "issues": [],
  "licenses": [],
  "operational_risks": [
    {
      "component_id": "gav://org.datanucleus:datanucleus-core:3.0.4",
      "risk": "High",
      "risk_reason": "Health",
      "is_eol": null,
      "eol_message": "",
      "latest_version": "6.0.0-m4",
      "newer_versions": 120,
      "cadence": 1,
      "commits": null,
      "committers": null,
      "released": "2012-12-12T20:02:00Z"
    }
  ],
  "errors": []
}
```
Example response with Contextual Analysis details:
```json
{
  "build": {
    "name": "build-name",
    "component_id": "build-name:2",
    "pkg_type": "Build",
    "path": "default/builds/build-name",
    "sha256": "0a928e76e0485001d763e20ce262c256b3ab341fb44716073f2064b3490ef1b4"
  },
  "issues": [
    {
      "issue_id": "XRAY-141173",
      "summary": "Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.",
      "description": "Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.",
      "issue_type": "security",
      "severity": "High",
      "provider": "JFrog",
      "cves": [
        {
          "cve": "CVE-2021-22112",
          "cwe": ["CWE-269", "NVD-CWE-noinfo"],
          "cvss_v2": "9.0/CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "cvss_v3": "8.8/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "created": "2021-02-24T00:00:00.138Z",
      "impact_path": [
        "default/builds/build-name/student-services-security-0.0.1-20230711.143048-1.jar/BOOT-INF/lib/spring-security-web-5.2.2.RELEASE.jar"
      ],
      "applicability": ...,
      "applicability_details": [
        {
          "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
          "source_comp_id": "gav://org.springframework.security:spring-security-web:5.2.2.RELEASE",
          "vulnerability_id": "CVE-2021-22112",
          "result": "not_applicable"
        }
      ],
      "component_physical_paths": [
        "student-services-security-0.0.1-20230711.143048-1.jar/BOOT-INF/lib/spring-security-web-5.2.2.RELEASE.jar"
      ]
    }
  ],
  "errors": []
}
```
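The following is an added example of a client for this endpoint, not JFrog's own code: it composes the request URL from the two required query parameters (URL-encoded, failing early when either is empty, since the server answers 400), performs the GET, and reduces a response in the shape documented above to what a release gate needs: security issues counted by severity (preferring `jfrog_research_severity` from `extended_information` when present), issues suppressed because every `applicability_details` entry is `not_applicable`, EOL and High-risk components from `operational_risks`, and whether `errors` is empty. The base URL, the bearer-token scheme, the `XRAY_TOKEN` environment variable and `SAMPLE_RESPONSE` are assumptions constructed for illustration; the page only states that a user with Read permission is required.

```python
"""Client helpers for GET /xray/api/v2/summary/build (added example, not
JFrog code). Base URL, bearer-token auth, XRAY_TOKEN and SAMPLE_RESPONSE are
assumptions/constructed for illustration."""
import json
import os
import urllib.parse
import urllib.request
from collections import Counter

ENDPOINT = "/xray/api/v2/summary/build"


def build_summary_url(base_url: str, build_name: str, build_number: str) -> str:
    """Compose the GET URL. Both values are required query parameters (the
    server answers 400 when either is missing), so fail early on empty input,
    and URL-encode them so a name containing '&' or '=' cannot alter the query."""
    if not build_name or not build_number:
        raise ValueError("build_name and build_number are both required")
    query = urllib.parse.urlencode({"build_name": build_name, "build_number": build_number})
    return f"{base_url.rstrip('/')}{ENDPOINT}?{query}"


def fetch_build_summary(base_url: str, build_name: str, build_number: str) -> dict:
    """Perform the request. The token is read from XRAY_TOKEN (assumed name);
    urlopen raises HTTPError on a 400/403 response rather than returning JSON."""
    token = os.environ["XRAY_TOKEN"]
    req = urllib.request.Request(
        build_summary_url(base_url, build_name, build_number),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def effective_severity(issue: dict) -> str:
    """Design choice: prefer the JFrog research severity carried in
    extended_information; fall back to the scanner severity."""
    ext = issue.get("extended_information") or {}
    return ext.get("jfrog_research_severity") or issue.get("severity") or "Unknown"


def is_not_applicable(issue: dict) -> bool:
    """Suppress an issue only when every Contextual Analysis entry says
    not_applicable; an empty list or any other result keeps it in scope."""
    details = issue.get("applicability_details") or []
    return bool(details) and all(d.get("result") == "not_applicable" for d in details)


def triage(summary: dict) -> dict:
    """Reduce a build summary response to the facts a release gate acts on."""
    by_severity: Counter = Counter()
    not_applicable = []
    for issue in summary.get("issues", []):
        if issue.get("issue_type") != "security":
            continue  # license/other issue types are out of scope here
        if is_not_applicable(issue):
            not_applicable.append(issue["issue_id"])
            continue
        by_severity[effective_severity(issue)] += 1
    risks = summary.get("operational_risks", [])
    return {
        "build": summary.get("build", {}).get("component_id"),
        "by_severity": dict(by_severity),
        "not_applicable": not_applicable,
        "eol_components": [r["component_id"] for r in risks if r.get("is_eol")],
        "high_risk_components": [r["component_id"] for r in risks if r.get("risk") == "High"],
        # A non-empty errors list means the summary may be partial.
        "complete": not summary.get("errors"),
    }


# Constructed sample response in the documented shape (not real scan data;
# the CVE-0000-* ids are placeholders).
SAMPLE_RESPONSE = {
    "build": {"name": "example_build", "component_id": "example_build:7", "pkg_type": "Build",
              "path": "default/builds/example_build", "sha256": "0" * 64},
    "issues": [
        {"issue_id": "XRAY-0001", "issue_type": "security", "severity": "High", "provider": "JFrog",
         "cves": [{"cve": "CVE-0000-0001"}],
         "extended_information": {"jfrog_research_severity": "Critical"},
         "applicability_details": []},
        {"issue_id": "XRAY-0002", "issue_type": "security", "severity": "High", "provider": "JFrog",
         "cves": [{"cve": "CVE-0000-0002"}],
         "applicability_details": [{"component_id": "gav://example:app:1.0",
                                    "source_comp_id": "gav://example:lib:2.0",
                                    "vulnerability_id": "CVE-0000-0002",
                                    "result": "not_applicable"}]},
        {"issue_id": "XRAY-0003", "issue_type": "security", "severity": "Medium", "provider": "JFrog",
         "cves": [{"cve": "CVE-0000-0003"}],
         "applicability_details": [{"result": "applicable"}]},
    ],
    "licenses": [],
    "operational_risks": [
        {"component_id": "gav://example:old-lib:1.0", "risk": "High", "risk_reason": "Health",
         "is_eol": True, "latest_version": "3.0", "newer_versions": 12, "cadence": 0,
         "commits": None, "committers": None},
        {"component_id": "gav://example:lib:2.0", "risk": "Low", "risk_reason": "Health", "is_eol": None},
    ],
    "errors": [],
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
```

Running the module prints the triage of the constructed sample; pointing `fetch_build_summary` at a real instance yields a response with the same keys. Treating `not_applicable` as a suppression only when every entry agrees is deliberate: a single `applicable` or `undetermined` result for another component in the same build keeps the issue in scope.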