Build Summary

Xray REST APIs

Products
JFrog Xray
Content Type
REST API
ft:sourceType
Paligo

Description: Provides details about any build specified by build identifier (name + number)

Security: Requires a valid user with "Read" permission

Usage: GET /xray/api/v2/summary/build?build_name=<build name>&build_number=<build number>

Produces: application/json

Path Parameters:

Name

Type

Required/Optional

Description

build_name

string

Required

The name of the build to retrieve details for.

build_number

string

Required

The number of the build to retrieve details for.

Query Parameters: None

Request Body: None

Response Body:

Name

Type

Description

build

BuildObj

Details about the specified build.

issues

array[IssuesObj]

List of issues found in the build.

licenses

array[LicenseObj]

List of licenses associated with the build.

operational_risks

array[OperationalRiskObj]

List of operational risks associated with the build.

errors

array[ErrorsObj]

List of errors, if any.

BuildObj

Name

Type

Description

name

string

The name of the build.

component_id

string

The component ID of the build.

pkg_type

string

The type of package.

path

string

The path of the build.

sha256

string

The SHA256 hash of the build.

IssuesObj:

Name

Type

Description

issue_id

string

The ID of the issue.

summary

string

A summary of the issue.

description

string

A description of the issue.

issue_type

string

The type of the issue.

severity

string

The severity of the issue.

provider

string

The provider of the issue.

cves

array[CvesObj]

List of Common Vulnerabilities and Exposures (CVEs) associated with the issue.

created

string

The date and time the issue was created.

impact_path

array [string]

The path of the impacted file or resource.

extended_information

ExtendedInfoObj

Additional information about the issue. As of Xray version 3.42.3

component_physical_paths

array[string]

Array of paths indicating the physical location of the component related to the issue

applicability_details

array [ApplicabilityDetailsObj]

Applicability details

CvesObj:

Name

Type

Description

cve

string

The Common Vulnerabilities and Exposures (CVE) ID.

cwe

array [string]

List of Common Weakness Enumeration (CWE) IDs associated with the CVE.

cvss_v2

string

The CVSS version 2 score and metrics.

cvss_v3

string

The CVSS version 3 score and metrics.

ExtendedInfoObj:

Name

Type

Description

short_description

string

A brief description providing additional context. Field is markdown text.

full_description

string

A detailed description providing comprehensive information. Field is markdown text.

jfrog_research_severity

string

The severity of the issue according to JFrog's research.

jfrog_research_severity_reasons

array[SeverityReasonObj]

Reasons for the JFrog research severity assessment.

name

string

The reason for the severity assessment.

is_positive

boolean

Indicates whether the reason contributes positively to the severity assessment.

remediation

string

Recommended remediation steps for the issue. Field is markdown text.

SeverityReasonObj:

Name

Type

Description

name

string

The reason for the severity assessment.

is_positive

boolean

Indicates whether the reason contributes positively to the severity assessment.

ApplicabilityDetailsObj

Name

Type

Description

component_id

string

Component id of the artifact

source_comp_id

string

Component id of the vulnerable package

vulnerability_id

string

Cve id

result

string

Contextual Analysis result. Possible values: not_scanned, applicable, not_applicable, undetermined, rescan_required, upgrade_required, not_covered

ApplicabilityObj

Name

Type

Description

scanner_available

boolean

Indicates whether a scanner is available to check the applicability of the issue

component_id

string

Identifier for the component or environment where the issue is applicable

source_comp_id

string

Identifier for the source component or environment where the issue was detected

cve_id

string

Identifier for the CVE associated with the issue

scan_status

integer

Status of the scan (e.g., 1 for successful, 0 for unsuccessful)

applicability

boolean

Indicates whether the issue is applicable to the specified component or environment

scanner_explanation

string

Explanation provided by the scanner regarding the applicability check

evidence

array[EvidenceObj]

Evidence or additional information related to the applicability check

info

string

Additional information about the applicability of the issue

details

array[DetailsObj]

Additional details or notes regarding the applicability of the issue

EvidenceObj:

Name

Type

Description

column_names

array[string]

Names of the columns in the evidence data

rows

array[array[string]]

Rows of evidence data, each containing specific details about the issue

DetailsObj:

Name

Type

Description

file_path

string

File path or location where the issue was detected

details

string

Detailed information about the applicability of the issue

LicensesObj:

Name

Type

Description

name

string

The name of the license.

full_name

string

The full name of the license.

more_info_url

array [string]

URLs with more information about the license.

components

array [string]

Components associated with the license.

OperationalRisksObj:

Name

Type

Description

component_id

string

The component ID associated with the operational risk.

risk

string

The level of risk associated with the component.

risk_reason

string

The reason for the risk assessment.

is_eol

boolean

Indicates if the component is at its End of Life (EOL).

eol_message

string

A message related to the component's EOL status.

latest_version

string

The latest version of the component.

newer_versions

integer

The number of newer versions available.

cadence

integer

The frequency of updates for the component.

commits

string

The number of commits for the component.

committers

string

The number of committers for the component.

released

string

The release date of the component.

ErrorsObj:

Name

Type

Description

identifier

string

Unique identifier for the error

error

string

Description of the error

Response Codes:

Status code

Description

200

OK

400

Missing build name or build number

Example response with CVE Research and Enrichment:

{
  "build": {
    "name": "exmplae_build",
    "component_id": "exmplae_build:1.0.0",
    "pkg_type": "Build",
    "path": "default/builds/exmplae_build",
    "sha256": "ff55b68d5f507aeaa2253f9506fd9ea847cbb29e1858edfe67d9153650698b12"
  },
  "issues": [
    {
      "issue_id": "XRAY-95701",
      "summary": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.",
      "description": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.",
      "issue_type": "security",
      "severity": "Critical",
      "provider": "JFrog",
      "cves": [
        {
          "cve": "CVE-2020-1747",
          "cwe": [
            "CWE-20",
            "CWE-20"
          ],
          "cvss_v2": "10.0/CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "cvss_v3": "9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "created": "2020-03-25T00:00:00.669Z",
      "impact_path": [
        "default/builds/example_build/example/latest/sha256__4918dff128ffe9fdb453e4c25c904c6c1bcbec34da8bcaa9921b154f4c891e2e.tar.gz/root/.cache/pip/wheels/ab/da/46/2f3778bfc6d5ec360917e3eeff42bade7d0497ad6879b1c05c/PyYAML-3.10-cp36-cp36m-linux_x86_64.whl"
      ],
      "extended_information": {
        "short_description": "Insufficient input validation in the PyYAML library allows unauthenticated network attackers to perform code execution when parsing a crafted YAML file.",
        "full_description": "The [PyYAML](https://pypi.org/project/PyYAML/) library is a Python YAML parser, and it is widely used in connected devices. \r\n\r\nAttackers can trigger the exploit by supplying a crafted YAML file to the `full_load` method or a `load` method that uses `Loader=FullLoader` (which is the default). A public [Exploit (PoC)](https://gist.github.com/adamczi/23a3b6d4bb7b2be35e79b0667d6682e1) exists which demonstrates remote code execution, making this vulnerability likely to be exploited in practice.\r\n\r\nThe library implementation has a [prototype pollution](https://shieldfy.io/security-wiki/prototype-pollution/introduction-to-prototype-pollution/) issue in the `construct_python_object_apply()` function in the `lib/yaml/constructor.py` module, used by the `full_load()` method and the `FullLoader` loader. This allows an attacker to create a property for an object created from the loaded file. The constructor does not check the attribute for conflicts; for example, it is possible to create an `extend` attribute when an `extend` method already exists in an object. This can be exploited to replace the `extend` method with the insecure `yaml.unsafe_load()` function, which is later invoked by `construct_python_object_apply()` and executes a malicious YAML payload. \r\n\r\nThe [official solution]() provides a blacklist of properties and attributes that cannot be redefined, such as the `extend` method and all special methods (`__set__`, `__setitem__`, etc.). In addition, the `README` file is updated with a request to use the `safe_load()` function and `SafeLoader` loader for all untrusted input. It is still possible to use the `UnsafeLoader`, and the fix does not completely solve the problem, as shown by the later CVE-2020-14343.\r\n\r\nThe vulnerability was discovered by [Riccardo Schirone](https://github.com/ret2libc).",
        "jfrog_research_severity": "Critical",
        "jfrog_research_severity_reasons": [
          {
            "name": "The CVE can be remotely exploited",
            "is_positive": false
          },
          {
            "name": "The CVE has an exploit published",
            "is_positive": false
          },
          {
            "name": "The CVE has reasonable prerequisites for exploitation",
            "is_positive": false
          },
          {
            "name": "The CVE results in severe effects",
            "is_positive": false
          }
        ],
        "remediation": "##### Development upgrade\n\n- Upgrade the component to any of the suggested fixed versions.\n\n##### Development mitigations\n\n* Apply the official [patch](https://github.com/yaml/pyyaml/pull/386/commits/6f675f711a807af61233355c6d127a3a2e412dbe). This is not recommended, as this version can still have other vulnerabilities.\n\n##### Deployment mitigations \n\n* Use `yaml.safe_load()` or the `SafeLoader` loader for all inputs."
      }
    }
  ],
  "licenses": [
    {
      "name": "Unknown",
      "full_name": "Unknown license",
      "more_info_url": [
        "Unknown link"
      ],
      "components": [
        "deb://ubuntu:bionic:grep:3.1-2build1",
        "deb://ubuntu:bionic:passwd:1:4.5-1ubuntu2"
      ]
    }
  ],
  "errors": []
}

Example response with Component Physical Path

{
  "build": {
    "name": "proj-docker-build",
    "component_id": "[proj-build-info]/proj-docker-build:14",
    "pkg_type": "Build",
    "path": "default/proj-build-info/proj-docker-build",
    "sha256": "1515db44689ca12c77c1b846c562fcaa40c26a5cc96153776752c96de01ea2f7"
  },
  "issues": [
    {
      "issue_id": "XRAY-79479",
      "summary": "In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.",
      "description": "In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.",
      "issue_type": "security",
      "severity": "High",
      "provider": "JFrog",
      "cves": [
        {
          "cve": "CVE-2019-0222",
          "cwe": [
            "CWE-94"
          ],
          "cvss_v2": "5.0/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "created": "2019-03-31T00:00:00.273Z",
      "impact_path": [
        "default/proj-build-info/proj-docker-build/bill.jar/META-INF/maven/org.fusesource.mqtt-client/mqtt-client/pom.xml",
        "default/proj-build-info/proj-docker-build/bill.jar/META-INF/maven/org.apache.activemq/activemq-mqtt/pom.xml"
      ],
      "components": [
        {
          "component_id": "org.fusesource.mqtt-client:mqtt-client",
          "fixed_versions": [
            "[1.15]"
          ]
        },
        {
          "component_id": "org.apache.activemq:activemq-mqtt",
          "fixed_versions": [
            "[5.15.9]"
          ]
        }
      ],
      "component_physical_paths": [
        "bill.jar/META-INF/maven/org.fusesource.mqtt-client/mqtt-client/pom.xml",
        "bill.jar/META-INF/maven/org.apache.activemq/activemq-mqtt/pom.xml"
      ]
    }
  ],
  "errors": []
}

Example response with Operational Risk:

{
  "build": {
    "name": "test",
    "component_id": "test:2",
    "pkg_type": "Build",
    "path": "default/builds/test",
    "sha256": "c9c5b7926184065a8cdabe1e2f28e52b269d4a50adb6b24f84c0dc9211530506"
  },
  "issues": [],
  "licenses": [],
  "operational_risks": [
    {
      "component_id": "gav://org.datanucleus:datanucleus-core:3.0.4",
      "risk": "High",
      "risk_reason": "Health",
      "is_eol": null,
      "eol_message": "",
      "latest_version": "6.0.0-m4",
      "newer_versions": 120,
      "cadence": 1,
      "commits": null,
      "committers": null,
      "released": "2012-12-12T20:02:00Z"
    }
  ],
  "errors": []
}

Example response with Contextual Analysis details:

{
    "build": {
        "name": "build-name",
        "component_id": "build-name:2",
        "pkg_type": "Build",
        "path": "default/builds/build-name",
        "sha256": "0a928e76e0485001d763e20ce262c256b3ab341fb44716073f2064b3490ef1b4"
    },
    "issues": [
        {
            "issue_id": "XRAY-141173",
            "summary": "Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.",
            "description": "Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.",
            "issue_type": "security",
            "severity": "High",
            "provider": "JFrog",
            "cves": [
                {
                    "cve": "CVE-2021-22112",
                    "cwe": [
                        "CWE-269",
                        "NVD-CWE-noinfo"
                    ],
                    "cvss_v2": "9.0/CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C",
                    "cvss_v3": "8.8/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                }
            ],
            "created": "2021-02-24T00:00:00.138Z",
            "impact_path": [
                "default/builds/build-name/student-services-security-0.0.1-20230711.143048-1.jar/BOOT-INF/lib/spring-security-web-5.2.2.RELEASE.jar"
            ],
            "applicability": ...,
            "applicability_details": [
                {
                    "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                    "source_comp_id": "gav://org.springframework.security:spring-security-web:5.2.2.RELEASE",
                    "vulnerability_id": "CVE-2021-22112",
                    "result": "not_applicable"
                }
            ],
            "component_physical_paths": [
                "student-services-security-0.0.1-20230711.143048-1.jar/BOOT-INF/lib/spring-security-web-5.2.2.RELEASE.jar"
            ]
        }
    ],
    "errors": []
}