Scan Build V1

JFrog Xray REST APIs

Description: Invokes an Xray scan of a build that was uploaded to Artifactory, as requested by a CI server. The response carries the scan summary and the alerts the scan generated, so a CI job can use the result to decide whether the build passes.

Security: Requires the "Manage Xray Metadata" permission, granted to the calling user or group.

Usage: POST /xray/api/v1/scanBuild

Consumes: application/json

Produces: application/json

Path Parameters: None

Query Parameters: None

Request Body:

Name         Type        Required/Optional   Description
buildName    string      mandatory           Name of the build
buildNumber  string      mandatory           Build number
rescan       boolean     optional            Flag to force a rescan of the build
filters      FiltersObj  optional            Filters object for specifying scanning options (see FiltersObj below)
project      string      optional            Key of the project the build belongs to (omit for builds outside a project)

FiltersObj:

Name             Type     Required/Optional   Description
includeLicenses  boolean  optional            Flag to include license details (the licenses array) in the response

Response Body:

Name      Type               Description
summary   SummaryObj         Summary object of the scan result
alerts    array[AlertObj]    An array of alert details generated from the scan
licenses  array[LicenseObj]  Array of license details from the scan

SummaryObj:

Name              Type     Description
total_alerts      number   Total number of alerts generated from the scan
fail_build        boolean  Flag indicating whether the build should be failed; a CI server is expected to fail the build when this is true
message           string   Message with more information regarding the scan
more_details_url  string   Link to all created Alerts in Xray

AlertObj:

Name          Type             Description
created       string           Creation time of the Alert
top_severity  string           Top severity of the Alert
watch_name    string           Name of the Watch that caused the Alert
issues        array[IssueObj]  An array of issues included in the Alert

IssueObj:

Name                   Type                            Description
severity               string                          The severity of the issue
type                   string                          Type of the issue. Possible values: Security, License, Operational_Risk
provider               string                          Provider of the issue
created                string                          The creation time of the issue
summary                string                          Summary of the issue
description            string                          Description of the issue
cve                    string                          CVE (Common Vulnerabilities and Exposures) identifier of the issue
impacted_artifacts     array[ImpactedArtifactObj]      An array of impacted artifacts
applicability_details  array[ApplicabilityDetailsObj]  Contextual Analysis results for this issue, one entry per scanned component (see ApplicabilityDetailsObj); absent when no Contextual Analysis result exists for the issue

ImpactedArtifactObj:

Name            Type                    Description
name            string                  Name of the impacted artifact
display_name    string                  Display name of the impacted artifact
path            string                  Path of the impacted artifact
pkg_type        string                  Package type of the impacted artifact
sha256          string                  SHA-256 hash of the impacted artifact
depth           integer                 Nesting depth of the impacted artifact (0 at the top level)
parent_sha      string                  SHA-256 hash of the impacted artifact's parent
infected_files  array[InfectedFileObj]  Array of infected files in the impacted artifact

InfectedFileObj:

Name          Type     Description
name          string   Name of the infected file
path          string   Path of the infected file
sha256        string   SHA-256 hash of the infected file
component_id  string   ID of the component related to the infected file
depth         integer  Nesting depth of the infected file
parent_sha    string   SHA-256 hash of the infected file's parent
display_name  string   Display name of the infected file

LicenseObj:

Name           Type           Description
name           string         Name of the license
components     array[string]  IDs of the build's components that carry this license
full_name      string         Full name of the license
more_info_url  array[string]  An array of links to more information about this license

ApplicabilityDetailsObj:

Name              Type    Description
component_id      string  Component ID of the scanned artifact
source_comp_id    string  Component ID of the vulnerable package
vulnerability_id  string  CVE ID
result            string  Contextual Analysis result. Possible values: not_scanned, applicable, not_applicable, undetermined, rescan_required, upgrade_required, not_covered

Only not_applicable indicates that the vulnerable code was found to be unreachable. Every value other than applicable and not_applicable means Contextual Analysis did not reach a verdict, so a CI gate should not treat such an issue as safe.

Response Codes:

Status code  Description
200          Build scanned
400          Request is missing mandatory fields
403          No valid license was found
415          Failed to parse scan build request
500          Failed to get Artifactory instance data
500          Failed to check watches
500          Failed to send build to scan

Example Request:

{
  "buildName": "example-build",
  "buildNumber": "4",
  "rescan": true,
  "filters": {
    "includeLicenses": true
  }
}

Example Request - Project build:

{
  "buildName": "build-name",
  "buildNumber": "8",
  "project": "myproject"
}

Example Successful Response - build in Project scope:

{
  "summary": {
    "total_alerts": 2,
    "fail_build": true,
    "message": "Build test-project number 3 was scanned by Xray and 2 Alerts were generated",
    "more_details_url": "https://example.jfrog.io/ui/scans-list/builds-scans/test-project/scan-descendants/3?version=3&package_id=build%3A%2F%2F%5Btest-project-key-build-info%5D%2Ftest-project&build_repository=test-project-key-build-info&component_id=build%3A%2F%2F%5Btest-project-key-build-info%5D%2Ftest-project%3A3&page_type=security-vulnerabilities&exposure_status=to_fix"
  },
  "alerts": [
    {
      "schema_version": "",
      "created": "2024-02-24T22:06:39.979Z",
      "top_severity": "Critical",
      "watch_name": "project-watch",
      "issues": [
        {
          "severity": "Critical",
          "type": "Security",
          "provider": "JFrog",
          "created": "2024-02-24T22:06:39.979Z",
          "summary": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.",
          "description": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.",
          "impacted_artifacts": [
            {
              "name": "test-project",
              "display_name": "[test-project-key-build-info]/test-project:3",
              "path": "default/test-project-key-build-info/test-project",
              "pkg_type": "Build",
              "sha256": "3fe6ac318de3717969b1df85f87404c52ee7d0056a335de0277fcea53351aa3f",
              "sha1": "",
              "depth": 0,
              "parent_sha": "3fe6ac318de3717969b1df85f87404c52ee7d0056a335de0277fcea53351aa3f",
              "infected_files": [
                {
                  "name": "log4j-1.2.17.jar",
                  "path": "",
                  "sha256": "a2234476879b9e76f99a561f3d9da243684edb54b0b44ef7c0cf7a1a3d1e6776",
                  "component_id": "gav://log4j:log4j:1.2.17",
                  "depth": 0,
                  "parent_sha": "3fe6ac318de3717969b1df85f87404c52ee7d0056a335de0277fcea53351aa3f",
                  "display_name": "log4j:log4j:1.2.17"
                }
              ]
            }
          ],
          "cve": "CVE-2022-23305"
        },
        {
          "severity": "Critical",
          "type": "Security",
          "provider": "JFrog",
          "created": "2024-02-24T22:06:39.993Z",
          "summary": "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.",
          "description": "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.\n\nUsers are advised to migrate to `org.apache.logging.log4j:log4j-core`.",
          "impacted_artifacts": [
            {
              "name": "test-project",
              "display_name": "[test-project-key-build-info]/test-project:3",
              "path": "default/test-project-key-build-info/test-project",
              "pkg_type": "Build",
              "sha256": "3fe6ac318de3717969b1df85f87404c52ee7d0056a335de0277fcea53351aa3f",
              "sha1": "",
              "depth": 0,
              "parent_sha": "3fe6ac318de3717969b1df85f87404c52ee7d0056a335de0277fcea53351aa3f",
              "infected_files": [
                {
                  "name": "log4j-1.2.17.jar",
                  "path": "",
                  "sha256": "a2234476879b9e76f99a561f3d9da243684edb54b0b44ef7c0cf7a1a3d1e6776",
                  "component_id": "gav://log4j:log4j:1.2.17",
                  "depth": 0,
                  "parent_sha": "3fe6ac318de3717969b1df85f87404c52ee7d0056a335de0277fcea53351aa3f",
                  "display_name": "log4j:log4j:1.2.17"
                }
              ]
            }
          ],
          "cve": "CVE-2019-17571"
        }
      ]
    }
  ],
  "licenses": [
    {
      "name": "Apache-2.0",
      "full_name": "Apache License 2.0",
      "more_info_url": [
        "https://www.apache.org/licenses/LICENSE-2.0",
        "https://opensource.org/licenses/Apache-2.0",
        "http://www.opensource.org/licenses/Apache-2.0",
        "http://www.opensource.org/licenses/apache2.0.php",
        "https://spdx.org/licenses/Apache-2.0",
        "https://spdx.org/licenses/Apache-2.0.html",
        "http://www.apache.org/licenses/LICENSE-2.0",
        "https://licenses.nuget.org/Apache-2.0",
        "http://licenses.nuget.org/Apache-2.0",
        "https://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt",
        "http://raw.githubusercontent.com/aspnet/AspNetCore/2.0.0/LICENSE.txt"
      ],
      "components": [
        "gav://log4j:log4j:1.2.17"
      ]
    }
  ]
}

Example Successful Response - build with Contextual Analysis results:

{
    "summary": {
        "total_alerts": 2,
        "fail_build": true,
        "message": "Build build-name number 2 was scanned by Xray and 2 Alerts were generated",
        "more_details_url": "https://artifactory.jfrog.io/ui/scans-list/builds-scans/build-name/scan-descendants/2?version=2&package_id=build%3A%2F%2Fbuild-name&build_repository=artifactory-build-info&component_id=build%3A%2F%2Fbuild-name%3Abe0583&page_type=security-vulnerabilities&exposure_status=to_fix"
    },
    "alerts": [
        {
            "schema_version": "",
            "created": "2024-02-29T04:56:51.205Z",
            "top_severity": "Critical",
            "watch_name": "watch-name",
            "issues": [
                {
                    "severity": "High",
                    "type": "Security",
                    "provider": "JFrog",
                    "created": "2024-03-04T20:00:09.227Z",
                    "summary": "In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.",
                    "description": "In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.\n\nSpecifically, an application is vulnerable if all of the conditions are true:\n\n* The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath.\n* The application makes use of Spring Boot's welcome page support, either static or templated.\n* Your application is deployed behind a proxy which caches 404 responses.\n\nYour application is NOT vulnerable if any of the following are true:\n\n* Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET.\n* The application does not use Spring Boot's welcome page support.\n* You do not have a proxy which caches 404 responses.\n\n\nAffected Spring Products and Versions\n\nSpring Boot\n\n3.0.0 to 3.0.6 2.7.0 to 2.7.11 2.6.0 to 2.6.14 2.5.0 to 2.5.14\n\nOlder, unsupported versions are also affected\nMitigation\n\nUsers of affected versions should apply the following mitigations:\n\n* 3.0.x users should upgrade to 3.0.7+\n* 2.7.x users should upgrade to 2.7.12+\n* 2.6.x users should upgrade to 2.6.15+\n* 2.5.x users should upgrade to 2.5.15+\n\nUsers of older, unsupported versions should upgrade to 3.0.7+ or 2.7.12+.\n\nWorkarounds: configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application.",
                    "impacted_artifacts": [
                        {
                            "name": "build-name",
                            "display_name": "build-name:2",
                            "path": "default/builds/build-name",
                            "pkg_type": "Build",
                            "sha256": "5242d3177c47ec81429f1348e004f2e26c3a219cdc20edadd8c5d12e084400e1",
                            "sha1": "",
                            "depth": 0,
                            "parent_sha": "5242d3177c47ec81429f1348e004f2e26c3a219cdc20edadd8c5d12e084400e1",
                            "infected_files": [
                                {
                                    "name": "spring-boot-autoconfigure-2.2.6.RELEASE.jar",
                                    "path": "",
                                    "sha256": "b84273b4a4ca10acd9619de50882bd793d031d65efde2f3286c0f0566ec756c2",
                                    "component_id": "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE",
                                    "depth": 0,
                                    "parent_sha": "5242d3177c47ec81429f1348e004f2e26c3a219cdc20edadd8c5d12e084400e1",
                                    "display_name": "org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE"
                                }
                            ]
                        }
                    ],
                    "cve": "CVE-2023-20883",
                    "applicability": [
                        {
                            "scanner_available": true,
                            "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                            "source_comp_id": "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE",
                            "cve_id": "CVE-2023-20883",
                            "scan_status": 1,
                            "applicability": true,
                            "scanner_explanation": "<p>The scanner checks whether the annotations <code>@EnableAutoConfiguration</code> or <code>@SpringBootApplication</code> are applied to any class.</p>\n<p>For determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: The Spring application is deployed behind a proxy that caches 404 (\"Page Not Found\") HTTP responses.</p>",
                            "evidence": [
                                {
                                    "column_names": [
                                        "Path",
                                        "Location",
                                        "Issue Found"
                                    ],
                                    "rows": [
                                        [
                                            "/BOOT-INF/classes/com/in28minutes/springboot/StudentServicesApplication.class",
                                            "StudentServicesApplication",
                                            "The vulnerable @SpringBootApplication class annotation is used"
                                        ]
                                    ]
                                }
                            ],
                            "info": "The vulnerable @SpringBootApplication class annotation is used",
                            "details": [
                                {
                                    "file_path": "/BOOT-INF/classes/com/in28minutes/springboot/StudentServicesApplication.class",
                                    "details": "Location: StudentServicesApplication, Issue Found: The vulnerable @SpringBootApplication class annotation is used"
                                }
                            ]
                        }
                    ],
                    "applicability_details": [
                        {
                            "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                            "source_comp_id": "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE",
                            "vulnerability_id": "CVE-2023-20883",
                            "result": "applicable"
                        }
                    ]
                },
                {
                    "severity": "High",
                    "type": "Security",
                    "provider": "JFrog",
                    "created": "2024-02-29T04:56:51.215Z",
                    "summary": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.",
                    "description": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.",
                    "impacted_artifacts": [
                        {
                            "name": "build-name",
                            "display_name": "build-name:2",
                            "path": "default/builds/build-name",
                            "pkg_type": "Build",
                            "sha256": "fb32d42470fc88649240f336e145b90b5387d9650ca68f6f00e4fd8dc8d3bdb4",
                            "sha1": "",
                            "depth": 0,
                            "parent_sha": "fb32d42470fc88649240f336e145b90b5387d9650ca68f6f00e4fd8dc8d3bdb4",
                            "infected_files": [
                                {
                                    "name": "jackson-databind-2.10.3.jar",
                                    "path": "",
                                    "sha256": "50eec40443f387be50a409186165298aaadbb6c4d4826d319720e245714600d2",
                                    "component_id": "gav://com.fasterxml.jackson.core:jackson-databind:2.10.3",
                                    "depth": 0,
                                    "parent_sha": "fb32d42470fc88649240f336e145b90b5387d9650ca68f6f00e4fd8dc8d3bdb4",
                                    "display_name": "com.fasterxml.jackson.core:jackson-databind:2.10.3"
                                }
                            ]
                        }
                    ],
                    "cve": "CVE-2022-42004",
                    "applicability": [
                        {
                            "scanner_available": true,
                            "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                            "source_comp_id": "gav://com.fasterxml.jackson.core:jackson-databind:2.10.3",
                            "cve_id": "CVE-2022-42004",
                            "scan_status": 1,
                            "applicability": false,
                            "scanner_explanation": "<p>This scanner checks whether or not an <code>ObjectMapper</code> object has enabled the vulnerable <code>DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS</code> functionality. If it has, the scanner checks if any of the following vulnerable functions are called with external input:</p>\n<ul>\n<li><code>ObjectMapper.readTree()</code></li>\n<li><code>ObjectMapper.readValue()</code></li>\n<li><code>ObjectMapper.readValues()</code></li>\n</ul>",
                            "evidence": null,
                            "info": "The vulnerable functions ObjectMapper.enable/ObjectMapper.configure never set the vulnerable enum DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS to true",
                            "details": null
                        }
                    ],
                    "applicability_details": [
                        {
                            "component_id": "gav://com.in28minutes.springboot:student-services-security:0.0.1-SNAPSHOT",
                            "source_comp_id": "gav://com.fasterxml.jackson.core:jackson-databind:2.10.3",
                            "vulnerability_id": "CVE-2022-42004",
                            "result": "not_applicable"
                        }
                    ]
                }
            ]
        }
    ],
    "licenses": [
        {
            "name": "CDDL-1.0",
            "full_name": "Common Development and Distribution License 1.0",
            "more_info_url": [
                "https://opensource.org/licenses/cddl1",
                "http://www.opensource.org/licenses/cddl1.php",
                "https://spdx.org/licenses/CDDL-1.0",
                "https://spdx.org/licenses/CDDL-1.0.html",
                "http://www.opensource.org/licenses/cddl1"
            ],
            "components": [
                "gav://org.apache.tomcat.embed:tomcat-embed-core:9.0.33"
            ]
        }
    ]
}
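The following script is an added example of how a CI job can use this endpoint; it is not JFrog's code and not part of this page. It builds the request body, POSTs it, and turns the response into a gate decision plus a severity-ordered fix list, separating issues whose Contextual Analysis result is not_applicable from those that are applicable or unverified. The Xray base URL, the access token, the Bearer Authorization header scheme, the severity ordering and the SAMPLE_RESPONSE (constructed, modelled on the example responses above) are assumptions of the example, not facts from this page.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass

SCAN_BUILD_PATH = "/xray/api/v1/scanBuild"
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}  # assumed ordering

def build_request(build_name, build_number, rescan=False, include_licenses=False, project=None):
    """JSON body for POST /xray/api/v1/scanBuild; optional keys are emitted only when set."""
    if not build_name or build_number in (None, ""):
        raise ValueError("buildName and buildNumber are mandatory")
    body = {"buildName": build_name, "buildNumber": str(build_number)}
    if rescan:
        body["rescan"] = True
    if include_licenses:
        body["filters"] = {"includeLicenses": True}
    if project:
        body["project"] = project
    return body

def scan_build(base_url, access_token, body, timeout=900):
    """Network call. The scan is synchronous, so the timeout must cover the whole scan;
    non-200 codes (400/403/415/500, see Response Codes) are raised as RuntimeError."""
    req = urllib.request.Request(
        base_url.rstrip("/") + SCAN_BUILD_PATH, method="POST",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + access_token})  # assumed auth scheme
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"scanBuild HTTP {err.code}: {err.read()[:500]!r}") from err

@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    components: tuple  # component_id of each infected file
    bucket: str        # applicable | not_applicable | unverified

def classify(issue):
    """Only not_applicable proves the vulnerable code is unreachable; any other result
    (not_scanned, undetermined, rescan_required, upgrade_required, not_covered) or a
    missing applicability_details entry is 'unverified' and stays on the fix list."""
    results = {d.get("result") for d in issue.get("applicability_details") or []}
    if "applicable" in results:
        return "applicable"
    if results and results <= {"not_applicable"}:
        return "not_applicable"
    return "unverified"

def triage(response):
    """Flatten alerts -> issues -> impacted_artifacts -> infected_files into Findings."""
    out = []
    for alert in response.get("alerts") or []:
        for issue in alert.get("issues") or []:
            comps = tuple(f.get("component_id", "")
                          for art in issue.get("impacted_artifacts") or []
                          for f in art.get("infected_files") or [])
            out.append(Finding(issue.get("cve", ""), issue.get("severity", ""), comps, classify(issue)))
    return out

def evaluate(response):
    """Gate verdict (Xray's fail_build) plus a severity-ordered fix list; not_applicable
    findings are set aside as noise rather than silently dropped."""
    findings = triage(response)
    summary = response.get("summary") or {}
    return {
        "fail_build": bool(summary.get("fail_build")),
        "more_details_url": summary.get("more_details_url", ""),
        "fix_first": sorted((f for f in findings if f.bucket != "not_applicable"),
                            key=lambda f: (SEVERITY_RANK.get(f.severity, 99), f.cve)),
        "suppressed": [f for f in findings if f.bucket == "not_applicable"],
    }

def _issue(cve, severity, component, result=None):
    """Minimal IssueObj for the constructed sample below."""
    issue = {"cve": cve, "severity": severity, "type": "Security", "provider": "JFrog",
             "impacted_artifacts": [{"name": "build-name", "pkg_type": "Build",
                                     "infected_files": [{"component_id": component}]}]}
    if result:  # omitting it entirely models a CVE that Contextual Analysis did not cover
        issue["applicability_details"] = [{"component_id": "gav://example:app:1.0",
                                           "source_comp_id": component,
                                           "vulnerability_id": cve, "result": result}]
    return issue

SAMPLE_RESPONSE = {  # constructed sample, modelled on the example responses on this page
    "summary": {"total_alerts": 3, "fail_build": True,
                "more_details_url": "https://example.jfrog.io/ui/scans-list/builds-scans/build-name"},
    "alerts": [{"created": "2024-02-29T04:56:51.205Z", "top_severity": "Critical",
                "watch_name": "watch-name", "issues": [
                    _issue("CVE-2023-20883", "High",
                           "gav://org.springframework.boot:spring-boot-autoconfigure:2.2.6.RELEASE", "applicable"),
                    _issue("CVE-2022-42004", "High",
                           "gav://com.fasterxml.jackson.core:jackson-databind:2.10.3", "not_applicable"),
                    _issue("CVE-2019-17571", "Critical", "gav://log4j:log4j:1.2.17")]}],
}
```

In a pipeline the three pieces chain as `evaluate(scan_build(base_url, token, build_request(name, number, project=key)))`; exit non-zero when `fail_build` is true and print `fix_first` so the developer sees the highest-severity actionable items first. The gate honours Xray's own fail_build verdict (which follows the Watch policy) and never demotes a finding on the strength of a missing or inconclusive Contextual Analysis result: only an explicit not_applicable moves an issue into the suppressed list, which is still reported rather than discarded.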