Xray
JFrog Xray Container Scanning integration
This CLI is able to sync asset, scans and vulnerabilities from a folder containing Xray JSON files.
xray
- Import a folder of .json files and sync assets, vulnerabilities and scans to RegScale.
Xray Processing Workflow
The CLI will process each Xray .json file and load assets, vulnerabilities and scans to RegScale.
import_xray
Import Xray .json file scans and assets to RegScale
Required parameters
-
regscale_ssp_id
The ID number from RegScale of the System Security Plan, required. -
folder_path
The full folder path where the Xray .json files are located.
Additional Information:
The CLI provides detailed logging throughout the process to indicate progress and to provide troubleshooting in case of issues.
File Format
Below is an example of a JFrog Xray JSON File, with a single CVE. Please note impacted_artifact
is a required field.
[
{
"vulnerable_component": "gav://org.springframework:spring-web:5.3.30",
"impacted_artifact": "docker://activemq:5.18.3-68-linux-arm64v8",
"path": "pd-docker-stable/activemq/5.18.3-68-linux-arm64v8/",
"summary": "Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.",
"severity": "Critical",
"references": [
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027",
"https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626",
"https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417",
"https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525",
"https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000027.json",
"https://security-tracker.debian.org/tracker/CVE-2016-1000027",
"https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now",
"https://www.tenable.com/security/research/tra-2016-20"
],
"issue_id": "XRAY-XXXXX",
"provider": "JFrog",
"cves": [
{
"cve": "CVE-2016-1000027",
"cvss_v2_score": 7.5,
"cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3_score": 9.8,
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cvss2_max_score": 7.5,
"cvss3_max_score": 9.8,
"fixed_versions": [
"6.0.0"
]
}
]
Example Commands
Import Xray scans to SSP #16 in RegScale using the files located in the xray_scans folder.
regscale xray import_xray --regscale_ssp_id 16 --folder_path /home/my_user/data/xray_scans
NOTE: See All Scanner Integrations for information about how this updates Issues/POAMs
Updated about 1 month ago