HomeGuidesAPI ReferenceChangelogDiscussions
Log In

Xray

Suggest Edits

JFrog Xray Container Scanning integration

This CLI is able to sync asset, scans and vulnerabilities from a folder containing Xray JSON files.

  • xray - Import a folder of .json files and sync assets, vulnerabilities and scans to RegScale.

Xray Processing Workflow

The CLI will process each Xray .json file and load assets, vulnerabilities and scans to RegScale.

  • import_xray Import Xray .json file scans and assets to RegScale
Required parameters

  • regscale_ssp_id The ID number from RegScale of the System Security Plan, required.

  • folder_path The full folder path where the Xray .json files are located.

Additional Information:

The CLI provides detailed logging throughout the process to indicate progress and to provide troubleshooting in case of issues.

File Format

Below is an example of a JFrog Xray JSON File, with a single CVE.

[  
    {  
        "vulnerable_component": "gav://org.springframework:spring-web:5.3.30",  
        "impacted_artifact": "docker://activemq:5.18.3-68-linux-arm64v8",  
        "path": "pd-docker-stable/activemq/5.18.3-68-linux-arm64v8/",  
        "summary": "Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.",  
        "severity": "Critical",  
        "references": [  
            "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027",  
            "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626",  
            "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417",  
            "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525",  
            "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000027.json",  
            "https://security-tracker.debian.org/tracker/CVE-2016-1000027",  
            "https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now",  
            "https://www.tenable.com/security/research/tra-2016-20"  
        ],  
        "issue_id": "XRAY-XXXXX",  
        "provider": "JFrog",  
        "cves": [  
            {  
                "cve": "CVE-2016-1000027",  
                "cvss_v2_score": 7.5,  
                "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P",  
                "cvss_v3_score": 9.8,  
                "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"  
            }  
        ],  
        "cvss2_max_score": 7.5,  
        "cvss3_max_score": 9.8,  
        "fixed_versions": [  
            "6.0.0"  
        ]  
    }  
]

Example Commands

Import Xray scans to SSP #16 in RegScale using the files located in the xray_scans folder.

  • regscale xray import_xray --regscale_ssp_id 16 --folder_path /home/my_user/data/xray_scans

Updated about 1 month ago