Vulnerability Scans

JFrog Xray integration with JFrog Connect automatically scans your update content for security vulnerabilities and displays the CVE severities in your update flows and deployments.


Last updated 5 months ago


When you update software on your edge devices, you need to know that the content you are sending to the devices is secure. Your update flows and deployments in JFrog Connect are automatically scanned for security vulnerabilities using JFrog Xray, JFrog’s solution for software composition analysis. Xray is integrated with Connect and JFrog Artifactory to provide an easy and proactive way to identify security vulnerabilities in open-source and other third-party software.

Scan of Update Content

When you upload content (including Docker images, release bundles, and other artifacts) to Artifactory, Xray scans the content to analyze it for common vulnerabilities and exposures (CVEs).

Once you have created an update flow using the Deploy Containers, the Artifacts, or the Release Bundle action, Connect displays information in the Update Flows tab about the results of the Xray scan for CVEs. (Connect uses the Artifactory path that you specified in the flow action to locate the content and its corresponding Xray analysis.) The most severe vulnerability found in the scan is displayed in the Update Flows table in the CVE Severity column.

When you hover over the severity in the column, a popup appears showing the number of vulnerabilities found at each severity level.
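The roll-up behind the CVE Severity column (most severe level in the cell, per-level counts in the hover popup, the two “Not Applicable” texts listed under Feature Limitations, and the change arrow described under Updates), reconstructed as an added Python example. This is illustration only, not Connect’s or Xray’s code; the severity ladder, the `Finding` type and the sample CVE ids are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed severity ladder, most severe first; Xray's own levels may differ.
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Unknown")
# Column texts quoted from the page.
NOT_APPLICABLE_SOURCE = "Not Applicable - Source"
DYNAMIC_FLOW = "Dynamic Update Flow"


@dataclass(frozen=True)
class Finding:
    """One CVE reported by a scan of the update content (hypothetical type)."""
    cve: str
    severity: str


def summarize(findings: Iterable[Finding]) -> dict:
    """Per-level counts, as shown in the hover popup; unknown levels bucket to Unknown."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity if f.severity in counts else "Unknown"] += 1
    return counts


def cve_severity_cell(artifactory_path: Optional[str],
                      uses_update_parameters: bool,
                      findings: Iterable[Finding]) -> str:
    """Text for the CVE Severity column of one update flow."""
    if uses_update_parameters:          # dynamic flow: nothing fixed to scan
        return DYNAMIC_FLOW
    if not artifactory_path:            # content not in Artifactory: no scan
        return NOT_APPLICABLE_SOURCE
    counts = summarize(findings)
    for level in SEVERITY_ORDER:        # first non-empty level is the most severe
        if counts[level]:
            return level
    return "None"                       # no findings: wording is this example's choice


def severity_change(previous: str, current: str) -> str:
    """'up', 'down' or 'same': direction of the arrow after a 24-hour refresh."""
    rank = {level: i for i, level in enumerate(SEVERITY_ORDER)}
    if previous == current or previous not in rank or current not in rank:
        return "same"
    return "up" if rank[current] < rank[previous] else "down"


# Constructed sample: a later scan of the same path reports one additional High.
PREVIOUS_SCAN = [Finding("CVE-0000-0001", "Medium"), Finding("CVE-0000-0002", "Low")]
CURRENT_SCAN = PREVIOUS_SCAN + [Finding("CVE-0000-0003", "High")]
```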

Vulnerability Drill-down

To get more information about the specific vulnerabilities, click the severity (or the arrow) in the CVE Severity column. The Scans List page in Xray appears, where you can view analysis info and go to details about specific vulnerabilities. (For example, to drill down to a specific vulnerability, click a section of the Severity ring chart or click Applicable in the Applicability chart.)

Vulnerabilities at Deployment Time

Connect also displays the current CVE Severities when the content is actually deployed.

Once the deployment has run, these are displayed in the Deployments tab and indicate the vulnerability status of the content that was actually downloaded to your devices.

Updates

The results of Xray scans can change over time, for example, if Xray discovers new vulnerabilities in the content. Therefore, Connect periodically obtains new scan analysis information and refreshes the CVE Severities display in the Update Flow and Deployment tabs. If the severity has changed, this is indicated in the CVE Severity column with an arrow.

The CVEs are updated as follows:

  • CVEs in update flows (Update Flow tab) are updated every 24 hours, for 30 days after the flow has been created or deployed.

  • CVEs in deployments (Deployments tab) are updated every 24 hours, for 90 days after deployment.

Feature Limitations

When the Scan is Not Applicable

Xray will not run scans in the following conditions:

  • The content is not in Artifactory, for example, if some other repository manager is used or the content is not in a repository at all. In this case, “Not Applicable - Source” will appear in the CVE Severities column.

  • The update flow uses update parameters. In this case, “Dynamic Update Flow” will appear in the CVE Severities column.

Release Bundles

  • For release bundles, Connect supports global release bundles only. For example, bundles within Artifactory projects are not supported.

  • For release bundles, Connect will get scan results only from the default (main) JFrog Platform Deployment (JPD).

What’s Next?

Learn how to create an update flow that will deploy containers to your edge devices.
