Vulnerability Scans

JFrog Xray integration with JFrog Connect automatically scans your update content for security vulnerabilities and displays the CVE severities in your update flows and deployments.

When you update software on your edge devices, you need to know that the content you are sending to the devices is secure. Your update flows and deployments in JFrog Connect are automatically scanned for security vulnerabilities using JFrog Xray, JFrog’s solution for software composition analysis. Xray is integrated with Connect and JFrog Artifactory to provide an easy and proactive solution for identifying security vulnerabilities in open-source and other third-party software.

Scan of Update Content

When you upload content (including Docker images, release bundles, and other artifacts) to Artifactory, Xray scans the content to analyze it for common vulnerabilities and exposures (CVEs).

Once you have created an update flow using the Deploy Containers, Artifacts, or Release Bundle action, Connect displays information in the Update Flows tab about the results of the Xray scan for CVEs. (Connect uses the Artifactory path that you specified in the flow action to locate the content and its corresponding Xray analysis.) The most severe vulnerability found in the scan is displayed in the Update Flows table in the CVE Severity column.

When you hover over the severity in the column, a popup appears showing the number of vulnerabilities found at each severity level.

Vulnerability Drill-down

To get more information about the specific vulnerabilities, click the severity (or the arrow) in the CVE Severity column. The Scans List page in Xray appears, where you can view analysis info and go to details about specific vulnerabilities. (For example, to drill down to a specific vulnerability, click a section of the Severity ring chart or click Applicable in the Applicability chart.)

Vulnerabilities at Deployment Time

Connect also displays the current CVE Severities when the content is actually deployed.

Once the deployment is run, these are displayed in the Deployments tab and serve as an indication of the vulnerability status of the content that was actually downloaded to your devices.

Updates

The results of Xray scans can change over time, for example, if Xray discovers new vulnerabilities in the content. Therefore, Connect obtains new scan analysis information and refreshes the CVE Severities display in the Update Flow and Deployment tabs. If there has been a change in severity, this is indicated in the CVE Severity column with an arrow, as shown below.

The CVEs are updated as follows:

  • CVEs in update flows (Update Flow tab) are updated every 24 hours, for 30 days after the flow has been created or deployed.

  • CVEs in deployments (Deployments tab) are updated every 24 hours, for 90 days after deployment.
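To make the severity summary shown in the CVE Severity column and the refresh schedule above concrete, here is an added Python example (not JFrog Connect or Xray code): it derives the worst severity and the per-severity counts from a list of scan findings, reports the direction of change between two refreshes (the arrow in the column), and decides whether a refresh is due under the every-24-hours, 30-day (flows) or 90-day (deployments) policy. The finding record format and the "Unknown" severity level are assumptions, and the CVE ids are placeholders.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Xray severity levels, worst first ("Unknown" is an assumed level); "None"
# stands for a scan that found nothing.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Unknown", "None"]
RANK = {s: i for i, s in enumerate(SEVERITY_ORDER)}

# Refresh policy stated on this page: every 24 hours, for 30 days (update
# flows) or 90 days (deployments).
REFRESH_WINDOW_DAYS = {"flow": 30, "deployment": 90}
REFRESH_INTERVAL = timedelta(hours=24)

def summarize(vulns):
    """Worst severity plus per-severity counts (what the column and its
    hover popup show). Records are {'cve': ..., 'severity': ...} dicts, a
    constructed stand-in for Xray's real response schema."""
    counts = Counter(v.get("severity", "Unknown") for v in vulns)
    worst = next((s for s in SEVERITY_ORDER if counts[s]), "None")
    return worst, dict(counts)

def severity_change(previous, current):
    """Direction of change between two refreshes (the column's arrow)."""
    if RANK[current] < RANK[previous]:
        return "worse"
    return "better" if RANK[current] > RANK[previous] else "same"

def refresh_due(kind, created_at, last_refreshed, now):
    """True if the CVE display should be re-queried from Xray now."""
    if now - created_at > timedelta(days=REFRESH_WINDOW_DAYS[kind]):
        return False  # past the 30/90-day window: display is no longer refreshed
    return now - last_refreshed >= REFRESH_INTERVAL

# Constructed sample scan result with placeholder CVE ids (not real ones).
SAMPLE_VULNS = [
    {"cve": "CVE-XXXX-0001", "severity": "High"},
    {"cve": "CVE-XXXX-0002", "severity": "Medium"},
    {"cve": "CVE-XXXX-0003", "severity": "High"},
    {"cve": "CVE-XXXX-0004", "severity": "Low"},
]

def demo_refresh_schedule():
    """Constructed timeline for one update flow created at t0: each tuple is
    (hours since creation, hours since last refresh)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    checks = [(1, 1), (26, 26), (24 * 29, 30), (24 * 31, 48)]
    return [refresh_due("flow", t0, t0 + timedelta(hours=a - r), t0 + timedelta(hours=a))
            for a, r in checks]
```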

Feature Limitations

When the Scan is Not Applicable

Xray will not run scans in the following conditions:

  • The update flow uses update parameters. In this case, “Dynamic Update Flow” will appear in the CVE Severities column.

  • The content is not in Artifactory, for example, if some other repository manager is used or the content is not in a repository at all. In this case, “Not Applicable - Source” will appear in the CVE Severities column.

Release Bundles

  • For release bundles, Connect supports global release bundles only. For example, bundles within Artifactory projects are not supported.

  • For release bundles, Connect will get scan results only from the default (main) JFrog Platform Deployment (JPD).

What’s Next?

Learn how to create an update flow that will deploy containers to your edge devices.
