Vulnerability Scans

JFrog Xray integration with JFrog Connect automatically scans your update content for security vulnerabilities and displays the CVE severities in your update flows, runs, and device artifacts.

When you update software on your edge devices, you need to know that the content you are sending to the devices is secure. Your update flows, runs, and artifacts in JFrog Connect are automatically scanned for security vulnerabilities using JFrog Xray, JFrog’s solution for software composition analysis. Xray is integrated with Connect and JFrog Artifactory to provide an easy and proactive solution for identifying security vulnerabilities in open-source and other third-party software.

Scan of Update Content

When you upload content (including Docker images, release bundles, and other artifacts) to Artifactory, Xray scans the content to analyze it for common vulnerabilities and exposures (CVEs).

Once you have created an update flow using the Deploy Containers, Artifacts, or Release Bundle action, Connect displays the results of the Xray CVE scan in the Update Flows tab. Connect uses the Artifactory path you specified in the flow steps to locate the content and its corresponding Xray analysis, so the results shown are those for the content at that path.

When you hover over the value in the Vulnerabilities column, a popup shows the number of vulnerabilities found at each severity level.

Vulnerability Drill-down

To get more information about the specific vulnerabilities, click the vulnerabilities (or the arrow) in the Vulnerabilities column. The Scans List page in Xray appears, where you can view analysis info and go to details about specific vulnerabilities. (For example, to drill down to a specific vulnerability, click a section of the Vulnerabilities ring chart or click Applicable in the Applicability chart.)

Vulnerabilities at Deployment Time

Connect also displays the current CVE Severities when the content is actually deployed.

Once the deployment is run, these are displayed in the Runs tab and serve as an indication of the vulnerability status of the content that was actually downloaded to your devices.

Updates

The results of Xray scans can change over time, for example when Xray learns of new vulnerabilities in content that was already scanned. Connect therefore periodically fetches fresh scan analysis from Xray and refreshes the Vulnerabilities display in the Update Flows and Runs tabs.

The CVEs are refreshed as follows:

  • CVEs in update flows (Update Flows tab) are refreshed every 24 hours, for 30 days after the flow has been created or deployed.

  • CVEs in deployments (Runs tab) are refreshed every 24 hours, for 90 days after the deployment.

After these windows close, the displayed counts are no longer refreshed and may not reflect vulnerabilities disclosed since the last refresh.
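The following is an added example, not JFrog code, that illustrates two points from this page in working form: how the per-severity counts in the Vulnerabilities hover popup are built from a set of findings, and how the 30-day and 90-day refresh windows translate into a staleness check for a displayed result. The finding dict shape (cve, component, severity), the sample findings and the placeholder CVE ids are all constructed for this example and are not Xray's real response format.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Severity levels as Xray reports them, worst first. "Unknown" catches
# findings that have not been rated yet or carry an unexpected value.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Unknown")

# Constructed sample findings for one update flow's content. The dict shape
# is an assumption made for this example, not the real Xray response format,
# and the CVE ids are placeholders. One entry is a deliberate duplicate.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "component": "deb://openssl:1.1.1", "severity": "Critical"},
    {"cve": "CVE-0000-0002", "component": "deb://openssl:1.1.1", "severity": "high"},
    {"cve": "CVE-0000-0002", "component": "deb://openssl:1.1.1", "severity": "High"},
    {"cve": "CVE-0000-0003", "component": "npm://lodash:4.17.20", "severity": "Medium"},
    {"cve": "CVE-0000-0004", "component": "pypi://requests:2.25.0", "severity": "Low"},
    {"cve": "CVE-0000-0005", "component": "deb://zlib:1.2.11", "severity": ""},
]


def normalize_severity(value):
    """Map a severity string (any case, possibly empty) onto SEVERITIES."""
    value = (value or "").strip().capitalize()
    return value if value in SEVERITIES else "Unknown"


def tally_by_severity(findings):
    """Count distinct (CVE, component) pairs per severity, like the popup.

    Every level is present in the result, even with a count of zero, so a
    caller can index it without guarding. Exact duplicates are counted once.
    """
    seen = set()
    counts = Counter()
    for finding in findings:
        key = (finding["cve"], finding["component"])
        if key in seen:
            continue
        seen.add(key)
        counts[normalize_severity(finding.get("severity"))] += 1
    return {level: counts[level] for level in SEVERITIES}


def highest_severity(tally):
    """Return the worst level with a non-zero count, or None if clean."""
    for level in SEVERITIES:
        if tally[level]:
            return level
    return None


# How long Connect keeps refreshing the CVE display, per this page:
# 30 days for update flows, 90 days for deployment runs.
REFRESH_WINDOW = {"flow": timedelta(days=30), "run": timedelta(days=90)}


def refresh_status(kind, anchored_at, now):
    """Report whether Connect is still refreshing an item's CVE display.

    kind: "flow" (anchored at creation or deployment) or "run" (anchored at
    deployment). Returns (still_refreshing, window_end, stale_for), where
    stale_for is how long the window has been closed (zero while open).
    """
    if kind not in REFRESH_WINDOW:
        raise ValueError(f"unknown kind {kind!r}")
    window_end = anchored_at + REFRESH_WINDOW[kind]
    if now <= window_end:
        return True, window_end, timedelta(0)
    return False, window_end, now - window_end


if __name__ == "__main__":
    tally = tally_by_severity(SAMPLE_FINDINGS)
    print(tally, "worst:", highest_severity(tally))
    deployed = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(refresh_status("run", deployed, deployed + timedelta(days=100)))
```

The staleness check is the part worth keeping around: once a run is past its 90-day window, the severities shown for it describe the content as Xray understood it at the last refresh, not necessarily today, so a long-lived device fleet should be re-checked against a fresh scan rather than against the Runs tab alone.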

Feature Limitations

When the Scan is Not Applicable

No Xray scan results are shown in the following cases:

  • The update flow uses update parameters. In this case, “Dynamic Update Flow” will appear in the Vulnerabilities column.

  • The content is not in Artifactory, for example, if some other repository manager is used or the content is not in a repository at all. In this case, “Not Applicable - Source” will appear in the Vulnerabilities column.

Release Bundles

  • For release bundles, Connect supports global release bundles only; release bundles within Artifactory projects are not supported.

  • For release bundles, Connect will get scan results only from the default (main) JFrog Platform.

What’s Next?

Learn how to create an update flow that will deploy containers to your edge devices.
