JFrog Xray is not detecting CVE-2022-21724 for the PostgreSQL jar. In our application we are using postgresql-42.2.18.jar, and the above CVE is not being detected.
Thanks and Regards,
S Sathish
I have deployed the same artifact in Artifactory and scanned it with Xray. I was able to see the mentioned CVE in it. Kindly make sure that Xray database sync is up to date. After that, select the artifact and click on "Scan for violations" in the Actions tab and share the screenshot here.
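An independent sanity check you can run beside the Xray result, as an added example that is not part of the thread or of JFrog's own tooling: read the Maven coordinates out of the jar's `META-INF/maven/.../pom.properties` and compare the version against the affected range for CVE-2022-21724. The range below is my recollection of the pgjdbc advisory (9.4.1208 up to but excluding 42.2.25, and 42.3.0 up to but excluding 42.3.2) and is an assumption to verify against the current advisory; the jar used here is constructed in memory.

```python
"""Added example (not from the thread): extract Maven coordinates from a jar and
check the version against an affected range, as a cross-check on a scanner result."""
import io
import re
import zipfile

# Affected ranges for CVE-2022-21724 in org.postgresql:postgresql as I recall them from
# the pgjdbc advisory (half-open: first affected inclusive, fixed version exclusive).
# ASSUMPTION: verify these numbers against the current advisory before relying on them.
AFFECTED_RANGES = {
    ("org.postgresql", "postgresql"): [("9.4.1208", "42.2.25"), ("42.3.0", "42.3.2")],
}


def parse_version(v):
    """Turn '42.2.18' into (42, 2, 18); non-numeric tails such as '.jre7' are dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def jar_coordinates(jar_bytes):
    """Return (groupId, artifactId, version) from the first pom.properties in the jar,
    or None when the jar carries no Maven metadata (then fall back to the file name)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    line = line.strip()
                    if line and not line.startswith("#") and "=" in line:
                        key, _, val = line.partition("=")
                        props[key.strip()] = val.strip()
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    return props["groupId"], props["artifactId"], props["version"]
    return None


def in_range(version, lo, hi):
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def is_affected(group, artifact, version):
    ranges = AFFECTED_RANGES.get((group, artifact), [])
    return any(in_range(version, lo, hi) for lo, hi in ranges)


def make_test_jar(group, artifact, version):
    """Constructed sample: a minimal jar containing only the Maven pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            f"META-INF/maven/{group}/{artifact}/pom.properties",
            f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    coords = jar_coordinates(make_test_jar("org.postgresql", "postgresql", "42.2.18"))
    print(coords, "affected" if is_affected(*coords) else "not affected")
```

If this check says the version is in range while Xray reports nothing, the gap is on the scanner side (stale database sync or an un-indexed repository), which is what the answer above asks you to confirm.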
I am using JFrog Xray to scan for security issues in my project. There is a critical-level vulnerability, CVE-2016-1000027, that needs to be resolved. But I want JFrog to ignore this vulnerability issue when Xray scans.
Does anyone know how I can ignore it?
Thanks.
Please follow the official JFrog Xray Ignore Rules. It has details on this.
Note that an ignore rule should be a temporary flag until a resolution is found. Keep your software safe!
Good Morning all,
Anyone using JFrog here?
I need some basic guidance on how to scan a repository with Xray. It's currently returning zero violations, but I'm not sure if it is even scanning at all.
Please check the points below and make sure you have configured them in Xray.
Xray DB sync is up to date. Link for more details-> https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray#ConfiguringXray-SynchronizingtheDatabase
Indexing of repositories/builds is enabled. Link for more details-> https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray#ConfiguringXray-IndexingResources
Watches and policies are created and configured to the Artifactory repository or build. Link for more details-> https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray#ConfiguringXray-CreatingWatchesandPolicies
Below are the video links for creating Watches and policies.
https://www.youtube.com/watch?v=yfoBmuaRkGI
https://www.youtube.com/watch?v=88hwwMJsS58
I hope the above information will be helpful to configure Xray for the repository or build and check for violations.
Before going forward, I realize this question is too broad. But I couldn't figure out the proper verbiage to search for, either here on SO or on Google.
If this question is a duplicate, then please excuse me in advance and provide me the link to the original question.
Problem :
We are working on creating a testing framework. One of the requirements is to publish a report at the end of the testing phase with build information. We need to provide information like who committed the latest change we are testing, what build version we are using for testing, etc.
In our current setup, we are using GitHub as SCM. Whenever there is a commit to the SCM, a build is triggered on Jenkins, and if the build is successful, the jar is deployed to JFrog Artifactory. I am trying to come up with a Gradle script to get the necessary information.
Any pointers to the following questions are highly appreciated:
Which plugin can I use to retrieve the info for a SNAPSHOT jar from Artifactory?
Which plugin can I use to retrieve Jenkins build info using the build number retrieved from Q1?
Not sure this is what you were asking for, but have you looked into the Artifactory Build Info file?
The Artifactory Jenkins Plugin can collect build information for you and publish that information to the Artifactory server (If you choose to "collect and publish build info").
The build information can then be viewed on the Artifactory server and also fetched using a simple REST call.
HTH,
Or
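The REST path the answer refers to, as an added example that is not part of the thread or of JFrog's own code: the Artifactory Jenkins plugin stamps `build.name` and `build.number` properties on each deployed artifact, so a script can resolve a SNAPSHOT jar to its build via `GET /api/storage/{repo}/{path}?properties` and then read the published build info via `GET /api/build/{name}/{number}` (VCS revision, start time, artifacts). Host, repository path and credentials are placeholders; the two JSON responses are constructed here so the example runs offline, and the `fetch` parameter lets you pass the real HTTP helper instead.

```python
"""Added example (not from the thread): resolve a deployed artifact to its Jenkins
build and summarise the published Artifactory build info for a test report."""
import base64
import json
import urllib.request

# ASSUMPTIONS: placeholder host and credentials; replace with your own.
ARTIFACTORY = "https://artifactory.example.com/artifactory"
AUTH = base64.b64encode(b"user:API_KEY_PLACEHOLDER").decode()


def fetch_json(url):
    """Real GET helper (Basic auth). Swapped for canned payloads in offline use."""
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {AUTH}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def build_ref_for_artifact(repo, path, fetch=fetch_json):
    """Read the build.name / build.number properties the Artifactory Jenkins plugin
    sets on deployed artifacts; None if the artifact was deployed without build info."""
    data = fetch(f"{ARTIFACTORY}/api/storage/{repo}/{path}?properties")
    props = data.get("properties", {})
    try:
        return props["build.name"][0], props["build.number"][0]
    except (KeyError, IndexError):
        return None


def build_report(build_name, build_number, fetch=fetch_json):
    """Summarise the build info JSON for a report. Newer build info carries a 'vcs'
    list, older versions a top-level 'vcsRevision'; both are handled."""
    info = fetch(f"{ARTIFACTORY}/api/build/{build_name}/{build_number}")["buildInfo"]
    vcs = info.get("vcs") or []
    revision = vcs[0].get("revision") if vcs else info.get("vcsRevision")
    artifacts = [a["name"] for m in info.get("modules", []) for a in m.get("artifacts", [])]
    return {
        "build": f"{info['name']}#{info['number']}",
        "started": info.get("started"),
        "revision": revision,
        "artifacts": artifacts,
    }


def report_for_artifact(repo, path, fetch=fetch_json):
    ref = build_ref_for_artifact(repo, path, fetch)
    return None if ref is None else build_report(ref[0], ref[1], fetch)


# Constructed sample responses shaped like the two API replies (offline use only).
_ARTIFACT = "com/acme/app/1.0-SNAPSHOT/app-1.0-SNAPSHOT.jar"
SAMPLE = {
    f"{ARTIFACTORY}/api/storage/libs-snapshot-local/{_ARTIFACT}?properties": {
        "properties": {"build.name": ["app-ci"], "build.number": ["57"],
                       "vcs.revision": ["abc1234"]},
    },
    f"{ARTIFACTORY}/api/build/app-ci/57": {
        "buildInfo": {
            "name": "app-ci", "number": "57",
            "started": "2023-01-01T12:00:00.000+0000",
            "vcs": [{"revision": "abc1234", "url": "https://github.com/acme/app.git"}],
            "modules": [{"id": "com.acme:app:1.0-SNAPSHOT",
                         "artifacts": [{"type": "jar", "name": "app-1.0-SNAPSHOT.jar",
                                        "sha1": "deadbeef"}]}],
        },
    },
}


def offline_fetch(url):
    return SAMPLE[url]


if __name__ == "__main__":
    print(json.dumps(report_for_artifact("libs-snapshot-local", _ARTIFACT, offline_fetch),
                     indent=2))
```

Build info records the VCS revision, not the committer; to name who made the change, resolve the revision in the repository itself (for example `git log -1 <revision>`) and add that to the report.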
I have Laravel 5.3 project files in the development phase, with a long way to go before going live. Now one more developer has joined me on this. I want to share my project via GitHub version control so that we both can work on the same project without any conflicts. Can anyone help me with how to do it?
As of now this is not going to the live server.
I am assuming you know git-branching
Also check this
Git branch strategy for small dev team
I want to enable Sonar with Git, but is it necessary to first pull the project from the Git repository using Hudson or something else, and then Sonar will analyse the code periodically on Hudson? Am I right, meaning my steps are:
1. Pull the project from Git using Hudson.
2. Sonar on Hudson will analyse the code and send the updates?
Or can we use Git+Sonar directly? How does it work? Can anybody guide me to get it working?
Yes, you first need to pull your project from GitHub, and then launch a Sonar analysis on your local copy (Sonar needs the files to exist on the file system to be able to analyse them).
So you can pull your project manually or, obviously, using a CI server like Jenkins/Hudson.
The good news: yesterday (2015-07-08) SonarQube launched a GitHub Plugin. Every time a pull request is submitted, the CI system launches a SonarQube preview analysis.
Reference:
http://www.sonarqube.org/github-pull-request-analysis-helps-fix-the-leak/