I am using JFrog Xray to scan for security issues in my project. There is a vulnerability issue, CVE-2016-1000027, with critical level that needs to be resolved. But I want JFrog to ignore this vulnerability issue when Xray scans.
Does anyone know how to help me ignore it?
Thanks.
Please follow the official JFrog Xray Ignore Rules. It has details on this.
Note that an ignore rule should be a temporary flag until a resolution is found. Keep your software safe!
I am trying to configure dependabot.yml to get security updates for GitHub Actions.
I followed the Configuring Dependabot security updates documentation. During the configuration I had the following issues:
I did not understand if I need to enable in Code security and analysis the Dependabot alerts and Dependabot security updates along with creating the dependabot.yml.
I did not understand why Dependabot was not able to identify the security vulnerability in my action. I am testing with some-natalie/ghas-to-csv#v1 action, which has a GHSA.
I did not understand from About Dependabot security updates documentation what is the frequency that the vulnerabilities are checked and turned into alerts / PRs.
Perhaps the configuration did not work (yet) because Dependabot has not even identified the vulnerability, therefore has not created the updating PR.
Can you help me understand why my configuration is not working? Or whether it's not supported?
All Dependabot features build on top of the Software Composition Analysis feature (first button to enable in that list) and that is the reason why that needs to be enabled.
It then checks ONLY the dependencies of your repo that it finds through parsing the manifest files in the repo.
For security alerts and PRs you do not need to commit a Dependabot.yml file. That file is only needed for version updates.
Lastly, Dependabot does not check for security vulnerabilities in your code, only in dependencies! If you want to run static code analysis on your own code, you can try CodeQL and other SAST tools (static code analysis tools).
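As an added example (not part of the answer above), this is a dependabot.yml that enables Dependabot version updates for the actions referenced in a repository's workflow files; as the answer explains, security alerts and security updates are switched on separately under the repository's Code security and analysis settings and do not need this file. The schedule interval and pull-request limit are assumed values.

```yaml
# .github/dependabot.yml (added example; values are assumed, adjust to taste)
version: 2
updates:
  # The "github-actions" ecosystem covers `uses:` references in .github/workflows/.
  # directory "/" is the documented value for GitHub Actions; Dependabot looks
  # in .github/workflows relative to it.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # How often Dependabot looks for newer action versions (version updates).
      interval: "weekly"
    # Cap on concurrently open version-update PRs from Dependabot.
    open-pull-requests-limit: 5
    # Group all action bumps into a single PR to reduce review noise.
    groups:
      actions:
        patterns:
          - "*"
```

Commit the file at `.github/dependabot.yml`; version-update PRs will then bump pinned action references (such as the `some-natalie/ghas-to-csv#v1` mentioned above) when a newer tag is published, while security alerts still depend on the Dependabot alerts toggle in the repository settings.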
The team is fixing the issues in SonarQube for each scan. Is there any possibility to create the bugs automatically in ADO from the Sonar issues? Here we would like to validate whether the team has fixed the issues or not, and whether any new issues arise for every scan in the Azure pipeline.
We just want to track the work in ADO automatically, not via a manual approach. If there is any possibility, please help with the steps to perform.
Regards,
Mohan
JFrog Xray is not detecting CVE-2022-21724 for the PostgreSQL jar. In our application we are using postgresql-42.2.18.jar, and the above CVE is not being detected.
Thanks and Regards,
S Sathish
I have deployed the same artifact in Artifactory and scanned it with Xray. I was able to see the mentioned CVE in it. Kindly make sure that the Xray database sync is up to date. After that, select the artifact, click on "Scan for violations" in the Actions tab, and share the screenshot here.
Good Morning all,
Anyone using JFrog here?
I need some basic guidance on how to scan a repository with Xray. It's currently returning zero violations, but I'm not sure if it is even scanning at all.
Please check the points below and make sure you have configured them in Xray.
Xray DB sync is up to date. Link for more details: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray#ConfiguringXray-SynchronizingtheDatabase
Indexing of repositories/builds is enabled. Link for more details: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray#ConfiguringXray-IndexingResources
Watches and policies are created and configured for the Artifactory repository or build. Link for more details: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray#ConfiguringXray-CreatingWatchesandPolicies
Below are the video links for creating Watches and policies.
https://www.youtube.com/watch?v=yfoBmuaRkGI
https://www.youtube.com/watch?v=88hwwMJsS58
I hope the above information will be helpful to configure Xray for the repository or build and check for violations.
I managed to make SonarCloud inspect internal pull requests and write comments on each line where issues are found (https://docs.travis-ci.com/user/sonarcloud/#Activation-for-internal-pull-requests).
The SonarQube GitHub plugin (https://docs.sonarqube.org/display/PLUG/GitHub+Plugin) makes the PR fail if there's a critical or blocker issue:
if no blocker or critical issues were found, the check is green;
otherwise it is red to raise attention.
I'd like to make the check red even for issues with lower severity (e.g., "major"), but I found no setting...
Is that possible at all?
Thanks in advance.
Unfortunately, the GitHub Plugin does not have such a feature.