mavensecuritydependenciesartifactoryjfrog-xray

JFrog XRay vulnerability analysis - how to find suggested upgrade path


I am working with JFrog XRay, which has scanned our Artifactory and identified a vulnerability in a third party library which is a depdendency of my application.

From the component scan, I click on the CVE number and get this information

**Details**
 Summary [CVE-XXX-YYY] Improper Input Validation
 Type Security
 Severity Critical
 ....
 Infected Component __internal component__
 Source Version 1.2.3 

However there is no suggested "resolution". For example, "upgrade to 1.2.4" or "upgrade to 2.0.1".

Ideally I dont want to have to install all versions of this component and scan them individually.

And in this case the "References" links are not so helpful.

Any advice on the proper workflow to find a safe upgrade to a vulnerable component identified in JFrog Xray would be most helpful here.


Solution

  • The fix version is not always available when a new vulnerability is reported in the NVD, that's why Jfrog Xray does not always show it, in case that the fix version is not available, options are :

    1. if the vulnerable software versions have a range (1.2,1.5] then fixed version can any version before 1.2 include or any version after 1.5

    2. if the vulnerable software versions have an open range above, example (1.2,) then fixed version can any version before 1.2 and include

    3. if the vulnerable software versions have an open range below, example:(,1.2) then fixed version can any version after 1.2 and include

    Note: The best will be to look for the 'fix version' field where it specifies exactly the version that fixes the problem if it's not specified, the above can give guides to some level.

    Jfrog Xray will report 'fix version' only if the information is available on the source (where the vulnerability was reported)