Each descriptor file (e.g., pom.xml for Maven, go.mod for Go) contains its vulnerable dependencies.
- Right-click a dependency to:
  - Jump to its declaration in the descriptor file.
  - Upgrade it to a fixed version (if available).
  - Create an Ignore Rule in Xray (requires a JFrog Project or Watch).
- To view the details of a vulnerability, select one from the list. Vulnerability details include:
  - Vulnerable component information.
  - Fixed versions.
  - Impact paths and more.
CVEs Contextual Analysis
Requires Xray 3.66.5+ and an Enterprise X/Enterprise+ subscription with Advanced DevSecOps.
- Automatically validates high-impact vulnerabilities.
- Provides contextual analysis data, including:
  - Status – Indicates whether a CVE is applicable.
  - Breakdown – Explains why a CVE is applicable or not.
  - Remediation – Offers mitigation steps from JFrog's research team.
Secrets Detection
Detects secrets exposed in the code to prevent leaks of internal tokens or credentials.
Requires Xray 3.66.5+ and an Enterprise X/Enterprise+ subscription with Advanced DevSecOps.
- To ignore detected secrets, add a comment above the line with the secret:

```
// jfrog-ignore
```
Infrastructure as Code (IaC) Scanning
Requires Xray 3.66.5+ and an Enterprise X/Enterprise+ subscription with Advanced DevSecOps.
- Scans Terraform files for cloud and infrastructure misconfigurations.