JAS scan - return scanner result when applicability is false #288

Open
yannc21 opened this issue Jan 15, 2025 · 0 comments
Labels
feature request New feature or request

Comments

yannc21 commented Jan 15, 2025

Is your feature request related to a problem? Please describe.
When running `jf docker scan <imageName>:<imageTag> --format=simplejson`, we do get the applicability for a CVE, and when it's false, we might want to return the reason for the "non-applicability".

Describe the solution you'd like to see
Behind the scenes, we're calling the Xray API `GET /api/v1/scan/graph/<scanID>?include_vulnerabilities=true`, which returns a field `info` that we should return as well.

Here is the result of the Xray API:

```json
{
  "artifacts": [
    {
      ...
      "issues": [
        {
          "issue_id": "XRAY-607947",
          ...
          "applicability": [
            {
              "scanner_available": true,
              "component_id": "docker://webapi:1.0.1-alpine",
              "source_comp_id": "alpine://3.8:zlib:1.2.11-r1",
              "cve_id": "CVE-2018-25032",
              "scan_status": 1,
              "applicability": false,
              "scanner_explanation": "<p>The scanner checks whether the vulnerable function <code>deflateInit2</code> is called.</p>",
              "evidence": null,
              "info": "The vulnerable function deflateInit2 is never called",
              "details": null
            }
          ],
```

We could improve the current response of `jf docker scan` with a new attribute called `scannerResult` in `vulnerabilities[*].cves[*].applicability`:

```json
{
  "vulnerabilities": [
    {
      "severity": "High",
      "impactedPackageName": "3.8:zlib",
      "impactedPackageVersion": "1.2.11-r1",
      "impactedPackageType": "Alpine",
      "components": [
        {
          "name": "sha256__d9ff549177a94a413c425ffe14ae1cc0aa254bc9c7df781add08e7d2fba25d27.tar",
          "version": ""
        }
      ],
      "summary": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
      "applicable": "Not Applicable",
      "fixedVersions": [
        "[1.2.11-r4]"
      ],
      "cves": [
        {
          "id": "CVE-2018-25032",
          "cvssV2": "5.0",
          "cvssV3": "7.5",
          "applicability": {
            "status": "Not Applicable",
            "scannerDescription": "The scanner checks whether the vulnerable function `deflateInit2` is called.",
            "scannerResult": "The vulnerable function deflateInit2 is never called"
          }
        }
      ]
    }
  ]
}
```

We would need to update the `Applicability` struct and set the `info` field in `GetCveApplicabilityField()`.

Describe alternatives you've considered
NA

Additional context
NA
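
The mapping the issue proposes, written out as an added example in Go. This is illustration code, not code from jfrog-cli-security or from the issue author: the `xray*` struct names, the `CveApplicabilityFromXray` function, the HTML-to-backtick cleanup of `scanner_explanation` and the embedded sample response are all assumptions, and the second CVE entry in the sample is a constructed placeholder. It decodes the subset of the Xray `scan/graph` response quoted above and emits the `status` / `scannerDescription` / `scannerResult` triple, leaving `scannerResult` out when Xray reports no `info` text.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical subset of the Xray GET /api/v1/scan/graph/<scanID> response.
// JSON keys follow the sample in the issue; the Go type names are assumptions.
type xrayApplicability struct {
	ScannerAvailable   bool   `json:"scanner_available"`
	ComponentID        string `json:"component_id"`
	SourceCompID       string `json:"source_comp_id"`
	CveID              string `json:"cve_id"`
	ScanStatus         int    `json:"scan_status"`
	Applicability      bool   `json:"applicability"`
	ScannerExplanation string `json:"scanner_explanation"`
	Info               string `json:"info"`
}

type xrayIssue struct {
	IssueID       string              `json:"issue_id"`
	Applicability []xrayApplicability `json:"applicability"`
}

type xrayArtifact struct {
	Issues []xrayIssue `json:"issues"`
}

type xrayScanGraphResponse struct {
	Artifacts []xrayArtifact `json:"artifacts"`
}

// CveApplicability is the proposed per-CVE shape for the simplejson output:
// the existing status and scannerDescription plus the requested scannerResult,
// which carries Xray's "info" text and is omitted when Xray sent none.
type CveApplicability struct {
	Status             string `json:"status"`
	ScannerDescription string `json:"scannerDescription"`
	ScannerResult      string `json:"scannerResult,omitempty"`
}

var htmlTag = regexp.MustCompile(`<[^>]+>`)

// scannerDescription turns the HTML scanner_explanation into the plain text
// with backticks that the proposed output shows (assumed cleanup, not the CLI's).
func scannerDescription(explanation string) string {
	s := strings.NewReplacer("<code>", "`", "</code>", "`").Replace(explanation)
	return strings.TrimSpace(htmlTag.ReplaceAllString(s, ""))
}

// applicabilityStatus maps Xray's boolean to the strings simplejson already uses.
func applicabilityStatus(applicable bool) string {
	if applicable {
		return "Applicable"
	}
	return "Not Applicable"
}

// CveApplicabilityFromXray decodes a scan/graph response and returns the
// proposed applicability object for every CVE, keyed by CVE id.
func CveApplicabilityFromXray(raw []byte) (map[string]CveApplicability, error) {
	var resp xrayScanGraphResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decoding xray response: %w", err)
	}
	out := make(map[string]CveApplicability)
	for _, art := range resp.Artifacts {
		for _, issue := range art.Issues {
			for _, a := range issue.Applicability {
				out[a.CveID] = CveApplicability{
					Status:             applicabilityStatus(a.Applicability),
					ScannerDescription: scannerDescription(a.ScannerExplanation),
					ScannerResult:      a.Info, // the field the issue asks to surface
				}
			}
		}
	}
	return out, nil
}

// sampleXrayResponse is a constructed input: the zlib entry copies the issue's
// sample; CVE-0000-0000 is a placeholder showing an applicable finding without "info".
const sampleXrayResponse = `{"artifacts":[{"issues":[{"issue_id":"XRAY-607947","applicability":[
 {"scanner_available":true,"component_id":"docker://webapi:1.0.1-alpine",
  "source_comp_id":"alpine://3.8:zlib:1.2.11-r1","cve_id":"CVE-2018-25032","scan_status":1,
  "applicability":false,
  "scanner_explanation":"<p>The scanner checks whether the vulnerable function <code>deflateInit2</code> is called.</p>",
  "evidence":null,"info":"The vulnerable function deflateInit2 is never called","details":null},
 {"scanner_available":true,"component_id":"docker://webapi:1.0.1-alpine",
  "source_comp_id":"placeholder://pkg:0.0.0","cve_id":"CVE-0000-0000","scan_status":1,
  "applicability":true,"scanner_explanation":"<p>Placeholder explanation.</p>",
  "evidence":null,"info":"","details":null}]}]}]}`

func main() {
	result, err := CveApplicabilityFromXray([]byte(sampleXrayResponse))
	if err != nil {
		panic(err)
	}
	pretty, _ := json.MarshalIndent(result, "", "  ")
	fmt.Println(string(pretty))
}
```

Running it prints the two CVEs; only the "Not Applicable" one carries `scannerResult`, which is the behaviour the issue asks for.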

@yannc21 yannc21 added the feature request New feature or request label Jan 15, 2025
@yannc21 yannc21 changed the title JAS scan - return scanner explanation when applicability is false JAS scan - return scanner result when applicability is false Jan 15, 2025