
I am using JFrog Xray to scan for security issues in my project. There is a critical-level vulnerability issue, CVE-2016-1000027, that needs to be resolved, but I want JFrog to ignore this vulnerability when Xray scans. Does anyone know how to ignore it? Thanks.

Einz (edited by Eldad Assis)

2 Answers


Please follow the official JFrog Xray Ignore Rules. It has details on this.

Note that an ignore rule should be a temporary flag until a resolution is found. Keep your software safe!

Eldad Assis
  • I connected with the IT team; this solution applies to violation issues. This issue is from the security tab, and it does not allow ignoring any issues. – Einz Jul 19 '22 at 07:52
  • We have a similar requirement. There can always be reasons why ignoring a vulnerability can make sense (vulnerable functionality not exposed to the outside but cannot be removed internally, issue mitigated in some other way, etc.). It seems one needs to click through the Artifactory GUI in order to configure such a whitelist. This is a disruption of the GitOps workflow and something we would strongly like to avoid. – Alexander Stumpf Aug 29 '23 at 15:24

Xray does not offer the option to ignore Issues. It allows you to ignore Violations.

The logic goes somewhat like this:

  • The dependency you are using has Security Issues. Assuming no false positives, this is a fact. It does not make sense to ignore an issue because an issue by itself does not change the behavior of Artifactory/Xray in any way, so there is no reason to ignore it.
  • Security Issues are then used by the Policies you set up. These Policies determine how the behavior should change when an issue is encountered. You could make an argument that ignoring a policy violation might make sense at first glance, but again, a Policy doesn't yet do anything, so there is nothing to ignore.
  • Then there are Watches. Basically, a Watch takes a Policy and applies it to a repository, or build, or bundle. This is what finally changes the behavior (probably blocking a Download or similar), and you can choose to ignore violations for one or all Watches at once.

So now that we have these building blocks you will see why ignoring an Issue makes little sense because it can be used in different contexts and hiding it will "lie" to the user. Even if you determine the Issue is a false positive, does not apply to you or is impossible to circumvent (maybe there is no fix yet, or the latest version breaks your project and you need to release it right now), that does not change the fact that there is a Security Issue present. It makes far more sense to ignore the Violation because that is really what you are doing - you aren't saying "I'm just gonna ignore this issue exists", you are saying "I accept this issue exists, but choose to ignore that it violates the rules I set in place".

TL;DR: No, you cannot ignore a Security Issue. But you probably don't want to anyway.

MrThaler
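Both answers point the same way: you do not hide the issue, you create an ignore rule that silences the violation a specific Watch raises, and you make it temporary. The following is an added example (not code from the question, either answer, or JFrog) that builds such a rule as narrowly as possible (one CVE, one Watch, one component version), refuses to create it without an expiry date and a justification, and submits it through the Xray REST API instead of the GUI, which also addresses the GitOps concern in the last comment. It assumes the Ignore Rules endpoint `POST /xray/api/v1/ignore_rules`, the filter field names `cves`, `watches` and `components`, and Bearer-token authentication, as documented for Xray 3.x; check these against the documentation for your Xray version. The Watch name, component, version and note text are hypothetical placeholders.

```python
"""Create a temporary, narrowly scoped JFrog Xray ignore rule for one CVE.

Added example, not code from the question, the answers or JFrog. Assumes the
Xray 3.x Ignore Rules REST API (POST /xray/api/v1/ignore_rules) with filter
keys "cves", "watches" and "components", and Bearer-token auth; verify against
the docs for your Xray version.
"""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# CVE identifiers: "CVE-<year>-<4 or more digits>"
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def expiry_in_days(days, now=None):
    """Return an RFC 3339 UTC timestamp `days` from `now` (default: current time)."""
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_ignore_rule(cve, watch, component, version, notes, expires_at):
    """Build the JSON body for an ignore rule scoped to one CVE, Watch and component.

    The rule silences only the violation that `watch` raises for `cve` in this
    component/version; the issue itself stays visible in scan results. An expiry
    and a written justification are mandatory here so the rule cannot become a
    permanent, undocumented blind spot.
    """
    if not CVE_RE.match(cve):
        raise ValueError(f"not a CVE identifier: {cve!r}")
    if not expires_at:
        raise ValueError("ignore rules must carry an expiry date")
    if not notes or not notes.strip():
        raise ValueError("record why the violation is being accepted")
    return {
        "notes": notes.strip(),
        "expires_at": expires_at,
        "ignore_filters": {
            "cves": [cve],
            "watches": [watch],
            "components": [{"name": component, "version": version}],
        },
    }


def submit_ignore_rule(base_url, token, rule, opener=urllib.request.urlopen):
    """POST the rule to Xray and return the decoded JSON response.

    `opener` is injectable so the call can be exercised offline; in production
    leave it at the default and the real urllib opener is used.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/xray/api/v1/ignore_rules",
        data=json.dumps(rule).encode("utf-8"),
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",
        },
        method="POST",
    )
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # All values below are hypothetical placeholders.
    rule = build_ignore_rule(
        cve="CVE-2016-1000027",
        watch="prod-maven-watch",
        component="gav://org.springframework:spring-web",
        version="5.3.20",
        notes="Vulnerable remoting endpoints are not exposed; tracked in the change ticket.",
        expires_at=expiry_in_days(30),
    )
    print(json.dumps(rule, indent=2))
    # Uncomment with a real host and access token to apply the rule:
    # print(submit_ignore_rule("https://example.jfrog.io", "<access token>", rule))
```

Keeping the rule in version control and applying it from a pipeline step gives an auditable record of what was accepted, by whom, and until when; when the expiry passes, the Watch starts raising the violation again, which is the intended reminder to revisit the decision.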