jfrog-cli: XRay doesn't scan dependencies in NPM builds

I’m trying to integrate the build scan feature into CI for our npm-based projects. Here are the steps in my pipeline:

script:
    - curl -fL https://install-cli.jfrog.io | sh
    - CI=true jf config add my-server --url https://my-server.jfrog.io --user ${ARTIFACTORY_USERNAME} --password ${ARTIFACTORY_PASSWORD}
    - jf npm-config --server-id-resolve my-server --server-id-deploy my-server --repo-resolve npm-local --repo-deploy npm-local
    - npm install
    - jf npm install --build-name=my-build --build-number=$CI_COMMIT_SHORT_SHA
    - jf npm publish --build-name=my-build --build-number=$CI_COMMIT_SHORT_SHA
    - jf rt build-publish my-build $CI_COMMIT_SHORT_SHA
    - jf build-scan my-build $CI_COMMIT_SHORT_SHA

I have to do a plain npm install first to pull dependencies from the public registry (registry.npmjs.org), because my Artifactory repo is empty and jf npm install fails with a 404 error.

All my dependencies are listed in the package.json file, and if I run npm audit it says that I have some vulnerabilities. However, when I publish the build to Artifactory and scan it with XRay, no vulnerabilities/licenses are found. It looks like XRay doesn’t scan dependencies.

Is it because I download dependencies from public registry? How can I manage to scan dependencies in this case?

About this issue

  • State: open
  • Created a year ago
  • Comments: 23 (9 by maintainers)

Most upvoted comments

Resurrecting this thread a bit - have experienced pretty much the same thing as the above commenters, so I put together a very limited build & package.json with an intentional vulnerability, as derived & isolated from a larger application.

Here’s the package.json:

{
  "name": "intentionally-vulnerable-app",
  "version": "1.0.1",
  "description": "An intentionally vulnerable app",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "unset-value": "^1.0.0"
  }
}

Here’s the npm ls --all:

intentionally-vulnerable-app@1.0.1 <path to repo>
└─┬ unset-value@1.0.0
  ├─┬ has-value@0.3.1
  │ ├── get-value@2.0.6
  │ ├── has-values@0.1.4
  │ └─┬ isobject@2.1.0
  │   └── isarray@1.0.0
  └── isobject@3.0.1

Here’s the application logic, written based on the CVE documentation given with the JSON output from jf audit:

const unset = require('unset-value');
// Property path to remove is taken from the command line, so it is caller-controlled.
const evilprop = process.argv[2];
// Target object whose state we inspect afterwards (the original snippet passed a
// fresh {} to unset() and then logged x, so x never changed).
const x = {};
unset(x, evilprop);
console.log(x);

Here’s the jf audit results:

| SEVERITY    | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCY | DIRECT DEPENDENCY VERSION | IMPACTED DEPENDENCY NAME | IMPACTED DEPENDENCY VERSION | FIXED VERSIONS | TYPE | CVE |
|-------------|---------------------|-------------------|---------------------------|--------------------------|-----------------------------|----------------|------|-----|
| 💀 Critical | Undetermined        | unset-value       | 1.0.0                     | unset-value              | 1.0.0                       | [2.0.1]        | npm  |     |

Here’s the XRay dashboard for the build results:

[Screenshot of the XRay dashboard for the build results, taken 2023-06-22]

Here’s the build & publish steps I’ve used on the CLI:

$ buildnumber=$(git rev-parse HEAD | cut -c 1-7); \
> buildname=vuln-build; \
> jf npm install --build-name=$buildname --build-number=$buildnumber; \
> jf npm publish --build-name=$buildname --build-number=$buildnumber; \
> jf rt bp $buildname $buildnumber; \
> jf bs $buildname $buildnumber --vuln

And here’s the final output from the jf bs $buildname $buildnumber --vuln:

12:47:51 [🔵Info] Scan of build vuln-build is in progress
12:47:51 [🔵Info] Waiting for Build Scan to complete...
12:47:52 [🔵Info] The scan data is available at: <build-link>

💬 The full scan results are available here:
<tmp-folder>

┌───────────────────────────────────┐
│ No security violations were found │
└───────────────────────────────────┘
┌─────────────────────────────────────────────┐
│ No license compliance violations were found │
└─────────────────────────────────────────────┘

💬 The full scan results are available here:
<tmp-folder>

┌─────────────────────────────────────┐
│ ✨ No vulnerabilities were found ✨ │
└─────────────────────────────────────┘

I’ve also got XRay watches & policies set up to index this build and flag anything with Medium or higher severity, and fail anything with High severity or higher.
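Both the pipeline in the question and the repro above end with `jf rt build-publish` followed by a build scan that reports nothing, while `npm audit` / `jf audit` flag the same tree locally. The first thing worth ruling out is whether the published build-info actually records any dependencies at all, since the build scan works from that document rather than from node_modules. The script below is an added example, not part of this issue or of jfrog-cli: it parses a build-info JSON and reports per-module artifact and dependency counts. It assumes the Artifactory endpoint `GET api/build/<name>/<number>` returns `{"buildInfo": {"modules": [{"id", "artifacts", "dependencies"}]}}`; the two sample documents are constructed to mirror the npm repro, and the `fetch_build_info` helper (which shells out to `jf rt curl`) is an assumption about how you would obtain the real document and is not exercised offline.

```python
"""Added example: check whether a published build-info lists dependencies.

Xray's build scan matches the dependency ids recorded in the build-info
against its database; a module whose "dependencies" list is empty yields
"No vulnerabilities were found" no matter what npm audit reports locally.
"""
import json
import subprocess
from typing import Any, Dict

# Constructed sample: module published, but no dependencies recorded
# (the symptom described in this thread).
SAMPLE_EMPTY_DEPS = json.dumps({
    "buildInfo": {
        "name": "vuln-build",
        "number": "abc1234",
        "modules": [{
            "id": "npm:intentionally-vulnerable-app:1.0.1",
            "artifacts": [{"name": "intentionally-vulnerable-app-1.0.1.tgz", "type": "tgz"}],
            "dependencies": [],
        }],
    }
})

# Constructed sample: the same build with the dependencies from the
# `npm ls --all` tree captured, which is what a scannable build-info looks like.
SAMPLE_WITH_DEPS = json.dumps({
    "buildInfo": {
        "name": "vuln-build",
        "number": "abc1235",
        "modules": [{
            "id": "npm:intentionally-vulnerable-app:1.0.1",
            "artifacts": [{"name": "intentionally-vulnerable-app-1.0.1.tgz", "type": "tgz"}],
            "dependencies": [
                {"id": "unset-value:1.0.0", "type": "npm", "scopes": ["prod"]},
                {"id": "has-value:0.3.1", "type": "npm", "scopes": ["prod"]},
                {"id": "get-value:2.0.6", "type": "npm", "scopes": ["prod"]},
                {"id": "has-values:0.1.4", "type": "npm", "scopes": ["prod"]},
                {"id": "isobject:2.1.0", "type": "npm", "scopes": ["prod"]},
                {"id": "isarray:1.0.0", "type": "npm", "scopes": ["prod"]},
                {"id": "isobject:3.0.1", "type": "npm", "scopes": ["prod"]},
            ],
        }],
    }
})


def summarize_build_info(raw: str) -> Dict[str, Any]:
    """Return per-module artifact/dependency counts plus an overall verdict."""
    doc = json.loads(raw)
    info = doc.get("buildInfo", doc)  # tolerate a bare buildInfo object too
    modules = []
    for mod in info.get("modules", []):
        deps = mod.get("dependencies") or []
        modules.append({
            "id": mod.get("id", "<unnamed module>"),
            "artifacts": len(mod.get("artifacts") or []),
            "dependencies": len(deps),
            "dependency_ids": sorted(d.get("id", "") for d in deps),
        })
    total_deps = sum(m["dependencies"] for m in modules)
    return {
        "build": f'{info.get("name", "?")}/{info.get("number", "?")}',
        "modules": modules,
        "total_dependencies": total_deps,
        # Nothing recorded means Xray has nothing to match against its database.
        "scannable": total_deps > 0,
    }


def fetch_build_info(build_name: str, build_number: str, server_id: str) -> str:
    """Assumption: obtain the published build-info via `jf rt curl` (not run offline)."""
    cmd = ["jf", "rt", "curl", "-XGET", f"api/build/{build_name}/{build_number}",
           "--server-id", server_id]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def report(raw: str) -> str:
    """Human-readable summary suitable for a CI log."""
    s = summarize_build_info(raw)
    lines = [f"build-info {s['build']}:"]
    for m in s["modules"]:
        lines.append(f"  {m['id']}: {m['artifacts']} artifact(s), {m['dependencies']} dependency(ies)")
    if not s["scannable"]:
        lines.append("  WARNING: no dependencies recorded, so the Xray build scan has nothing to "
                     "report for them; confirm the packages were resolvable from the configured "
                     "resolve repo when `jf npm install` ran.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EMPTY_DEPS))
    print(report(SAMPLE_WITH_DEPS))
```

Run it against the real document with `report(fetch_build_info("my-build", build_number, "my-server"))` in a CI step right after `jf rt build-publish`; a WARNING there distinguishes "build-info never captured the tree" from "Xray did not flag what it was given", which are two different problems to take to support.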

Just to let you know, you can add JFROG_CLI_LOG_LEVEL in the Azure DevOps variables section: [Screenshot of the Azure DevOps variables section, taken 2023-04-27]

And yeah, you should always use the = when wrapping npm (or other build tools) with jfrog cli tasks, so --loglevel=verbose is the right way here.