JFrog Xray Support

When a "latest version" is detected, its artifact ID and file path are recorded and used as a filter on the list of vulnerabilities in the JFrog Xray report.

When using the contents of the Xray report to detect the most recent version, SRM will take each affected artifact ID and split it on its last : (colon) character. Text up to this character will be used as the package ID, and text after that character will be used as the package version.

SRM will take each artifact ID, its file path, and scan time for the artifact, and group this information together based on the parsed package ID. For each group, the entry with the most recent scan time will be used as the "latest version" for the given package ID.

When using the Active Search method, SRM will use the Scans List - Get Package Versions API to find the most recent version for each affected artifact. This requires detecting the correct package ID for the artifact, which is the most time-intensive part of this process.

For each file name found in the JFrog Xray report, SRM will make a request to the Scans List - Get Artifacts API, filtering to the file name and a creation time of ±1 hour of its scan date. If an entry is found with a matching file path, it will be associated with the entry's packageId for later reference.

For any artifacts whose package ID was not resolved, SRM will create a set of "candidate" package IDs based on the artifact ID. While JFrog artifact IDs do have a standard format, it's not guaranteed that the IDs will be "fully formed." For example, there may be an RPM artifact with an artifact ID of rpm://7:rpm-python:7:4.11.3-43.el7, or it may present the artifact as rpm://rpm-python:4.11.3-43.el7 depending on the Artifactory configuration. The candidate package IDs for an artifact ID will be permutations of a subset of the artifact ID, for example 7:rpm-python:7, rpm-python:7, rpm-python.

SRM combines the list of known package IDs and candidate IDs and uses the Get Package Versions API for each package ID. SRM collects pages of package versions and, for each artifact associated with the tested package ID, checks for an API response which matches the artifact ID and file path. This ensures that SRM is reading from the correct list of package versions for a given artifact. SRM will collect these pages until all associated artifacts are resolved, or the received versions are older than the oldest artifact associated with the tested package ID. For artifacts that were matched, their latest version is set to the most recent entry from the beginning of the list of versions provided by the JFrog Xray API.

SRM continues querying for package versions of each potential package ID, updating its list of associated unresolved artifacts, until a latest version is discovered for all artifacts or all options are exhausted. For remaining artifacts that have a known package ID but an unresolved version, SRM uses the scan date from the JFrog Xray report to find the most recent version. For artifacts with an unresolved version and do not have a known package ID, their results will be included without filtering.

This process gives SRM an updated list of "latest artifacts" to filter by. SRM then reads the JFrog Xray report and only ingests results for artifacts whose artifact ID and file path exist in this list.