
I use JFrog XRay v1.10.1 with Artifactory v5.2.1 (both PRO versions).

I cannot find in the XRay documentation (or on Google) how XRay automatically re-scans artifacts that have not changed in Artifactory when the vulnerabilities database is updated.

What is the re-scan policy followed by XRay?

Thanks in advance :)

1 Answer


Xray keeps a graph of all the scanned components and the relationships between them, for example if a certain Java library is part of a war file.
When a new vulnerability is added to the database, Xray will check if the affected component appears in the dependency graph and, if so, will check how it impacts the rest of the graph. For example, if a Debian package inside a Docker image is found to be affected, Xray will also mark the Docker image as impacted. This is called impact analysis in Xray terminology.
This is explained in the documentation in the watches section.
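To make the impact-analysis idea from the answer concrete, here is an added example (my own illustration, not JFrog's code and not how Xray is actually implemented) that models a containment graph of scanned components and, given a newly published vulnerability, walks the graph upward to find every artifact that includes an affected component. The component IDs, the graph and the vulnerability ID are all constructed for the example.

```python
from collections import defaultdict

# Constructed containment graph (hypothetical IDs, not real Xray data):
# parent component -> list of components it directly contains.
COMPONENT_GRAPH = {
    "docker://app-image:1.0": ["deb://libssl:1.1.0", "war://app.war"],
    "war://app.war": ["jar://log-lib:2.0", "jar://json-lib:1.3"],
    "docker://other-image:2.0": ["deb://libssl:1.1.0"],
    "deb://libssl:1.1.0": [],
    "jar://log-lib:2.0": [],
    "jar://json-lib:1.3": [],
}


def build_parent_index(graph):
    """Invert the containment graph: child -> set of parents that include it."""
    parents = defaultdict(set)
    for parent, children in graph.items():
        for child in children:
            parents[child].add(parent)
    return parents


def known_components(graph):
    """Every component ID that appears anywhere in the graph (as parent or child)."""
    known = set(graph)
    for children in graph.values():
        known.update(children)
    return known


def impact_analysis(graph, vuln_id, affected_components):
    """
    Compute what a newly published vulnerability touches without re-scanning:
      'direct'   - listed affected components that actually exist in the graph
      'impacted' - every ancestor (transitively) that contains a direct hit,
                   e.g. the Docker image wrapping an affected Debian package.
    Components not present in the graph are simply ignored.
    """
    parents = build_parent_index(graph)
    known = known_components(graph)
    direct = {c for c in affected_components if c in known}

    impacted = set()
    stack = list(direct)
    while stack:
        component = stack.pop()
        for parent in parents.get(component, ()):
            if parent not in impacted:        # guards against revisiting shared parents
                impacted.add(parent)
                stack.append(parent)

    return {"vulnerability": vuln_id, "direct": direct, "impacted": impacted}


if __name__ == "__main__":
    # Hypothetical database update: one known component and one the graph has never seen.
    result = impact_analysis(
        COMPONENT_GRAPH,
        "EXAMPLE-VULN-0001",
        ["deb://libssl:1.1.0", "npm://not-here:0.1"],
    )
    print("directly affected:", sorted(result["direct"]))
    print("impacted by containment:", sorted(result["impacted"]))
```

The point of keeping the reverse (child-to-parent) index is that a database update only needs to look up the newly affected components and walk upward; nothing in Artifactory has to be downloaded or scanned again, which matches the behaviour the answer describes.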