0
votes

I created a test NuGet package which specifies a dependency on jQuery 1.4.2. XRay correctly detects the security issues on jQuery when uploaded to my Artifactory NuGet server. However, when I upload my test NuGet package which lists jQuery 1.4.2 as a dependency, XRay does not flag my package as vulnerable.

1) Tested that jQuery 1.4.2 Nuget package in my Artifactory server is correctly detected as vulnerable.

2) Added a dependency to my test package that lists jQuery 1.4.2. (I suspected a case-sensitivity issue so I also tried a lowercase dependency as "jquery".)

3) Tried other known vulnerable packages besides jQuery.

<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
<metadata>
    <id>RogerCruz.VulnerabilitiesGalore</id>
    <title>VulnerabilitiesGalore</title>
    <version>1.0.4.0</version>
    <owners>Roger Cruz</owners>
    <authors>Roger Cruz</authors>
    <releaseNotes>A package that depends on known vulnerable packages.  Use this to test vulnerability scanners.</releaseNotes>
    <requireLicenseAcceptance>false</requireLicenseAcceptance>
    <description>Test package with known vulnerabilities</description>
    <copyright>Copyright Roger Cruz</copyright>
    <dependencies>
        <dependency id="jQuery" version="[1.4.2]"/>
    </dependencies>
</metadata>
<files>
</files>
</package>

These are the commands I am using to create my test NuGet package and to push it to the Artifactory+XRay cloud trial instances.

nuget.exe pack VulnerabilitiesGalore.nuspec
nuget push .\RogerCruz.VulnerabilitiesGalore.1.0.4.nupkg -Source Trial

Artifactory reports my test package to have one dependency. You can see the following property when browsing the package.

nuget.dependency  jQuery:[1.4.2]: 

In all of my test tries, XRay is not detecting my test package (RogerCruz.VulnerabilitiesGalore) as vulnerable despite its declared dependency on jQuery 1.4.2, which is vulnerable.

My expectation is that it should have detected it because of this statement:

"Deep Recursive Scan Through All Layers of a NuGet package: Xray recursively peels away the different layers of your NuGet packages and their dependencies ensuring that every software artifact that is included in your software has been scanned for issues and vulnerabilities."

Src: https://jfrog.com/integration/nuget-xray/

1
Which version of Xray have you tried? And give more details about watches and policies; based on that I can tell what is happening.
Tatarao Vana

1 Answer

5
votes

The package RogerCruz.VulnerabilitiesGalore doesn't include jQuery:1.4.2 in it. It's related to it as a direct runtime dependency as shown in the .nuspec descriptor file.

Deep Recursive Scan means the relation of the package physically inside another package. For example: if the RogerCruz.VulnerabilitiesGalore package would include jQuery:1.4.2 in it, then JFrog Xray would detect it as vulnerable and recursively scan it by opening package by package like peeling an onion.

A proper use case in the scenario above is building the RogerCruz.VulnerabilitiesGalore by itself or using it as a dependency of another project. At build time the direct dependency jQuery:1.4.2 will be resolved from the remote repository and JFrog Xray will be able to scan it.

In order to achieve full scanning of NuGet projects and its transitive dependencies, I would recommend building your project with JFrog CLI.

JFrog Xray will know how to analyze the build-info produced by it, scan the project and its dependencies (including transitive ones).
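The question observes that a package declaring a vulnerable dependency is not itself flagged, and the answer explains why: an artifact scanner inspects what is physically inside the .nupkg, while a declared dependency only becomes a concrete, scannable artifact once it is resolved at build time, transitive dependencies included. The following added example (my own code, not part of this thread and not JFrog's or NuGet's) shows what a manifest-level check has to do instead: parse the .nuspec, evaluate NuGet's version-range notation (a bare version is an inclusive minimum, `[1.4.2]` pins one version, `[a,b)` is an interval), resolve declared dependencies transitively against a feed, and match the resolved set against an advisory list. The feed, the extra `Example.Shim` dependency and the `SAMPLE-ADV-1` advisory are constructed placeholders; package ids are compared case-insensitively, as NuGet does, which is why the "jQuery" versus "jquery" spelling tried in the question makes no difference here.

```python
import re
import xml.etree.ElementTree as ET

NS = {"n": "http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd"}


def parse_version(text):
    """Parse a NuGet version ('1.4.2', '1.0.4.0', '2.0.0-beta') into a 4-tuple of
    ints; the pre-release / build-metadata suffix is dropped for this example."""
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def in_range(version, spec):
    """Evaluate NuGet range notation: bare version = inclusive minimum,
    '[x]' = exactly x, '[a,b)' / '(,b]' / '[a,)' = interval forms."""
    if spec is None or not spec.strip():
        return True                       # no constraint: any version matches
    spec = spec.strip()
    v = parse_version(version)
    if spec[0] not in "[(":
        return v >= parse_version(spec)
    lo_inc, hi_inc = spec[0] == "[", spec[-1] == "]"
    inner = spec[1:-1]
    if "," not in inner:
        return v == parse_version(inner)  # '[1.4.2]' pins a single version
    lo, hi = (s.strip() for s in inner.split(",", 1))
    if lo:
        lv = parse_version(lo)
        if v < lv or (v == lv and not lo_inc):
            return False
    if hi:
        hv = parse_version(hi)
        if v > hv or (v == hv and not hi_inc):
            return False
    return True


def declared_dependencies(nuspec_xml):
    """Return (id, version, [(dep_id, range_spec), ...]) from .nuspec text;
    dependencies nested inside <group targetFramework=...> are included."""
    meta = ET.fromstring(nuspec_xml).find("n:metadata", NS)
    deps = [(d.get("id"), d.get("version"))
            for d in meta.iterfind(".//n:dependency", NS)]
    return (meta.findtext("n:id", namespaces=NS),
            meta.findtext("n:version", namespaces=NS), deps)


def _nuspec(pkg_id, version, deps):
    """Build a minimal constructed .nuspec string for the sample feed below."""
    dep_xml = "".join(f'<dependency id="{i}" version="{r}"/>' for i, r in deps)
    return (f'<package xmlns="{NS["n"]}"><metadata><id>{pkg_id}</id>'
            f'<version>{version}</version><dependencies>{dep_xml}</dependencies>'
            f'</metadata></package>')


# Constructed sample feed: lower-cased package id -> {version: nuspec text}.
# Example.Shim is a made-up package that itself depends on jQuery.
SAMPLE_FEED = {
    "jquery": {"1.4.2": _nuspec("jQuery", "1.4.2", []),
               "1.9.1": _nuspec("jQuery", "1.9.1", [])},
    "example.shim": {"2.0.0": _nuspec("Example.Shim", "2.0.0", [("jquery", "[1.4.0,1.5.0)")]),
                     "2.1.0": _nuspec("Example.Shim", "2.1.0", [("jquery", "[1.9.0,)")])},
}

# Constructed advisory list: (lower-cased id, affected range, placeholder label).
SAMPLE_ADVISORIES = [("jquery", "(,1.6.3)", "SAMPLE-ADV-1")]

# Constructed root manifest modelled on the one in the question, with one extra
# constructed dependency (Example.Shim) to exercise transitive resolution.
ROOT_NUSPEC = """<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
  <metadata>
    <id>RogerCruz.VulnerabilitiesGalore</id>
    <version>1.0.4</version>
    <dependencies>
      <dependency id="jQuery" version="[1.4.2]"/>
      <dependency id="Example.Shim" version="2.0.0"/>
    </dependencies>
  </metadata>
</package>"""


def resolve(feed, nuspec_xml, resolved=None):
    """Walk declared dependencies transitively, choosing the lowest feed version
    that satisfies each range (NuGet's default lowest-applicable rule).
    Unresolvable dependencies are recorded with version None."""
    resolved = {} if resolved is None else resolved
    pkg_id, version, deps = declared_dependencies(nuspec_xml)
    resolved[pkg_id.lower()] = version
    for dep_id, spec in deps:
        key = dep_id.lower()              # NuGet ids are case-insensitive
        if key in resolved:
            continue
        candidates = sorted(feed.get(key, {}), key=parse_version)
        match = next((c for c in candidates if in_range(c, spec)), None)
        if match is None:
            resolved[key] = None
            continue
        resolve(feed, feed[key][match], resolved)
    return resolved


def scan_manifest(nuspec_xml, feed, advisories):
    """Resolve the manifest's dependency closure and report (id, version, label)
    for every resolved package that falls inside an advisory's affected range."""
    resolved = resolve(feed, nuspec_xml)
    return sorted((pkg, ver, label)
                  for pkg, ver in resolved.items() if ver is not None
                  for adv_id, spec, label in advisories
                  if adv_id == pkg and in_range(ver, spec))


if __name__ == "__main__":
    for finding in scan_manifest(ROOT_NUSPEC, SAMPLE_FEED, SAMPLE_ADVISORIES):
        print("affected dependency:", finding)
```

Running it reports jQuery 1.4.2 as an affected dependency of the root manifest even though no jQuery file is inside the package, which is exactly the gap between the manifest view and the artifact-contents view discussed in this thread. Feeding the resolver the lock-file or build-info that a real restore produces, rather than a hand-written feed, is the equivalent of the build-time scanning the answer recommends.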