kavya

Reputation: 11

Jfrog Xray Reports

1. Is Xray report generation possible using API calls at the desired page in JFrog Artifactory?

2. Scenario: The application dev team uploads the build/repository of their application into JFrog Artifactory and Xray scans it automatically. Suppose we find vulnerable JARs in a particular build. Question: can we correlate the vulnerable JARs to the respective builds and dependent builds and extract the same information in the report? For example: vulnerable JAR 'X' is used by build1, but Artifactory contains N builds. Can we fetch the information if the same vulnerable JAR 'X' is used by multiple other builds present in Artifactory? And is there any other way to intimate the build owners about this vulnerable JAR 'X', which might be used in their application or build?

Upvotes: 0

Views: 780

Answers (2)

shaibz

Reputation: 307

  1. Yes - this is documented in the Xray REST API documentation under the Reports section.
  2. Yes, this is also specified in the Reports documentation; you can define the required scope and select multiple builds or repositories. As for notifying build owners - this can be done by creating a rule for the policy that contains an automatic action with the ability to inform the deployer and the watch recipients. This is triggered when there is a violation of the policy (which was previously created): Xray will generate a violation (for example, jar X contains a vulnerability with severity high and it does not meet the policy), and then Xray will generate notifications. See relevant documentation.

Upvotes: 0

Yuvarajan

Reputation: 470

Please find the answers to your queries below.

  1. Yes, the report generation is possible through API calls made against the Xray service. [Xray REST API - Reports]
  2. For the collection of data in accordance with the scenarios described in the second query, I believe this API call would be helpful.

Upvotes: 0
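The correlation asked about in the question (which other builds carry vulnerable JAR 'X'), as an added example that is not part of the answers above or JFrog's own code. It inverts report rows into a component-to-builds index; the rows are constructed, and the field names `vulnerable_component`, `impacted_artifact` and `severity` are assumptions about the exported report's row shape to check against the Reports documentation.

```python
from collections import defaultdict

# Assumed severity labels, ranked so rows can be filtered by a minimum level.
SEVERITY_ORDER = {"Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample rows standing in for an exported vulnerabilities report
# scoped to several builds. Field names and value formats are assumptions.
ROWS = [
    {"vulnerable_component": "gav://org.example:x:1.0.0",
     "impacted_artifact": "build://build1:12", "severity": "High"},
    {"vulnerable_component": "gav://org.example:x:1.0.0",
     "impacted_artifact": "build://build2:7", "severity": "Critical"},
    # Same jar and build reported again under a second issue: must not double count.
    {"vulnerable_component": "gav://org.example:x:1.0.0",
     "impacted_artifact": "build://build1:12", "severity": "High"},
    {"vulnerable_component": "gav://org.example:y:2.3.1",
     "impacted_artifact": "build://build3:3", "severity": "Low"},
    {"vulnerable_component": "gav://org.example:z:0.9.0",
     "impacted_artifact": "build://build2:7", "severity": "High"},
]


def builds_by_component(rows, min_severity="High"):
    """Map each vulnerable component to the builds it appears in."""
    floor = SEVERITY_ORDER[min_severity]
    index = defaultdict(lambda: {"builds": set(), "severity": "Unknown"})
    for row in rows:
        severity = row.get("severity", "Unknown")
        rank = SEVERITY_ORDER.get(severity, 0)
        component = row.get("vulnerable_component")
        build = row.get("impacted_artifact")
        if rank < floor or not component or not build:
            continue  # below threshold, or a malformed row
        entry = index[component]
        entry["builds"].add(build)
        if rank > SEVERITY_ORDER[entry["severity"]]:
            entry["severity"] = severity  # keep the worst severity seen
    return {c: {"builds": sorted(e["builds"]), "severity": e["severity"]}
            for c, e in index.items()}


def shared_components(rows, min_severity="High"):
    """Components present in more than one build: the owners to notify."""
    return {c: e for c, e in builds_by_component(rows, min_severity).items()
            if len(e["builds"]) > 1}


if __name__ == "__main__":
    for component, entry in shared_components(ROWS).items():
        print(component, entry["severity"], entry["builds"])
```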
