This plugin uses Xray to check whether any artifacts on a specific environment (JFrog Platform instance) are impacted by a given issue.
It requires the artifacts to be already indexed by Xray.
Installing the latest version:
$ jf plugin install cve-impact-check
Installing a specific version:
$ jf plugin install cve-impact-check@version
Uninstalling the plugin:
$ jf plugin uninstall cve-impact-check
If this is your first use of JFrog CLI, you will need to set up the Artifactory and Xray connection with the following command:
$ jf c add
- check
  - Arguments:
    - issue_id - The CVE or XRAY ID of the issue.
  - Flags:
    - export-impacted-artifacts: Generate a report of the impacted artifacts [Default: false]
    - repositories: Comma separated list of repositories to check in [Mandatory when exporting impacted artifacts]
    - output: The destination output file [Default: out.json]
    - server-id: The Server to connect to [Default: DEFAULT SERVER]
  - Example:
    $ jf cve-impact-check check CVE-2021-44228 --export-impacted-artifacts --repositories default-maven-local
    [Info] Checking connection to xray server...
    [Info] Checking impacted components...
    [Warn] *** Affected components in the system ***
    [Warn] Maven://org.apache.logging.log4j:log4j-core:2.14.1
    [Warn] *****************************************
    [Info] Creating a vulnerability report...
    [Info] Report created. Name=CVE-2021-44228_3281ab81-effc-708b-7acb-1b8f96dc830c, ID=2
    [Info] Waiting for report to finish execution...
    [Info] Downloading report data...
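To triage several issues in one pass, the check command can be wrapped in a small shell function. This is an added example, not part of the plugin: the function names, the per-issue file layout, the `XRAY-<digits>` ID pattern, and the assumption that the "Affected components" banner appears in the command's output as in the sample above are all assumptions.

```shell
#!/bin/sh
# Added example (not plugin code): batch wrapper around
# `jf cve-impact-check check`, using only the flags documented above.

# Accept only CVE-YYYY-NNNN... or XRAY-NNN IDs (the XRAY pattern is an
# assumption), so a value such as "--server-id x" is never passed as an ID.
valid_issue_id() {
  case "$1" in
    CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*) suffix=${1#CVE-????-} ;;
    XRAY-[0-9]*) suffix=${1#XRAY-} ;;
    *) return 1 ;;
  esac
  case "$suffix" in *[!0-9]*) return 1 ;; esac
  return 0
}

# check_issues REPOSITORIES OUTDIR ISSUE_ID...
# Writes OUTDIR/<id>.json (report) and OUTDIR/<id>.log (CLI output) per issue
# and prints, one per line, the IDs whose log shows affected components.
check_issues() {
  repos=$1; outdir=$2; shift 2
  # --repositories is mandatory when exporting impacted artifacts.
  [ -n "$repos" ] || { echo "repositories list is required" >&2; return 2; }
  mkdir -p "$outdir" || return 2
  for id in "$@"; do
    if ! valid_issue_id "$id"; then
      echo "skipping malformed issue id: $id" >&2
      continue
    fi
    # Capture stdout and stderr: the log lines may arrive on either stream.
    jf cve-impact-check check "$id" --export-impacted-artifacts \
      --repositories "$repos" --output "$outdir/$id.json" \
      > "$outdir/$id.log" 2>&1 || { echo "check failed for $id" >&2; continue; }
    if grep -q 'Affected components in the system' "$outdir/$id.log"; then
      echo "$id"
    fi
  done
}

# Usage (repository names are placeholders):
#   check_issues "default-maven-local,libs-release-local" ./reports \
#     CVE-2021-44228 CVE-2021-45046
```

A failed check is reported and skipped rather than treated as "not affected", so a connection or indexing problem is not mistaken for a clean result.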
The release notes are available here.