Pull XRay vulnerability data via jfrog command line client

[corey-dawson]

Artifactory is already scanning all docker images I am pushing for vulnerabilites (CVEs), however, there does not seem to be a jfrog client method to pull the vulnerability scan data. There is only xray functions to scan local docker images. However, it is impractical to have to pull down an image and rescan it when the data already exists in Artifactory. Im requesting an enhancement to be able to pull down the vulnerability xray scan data via the jfrog client per a specified image.

[lucastheisen]

This can be done with the REST api:

# assuming you have a server with a docker repo called docker-local
#   https://artifactory.example.com/docker-local
# and you published the image
#   artifactory.example.com/docker-local/myimage:latest
repo=docker-local
image_name=myimage
image_tag=latest

jf xr curl \
  --server-id platform \
  --data "{
    \"component_name\":\"${image_name}:${image_tag}\",
    \"package_type\":\"docker\",
    \"path\":\"${repo}/${image_name}/${image_tag}/manifest.json\",
    \"cyclonedx\":true,
    \"cyclonedx_format\":\"json\"
  }' \
  --header 'Content-Type: application/json' \
  --header 'Accepts: application/zip' \
  --output /tmp/res.zip \
  --request POST \
   'api/v2/component/exportDetails'

The documentation is really bad about the details, but in my experimentation it appears the keys to this function are:

• must set Accept: application/zip (not application/octet-stream)
• must have at the very least: component_name, package_type, path
  • must also have at least one export option (ie: cyclondx + cyclonedx_format)
  • should have one or more additional options (ie: vulnerabilities: true)
• must have output_format when including things other than base sbom (ie: vulnerabilities)

If you look at how the export form in the web UI groups these, it hints at the associations (like that output_format appears to be for vulns).