JFrog Curation Overview
- Current Blocked Matrix
- Packages Catalog
- For additional support, please see Submitting a ServiceNow ticket or Find Additional Support
JFrog Curation addresses the threat of software supply chain attacks by letting organizations vet packages before they are pulled into their software. It complements Xray by enforcing a set of rules that decide which packages developers may not access. These rules stop packages with potential security or licensing problems from being downloaded from a public repository into your remote repository.
JFrog Curation is policy-driven. Whenever a developer requests a package from a curated public repository through a remote repository in the organization, the package is checked against every relevant curation policy (for example, a policy whose condition is a Common Vulnerability Scoring System threshold) and is approved or rejected according to the conditions defined in the policy. If several policies apply, the package is evaluated against each of them and is blocked if it fails any one of them. Only a package approved by all relevant policies is downloaded into the remote repository.
⚠️ Warning:
All packages utilized by your team, especially open-source software integrated into your projects, must adhere to the FOSSA process. Your team is solely responsible for ensuring FOSSA compliance for these packages. The JFrog Admin team is not liable for any failure to comply with FOSSA.
What is Common Vulnerability Scoring System (CVSS Score)?
CVSS stands for the Common Vulnerability Scoring System. It is a standardized, repeatable, vendor-agnostic way to rate and rank reported vulnerabilities, so that vulnerabilities in different applications from different vendors can be compared on the same scale.
CVSS produces a base score from 0.0 to 10.0 that reflects the severity of the vulnerability: 0.0 is the least severe and 10.0 the most severe. Using CVSS to prioritize lets you address the most critical vulnerabilities first and reduce overall risk to the organization. Note that the base score describes the vulnerability itself, not how exposed a given deployment is, so it is a starting point for prioritization rather than the whole picture.
CVSS scores are also grouped into the severity rankings you may have seen: Critical, High, Medium, and Low. For CVSS v3 the bands are as follows:
CVSS v3 Base Score | CVSS Severity Level |
---|---|
0.0 | None |
0.1 - 3.9 | Low |
4.0 - 6.9 | Medium |
7.0 - 8.9 | High |
9.0 - 10.0 | Critical |
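The following is an added illustration, not code from JFrog or from this page, of the two rules described above: the CVSS v3 severity bands in the table, and the curation decision from the overview, where a package is blocked as soon as any applicable policy rejects it. The policy name `malicious-block` is taken from the blocked matrix on this page; its condition (block packages flagged as malicious) and the second policy `cvss-high-block` (block on any CVE with a base score of 7.0 or higher), along with the sample packages, are assumptions constructed for the example and are not the actual policy definitions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to the severity band from the table above."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Package:
    """A package version as seen by the remote repository (constructed sample data)."""
    name: str
    version: str
    cvss_scores: list[float] = field(default_factory=list)  # one base score per known CVE
    malicious: bool = False  # True if the package has been flagged as malicious


@dataclass
class Policy:
    """A simplified curation policy: block on a CVSS threshold and/or on a malicious flag."""
    name: str
    min_blocking_cvss: Optional[float] = None  # block if any CVE scores >= this value
    block_malicious: bool = False

    def violations(self, pkg: Package) -> list[str]:
        reasons = []
        if self.min_blocking_cvss is not None:
            for score in pkg.cvss_scores:
                if score >= self.min_blocking_cvss:
                    reasons.append(
                        f"{self.name}: CVSS {score} ({cvss_severity(score)}) "
                        f">= {self.min_blocking_cvss}"
                    )
        if self.block_malicious and pkg.malicious:
            reasons.append(f"{self.name}: package is flagged as malicious")
        return reasons


def curate(pkg: Package, policies: list[Policy]) -> tuple[bool, list[str]]:
    """Evaluate every applicable policy; the package is approved only if none rejects it.

    Returns (approved, reasons). All violations are collected rather than stopping at
    the first one, so the developer sees every reason the download was blocked.
    """
    reasons: list[str] = []
    for policy in policies:
        reasons.extend(policy.violations(pkg))
    return (len(reasons) == 0, reasons)


# Hypothetical policy set: the malicious-block name comes from the blocked matrix,
# the CVSS threshold policy is an assumption for illustration.
POLICIES = [
    Policy("malicious-block", block_malicious=True),
    Policy("cvss-high-block", min_blocking_cvss=7.0),
]

# Constructed sample packages (names and scores are made up for the example).
SAMPLES = [
    Package("left-pad-ish", "1.0.0", cvss_scores=[3.1]),               # only a Low CVE
    Package("old-xml-parser", "2.4.1", cvss_scores=[5.3, 9.8]),         # one Critical CVE
    Package("typosquat-utils", "0.0.2", malicious=True),                # flagged malicious
]

if __name__ == "__main__":
    for pkg in SAMPLES:
        approved, reasons = curate(pkg, POLICIES)
        verdict = "APPROVED" if approved else "BLOCKED"
        print(f"{pkg.name}@{pkg.version}: {verdict}")
        for r in reasons:
            print(f"  - {r}")
```

Because `curate` collects every violation instead of returning on the first, a package that is both malicious and carries a Critical CVE reports both reasons, which is what a developer needs when deciding whether to request an exception or pick another package.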
For additional information, visit JFrog Security Research
Current Blocked Matrix
JFrog Repository Name | Internet URL | Repo Type | JFrog URL | Curation Blocked Policies |
---|---|---|---|---|
maven-central | https://repo1.maven.org/maven2/ | maven2 | jfrog-maven-central | malicious-block |
npmjs | https://registry.npmjs.org | npm | jfrog-npmjs | malicious-block |
pypi-org | https://files.pythonhosted.org | pypi | jfrog-pypi-org | malicious-block |
docker-hub-remote | https://registry-1.docker.io | docker | jfrog-docker-hub-remote | malicious-block |
conan-io | https://center.conan.io | conan | jfrog-conan | malicious-block |
public-go-golang-org-remote | https://proxy.golang.org | golang | jfrog-golang | malicious-block |
nuget-v3 | https://www.nuget.org | nuget | jfrog-nuget | malicious-block |
rubygems-org | https://rubygems.org | rubygems | jfrog-rubygems | malicious-block |
Packages Catalog
JFrog Catalog is a comprehensive "search engine" for software packages. It gives developers and DevSec teams rich, structured data on open-source software (OSS) packages to help identify vulnerabilities, understand operational risks, and make informed decisions about package usage. You can reach the Ford JFrog Package Catalog from the UI, and the JFrog Catalog documentation describes in detail what you can do with it and how to use it.