JFrog Curation Malicious
JFrog Malicious Blocked Error and Recommendation:
A Curation blocked error from JFrog looks like the following:
- Error example (Gradle):

```
* What went wrong:
Execution failed for task ':compileJava'.
> Could not resolve all files for configuration ':compileClasspath'.
   > Could not download jfrog_dummy-1.0.0.jar (io.github.andr3colonel:jfrog_dummy:1.0.0)
      > Could not get resource 'https://jfrog.ford.com/artifactory/external-proxy-group/io/github/andr3colonel/jfrog_dummy/1.0.0/jfrog_dummy-1.0.0.jar'.
         > Could not GET 'https://jfrog.ford.com/artifactory/external-proxy-group/io/github/andr3colonel/jfrog_dummy/1.0.0/jfrog_dummy-1.0.0.jar'. Received status code 403 from server: Forbidden
```
Here are some methods to confirm that a package is being blocked by JFrog Curation:
- Email notification from JFrog (noreply@jfrog.io) regarding your Curation blocked error. The email clearly states the blocked package name, type, originating repository, condition, recommendation, etc.
- Using the curl command:
  - Example:

```
curl -H "Authorization: Bearer <TOKEN>" -O "https://jfrog.ford.com/artifactory/external-proxy-group/io/github/andr3colonel/jfrog_dummy/1.0.0/jfrog_dummy-1.0.0.jar"
{
  "errors" : [ {
    "status" : 403,
    "message" : "package io.github.andr3colonel:jfrog_dummy:1.0.0 download was blocked by jfrog packages curation service due to the following policies violated {malicious-maven-central-block,Malicious package,Malicious package,Remove the malicious package from your project and replace it with an alternate package.}"
  } ]
}
```
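The Gradle log only reports `403 Forbidden`, so the response body is what separates a Curation block from an ordinary permissions 403. The following is an added example, not JFrog's or this page's own tooling: it parses a captured response body and extracts the blocked package and policy details. The message wording, the field order inside `{...}`, and the names `parse_curation_block` and `FIELDS` are assumptions inferred from the single sample above.

```python
import json
import re

# Constructed sample: the 403 body shown in the curl example on this page.
SAMPLE_BODY = json.dumps({"errors": [{"status": 403, "message": (
    "package io.github.andr3colonel:jfrog_dummy:1.0.0 download was blocked by "
    "jfrog packages curation service due to the following policies violated "
    "{malicious-maven-central-block,Malicious package,Malicious package,"
    "Remove the malicious package from your project and replace it with an "
    "alternate package.}")}]})

# Wording inferred from that single message (assumption, not a documented format).
BLOCK_RE = re.compile(r"package (?P<package>\S+) download was blocked by "
                      r"jfrog packages curation service")
# Assumed order of the comma-separated values inside each {...} group.
FIELDS = ("policy", "condition", "explanation", "recommendation")


def parse_curation_block(status, body):
    """Return the blocked package and violated policies, or None when the
    response is not a Curation block (for example a permissions 403)."""
    if status != 403:
        return None
    try:
        errors = json.loads(body).get("errors", [])
    except (ValueError, AttributeError):
        return None  # non-JSON or unexpected body: not a Curation message
    if not isinstance(errors, list):
        return None
    for err in errors:
        msg = str(err.get("message", "")) if isinstance(err, dict) else ""
        match = BLOCK_RE.search(msg)
        if not match:
            continue
        policies = []
        for group in re.findall(r"\{([^{}]*)\}", msg[match.end():]):
            # maxsplit keeps commas inside the trailing recommendation text
            parts = [p.strip() for p in group.split(",", len(FIELDS) - 1)]
            parts += [""] * (len(FIELDS) - len(parts))
            policies.append(dict(zip(FIELDS, parts)))
        return {"package": match["package"], "policies": policies}
    return None


if __name__ == "__main__":
    print(json.dumps(parse_curation_block(403, SAMPLE_BODY), indent=2))
```

A `None` result for a 403 means the failure should be investigated as an access or repository problem rather than a Curation policy violation.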
Email Example:
JFrog Malicious Blocked Information:
Detects 3rd party packages that have been identified by the JFrog Security Research team as malicious. The JFrog Security Research group created scanners that continuously scan 3rd party packages for indications of malicious intent. Our detectors look for indications of infection methods (e.g. typosquatting, dependency confusion), suspicious payload actions (e.g. download and execute, dynamic code evaluation), obfuscation techniques and more. For more information, feel free to contact our research group at: research@jfrog.com