
JFrog Curation Notification for MS Teams

The JFrog Notification Bot notifies users through MS Teams when a package being downloaded violates a curation policy. More information about these policies can be found in our JFrog Curation Overview. For a generic CDSID, the notification is sent to the Manager identity. Notifications help developers become aware of vulnerable packages being downloaded into the Ford environment and mitigate them. Notifications are sent by JFrogPlatform Proxy (P.) via Workflows for Teams.

Current Policies With Notification Enabled

Package Type                        | Vulnerability Level                            | Blocked/Dry-Run
------------------------------------|------------------------------------------------|----------------
All                                 | Malicious                                      | Blocked
PyPI, Go, Conan, NuGet, Gems        | Critical (CVE with CVSS score of 9 or above)   | Dry-Run

Dry-Run Mode

No packages will be blocked during this dry run - this phase is for awareness only and should not impact your development workflow.

What Should I Do After Receiving The Notification?

  1. Check the package name and version reported with the vulnerability:

    (Screenshot: vulnerability name and version)

  2. Open the Click Here For Curation Package Details URL to view more information about the package.

    (Screenshot: vulnerability URL)

  3. From the Curation Package Catalog (URL above), click on the CVE ID and check the Fix Version.

    (Screenshot: Curation Package Catalog example)

  4. Update your package to the recommended Fix Version.

    • For Java/Gradle/Maven projects: You would typically modify your build.gradle or pom.xml file to specify the new, fixed version of the dependency.
    • For Node.js projects: You would update your package.json file and then run npm install or yarn install.
    • For Python projects: You might update your requirements.txt file and run pip install -r requirements.txt.
    • For other systems: This could involve downloading and installing a new binary, running an update command, or applying a patch.
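For the Python case in step 4, re-pinning by hand is error-prone because requirements.txt names compare case-insensitively and treat "-", "_" and "." as equivalent (PEP 503), so a plain text search can miss or over-match the flagged package. The helper below is an added example, not part of this page or of JFrog's tooling; the sample file, package names and fix version are constructed, and the flagged package and Fix Version are assumed to come from the notification and the Curation Package Catalog.

```python
import re

# PEP 503 name normalization: comparisons are case-insensitive and runs of
# '-', '_' and '.' are interchangeable, so "Requests_OAuthlib" == "requests-oauthlib".
def normalize_name(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# One requirement line: name, optional [extras], version specifier (which may
# carry a ';' environment marker), and an optional trailing comment.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<extras>\[[^\]]*\])?"
    r"\s*(?P<spec>.*?)\s*(?P<comment>#.*)?$"
)

def bump_requirement(line: str, package: str, fix_version: str) -> tuple[str, bool]:
    """Re-pin one requirements.txt line to fix_version. Returns (new_line, changed)."""
    stripped = line.strip()
    # Blank lines, comments and option lines (-r, --index-url, ...) are passed through.
    if not stripped or stripped.startswith(("#", "-")):
        return line, False
    m = _REQ_RE.match(stripped)
    if not m or normalize_name(m.group("name")) != normalize_name(package):
        return line, False
    spec = m.group("spec")
    marker = ""
    if ";" in spec:  # keep an environment marker such as ; python_version < "3.9"
        marker = " ; " + spec.split(";", 1)[1].strip()
    comment = " " + m.group("comment") if m.group("comment") else ""
    new = f"{m.group('name')}{m.group('extras') or ''}=={fix_version}{marker}{comment}"
    return new, new != stripped

def bump_requirements(text: str, package: str, fix_version: str) -> tuple[str, int]:
    """Apply bump_requirement to a whole file; returns (new_text, lines_changed)."""
    out, changed = [], 0
    for line in text.splitlines():
        new, did = bump_requirement(line, package, fix_version)
        out.append(new)
        changed += did
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailer, changed

# Constructed sample file; package names and versions are illustrative only.
SAMPLE = """\
# app dependencies
Requests==2.25.0   # flagged by curation
requests_oauthlib==1.3.0
urllib3[socks]>=1.26,<2 ; python_version < "3.12"
-r base.txt
"""

if __name__ == "__main__":
    new_text, n = bump_requirements(SAMPLE, "requests", "2.31.0")
    print(f"{n} line(s) re-pinned:\n{new_text}")
```

Note that only the flagged package is re-pinned ("requests_oauthlib" is a different distribution and is left alone), and a range specifier is replaced by an exact pin so the fixed version is what actually gets installed by pip install -r requirements.txt.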

Brought to you by DevTools and Enablement Team.