Deep Recursive Scanning
JFrog Xray starts with your primary software component, and then recursively drills down to identify its dependencies, and then the dependencies’ dependencies, and so on down to any level, until every single component that is a part of your software, whether directly or indirectly, has been identified. Xray supports a variety of major packaging formats in use today including Docker, Debian, RPM, NuGet, JAR files, Npm, PyPI and Bower. In fact, as an open and flexible package-agnostic tool, Xray can accommodate new formats that may come on the scene from time to time and provide the same level of deep recursive scanning as with currently available package formats.
Once all components and dependencies have been identified, Xray cross-references each of them, direct or transitive, against any number of feeds and databases of known vulnerabilities, and alerts you when a matching component puts your software at risk.
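The two steps described above, the recursive walk of the dependency graph and the cross-reference of every discovered component against a vulnerability feed, are shown below as an added example in plain Python. This is not JFrog Xray code and does not use any Xray API; the dependency graph, the vulnerability feed and the VULN-EXAMPLE identifiers are all constructed here, and the version-range model (introduced <= version < fixed) is a simplification that a real feed would express more precisely. The graph deliberately contains a diamond and a cycle so the walk has to de-duplicate and terminate, and each finding carries the path from the root component so you can see how an indirect dependency introduces the risk.

```python
"""Recursive dependency walk plus vulnerability cross-reference.

Added illustration, not JFrog Xray code. The graph, the feed and the
identifiers are constructed for this example; a real scanner reads them
from lockfiles, package manifests and vulnerability feeds.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

Component = Tuple[str, str]  # (package name, version)

# Constructed dependency graph: component -> its direct dependencies.
# "utils" is reached from both "web" and "auth" (diamond) and "log"
# depends back on "utils" (cycle), so the walk must track what it has seen.
DEPENDENCIES: Dict[Component, List[Component]] = {
    ("app", "1.0.0"): [("web", "2.3.1"), ("auth", "0.9.0")],
    ("web", "2.3.1"): [("utils", "1.4.2"), ("json", "3.0.0")],
    ("auth", "0.9.0"): [("utils", "1.4.2"), ("crypto", "1.1.0")],
    ("utils", "1.4.2"): [("log", "0.2.0")],
    ("log", "0.2.0"): [("utils", "1.4.2")],
    ("json", "3.0.0"): [],
    ("crypto", "1.1.0"): [],
}

# Constructed vulnerability feed. The ids are placeholders, not real CVEs.
# A version is affected when introduced <= version < fixed; fixed=None
# means no fixed release exists yet.
VULN_FEED: List[dict] = [
    {"id": "VULN-EXAMPLE-0001", "package": "crypto", "introduced": "1.0.0", "fixed": "1.2.0"},
    {"id": "VULN-EXAMPLE-0002", "package": "log", "introduced": "0.0.0", "fixed": "0.2.0"},
    {"id": "VULN-EXAMPLE-0003", "package": "json", "introduced": "3.0.0", "fixed": None},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "1.4.2" into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def walk(root: Component, graph: Dict[Component, List[Component]]) -> Dict[Component, List[Component]]:
    """Breadth-first walk returning every transitive component together with
    the shortest path from the root that reaches it. The 'paths' dict doubles
    as the visited set, so diamonds are recorded once and cycles terminate."""
    paths: Dict[Component, List[Component]] = {root: [root]}
    queue = deque([root])
    while queue:
        component = queue.popleft()
        for dep in graph.get(component, []):
            if dep not in paths:
                paths[dep] = paths[component] + [dep]
                queue.append(dep)
    return paths


def scan(root: Component, graph=DEPENDENCIES, feed=VULN_FEED) -> List[dict]:
    """Cross-reference every discovered component against the feed and report
    each match with the dependency path that introduced it."""
    findings = []
    for (name, version), path in walk(root, graph).items():
        for vuln in feed:
            if vuln["package"] == name and is_affected(version, vuln["introduced"], vuln["fixed"]):
                findings.append({
                    "id": vuln["id"],
                    "component": f"{name}@{version}",
                    "path": " -> ".join(f"{n}@{v}" for n, v in path),
                })
    return sorted(findings, key=lambda f: f["id"])


if __name__ == "__main__":
    for finding in scan(("app", "1.0.0")):
        print(finding["id"], finding["component"], "via", finding["path"])
```

Running the block reports the two live findings, crypto@1.1.0 reached through auth and json@3.0.0 reached through web; the log entry is not reported because 0.2.0 is the fixed release and falls outside the half-open range. The path in each finding is what makes a transitive finding actionable: it tells you which direct dependency to upgrade or replace.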