Customize Xray DevSecOps With Private Data

For some organizations, even the best isn’t quite enough. That’s why JFrog Xray provides a way for you to specify your own additional data, to detect even more sensitive issues in your binaries before they can reach production.

JFrog Xray is a tool for DevSecOps teams to gain insight into the open source components used in their applications. Through deep recursive scanning of binaries in your Artifactory repositories, Xray identifies security vulnerabilities and helps assure license compliance with the policies of your organization. With this additional metadata, Xray enables an automated response to violations, such as preventing a download or failing a build.

Out of the box, Xray uses data from industry-leading sources, including Risk Based Security’s VulnDB to determine whether a package or artifact contains a certain vulnerability. VulnDB offers the most complete vulnerability intelligence available for DevSecOps, with nearly 90,000 more vulnerabilities than the frequently used CVE database (as of September, 2019).

With such comprehensive DevSecOps data to start with, why would you want to add your own? There are several reasons a company or developer might want to do this: 

  • You may consider something to be a vulnerability that Xray’s data sources do not.. 
  • You may have access to information about software components not included in Xray’s  data sources. 
  • You may have private (not OSS) libraries for which you have tracked vulnerabilities and want to include in your Xray security scans.

For such use-cases, Xray supports custom integrations of your own vulnerabilities data. With a custom integration, you can enable Xray to look at an external source for additional information about vulnerabilities and licenses. Just like JFrog’s first-party data source, if your server provides information about a software component, Xray will apply the security and license compliance policies you have specified.

Creating a Custom Integration

Adding a custom integration to Xray is very straightforward, and you can learn all the details, as well as try the files from our Xray custom integration demo on GitHub. For those already familiar with Xray technology, we’ll hit the highlights of that demo here. 

There are two pieces to set up:

  • Your custom integration REST API
  • JFrog Xray

Running the Demo Server

From the root of the project, run the server.  The API Key is determined by you, and used by Xray to authenticate with your RESTful API.

go run main.go (<api-key>) [<path-to-db-file>]

Xray Setup

Open the integrations view from the admin panel in the sidebar to create a new integration.

Select custom integration and configure the integration.

Generating a Security Violation

The demo comes with a `json` file for a database. New components can be added to this file to trigger security violations.

 {
    "component_id": ,
    "licenses": [
      {
        "version": ,
        "licenses": [
          "Apache 2.0"
        ]
      }
    ],
    "vulnerabilities": [
      {
        "version": ,
        "source_id": "0"
      }
    ]
  }

 

In Xray, scans can be manually triggered for a component. Users can also leverage Policies and Watches, which will enforce specific behaviors when a violation occurs.

Try It Out

We encourage you to explore the Xray Integration in the GitHub project and guide and run this example custom integration on your own.

If you haven’t even tried Xray yet for DevSecOps, sign up for a free trial of Xray for on-prem or cloud.