JFrog Xray – not just another security vulnerabilities scanner.

We have just officially launched JFrog Xray, and we're already being asked by customers why we think JFrog Xray should be used instead of $YOUR_FAVORITE_SECURITY_SCANNING_TOOL. Is Xray like Black Duck? Maybe it’s like Docker Security Scanning? Maybe it’s similar to Sonatype Nexus Component Intelligence?


Before getting into the list of differences, there is a huge conceptual shift to make. Xray is not just another security database with a trivial scanner. It’s a Universal Binary Impact Analysis product. The capability for recursive analysis is what makes Xray unique, and it is open and universal to connect to your security and license database or any other metadata. Not sure what I mean? Keep reading and it will all make sense by the end of this post.

So now, after we successfully established that Xray is in a different category than a traditional security vulnerabilities scanner such as Sonatype Nexus Component Intelligence or Docker Security Scanner, let’s compare apples to oranges to better understand why Xray dramatically changes the way you think about binary impact analysis:

1. It’s not only about security vulnerabilities. Impact analysis should be universal.

It’s true that fear sells (ask some politicians), but as Dr. Roy Schestowitz precisely puts it, we don’t sell FUD. There are many different metrics you want to understand and be alerted about regarding your components – license compliance, runtime performance issues, bugs, architectural decisions, outdated components, and there are even completely ad-hoc rules you want to apply like detecting components that have your competitors’ IP. And yes, security vulnerabilities as well.

Xray uses internal metadata sources combined with external metadata sources to which it connects, to provide you with truly universal impact analysis.

2. What about containers?! Not all software in the world is Java (or NuGet or npm). Impact analysis should be universal.

Java dominates the software world (more or less), but today, it’s hard to find an organization that does only Java. Polyglot programming is the new “normal”, and then there’s DevOps that brings other types of software to the developer’s plate – Docker, RPM, YUM, Vagrant. A tool that can only scan Java components is so… 2005?

Currently, Xray is able to scan Java JARs and WARs, NuGet packages, Python eggs, npm packages, RPM and Debian packages and, of course, Docker images. Soon enough, Xray will support all the package types supported in the most comprehensive artifact repository in the world – JFrog Artifactory.

Xray Ecosystem

3. One database can’t know it all, and yet, impact analysis should be universal.

No database in the world can contain all the metadata you need for comprehensive impact analysis – all the security vulnerabilities for all the components of different types, all the licenses, all the versions, and of course no database in the world can contain your proprietary decision-making metadata. Also, there are different approaches to impact analysis that might fit other organizations, but not yours (for example, are you OK with the fingerprints of your dependencies being sent to the cloud?).

Xray provides you with the freedom of choice – you can use Xray’s internal database of security vulnerabilities, licenses and component versions for a zero-configuration experience. And since we designed Xray to be generic, our partners have already built the integration so you can connect any number of external tools like Black Duck, WhiteSource, and Aqua (stay tuned, more is coming) if they better suit your needs. JFrog will also continue to add more metadata providers to integrate with Xray. But what about the custom metadata? Through an open REST API, Xray provides you with a simple way to hook any decision-making mechanism into Xray and see how it affects your applications.

4. Components aren’t flat. Impact analysis should be universal.

So, for example, Nexus Component Intelligence is capable of scanning Java components. Or, let’s take Docker Security Scanner. It can only scan Docker images. But what about a Java component inside a Docker image, in an RPM or Debian package, or in a gzipped archive? Nope. In Nexus Component Intelligence’s world, the components can only exist in a stand-alone, flat structure.

The real world is different. Components are nested inside each other like Russian dolls: a JAR within a WAR, within a Debian package, within a Docker image, within a Vagrant box. And Xray, as a universal tool, knows how to crack those packages open, discover what’s inside, and index those components recursively.

5. You need company-wide impact analysis and it should be universal.

Imagine if Xray discovered a runtime bug in one of the NuGet packages running inside a Docker container, in one of the production environments of one of the projects inside your organization (by now you know it can). Wouldn’t it be dreamy if your colleagues in other projects also knew about all the components that are affected by this bug?

That’s something else you can do with Xray that you can’t do with Nexus Component Intelligence or similar tools – company-wide impact analysis. Once Xray is connected to all Artifactory instances running in the different projects and organizations across your company, it builds a truly Universal Component Graph and can run the impact analysis on all the components within your company that can be affected by the single component in question.
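Sections 4 and 5 above describe two ideas: recursively indexing nested packages, and then walking the resulting containment graph backwards to find every artifact affected by a single component. The Python sketch below is added here as an illustration and is not JFrog's code; it handles zip-family archives only (JAR and WAR are zip files), cracks a constructed release zip open recursively, records which artifact contains which, and then answers which artifacts are impacted by one shared JAR. Function names and the sample artifacts are made up for the illustration, and a production indexer would key components by content checksum rather than by entry name.

```python
import io
import zipfile
from collections import defaultdict

ARCHIVE_SUFFIXES = (".zip", ".jar", ".war")  # zip-family only; JAR/WAR are zips

def _children(data):
    """Yield (entry name, bytes) for every file inside one zip-family blob."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith("/"):
                yield name, zf.read(name)

def index(name, data, graph, depth=0, max_depth=8):
    """Record parent -> child containment edges, recursing into nested archives."""
    if depth > max_depth or not name.endswith(ARCHIVE_SUFFIXES):
        return                          # depth cap guards against zip bombs
    for child, blob in _children(data):
        graph[name].add(child)
        index(child, blob, graph, depth + 1, max_depth)

def impacted_by(component, graph):
    """Reverse walk: every artifact that transitively contains component."""
    parents = defaultdict(set)
    for parent, kids in graph.items():
        for kid in kids:
            parents[kid].add(parent)
    seen, stack = set(), [component]
    while stack:
        for p in parents[stack.pop()] - seen:
            seen.add(p)
            stack.append(p)
    return seen

def _zip(entries):
    buf = io.BytesIO()                  # build a zip blob in memory from {name: bytes}
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()

def demo():
    """Constructed sample: one shared JAR inside two WARs inside one release zip."""
    jar = _zip({"com/example/Foo.class": b"\xca\xfe\xba\xbe"})
    shop = _zip({"WEB-INF/lib/lib-1.0.jar": jar, "index.html": b"<html/>"})
    admin = _zip({"WEB-INF/lib/lib-1.0.jar": jar})
    release = _zip({"shop.war": shop, "admin.war": admin, "NOTES": b"constructed"})
    graph = defaultdict(set)
    index("release-2016.zip", release, graph)
    return graph, impacted_by("WEB-INF/lib/lib-1.0.jar", graph)
```

Flagging the shared JAR as affected yields both WARs and the release archive that ships them, which is the per-artifact view a company-wide graph then extends across repositories.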

Well, I’m sure you got the idea by now. You need your impact analysis to be universal, and you can only get that with JFrog Xray.

To round off the whole story, JFrog Artifactory 4.11 was co-released with JFrog Xray and these two products are tightly integrated complementing each other. Artifactory, the only truly universal artifact repository, provides all your binary artifacts and the metadata that comes with them, and JFrog Xray, the only product that can hook into any number of external feeds and truly offers universal impact analysis, gives you a complete picture of all issues and vulnerabilities infecting binary artifacts of any format across your organization.

So go ahead, give it a try today! Download the Xray free trial here.

Download the latest version of Artifactory here, and if you need one, get a free trial license here.

Learn more about Artifactory vs Sonatype.