This functionality allows benefiting from the same JFrog Xray vulnerability and license scanning capabilities, even before deployment to JFrog Artifactory. This enhancement helps organizations comply with their security policies and standards by ensuring development teams only upload scanned and violation free binaries to Artifactory.
Scanning of dependencies in sources is available as part of the new v2 version of JFrog CLI, with source scanning support for Maven, Gradle and npm packages. Go and Pip package support will be available soon!
Did you know? JFrog CLI is a compact and smart client that works with Artifactory, Xray, Distribution and Mission Control, to provide powerful features for your automation scripts in a readable and reliable manner.
Before you start
Here’s what you’ll need:
- JFrog CLI installed (version 2.1.0 or above). Get JFrog CLI with your installer of choice.
- JFrog self-hosted FREE subscription or JFrog cloud FREE subscription (with Xray version 3.29.0 or above)
- Maven, Gradle or npm installed, corresponding to the sources scanned.
Steps to Scan
The scan can be done in one of two ways. Either as an individual scan directly on sources, or a scan as part of a build, prior to the deployment phase. In both cases, we’ll start by configuring your JFrog platform on JFrog CLI.
Configure Server with JFrog CLI
Run $ jfrog c add <server-id> anywhere on your machine to configure your platform details.
Run $ jfrog rt ping to validate your connection.
Option 1: Run the Audit Command
Scan the sources on-demand, not as part of a build.
Run the audit command from the top-level directory that contains your source files.
Each of the supported package managers has its own audit command.
For example, to perform a scan of Maven projects in your source code and report all vulnerabilities:
$ jfrog xr audit-mvn
The Gradle and npm corresponding commands will be:
$ jfrog xr audit-gradle or $ jfrog xr audit-npm.
By default, the scan returns vulnerability data found in all of your dependencies. To retrieve violation data instead, evaluated against a specific watch configuration, repository path, or project, use one of the following command options:
- --watches – followed by a comma-separated list of Xray watches.
- --repo-path – followed by the target repository path.
- --project – followed by a project key.
Note that when you run the scan with one of these options, the results show only violation data, not vulnerability data. To view the vulnerability data, run the scan without these options.
By default, the results will be shown in a table format.
The results can be returned in JSON format for automation purposes. To change the output format, provide the format option: --format=json.
View additional options by providing the --help option in your terminal, or read about the available commands in the JFrog CLI documentation.
Option 2: Conditional Upload – Maven and Gradle
In this approach, all files are scanned on the local system prior to the upload, as part of the build process using JFrog CLI. If any of the files are found to be vulnerable, the upload is skipped.
To configure JFrog CLI for a build, including choosing the resolution and deployment repositories and other build options, use the corresponding package manager config command from the top-level directory of your project:
$ jfrog rt mvn-config or $ jfrog rt gradle-config.
By default, the configuration command runs interactively. Set the CI=TRUE environment variable to run it non-interactively.
Read about the configuration and build commands here, or view them with the --help option.
Once the build is configured, run the build command with the appropriate goals/tasks and options, and provide the --scan option to use the conditional upload:
$ jfrog rt mvn clean install --scan
$ jfrog rt gradle clean build --scan
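The following script is an added example for both Option 1 and Option 2; it is not part of the original post and not JFrog's own code. It picks the audit command for a project from the descriptor file in its top-level directory (pom.xml, build.gradle or build.gradle.kts, package.json), composes the on-demand audit invocation with --format=json and an optional watch list, and maps the same project type to the conditional-upload build command. It assumes a server has already been configured with jfrog c add and that the CLI is on PATH as jfrog; the descriptor-to-command mapping and the output file name audit-result.json are assumptions of this example.

```shell
#!/bin/sh
# Added example (not JFrog's code): choose the Xray audit command for a
# project directory, run it for automation, and build the conditional
# upload command for Maven or Gradle. Assumes "jfrog c add" has been run.

# Map the top-level descriptor in a directory to the matching audit command.
# Prints "audit-mvn", "audit-gradle" or "audit-npm"; returns 1 if none match.
# (Descriptor file names are this example's assumption.)
detect_audit_cmd() {
    dir="$1"
    if [ -f "$dir/pom.xml" ]; then
        echo audit-mvn
    elif [ -f "$dir/build.gradle" ] || [ -f "$dir/build.gradle.kts" ]; then
        echo audit-gradle
    elif [ -f "$dir/package.json" ]; then
        echo audit-npm
    else
        return 1
    fi
}

# Assemble the audit arguments. With an empty watch list the scan reports
# vulnerabilities; with one it reports only violations of those watches.
build_audit_args() {
    cmd="$1"
    watches="$2"
    if [ -n "$watches" ]; then
        echo "xr $cmd --format=json --watches=$watches"
    else
        echo "xr $cmd --format=json"
    fi
}

# Map the audit command to the conditional-upload build command (Option 2).
# Only Maven and Gradle support --scan, so npm returns 1.
build_scan_args() {
    case "$1" in
        audit-mvn)    echo "rt mvn clean install --scan" ;;
        audit-gradle) echo "rt gradle clean build --scan" ;;
        *)            return 1 ;;
    esac
}

# Run the on-demand audit from the project root and keep the JSON result.
run_audit() {
    dir="$1"
    watches="$2"
    out="$3"
    cmd=$(detect_audit_cmd "$dir") || { echo "no supported project in $dir" >&2; return 1; }
    args=$(build_audit_args "$cmd" "$watches")
    # CI=TRUE keeps JFrog CLI from prompting inside a pipeline step.
    ( cd "$dir" && CI=TRUE jfrog $args > "$out" )
}

# Run the build with conditional upload from the project root.
run_conditional_upload() {
    dir="$1"
    cmd=$(detect_audit_cmd "$dir") || { echo "no supported project in $dir" >&2; return 1; }
    args=$(build_scan_args "$cmd") || { echo "conditional upload needs Maven or Gradle" >&2; return 1; }
    ( cd "$dir" && CI=TRUE jfrog $args )
}

# Pipeline entry points:
#   ./xray-scan.sh audit <dir> [watches]   -> writes audit-result.json
#   ./xray-scan.sh upload <dir>            -> build, scan, upload if clean
case "${1:-}" in
    audit)
        command -v jfrog >/dev/null || { echo "jfrog not installed" >&2; exit 1; }
        run_audit "$2" "${3:-}" audit-result.json
        ;;
    upload)
        command -v jfrog >/dev/null || { echo "jfrog not installed" >&2; exit 1; }
        run_conditional_upload "$2"
        ;;
esac
```

Keeping the command assembly in functions separate from the invocation makes the watch selection and the Maven/Gradle-only restriction on --scan visible in one place, and lets a pipeline call the same script for both the on-demand audit and the gated upload.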
Behind the Scenes
JFrog CLI provides this integration with Xray by downloading an indexer component from the latter (only occurs on first use or after an update).
On a requested scan, the CLI assembles the project's dependency tree and passes it to the indexer, which in turn replies with the vulnerability/violation results.
The JFrog CLI project and its dependencies are all open source. Ask questions or let us know what other functionality you'd like to see in the project's GitHub issues section.