“Forewarned is forearmed,” cautions the old proverb, and that truth coined in the 16th century is even more apt for DevSecOps in the 21st. The earlier you know about vulnerabilities, the better you can avoid making them part of your software.
That’s the same principle behind a “Shift Left” DevSecOps strategy. Rather than waiting for testers to catch vulnerabilities in built applications, developers take greater responsibility for keeping risky dependencies out of what they build.
But how is the developer supposed to know what dependencies are safe and which have problems? The public repository Maven Central has over 270,000 available modules and counting, all updated at a different pace. The Node.js registry npm has over 350,000 packages. Even with a security scanning tool like JFrog Xray to help, how can you be alert to problems at the time you code?
An IDE integration for Xray from JFrog can help.
Scanning for DevSecOps
If you use JFrog Xray, you’re already on your way to shifting DevSecOps left. Xray performs automated scans of the dependencies from package managers you use, including Maven, Gradle, and npm, and identifies which ones contain known vulnerabilities. Xray uses the VulnDB database, the most comprehensive and up-to-date vulnerability intelligence available, created and maintained by Risk Based Security.
Xray also identifies the applicable licenses of each dependency, so organizations can avoid using code whose license doesn’t comply with their policies.
Because Xray is integrated with the artifact repository Artifactory, you can always see in Artifactory’s dashboard which dependencies held in your proxy repositories have vulnerabilities, and how severe a risk they pose. An administrator can also configure JFrog Xray to block potentially harmful artifacts from being downloaded from Artifactory, to prevent their use.
Choose an IDE Integration
To bring those decisions nearer to developers, JFrog provides plugins for some of the most commonly used IDEs that bring Xray’s scanning results right into your coding editor. That way you can see, at the moment you choose your dependencies, whether your choice will introduce a risk, which helps you make an informed decision.
The JFrog Xray plugin for IntelliJ IDEA and the JFrog Visual Studio Extension have already been available, helping developers shift left. Now users of the Eclipse IDE have a plugin from JFrog as well. With this release, shifting awareness of security and license concerns left is easier on three of the most popular IDEs.
How it Works
To understand how these work, let’s look at the newest plugin, for Eclipse.
You can find the JFrog Eclipse IDE Plugin in the Eclipse Marketplace. To install the plugin, you can drag the Install button to your Eclipse window.
Once installed, you can connect the plugin to your instance of JFrog Xray by setting its URL and login credentials in its Preferences. When finished, you can click Test Connection to confirm the settings work, then Apply the settings.
Once you open the JFrog tab in Eclipse, you can see all of the Issues that Xray has identified in dependency components. You can filter the results to show only those matching the Severity of the risk.
In the Licenses Info tab you can identify and filter for the licenses that apply to each component.
Of course, choosing safe dependencies is only the first step in a DevSecOps strategy. A package thought safe today may be discovered to be vulnerable later, or a later version of the package might introduce new risks.
That’s why JFrog Xray performs continuous impact analysis of what’s held in your Artifactory repositories. It regularly scans and analyzes components, even those long since deployed to production, and provides alerts and notifications for newly discovered vulnerabilities. It also performs deep recursive scanning of your binaries, drilling down to analyze even the smallest binary component that affects your software.
It’s all part of bringing greater awareness of security violations to the developer, who is the most immediately able to act on the issue. Problems get resolved more quickly, and both the company and its customers stay protected.
The developer’s workbench is the first line of defense for DevSecOps. JFrog’s Xray integrations for popular IDEs like Eclipse are one way we’re helping to bring shifting left out of the shadows.