What’s New with JFrog Xray and DevSecOps

As we look to improve the quality and capabilities of the JFrog DevOps Platform, especially in the world of DevSecOps, we have added powerful new features to further enhance the award-winning JFrog Xray.

The capabilities detailed below cement Xray’s position as a universal software composition analysis (SCA) solution trusted by developers and DevSecOps teams globally to quickly and continuously identify open source software vulnerabilities and license compliance violations. 

Conan and C/C++ Support

Xray scans Conan packages, as well as C and C++ builds, deployed to JFrog Artifactory, the industry’s only universal repository manager and container registry. Conan, a dependency and package manager for C and C++ languages, is free and open-source, and works on all OS platforms. It integrates with all build systems like CMake and Visual Studio, as well as proprietary ones. A powerful Conan feature is its ability to create and manage pre-compiled binaries for any platform and configuration.

Xray supports these four main use cases for Conan and C/C++:

  • Xray scans packages downloaded from ConanCenter to Artifactory
  • Xray scans packages built with Conan that are uploaded to Artifactory
  • If you’re building a Conan package and integrating Xray into your CI process, Xray will scan those Conan builds
  • Even if you’re not using Conan, Xray will scan your C++ builds

CVSS v3 Support

The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of software security vulnerabilities. The scoring algorithm assigns severity scores to security vulnerabilities using several metrics that endeavour to approximate the ease and impact of the exploit. Xray collects the scores and severities from two different sources:

  • NVD: The National Vulnerability Database contains known vulnerabilities with their respective CVSS score
  • OS Package Security Advisory: Some open source operating systems have their own security trackers with further analysis of the software vulnerability inside the operating system package 

Score Range and Severity Levels

The goal is to allow you to prioritize responses and resources according to the level of the threat. Scores range from 0 to 10, with 10 being the highest severity. CVSS v3 also provides a severity description as follows:

  • Critical
  • High
  • Medium
  • Low
  • Unknown

The security rules you set in Xray are measured against the CVSS v3 score or severity level for triggering violations, as described in Creating Xray Policies and Rules. Xray will continue to support CVSS v2 scoring, but will only use it if the CVSS v3 score is not available. 
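The rule evaluation just described, as an added example that is not JFrog's code: a CVSS v3 score is preferred, CVSS v2 is used only when no v3 score exists, and a rule set at a minimum severity flags every vulnerability that reaches it. The v3 severity bands are the CVSS v3.x qualitative rating scale; the v2 bands, the treatment of a missing score as Unknown, and the CVE-EXAMPLE identifiers are assumptions and constructed data, since the page does not state Xray's exact mapping.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY_ORDER = {"Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# CVSS v3.x qualitative rating scale: (inclusive lower bound, label).
V3_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
# Assumption: NVD's CVSS v2 convention, which has no Critical band.
V2_BANDS = [(7.0, "High"), (4.0, "Medium"), (0.0, "Low")]

@dataclass
class Vulnerability:
    cve_id: str
    cvss_v3: Optional[float] = None  # as reported by NVD or an OS security tracker
    cvss_v2: Optional[float] = None

def effective_score(v: Vulnerability) -> Tuple[Optional[str], Optional[float]]:
    """Return (version, score): v3 wins; v2 is used only when no v3 score exists."""
    if v.cvss_v3 is not None:
        return "v3", v.cvss_v3
    if v.cvss_v2 is not None:
        return "v2", v.cvss_v2
    return None, None

def severity(v: Vulnerability) -> str:
    version, score = effective_score(v)
    if score is None:
        return "Unknown"  # assumption: no score from either source
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"{v.cve_id}: CVSS score {score} outside the 0-10 range")
    for lower, label in (V3_BANDS if version == "v3" else V2_BANDS):
        if score >= lower:
            return label
    return "Unknown"  # a v3 score of exactly 0.0 is "None" in the spec

def violations(vulns: List[Vulnerability], min_severity: str = "High") -> List[str]:
    """IDs that would trigger a rule set at `min_severity` or above."""
    threshold = SEVERITY_ORDER[min_severity]
    return [v.cve_id for v in vulns if SEVERITY_ORDER[severity(v)] >= threshold]

# Constructed sample records; the IDs are placeholders, not real advisories.
SAMPLE = [
    Vulnerability("CVE-EXAMPLE-0001", cvss_v3=9.8, cvss_v2=7.5),   # v3 preferred
    Vulnerability("CVE-EXAMPLE-0002", cvss_v2=7.5),                # v2 fallback
    Vulnerability("CVE-EXAMPLE-0003", cvss_v3=5.3, cvss_v2=10.0),  # v3 wins over v2
    Vulnerability("CVE-EXAMPLE-0004"),                             # no score at all
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(v.cve_id, effective_score(v), severity(v))
    print("High-or-above violations:", violations(SAMPLE))
```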

Red Hat Security Scanning Certification

JFrog Xray has been certified by Red Hat as a partner integrated in their Red Hat Partner Vulnerability Scanner Certification Program. Being certified ensures that the security vulnerability and license compliance data identified by JFrog Xray is accurate and consistent with expected results for Red Hat packages, enabling accurate risk assessments based on trusted, certified sources. This means that enterprises using RPM packages can confidently use the JFrog Platform as their DevSecOps platform. 

In addition to the Vulnerability Scanner Certification for Xray, the JFrog Platform has also been certified for:

  • Red Hat Certified OpenShift Operator (for JFrog Artifactory and JFrog Xray) to enhance customer installation and automation
  • Red Hat Certified UBI Container Image (for JFrog Artifactory) for additional assurance of greater reliability, security and performance of the underlying operating system that Artifactory runs on

These exciting new features are just the latest enhancements we’ve made to Xray, whose functionality we’re extending at a swift rate, as DevOps security becomes critical for enterprises. Stay tuned for more important announcements related to Xray and the JFrog Platform’s capabilities for DevSecOps!