As part of our ongoing efforts to offer you the most comprehensive and advanced SDLC protection capabilities, JFrog continues to boost the capabilities of our Xray security and compliance product.
In this blog, we offer an overview of recent Xray improvements, all aimed at helping you fortify your software, reduce risk, scale security, streamline compliance and accelerate releases with confidence.
Read on to learn all about our latest advances in areas including SBOM (software bill of materials), git repo scanning, vulnerability data, Jira integration and threat contextual analysis.
Threat Contextual Analysis
Security threats aren’t all created equal. Some are critical, others present less of a risk. In an ideal world, you’d fix every single vulnerability, misconfiguration and compliance violation in your SDLC – but given time and resource constraints, that’s unrealistic. Thus, you must prioritize which threats you remediate first. That’s where contextual analysis is key.
Xray now scans your binaries intelligently, taking context into account. It looks not just at a binary or image, but rather employs a holistic approach that examines their environment, including criteria such as configuration relevancy, existence of patches, and compilation flags to find out if a CVE applies. Using this contextual threat analysis, Xray helps you pinpoint your most critical security gaps, so that you can prioritize accordingly and address them right away.
When you quickly and continuously detect and fix your most critical security and compliance flaws, you can release software faster and confidently, and prevent issues from cropping up unexpectedly and slowing down your pipeline.
Enhanced Vulnerability Data
Another new Xray capability that helps DevOps teams better assess and prioritize risks is one we call CVE Research and Enrichment. It augments vulnerabilities’ publicly available data with exclusive information from JFrog’s security research team.
Every disclosed vulnerability is assigned a CVE (Common Vulnerabilities and Exposures) number, along with a severity rating, and they get listed in the National Vulnerability Database (NVD.) That information is available to everybody.
But JFrog customers get access to a deeper technical overview and a proprietary JFrog severity score, so that they can better understand CVEs’ risk and prioritize their remediation. This JFrog information includes prerequisites for exploitation and detailed technical mitigation solutions.
Here’s more information about this capability.
Git Repo Scanning
Through integrations with Version Control Systems (VCS) providers, such as GitHub, Bitbucket and GitLab, Xray now scans a Git repository, identifies the OSS dependencies in it, and detects vulnerabilities and license compliance violations. Customers can define policies to trigger specific actions, including alerting about violations, failing pull requests, and creating fix-pull requests for dependency upgrades.
By helping developers detect security and compliance issues within the UI of their preferred tools, JFrog is boosting your team’s capabilities to shift left and fix problems early and often in the DevOps cycle.
Unquestionably, the Software Bill of Materials, or SBOM, has become a critical DevSecOps piece, because it provides deep and comprehensive visibility into which components make up a piece of software.
In fact, last year’s White House Executive Order on Improving the Nation’s Cybersecurity highlighted the SBOM’s importance as “a formal record containing the details and supply chain relationships of various components used in building software” and stressing that “obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.”
That’s why we continue to bolster Xray’s SBOM capabilities, with the latest being support for the SPDX and CycloneDX standard formats. Xray, which creates SBOMs with a machine-readable inventory of software components and dependencies, now lets you export SBOMs in both of these standard formats.
SPDX, an ISO/IEC-approved standard, is popular for open source projects, while CycloneDX is a lightweight standard designed for application security use cases and supply chain component analysis.
These new capabilities will further help DevOps teams have control and visibility into their software components, their dependencies, and associated risks.
A new, easy-to-configure integration with Atlassian’s Jira lets you automatically create Jira tickets based on security violations detected by Xray. Getting these notifications in the Jira UI will make it easier and more convenient for developers who already use Jira to track and manage tickets for other types of bugs in their code.
By not having to toggle over to Xray, you’ll be able to quickly assess, prioritize and address the detected security and compliance issues, minimizing their potential impact and ensuring you’re releasing software that’s safe and compliant.
More To Come!
Stay tuned for many more significant enhancements to Xray, as we strive to provide you with the most robust security and compliance features designed specifically for developer, DevOps and security teams and their particular needs. Our mission is to help you continuously and seamlessly protect your entire SDLC, from code creation to distribution, so that you can secure and release software faster.