JFrog CLI Secrets Revealed

By Yahav Itzhak , Senior Developer @ JFrog

May 11, 2022

5 min read

JFrog CLI is an open-source command-line tool that allows you to run CI builds with Artifactory and performs all kinds of Xray scans. Using this tool improves your builds’ traceability, and security, and makes them run faster.  

One doesn’t have to use the JFrog CLI to use Artifactory and Xray. All REST APIs are public and available in the documentation. However, in this blog, I’ll explain why using JFrog CLI is better than cURL – security-wise, easiness, and performance-wise.

Security

Security should always be a top consideration. Let’s describe some of the security features hidden in the JFrog CLI.

Token refresh mechanism 
One way to get a better defense against man-in-the-middle attacks is using short-lived expiring access tokens, instead of using passwords. Passwords have no restrictions and neither any time limitations and are therefore considered less safe. If a password was provided to the configuration, the CLI automatically generates hourly access tokens to use when communicating with Artifactory.  Read more about it here: https://www.jfrog.com/confluence/display/CLI/JFrog+CLI#JFrogCLI-AddingandEditingConfiguredServers

Checksum verification
Using the generic download command `jf rt download…`, the CLI automatically checks the checksums of downloaded artifacts. If there is a checksum mismatch, it fails the download.

ZipSlip defense mechanism
If a malicious archive was downloaded from Artifactory, the CLI can prevent extracting it in your system by making sure that all files will be extracted only under the target directory. Read more about it in the following pull request: https://github.com/jfrog/jfrog-client-go/pull/433

Ease of use

The JFrog CLI was first introduced in 2016. Since then it has become more and more popular and powerful. The purpose is to make an intuitive and easy experience.

File Specs
Querying artifacts in Artifactory is not an easy task. You may need to upload files, download artifacts, copy or move artifacts from one repository to another, set properties on an artifact, and so on. For that reason, a human-readable language was invented.

File spec is a JSON language that allows performing operations from/to Artifactory. For example, to download all files in repo/dir1/dir2/* except files that ends with “.zip”, use the following spec:

filespec.json:

Run the following command:
jf rt dl -—spec=filespec.json

Another example – to set the property “status=integration-tests-passed” on builds “my_build_name_1/4” and “my_build_name_2/5”, use the following spec:

Run the following command:
jf rt sp status=integration-tests-passed --spec=filespec.json

Read more about file specs, including their schema validation here:
https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory#CLIforJFrogArtifactory-UsingFileSpecs

 

Easy configuration
To configure your JFrog platform connection details in the JFrog CLI, you don’t have to remember to set all of the services’ URLs. Instead, the CLI can get in one configuration command only the platform base URL:

Interactive config:
jf c add [server-id]
jf c add <server-id>

Headless config in CI servers:

If the JFrog CLI runs in a CI server, you can provide the connection details by flags:
jf c add —-url=https://acme.jfrog.io —-user=froggy —-password=super-secret

Read more about it here: https://www.jfrog.com/confluence/display/CLI/JFrog+CLI#JFrogCLI-AddingandEditingConfiguredServers

Easy installation
Instead of downloading the CLI to the current working directory, you can download and install the CLI in one command.

See all available installations options here: https://jfrog.com/getcli

Shell completion
The JFrog CLI supports shell completion in Bash, Zsh, and Fish.
Learn more about it here: https://www.jfrog.com/confluence/display/CLI/JFrog+CLI#JFrogCLI-ShellAuto-Completionhttps://jfrog.com/blog/jfrog-cli-completes-you

Autocorrection
In case of a typo mistake, the CLI uses the Levenshtein distance algorithm to help you to fix the typo:
~ jf rt dwnload
'jf rt dwnload' is not a jf command. See --help
The most similar command is:
jf rt download

Read more about this feature in this pull request: https://github.com/jfrog/jfrog-cli/pull/1367

High Performance and Stability

The JFrog CLI is highly optimized to talk with Artifactory, not only on the client-side but also on the server-side – it knows how to build the AQL search queries in order to get the results in a minimum amount of time and with a minimal server load.

Checksum upload/download
Before downloading a file, the CLI check whether it is existing or not in the download path. If it does, it skips the download. Same for upload.

Chunked and parallel downloads
Downloading big files may be a big problem in some scenarios. The CLI helps to mitigate this issue by providing chunked and parallel downloads. During a download of a big file, the download process splits the download into 3 chunks. Each one of the chunks is downloaded concurrently. In case of a failure in one of the chunks, it performs a retry only in the failed chunk

Conclusion

The JFrog CLI is a smart and sophisticated tool. This article mentioned some of its “hidden” features. All of the code is available at https://github.com/jfrog/jfrog-cli. We encourage you to help us improve it by contributing code and sharing your feedback.

Speakers

Yahav Itzhak

Yahav Itzhak

Senior Software Engineer

Yahav Itzhak is a Senior Software Engineer at JFrog. As part of the Ecosystem team, he develops free open-source IDE and CI integrations. Yahav is also a proud open source contributor and a Linux enthusiast who strongly believe that open-source projects can bring value to everyone. His contributions can be found at https://github.com/yahavi