Tasty Organic NuGet DevOps – From Developer to Deployment
Webinar Description:
Unleash the power of the JFrog Platform to organically enhance your NuGet development. Taking your NuGet projects and giving them the full power of Liquid Software for a real-world boost. We will cover the full life-cycle management of NuGet projects utilizing the JFrog Platform with concepts like Repository Design, Metadata, and Build Promotion. We will even splash in some DevSecOps with JFrog Xray to look for any artificial flavors or additives.
Who should attend:
NuGet Developers who are new to Artifactory or are already using Artifactory but want to learn best practices DevOps and DevSecOps engineers who are looking to use Artifactory or want to use Artifactory for their SDLC
Pre-requisites :
Basic understanding of Artifactory / NuGet knowledge
The Agenda:
- Who is JFrog
- Intro to the JFrog Platform
- SDLC and Repository Design
- Nuget and the JFrog Platform
- Update your CI using Artifactory
- Metadata & the Promotion API
- DevSecOps with Xray
Give your DotNet ecosystem the full power of DevOps
Webinar Transcript
Well, good morning, good evening, wherever you are in the world. How you doing? Welcome to another JFrog webinar. This one’s called Tasty Organic NuGet DevOps. We’re going to cover a couple things today. We’re going to go through and we’re going to talk about an introduction to what we’re talking about, which includes me. I’m going to give you a little basis behind the JFrog platform. You guys are actually going to be privy today to actually one of the first webinars using our new version of the JFrog platform, and I’ll talk about that. We’ll talk about NuGet in general.
I’m also going to be discussing things like planning, how to plan utilizing Artifactory for various methods for you to implement everything from the initial idea of ingesting binaries and other third-party NuGet packages, to producing packages, better ways to actually produce builds and put them into Artifactory, and even how to use our promotion API to promote atomic units through your system. I think it’ll be a very informative webinar. We’re also going to talk a little bit at the end about security and how making sure that everything is safe and secure. In addition to that, we’ll also talk about the next steps.
I’m not going to worry about CI today, but we’ll have a follow-up webinar probably eventually on this anyway, on how to include this into things like Azure DevOps or Jenkins, in general. But today, I want to focus more on the binary management side of it, not only the binaries that are consumed, but the ones that are produced, also. So, as stated, my name is Bill, or William, depending on how you want to call. Please follow JFrog on Twitter and, if you want, you can follow me on Twitter also @williammanning.
So let’s continue. Let’s just jump right into it, and let’s talk about everything doing binaries. So let’s start off a little bit about the basic concepts of why JFrog is what it is. In today’s environment in the world, life runs on code. Code is the key to everything we do. We say that every company is a software company, and we believe that going through everything today, better software management includes things like binaries. That’s the reason why JFrog is the company it is. We have all the various aspects of these resources out in the world that people utilize, everything from your digital lifestyle all the way down to the factories, down to smart cities. Everything runs on software, and JFrog is the platform that you can utilize for this.
One of the things that we talk about at JFrog with the platform is the idea of being able to have a consistency engine. Really, what the platform does is, in terms of DevOps or DevSecOps or just standard SDLC software development life cycle … My mouth’s a little off today. We have a solution at JFrog for basically every component behind this. The platform itself really encapsulates everything that we talk about. You have Artifactory for all your binary management, for things like the third-party transit dependencies you use. We have 27 package types that we support right out of the box, NuGet being one of them.
When we take out the package type to support it in the JFrog platform, we take it. We dissect it. We tear it apart. We look how it operationally runs. We look at its deficiencies. We look at all its cells. And then we actually match that to its repository in Artifactory. As you can see today, I’ll show you with NuGet. It’s so that those third-party tools that you’re utilizing, to it, it looks native. It looks like you’re going to NuGet Gallery, but you’re actually going to Artifactory, and we’ll talk about that.
We’ll also discuss Xray, which is in the middle here. Xray is our security, compliance, and governance tool. This allows you to go in and see if any of those third-party binaries you’re utilizing, and I’ll show you an example of this today, have anything nefarious inside. It could also be used for things like license governance, where maybe you have a certain set of criteria internally for liability where you’re only allowed to have certain licenses available for these third-party libraries that you’re doing.
Then we have Mission Control & Insight. That’s a way, if you’re a global organization, it’s a central pane of glass that you can go through and maintain and monitor all the things within the ecosystem of the JFrog platform and then also including things like CI servers, like Jenkins. At the bottom, we have Pipelines. Pipelines is our latest tool. It’s actually a CI/CD tool. Well, it’s YAML-based and container-based. It’s basically like a cloud native-style CI engine. It could also be used as a CI orchestration tool, but I’m not going to go into that too heavily.
And then, to the right hand side, we actually have Distribution and Edge. This is basically a roll-your-own CDN. This is the way for you, if you want to distribute your software out, whether it’s web services or end user components or software updates, firmware updates or whatnot. In IOT land, it gives you the ability to move that information close to the Edge and have Edge-level cache or what we would call immutable release bundles, which are combined types. So if you’re deploying a web service, you could do things like Helm charts and Docker containers as a release, digitally sign them, and make sure that they’re available where you need them the most.
Let’s go kick in to what we’re here to talk about today. We’re here to talk about NuGet development. I’m going to give a demonstration today of some things but, before I do that, I want to walk through and talk to you about what kind of support and what NuGet really means in terms of the Artifactory or, in this case, JFrog ecosystem. As I stated, the examples I give today will be available when we release this webcast as a download. But I’m using a very simple project today, nothing too complicated because I want to spend a majority of the time talking about things like best practices, implementation, also to better binary management.
So, first of all, if you’ve been working with any sort of NuGet stuff, you know that it came around in 2011. It’s public available resource is nuget.org. One of the things we’ll show today is that you can proxy those requests to nuget.org through Artifactory and that will allow you to go through and, say you have 1000 developers all using the same library pulled from NuGet Gallery, it’ll be stored once by the first time the first developer grabs it. It’ll be cached in Artifactory, and all subsequent developers will pull from that.
Just like we treat it like every other package tech that’s out there, in addition to all the standard practices you get with NuGet, you also get the ability to go in and add additional metadata, so thus making all those NuGet packages basically better for you and more applicable to your organization. We also support Version 3 now out of the box, so all the Version 3 components. It’s been out for a couple years, but we support Version 3 of NuGet. We also support Chocolatey, and we also have Symbol support.
Artifactory itself also, like I said, it allows you to go in and use any various of the NuGet clients, whether you’re using Visual Studio, whether you’re using the NuGet CLI. And then even JFrog CLI, which I’ll show you today, even has NuGet components built into it. So you can do it more natively in terms of working with Artifactory. It gives you a way to do a safe, secure method to do things like NuGet Install and all those various aspects. But I’m also going to show you how you can use the CLI tool to capture more information about the build metadata around all your NuGet packages than you’ve ever thought possible.
One of the other things you can also do is we’re going to talk about repository design today. The reason why I’m bringing that up is one of the aspects behind it is that I’m going to show you better ways to design your repository so they match your SDLC, number one. Number two, how you can proxy those third-party NuGet Gallery packages. In addition to that, I’m also going to show you how you can do cross-team dependencies inside of the NuGet projects. Now we have a ton of information available on our Wiki site, and we’ll have that all available to you. We’ll also show you how you can actually go in and hook up things, like the Symbol Server and things like that. And then, on top of that, we also have the SemVer versions support also built in.
Why would you want to use us as your NuGet Gallery? What it comes down to is we have 10 simple reasons. So, first of all, it reduces network traffic. As I stated, you can proxy your NuGet Gallery request through Artifactory, and then we store those in Artifactory itself. And then, like I said, all subsequent developers pull from Artifactory, as opposed to going externalized. This also allows you to put in things like access control and security. So I’ll show a little bit inside of Xray, our security product, where you can pre-vet out binaries before the developers actually use them.
If you’re looking at terms in terms of DevSecOps, the term is called shift left. It’s the cheapest place for ROI for evaluation of binaries before usage so that they don’t go through your entire SDLC and then find that towards the end that you have something horrible inside. We also have full Docker support. So if you wanted to deploy these things and host them inside of Docker containers, you could actually use the full Docker registry support we have in conjunction with things like the NuGet packages and builds that you produced. Also, too, because everything is stored inside of Artifactory, you can also store your proprietary packages and use things like tagging and properties to make them more relevant.
You can also use it for things like full reproducible builds. On top of that, you get the stability that you have behind Artifactory itself, and there’s end-to-end support for all major binary and package types. If you’re doing things before, and I just want to give a little quick view here that we have, your typical NuGet clients are going out to the world. They’re going out and they’re pulling from NuGet Gallery constantly. Where if you have Artifactory next to it, all requests go into Artifactory or you can apply things, like I said, metadata values and also security around it to make sure that there’s nothing nefarious being pulled into your system.
In a typical process, if you were working with Artifactory, you would have your standard version control where you check in by using GitHub or using Bitbucket or one of those. You have your tools that you utilize for those build processes. There’s many out there. CI tools are many. This allows you though to have a centralized point where not only can you pull all those dependencies that you have when you’re working with NuGet, but also all the packages that you produced. I’m going to show you the various methods today in which you can do it from a standard NuGet push to actually making it into a build and, from that build, collecting all the information around it.
And then I’m going to show you how you can promote that into something like a production repository so that other people can access this and utilize this the best they can. But before we kick off, I want to talk about some various aspects behind this, and one of the first things I want to talk about is planning. The reason why I think this is essential is that you got to look at Artifactory, actually the JFrog platform in its totality, as being something that’s more than just a place to store stuff. It’s actually a place that you can use to manage your SDLC. I always look at it as a conveyor belt for people who are producing software, so everywhere from the developer all the way down to your deployment.
As we say here, developer to deployment, code to cloud, developer to device, whatever your industry is, you have your nomenclature and technologies and stacks that you use. You have your own wording. But when it comes down to the end of the day, it’s your SDLC. You have steps in your SDLC and, during those steps, you have various aspects in which you do this. You can use Artifactory to logically organize your binaries during this process and supply metadata behind it that makes every step of that process more relevant.
It lets people, like release managers, be able to go in and query objects to release. And when they query them, they can pull back all the information about everything that’s been through the process, including things like unit testing or QA testing or security evaluations. In a typical software development life cycle, you have either the infinite loop or, in my case, I’m just showing you the vicious circle, as they call it, of software development. You have your planning. You have your analysts. You go through and do your design, your implementation, your testing, your maintenance. But the whole time you’re doing this, you have various stages.
You might call these stages something different in every company, but they’re all logically around the same idea. But one of the things that’s around this is that when, in terms of binary management, one of the things that we talk about here is the amount of binaries that you produce and by logically separating out the various stages into repository types, which I’ll get into in a few minutes, the thing is is the number of binaries decreases where you might have thousands of development builds a day, and you might only have one production release.
The number of binaries decreases over time as you go through SDLC but, at the same time, the amount of information of metadata increases. One of the pure things about Artifactory and actually the JFrog platform is the fact that we use a checksum-based storage and, because we do that, storage is cheaper. We have this metadata layer on top. As I stated and you’ll hear me say this a lot, I’m a metadata fanatic, is the fact that metadata is king. Metadata allows you to have the most relevant information to make the best decisions you can do and, to have it all sorted in a centralized location, including things like the various steps of your SDLC, really helps push that idea and those concepts. So this way you can actually become a lean, mean development machine.
So let’s talk about some best practices first. I always try to bring this up as topics because I like to reiterate to our customers, we have over 6,000 customers as a company now. We have, I think, about 75% of the Fortune 100 top 10 banks in the world, everything from food technologies down to space. We have our customers out there that utilize us for all various aspects and means, including things like IOT, web services, and whatnot. When I’m as a developer, I’ve been developing obviously from my gray hair and my white beard, I’ve been doing this for a long time. One of the aspects behind it is that I’ve really come to latch onto is things like three-tier development methods or, in my case, I love 12-factor application method.
Part of this is is that one of the key factors or things that you utilize things like Artifactory for, besides all the things like automation, being able to do clean operations, and things like that, is the fact that limiting the parity between development and production. So I’m a big believer in developing in Docker containers. I love the ability of using our promotion API to promote those builds and those containers through the various release steps so that you remove the abilities to have disparity builds between developer and production, the whole it works on my machine, it removes it, and the idea of being able to actually operate and build faster.
So the whole idea of build, release, run, release is really a key factor on where Artifactory can really help expedite that. The way you would actually have to think about this is that we’ll start off with a mentality change in this case, which is repositories. A lot of the customers I deal with, and I try to educate them the most I can, is the fact that repositories are the key to this. A lot of customers that I come into say, “We have one repository for local to store,” and I’ll talk about the repository types. “And then I have remote repositories to proxy, and that’s what I do.”
Well, the thing is is that repositories can be much more than that. Part of my job is I have another talk that you can go look at our YouTube page. It’s actually called The Five P’s, and I go into greater aspects of this. But I want to make sure that you understand what the repositories mean and how you can utilize those for your SDLC. I’m going to show you an example, actually, when I produce a very simple NuGet package that I build today to show you how I utilize that to give a full system of record of everything that I produce.
So, in Artifactory, we have repository types. Like I said, we have 27 package types that we support natively, but they’re logically separated into things. So we have local repositories. These are where you store your binaries, your builds, the files that matter to you. These are the things that you own. This is the localized repositories, and this is where I’m going to show you how you can use these local repositories to emulate your SDLC. Then you have remote repositories. Remote repositories are lazy proxies. They’re basically lazy cache of third-party repositories.
In this case, I’m going to be proxying the NuGet Gallery through Artifactory, and I’m going to show you why you’d want to do that, number one. Number two, I’ll show you all the information behind it, and I’m also going to show you other aspects in which you can actually utilize that information for better management. And then we have virtual repositories. Virtual repositories are a combination of local and remote. I’m going to show you an example of the one I’m utilizing today. That gives you the ability to do things where you can have your SDLC encapsulated into a virtual repository, but also allow things like cross-team dependencies.
I’m going to show you how you can actually add in, say, another team’s production repository as a repository in, say, your project repo so that you’re always using the latest version maybe produced for another team. An example of this, you could be creating a web application, and there’s a team that produces authentication modules for your web application. In the past, you would have to go through and to figure out a way to make sure you’re always using the latest and greatest version of that library so that your application is in adherence to the standard that you’re doing for your externalized release.
Well, in this case, I can include another team’s production repository into my build and, based on resolution order, I can always ensure that I have the latest production version of the version that that team produced. So this way I can have actually more simplistic ways to do cross-team dependencies in terms of my own product lines. So if you look here, I might have dev, QA, testing, staging, release, and I can design my repositories to emulate that actual SDLC. And because everything’s linked to metadata, you can actually go through. I’m going to show you an example of the promotion API in a second if you were to do it in terms of, say, a build step of a CI.
But also, too, I’m going to show you how you can use the JFrog CLI tool today to actually promote a binary from, say, one repo to another, and what benefits you get with that, also. So if I were to show you what a promotion API looks like if you were doing it, say, a Jenkins build example, you can see where I actually have some metadata here where I’m going through and I’m going to perform a step that says artifactory.promote. That allows me to move this binary. Either I can either copy it or I can move it into another repository and all subsequent metadata around this process and up around this build actually follows me during that process. So I have an entire evaluation stage behind that.
So let’s get started. I’m going to go build something, and I’m going to show you how that operates and how it works. Let’s continue into the next phase. So, first of all, let me show you before I even go into Artifactory. Let me show you the actual project that I’m building. So the project that I’m building today is this very simple, very easy, nothing exciting, just command line that says HelloWorld, just a HelloWorld app that can say HelloFrog,” nothing exciting about it. It’s got a couple of dependencies that I have. I’ll show you some of the dependencies that I pulled in.
If you were to look at my NuGet config, you can see where I have no resolution maybe for third-party sources that I want to utilize. So before I go into that, I want to show you just the project that I have here. I’m going to go back in. Let’s talk a little bit about the JFrog platform, the latest version. I’m going to show you one of my basic components I have around this. I’m going to show you the repositories I’ve created. Then I’m going to show you how to use our set-me-up instructions to use this. I’m going to go through. I’m going to create the package. I’m going to deploy that into Artifactory. Then I’m going to show you a better method on how you can use the CLI tool to turn that into a build that you can maintain. And then I’m going to show you the promotion API.
So let’s first jump into, here it is without further ado. This is the new version of the JFrog platform. This will be out in a couple of weeks, so it’s pretty much fresh off the press. I’m going to log into my instance. You’ll notice immediately that there’s some big changes that come about with the new version of our platform. First of all, visually from a user interface, it is a very, very different approach. We’ve actually spent a big chunk of time over the last year going through and re-architecting our product to go in. When I go in and re-architect the product, we went in .. Oh, wait. Oh my God. Hold on a sec. I’m not sharing my screen. So let’s do that.
Let’s start off with the screen-sharing thing because I thought I’d hit the button, but I guess I didn’t. So let’s see here. There we go. So let’s take a look. So let me go back and show you my project. Here’s my project, simple Visual Studio. I’ve got it open. My NuGet project is very simple. It’s a very simple command line option that I put together, nothing exciting. I wanted to keep it less complicated. This is now anti-climatic, now the way I did it. Let me log out. Here’s the new UI. Here’s the new login for the platform.
So now let me log in and let me show you what we have there. So now we have a unified approach behind all our products. In the past, we used to have all those series of products I showed you earlier, in this demonstration I talked about was that every interface was its own. We now have a unified approach to our platform itself. So now Artifactory, our Xray product, distribution pipelines are all now in the same interface. I’m going to show you some benefits behind this in a few minutes, but I’m not here to talk about an introduction to the new platform. I’m here to talk to you about how you use NuGet.
So, first of all, I said I was going to talk about repositories. So let’s talk about repositories. We have local. We have remote, and we have virtual. The one we’re going to concentrate on today, I’m going to show you I’m going to filter out is all my NuGet repos. So if you look here, I’ve got a NuGet local repo that I produced. This is where I’m actually going to be publishing my builds. This is the area where I’m going to put my NuGet packages, the proprietary ones that I have. I have a production repository in this case where I’m going to show you the promotion API where I’m actually going to promote my actual NuGet package from my local repo to my production repository so another team could use it. Then I have my remote repositories.
If you look here, I’ve got my NuGet remote repository set up here where I’m connected to nuget.org, and I’m pulling them in. But also, I’m going to show you, I’m actually going to go through and process all those NuGet packages I have through Xray through a series of rules that I have. Now I have a remote repository, and I have a local repository. The one I’m going to be utilizing today is my virtual repository. If I click in here, you can see where I’ve set up a NuGet repository. If you look, I’ve got NuGet local. I’ve got NuGet production, and I also have a NuGet remote. So I have all three encapsulated under one standard NuGet repository where I’m going to be doing all my work today.
If you look at the bottom here, I’m also going to show you that I’m actually deploying by default to my new local repository. Now I can go in here and do a series of actions, like I can go in and do include patterns, exclude patterns. I can also do things like force authentication if it’s a third-party resource that needs an authentication or whatever. But for right now, I’m just going to keep things very normalized, and this is the actual one that I’m utilizing. Well, let’s go take a look at that repository inside of Artifactory. So let’s go to the Artifact browser. If you guys have worked with Artifactory long enough, we’ve kept the browser the same way, but we’ve enhanced it.
Now let’s take a look for my NuGet local. I have it right here. But here’s my NuGet virtual repository that I have. if you look here, if you ever want to see how to implement this, it’s very straightforward. Artifactory has this little button that says set me up. When you say set me up, we actually go through and give you all the instructions on how to actually set this up to be utilized in various methods. The method we’re going to utilize today is to actually set up the NuGet CLI configuration, but you can also do it for the Version 3 for the API NuGet CLI. You can even go in and set up for Visual Studio.
Once you’ve done this and you set this up, all the standard things like NuGet Push and NuGet Install all operate normally, and you can define Artifactory as your standard source. Now, for my instance, if you look here, you can make it very normalized by saying username password. But in my case, I’m actually going to log in, and it’s going to allow me to go in and actually fill in the values that I have for my username and obfuscated password. In this case, this is my encrypted password. So let’s copy that, and let’s go over to my sources.
So here’s that project in my command line. Before, when I showed you, if you look, there’s no reference here to Artifactory. There’s no information in here that says I’m going to use Artifactory to proxy my binaries to make sure that any of those third-party sources I have are in here. So if I go back, I can paste in that NuGet command that I have that was supplied by Artifactory. If I click that, it’ll go in and successfully add it. Now if we go into here, you’ll be able to see that we actually have that information stored as part of this project.
Now let’s go back in, and let’s copy in my set API key. When I set my API key, I can go in and place it in this way, too. Now it’s been saved as part of my image source here. So now I have my project all set up. Now that I have it set up to start using Artifactory, I can even go in and let’s go take a look at NuGet Gallery if I wanted to. I can go find, say, something like Dapper. So I’ve got maybe a NuGet source I have here. Let’s go in and let’s do NuGet install. I’m going to say Dapper, and I’m going to say, source Artifactory. I do this. It’s going to go out, get that package. It’s going to proxy it through Artifactory. It’s going to come.
Now it’s going to put it into Artifactory itself. If I do an LS here, you could see that actually Dapper is now installed into my project if I want it to. If we go back into Artifactory itself and I were to do a refresh to show you inside of here, I can expand it out. There’s Dapper right here. Here’s that package that I went through, and I installed it. Now it’s actually being referenced inside. So now I’ve actually proxied this NuGet package through Artifactory, and I have a copy. This includes all the information that I have here around everything, like its dependencies. So if you look here, this actually has two solid dependencies.
Here’s all the package information. I can go in and change the ACLs if I wanted to, to say who has access to this. I can also add additional metadata properties, but I’ve collected a ton of information from the NuGet Gallery so I have a system of record that is available for everything that I’m doing around here. So this is great. Now I actually have a way for me to go in. Now say I wanted to go in and see what this also has. Well, one of the things that we’ve done is is that with the new version of our platform, we have our package viewer. Our package viewer is a way for you to go see what packages are done, so it’s like a catalog. So if I say Dapper, I can go in here. Did I spell it right? Or maybe it’s not available in here just yet. It’s not available in here just yet.
So it takes a minute sometimes for it to do it. But let’s go in and, without further ado, since we are pressed for time, I’m going to show you now. I’m going to go produce a NuGet build itself. I’m going to go in and I’m going to go grab some … I have a little helpful thing that I’ve done here. So if you take a look here, I’m going to go in and I’m actually going to build my package right here. So this is my NuGet pack. So I’m going to pack up this. By the way, you’re going to see a bunch of little errors that come here. Give it a minute.
Once this is done building, this is the exciting part. Yes, I have errors. I get it. But now I’m actually going to take this package and I’m actually going to publish this into Artifactory. So let’s go in. Let’s go push it up into Artifactory. Now I have own private build that I’m utilizing. So I’m going to take this, and I’ve uploaded it into Artifactory itself. If I do a refresh on this, you should see there’s my HelloFrog. So here’s my own NuGet package, my own proprietary NuGet package that I have, and here’s my information about it. I can do all the same things that can handle a normal package type. That’s my NuGet Virtual.
Now let’s take a look here though. So if I go in and I look at my NuGet local, you can see my NuGet local. Here’s that package itself. Now I can go through and Xray scan it, but there shouldn’t be any … There’s a violation actually I have here because I have a license value set up that says I don’t accept the Apache license, in this case. So this is just letting me know that there’s a violation. So I’ve actually scanned my own package and found a fault of my own. But this is all great. But this is all standard NuGet package that I want to save and I want to utilize. But what if I wanted more information around it? What if I wanted to do something different?
So let’s take a look. Let’s clear the view here so you can get a better perspective. Here’s that HelloWorld package I created. So say I wanted to do something different. Now I want to know everything about how this package is actually constructed. I want to store a system of records so that I know how things are being utilized. Let me go back here for a minute, and let’s do this. I’m actually going to take and I’m going to upload this package into Artifactory slightly different. In this case, I’m actually going to go through and I’m going to sign.
I’m going to upload this package, so here’s that NuGet package, up to my NuGet local, which I already have it there. It’ll allow me to overwrite because I control it. I’m going to give it a build name. I’m going to say NuGetHelloFrog, and I’m going to call it build number one. So I’m going to turn this into a build now. Now I can do this inside a visual studio, but I can also do it from the command line. So let’s do this. I’m going to use the JFrog CLI tool in this case. I’ve already configured it to talk to my instance. If I hit enter, it’s going to go through and it just uploaded it back into Artifactory. So I can manually upload this.
Well, let’s do one more thing. Let’s go collect all the information around it. So let me explain to you what this does. So the JFrog CLI has a lot of power behind it. There’s a lot of commands that you can run. You can do things, and I’m going to show you. We’re going to go through, and we’re going to collect all the GitHub information about this project because I have it checked in the GitHub. Then I’m going to collect all the build information, so all the environmental variables around it. Then I’m also going to go through and I’m going to pull in any of its dependency information. I can go through, and I’m going to publish it. And then after I publish it, I’m going to promote it.
So let me show you what that looks like. So I just upload it into Artifactory. If you look here, it says artifactory.bag HelloFrog. NuGetHelloFrog, that’s my build that I did, and build number one. Let’s hit that. Okay. I’ve now collected all the information that’s around that. Now I’m going to do BCE. Now BCE is build collect environmental information. So what I’m doing is I’m creating a build object around this build, and now let’s do that. I’ve now collected all the build information. Now we can also go in, and I’m going to say let’s go add another step in here. I’m going to say BAD. I want to collect all the information around all its dependencies.
So let’s do BAD. I don’t think I have any dependencies. Oh, BAG. Oops, I mistyped there. Let’s go back, BAD. Okay. Now last but not least, I want to publish this build into Artifactory. So I’m going to do BP. So let’s do that. I’ve now gone in, and I successfully took all that information that I collected and say I wanted to, even if I wanted to go in here and take a look and see what sort of dependencies I have. We also have built-in NuGet commands. So if you look here, I have one that says NDT that says, “Show solution dependency tree.” So maybe I go in and say Jfrog, and I say RT. I say NDT. There we go. I can actually see from this command line, the dependencies I have.
Now let’s go into Artifactory though. Here’s my build browser. Well, look it, here’s that actual build I produced. I did this from the command line. I have one version that I put in, and if I click in this version, you could see where I actually have my HelloFrog build. If I click in here, you can see here’s the NuGet. I’ll go show you in a minute. I can go click on this, and I could go bring this over and find it in the repository tree. But I also have all the environmental data around it. Here’s all the environmental information about how it was actually constructed. With Xray, I’m not scanning it currently right now. I don’t have this as a resource. But I could also do things like hook it up to JIRA and have all the JIRA ticket information here.
If I had more than one build, I can actually do a comparative analysis between the build. When I start using the promotion API, I can go in and actually have a system of record here on each day that it’s been in. Well, now I’ve taken that basic package that I have here if I click in, and now I’ve turned it from just a standard package that I have stored here. I actually now have a system of build record for each one of these. So I can go in now and I could say, “Oh look. You know what? I have all this information now, how it’s constructed, what its contents is. I’m happy with this actual build itself. Let’s go and promote it, and let’s see what information we can find out about it.”
So let’s go back to our tree for a minute. I’m going to show you that we have NuGet local and I have NuGet prod. If you look under NuGet prod, there’s nothing there right now. So let’s go in. Let’s go take this. I’m going to take this command I have right here. I’m going to copy this and bring it over to my shell. Now let me clear this again for you. Let’s paste it in and let’s go through the parameters. If you look here it says, JFrog RT BPR. Actually, in this case it’s build promotion. I set the status of a release. This could be any stage that I want. There’s a whole series of metadata that you can have around it. I’ll show you the parameters behind that in a minute.
But you could also see where I can add comments. Here’s my build. Here’s the build number, and here’s its destination. Now, if I hit that, that’s going to go through. Now it’s actually promoted that build from my local to my production. If we go back in here and I hit refresh on this local instance, you’ll notice that HelloFrog is gone. Let’s go to production for a second, and here it is in my production repository. So I can also have a copy of it. But in this case, I’m actually moving this build. If I go back to my build browser, I can show you that this build in here now actually has a release history to say that this product was actually released.
So now I actually have another effort that I can do in here. I can even go in if I wanted to. I can say, “You know what? I want to change the status of this to say instead of maybe release, maybe I want to do, say, hold.” If we do that, I can go in. If I go out and back in again, just because there’s no real refresh in this case, I can go in and this should be … Actually, I have another one done. I can go into my release, and you can see each stage that I’ve been in through this entire example. So this way I can have that system of record for everything that I’m doing. I can have the multiple versions if I wanted to, to go in and do this again.
One of the nice things is I can actually, if I wanted, I can create another build. So let’s do that actually. Let’s go back and I’m going to create a new build around this. So I have my new package. I’m going to change this to number two. All right. So I created build number two. In my case, I’m going to go collect all that information. I’m going to get the GitHub information. I just want to show you what it’s like to do a diff. So let’s go collect all the environmental and system information or two. Let’s get its dependencies.
I did the wrong button. That’s okay. Now let’s publish it, build two. If we go back in and I go to look at my build browser, let’s go back in and let’s go back to NuGetHelloFrog. You can see I have now build number two. It has no release history around this, but I can also go in if I wanted to and actually see what the current status of release is if I click in it. There shouldn’t be any changes. But if you look here, I can show you that I can do a diff between two NuGet packages, say, if something went wrong.
So if you go in and you take a look, like I said, you can also do this in terms of doing code content. I can also show you that I went in and I can also have policies that I built to actually evaluate all the binaries that I have. If I did this, one of the things that I’m doing too is I’m actually publishing all that information about any info that has a problem into my Slack. So I’m actually using Artifactory to promote information in there so I can see if there’s anything nefarious.
In addition to that, by the way, I want to show you is that under Artifactory one of the nice things we have in here, too, is that we were talking about the NuGet Gallery before. If I wanted to show my proprietary package, I could say hello, and there’s my HelloFrog NuGet package. You can see it was scanned by Xray. If I click in here, you can see I actually have, in this case, I have one version available because I haven’t promoted it into the actual usage yet. I can click in here, show you all the information on here’s the other individual builds I had before, so that’s actually part of. You can see all the Xray data behind this itself. So you can see all the information I have around that.
You can see if it’s been distributed out. So if I use this somewhere, I can do that. And then, of course, I have the repositories in which this is being referenced right now. So here’s my local repo, and here’s my production repo. I know this has been a high-level view of everything, but I just wanted to show that you can go and have a standard NuGet package you publish into Artifactory. You can convert that into a build, so you actually have more information about it. You can also go through and publish that and have it as a series of steps. So if you look here, you can see I have various statuses, and the status actually reflects where it is in the SDLC.
Now I’m going to go back to my presentation to show you some information around security and why that’s important. And then we’re going to wrap up our little talk here. So you can use us for everything from those third-party transitives. You can create your own packages. You can actually set up using repositories and share them in various methods. You can collect more information about every build that you have. You can emulate your SDLC and have that as part of your process and have a system of record and have as much metadata as is relevant to you. And then the last thing I want to talk about, of course, is I’m going to stop sharing for right now. I’m going to go back, and I’m going to show my presentation.
Am I presenting right now? I can’t tell. There we go. I should be presenting, I believe. All right. I’m going to start talking about security. I want to bring this up. I’m not sure you guys can see my … Yeah, I don’t know. Okay, so maybe I need to go … There we go. All right. I just wanted to make sure you guys could see what I’m showing. So one of the things I want to talk about is that with Artifactory and Xray, being able to make sure that your third-party binaries that you’re utilizing are safe and secure is pretty much an essential feature. What Artifactory does with Xray is it goes through it, tears apart tar gz, NuGet packages, Docker containers, and whatnot, and shows you the contents of those. So you can find out if you have anything nefarious inside of the things that you’re utilizing.
Also, too, you can do things like Docker containers. So you can actually go as full in-depth as possible, even down to dependency resolution, and show you the information embedded inside of those things that you’re utilizing to make sure that everything is safe and secure and there’s nothing nefarious internal. With Xray, we use this data to actually figure out so that you provide protection for your company and make sure that you actually have that information available to not only your developers, but your end users also to make sure that everything complies to your organization’s standard.
Lastly, one of the things I want to show is that by making it part of your security offering and the way that you actually construct and build your code really allows you to have insight into it from developer. You can make it part of your build evaluation process and also part of your release process. If you utilize one of our ID plugins, what’s nice about the ID plugin is that your developers can actually get the security data directly inside of the IDE so that they can enact on anything potentially wrong with the product or the libraries that you’re using before it even gets into your CI process, thus saving you actually a ton of money and looking like a rockstar.
This is basically the end of my talk. I just wanted to kind of bring it up. But one of the things I wanted to talk about also, too, is we have a big thing coming up in San Jose, coming up in the near future. We have our swampUP, our annual user conference. This year it’s June 22nd till the 24th. Lots of great people are attending. We have a lot of good hands-on classes. And then we also have a lot of good sponsors that show off their wares, also. You just go to swampup.jfrog.com and sign up. That’s my talk today. I hope this has been informative on why you’d want to do this, but why you’d also want to use Artifactory to store your package you produce and the builds you produce to make sure that you have everything internally and ready to go.
I hope everybody has a wonderful day. I’ll see if there’s any questions that people might have and I’ll try to answer them. If not, I see a little message here, I think. I can’t tell. You’re good. Thank you. I hope you guys enjoyed this. If there’s no other questions, there’s tons of information on our JIRA page. Please go check it out. Also too, like I said, some nice things around here, let me share my screen for a second. Please, when you get an opportunity you can go to our … Also, if you want to learn all other information, we also have our JFrog Academy, which is available publicly. JFrog Academy is a great way to learn more. You can get into greater detail on some of the topics that we had today, so everything from what Artifactory is down to administrators, DevOps, engineers, and developers, even down to security.
Also, I have a talk on devops.com if you’re in a highly-regulated environment on how to implement security around that, and also to go check out some of the other amazing videos that we have on our YouTube page for lots of information and content. Also, keep an eye out. We’re out there a lot on the road. So please go and check us out at some of the conferences that we have coming up, such as Devnexus that we have coming up in Atlanta, Georgia. And then also, too, we have some other ones coming up, and they’re on our page. I can’t remember off the top of my head because I’m awful.
That’s my talk today. Thank you, people, for attending. I hope everybody enjoyed, and that’s me. Cheers, everybody. Keep software liquid.
