XRAY: Create a Nuget package from Visual Studio

Author: Swarnendu Kayal, Uma Chintala
Article number: 000005166
First published: 2021-11-17T14:09:29Z
Last modified: 2025-05-15
To run the build using the JFrog CLI, we first need a .NET project created in Visual Studio. Please follow the instructions below -

1. Create a .NET project using this link - https://docs.microsoft.com/en-us/visualstudio/ide/create-new-project?view=vs-2019

2. After creating the project you should see a similar folder structure in the Solution Explorer window of Visual Studio, where you can find a folder called “Dependencies” as shown below -

3. Right-click the “Dependencies” folder, click “Manage NuGet Packages” and install the required dependencies. You may also refer to this link - https://docs.microsoft.com/en-us/nuget/quickstart/install-and-use-a-package-in-visual-studio. I am currently installing the “log4net:2.0.8” package as it has vulnerabilities which will be scanned by JFrog Xray.

Build and Publish using the JFrog CLI:

1. Install the JFrog CLI using this link - https://jfrog.com/getcli-legacy/. I am using the JFrog CLI V1.

2. Configure the JFrog CLI with Artifactory as below -
$ ./jfrog rt config

[Warn] The "jfrog rt config" command is deprecated. Please use the "jfrog config" command instead. You can use it as follows:

The command includes the following sub-commands - "jfrog config add", "jfrog config edit", "jfrog config show", "jfrog config remove", "jfrog config import" and "jfrog config export".

Important: When switching to the new command, please replace "--url" with "--artifactory-url".

For example:

Old syntax: "jfrog rt config <server-id> --url=<artifactoryUrl>"

New syntax: "jfrog config add <server-id> --artifactory-url=<artifactory-url>"

Server ID [kayal-saas]: test-saas

JFrog platform URL [https://test.jfrog.io/]: https://test.jfrog.io

JFrog access token (Leave blank for username and password/API key): 

JFrog username [sandeep]: testuser

JFrog password or API key: 

Is the Artifactory reverse proxy configured to accept a client certificate? (y/n) [n]? 


$ ./jfrog -version

jfrog version 1.51.1
3. Use the newly created configuration with the below command - 
$ ./jfrog config use test-saas
[Info] Using server ID 'test-saas' (https://test.jfrog.io/).
4. Run the JFrog CLI "dotnetc" command to create the dotnet build configuration as below -
$ ~/Downloads/jfrogcli/jfrog rt dotnetc
Configuration file already exists at 
Resolve dependencies from Artifactory? (y/n) [y]? 
Set Artifactory server ID [test-saas]: 
Set repository for dependencies resolution (press Tab for options): k-nuget
Use NuGet V2 Protocol? (y/n) [n]? 
[Info] dotnet build config successfully created.
 
5. Then run the dotnet restore through the JFrog CLI as below -
$ ~/Downloads/jfrogcli/jfrog rt dotnet restore -s nuget.config --build-name="NugetTest" --build-number="1"
[Info] Running dotnet...
  Determining projects to restore...
  Restored /Users/testuser/Downloads/nugetTest/NugetTest/NugetTest.csproj (in 303 ms).
6. The “NugetTest.csproj” file would look like this - 
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
    <IsPackable>true</IsPackable>
  </PropertyGroup>

  <ItemGroup>
    <None Remove="log4net" />
  </ItemGroup>

  <ItemGroup>
    <PackageReference Include="log4net" Version="2.0.8" />
  </ItemGroup>

</Project>
7. Then pack the project as below -
$ ~/Downloads/jfrogcli/jfrog rt dotnet pack NugetTest/NugetTest.csproj --build-name="NugetTest" --build-number="1"

[Info] Running dotnet...
Microsoft (R) Build Engine version 16.11.0+0538acc04 for .NET
Copyright (C) Microsoft Corporation. All rights reserved.
Determining projects to restore…
Restored /Users/testuser/Downloads/nugetTest/NugetTest/NugetTest.csproj (in 318 ms).
  NugetTest -> /Users/testuser/Downloads/nugetTest/NugetTest/bin/Debug/netcoreapp3.1/NugetTest.dll
  NugetTest -> /Users/testuser/Downloads/nugetTest/NugetTest/bin/Debug/netcoreapp3.1/NugetTest.Views.dll
  Successfully created package '/Users/testuser/Downloads/nugetTest/NugetTest/bin/Debug/NugetTest.1.0.0.nupkg'.
8. Then upload the packed file “NugetTest.1.0.0.nupkg”, created under the “bin/Debug” directory, to Artifactory as below -
$ ~/Downloads/jfrogcli/jfrog rt u bin/Debug/NugetTest.1.0.0.nupkg k-nuget --build-name="NugetTest" --build-number="1"
Log path: /Users/testuser/.jfrog/logs/jfrog-cli.2021-10-07.23-09-49.21194.log
{
  "status": "success",
  "totals": {
    "success": 1,
    "failure": 0
  }
}
The file is deployed to Artifactory and looks like below -


Scan the build using the Xray:

1. Create the policy and the rules using this link - https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules 

2. Create the watch and add the repository, build, policies and rules using this link - https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches

3. Once the build is added, trigger the history scan as shown below -

4. The builds or the packages should automatically be scanned as soon as they are indexed. Please follow this KB - https://jfrog.com/knowledge-base/xray-how-to-index-and-scan-all-builds-in-xray-in-the-unified-platform/ in order to index and scan all builds in Xray.


Expectation from Xray scan:

1. After following the above steps, the build is scanned properly and the Xray status shows as "Critical" for this build, as shown below -


2. Xray will not report any violations for the package "NugetTest.1.0.0.nupkg". This is expected behavior, as the package "NugetTest.1.0.0.nupkg" only carries the metadata reference to the package "log4net.2.0.8.nupkg" and not the physical file, so there is no log4net binary inside the artifact for Xray to match.

3. The Xray data for the package shows no violations even though the repository “k-nuget-local” is part of the watch and the history scan has been triggered for the watch.

4. Xray scans any dependencies that are present in the "build-info.json" file. Since the build-info for this build lists the dependency "log4net:2.0.8", the build is scanned by Xray and the violation is reported there.

5. After the scan, the Xray Data tab for the build shows the violations as shown below -

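Points 2 and 4 above hinge on what each scan target actually contains: the .nupkg carries only a dependency declaration, while the build-info records the resolved dependency. The following Python script is an added example, not JFrog or Microsoft code, that makes this visible. It constructs a minimal NugetTest.1.0.0.nupkg in memory (a .nuspec declaring log4net 2.0.8 plus the project's own assembly, the normal shape of dotnet pack output), a constructed fragment shaped like the build-info the JFrog CLI collects, and then reports which declared dependencies have no binary inside the package and which dependencies the build-info records. The package layout, the placeholder assembly bytes and the build-info fragment are all assumptions made for the example; the script reads nothing from Artifactory.

```python
"""Why Xray flags the build but not the .nupkg: compare what each contains.

Added example for this KB article (not JFrog or Microsoft code).  The
package, its .nuspec and the build-info fragment are constructed inline so
the script runs offline; nothing is read from Artifactory.
"""
from __future__ import annotations

import io
import json
import zipfile
import xml.etree.ElementTree as ET

NUSPEC_NS = "http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"

# Constructed .nuspec: dotnet pack turns the csproj PackageReference into a
# <dependency> entry. That is a declaration only; no log4net bits travel with it.
NUSPEC = f"""<?xml version="1.0" encoding="utf-8"?>
<package xmlns="{NUSPEC_NS}">
  <metadata>
    <id>NugetTest</id>
    <version>1.0.0</version>
    <authors>testuser</authors>
    <description>Constructed sample package</description>
    <dependencies>
      <group targetFramework=".NETCoreApp3.1">
        <dependency id="log4net" version="2.0.8" />
      </group>
    </dependencies>
  </metadata>
</package>
"""

# Constructed fragment shaped like the build-info the JFrog CLI collects:
# the restore step records the resolved dependency as "<id>:<version>".
BUILD_INFO = json.loads("""{
  "name": "NugetTest",
  "number": "1",
  "modules": [{
    "id": "NugetTest",
    "dependencies": [{"id": "log4net:2.0.8", "type": "nupkg"}]
  }]
}""")


def build_sample_nupkg() -> bytes:
    """Build a minimal NugetTest.1.0.0.nupkg in memory (constructed).

    Only the project's own assembly is packed, as dotnet pack does; the
    assembly content is a placeholder, not a real PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("NugetTest.nuspec", NUSPEC)
        z.writestr("lib/netcoreapp3.1/NugetTest.dll", b"MZ placeholder")
    return buf.getvalue()


def declared_dependencies(nupkg: bytes) -> list[tuple[str, str]]:
    """(id, version) pairs declared in the package's .nuspec."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        nuspec_name = next(n for n in z.namelist() if n.endswith(".nuspec"))
        root = ET.fromstring(z.read(nuspec_name))
    deps = root.findall(".//n:dependency", {"n": NUSPEC_NS})
    return [(d.get("id"), d.get("version")) for d in deps]


def bundled_assemblies(nupkg: bytes) -> list[str]:
    """Paths of the .dll files physically inside the package."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        return [n for n in z.namelist() if n.lower().endswith(".dll")]


def dependencies_not_bundled(nupkg: bytes) -> list[tuple[str, str]]:
    """Declared dependencies whose assembly is not inside the package.

    A scan of the .nupkg alone cannot match these against the vulnerability
    database, because there is no binary in the artifact to identify."""
    dll_names = {p.rsplit("/", 1)[-1].lower() for p in bundled_assemblies(nupkg)}
    return [(pid, ver) for pid, ver in declared_dependencies(nupkg)
            if f"{pid.lower()}.dll" not in dll_names]


def build_info_dependencies(build_info: dict) -> list[tuple[str, str]]:
    """Dependencies recorded in build-info, as (id, version) pairs."""
    found = []
    for module in build_info.get("modules", []):
        for dep in module.get("dependencies", []):
            pid, _, ver = dep["id"].partition(":")
            found.append((pid, ver))
    return found


def scan_visibility(nupkg: bytes, build_info: dict) -> dict[str, list]:
    """Summarise what a package scan and a build scan can each see."""
    return {
        "declared_in_nuspec": declared_dependencies(nupkg),
        "bundled_in_nupkg": bundled_assemblies(nupkg),
        "missing_from_nupkg": dependencies_not_bundled(nupkg),
        "recorded_in_build_info": build_info_dependencies(build_info),
    }


if __name__ == "__main__":
    for key, value in scan_visibility(build_sample_nupkg(), BUILD_INFO).items():
        print(f"{key:24} {value}")
```

To run this against a real package, replace build_sample_nupkg() with the bytes of the .nupkg from bin/Debug. Any dependency listed under missing_from_nupkg is one that a scan of the package alone cannot flag, which is why the violation surfaces on the build-info scan instead; if you need the package artifact itself to be covered, the consumer's own restore and build should be published as a build so that the transitive dependency is recorded there too.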