Conan and C/C++ Support in Xray

JFrog Artifactory Documentation

Overview

Xray can scan Conan packages deployed to Artifactory. Xray can also scan C/C++ dependencies as part of a build.

Note

Requires Artifactory version 7.17.4 and above.

Conan
Packages

Xray scans Conan packages the same way it scans other package types. Xray data will only be displayed for the conanmanifest.txt file. An optional vendor field can be added in the Conan recipe file to prevent false positives.

Builds

Conan artifacts and dependencies can be provided as part of the BuildInfo using the conan_build_info command.

C/C++ Builds

Xray supports scanning C/C++ packages as build-dependencies only. The following steps are required:

  • Create a build-info listing all the C/C++ packages you want to scan. Refer to the Build-info Creation example.

  • Upload the build to Artifactory, and perform an Xray scan.

For more information, see the Build Upload REST API.

Note

This process requires creating and uploading C/C++ build-info manually in accordance with the build-info schema. It also requires the listing of all the C/C++ libraries to be scanned. For each component you need to provide name and version; vendor is optional.

In the BuildInfo, do the following:

  1. Specify a cpp module, and set cpp as the module's type.

  2. In the dependencies section, list all of the cpp components of your build. Each cpp component must contain:

    • Sha1

    • ID: Consists of the component's vendor, name and version, in the form: "[vendor]:name:version". Please note that the 'vendor' field is optional.

C/C++ Build-Info Example:

{
   "version": "1.0.1",
   "name": "MyBuildName",
   "number": "42",
   "type": "GENERIC",
   "started": "2021-01-19T15:47:52.000Z",
   "buildAgent": {
       "name": "Private builder",
       "version": "1.0"
   },
   "modules": [
       {
           "id": "<MODULE-ID>",
           "type": "cpp",
           "dependencies": [
               {
                   "sha1": "<SHA1>",
                   "md5": "<MD5>",
                   "id": "<vendor1>:<name1>:<version1>",
                   "type": "cpp"
               },
               {
                   "sha1": "<SHA1>",
                   "md5": "<MD5>",
                   "id": "<vendor2>:<name2>:<version2>",
                   "type": "cpp"
               }
           ]
       }
   ]
}

Build-info Creation Example:

# Choose between A, B or C, depending on where your dependencies are located:
# A. Add build-info dependencies located on the local disk
#    jfrog rt bad myLibs/ cpp_build 1
# B. Add build-info dependencies located in Artifactory
#    jfrog rt bad mcy-cpp-deps/ --from-rt=true cpp_build 1
# C. Add build-info dependencies by downloading them from Artifactory
#    jfrog rt dl mcy-cpp-deps/ cpp_build 1

# Generate the build-info and save it as a JSON file (dry run: nothing is published yet)
jfrog rt bp --dry-run=true cpp_build 1 > build_info.json

# The following pipeline will:
# 1. add type=cpp to the module
# 2. add type=cpp to each dependency
# 3. rewrite the component id of each dependency to the "[vendor]:name:version" form
jq '.modules[] += {"type":"cpp"}' build_info.json |\
jq '.modules[].dependencies[] += {"type":"cpp"}'  |\
jq '(.modules[].dependencies[] | select(.id == "Poco.dll" ) | .id)    |= "poco:1.8.0"' |\
jq '(.modules[].dependencies[] | select(.id == "libcurl.dll" ) | .id) |= "haxx:libcurl:7.70.0"' |\
jq '(.modules[].dependencies[] | select(.id == "sqlite.dll" ) | .id)  |= "sqlite:3.15.1"' |\
jq '(.modules[].dependencies[] | select(.id == "zlib.dll" ) | .id)    |= "zlib:1.2.0"' > build_info_xray.json

# Upload the build-info to Artifactory so Xray can scan it
jfrog rt curl -XPUT /api/build -H "Content-Type: application/json" -T build_info_xray.json
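As an added example (not part of the JFrog documentation or the JFrog CLI), the following Python performs the same rewrite as the jq pipeline above and adds the check a practitioner wants before uploading: every dependency must carry a sha1 and be mapped to an id of the form "[vendor]:name:version", otherwise Xray has no component to match. The sample build-info, filenames and digests are constructed for illustration.

```python
import json
import re

# Constructed sample of what `jfrog rt bp --dry-run=true` emits for a module whose
# dependencies were added from local files. Digests are made-up placeholders.
RAW_BUILD_INFO = {
    "version": "1.0.1", "name": "MyBuildName", "number": "42",
    "modules": [{
        "id": "cpp_build",
        "dependencies": [
            {"id": "Poco.dll", "sha1": "0" * 39 + "1", "md5": "0" * 31 + "1"},
            {"id": "libcurl.dll", "sha1": "0" * 39 + "2", "md5": "0" * 31 + "2"},
        ],
    }],
}

# Filename -> Xray component id in the "[vendor]:name:version" form; vendor is optional.
COMPONENT_IDS = {
    "Poco.dll": "poco:1.8.0",
    "libcurl.dll": "haxx:libcurl:7.70.0",
}

# name:version or vendor:name:version, every field non-empty and colon-free.
ID_PATTERN = re.compile(r"^(?:[^:\s]+:)?[^:\s]+:[^:\s]+$")


def to_cpp_build_info(build_info, component_ids):
    """Return a rewritten copy of build_info: module type cpp, dependency type cpp,
    dependency ids remapped from filenames to component ids.
    Raises ValueError when a dependency has no sha1 or no mapped id, since Xray
    would otherwise scan a component it cannot identify."""
    result = json.loads(json.dumps(build_info))  # deep copy, input left untouched
    for module in result["modules"]:
        module["type"] = "cpp"
        for dep in module["dependencies"]:
            if not dep.get("sha1"):
                raise ValueError(f"dependency {dep.get('id')!r} has no sha1")
            if dep["id"] not in component_ids:
                raise ValueError(f"no component id mapped for {dep['id']!r}")
            new_id = component_ids[dep["id"]]
            if not ID_PATTERN.match(new_id):
                raise ValueError(f"{new_id!r} is not of the form [vendor]:name:version")
            dep["id"] = new_id
            dep["type"] = "cpp"
    return result


if __name__ == "__main__":
    print(json.dumps(to_cpp_build_info(RAW_BUILD_INFO, COMPONENT_IDS), indent=2))
```

The resulting JSON can be written to a file and uploaded with the `jfrog rt curl -XPUT /api/build` call shown above.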