Package Management

JFrog Artifactory Documentation

Overview

The JFrog Platform brings the universal nature of Artifactory to full force with advanced package management for all major packaging formats in use today. As the only repository with a unique architecture that includes a filestore layer and a separate database layer, Artifactory is the only repository manager that can natively support current package formats as well as any new format that may arise from time to time.

Under the single-type repository paradigm, every repository is assigned a type when it is created. This allows efficient indexing, so that any client or dependency manager can work directly with Artifactory transparently, as its natural repository.

The Packages view in the Application module provides easy access to information about all the packages in your repositories and supports:

Supported Package Types

The JFrog Platform supports the following package formats with new formats added regularly as the need arises.

| Package Type | Description |
|---|---|
| Alpine Linux | Use Artifactory to gain full control of your deployment and resolution process of Alpine Linux (*.apk) packages. |
| Bower | Boost your front-end development by hosting your own Bower components and proxying the Bower registry in Artifactory. |
| Cargo | Enhance your capabilities for configuration management with Cargo using all the benefits of a repository manager. |
| Chef | Enhance your capabilities for configuration management with Chef using all the benefits of a repository manager. |
| CocoaPods | Speed up development with Xcode and CocoaPods with fully-fledged CocoaPods repositories. |
| Conan | Artifactory is the only secure, private repository for C/C++ packages with fine-grained access control. |
| Conda | Artifactory natively supports Conda repositories for Python, R, Ruby, Lua, Scala, Java, JavaScript, C/C++, FORTRAN. |
| CRAN | Deploy and resolve CRAN packages for the R language using dedicated CRAN repositories. |
| Debian | Host and provision Debian packages complete with GPG signatures. |
| Docker | Host your own secure private Docker registries and proxy external Docker registries such as Docker Hub. |
| Git LFS | Optimize your workflow when working with large media files and other binary resources. |
| Go Registry | Build Go projects while resolving dependencies through Artifactory, and then publish the resulting Go packages into a secure, private Go registry. |
| Gradle | Resolve dependencies from and deploy build output to Gradle repositories when running Gradle builds. |
| Helm | Manage your Helm Charts in Artifactory and gain control over deployments to your Kubernetes cluster. |
| Maven | Artifactory is both a source for Maven artifacts needed for a build, and a target to deploy artifacts generated in the build process. |
| npm | Host your own node.js packages, and proxy remote npm repositories like npmjs.org through Artifactory. |
| NuGet | Host and proxy NuGet packages in Artifactory, and pull libraries from Artifactory into your various Visual Studio .NET applications. |
| Opkg | Optimize your work with OpenWrt using Opkg repositories. Proxy the official OpenWrt repository and cache remote .ipk files. |
| P2 | Proxy and host all your Eclipse plugins via an Artifactory P2 repository, allowing users to have a single access point for all Eclipse updates. |
| PHP Composer | Provision Composer packages from Artifactory to the Composer command line tool, and access Packagist and other remote Composer metadata repositories. |
| Pub Repositories | Artifactory natively supports Dart packages, giving you full control of your deployment and resolution process of Flutter, Angular Dart, and general Dart programs. |
| Puppet | Configuration management meets repository management with Puppet repositories in Artifactory. |
| PyPI | Host and proxy PyPI distributions with full support for pip. |
| RPM | Distribute RPMs directly from your Artifactory server, acting as a fully-featured YUM repository. |
| RubyGems | Use Artifactory to host your own gems and proxy remote gem repositories like rubygems.org. |
| SBT | Resolve dependencies from and deploy build output to SBT repositories when running SBT builds. |
| Swift | Artifactory natively supports a dedicated Swift registry, giving you full control of the deployment and resolution process of your Swift packages and the dependencies. |
| Terraform | A fully-fledged Terraform repository solution giving you full control of your deployment and resolve process of Terraform Modules, Providers, and Backend packages. |
| Vagrant | Securely host your Vagrant boxes in local repositories. |
| VCS | Consume source files packaged as binaries. |

Inspecting Packages

The Packages page provides easy access to information about all the packages in your repositories.

You have quick access to the most important summary information about the latest package versions and you can easily drill down for more details about previous versions. Filters and sorting features are available for your convenience, as well as cross-reference links to the Builds and Artifacts pages.

For some package types, you can download packages and copy installation commands when drilling down into a package.

To view information about packages, from the Application module, go to Artifactory | Packages.

Filtering the Package List

By default, each panel contains information about the latest version of the package. The initial view lists all the available package types, sorted lexically by package name in descending order. You can sort and filter the list, and your new sort and filter settings become the new default.

To change the sort criteria, click the drop-down arrow and select one of the following sort options:

  • Name: Name of package

  • Downloads: Number of times package was downloaded

To toggle the sort order, click the arrow to the right of the sort option list.

Viewing Package Information

The Packages list displays summary information for each package: the package name and logo in the top left corner, together with the creation date and version number of the latest version. The following information is displayed in the upper right of the panel.

| Field | Description |
|---|---|
| License | Name of the license covering the package |
| Versions | Number of versions of the package |
| Xray | Indicates the status of the Xray scan. For more information, see Xray Security and Compliance. Xray scanning requires Pro X, Enterprise with Xray, or an Enterprise+ license. |
| Downloads | Total number of times the package (in its various versions) has been downloaded |
| Tags | Metadata tags (available only for npm and NuGet) |

Click on a Package to view the Package versions.

In the Versions section, use the View By toggle to select one of the following views:

  • List: Displays information about the package versions.

  • Graph: Displays security and license violation information from JFrog Xray with the number of downloads per version.

    For more information, see Xray Security and Compliance.

    Xray scanning requires Pro X, Enterprise with Xray, or an Enterprise+ license.

The List option displays the following information about the package versions:

| Field | Description |
|---|---|
| Version | Package version numbers |
| Repositories | Name of repositories that contain the package version |
| Digest | The package's SHA-256 digest (available only for Docker) |
| Last Modified | Date when the package version was last modified |
| Downloads | Number of times package version was downloaded |
| Xray Status | The following Xray status indicators are displayed: severity of the package vulnerability (Low / Medium / High); Not Scanned; No Vulnerabilities; Pending Scan. For more information, see Xray Security and Compliance. Xray scanning requires Pro X, Enterprise with Xray, or an Enterprise+ license. |

NPM Packages Only

For npm package types, the copy command box appears to the right of the package name. For details, see Adding Packages to Projects.

Viewing Xray Data on Packages

Note

Required JFrog Subscriptions

Xray scanning requires Pro X, Enterprise with Xray, or an Enterprise+ license.

In the Package list view, you can quickly and periodically review the security and compliance status of all your scanned packages on your indexed resources, including the Xray scan status and the licenses assigned to the latest version of each package.

From the list view, you can toggle to the Graph tab to view a graph displaying a breakdown of security or license violations according to severity.

Viewing Package Version Information

Click on the version number to view details about a particular package version, in the detailed table.

The information in the summary section, in the top panel, now displays summary information about the selected package version.

To download the package version to your computer, click Download, located on the right, below the summary information. For more information, see Downloading Package Versions.

The detailed table now appears with the following tabs and information:

Readme

Applies to npm packages. Contains readme documentation.

Builds

In the Build section, use the View toggle to select one of the following views:

  • Produced By: Displays information about the builds that produced the package versions.

  • Used By: Displays information about the builds that used the package versions as dependencies.

The information includes the name, number, and creation date of each build. Click on the build name to open the Build page with the full information about the build.

Xray Data

Xray scanning requires Pro X, Enterprise with Xray, or an Enterprise+ license.

For more information, see Viewing Xray data on Package Versions.

Docker Layers

Applies to Docker packages. Lists the layer related information.

Distribution

Requires an Enterprise+ license.

Displays the Release Bundles containing the package version, the Release Bundle Distribution status and when they were last updated. Click the Release Bundle Name to view the Bundle in the Distribution page.

Repositories

Displays where the package versions exist in Artifactory. The locations are indicated by the repository names and the full paths to the packages in Artifactory. Enter version numbers or repository names to filter the list.

Click on the path to open the Artifact Repository Browser, showing the location of the package in the Tree view.

Viewing Xray Data on Package Versions

Selecting a package version displays detailed Xray data information.

In the top pane, you can view the Xray severity and license assigned to the version.

Under the Xray Data tab, you can view these dedicated Xray related tabs with the option to run a set of actions on the version. For detailed information on each tab, see Analyzing Resource Scan Results.

Downloading Package Versions

To download a package to your computer from the version-level information page, select the version and click Download, located on the right below the summary information.

Adding Packages to Projects

Note

Only available for npm packages.

It is usually more convenient to use the copy command button than using the Download button.

To add the latest version of a package to a project, click the copy command button. The command displayed in the text box is copied to the clipboard. Paste the command into the command line on your terminal. Execute the command line to automatically add the latest version of the package to the package.json file.

When the version-level information is displayed, select a specific version and click the copy command button to copy the command for the selected version to the clipboard. Continue as described above to add the version of the package to the package.json file.