Scan C/C++ Builds

JFrog Artifactory Documentation


Xray supports scanning C/C++ packages as build-dependencies only. The following steps are required:

  • Create a build-info listing all the C/C++ packages you want to scan. Refer to the Build-info Creation example.

  • Upload the build to Artifactory, and perform an Xray scan.

For more information, see the Build Upload REST API.


This process requires creating and uploading the C/C++ build-info manually, in accordance with the build-info schema, and listing all the C/C++ libraries to be scanned. For each component you must provide a name and version; the vendor is optional.

In the BuildInfo, do the following:

  1. Specify a cpp module, and set cpp as the module's type.

  2. In the dependencies section, list all of the cpp components of your build. Each cpp component must contain:

    • Sha1

    • ID: Consists of the component's vendor, name and version, in the form: "[vendor]:name:version". Please note that the 'vendor' field is optional.

C/C++ Info Example:

{
   "version": "1.0.1",
   "name": "MyBuildName",
   "number": "42",
   "type": "GENERIC",
   "started": "2021-01-19T15:47:52.000Z",
   "buildAgent": {
       "name": "Private builder",
       "version": "1.0"
   },
   "modules": [
       {
           "id": "<MODULE-ID>",
           "type": "cpp",
           "dependencies": [
               {
                   "sha1": "<SHA1>",
                   "md5": "<MD5>",
                   "id": "<vendor1>:<name1>:<version1>",
                   "type": "cpp"
               },
               {
                   "sha1": "<SHA1>",
                   "md5": "<MD5>",
                   "id": "<vendor2>:<name2>:<version2>",
                   "type": "cpp"
               }
           ]
       }
   ]
}

Build-info Creation Example:

# Choose A, B or C, depending on where your dependencies are located,
# and uncomment the matching command:
# A. add build-info dependencies located on the local disk
# jfrog rt bad cpp_build 1 myLibs/
# B. add build-info dependencies located in Artifactory
# jfrog rt bad cpp_build 1 mcy-cpp-deps/ --from-rt=true
# C. add build-info dependencies by downloading them from Artifactory
# jfrog rt dl mcy-cpp-deps/ --build-name=cpp_build --build-number=1

# generate Build info and save it as JSON file
jfrog rt bp --dry-run=true  cpp_build 1 > build_info.json 

# the following jq pipeline will:
# 1. add type=cpp to the module
# 2. add type=cpp for each dependency
# 3. update the component id for each dependency 
jq '.modules[] += {"type":"cpp"}' build_info.json |\
jq '.modules[].dependencies[] += {"type":"cpp"}'  |\
jq '(.modules[].dependencies[] | select(.id == "Poco.dll" ) | .id)    |= "poco:1.8.0"' |\
jq '(.modules[].dependencies[] | select(.id == "libcurl.dll" ) | .id) |= "haxx:libcurl:7.70.0"' |\
jq '(.modules[].dependencies[] | select(.id == "sqlite.dll" ) | .id)  |= "sqlite:3.15.1"' |\
jq '(.modules[].dependencies[] | select(.id == "zlib.dll" ) | .id)    |= "zlib:1.2.0"' > build_info_xray.json 

# upload build info
jfrog rt curl -XPUT /api/build -H "Content-Type: application/json" -T build_info_xray.json
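
A pre-upload check for build_info_xray.json, added here as an example; it is not part of JFrog's documentation or tooling. It enforces the rules stated above (module type cpp; each dependency has type cpp, a sha1, and an ID of the form [vendor]:name:version) and catches the case where a jq select() matched nothing and the ID is still a file name. The function name and sample data are assumptions, and requiring at least one dependency per module is an added strictness.

```python
import json
import re

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# "[vendor]:name:version" with vendor optional: two or three colon-separated fields
ID_RE = re.compile(r"^[^:\s]+(:[^:\s]+){1,2}$")

def validate_cpp_build_info(doc):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    modules = doc.get("modules") or []
    if not modules:
        problems.append("build-info has no modules")
    for mi, module in enumerate(modules):
        if module.get("type") != "cpp":
            problems.append(f"modules[{mi}]: type is not 'cpp'")
        deps = module.get("dependencies") or []
        if not deps:
            problems.append(f"modules[{mi}]: no dependencies listed")
        for di, dep in enumerate(deps):
            where = f"modules[{mi}].dependencies[{di}]"
            if dep.get("type") != "cpp":
                problems.append(f"{where}: type is not 'cpp'")
            if not SHA1_RE.match(str(dep.get("sha1") or "")):
                problems.append(f"{where}: sha1 missing or not 40 hex characters")
            if not ID_RE.match(str(dep.get("id") or "")):
                problems.append(f"{where}: id {dep.get('id')!r} is not [vendor]:name:version")
    return problems

# Constructed sample: the second dependency was not matched by any jq select(),
# so it kept its file name as id and (in this sample) never received a type.
SAMPLE = json.loads("""
{"name": "cpp_build", "number": "1", "modules": [{"id": "demo-module", "type": "cpp",
  "dependencies": [
    {"id": "haxx:libcurl:7.70.0", "type": "cpp",
     "sha1": "0123456789abcdef0123456789abcdef01234567"},
    {"id": "zlib.dll", "sha1": "89abcdef0123456789abcdef0123456789abcdef"}
  ]}]}
""")

if __name__ == "__main__":
    for problem in validate_cpp_build_info(SAMPLE):
        print(problem)
```

To check a real file, load it with json.load() and pass the result to the function; a dependency whose ID was never rewritten cannot be matched to a component, so treat any reported problem as a reason not to upload.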