The JFrog Eclipse plugin adds JFrog Xray scanning of Maven, Gradle, and npm project dependencies to your Eclipse IDE. It allows developers to view panels displaying vulnerability information about the components and their dependencies directly in their Eclipse IDE. With this information, a developer can make an informed decision on whether to use a component or not before it gets entrenched into the organization’s product.
The plugin's filter lets you view the scan results by issue severity or by license.
The JFrog Eclipse Plugin source code is available on GitHub.
Installation and Setup
To install and work with the plugin you need JFrog Xray version 184.108.40.206 and above.
Go to Help | Install New Software, click Add, and then click Archive.
Choose the plugin zip file you downloaded and click Add.
Configuring the Plugin
Connecting to JFrog Xray
Once the plugin is successfully installed, connect the plugin to your instance of JFrog Xray.
Go to Eclipse (Preferences), click JFrog Xray.
Set your JFrog Xray URL and login credentials.
Test your connection to Xray using the Test Connection button.
Scanning Gradle Projects
Behind the scenes, the JFrog plugin executes a Gradle script that builds the project's dependency tree. The plugin reads the Gradle configuration defined in Eclipse. This configuration is added to Eclipse by the Buildship plugin; you can access it under Preferences | Gradle | Gradle distribution.
If no Gradle distribution is configured there, the plugin falls back to the project's Gradle Wrapper. If the project does not include a Gradle Wrapper configuration either, Gradle is downloaded automatically.
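The following shell script is an added example, not the plugin's own Gradle script (which the page does not reproduce); it mirrors the launcher selection order described above so you can reproduce the dependency tree outside Eclipse. The GRADLE_DIST variable standing in for the distribution configured in Buildship, the project directory argument, and the use of Gradle's built-in dependencies task are assumptions for this example.

```shell
# Added example (not plugin code): pick a Gradle launcher in the same order the
# plugin uses, then print the project's dependency tree with the built-in
# 'dependencies' task. GRADLE_DIST is an assumed stand-in for the distribution
# configured under Preferences | Gradle | Gradle distribution.
choose_gradle_launcher() {
  project_dir="$1"
  configured_dist="$2"
  if [ -n "$configured_dist" ] && [ -x "$configured_dist/bin/gradle" ]; then
    echo "$configured_dist/bin/gradle"   # 1. distribution configured in Eclipse
  elif [ -x "$project_dir/gradlew" ]; then
    echo "$project_dir/gradlew"          # 2. Gradle Wrapper shipped with the project
  else
    echo "download"                      # 3. nothing local: a distribution must be fetched
  fi
}

# Run the dependency report with whichever launcher was chosen; fails loudly
# instead of silently downloading anything when no local Gradle is available.
print_dependency_tree() {
  project_dir="$1"
  launcher=$(choose_gradle_launcher "$project_dir" "${GRADLE_DIST:-}")
  if [ "$launcher" = "download" ]; then
    echo "No configured Gradle distribution or wrapper found in $project_dir" >&2
    return 1
  fi
  (cd "$project_dir" && "$launcher" -q dependencies)
}

# Usage: GRADLE_DIST=/opt/gradle print_dependency_tree /path/to/project
```

Comparing this tree with the one the plugin shows is a quick way to confirm that the IDE scan and your command-line build resolve the same dependency versions; a mismatch usually means Eclipse and the wrapper point at different Gradle distributions.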
Using the Plugin
Opening the JFrog Tab
To open the plugin tab, click Window | Show View | Other | Security | JFrog.
Scanning and Viewing the Results
JFrog Xray automatically performs a scan when the plugin is first loaded on startup.
To manually invoke a scan:
Click Refresh in the JFrog plugin.
View the scanned results in the plugin.
Filtering Xray Scanned Results
The JFrog plugin provides the following filters to narrow down the scan results to exactly what you need:
Severity: Displays issues according to specific severities.
License: Displays components according to specific licenses.