XRAY: How to work with JFrog Xray block download artifacts functionality

Author: Janardhana JL
Article number: 000005517
First published: 2022-12-22T08:28:57Z
Last modified: 2025-05-15
Version: 3

When you want to restrict the artifacts that users can download from Artifactory local or remote repositories based on security vulnerabilities, you can achieve this with Xray. There are two levels of protection, both configured through the block-download settings in the rules of an Xray policy.

The first level blocks downloads from an Artifactory repository until Xray has indexed and scanned the artifacts: enable Xray indexing for the repository, mark it for scanning in a watch, and set Block Unscanned Artifacts in the corresponding rules of the policy. The second level blocks the download of artifacts based on the severity level set in the policy attached to the watch defined in Xray. The two scenarios are detailed below:

A. Set Block Download, which blocks suspected artifacts with violations from being downloaded and gives you finer control over which artifacts, if any, should be blocked. The issues discovered in artifacts are graded with a severity level: low, medium, high, or critical.

Whichever of these settings you choose, as soon as you set them Xray is triggered to scan, and any components that do not pass the policy check are blocked right away.

To avoid confusion about why a download fails, Artifactory displays a notification about blocked artifacts in the UI and also returns an informative error message for REST API calls that fail because an artifact has been blocked.

The screenshot and REST API output below are for reference:

% curl -uadmin -XGET "http://artifactory.com/artifactory/test-block-unscanned-artifacts/commons-io-2.2.jar"
Enter host password for user 'admin':
{
  "errors" : [ {
    "status" : 403,
    "message" : "Artifact download request rejected: commons-io-2.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts."
  } ]
}

You can also see in the Artifactory logs why these artifacts failed to download:
artifactory-service.log:
[jfrt ] [ERROR] [29abc3f8c904e1da] [o.a.r.d.DbLocalRepo:247       ] [http-nio-8081-exec-5] - Artifact download request rejected: commons-io-2.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
[jfrt ] [WARN ] [29abc3f8c904e1da] [.r.ArtifactoryResponseBase:144] [http-nio-8081-exec-5] - Sending HTTP error code 403: Artifact download request rejected: commons-io-2.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.

B. When you enable Block Unscanned Artifacts Download, artifacts cannot be downloaded until they have been indexed and scanned by Xray.
For example, the screenshot below shows that the packages have not been scanned, so the download of the artifacts fails:
% curl -u admin -XGET "http://artifactory.com/artifactory/test-block-unscanned-artifacts/log4j-core-2.17.2.jar"
{
  "errors" : [ {
    "status" : 403,
    "message" : "Artifact download request rejected: hsqldb.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts."
  } ]
}

artifactory-service.log:
[jfrt ] [ERROR] [3f5eddfe9ed3f267] [o.a.r.d.DbLocalRepo:247       ] [http-nio-8081-exec-1] - Artifact download request rejected: log4j-core-2.17.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
[jfrt ] [WARN ] [3f5eddfe9ed3f267] [.r.ArtifactoryResponseBase:144] [http-nio-8081-exec-1] - Sending HTTP error code 403: Artifact download request rejected: log4j-core-2.17.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
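Since both scenarios surface as the same 403 error body and the same "download blocking policy" line in artifactory-service.log, a small monitor can pick these rejections out of the log and tell an Xray block apart from other REST failures. The following is an added example written for this article, not JFrog's own code; it assumes only the log line and error-body format shown above, and the sample log lines are constructed from the ones quoted in this article.

```python
import json
import re
from collections import Counter

# Pattern for the ERROR line Artifactory writes when Xray's download
# blocking policy rejects a request (format as shown in this article).
BLOCK_RE = re.compile(
    r"\[(?P<trace>[0-9a-f]{16})\].*?Artifact download request rejected:\s*"
    r"(?P<artifact>\S+) was not downloaded due to the download blocking "
    r"policy configured in Xray for (?P<repo>\S+?)\.?\s*$"
)

def parse_blocked_downloads(log_text):
    """One dict (trace id, artifact, repo) per ERROR-level rejection.
    The matching WARN line repeats the same event, so it is skipped."""
    events = []
    for line in log_text.splitlines():
        if "[ERROR]" in line:
            m = BLOCK_RE.search(line)
            if m:
                events.append(m.groupdict())
    return events

def blocked_per_repo(events):
    """Count rejections per repository, e.g. to alert on a sudden spike."""
    return Counter(e["repo"] for e in events)

def is_xray_block(response_body):
    """True if a REST error body is the 403 produced by Xray download blocking."""
    try:
        errors = json.loads(response_body).get("errors", [])
    except ValueError:
        return False
    return any(e.get("status") == 403 and "download blocking policy" in e.get("message", "")
               for e in errors)

# Constructed sample: the two rejections quoted in this article plus one unrelated line.
SAMPLE_LOG = """\
[jfrt ] [ERROR] [29abc3f8c904e1da] [o.a.r.d.DbLocalRepo:247       ] [http-nio-8081-exec-5] - Artifact download request rejected: commons-io-2.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
[jfrt ] [WARN ] [29abc3f8c904e1da] [.r.ArtifactoryResponseBase:144] [http-nio-8081-exec-5] - Sending HTTP error code 403: Artifact download request rejected: commons-io-2.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
[jfrt ] [INFO ] [0123456789abcdef] [o.a.r.d.DbLocalRepo:100       ] [http-nio-8081-exec-2] - Downloading: demo-local/demo.jar
[jfrt ] [ERROR] [3f5eddfe9ed3f267] [o.a.r.d.DbLocalRepo:247       ] [http-nio-8081-exec-1] - Artifact download request rejected: log4j-core-2.17.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
"""

if __name__ == "__main__":
    for event in parse_blocked_downloads(SAMPLE_LOG):
        print(f"{event['trace']}: {event['artifact']} blocked in {event['repo']}")
    print(dict(blocked_per_repo(parse_blocked_downloads(SAMPLE_LOG))))
```

The trace id in the third bracket lets you join the ERROR line with its WARN counterpart and with the request-log entry for the same download.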

Additionally, if you want to block or restrict certain artifacts from being downloaded from remote or local repositories, you can also use the repository include/exclude patterns to block the download of specific artifacts. See the articles below for more information:
https://jfrog.com/blog/include-and-exclude-patterns
https://jfrog.com/knowledge-base/how-to-use-include-exclude-patterns