XRAY: Why Xray is not showing vulnerabilities but only licenses

Author: Dor Tambour
Article number: 000005458
Source type: Salesforce
First published: 2022-11-14T11:50:27Z
Last modified: 2022-11-14
Version: 2

Why do I see licenses but no vulnerabilities on an artifact, when generating an Xray report, or when looking at the results in the IDE plugin?

Usually, the reason is that no DB-Sync has been performed.
Xray works by comparing component checksums to a global database that contains publicly known vulnerabilities, vulnerabilities that were discovered only by the JFrog security team, operational risks, and licenses. Separately, Xray checks the local files and searches for licenses there.
If you see only licenses and no vulnerabilities, it usually means that Xray found licenses in the local files but is comparing checksums against an empty database, so you need to trigger a DB-Sync.

Important: Before triggering a DB-Sync, make sure your Xray machine has the resources it needs:
A minimum of 6 CPUs, 24GB RAM, and 500GB of disk space on SSD with at least 3000 IOPS.
See more details in our system requirements documentation.
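
The minimums above can be checked on a Linux Xray host before starting the sync. This is an added example, not JFrog tooling; the function names and the data directory and block device passed to `xray_preflight` are assumptions to adapt, and IOPS is not measured.

```shell
#!/bin/sh
# Added example: pre-flight check against the minimums quoted in this article.
# GB is treated as GiB. Function names and arguments are hypothetical.
MIN_CPUS=6
MIN_RAM_GB=24
MIN_DISK_GB=500

# meets NAME ACTUAL MINIMUM: print a verdict, return 0 when ACTUAL >= MINIMUM.
meets() {
    if [ "$2" -ge "$3" ] 2>/dev/null; then
        echo "OK    $1: $2 (minimum $3)"
    else
        echo "FAIL  $1: $2 (minimum $3)"
        return 1
    fi
}

cpu_count() { getconf _NPROCESSORS_ONLN; }

# Total RAM in GB, rounded up: the kernel reserves some memory, so MemTotal
# on a 24GB machine reads slightly below 24.
ram_gb() {
    awk '/^MemTotal:/ { gb = $2 / 1048576; c = int(gb); if (gb > c) c++; print c }' \
        "${1:-/proc/meminfo}"
}

# Size in GB of the filesystem that holds directory $1.
disk_gb() { df -Pk "$1" | awk 'NR==2 { print int($2 / 1048576) }'; }

# is_ssd DEVICE [SYSFS_ROOT]: true when the kernel reports the block device
# as non-rotational (SSD or NVMe).
is_ssd() { [ "$(cat "${2:-/sys/block}/$1/queue/rotational" 2>/dev/null)" = "0" ]; }

# xray_preflight DATA_DIR BLOCK_DEVICE: return 0 only if every check passes.
xray_preflight() {
    rc=0
    meets "CPUs" "$(cpu_count)" "$MIN_CPUS" || rc=1
    meets "RAM (GB)" "$(ram_gb)" "$MIN_RAM_GB" || rc=1
    meets "Disk (GB)" "$(disk_gb "$1")" "$MIN_DISK_GB" || rc=1
    if is_ssd "$2"; then
        echo "OK    $2 is non-rotational"
    else
        echo "FAIL  $2 is rotational or unknown"; rc=1
    fi
    echo "NOTE  IOPS (minimum 3000) is not measured; benchmark the volume separately"
    return $rc
}
# Example call (assumed path and device): xray_preflight /var/opt/jfrog/xray sda
```

A failing line means the host is below the stated minimum for that resource and should be resized before the DB-Sync is triggered.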

You can trigger a DB-Sync by following the steps in the screenshots below:

[Screenshot]

[Screenshot]

For more information on starting Xray, see the article XRAY: Xray 3.X Quickstart.