3. Policies and Watches:

XRAY: Xray 3.X Quickstart

Raphael Zaafrani
Below I will give a simple overview of Policies and Watches. You can find more detailed information in this article: "Creating Xray Policies and Rules".

Policies are contextless sets of security or license compliance rules. They decide what to flag in a scan.
To get started and create a new policy, in the UI navigate to Administration → Xray → Watches & Policies  and select New Policy

User-added image
There you will have the choice between three types of policies.
User-added image

Each type of policy will have its own specific set of rules:

1. Security:

Set of rules relating to vulnerability analysis.
  • Minimal Severity (Minor, Major, Critical, All): The minimal security vulnerability severity as it is in the JFrog vulnerabilities database. If the artifact or build contains a vulnerability with the selected severity or higher, the rule will meet the criteria, the automatic actions will be executed, and the policy will stop processing.
  • CVSS Score (1-10): The CVSS score range to apply to the rule. This is used for a fine-grained control, rather than using the predefined severities. The score range is based on CVSS v3 scoring, and CVSS v2 score if CVSS v3 score is not available.
  • Generate violations only when fixed versions are available: Xray will not generate violations for issues that do not contain a fixed version. If a fixed version is available later, the violation will be generated. 

2. License:

Set of rules letting you decide what type of license you allow or ban in your builds.
  • Allowed Licenses: Specifies an Allow List of OSS licenses that may be attached to a component. If a component has an OSS license outside the specified Allow List, The rule will meet the criteria, a violation will be generated, automatic actions will be executed, and the policy will stop processing.
  • Banned Licenses: Specifies a Block List of OSS licenses that may not be attached to a component. If a component has any of the OSS licenses specified, the rule will meet the criteria, a violation will be generated, automatic actions will be executed, and the policy will stop processing.
  • Disallow Unknown License: Specifies the wanted behavior for components whose license cannot be determined. A violation will be triggered if a component with an unknown license is found.

3. Operational Risk:

Components Operational Risk is the risk of using outdated or inactive open source software components in your projects.
  • Minimal Risk (High, Medium, Low): Preset risk values. Learn more about it here.
  • Custom Condition:
    • Use between (AND/OR): Boolean operator between the following rules.  
    • Is End-Of-Life: Did the developer of the OSS package declare that development has stopped or the package is obsolete.
    • Release age greater than (in months): If the package has been released for at least X months.
    • Number of releases since greater than: If the OSS package has seen at least X since the current version.
    • Release cadence less than (per year): If fewer than X releases have been published per year.
    • Number of commits less than (per year): If the package has had fewer than X commits per year.
    • Number of committers less than (per year): If the package has had contributions from fewer than X developers.
    • Risk Severity (Low, Medium, High):  At least matching the calculated risk value.

Each of those rules can have automatic actions when triggered.

User-added image
User-added image
Refer to this article for more information on automatic actions.

Now that your policies are set up, you can create watches to scan your artifacts and enforce the rules we've just set.

To create a watch, in the same UI menu as the policies, navigate to Watches and select New watch.
User-added image

Here simply select an option under "Manage Resources". There you will see only the repositories and builds indexed in step 2 so revert back to that step if you do not see the resource you're looking for.

Once you have selected the desired resources, assign the previously created policies by selecting "Manage Policies"
There you will be able to select one or more policies for your watch to use when scanning artifacts.

User-added image
And you are done! Now that your watch has been successfully set up, every upload to the selected resources will be automatically scanned and flagged as described in the policies assigned to the watch.

If you'd like to scan data that was already present in the resources before the watch was set up, simply click "Apply on Existing Content" to run a historic scan on the Watch's targets.

User-added image