Deep Recursive Scan Through All Layers of a Gradle Package
Xray recursively peels away the different layers of your Gradle packages and their dependencies ensuring that every software artifact that is included in your software has been scanned for issues and vulnerabilities.
When a vulnerability is detected, Xray shows you all the Gradle packages that contain the infected artifact so you can instantly understand the impact that any vulnerable layer has on all packages in your system.
Even when packages uploaded to your Gradle repositories in Artifactory are given a clean bill of health, Xray continues to scan them to make sure they are not infected with any new vulnerabilities that are registered with Xray’s global vulnerability database.
As scaling complexity grows, the need for composition analysis becomes more important. Xray allows you to drill down or zoom out within your entire components graph and identify the real impact of every violation found. This can help you reduce the cost, time, and risk of delivering changes by allowing for more incremental updates to applications in production. Xray high availability allows you to create an active-active cluster of Xray instances that are easy to install and maintain. Scale your Xray environment to an unlimited number of nodes, that share the load through a load balancer, ensuring optimal performance and uptime. Seamlessly and instantly synchronize all data, configuration, cached objects and scheduled job changes across all cluster nodes.
Through Xray’s integration with common CI servers, you can stop infected builds from ever getting to your repositories. During the build process, Xray will notify your CI server if an infected artifact is being included in your Gradle packages so the build can be halted before completion.
Using the JFrog IDEA Plugin, Xray scans Gradle projects right in the developer's IDE providing information on Gradle components and their dependencies. This allows the developer to make an informed decision on whether to use a component or not before it gets entrenched in the organization's product. Then, during CI/CD, Xray can stop builds that include infected components, and in production, Xray continuously scans production systems for any new issues and vulnerabilities that have been discovered. Effectively, Xray covers the full lifecycle of components in the software supply chain.