The recently released JFrog Xray versions 3.31 & 3.32 have brought to the table a raft of new capabilities designed to improve and streamline your workflows, productivity and user experience.
The new features, detailed below, solidify Xray as the optimum universal software composition analysis (SCA) solution for JFrog Artifactory that’s trusted by developers and DevSecOps teams to identify and eliminate open source software vulnerabilities and license compliance violations from their Software Distribution.
Xray Reports Clone
This new feature, which requires Artifactory 7.23.x and above, lets you quickly and efficiently create a clone of an existing report in Xray Reports to reuse a report and its defined settings and configurations, saving you lots of time when recreating reports that you use often.
With this new hot upgrade capability, you can upgrade any Xray High Availability (HA) installation easily and without having to turn off all the secondary nodes. By completing an Xray HA upgrade with zero downtime, you boost your team’s productivity.
Set a Grace Period before Failing Build
If a CI server requests a build to be scanned, and a watch you’ve set up triggers a violation, Xray will indicate that the build job should fail.
Failing builds is a common practice to secure CI builds and prevent violations from entering your CI/CD pipeline. However, you may not always want to fail the build. For example, some violations are not showstoppers, and you can look into them later without stopping the build creation.
In these cases, you can set a grace period for a number of days according to your needs. During the grace period, the build will not fail and all violations will be ignored. An automatic Ignore Rule is created for the grace period with the following criteria:
- On the specific vulnerability/license
- On the specific component
- On any version of the specific build
- On the specific policy
- On the specific watch
Once the grace period ends, the ignore rule is deleted, and if the build contains violations, it will fail. This capability is only available if the watch is defined with build as target type.
For more detailed information, see Creating Xray Policies and Rules.
Grace Period REST API Support
Enhanced Xray Dependency Scanning and On-Demand Binary Scanning
Shifting left means catching and fixing vulnerabilities and license violations as early as possible in your SDLC, including before developers check in code. Performing on-demand scanning of either your source code dependencies or binaries before committing to Artifactory is the ultimate shift-left tactic. Here are some reasons why you need this use case:
- Not all of your binaries or builds are stored in Artifactory
- You discover vulnerabilities/licensing violations before uploading to Artifactory
- A security person may need to scan a binary sent to them for verification
- Organizations may want to only deploy approved binaries into Artifactory
The recently introduced Xray Dependencies and Xray On-Demand Binary scanning capabilities now include the option to ignore violations. In the JSON report of each scan, an Ignore Rule URL is included in the results, enabling you to create ignore rules for violations in the report, as described in Ignore Rules.
New Filter in Watches
Starting from Xray version 3.31.x and above, you can filter the Watches list in the Watches page in Xray to narrow down and display only Watches that are relevant to you. When you select the Filter button in the top-right corner, the filter dropdown list appears, with an array of different options. Configure the filtering options to display the Watches or Watch data you want to see.
For more information, see Configuring Xray Watches.
Filter Ignore Rules
Now you can use an array of different filtering options to narrow down the list of Ignore Rules using different criteria. That way, you’ll only see Ignore Rules that are relevant to you. After selecting the Filter button in the top-right corner, the filter dropdown appears and you can configure the options to display the Ignore Rules or Ignore Rules data you want to see.
[Note: The new features mentioned above require Artifactory version 7.25.x and higher.]
For more information, see Ignore Rules.
Ignore Rules REST API Enhancement
If you and your team are working together using JFrog Projects and the REST API, we have a great new feature that will allow you to sort the Get Ignore Rules REST API by project. This can streamline your workflows while working with REST APIs and Ignore Rules in JFrog Projects.
These exciting new features are available now for Xray users. Don’t have a JFrog account yet? You can easily get free access to Artifactory and Xray in two ways: A 30-day free trial with our Self Hosted option, or a permanent free subscription with our Cloud option, which also includes JFrog Pipelines, our CI/CD orchestration solution.