WHY YOU NEED JFROG XRAY PREMIUM
Modern applications commonly consist of 90% open source software (OSS) dependencies, exposing your code to potential hidden security vulnerabilities and even expensive and complex license compliance issues. Neither of these problems is a desirable outcome for any company to deal with.
Ensuring license compliance in OSS dependencies is a growing concern for legal teams and CEOs alike. No one wants to be on the receiving end of a failed audit, or an expensive intellectual property or license infringement case. Knowing what OSS is being used, by whom, and in which builds and production releases is of primary concern.
We are all painfully aware of the cost of security breaches. You only have to think back to the recent SolarWinds breach, or further back to the notorious Equifax hack, which cost them billions. Not only that, there is also the risk of being out of compliance with software licenses, which can land you in a complex and expensive intellectual property battle. Not to mention that you could be subject to an audit of your software, and a failed audit can result in steep fines, depending on the industry you’re in.
“Xray allows us to be able to scan through all the different Docker layers and find out what binaries are actually being included in here; and that way we have a process in place that we can actually go and notify a team and help them understand that there are vulnerabilities in your build pack.”
Brad Becktell, DevOps Engineer, Kroger
WHAT JFROG XRAY PREMIUM DOES FOR YOU
The premium version of Xray keeps the unique deep recursive scanning, the ability to unpack and understand all the major package types, and the ability to see into all the underlying layers, binaries & dependencies of Docker Container images. JFrog Xray Premium extends your ability to protect against those unforeseen pitfalls with two major improvements:
- Leading Vulnerability Intelligence
- Automated License Compliance
LEADING VULNERABILITY INTELLIGENCE
Xray Premium benefits from the industry-leading vulnerability intelligence VulnDB that is provided by Risk Based Security. Their database is meticulously maintained and updated every time a new vulnerability is discovered. VulnDB is derived from a proprietary search engine and from the analysis of thousands of disclosed vulnerabilities by their world-renowned research team.
Not only does it cast a wider net for you, it also brings you awareness of any new vulnerabilities much sooner than the NVD. This is critical for you to stay ahead in the fight to keep your code clean of any vulnerabilities or license problems.
- Gain confidence with the most timely and comprehensive vulnerability intelligence VulnDB
- Most comprehensive intelligence on the market with over 247,000 vulnerabilities, covering products of 27,000 vendors, including vulnerabilities not found in CVE/NVD
- Extended Vulnerability Metadata with each vulnerability containing an extended classification system and CVSS metrics to provide ratings for remediation and prioritization
AUTOMATED LICENSE COMPLIANCE
Xray Premium provides the ability to define and automate license compliance policies to identify the usage of a component that does not comply with your organization’s legal guidelines. Different mitigation behavior can be set based on the context of the type of license and where the component is being used.
Upon detection of license violations, Xray Premium can notify users in several different ways, including sending emails, sending Slack messages, creating a Jira ticket, or reaching any other system via Webhooks. Besides creating violations and notifications, the system lets you set up enforcement actions, including blocking the download of a binary, failing a build, and preventing the distribution of a Release Bundle. Safeguard your production software releases with Xray Premium, your biggest security and compliance ally in the world of DevSecOps.