Get the Most out of Your .NET Builds

Give your .NET ecosystem the full power of DevOps running on AWS. The JFrog Platform covers the full application lifecycle of .NET builds, from developer fingertips through distribution to consumers, while covering application security, vulnerability analysis and artifact flow control. In this webinar we will see how to configure your .NET builds on AWS so that they take full advantage of the JFrog Platform for managing the lifecycle of your .NET artifacts.

We’ll review:

  • How to configure AWS to integrate with the JFrog Platform
  • How to build, package and deploy artifacts and control their lifecycle
  • Security scanning for .NET with JFrog Xray


Transcription: 
Hello and welcome, everybody! Today we are going to talk about how to get the most out of your .NET builds with the JFrog Platform. Before we start, a little bit about myself. My name is Batel Zohar and I’m a developer advocate at JFrog. Before that I was part of the support team and the solutions team here, and as you can see in the picture I have an amazing doggy named Banjo, and a few months ago we adopted another beautiful baby named Seoul. If you want to get hold of me later, or just send me your doggy’s pictures, I’m pretty available.

You can find me on Twitter at patelzor, and you can also email me at vitality jfrog.com. I’m always happy to help, so please, please do not hesitate to reach out if you need something.

Now I think we can start, so let’s talk a bit about the JFrog Platform. We’re trying to provide an end-to-end platform that gives you the ability to control anything and everything in one place, from your pipeline to your distribution. We can also scale up very quickly: we support HA and different environments, so we can easily scale up and add more and more nodes according to our needs. We’re universal, so we can support any binary, any stack and any DevOps tool, and I’m going to show you some of these practices during this session. We also have continuous security, so we can easily scan binaries, like we are going to do today when we scan our .NET files and our NuGet packages and see how it’s working. We’re also hybrid and multi-cloud: we support OSS, multi-cloud and multi-configuration with SaaS and on-prem, and our integrated ecosystem supports more than 50 technologies, partner-hosted offerings and all public clouds.

So the JFrog Platform looks like this: we have JFrog Artifactory, which helps us store and manage packages globally. Then we can easily scan those packages with JFrog Xray and make sure that we won’t have any security or license issues, and then we can easily distribute them to our edge nodes. Behind all of this we can control and monitor everything with JFrog Mission Control and Insight, which help us analyze intelligence metrics, monitor our services configuration and much more. For our CI/CD we can easily use JFrog Pipelines, which is written in YAML and is pretty straightforward; I can show you some of it later on to see how it’s working. Basically we’re providing a solution from your source code repository to your edge and your distribution, deploying real-time incremental updates.

So the first thing I want to show you here is five reasons to use a binary repository manager when developing with NuGet. As you may know, for .NET developers the Microsoft-supported mechanism for sharing code is NuGet, which defines how packages for .NET are created, hosted and consumed. Today we are going to talk a bit about a binary repository manager and why we should use it. First we can speak about long and network-intensive build processes, offline access to packages and metadata, sharing internal and external NuGet packages, searching for packages based on different criteria, and the stability and reliability of the system hosting NuGet packages. If you want to find all the reasons, you can easily click on the link that I just put here and get our paper about why and how to use a binary repository manager when developing with NuGet.

So let’s start with the first one: reduce network traffic and optimize builds. Since much of your code is likely assembled rather than built, you want to make sure that your usage of packages downloaded from the NuGet Gallery is optimized. It makes no sense for two, or two hundred, developers using the same package to download it separately. Artifactory is an intermediary between developers and the NuGet Gallery and handles it as a remote repository. Once a package has been downloaded, Artifactory stores it in a local cache. Upon receiving subsequent requests, Artifactory performs a smart checksum search for the requested package, and if it has already been downloaded then the locally cached copy is provided. Therefore any package is only downloaded once, and it is then locally available to all other developers in the organization, which of course reduces the network traffic. Naturally this is transparent to individual developers: once the NuGet client is configured to access packages from Artifactory, the developer can get on with what she does best and leave the package management to Artifactory.

If we look at the network traffic from the point of view of a build server, the benefits are clear. A typical project may need tens, if not hundreds, of packages from the NuGet Gallery. For the server to build, all these packages must be downloaded and made available to the server environment, which may generate megabytes or even gigabytes of data traffic on the network. Downloading all these required packages takes a significant amount of time and delays the build process. By caching all those packages locally the build process is much quicker and it incurs much less networking. So as you can see here we have dependencies everywhere, and basically we have all the dependencies in one place, which is kind of a caching mechanism. We can control this cache repository too, and configure how long we would like to keep them and how many different versions we would like to have. So this is the first reason why we should use a binary repository manager.

The second is reliable access to the NuGet Gallery. As .NET developers, the NuGet Gallery is an invaluable resource that you need on a regular basis, but since the NuGet Gallery is a remote resource, what do you do if it goes down, or if there are any issues with your network? And what happens if you are actually a build server, right? We’re trying to run our build, we’re having some network issues, what’s happening right now? In that case, Artifactory provides rich and extensive support for the NuGet API and is therefore transparent to developers working with the NuGet Gallery. To Artifactory, the NuGet Gallery is just another remote repository, so when a NuGet package or metadata is requested, Artifactory can provide it from the local cache, effectively screening you from any issues with the gallery and the network. You will always have access to the packages in your system and your builds, and you won’t be held up by any issues in the network or anything else that is happening, because it’s already cached. Therefore we may want to use Artifactory like this: we have our NuGet clients that try to get packages directly from the NuGet Gallery, as you can see here; that’s what we had before we were using Artifactory. But whenever we’re using Artifactory, Artifactory will know how to do all the smart mechanism right over here, basically keeping it in the cache, and my build server will go directly to Artifactory and try to get the metadata. This is the second reason why we would like to use a binary repository manager.

For reproducible builds: bugs, defects or issues, however you refer to them, they haunt us, right? We will find bugs everywhere, and sometimes they only turn up after we have released them to the world, and then fixing them becomes urgent. We need to make sure we are doing it as soon as possible and that we won’t have any issues whenever we’re trying to fix a bug, or add another bug. But then, to debug the issue, we may not be able to reproduce the specific release on which it was found; we want to make sure that we can easily find it, reproduce it and fix it. Given the modules we develop and download, along with all their dependencies and the build environment, that might be a daunting task. Artifactory provides build version tracking by storing exhaustive build information, which makes it easy to fully reproduce any build. Basically the information stored includes specific package versions, dependencies, system properties, environment variables, the user information, timestamp and much more. But Artifactory gives you even more than that: with the build diff tool you can compare builds and therefore know exactly what changed and where, to find the version in which the bug was introduced or reproduced. In this demo I’m going to show you how to track the build info and why it’s so easy to do that. So this is another reason why we should use a binary repository manager.

So let’s talk a bit about the build info. As you can see here we have all the environment variables; I can find them under the Environment tab. I can click on the build info JSON and get a very large JSON file with all of the information about the build. I can find a module, and we’ll deep dive into it in our demo.

Another reason is security and access control. Every organization needs to implement a security policy so that people can only access the internal resources that they are authorized to use. But how do you control what people in your organization download from the NuGet Gallery, for example, or any other external resource? How do you control which external resources are accessed in the first place, and then how do you control where people in the organization put the different packages they downloaded or are working on? Artifactory can provide you with security and access control at different levels, from a complete repository down to a single artifact, and from a group of any size down to a single developer. As the first line of defense, Artifactory supports virtual repositories. By going through a virtual repository you can ensure that your developers only access reliable third-party resources that have been approved. You can also optimize package resolution by defining the underlying repository order for this virtual repository: we’ll first look in a local repository, for example, then go to the remote repository cache, and then try to find it on the remote repository. Therefore we are getting most of our binaries locally and we can get them very quickly. For the developer it’s simple: just request the package by name and Artifactory will safely and optimally access it according to your organization’s policy. For more fine-grained access control, Artifactory also provides a flexible mechanism to define include and exclude patterns for downloads using regular expressions. So think about it: if we found any specific dependency that we don’t want to use in our organization, we want to make sure that none of our developers can download it, and we want to block them. In a simple configuration inside my repository I can configure include or exclude patterns with a regex expression to make sure that nobody will use them.

So, to ensure that developers can deploy release candidates to a QA repository, but only authorized QA staff can promote them, we can easily ensure that release candidates meet the required standard and promote them from dev to a release repository, to production and so on. Now, if virtual repositories weren’t clear enough, I’ll try to explain a bit more. A virtual repository encapsulates any number of local and remote repositories and represents them as a unified repository accessed by a single URL. When packages are requested, they are resolved from the underlying repositories in the order in which they are defined in the virtual repository. I’m going to show you that in our demo, and this is another reason why we should use a binary repository manager.

Last but not least is smart search for packages using build number and custom properties. Artifactory provides you with flexible search capabilities that let you find packages based on a combination of properties such as name, version, timestamp, checksum and much more. Artifactory also provides some common built-in searches, so for example you can ask Artifactory for the latest version of any package without specifying a particular version number; Artifactory knows how to compare all the different versions of the package in any of the repositories and provide the latest one available. Artifactory also takes build search a step further and lets you search for packages by build number, very much like using a version tag assigned to a source file in a source code control system. This pretty powerful feature enables you to find all the specific artifacts that went into a build according to the build number. But the full power of smart search comes with the flexibility that Artifactory provides with custom properties that you can assign to a package. Think about it: I can easily add a property whenever I pass some tests on a specific package or a specific build that I just created, and then I can create very, very complicated queries that find me this package. Another cool feature is checksum-based search: we can search for a package by its checksum, which is pretty powerful too. Artifactory takes a unique approach of storing files by their checksum, so even if a package has been renamed, moved or even deployed outside our organization, we can trace it back to the original version and obtain its complete build information. We can simply run the package through a checksum tool and run a checksum search in Artifactory to retrieve the original version. This is another reason why we should use a binary repository manager.

Now let’s talk a bit about the JFrog CLI. JFrog CLI is an open source project written in Go, and the JFrog CLI tool provides a simple interface that helps you interact with all JFrog products. For example, in one command I can download a whole repository, or upload a whole directory to Artifactory. And not only that: I can generate access tokens, scan some builds with our Xray tool, and even create a release bundle to distribute in the future with Distribution. So I can do almost everything with our JFrog CLI, and I’m going to show you how to do that. Why should we use the JFrog CLI? First of all, connection details storage, and it’s easily integrated with the cloud. We have file operations, we can easily get some metadata information, file specs of course (I can create a file spec that helps me send some queries), package manager integration, and build info can easily be managed with the CLI, which we’re going to do today. It’s tightly integrated with the JFrog Platform, so everything is supported also with the CLI.

I think now it’s a great time for a demo, so let’s start our project. My demo is based on this project in our GitHub, which is available under JFrog project-examples and msbuild-example. You can easily go here, fork it, clone it and try to test it.

Okay, so basically our example in GitHub includes two projects: msb library and msbuild example, and msbuild example uses msb library as a dependency. So the first thing we would like to do is to run the build, so let’s go to the small script that I just created here. You can see it’s right over here; let’s go back there. All right, and here let’s cat the build stage; it’s basically creating my build, so let’s just run it.

Okay, cool, it’s a success. Now let’s see what we have under my publish one. I’m basically just publishing to Artifactory so we’ll be able to reuse those dependencies, so let’s just run the publish one here.

Okay, great, we have our dependencies, and as you can see here I’m uploading two files over here, the DLL and the PDB. Of course we can configure it to upload only one of them; because we’re using JFrog CLI commands we can easily control it. Let’s talk a bit about the command that’s running here. You can see that we’re using jfrog rt u, which means JFrog Artifactory upload, pretty straightforward: where we would like to find the files, where we would like to upload the files to (msbn local and msb library), and --flat false, which means that we would like to preserve our file system structure. The build name will be msb library, and for the build number we just generate something; of course we can control it and change it in the future. And here we can find the build info, so let’s click here and just open it really quick.

And you can see that we have two files here, right? Let’s click on that: we have the msb library DLL and the msb library PDB, and we have the build info JSON; we have the environment, like I promised, we have the information and everything we need. Now let’s go back here.

Let’s go to the msbuild example and just run the same: let’s create a build.

And let’s publish the information.

So you can see that I’m uploading different artifacts and we have a different build info, so we can take this one and talk a bit about the build info.

So now I have six artifacts, and I have the caching too, and the DLL, and I have a different build info JSON because we have more files, and we can easily add more information. We can also check the permissions of the users that can go to this build. Now let’s talk a bit about the csproj; let’s open it in Code.

And the msbuild sample’s csproj.

So we basically have some simple JFrog CLI commands here. As you can see, we upload artifacts using jfrog rt upload, with the source path and the path to the repository destination. We have the upload command over here with the flags that we just added, the flat one, so we can easily control it and change it according to our needs. Then we publish the build info; again, here there’s another command that collects the build info, and here is the one publishing the build info. Another nice thing that we can easily add very quickly is scanning our build: since Xray provides me the ability to scan our binaries and make sure that we won’t have any security vulnerability, I can easily add the scan command that basically searches for the build. As you can see here, jfrog rt build-scan by build name and build number, and in case we configured any policy to block the build, block downloads, or just control it or notify someone whenever we find any security vulnerability, it will apply it and make sure that we are safe and secure.

Now let’s talk a bit more about the CLI. I also have the ability to send some curl commands with the CLI, which is very cool. Whenever I’m using jfrog rt curl I can easily send a direct curl command to Artifactory, so I don’t need to write everything. If I want to get the build information very quickly I can do that this way. So let’s find my build; you can see it’s called msbuild, here is the number, and I can easily run the curl command through the CLI, all of the available Artifactory curl commands. It’s very easy, it’s a very, very powerful feature, I love this feature actually, because I can just run everything in one place: I don’t need another terminal, I don’t need anything else, I can just do that through here. We can also add some properties during the build, and we can have the information about my packages here too. So whenever I’m clicking on Artifactory, let’s go back here to the platform, I can find my NuGet packages.

Let’s take any one of them, for example. You can see the information about the package; you can see that it was scanned. We have four different versions; let’s take one of them. We won’t have any vulnerabilities, but in case it was part of a build I will see the build information too. I can see the repositories that contain it and the Xray data, so you can see that it found the license it’s using, the MIT license, and we actually have one testing security issue here; I guess that I just added custom information here to have something related to the package. Let’s take another one, this is Cantu, also no vulnerabilities. All right, so let’s take this one, no vulnerabilities, wow, everything is so perfect. Let’s take the Docker image here: here’s my Xray data, and it’s actually a critical one, so I can easily click on the data here. I can see the artifact, the attached components, which watch is related to it, and a quick summary about the vulnerability. It’s exactly the same for any NuGet package: we’ll see a quick summary of the information about the package and why we have security issues. I see the description and the vulnerable versions, so in case there is a fixed version I will also see that in Xray and can change it very quickly. So this was our scanning.

Let’s go back to the packages really quick. Let’s take this one, just taking one of the packages; I can also go to the tree really quickly and get the information about this package. As you can see here, when I’m clicking on the package info I have the version, I have the authors, the owner, licenses, description, and they were generated automatically because we basically have everything inside here, and we are scanning it in our Artifactory, so we have the timestamps and anything we need. We talked a bit about properties, right? So we also have some built-in properties like the copyright, authors, owners and so on, and of course the version of the package. I can easily add some properties and create some queries in the future, like saying if it passed QA, sure, and then whenever I create a diff between builds and get some more information, I can easily add the property to make sure that I passed the test, for example a specific test that we just added, and so on. So everything is pretty straightforward; I have everything in front of me, and I have the pipeline that created it too, if it was created by our CI/CD with Pipelines, so you can get it too.

Another cool feature that we have in Xray is creating a report. I can create a report in Xray by a specific package type, so let’s say that I would like to have a NuGet report that contains vulnerabilities, or licenses, or just violations. I can go to specific repositories, so I can find my msbuild here, and I can filter it by specific components or artifacts, a specific CVE, or when it was published. Whenever I have the report, I can easily just send it to someone from our security team and so on; I can easily share it.

Now let’s talk a bit about the Xray settings very quickly. Whenever we want to scan some binaries, we can create a new policy; let’s call it NuGet policy. Here is my rule, so I can define it by a specific severity, by a specific score. I can notify some people, like you can see here, by triggering a webhook, or notify the deployer, or a specific email address. Here’s the blocking that I mentioned: we can easily block the download of specific files, so let’s just add blocking here.

And, yeah, name it nuget policy.

After I created it I need a watch, right? I need to define where to look. So let’s create a NuGet watch, and here’s the repository: I want to find everything that’s related to msbuild. Of course I can also filter it by regex, so whenever we are adding more and more repositories I can just scan them automatically, which is nice. And here is the policy, here is my NuGet policy that we just defined, and we can create it and get more violations and more information about my packages.

And I think that’s it for today. Let’s just summarize everything very quickly. We have dependencies, right? We want to make sure that we can control our dependencies; we have our

Yeah, sorry for that. We have our Artifactory to access the NuGet Gallery and create kind of a proxy, to make sure that everything is in one place. We have bugs everywhere, so in order to find them we have the build info, which helps me find the specific version that has the bug and from there to fix it. I want to make sure that we are secured here, and with a smart mechanism. So now it’s time for some questions. Thank you so much for joining us today, and please write to us in the chat; we would love to answer.

Thank you so, so much, and have a great day.
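The steps the demo walks through (pointing the NuGet client at Artifactory, uploading the build output with a build name and number, publishing the build info, scanning the build with Xray and reading the build info back through jfrog rt curl) are collected below as a shell script. This is an added example for this page, not the speaker’s script and not code from the jfrog/project-examples repository. It assumes JFrog CLI v1 syntax (jfrog rt …, as used in the demo), a server ID named rt already configured in the CLI, an Artifactory host artifactory.example.com, a virtual NuGet repository nuget-virtual and a local repository msb-local; none of those names appear on the page. The server-side controls the talk mentions (repository include/exclude patterns, the Xray policy and watch) are configured in the platform and are only relied on here, via the exit status of the build scan.

```shell
#!/usr/bin/env bash
# Added example, not the webinar's or jfrog/project-examples' code.
# Assumed names (not from the page): host artifactory.example.com, virtual
# NuGet repo "nuget-virtual", local repo "msb-local", CLI server ID "rt".
set -eu

ART_HOST="${ART_HOST:-artifactory.example.com}"
NUGET_VIRTUAL="${NUGET_VIRTUAL:-nuget-virtual}"
LOCAL_REPO="${LOCAL_REPO:-msb-local}"
SERVER_ID="${SERVER_ID:-rt}"
# Set JFROG_BIN=echo to print the CLI invocations instead of running them.
JFROG_BIN="${JFROG_BIN:-jfrog}"

# 1. Make the NuGet client resolve only through the virtual repository.
#    <clear /> discards every source inherited from user- or machine-level
#    NuGet.Config files (typically nuget.org), so restores cannot bypass the
#    approved local -> remote-cache -> remote resolution order in Artifactory.
write_nuget_config() {
  local out="$1"
  cat > "$out" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="artifactory" value="https://${ART_HOST}/artifactory/api/nuget/v3/${NUGET_VIRTUAL}" protocolVersion="3" />
  </packageSources>
</configuration>
EOF
}

# 2. Upload build outputs and attach them to a named build, preserving the
#    source directory layout (--flat=false), as in the demo's upload step.
upload_artifacts() {
  local name="$1" number="$2" pattern="$3" target="$4"
  "$JFROG_BIN" rt upload "$pattern" "$target" \
    --flat=false --build-name="$name" --build-number="$number" --server-id="$SERVER_ID"
}

# 3. Collect the environment into the build info, then publish it so the
#    build can later be diffed, reproduced and scanned.
publish_build_info() {
  local name="$1" number="$2"
  "$JFROG_BIN" rt build-collect-env "$name" "$number" --server-id="$SERVER_ID"
  "$JFROG_BIN" rt build-publish "$name" "$number" --server-id="$SERVER_ID"
}

# 4. Scan the published build with Xray. With a policy whose rule blocks and
#    a watch covering the target repository, a violating build makes this
#    command return non-zero, and set -e then stops the pipeline here.
scan_build() {
  local name="$1" number="$2"
  "$JFROG_BIN" rt build-scan "$name" "$number" --server-id="$SERVER_ID"
}

# 5. Read the stored build info back through the CLI's curl passthrough.
fetch_build_info() {
  local name="$1" number="$2"
  "$JFROG_BIN" rt curl -XGET "/api/build/${name}/${number}" --server-id="$SERVER_ID"
}

main() {
  local name="msb-library" number="${BUILD_NUMBER:-$(date +%Y%m%d%H%M%S)}"
  write_nuget_config NuGet.Config
  dotnet build -c Release
  upload_artifacts "$name" "$number" "bin/Release/*.dll" "${LOCAL_REPO}/${name}/"
  publish_build_info "$name" "$number"
  scan_build "$name" "$number"
  fetch_build_info "$name" "$number"
}

# The pipeline only runs when invoked as `bash build.sh run`; otherwise the
# functions can be sourced and dry-run with JFROG_BIN=echo and no server.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it from the project directory as `bash build.sh run` once the CLI has a server ID configured; `JFROG_BIN=echo bash -c '. ./build.sh; upload_artifacts msb-library 1 "bin/Release/*.dll" msb-local/msb-library/'` prints the exact upload command without contacting Artifactory. Because the scan step fails the script on a policy violation, put the promotion step after it, not before.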
