JFrog GoCenter includes free vulnerability scanning of your Go modules using JFrog Xray technology. GoCenter provides you the CVE ID, severity level and a brief description of each issue. Go module vulnerability information is also available for free in VSCode with the JFrog Extension. For more advanced security and compliance features, checkout JFrog Xray.
GoCenter and JFrog Xray
Xray scans every Go Module in GoCenter (deprecated) and identifies security vulnerabilities in each module and version without you having to do a thing! When you land on a specific module page, you’ll know if there is a vulnerability in that module version if a warning triangle exists next to the security tab or on the dependency page. Clicking on the warning triangle will direct you to the security page that provides specific information about each vulnerability including the CVE number, severity, and description. Xray in GoCenter is a snapshot of Xray’s full capabilities.
Immutable Go Modules & Dependency Informatoin
CVE, Severity, Description
Advanced Features with
Xray in GoCenter gives you the visibility you need to understand the vulnerabilities found. For advanced features including known remediation information, you’ll want to utilize the full version of Xray! Here are some of the main features and benefits you’ll get when utilizing the full version of JFrog Xray:
Robust Support of Go
With the new GoCenter integration, vulnerability scanning for Go Modules is now supported. Additionally, Artifactory as your binary repository manager also supports using Go and GoCenter as a proxy. In fact, if your Go Modules are being deployed inside a Docker container, Xray can be used to scan your Docker image for any known vulnerabilities.
Universal Security & Compliance
Xray supports all major package types, understands how to unpack them, and uses recursive scanning to see into all of the underlying layers and dependencies of components, even those packaged in Docker images, and zip files.
Native Integration with Artifactory
Xray is the only Software Composition Analysis (SCA) solution that natively integrates with Artifactory optimizing scanning performance, and providing unified operation and a single pane of glass view into all of the information about your artifacts including security and compliance status.
Want to try the full JFrog Xray experience? Take a Free Xray Trial
Leading Vulnerability Intelligence
Gain confidence in your Software Distribution with the most timely and comprehensive vulnerability intelligence VulnDB, coupled with other metadata sources of vulnerabilities, license compliance, component versions and others to mitigate false positives.
JFrog IDE extensions
You can use JFrog IDE extensions to identify vulnerable packages as soon as you define them in your dependencies in your code. IDE support includes: Visual Studio Code, Visual Studio, Eclipse IDE and IntelliJ IDEA.
Open for Integration and Automation
In addition to being integrated with VulnDB and other sources of OSS component version and vulnerability intelligence, it is also open to integration with other databases and tools. Using Xray’s REST API, customers can integrate Xray with their own DevOps tools ecosystem for easy automation.
Open for Different Issue Types
Xray is not limited to security vulnerabilities; it can receive any type of information about software component that can help you make decisions. For example, you can provide Xray with information about components that have performance issues or severe defects and the impact that these components have on your software.
Deep Recursive Scanning
Xray performs a deep scan of artifacts, recursively going through dependencies at any level and creating a graph of relationships between software components. For example, when analyzing a Docker image, if Xray finds that it contains a Java application it will also analyze all the .jar files used in this application.
Stopping Vulnerable Packages and use Xray for License Compliance
One of the most celebrated features of Xray is the ability to monitor your Go Modules for vulnerabilities and set “watchers” to automatically fail a build if a vulnerable package has been found. You can also set up watchers to scan for open source licenses and stop builds if your project or dependencies are missing one. This makes license compliance a breeze.
Impact Analysis Graph
Xray listens to all providers currently streaming feeds regarding issues. If any provider notifies Xray of a new issue with an artifact, Xray looks up the artifact in its database. If the artifact is already in the database, Xray analyzes how an issue in one component affects all others in your company and displays the chain of impact in a component graph. Xray will perform an impact analysis to determine all the artifacts in Artifactory that are ultimately affected by the issue by virtue of their including the problematic artifact. The results are displayed in an impact analysis graph.
By using the JFrog extension in VSCode, you will have direct access to a free vulnerability scanning solution for your Go modules that will vastly accelerate development. Without you needing to do anything special, vulnerability scanning of your open source and 3rd party module dependencies will happen automatically in the background, and as you import new modules in the editor, VSCode with GOCenter will display new vulnerability information right away.
With this extension, GoCenter will automatically provide you with all of the vulnerable module license information, the number of issues and severity level, and links to additional metadata; all from from within Visual Studio Code. If you’d like advanced security features such as remediation information, The VS Code extension is already setup to use JFrog Xray, which you can get a free trial of here:
