
Exploring further: scanning source-code dependencies with the JFrog CLI and Xray, step by step

Author: JFrog China

Security vulnerabilities and license violations should be identified as early as possible, and the sooner in the SDLC, the better.

As part of the secure "shift left," the JFrog CLI and Xray now allow dependencies to be scanned on demand directly from the source using simple commands.

This enhancement helps organizations comply with their security policies and standards by ensuring that development teams upload only scanned, compliant binaries to Artifactory.

Dependency scanning in source code is available as part of the new v2 release of the JFrog CLI, which supports Maven, Gradle, and npm packages. Support for Go and Pip packages is coming soon!

Did you know? The JFrog CLI is a flexible and intelligent client that works with Artifactory, Xray, Distribution, and Mission Control to provide powerful functionality for your automation scripts in a readable and reliable manner.

Before you begin, you need to:

Install the JFrog CLI (version 2.1.0 or later), using the installer of your choice.

Install JFrog Artifactory and Xray (Xray version 3.29.0 or later).

Install Maven, Gradle, or npm, whichever corresponds to the source you want to scan.

You can scan in one of two ways: scan the sources on their own before the deployment phase, or scan as part of the build. In both cases, we'll start by configuring your JFrog platform in the JFrog CLI.

Use the JFrog CLI to configure the server

Run $ jfrog c add anywhere on your machine to configure your platform details.

Run $ jfrog rt ping to verify your connection.

Option 1: Run the scan command

Scan the source code on demand, not as part of the build. Run the audit command from the top-level directory that contains the source files. Each supported package manager has its own audit commands. For example, to scan a Maven project in source code and report all vulnerabilities:

$ jfrog xr audit-mvn

The corresponding commands for Gradle and npm are:

$ jfrog xr audit-gradle or $ jfrog xr audit-npm

By default, the scan returns vulnerability data found in all dependencies. To retrieve violation data using a specific Watch configuration, repository path, or project, you need to use one of the following command options:

--watches – followed by a comma-separated list of Xray watches

--repo-path – followed by the target repository path

--project – followed by a project key

Note that if you run a scan using one of these command options, the scan results will show only the violation data and not the vulnerability data. To view vulnerability data, run a scan without these options.

By default, the results are displayed in a tabular format.

For automation purposes, you can return the results in JSON format instead. To change the format, provide the format option: --format=json.

View other options by providing the --help option in the terminal, or read the available commands in the JFrog CLI documentation.
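The JSON output is what makes the audit commands usable as a pipeline gate. The following is an added example (not JFrog's code, and not part of the original post) of a small CI wrapper: it builds the audit command line described above, runs it with --format=json, and fails the gate when any finding reaches a chosen severity. The JSON field names it reads (vulnerabilities, violations, severity, impactedPackageName, impactedPackageVersion) are assumptions modelled on the vulnerability/violation split the post describes; check them against the real output of your CLI version before relying on the gate. The sample report embedded below is constructed so the parsing and gating logic can be exercised without a JFrog platform.

```python
"""CI gate around the JSON output of `jfrog xr audit-*`.

Added example, not JFrog's own code. The JSON shape parsed here is an
ASSUMPTION; compare it with `jfrog xr audit-mvn --format=json` output
from your CLI version and adjust the field names if they differ.
"""
import json
import subprocess
from collections import Counter
from typing import Dict, List, Optional

# Severity levels the gate understands, most severe first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Unknown"]
_RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Package manager -> audit sub-command, as listed in the post.
AUDIT_COMMANDS = {"maven": "audit-mvn", "gradle": "audit-gradle", "npm": "audit-npm"}


def build_audit_command(package_manager: str,
                        watches: Optional[List[str]] = None) -> List[str]:
    """Return the argv for an on-demand scan with JSON output.

    Passing watches adds --watches, which switches the report from
    vulnerability data to violation data for those watches.
    """
    cmd = ["jfrog", "xr", AUDIT_COMMANDS[package_manager], "--format=json"]
    if watches:
        cmd.append("--watches=" + ",".join(watches))
    return cmd


def run_audit(package_manager: str,
              watches: Optional[List[str]] = None) -> list:
    """Run the scan from the project's top-level directory and parse the JSON.

    Not exercised offline; it shells out to the real jfrog binary.
    """
    proc = subprocess.run(build_audit_command(package_manager, watches),
                          check=False, capture_output=True, text=True)
    return json.loads(proc.stdout)


def collect_findings(report: list) -> List[Dict[str, str]]:
    """Flatten vulnerabilities and violations from every result object.

    Field names are assumed (see module docstring).
    """
    findings = []
    for result in report:
        for kind in ("vulnerabilities", "violations"):
            for item in result.get(kind) or []:
                findings.append({
                    "kind": kind,
                    "severity": item.get("severity", "Unknown"),
                    "package": "%s:%s" % (item.get("impactedPackageName"),
                                          item.get("impactedPackageVersion")),
                })
    return findings


def count_by_severity(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Summary used for the pipeline log line."""
    return dict(Counter(f["severity"] for f in findings))


def gate(findings: List[Dict[str, str]], fail_at: str = "High") -> bool:
    """True when no finding is at or above the `fail_at` severity.

    Severities the gate does not recognise are treated as Unknown, i.e.
    least severe, so an unexpected label never silently blocks a build.
    """
    threshold = _RANK[fail_at]
    unknown = _RANK["Unknown"]
    return not any(_RANK.get(f["severity"], unknown) <= threshold
                   for f in findings)


# Constructed sample report (not real Xray output): one result object with
# three vulnerabilities and no violations, as a watch-less scan would give.
SAMPLE_REPORT = json.loads("""
[
  {
    "vulnerabilities": [
      {"severity": "High", "impactedPackageName": "org.example:lib-a",
       "impactedPackageVersion": "1.0.0", "cves": [{"id": "CVE-PLACEHOLDER-1"}]},
      {"severity": "Medium", "impactedPackageName": "org.example:lib-b",
       "impactedPackageVersion": "2.3.1", "cves": [{"id": "CVE-PLACEHOLDER-2"}]},
      {"severity": "Low", "impactedPackageName": "org.example:lib-c",
       "impactedPackageVersion": "0.9.0", "cves": []}
    ],
    "violations": []
  }
]
""")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; in CI you would use
    # `findings = collect_findings(run_audit("maven"))` instead.
    findings = collect_findings(SAMPLE_REPORT)
    print("findings by severity:", count_by_severity(findings))
    print("gate passed at High:", gate(findings, "High"))
    raise SystemExit(0 if gate(findings, "High") else 1)
```

In a pipeline, swap the sample for run_audit(...) and let the script's exit status decide whether the job continues; the --watches form reports only violations, so the same gate can be pointed at your policy watches rather than at raw vulnerability data.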

Option 2: Conditional upload - Maven and Gradle

In this approach, as part of a build run through the JFrog CLI, all output files are scanned locally before they are uploaded. If any file is found to be vulnerable, the upload is skipped.

To configure the JFrog CLI for your build, including selecting the resolution and deployment repositories and other build options, use the appropriate package manager configuration command in the project's top-level directory: $ jfrog rt mvn-config or $ jfrog rt gradle-config.

By default, the configuration command runs interactively. Set the CI=TRUE environment variable for non-interactive use.

Read about the configuration and build commands in the documentation, or use the --help option to view them.

After configuring the build, run the build command with the appropriate targets/tasks and options, and provide the –scan option to use conditional upload.

For example:

$ jfrog rt mvn clean install --scan

$ jfrog rt gradle clean build --scan

The JFrog CLI integrates with Xray by downloading the indexer component from Xray (this download happens only on first use or after an update).

When a scan is requested, the CLI assembles a hierarchical dependency tree and passes it to the indexer, which in turn returns the vulnerability/violation results.

More can be done with the JFrog CLI; learn more in the documentation. You can even develop and share your own plugins!

The JFrog CLI project and its dependencies are open source. Ask a question in the project's GitHub Issues section, or let us know about other features you'd like to see.

JFrog CLI document address:

https://www.jfrog.com/confluence/display/CLI/JFrog+CLI?ivk_sa=1024320u
