The integration between Black Duck Code Center and Artifactory offers you an automated, non-invasive approach to the open source component approval process, in addition to proactively monitoring for security vulnerabilities that may be associated with specific binary components. License, security vulnerability and approval status are pulled from the Black Duck Knowledge Base.
This chapter describes:
The add-on adds a Governance tab in Builds, allowing automation of the approval process of an existing Black Duck application in accordance with the build info.
Configuring Artifactory with Code Center
To configure Artifactory with Code Center click on the Admin tab and then go to Configuration -> Black Duck.
Additional Artifact Information
The window is divided into three sections with the information coming from the Code Center Knowledge Base:
To view the additional metadata received from the Code Center in the Tree Browser click on the Artifacts tab and then go to Browse -> Tree Browser.
From the Tree Browser select the artifact to be viewed and select the Governance tab.
Note that you can click Edit to manually edit the Code Center Component ID.
The information appearing in the Governance tab is also cached in the Properties tab and can be both searched for and edited.
Artifactory Code Center Build Integration
Builds performed in the CI Server and deployed to Artifactory can be integrated into the Code Center approval process in an automated and non-invasive way. When a build completes successfully, Artifactory can run compliance checks and provide a report showing the current governance state of the build via the user interface.
To run the Code Center compliance checks, you must first configure the CI Server Job.
The Application Name and Application Version are mandatory fields and represent the existing Code Center application. You can optionally add the email address of where the compliance report is to be sent.
For additional information on the remaining fields, click on the ? icon on each field.
Governance Status Summary View
Once the CI Job is completed, compliance checks are run automatically.
To view the Code Center build integration, click on the Artifacts tab, go to Browse -> Builds and select the required build from the list. Once you have selected the required build, click the Governance tab.
The Code Center Application section displays application information as it appears in the Code Center and includes the overall approval status.
In addition, the Components and Vulnerabilities are displayed.
The Components section shows how many components were found in the BOM and created in the Code Center application. Details of their status (pending, rejected, etc.) are given together with licensing details taken from the Black Duck Knowledge Base.
The Vulnerabilities section displays the aggregated vulnerabilities found in the application. These details are also taken from the Black Duck Knowledge Base.
Grouping and Sorting
Components can be sorted according to any field. You can also group components according to License, Status or Scope by clicking on the group icon in the column header, giving you a variety of comprehensive views of the current status of the build.
For example, the screenshot below shows the build components displayed according to various types of license.