Overview

Xray scanning requires Artifactory Pro X, Enterprise with Xray, or an Enterprise+ license.

JFrog Xray scans your resources and displays Xray data in the JFrog Platform, providing radical transparency about any infected components or license breaches in your software. Xray data is located within each of your resource pages, allowing you to quickly review the status of your scanned resources: Packages, Package Versions, Builds, Artifacts, or Release Bundles.

If need be, you can drill down to gain radical transparency about any infected components or license breaches in your software, as described in the following section.



Analyzing Detailed Scanned Data on Resources

Each of the scanned resources (packages, builds, artifacts and Release Bundles) contains the following set of Xray sub tabs and a list of actions.

The Xray Data sub tabs are:

  • Violations: Violations of the filters defined on a watch. They are only reported for the root component, not for its dependencies.
  • Security: Known security vulnerabilities for the selected component.
  • Licenses: OSS licenses used by the component.
  • Descendants: Components that the selected component includes (depends on).
  • Ancestors: Components that include (depend on) the selected component.

The following sections describe the Xray Data sub tabs, using the Packages resource as an example. The tabs are identical for builds, artifacts and Release Bundles.

Violations

Displays the violations detected on the package version based on the watches and associated policies set by the users. You can view the vulnerability severity, type and the associated policies. To view a component and its dependencies, click on the Component icon. You can choose to ignore all violations detected on a watch, or a single violation, in cases where a violation is low priority, needs to be whitelisted, or will be dealt with in future versions. For more information, see Ignoring Violations on a Watch.

 

Security

Displays the known security vulnerabilities for the selected package version, along with the affected versions and the fixed versions that do not contain the vulnerability.

To examine the details of a violation, click the violation in the list to display the Issues Details popup.

Licenses

Displays the licenses assigned to a specific version. A license triggers a violation if it matches the criteria of any existing Watch. Click on the License to view the license attached to the components.

Descendants

Displays the components that the selected component includes (depends on).

Ancestors

Displays components that include (depend on) the selected component.


Xray Actions

Scanning for Violations

To initiate a manual scan on your package version, select Scan for Violations from the Actions list.


Assigning Custom Issues

A security vulnerability created by a user is tagged as a Custom issue and can be deleted by users assigned with the Manage Xray Metadata permission.

Assigning Custom Licenses

A license created by a user is tagged as a Custom license and can be deleted by 

From the Actions list, select Assign a Custom License to assign a Custom license to a component in your version.

Select a license from a predefined list of licenses.

Click Save. A manual scan is triggered to update the license list.

Exporting Xray Data

Using the Actions menu, you can export full details for the selected component and version including violations, security issues and licenses. From the Xray Data tab on the package versions page, select Export Data from the Actions list.

In the Export Data popup, specify whether to export violations, licenses or security data, and select the export format.

The file is downloaded to your local drive.

Below are some examples of exported files in different formats.

  You can also automate exporting component details using the Export Component Details REST API endpoint.


Copyright © 2020 JFrog Ltd.