Step 1: Build and Run your Maven or Gradle project
As you already know, Maven and Gradle are build systems with built-in support for resolving dependencies from configurable repositories. Both can cache dependencies locally and download them in parallel.
- Fork the JFrog DevRel GitHub repository. Here you will find the JFrog Gradle and Maven challenge repositories, containing the Maven and Gradle projects.
Move to the project directory and run the clean install command:
$ mvn clean install
Step 2: Login to your environment
Log in using the credentials provided to you by email, or with any other administrator user you create after logging in.
Step 3: Add repositories & artifacts
This step will walk you through creating a Maven/Gradle repository type and uploading your project, allowing you to use Artifactory as your artifact repository. You can then follow the instructions to create other types of repositories, such as npm, Docker, and Go.
- Navigate to the Administration Module. Expand the Repositories menu and click on the Repositories menu item.
- Create 3 new Maven/Gradle package type repositories:
- Add a new Local Repository with the Repository Key “maven-challenge-local” or “gradle-challenge-local” and keep the rest of the default settings.
- Click on the Remote tab and add a new Remote Repository with the Repository Key “maven-challenge-remote” or “gradle-challenge-remote” and keep the rest of the default settings.
- Click on the Virtual tab and add a new Virtual Repository with the Repository Key “maven-challenge” or “gradle-challenge”.
- Add the local and remote Maven/Gradle repositories you just created.
- Configure JFrog CLI, a client that provides a simple command-line interface to the JFrog products and simplifies automation scripts.
Configure the Artifactory server.
$ jf c add
- Take the following steps to build the project with Maven/Gradle and resolve the project dependencies from Artifactory.
- Move to the root project directory (cd Maven_Challenge or cd Gradle_Challenge) and configure the project's repositories:
$ jf mvn-config
or
$ jf gradle-config
Build the project, resolving its dependencies from Artifactory:
$ jf mvn clean install -f path/to/pom-file --build-name maven-challenge --build-number 1.0.0
or
$ jf gradle clean artifactoryPublish -b path/to/build.gradle --build-name gradle-challenge --build-number 1.0.0
Publish the build info to Artifactory.
$ jf rt bp maven-challenge 1.0.0
or
$ jf rt bp gradle-challenge 1.0.0
- Navigate to the Application Module, in the Platform UI, expand the Artifactory menu and click the Artifacts menu item. Here you’ll be able to see the details of your new artifacts.
Step 4: Scan for OSS security vulnerabilities & compliance
This step will walk you through defining a Policy, assigning it to a Watch, selecting a repository to monitor, and running your scan!
- Navigate to the Administration Module. Click on the Xray Security & Compliance menu and the Indexed Resources menu item.
- Add your “maven/gradle-challenge-local”, “maven/gradle-challenge-remote” repositories to your indexed resources by clicking Add a Repository.
- Define a security policy that you will later enforce in a watch.
- Navigate to the Application module, expand the Security & Compliance menu and click the Policies menu item.
- Create a new policy called “maven/gradle-security”, of type Security, with a rule called “maven/gradle-high-severities” set to trigger on High severities.
- Define a watch that includes your new security policy. A watch provides context to a policy by assigning it to resources such as repositories.
- Navigate to the Application module, expand the Security & Compliance menu and click the Watches menu item.
Create a new watch called “sample-watch”, with your 2 repositories (“maven/gradle-challenge-local” and “maven/gradle-challenge-remote”) and your “maven/gradle-security” policy assigned to it by clicking Manage Policies.
Watches, Policies & Rules
Policies let you define security and license compliance behaviors specific to your organization. Once defined, they are enforced by applying them to watches. Rules define the behaviors that a policy enforces.
Run your scan by hovering over your watch and clicking on Apply on Existing Content to manually trigger it.
The Xray scan may take some time to complete and show the vulnerabilities results. You can return to this step later to see your vulnerabilities.
- View any discovered vulnerabilities by clicking on your watch.
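The same policy and watch can be created without the UI, which is how you would keep this configuration in version control. The script below is an added example, not part of the JFrog tutorial: it builds the policy and watch definitions with the names used above and posts them to the Xray REST API. The endpoint paths, the JSON field names and the JF_URL / JF_ACCESS_TOKEN environment variables are assumptions based on the public Xray v2 API, not values taken from this page.

```python
import json
import os
import urllib.request

# Names from the tutorial; the Gradle variant only swaps the prefix.
PREFIX = "maven"  # or "gradle"
REPOS = [f"{PREFIX}-challenge-local", f"{PREFIX}-challenge-remote"]
POLICY = f"{PREFIX}-security"
RULE = f"{PREFIX}-high-severities"
WATCH = "sample-watch"


def policy_payload(name=POLICY, rule=RULE, min_severity="High"):
    """Security policy with one rule that fires on High (and above) severities."""
    return {
        "name": name,
        "type": "security",
        "description": "Fail on high-severity vulnerabilities (JFrog challenge)",
        "rules": [{
            "name": rule,
            "priority": 1,
            "criteria": {"min_severity": min_severity},
            # fail_build marks the published build as failed when a violation is found.
            "actions": {"fail_build": True, "webhooks": []},
        }],
    }


def watch_payload(name=WATCH, repos=REPOS, policy=POLICY):
    """Watch that binds the policy to the two challenge repositories."""
    return {
        "general_data": {"name": name, "active": True},
        "project_resources": {"resources": [
            {"type": "repository", "bin_mgr_id": "default", "name": r} for r in repos
        ]},
        "assigned_policies": [{"name": policy, "type": "security"}],
    }


def post_json(base_url, path, token, payload):
    """POST a JSON payload to Xray and return the HTTP status (assumed endpoints)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}{path}", data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    base, token = os.environ["JF_URL"], os.environ["JF_ACCESS_TOKEN"]  # assumed env vars
    post_json(base, "/xray/api/v2/policies", token, policy_payload())
    post_json(base, "/xray/api/v2/watches", token, watch_payload())
```

After both calls succeed, the watch appears in the Watches page exactly as if created by hand, and Apply on Existing Content can be triggered from the UI as described above.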
Congratulations! You’re all set and ready to continue exploring the JFrog Platform.
Learn More
Now that you’re familiar with the basic functionality of the JFrog Platform and the solutions included in your subscription, here are some useful resources to continue learning and exploring the Platform.
Documentation Resources
- JFrog Platform: JFrog Platform overview, Application Module, Administration Module, REST API
- JFrog Artifactory: Package Management, Browsing Artifacts, Maven Repository
- JFrog Xray: Indexing resources, Creating Xray policies and rules, Configuring Xray watches
- Administration: Identity and Access
- Tools & Integrations: CLI for JFrog Artifactory, JFrog CLI, IDE integrations
Other Resources
- Free, self-paced training for JFrog solutions at the JFrog Academy
- Get introduced to the JFrog Platform capabilities