The integration between Black Duck Code Center and Artifactory offers you an automated, non-invasive approach to the open source component approval process, in addition to proactively monitoring for security vulnerabilities that may be associated with specific binary components. License, security vulnerability and approval status are pulled from the Black Duck Knowledge Base.
This chapter describes:
- How to configure Artifactory with Code Center
- Viewing additional artifact Information
- Artifactory Code Center build integration
The add-on adds a Governance tab in Builds, allowing automation of the approval process of an existing Black Duck application in accordance with the build info.
Black Duck integration is supported for Java and NuGet only
Component governance through Artifactory's integration with Black Duck is only supported for Java (using Maven, Ivy or Gradle) and NuGet artifacts. Build component governance is provided for Java artifacts through our CI Server plugins for Jenkins, TeamCity or Bamboo, and for NuGet artifacts through the MSBuild Artifactory Plugin (usable with any CI server that supports MSBuild).
Configuring Artifactory with Code Center
To configure Artifactory with Code Center click on the Admin tab and then go to Configuration -> Black Duck.
| Field | Description |
|---|---|
| Server URI | URI of the Black Duck Code Center instance |
| Username | Black Duck Code Center authentication username |
| Password | Black Duck Code Center authentication password |
| Network Timeout | Network timeout in milliseconds. Default is set to 20 seconds |
If Artifactory is using a proxy to access remote resources (as described in Managing Proxies), be aware that communication to Code Center will go through the same proxy.
Additional Artifact Information
The Governance tab is divided into three sections, with the information coming from the Code Center Knowledge Base:
- General information including the Component Name, Version and ID together with a link to the Homepage and Description of the artifact
- Details of the license
- List of known security vulnerabilities, if any.
To view the additional metadata received from Code Center, select the component in the Artifact Repository Browser of the Artifacts module, and then select the Governance tab.
Manually editing the Component ID
The information appearing in the Governance tab, including the Component ID, is also cached as properties in the Properties tab, where it can be both searched for and edited.
Artifactory Code Center Build Integration
Builds performed in the CI Server and deployed to Artifactory can be integrated into the Code Center approval process in an automated, non-invasive way. When a build completes successfully, Artifactory can run compliance checks and provide a report showing the current governance state of the build via the user interface.
To run the Code Center compliance checks, you must first configure the CI Server Job.
The Application Name and Application Version are mandatory fields and represent the existing Code Center application. You can optionally add the email address of where the compliance report is to be sent.
For additional information on the remaining fields, click on the ? icon on each field.
Governance Status Summary View
Once the CI Job is completed, compliance checks are run automatically.
To view the build integration with Code Center, select the corresponding build from the Build Browser in the Build module, and then select the Governance tab.
The Code Center Application section displays application information as it appears in the Code Center and includes the overall approval status.
In addition, the Components and Vulnerabilities are displayed.
The Components section shows how many components were found in the BOM and created in the Code Center application. Details of their status (pending, rejected, etc.) are given together with licensing details taken from the Black Duck Knowledge Base.
The Vulnerabilities section displays the aggregated vulnerabilities found in the application. These details are also taken from the knowledge base of Black Duck.
Once you have updated the status in Code Center, whether to approved or rejected, click on the Governance tab again to refresh the information displayed in Artifactory.
You can click on the Artifact ID to link out to the Code Center UI where you can perform other tasks such as approving or rejecting the artifact.
Grouping and Sorting
Components can be sorted according to any field. You can also group components by License, Status or Scope by clicking on the group icon in the corresponding column header, giving you a variety of ways to view the current status of the build.
For example, the screenshot below shows the build components grouped by License.