
Overview

JFrog Xray is a universal binary analysis product that works with Artifactory to analyze software components, and reveal a variety of issues at any stage of the software application lifecycle. By scanning binary components and their metadata, recursively going through dependencies at any level, JFrog Xray provides unprecedented visibility into issues lurking in components anywhere in your organization. As a complementary product to Artifactory, JFrog Xray has access to the wealth of metadata Artifactory stores which, combined with deep recursive scanning, puts Xray in a unique position to analyze the relationships between binary artifacts and provide radical transparency into your component architecture to reveal the impact that an issue in one component has on any other.

For more information about the types of analyses that Xray performs, please refer to Watches in the JFrog Xray User Guide.

How Does It Work

For Xray to perform its analyses it needs to be connected to an instance of Artifactory in order to access its repositories and metadata. Once connected, Xray can index the artifacts in Artifactory's repositories to efficiently access them for Scanning or Impact Analysis. Since the indexing process is resource intensive, Xray does not automatically analyze all of your repositories; you need to specify which repositories should be indexed. All builds are indexed automatically.

Version Compatibility

JFrog Xray can connect to Artifactory from version 4.0 and above.

Configuring the Integration

Configuring Artifactory to work with JFrog Xray involves the following three main steps:

  1. Connecting Artifactory to JFrog Xray
  2. Specifying repositories whose artifacts should be indexed for analysis by Xray and configuring download blocking
  3. Indexing artifacts

In addition, JFrog Xray should be properly configured as described in Configuring Xray in the JFrog Xray User Guide.

Connecting to JFrog Xray

The connection between Artifactory and Xray is established by Xray which creates a user with "admin" privileges called xray in Artifactory in order to access the data it needs to perform its different analyses and functions.

For details, please refer to Connecting to Artifactory in the JFrog Xray User Guide.

Specifying Repositories for Analysis

For Xray to analyze the artifacts in your installation efficiently, it first needs to index them in its database. If Xray were to index and analyze all of the artifacts in your Artifactory installation, that could cause excessive processing and cluttered component graphs which may obscure the significant components you are really interested in. Therefore, to let you focus on the most important artifacts in your Artifactory installation, Xray will only analyze artifacts from repositories you mark for indexing. There is no need to specify builds; all builds are automatically indexed by Xray.

Repositories marked for indexing by Xray are found in the Admin module under Configuration | JFrog Xray.


Xray Integration

To enable analysis of repositories in general, you first need to globally enable Xray by setting the Enable Xray Integration checkbox.

Once repositories are marked for analysis, Xray will index (and reindex) their artifacts based on different triggers such as adding, deleting and moving artifacts. Artifacts in all builds are indexed automatically by JFrog Xray and re-indexed each time a new build is created.

There are two ways to specify repositories whose artifacts should be indexed:

  1. Per repository
  2. In bulk

Per Repository

To specify a specific repository for indexing, in the repository Basic configuration, under Xray Integration, check Enable Indexing in Xray.

Enable Indexing

In Bulk

The Xray Integration screen displays the repositories that have been enabled for indexing. To add more repositories for indexing, click Add.

Adding repositories for indexing

From the list of Available Repositories select the repositories you wish to add for indexing and click "Save".
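As an added example (not part of the JFrog documentation or of the product itself), the following Python script audits which local and remote repositories are not marked for Xray indexing, so that gaps in scan coverage can be spotted without opening each repository's configuration. It assumes that the `xrayIndex` field in Artifactory's repository configuration JSON corresponds to the Enable Indexing in Xray checkbox and that the `/api/repositories` endpoints return that JSON; the sample repository data is constructed.

```python
import json
import urllib.request
from typing import Dict, Iterable, List

# Constructed sample of repository configuration documents, shaped like the JSON that
# GET /api/repositories/{repoKey} returns. "xrayIndex" is assumed to be the JSON form of
# the "Enable Indexing in Xray" checkbox described on this page; values are made up.
SAMPLE_REPOS: List[Dict] = [
    {"key": "libs-release-local", "rclass": "local", "packageType": "maven", "xrayIndex": True},
    {"key": "npm-remote", "rclass": "remote", "packageType": "npm", "xrayIndex": False},
    {"key": "docker-local", "rclass": "local", "packageType": "docker"},   # field absent
    {"key": "libs-virtual", "rclass": "virtual", "packageType": "maven"},  # holds no artifacts
]
INDEXABLE_CLASSES = ("local", "remote")

def is_indexed(repo: Dict) -> bool:
    """True when the repository is marked for Xray indexing; an absent field means disabled."""
    return bool(repo.get("xrayIndex", False))

def unindexed_repositories(repos: Iterable[Dict]) -> List[str]:
    """Keys of local/remote repositories whose artifacts Xray will never analyze.
    Virtual repositories are skipped: they aggregate other repositories and hold nothing."""
    return sorted(r["key"] for r in repos
                  if r.get("rclass") in INDEXABLE_CLASSES and not is_indexed(r))

def coverage_by_package_type(repos: Iterable[Dict]) -> Dict[str, Dict[str, int]]:
    """Per package type, how many indexable repositories are indexed vs. not."""
    out: Dict[str, Dict[str, int]] = {}
    for r in repos:
        if r.get("rclass") not in INDEXABLE_CLASSES:
            continue
        bucket = out.setdefault(r.get("packageType", "unknown"), {"indexed": 0, "unindexed": 0})
        bucket["indexed" if is_indexed(r) else "unindexed"] += 1
    return out

def fetch_repository_configs(base_url: str, token: str) -> List[Dict]:
    """Pull every repository configuration from a live Artifactory (assumed endpoints:
    GET /api/repositories for the listing, GET /api/repositories/{key} for each config)."""
    def get(path: str):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return [get("/api/repositories/" + entry["key"]) for entry in get("/api/repositories")]

if __name__ == "__main__":
    # Offline run over the constructed sample; pass the result of fetch_repository_configs
    # to the same two functions to audit a live instance.
    print("Not indexed by Xray:", unindexed_repositories(SAMPLE_REPOS))
    print("Coverage:", coverage_by_package_type(SAMPLE_REPOS))
```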

Configuring and Overriding Download Blocking

Configuring download blocking per Artifactory version

Prior to version 5.10, download blocking for unscanned artifacts, or for artifacts with vulnerabilities of a given severity, was configured in Artifactory.

From version 5.10, this configuration has been removed from Artifactory and is instead available in JFrog Xray version 1.12 and above.

To prevent potentially harmful artifacts from being used by developers, an administrator can configure JFrog Xray to prevent them from being downloaded from Artifactory. For more details, please refer to Download Blocking in the JFrog Xray User Guide.

If download blocking is configured in JFrog Xray, you can override this behavior with the following two settings in Artifactory under Admin | Xray Configuration:

  • Allow downloads when Xray is unavailable: By default, if Xray becomes unavailable to Artifactory for any reason, all artifact downloads are blocked (the integration fails closed). Setting this checkbox overrides this behavior and allows artifacts to be downloaded while Xray is unavailable (the integration fails open).
  • Allow downloads of blocked artifacts: JFrog Xray may block different artifacts for download from Artifactory according to Watches defined in Xray's configuration. Setting this checkbox overrides this behavior and allows artifacts to be downloaded even if they have been blocked by Xray.

Indexing Artifacts

Once JFrog Artifactory and JFrog Xray have been configured to work together, artifacts will be indexed for analysis on an ongoing basis according to different events that happen in Artifactory. To populate Xray's initial database of artifacts, you need to invoke indexing manually. For details, please refer to Indexing Artifacts in the JFrog Xray User Guide.
