JFrog Xray is a universal binary analysis product that works with Artifactory to analyze software components, and reveal a variety of issues at any stage of the software application lifecycle. By scanning binary components and their metadata, recursively going through dependencies at any level, JFrog Xray provides unprecedented visibility into issues lurking in components anywhere in your organization. As a complementary product to Artifactory, JFrog Xray has access to the wealth of metadata Artifactory stores which, combined with deep recursive scanning, puts Xray in a unique position to analyze the relationships between binary artifacts and provide radical transparency into your component architecture to reveal the impact that an issue in one component has on any other.
For more information about the types of analyses that Xray performs, please refer to Watches in the JFrog Xray User Guide.
How Does It Work
For Xray to perform its analyses it needs to be connected to an instance of Artifactory in order to access its repositories and metadata. Once connected, Xray can index the artifacts in Artifactory's repositories to efficiently access them for Scanning or Impact Analysis. Since the indexing process is resource intensive, Xray does not automatically analyse all of your repositories; you need to specify which repositories should be indexed. All builds are indexed automatically.
JFrog Xray can connect to Artifactory from version 4.9 and above.
Configuring the Integration
Configuring Artifactory to work with JFrog Xray involves the following three main steps:
- Connecting Artifactory to JFrog Xray
- Specifying repositories whose artifacts should be indexed for analysis by Xray and configuring download blocking
- Indexing artifacts
In addition, JFrog Xray should be properly configured as described in Configuring Xray in the JFrog Xray User Guide
Connecting to JFrog Xray
The connection between Artifactory and Xray is established by Xray which creates a user with "admin" privileges called xray in Artifactory in order to access the data it needs to perform its different analyses and functions.
For details, please refer to Connecting to Artifactory in the JFrog Xray User Guide.
Specifying Repositories for Analysis
For Xray to analyze the artifacts in your installation efficiently, it first needs to index them in its database. If Xray were to index and analyze all of the artifacts in your Artifactory installation, that could cause excessive processing and cluttered component graphs which may obscure the significant components you are really interested in. Therefore, to let you focus on the most important artifacts in your Artifactory installation, Xray will only analyze artifacts from repositories your mark for indexing. There is no need to specify builds; all builds are automatically indexed by Xray.
Repositories marked for indexing by Xray are found in the Admin module under Configuration | JFrog Xray
To enable analysis of repositories in general, you first need to globally enable Xray by setting the Enable Xray Integration checkbox.
Once repositories are marked for analysis, Xray will index (and reindex) their artifacts based on different triggers such as adding, deleting and moving artifacts. Artifacts in all builds are indexed automatically by JFrog Xray and re-indexed each time a new build is created.
There are two ways to specify repositories whose artifacts should be indexed:
To specify a specific repository for indexing, in the repository Basic configuration, under Xray Integration, check Enable Indexing in Xray.
The Xray Integration screen displays the repositories that have been enabled for indexing. To add more repositories for indexing, click Add.
From the list of Available Repositories select the repositories you wish to add for indexing and click "Save".
Configuring Download Blocking
To prevent potentially harmful artifacts from being used by developers, an administrator can prevent them from being downloaded from Artifactory using the following two settings in the repository Basic configuration, under Xray Integration:
Block Unscanned Artifacts
|When checked, Artifactory will block download of artifacts from this repository until they have been scanned by JFrog Xray.|
Block Downloads With Severity Above
|When set, Artifactory will block download of artifacts that have been identified to include an issue with a severity of the degree selected at least.|
Once these parameters are set, a System Watch is created in Xray to detect artifacts that meet the set specifications and block their being downloaded.
Once JFrog Artifactory and JFrog Xray have been configured to work together, artifacts will be indexed for analysis on an ongoing basis according to different events that happen in Artifactory. To set up the initial database of artifacts Xray, you need to invoke indexing manually. For details, please refer to Indexing Artifacts in the JFrog Xray User Guide.