Configuring the Integration
Configuring Artifactory to work with JFrog Xray involves the following three main steps:
- Connecting Artifactory to JFrog Xray
- Specifying repositories whose artifacts should be indexed for analysis by Xray and configuring download blocking
- Indexing artifacts
In addition, JFrog Xray should be properly configured as described in Configuring Xray in the JFrog Xray User Guide.
Connecting to JFrog Xray
The connection between Artifactory and Xray is established by Xray, which creates a user called xray with "admin" privileges in Artifactory so that it can access the data it needs to perform its different analyses and functions.
For details, please refer to Connecting to Artifactory in the JFrog Xray User Guide.
Specifying Repositories for Analysis
For Xray to analyze the artifacts in your installation efficiently, it first needs to index them in its database. If Xray were to index and analyze all of the artifacts in your Artifactory installation, that could cause excessive processing and cluttered component graphs which may obscure the significant components you are really interested in. Therefore, to let you focus on the most important artifacts in your Artifactory installation, Xray will only analyze artifacts from repositories you mark for indexing. There is no need to specify builds; all builds are automatically indexed by Xray.
Repositories marked for indexing by Xray are found in the Admin module under Configuration | JFrog Xray.
To enable analysis of repositories in general, you first need to globally enable Xray by setting the Enable Xray Integration checkbox.
Once repositories are marked for analysis, Xray will index (and reindex) their artifacts based on different triggers such as adding, deleting and moving artifacts. Artifacts in all builds are indexed automatically by JFrog Xray and re-indexed each time a new build is created.
There are two ways to specify repositories whose artifacts should be indexed:
- To specify a specific repository for indexing, in the repository Basic configuration, under Xray Integration, check Enable Indexing in Xray.
- The Xray Integration screen displays the repositories that have been enabled for indexing. To add more repositories for indexing, click Add. From the list of Available Repositories, select the repositories you wish to add for indexing and click "Save".
Configuring and Overriding Download Blocking
Configuring download blocking per Artifactory version
Prior to version 5.10, download blocking for unscanned artifacts, or for artifacts with vulnerabilities of a given severity, was configured in Artifactory.
From version 5.10, this configuration has been removed from Artifactory and is instead available in JFrog Xray version 1.12 and above.
To prevent potentially harmful artifacts from being used by developers, an administrator can configure JFrog Xray to prevent them from being downloaded from Artifactory. For more details, please refer to Download Blocking in the JFrog Xray User Guide.
If download blocking is configured in JFrog Xray, you can override this behavior with the following two settings in Artifactory under Admin | Xray Configuration:
- Allow downloads when Xray is unavailable: By default, if Xray becomes unavailable to Artifactory for any reason, all artifact downloads are blocked. Setting this checkbox overrides this behavior and allows download of artifacts.
- Allow downloads of blocked artifacts: JFrog Xray may block different artifacts for download from Artifactory according to Watches defined in Xray's configuration. Setting this checkbox overrides this behavior and allows download of artifacts even if they have been blocked by Xray.
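Both override settings weaken download blocking, and a repository that is not marked for indexing is never analyzed, so these are worth checking for drift. The following audit is an added example, not JFrog code: it reads a constructed configuration export and reports either override being set and any required repository that is not indexed. The XML element names and the must_index parameter are assumptions for illustration; check them against your own exported configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Element names are assumptions for illustration;
# compare them with your own exported configuration before relying on them.
SAMPLE_CONFIG = """\
<config xmlns="urn:example:constructed-descriptor">
  <xrayConfig>
    <enabled>true</enabled>
    <allowDownloadsXrayUnavailable>true</allowDownloadsXrayUnavailable>
    <allowBlockedArtifactsDownload>false</allowBlockedArtifactsDownload>
  </xrayConfig>
  <localRepositories>
    <localRepository><key>libs-release-local</key><xray><enabled>true</enabled></xray></localRepository>
    <localRepository><key>docker-prod-local</key><xray><enabled>false</enabled></xray></localRepository>
    <localRepository><key>scratch-local</key></localRepository>
  </localRepositories>
</config>
"""

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _flag(parent, name):
    """True only if a direct child <name> exists and its text is 'true'."""
    if parent is None:
        return False
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip().lower() == "true"
    return False

def audit_xray_settings(xml_text, must_index):
    """Return findings for weakened download blocking and unindexed repositories."""
    root = ET.fromstring(xml_text)
    by_name = lambda n: [e for e in root.iter() if _local(e.tag) == n]
    xray = next(iter(by_name("xrayConfig")), None)
    findings = []
    if not _flag(xray, "enabled"):
        findings.append("integration-disabled")
    if _flag(xray, "allowDownloadsXrayUnavailable"):
        findings.append("fail-open-when-xray-unavailable")
    if _flag(xray, "allowBlockedArtifactsDownload"):
        findings.append("blocked-artifacts-downloadable")
    indexed = set()
    for repo in by_name("localRepository"):
        key = next(((c.text or "").strip() for c in repo if _local(c.tag) == "key"), "")
        if _flag(next((c for c in repo if _local(c.tag) == "xray"), None), "enabled"):
            indexed.add(key)
    return findings + [f"not-indexed:{k}" for k in sorted(set(must_index) - indexed)]
```

A missing element is treated as "not set", so a repository with no indexing element is reported as not indexed.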
Once JFrog Artifactory and JFrog Xray have been configured to work together, artifacts will be indexed for analysis on an ongoing basis according to different events that happen in Artifactory. To set up the initial database of artifacts in Xray, you need to invoke indexing manually. For details, please refer to Indexing Artifacts in the JFrog Xray User Guide.