View Source

Overview

From Xray 3.0, the following 3rd party integrations will be deprecated including Black Duck, White Source, and Aqua. JFrog does not guarantee the integrations will be functional following the upgrade. Since February 2019, JFrog included RBS VulnDB as part of its out-of-the-box solution that replaces the need for 3rd party integrations.

JFrog Xray is open for integration with any number of issue and vulnerability providers and pre-configured with a number of providers out-of-the-box. In addition, you can connect to additional issue and vulnerability feeds if you have accounts with the corresponding providers. The Integrations screen in the Admin module displays the integrations you have configured and connected to.

Xray 2.x > Integrations > xray1_2intergrations.png

To add a new integration, click "Add Integration". The button will be disabled if all integrations currently available in the system have already been configured.

The Add Integration dialog shows all available integrations you can connect to, and provides the option to add a custom integration. Select the provider you wish to connect to from the list of icons displayed, or click the plus sign to add a custom integration.

Xray 2.x > Integrations > xray_integration.png

To connect to a provider, set the Enabled checkbox and enter the following parameters:

The API Key you received from the provider
The Test URL you can use to test your API key with the provider using the "Test" button.
The URL Xray uses to check if a component it is scanning is registered with the provider.

Aqua

offers a comprehensive security solution for containerized environments. If you have an account with Aqua, you may enable this feed, enter your Aqua API key, the URL of your on-prem Aqua installation and the test URL.

Xray 2.x > Integrations > remove_snyk_from_integration page.png

WhiteSource

offers a security and license management solution for your open source components. If you have an account with WhiteSource, you may enable this feed and enter your WhiteSource API key, URL and Test URL.

Xray 2.x > Integrations > white_source-integration.png

Black Duck

offers an enterprise-grade solution to automate the process of securing, managing, and ensuring license compliance for open source software in applications and containers. If you are a Black Duck customer, you may enable this feed by purchasing the standard Hub edition with the security module, enter the provided Black Duck API key, the URL of your Black Duck installation and the test URL to start using Black Duck data within Xray.

Xray 2.x > Integrations > xray_integration_blackduck.png

Adding a Custom Integration

In addition to the integrations included out-of-the-box, Xray also allows you to create custom integrations. This gives you the opportunity to add analyses from different providers with whom you may have an account, or even to create your own provider and display information such as performance issues, known defects or any other information offered by your provider.

To enable this, you'll need to build the following two REST endpoints and configure them in the Xray integrations page.

Building the Integration Endpoints

In order to enable your custom integration, you need to build and run two REST endpoints.

1. Check Authentication

Request an indication to whether a provided api key is valid. This API should be exposed by the feed provider.

Request header
apiKey: “some-api-key-which-is-unique-for-a-specific-customer”

GET /api/checkauth

{
"valid" : true,
"error" : ""
}

{
"valid" : false,
"error" : "User api key is invalid"
}

2. Request for components information

This API will allow Xray to request for information about one or more components, each identified by a unique component id, from the feed provider. The API will be implemented by the feed provider.

Request

The request payload will contain unique identifiers of the components Xray would like to get information about.
In addition Xray will provide a context to the request, this can be a project id or another identifier. If the 3rd party service allows its users to define policies per project, this will allow to answer the request in the context of those policies. For example, if the 3rd party service allows creating policies for OSS license compliance per project, Xray may get a response with a license vulnerability if the queried component is violating the policy.

apiKey: "some-api-key-which-is-unique-for-a-specific-customer"

{
	"components" : [
      {
 	 	"component_id": "gav://ant:ant:1.6.5",
		"blobs": [
			"97282a3b066de4ee4c9409979737f3911f95ceab"
		]
      }
	],
	"context" : "project_id"
}

Response

{
	"components" : [
 	{"component_id" : "gav://ant:ant:1.6.5",
	"licenses" : ["Apache 2.0"],
     "provider" : "the feed provider",
	"vulnerabilities" : [
	{
  	"cve" : "CVE-2012-2098",
	"type" : "security",
	"source_id" : "unique id of the reported issue",
  	"summary" : "Algorithmic complexity vulnerability",
  	"description" : "Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream",
  	"cvss_v2" : "7.9",
  	"url" : "http://more.info",
  	"publish_date" : "2015-11-03T07:30:51.991+00:00",
  	"references" : [	"http://archives.neohapsis.com/archives/bugtraq/2012-05/0130.html"
  	]
	}
	]}
 ]
}

Configuring the Integration Endpoints

To configure your endpoints, go to the integrations page and click on the custom integration.

Custom Provider

To add and connect to a custom provider, set the Enabled checkbox and enter the following parameters:

The Vendor name
The API Key you received from the provider
The URL Xray uses to check if a component it is scanning is registered with the provider.
The URL should lead to the request for components information REST endpoint
The Test URL you can use to test your API key with the provider using the "Test" button.
The Test URL should lead to the Check Authentication REST endpoint
The URL to an icon you can optionally display for the vendor
A Description for the vendor