Configuring Artifactory to work with JFrog Xray involves the following three main steps:
In addition, JFrog Xray should be properly configured as described in Configuring Xray in the JFrog Xray User Guide
The connection between Artifactory and Xray is established by Xray which creates a user with "admin" privileges called xray in Artifactory in order to access the data it needs to perform its different analyses and functions.
For details, please refer to Connecting to Artifactory in the JFrog Xray User Guide.
For Xray to analyze the artifacts in your installation efficiently, it first needs to index them in its database. If Xray were to index and analyze all of the artifacts in your Artifactory installation, that could cause excessive processing and cluttered component graphs which may obscure the significant components you are really interested in. Therefore, to let you focus on the most important artifacts in your Artifactory installation, Xray will only analyze artifacts from repositories you mark for indexing. There is no need to specify builds; all builds are automatically indexed by Xray.
Repositories marked for indexing by Xray are found in the Admin module under Configuration | JFrog Xray
To enable analysis of repositories in general, you first need to globally enable Xray by setting the Enable Xray Integration checkbox.
Once repositories are marked for analysis, Xray will index (and reindex) their artifacts based on different triggers such as adding, deleting and moving artifacts. Artifacts in all builds are indexed automatically by JFrog Xray and re-indexed each time a new build is created.
There are two ways to specify repositories whose artifacts should be indexed:
To specify a specific repository for indexing, in the repository Basic configuration, under Xray Integration, check Enable Indexing in Xray.
The Xray Integration screen displays the repositories that have been enabled for indexing. To add more repositories for indexing, click Add.
From the list of Available Repositories select the repositories you wish to add for indexing and click "Save".
Previous to version 5.10, download blocking for unscanned artifacts or artifacts with vulnerabilities of a given severity, was configured in Artifactory.
From version 5.10 this configuration has been removed from Artifactory, and instead, is available in JFrog Xray version 1.12 and above.
To prevent potentially harmful artifacts from being used by developers, an administrator can configure JFrog Xray to prevent them from being downloaded from Artifactory. For more details, please refer to Download Blocking in the JFrog Xray User Guide.
If download blocking is configured in JFrog Xray, you can override this behavior with the following two settings in Artifactory under Admin | Xray Configuration:
Allow downloads when Xray is unavailable
|By default, if Xray becomes unavailable to Artifactory for any reason, all artifact downloads are blocked. Setting this checkbox overrides this behavior and allows download of artifacts.|
Allow downloads of blocked artifacts
|JFrog Xray may block different artifacts for download from Artifactory according to Watches defined in Xray's configuration. Setting this checkbox overrides this behavior and allows download of artifacts even if they have been blocked by Xray.|
Block Unscanned Artifacts Download Timeout (Sec)
The max time a download request will be pending Xray to complete scanning the artifact.
When a repository is configured to block downloads of unscanned artifacts, this setting will make every download request connection remain open for the time configured (in seconds), allowing Xray sufficient time to scan the artifact and then return the artifact or block it based on scan results.
Important: make sure the client you are using to download artifacts from Artifactory is set with a high
For Advanced Users:
The time interval for Artifactory to send scan requests to Xray can be configured using the following system property.
This system property determines the interval between each artifact's events submission from Artifactory to Xray. When downloading a newly added artifact, an event is created in Artifactory, and this event is sent to Xray notifying it of a new artifact that needs to be scanned. In order for the block unscanned timeout to have enough time to get full scan results, Xray needs to be quickly notified that a new scan needs to be made, thus this system property needs to be changed to 10 seconds.
Note that an increase/tuning the Tomcat HTTP connection pool may be needed in order to support high load of connections while waiting for a scan to be completed.
Once JFrog Artifactory and JFrog Xray have been configured to work together, artifacts will be indexed for analysis on an ongoing basis according to different events that happen in Artifactory. To set up the initial database of artifacts Xray, you need to invoke indexing manually. For details, please refer to Indexing Artifacts in the JFrog Xray User Guide.