Scanning Dependencies in your sources using JFrog CLI and Xray

Scanning Dependencies in your sources using JFrog CLI and Xray

Security vulnerabilities and license violations should be found as early as possible and the earlier in the SDLC, the better.

As part of the “Shift Left” vision, JFrog CLI and Xray now allow scanning dependencies directly from sources, on-demand, using a simple command line.

This functionality allows benefiting from the same JFrog Xray vulnerability and license scanning capabilities, even before deployment to JFrog Artifactory. This enhancement helps organizations comply with their security policies and standards by ensuring development teams only upload scanned and violation free binaries to Artifactory.

Scanning of dependencies in sources  is available as part of the new v2 version of JFrog CLI, with source scanning support for Maven, Gradle and npm packages. Go and Pip package support will be available soon!

Did you know? JFrog CLI is a compact and smart client that works with Artifactory, Xray, Distribution and Mission Control, to provide powerful features for your automation scripts in a readable and reliable manner.
Check out JFrog CLI Cheat Sheet >

Before you start

Here’s what you’ll need:

Steps to Scan

The scan can be done in one of two ways. Either as an individual scan directly on sources, or a scan as part of a build, prior to the deployment phase. In both cases, we’ll start by configuring your JFrog platform on JFrog CLI.

Configure Server with JFrog CLI

Run $ jfrog c add anywhere on your machine to configure your platform details.

Configure Server with JFrog CLI

Run $ jfrog rt ping to validate your connection.

Option 1: Run the Audit Command

Scan the sources on-demand, not as part of a build.

Run the audit command from the top-level directory that contains your source files.

Each of the supported package managers has its own audit command.

For example, to perform a scan of Maven projects in your source code and report all vulnerabilities:

$ jfrog xr audit-mvn

The Gradle and npm corresponding commands will be:

$ jfrog xr audit-gradle or $ jfrog xr audit-npm.

By default, the scan returns vulnerability data found in all of your dependencies. To retrieve the violation data, with a specific watches configuration, repository path, or project, you will need to use one of the following command options:

  • –watches – followed by a comma separated list of Xray watches.
  • –repo-path – followed by the target repo path.
  • –project – followed by a project key.

Take note, that if you run the scan using one of these command options, the scan results will only show violations data and not vulnerability data. To view the vulnerability data, run the scan without these options.

By default, the results will be shown in a table format.

Scan results - vulnerability data

The results can be returned in a JSON format for automation purposes. To modify the format type, provide the format option: –format=json.

View additional options by providing the –help option in your terminal, or read about the available commands in the JFrog CLI documentation.

Option 2: Conditional Upload – Maven and Gradle

In this approach, all files are scanned on the local system prior to the upload, as part of the build process using JFrog CLI. If any of the files are found to be vulnerable, the upload is skipped.

To configure JFrog CLI for a build, including choosing the resolution and deployment repositories and other build options, use the corresponding package manager config command from the top-level directory of your project:

$ jfrog rt mvn-config or $ jfrog rt gradle-config.

Conditional Upload - Maven and Gradle

By default the configuration command will run interactively. Set the CI=TRUE environment variable to use non-interactively.

Read about the configuration and build commands here, or view with the –help option.

Once the build is configured, run the build command with the appropriate goals/tasks and options, and provide the –scan option to use the conditional upload.

For example:

$ jfrog rt mvn clean install --scan
$ jfrog rt gradle clean build --scan

Behind the Scenes

JFrog CLI provides this integration with Xray by downloading an indexer component from the latter (only occurs on first use or after an update).

On a requested scan, the CLI assembles a hierarchy dependency tree and provides it to the indexer, which in turn replies with the vulnerability/violation results.

Keep Exploring

There is much more that can be done with JFrog CLI, find out more in  the documentation. You can even develop and share your own plugins!

The JFrog CLI project and its dependencies are all open source. Ask questions or let us know what other functionality you’d like to see, in the project’s Github issues section.

Get Started with JFrog CLI.