Overview

Once JFrog Xray is installed, administrators can set and update the following general configurations at any time:

Note: The Onboarding Wizard, which is invoked automatically the first time you log in to the JFrog Platform, also enables you to configure the Indexed Resources and Database Sync.

Additional advanced settings include:

Xray Configuration File

Xray's configuration parameters are stored in its configuration file, which is located at /.env for the Docker Compose installation.

Xray Installation Files

The Xray installation files are available in the /bin folder of the Docker Compose installation folder.


Indexing Resources

To avoid lengthy and intensive analysis processes, Xray does not automatically analyze all the resources in the system; instead, it allows you to manually select the repositories, builds and release bundles to be indexed. To configure your indexed resources, see Indexing Xray Resources.


Synchronizing the Database

Using a firewall?

If you are using a firewall, to allow the database sync to complete successfully, you need to add the following URLs to your firewall's whitelist:

  1. https://releases.jfrog.io/
  2. https://releases-cdn.jfrog.io
  3. https://jxray.jfrog.io

To test the ability to sync, run the following REST API endpoint:

https://jxray.jfrog.io/api/v1/system/ping


For Xray to scan your indexed artifacts, it must ingest data on issues and vulnerabilities from the primary feed that comes from the global database server maintained by JFrog. There are two ways to synchronize Xray with the global database server:

  • Online: In online mode, Xray synchronizes with the global database server automatically on a daily basis through an internet connection.

  • Offline: In offline mode, you manually download files from the global database server and then upload them to Xray.

To configure synchronization with the global database server, in the Administration module, select Xray | Database Sync.

The Xray indexing process will only start after the initial DB sync process is completed.

Online Synchronization

To get started right away so Xray can scan your artifacts, you may invoke the initial synchronization manually by selecting Start Sync in the Status panel. From then on, Xray will synchronize issues and vulnerabilities regularly and automatically, once a day.

Offline Synchronization

For RPM installations the Updates folder is under the Data folder:

  • ${XRAY_HOME}/xray/data/updates/component
  • ${XRAY_HOME}/xray/data/updates/vulnerability


If, for any reason, you do not want to maintain a live internet connection to the global database server, select Offline in the Sync Mode panel to get detailed instructions on how to get the latest data available.

Version compatibility with JFrog CLI

An offline database synchronization requires the use of JFrog CLI.


Configuring Webhooks

One of the options when configuring Watches is to have them invoke webhooks which are proprietary URLs you can define to perform custom actions as a result of a violation being issued.

Webhooks are configurable in the Administration module under Xray | Webhooks.

JFrog Cloud New Interface (Beta)

On the taskbar, click (Platform Configurations), and select Xray Settings > Webhooks. To learn more, click here.

To add a webhook, click New Webhook.

General
Webhook Name

An identifier for the webhook. This is the name that will be used by any Watches that want to invoke the webhook in case of a violation.

URL

The URL that this webhook invokes. For details of the payload provided by Xray to the webhook, please refer to Webhook Payload.

Description

A free text description.

Use Proxy

Set the webhook to go through the predefined proxy. For more information, see Managing Proxies.

Basic Auth
User Name/Password

A username and password as required by the webhook.

Custom Headers

Any custom headers that may need to be added to invoke the webhook.



Adding Custom Integrations

Xray integrations are configured in the Administration module on the Integrations page, which displays the integrations you have configured and connected to.

JFrog Cloud New Interface (Beta)

On the taskbar, click (Platform Configurations), and select Xray Settings > Integrations. To learn more, click here.


JIRA Integration with Xray

This Jira Integration allows you to automatically create Jira tickets for violations found by Xray in your configured Jira Projects. For more information, see Xray Jira Integration.

Vulnerability Feeds

JFrog Xray is open for integration with any number of issue and vulnerability providers. This gives you the opportunity to add analyses from different providers with whom you may have an account, or even to create your own provider and display information such as performance issues, known defects or any other information offered by your provider.

To enable this, you'll need to build the following two REST endpoints and configure them in the Xray integrations page.

Building the Integration Endpoints

In order to enable your custom integration, you need to build and run two REST endpoints.

1. Check Authentication

Requests an indication of whether a provided API key is valid. This API should be exposed by the feed provider.

Request header
apiKey: "some-api-key-which-is-unique-for-a-specific-customer"

GET /api/checkauth

Valid API Key Response Example (Status code: 200)
{ "valid": true, "error": "" }

Invalid API Key Response Example (Status code: 401)
{ "valid": false, "error": "User api key is invalid" }


2. Request for components information

This API allows Xray to request information about one or more components, each identified by a unique component ID, from the feed provider. The API is implemented by the feed provider.

Request

The request payload contains the unique identifiers of the components Xray would like to get information about.
In addition, Xray provides a context with the request; this can be a project ID or another identifier. If the third-party service allows its users to define policies per project, this lets it answer the request in the context of those policies. For example, if the third-party service allows creating policies for OSS license compliance per project, Xray may get a response with a license vulnerability if the queried component violates the policy.

POST /api/componentinfo

Request header
apiKey: "some-api-key-which-is-unique-for-a-specific-customer"

Request payload
{
  "components": [
    {
      "component_id": "gav://ant:ant:1.6.5",
      "blobs": [ "97282a3b066de4ee4c9409979737f3911f95ceab" ]
    }
  ],
  "context": "project_id"
}

Response

The response will contain a list of security vulnerabilities or other issues:
{
  "components": [
    {
      "component_id": "gav://ant:ant:1.6.5",
      "licenses": [ "Apache 2.0" ],
      "provider": "the feed provider",
      "vulnerabilities": [
        {
          "cve": "CVE-2012-2098",
          "type": "security",
          "source_id": "unique id of the reported issue",
          "summary": "Algorithmic complexity vulnerability",
          "description": "Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream",
          "cvss_v2": "7.9",
          "url": "http://more.info",
          "publish_date": "2015-11-03T07:30:51.991+00:00",
          "references": [ "http://archives.neohapsis.com/archives/bugtraq/2012-05/0130.html" ]
        }
      ]
    }
  ]
}
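The two endpoints above, implemented as a feed provider would, as an added example (not JFrog code). The handlers are written as pure functions that take the request headers and body and return a status code and JSON body, so they can be plugged into any web framework; the API keys, feed contents, provider name and the per-context license policy are constructed sample data.

```python
import hmac
import json

# Constructed sample data: accepted API keys, what the feed knows about each
# component, and a per-context license policy (the context is the project id
# Xray sends with the request, as described in the request section above).
VALID_API_KEYS = ["customer-a-key-0001"]
PROVIDER_NAME = "example-feed"
FEED_DB = {
    "gav://ant:ant:1.6.5": {
        "licenses": ["Apache 2.0"],
        "vulnerabilities": [{
            "cve": "CVE-2012-2098", "type": "security", "source_id": "feed-1",
            "summary": "Algorithmic complexity vulnerability", "cvss_v2": "7.9"}],
    },
    "gav://example:gpl-lib:1.0": {"licenses": ["GPL-3.0"], "vulnerabilities": []},
}
LICENSE_POLICY = {"project_id": {"GPL-3.0"}}  # context -> licenses that violate policy


def check_auth(headers):
    """GET /api/checkauth: 200 when the apiKey header is known, otherwise 401.
    Keys are compared in constant time so the check does not leak timing data.
    (Real HTTP header lookup should be case-insensitive; a dict is used here.)"""
    key = headers.get("apiKey") or ""
    if any(hmac.compare_digest(key.encode(), k.encode()) for k in VALID_API_KEYS):
        return 200, {"valid": True, "error": ""}
    return 401, {"valid": False, "error": "User api key is invalid"}


def component_info(headers, raw_body):
    """POST /api/componentinfo: one entry per requested component_id.
    Unknown components get empty lists; a license issue is added when a
    component's license violates the policy selected by the request context."""
    status, body = check_auth(headers)
    if status != 200:
        return status, body  # authenticate before parsing untrusted input
    try:
        payload = json.loads(raw_body)
        requested = [c["component_id"] for c in payload["components"]]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed request payload"}
    context = payload.get("context", "")
    banned = LICENSE_POLICY.get(context, set())
    result = []
    for cid in requested:
        known = FEED_DB.get(cid, {"licenses": [], "vulnerabilities": []})
        issues = list(known["vulnerabilities"])
        for lic in known["licenses"]:
            if lic in banned:
                issues.append({"type": "license", "source_id": f"policy-{lic}",
                               "summary": f"License {lic} violates policy for {context}"})
        result.append({"component_id": cid, "licenses": known["licenses"],
                       "provider": PROVIDER_NAME, "vulnerabilities": issues})
    return 200, {"components": result}
```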


Configuring the Integration Endpoints

To configure your endpoints, go to the Administration module, on the Xray | Integrations page, and click New Integration.

JFrog Cloud New Interface (Beta)

On the taskbar, click (Platform Configurations), and select Xray Settings > Integrations. To learn more, click here.

To add and connect to a custom provider, set the Enabled checkbox and enter the following parameters:

  • The Integration Vendor name
  • A Description for the vendor
  • The API Key you received from the provider
  • The URL Xray uses to check if a component it is scanning is registered with the provider.
    The URL should lead to the request for components information REST endpoint
  • The Test URL you can use to test your API key with the provider using the "Test" button.
    The Test URL should lead to the Check Authentication REST endpoint
  • The URL to an icon you can optionally display for the vendor

Creating Watches and Policies

Policies and Watches allow you to enforce your organization's governance standards:

  1. Set up your Policies and Rules to reflect the standard governance behaviour specifications for your organization. Xray supports security and compliance policy types.
  2. Create Watches to define the scope of the resources on which to run the relevant policies. Watches monitor resources, such as repositories, builds and Release Bundles, and enforce the policies assigned to them on these resources.
  3. Examine Violations created by Xray once a detected vulnerability or license breach meets the criteria of a policy rule.
  4. Actions that you have set within the policy, such as blocking a download, failing a build, or preventing the distribution of a Release Bundle, will run if a violation is detected.

Advanced Settings

Advanced Settings apply only to Self-Hosted environments.

Xray is built on a set of microservices that perform its actions in the realm of indexing artifacts, communicating with Artifactory, managing events and notifications, and so on.

To configure these settings, in the Administration module, go to Xray Security and Compliance | Advanced and click Settings.

JFrog Cloud New Interface (Beta)

On the taskbar, click (Platform Configurations), and select Xray Settings > Compliance Licenses. To learn more, click here.


The following advanced configurations are available:

  • Basic Settings: allows enabling Xray, and configuring the behaviour when it is unavailable and for blocked artifacts.
  • System Parameters: (Self-Hosted only) provides system settings.
  • Queue Workers: (Self-Hosted only) provides several parameters for tweaking Xray performance by changing the number of workers performing the different tasks. Starting from Artifactory version 7.12 and above, the Queue Workers setting is no longer available through the UI, and is only supported through the REST API.

Note: Adjusting these parameters may affect your system's performance; please contact JFrog Support for additional information.


Basic Settings

Xray Enabled

Indicates that Xray is enabled on the JFrog Platform and is set by default when Xray is installed.

Allow download and distribute when Xray is unavailable

Allows downloading artifacts from Artifactory and distributing Release Bundles to Edge Nodes when the Xray service is unavailable.

Allow downloads of blocked artifacts

Allows downloading all artifacts, including artifacts that have been blocked for download by Xray.

Block Unscanned Artifacts Download Timeout (Sec)

The maximum time a download request remains pending while Xray completes scanning the artifact.

When a repository is configured to block downloads of unscanned artifacts, this setting will make every download request connection remain open for the time configured (in seconds), allowing Xray sufficient time to scan the artifact and then return the artifact or block it based on scan results.

Important: make sure the client you are using to download artifacts from Artifactory is set with a high socket timeout value to ensure the connection will remain intact while Xray is scanning the artifacts. Example clients include: build CI server, package managers, smart remote repository, cURL, etc.

This is also relevant when using a Smart Remote Repository, where Advanced → Socket Timeout (MS) should be set to a high value.

For Advanced Users:

The time interval for Artifactory to send scan requests to Xray can be configured using the following system property.

artifactory.xray.indexer.intervalSecs=60

This system property determines the interval between submissions of each artifact's events from Artifactory to Xray. When downloading a newly added artifact, an event is created in Artifactory, and this event is sent to Xray notifying it of a new artifact that needs to be scanned. In order for the block unscanned timeout to have enough time to get full scan results, Xray needs to be notified quickly that a new scan needs to be made, so this system property needs to be changed to 10 seconds.

Note that increasing or tuning the Tomcat HTTP connection pool may be needed in order to support a high load of connections while waiting for a scan to be completed.

System Parameters

SSL Insecure
Toggles skipping of Xray's self-signed certificate validation.
Mail Without SSL
Toggles the use of Transport Layer Security when connecting to the mail server.
Send Anonymous Statistics
Improves Xray optimization by sending anonymous usage statistics.
Max Disk Usage
Percentage of disk usage tolerated by Xray. When the specified value is reached, Xray will NOT download packages for indexing.
Monitor Sampling Interval
Interval for executing monitoring jobs on CPU, disk usage, restarts, etc.
Job Interval
Interval for running node-specific jobs.

Queue Parameters

Index
The number of workers managing indexing of artifacts.
Persist
The number of workers managing persistent storage needed to build the artifact relationship graph.
Alert
The number of workers managing alerts.
Analysis
The number of workers involved in scanning analysis.
Impact Analysis
The number of workers involved in Impact Analysis to determine how a component with a reported issue impacts others in the system.
Notification
The number of workers managing notifications.

System Parameters

SSL Insecure
Toggles skipping of Xray's self-signed certificate validation.
Mail Without SSL
Toggles the use of Transport Layer Security when connecting to the mail server.
Max Disk Usage
Percentage of disk usage tolerated by Xray. When the specified value is reached, Xray will NOT download packages for indexing.
Monitor Sampling Interval
Interval for executing monitoring jobs on CPU, disk usage, restarts, etc.
Queue Message Max TTL
Number of retries to be accepted in the Message Queue system.
Job Interval
Interval for running node-specific jobs.

Starting from Xray version 3.6, Xray prioritizes the scanning of new Artifacts/Builds/Release Bundles over events originating from a history scan or a full repository scan, and provides the capability to control the number of workers for new content versus history / full repository scan. To configure the number of workers, see Configuring the Workers Count REST API.

This requires Artifactory version 7.6 and above.


Garbage Collector (GC)

Starting from Xray 3.26.1, Xray's Garbage Collector (GC) feature enables you to avoid race conditions between delete/create events sent by Artifactory, mainly when moving Artifacts and promoting images. This feature is active by default and is configurable in the Xray System YAML deleteMode ('gc'/'eager') parameter.

You can manage the Garbage Collector through a set of REST APIs, such as getting the GC status or forcing GC to run. For more information, see Garbage Collector (GC) REST APIs.

Copyright © 2023 JFrog Ltd.