Number of artifacts Blocked for download as part of XRAY watch in JFROG - artifactory

I am looking for a REST API/AQL that can be used to generate the number of artifacts blocked for download as part of the XRAY watch violations in JFROG.

As per this publicly available page, there is no REST API available at the moment that can reveal the artifacts that are not downloadable because of vulnerabilities.
When we download an artifact that has a vulnerability, Xray can indicate that the artifact is not downloadable because of the vulnerabilities in it.

Related

Artfactory not syncing org tree with jcenter

I'm setting up a new artifactory installation for the first time in my life. Downloaded the tar and extracted it ok. Got some firewall rules in place to allow https to jcenter.bintray.com. After an initial refresh I see loads of artifacts in the com tree that must come from jcenter, so all seems fine, but when I perform simple maven tasks like mvn help:active-profiles I only get warnings and errors that indicate that none of the relevant stuff is available from my artifactory.
I have accessed the firewall logs and I found no outgoing traffic from my artifactory server to anything that's not permitted. What have I missed? My artifactory is OSS version 7.5.7 rev 705070900.
Artifactory remote repositories are not working as a mirror of the external repository they are pointing at.
Remote Artifactory repositories are proxying the external repository, which means that you have to actively request artifacts. When requesting an artifact, Artifactory will request it from the external repository and cache it inside Artifactory. Further requests for a cached artifact will be served from Artifactory without the need to go out to the external repository.
The list of artifacts we are seeing are ones which are available in the external repository. This feature is called remote browsing and is available for some of the package types supported by Artifactory.
I found the issue, sort of. For reasons I now understand, I have plugin repositories. I added the true source for the plugins to my list of plugin repositories, and that solved the issue for me.

Jfrog CLI for Artifactory: download folder archive

I am using JFrog CLI (jfrog rt download) to download build reports from Artifactory that are published there by GitLab CI in unpacked state in order to allow unhindered HTML report browsing.
However, it takes extremely long (10-20 minutes) because of just how many small files there are.
I see that Artifactory has a REST API to download whole repository folder content in one swoop as a single archive.
But I am not able to find any way to do the same using JFrog CLI.
Am I missing something, or is there truly no way to download whole folder content as an archive using JFrog CLI?
P.S.: I am aware that there is a configuration option on Artifactory that supposedly allows browsing the contents of archives, but there are reasons (organizational and technical) preventing me from using it.
Using the CLI you can increase the "--threads" value. I have seen a massive improvement when downloading a directory with lots of small files when increasing the number of threads.
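The REST endpoint the question refers to is Artifactory's "Retrieve Folder or Repository Archive" call (`GET /api/archive/download/{repoKey}/{path}?archiveType=zip|tar|tar.gz|tgz`). The following is an added example, not code from the post or from JFrog, that builds that URL (percent-encoding each folder segment so a space in a folder name cannot be mistaken for a query string) and streams the archive to disk. The server URL, repository name, folder path and the `ART_TOKEN` environment variable are assumptions for illustration.

```python
"""Download an Artifactory folder as one archive via the REST API.

Added example (not from the original post). Uses the documented endpoint:
    GET /api/archive/download/{repoKey}/{path}?archiveType=zip|tar|tar.gz|tgz
Server URL, repo key, folder path and ART_TOKEN are illustrative assumptions.
"""
import os
import sys
import urllib.parse
import urllib.request

ARCHIVE_TYPES = {"zip", "tar", "tar.gz", "tgz"}


def build_archive_url(base_url, repo_key, folder_path, archive_type="zip",
                      include_checksums=False):
    """Return the archive-download URL for a folder inside a repository.

    Each path segment is percent-encoded on its own, so "reports/build 42"
    stays a two-level folder path rather than breaking the query string.
    """
    if archive_type not in ARCHIVE_TYPES:
        raise ValueError(f"unsupported archiveType: {archive_type}")
    segments = [urllib.parse.quote(seg, safe="")
                for seg in folder_path.strip("/").split("/") if seg]
    query = {"archiveType": archive_type}
    if include_checksums:
        query["includeChecksumFiles"] = "true"
    return "{}/api/archive/download/{}/{}?{}".format(
        base_url.rstrip("/"), repo_key, "/".join(segments),
        urllib.parse.urlencode(query))


def download_archive(url, token, dest_path, chunk_size=1 << 20):
    """Stream the archive to dest_path in 1 MiB chunks; return bytes written."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    written = 0
    with urllib.request.urlopen(req, timeout=60) as resp, open(dest_path, "wb") as out:
        while True:
            chunk = resp.read(chunk_size)
            if not chunk:
                break
            out.write(chunk)
            written += len(chunk)
    return written


if __name__ == "__main__":
    token = os.environ.get("ART_TOKEN")  # assumed: an Artifactory access token
    if not token:
        sys.exit("set ART_TOKEN to an Artifactory access token")
    # Assumed server, repository and folder names.
    url = build_archive_url("https://artifactory.example.com/artifactory",
                            "ci-reports-local", "my-project/build-42")
    print(url)
    print(download_archive(url, token, "build-42.zip"), "bytes written")
```

Leaving the folder path empty requests the whole repository as one archive, which is the same endpoint the docs describe for repository-level download.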

JFROG XRay re-scan of existing artifacts

I use JFrog XRay v1.10.1 with Artifactory v5.2.1 (both PRO versions).
I cannot find in the XRay documentation (and Google) how XRay automatically re-scans artifacts that have not changed in Artifactory when the vulnerabilities database is updated.
What is the re-scan policy followed by XRay?
Thanks in advance :)
Xray keeps a graph of all the scanned components and the relationships between them, for example if a certain Java library is part of a war file.
When a new vulnerability is added to the database, Xray will check if the affected component appears in the dependency graph and if so will check how it impacts the rest of the graph. For example, if a Debian package inside a Docker image is found to be affected, Xray will also mark the Docker image as impacted. This is called impact analysis in the Xray terminology.
This is explained in the documentation in the watches section.
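To make the impact-analysis idea in the answer concrete, here is an added example (a toy reimplementation, not Xray's code): a component graph records which artifact contains which component, and when a new vulnerability names one component, every artifact that transitively contains it is marked impacted without rescanning anything. All component and image names below are constructed and do not refer to real vulnerabilities.

```python
"""Toy impact analysis over a component graph (added example, not Xray's code).

Edges mean "parent contains child": a Docker image contains a Debian package,
a war contains a jar. When a vulnerability names one component, everything
that transitively contains it is impacted. All names are constructed samples.
"""
from collections import defaultdict, deque


class ComponentGraph:
    def __init__(self):
        self._parents = defaultdict(set)  # child -> set of containing parents
        self._nodes = set()

    def contains(self, parent, child):
        """Record that `parent` (e.g. a Docker image) contains `child`."""
        self._nodes.update((parent, child))
        self._parents[child].add(parent)

    def impacted_by(self, component):
        """Return `component` plus every artifact that transitively contains it.

        Breadth-first walk up the containment edges; the `seen` set makes the
        walk terminate even if the recorded graph has a cycle.
        """
        if component not in self._nodes:
            return set()  # never scanned: nothing in the graph is impacted
        seen = {component}
        queue = deque([component])
        while queue:
            node = queue.popleft()
            for parent in self._parents[node]:
                if parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        return seen


def build_sample_graph():
    """Constructed sample: two images sharing one OS package, one image with a war."""
    g = ComponentGraph()
    g.contains("docker://shop-web:1.4", "deb://libfoo:1.2.3")
    g.contains("docker://shop-web:1.4", "maven://org.example:webapp:2.0:war")
    g.contains("maven://org.example:webapp:2.0:war", "maven://org.example:util:3.1:jar")
    g.contains("docker://batch-worker:0.9", "deb://libfoo:1.2.3")
    g.contains("docker://batch-worker:0.9", "deb://libbar:4.5")
    return g


def rescan_on_new_vulnerability(graph, component):
    """What a DB update naming `component` would flag, as a sorted list."""
    return sorted(graph.impacted_by(component))


if __name__ == "__main__":
    graph = build_sample_graph()
    for hit in ("deb://libfoo:1.2.3", "maven://org.example:util:3.1:jar", "deb://unknown:0"):
        print(hit, "->", rescan_on_new_vulnerability(graph, hit))
```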

Artifactory - Manage external dependencies

I'm wondering how other Artifactory Admins do that so here's my question:
We're starting to use Artifactory to manage our artifacts. Internal as well as external artifacts. The external artifacts are all available in an internal repository. This is so because of a conversion from a file based repository to Artifactory.
Now this is starting to cause issues and I'm wondering how others are managing the external dependencies? As an Artifactory Administrator I want to be sure that my developers only use artifacts which have the correct license so I don't want to have a "feel free to download everything from the internet" culture.
I want to provide some sort of a "whitelisted and approved" set of external Artifacts.
Is this possible using Artifactory OSS or do we manually download the artifacts from a remote repository and deploy it to our local repository?
Thank you in advance!
This can be done by writing a user plugin, but it will require a PRO version of Artifactory. You can see here examples of a governance control plugin that was written in the past.
With the OSS version you can't reject downloads of users based on license.
Hope that answers your question.

Sonatype nexus - what does published mean

In my internal Sonatype Nexus, on the routing tab of a repository (Codehaus Snapshots for example) it says
--- Publishing ---
| Status: Not published
| Message: Discovery in progress or unable to discover remote content (see discovery status).
I am able to Browse Remote, but unable to Browse Index.
What exactly is meant by the term "published"?
Is this repo not available to my maven clients? They use <mirrorOf>* and get all artifacts from Nexus.
This seems a brain dead question. I've looked here, and in the Sonatype book, online sonatype documentation, and scraped Google, to no avail.
This message means that the proxy's remote does not publish routing information, and that Nexus either wasn't able to crawl the remote's HTML directory listing, or is still in the process of doing so.
Have a look here for a description of how the routing feature works in Nexus:
https://support.sonatype.com/entries/30645946-How-does-Automatic-Routing-work-
Regarding search indexes, not all sites publish them. They are entirely optional; a lack of a search index will not impact artifact downloads through the proxy.
To see if the remote publishes search indexes add this path to the remote's URL and see if it can be downloaded:
.index/nexus-maven-repository-index.properties
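The check the answer describes, done from a script instead of a browser, as an added example that is not part of the original answer: it joins the remote URL with `.index/nexus-maven-repository-index.properties`, treats a 404 or 403 as "no index published" (which, as the answer notes, does not affect proxied downloads), and parses the Java `.properties` descriptor it gets back. The remote URL and the property keys in the embedded sample are constructed for illustration.

```python
"""Check whether a proxy's remote publishes a Nexus/Maven search index.

Added example (not from the original answer). Fetches
<remote>/.index/nexus-maven-repository-index.properties and parses it as a
Java .properties file. The remote URL and sample keys are constructed.
"""
import sys
import urllib.error
import urllib.request

INDEX_PROPERTIES = ".index/nexus-maven-repository-index.properties"


def index_properties_url(remote_url):
    """Join the remote URL and the descriptor path with exactly one slash."""
    return remote_url.rstrip("/") + "/" + INDEX_PROPERTIES


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators.

    The key ends at whichever separator comes first, so a value may itself
    contain '=' or ':' characters (timestamps, URLs).
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if positions:
            cut = min(positions)
            key, value = line[:cut], line[cut + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def fetch_index_properties(remote_url, timeout=15):
    """Return the parsed descriptor, or None when the remote publishes no index."""
    req = urllib.request.Request(index_properties_url(remote_url),
                                 headers={"User-Agent": "index-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_properties(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        if exc.code in (403, 404):
            return None  # optional feature absent; proxy downloads still work
        raise


# Constructed sample descriptor; key names are illustrative only.
SAMPLE_PROPERTIES = """\
# constructed sample
nexus.index.id = central
nexus.index.timestamp : 20240101120000.000 +0000
"""


def main(remote_url):
    props = fetch_index_properties(remote_url)
    if props is None:
        print("no search index published; artifact downloads are unaffected")
    else:
        print("index published:", props)


if __name__ == "__main__":
    # Assumed remote URL when none is given on the command line.
    main(sys.argv[1] if len(sys.argv) > 1 else "https://repo.example.org/maven2/")
```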
