The recently released JFrog Xray versions 3.31 & 3.32 have brought to the table a raft of new capabilities designed to improve and streamline your workflows, productivity and user experience.

The new features, detailed below, solidify Xray as the optimum universal software composition analysis (SCA) solution for JFrog Artifactory that's trusted by developers and DevSecOps teams to identify and eliminate open source software vulnerabilities and license compliance violations from their releases.

Xray Reports Clone

This new feature, which requires Artifactory 7.23.x and above, lets you quickly and efficiently create a clone of an existing report in Xray Reports to reuse a report and its defined settings and configurations, saving you lots of time when recreating reports that you use often.

Hot Upgrade

With this new hot upgrade capability, you can upgrade any Xray High Availability (HA) installation easily and without having to turn off all the secondary nodes. By completing an Xray HA upgrade with zero downtime, you boost your team's productivity.

Set a Grace Period before Failing Build

If a CI server requests a build to be scanned, and a watch you've set up triggers a violation, Xray will indicate that the build job should fail.

Failing builds is a common practice to secure CI builds and prevent violations from entering your CI/CD pipeline. However, you may not always want to fail the build. For example, some violations are not showstoppers, and you can look into them later without stopping the build creation.

In these cases, you can set a grace period for a number of days according to your needs. During the grace period, the build will not fail and all violations will be ignored. An automatic Ignore Rule is created for the grace period with the following criteria:

  • On the specific vulnerability/license
  • On the specific component
  • On any version of the specific build
  • On the specific policy
  • On the specific watch

Once the grace period ends, the ignore rule is deleted, and if the build contains violations, it will fail. This capability is only available if the watch is defined with build as the target type.

For more detailed information, see Creating Xray Policies and Rules.

Grace Period REST API Support

A new parameter has been added to support the Grace Period feature in the Create Policy REST API.
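The grace-period behaviour described in the two sections above, modelled as an added example (not JFrog's code): the policy payload a CI team would send to the Create Policy REST API, the five-criteria temporary ignore rule, and the fail/no-fail decision once the period elapses. The endpoint path and the JSON field names (notably the grace-period parameter, which the post does not name) are assumptions drawn from the Xray REST API documentation; verify them against your Xray version.

```python
from dataclasses import dataclass
from datetime import date, timedelta


def grace_period_policy(name: str, grace_days: int, min_severity: str = "High") -> dict:
    """Body for the Create Policy REST API (assumed: POST /xray/api/v2/policies).
    fail_build stays on; the grace period only delays when the failure takes effect."""
    return {
        "name": name,
        "type": "security",
        "rules": [{
            "name": f"{name}-rule",
            "priority": 1,
            "criteria": {"min_severity": min_severity},
            "actions": {
                "fail_build": True,
                # Assumed field name; the post only says "a new parameter" was added.
                "build_failure_grace_period_in_days": grace_days,
            },
        }],
    }


@dataclass(frozen=True)
class Violation:
    issue_id: str     # the specific vulnerability or license id
    component: str    # the specific component
    build_name: str   # any version of this build is covered, so no version field
    policy: str       # the specific policy
    watch: str        # the specific watch (must have 'build' as target type)
    first_seen: str   # ISO date on which Xray first raised the violation


def automatic_ignore_rule(v: Violation, grace_days: int) -> dict:
    """The temporary ignore rule Xray creates: scoped to the five criteria listed
    in the post and dropped when the grace period ends."""
    expires = date.fromisoformat(v.first_seen) + timedelta(days=grace_days)
    return {"vulnerability": v.issue_id, "component": v.component, "build": v.build_name,
            "policy": v.policy, "watch": v.watch, "expires_on": expires.isoformat()}


def should_fail_build(violations, grace_days: int, today: str) -> bool:
    """During the grace period every violation is ignored; once any violation's
    period has elapsed the ignore rule is gone and the build fails."""
    return any(date.fromisoformat(today) >= date.fromisoformat(
        automatic_ignore_rule(v, grace_days)["expires_on"]) for v in violations)
```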

Enhanced Xray Dependency Scanning and On-Demand Binary Scanning

Shifting left means catching and fixing vulnerabilities and license violations as early as possible in your SDLC, including before developers check in code. Performing on-demand scanning of either your source code dependencies or binaries before committing to Artifactory is the ultimate shift-left tactic. Here are some reasons why you need this use case:

  • Not all of your binaries or builds are stored in Artifactory
  • You discover vulnerabilities/licensing violations before uploading to Artifactory
  • A security person may need to scan a binary sent to them for verification
  • Organizations may want to only deploy approved binaries into Artifactory

The recently introduced Xray Dependencies and Xray On-Demand Binary scanning capabilities now include the option to ignore violations. In the JSON report of each scan, an Ignore Rule URL is included in the results, enabling you to create ignore rules for violations in the report, as described in Ignore Rules.

New Filter in Watches

Starting from Xray version 3.31.x, you can filter the Watches list in the Watches page in Xray to narrow down and display only Watches that are relevant to you. When you select the Filter button in the top-right corner, the filter dropdown list appears, with an array of different options. Configure the filtering options to display the Watches or Watch data you want to see.

For more information, see Configuring Xray Watches.

Filter Ignore Rules

Now you can use an array of different filtering options to narrow down the list of Ignore Rules using different criteria. That way, you'll only see Ignore Rules that are relevant to you. After selecting the Filter button in the top-right corner, the filter dropdown appears and you can configure the options to display the Ignore Rules or Ignore Rules data you want to see.

[Note: The new features mentioned above require Artifactory version 7.25.x and higher.]

For more information, see Ignore Rules.

Ignore Rules REST API Enhancement

If you and your team are working together using JFrog Projects and the REST API, we have a great new feature that will allow you to sort the Get Ignore Rules REST API by project. This can streamline your workflows while working with REST APIs and Ignore Rules in JFrog Projects.

These exciting new features are available now for Xray users. Don't have a JFrog account yet? You can easily get free access to Artifactory and Xray in two ways: A 30-day free trial with our Self Hosted option, or a permanent free subscription with our Cloud option, which also includes JFrog Pipelines, our CI/CD orchestration solution.

Disclaimer

JFrog Ltd. published this content on 21 October 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 21 October 2021 23:43:06 UTC.