JFrog returning No Violation Found - jfrog-xray

Good Morning all,
Anyone using JFrog here?
I need some basic guidance on how to scan a repository with Xray. It's currently returning zero violations but I'm not sure if it is even scanning at all

Please check the below points and make sure you have configured it in Xray.
Xray DB sync is up to date. Link for more details-> https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray#ConfiguringXray-SynchronizingtheDatabase
Indexing of repositories/builds is enabled. Link for more details-> https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray#ConfiguringXray-IndexingResources
Watches and policies are created and configured to the Artifactory repository or build. Link for more details-> https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray#ConfiguringXray-CreatingWatchesandPolicies
Below are the video link to create Watches and policies.
https://www.youtube.com/watch?v=yfoBmuaRkGI
https://www.youtube.com/watch?v=88hwwMJsS58
I hope the above information will be helpful to configure Xray for the repository or build and check for violations.

Related

How to ignore one vulnerability in JFrog Xray

I am using JFrog Xray to scan for security issues in my project. There is a vulnerability issue CVE-2016-1000027 with critical level need to resolve. But I want JFrog ignore this vulnerability issue when Xray scan.
Anyone who know how to help me ignore it?
Thanks.
Please follow the official JFrog Xray Ignore Rules. It has details on this.
Note that an ignore rule should be a temporary flag until a resolution is found. Keep your software safe!

Jfrog Xray Reports

1.Is X-ray report generation possible using API Calls at the disired page in the Jfrog artifactory?
2.Scenario:Application dev team uploads the Build/Repository of their application into the Jfrog artifactory an xray scans it automatomatically. Suppose if we find vunerable Jars in perticular build -question-"can we corelate the vunerable jars to the respective builds and depedend builds and extract the same information in the report??
For Example: Vunerable Jar 'X' is used by build1 but the artifactory contains N no of Builds.
can we fetch the information if the same Vunerable Jar 'X' is used by multiple other build present in the artifactory. And is there any other way to intimate the build owners about this Vulnerable Jar 'X' which might be used on their application or Build.
Please find the answers to your queries below.
Yes, the report generation is possible through API calls made against the Xray service. [Xray REST API - Reports]
For the collection of data in accordance with the scenarios described in the second query, I believe this API call would be helpful.
Yes - This is documented in the Xray REST API documentation under the Reports section.
Yes, this is also specified in the Reports documentation, you can define the required scope and select multiple builds or repositories.
As for notifying build owners - This can be done by creating a rule for the policy that contains automatic action with the ability to inform the deployer and the watch recipients. This is triggered when there is a violation of the policy (which was previously created) Xray will generate a violation (for example jar X contains vulnerability with severity high)and it does not meet the policy and then Xray will generate notifications.
See relevant documentation.

Integration Percy visual regression testing status check with Github

I am trying to integrate Percy.io, a visual regression testing tool with Github status check.
I have signed up for free account with Percy and paid Github version.
I wanted to setup status check with Percy with each pull request as below suggested at percy doc on status check
I have integrated Percy in Github
Added rules in Github
but still don't see check on pull request.
Added same project in percy.io too
Any Idea what I am missing over here?
It's hard to be specific without knowing more about your application, however one piece that seems to be missing from your setup is a CI/CD configuration.
Basically, you need a Continuous Integration service (such as Travis, Jenkins, CircleCI or others to trigger a build for your project so that percy can capture snapshots. Did you configure one?
See the documentation here.
Here an example configuration for one of my projects. Note that how you set this up may differ if you use a different set of tools than what's in the article.

How do I disable a Github check for Google Cloud Build

I've installed the Google Cloud Build app from Github Marketplace, and enabled it on several repositories, only to discover that enabling access for those repositories automatically starts running the Google Cloud Build "check" after every PR or push to a PR. Since some of those repositories are not actually ready for Google Cloud build, I needed to turn off the checks... I used the URL mentioned in the docs to get to the page where you can select which repositories should be connected to your GCP project, and unchecked a bunch of them... this disconnected them from the project, but, surprisingly, did not disable the Github checks! So now, there are Github checks on several repositories that just result in an error because they're not connected to any projects in Cloud Build.
Surely, it is not an uncommon use case to need a way to "disable Checks" on a per-repository basis - is there any way to do that?
(If not, consider it a requested feature if there are any Google Engineers reading!) ;)
I did talk to chat support, and the only way we could figure out to remove the checks would be to uninstall Google Cloud Build completely from the entire organization, which I don't want to do because we do have some setup that I want to keep, and I don't know how much of that configuration would have to be redone if I uninstalled it completely.
Here is a screenshot of the broken check that I can't disable:
I think there are 2 steps to disable CloudBuild,
1. Disable on CloudBuild itself. For some time I kept seeing 2 builds per push made, but disabling a trigger on CloudBuild helped fix that.
2. On Github, you can configure the Cloudbuild app to monitor a specific repo on the organization level setting.
3. If you feel a lot adventurous though and it's not solved, on the project level setting, you could delete the Webhooks integration for cloudbuild, as that's what Github notifies of each build.
It can be found within GH App installations:
https://console.cloud.google.com/gcb-github-registration
Select the GH account used for your link between Cloud Build and GH, then the GCP project you want to edit.
Here connected repositories can be edited, and in the second step (Trigger settings), the "Default GitHub Checks" can be disabled.
You can also goto settings of your repository and click installations inside settings.
And then remove Google cloud build from Installed apps and authorized github apps.
Cloud Build Triggers are still in beta, and have gone through several updates since this question was posted, but it now appears that the "Github Default Checks" are no longer hidden from management. They are now explicitly offered (but not automatically created) when connecting a repo, and you can finally view and disable (or delete) individual "Github Default Checks" on the trigger management page: https://console.cloud.google.com/cloud-build/triggers
I'll leave this as unanswered, because I'm uncertain this is how it is working for everyone, or that this answer will remain true, but if it works for you, feel free to vote up the answer!
To link GCP Project to the Github repository, create a trigger by clicking on resolve link, besides Action Required and then disable the same. For me this procedure worked out.

Retrieve build info of a SNAPSHOT jar from artifactory using gradle

Before going forward, I realize this question is too broad. But I couldn't figure out the proper verbiage to search either here in SO or on GOOGLE.
If this question is a duplicate, then please excuse me in advance and provide me the link to the original question.
Problem :
We are working on creating testing framework. One of the requirements is to publish a report at the end of the testing phase with build information. We need to provide information like who committed the latest change we are testing, what is the build version we are using for testing etc.
In our current setup, We are using github as SCM. Whenever there is a commit to the SCM, a build is triggered on Jenkins and if the build is successful, the jar is deployed to JFrog Artifactory. I am trying to come up with a gradle script to get the necessary information.
Any pointers to the following questions are highly appreciated:
Which plugin can I use to retrieve the info for a SNAPSHOT jar from Artifactory?
Which plugin can I use to retrieve Jenkins build info using the build number retrieved from Q1?
Not sure this is what you were asking for, but have you looked into the Artifactory Build Info file?
The Artifactory Jenkins Plugin can collect build information for you and publish that information to the Artifactory server (If you choose to "collect and publish build info").
The build information can then be viewed on the artifactory server and also fetched using a simple REST call.
HTH,
Or