JFrog provides a lot of sample projects on its GitHub page, and we will use the build scan pipeline example to demonstrate CI/CD pipeline execution with Artifactory and Xray. Here is the sample pipeline screenshot for your reference.
As the screenshot shows, the pipeline clones the project examples repository with Git and runs the Maven goals (i.e. clean install) against the maven-example project to build the application. The repositories used to resolve dependencies and to publish artifacts are configured in the Artifactory configuration stage, so Maven never talks to a public registry directly; everything goes through Artifactory.
While the application is built, the dependencies are resolved through Artifactory and scanned by Xray for vulnerabilities. We can configure an Xray policy with a block-download action so that Artifactory refuses to serve a vulnerable external dependency to the Jenkins client. In that case Maven cannot resolve the dependency and the Jenkins build fails. If the external dependencies have no (blocking) vulnerabilities, the build continues and, as the next step, we publish the build info to Artifactory.
After the build is published, we scan it with Xray. The Xray policy defines which findings count as violations, and the scan step's failBuild option then decides what happens to the Jenkins build: either fail it when violations are reported, or only print the vulnerability details in the build output and let the build succeed.
Below is the sample output where the build succeeds even though vulnerabilities were found, because the 'failBuild' option was set to 'false'.
Below is the sample output where the build fails because vulnerabilities were found and the 'failBuild' option was set to 'true'.
The screenshots below show the corresponding build information and Xray metadata on the JFrog Platform side.
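The following scripted Jenkinsfile is an added example that walks through the stages described above (clone, Artifactory configuration, Maven build, publish, Xray scan); it is written for this page using the Artifactory Jenkins plugin's scripted DSL and is not the code from the screenshot or from JFrog's sample repository. The server ID 'ARTIFACTORY', the Maven tool name 'MAVEN_3', the repository names, the Git URL and branch, and the pom path are assumptions and must be replaced with the values of your own Jenkins and Artifactory setup.

```groovy
// Added example: scripted Jenkins pipeline using the Artifactory plugin DSL.
// All IDs, repository names, URLs and paths below are assumptions for illustration.
node {
    // 'ARTIFACTORY' is the server ID configured under Manage Jenkins > Configure System (assumed)
    def server = Artifactory.server 'ARTIFACTORY'
    def rtMaven = Artifactory.newMavenBuild()
    def buildInfo

    // Flip this to false to let the build succeed even when Xray reports violations
    // (this is what the two sample outputs above differ by).
    def failOnXrayViolation = true

    stage('Clone') {
        // Git URL and branch are assumed; the page only says "the project examples"
        git url: 'https://github.com/jfrog/project-examples.git', branch: 'master'
    }

    stage('Artifactory configuration') {
        // Maven installation name from Global Tool Configuration (assumed)
        rtMaven.tool = 'MAVEN_3'
        // Where build outputs are published (assumed repository names)
        rtMaven.deployer releaseRepo: 'libs-release-local', snapshotRepo: 'libs-snapshot-local', server: server
        // Where dependencies are resolved from: virtual repos that front the remote
        // repos Xray watches, so a block-download policy applies to every download
        rtMaven.resolver releaseRepo: 'libs-release', snapshotRepo: 'libs-snapshot', server: server
        buildInfo = Artifactory.newBuildInfo()
        // Keep build-info so the Xray scan later has something to scan (assumed retention values)
        buildInfo.retention maxBuilds: 10, maxDays: 7, deleteBuildArtifacts: true
    }

    stage('Exec Maven') {
        // If Xray blocks a vulnerable dependency, resolution fails here and the build stops.
        // pom path is assumed.
        rtMaven.run pom: 'maven-examples/maven-example/pom.xml', goals: 'clean install', buildInfo: buildInfo
    }

    stage('Publish build info') {
        // Publishing build-info is what lets Xray scan the build as a unit
        server.publishBuildInfo buildInfo
    }

    stage('Xray scan') {
        def scanConfig = [
            'buildName'  : buildInfo.name,
            'buildNumber': buildInfo.number,
            // true  -> job fails when the scan reports violations (second sample output)
            // false -> violations are only printed, job succeeds (first sample output)
            'failBuild'  : failOnXrayViolation
        ]
        def scanResult = server.xrayScan scanConfig
        // Print the scan summary either way so reviewers see the findings in the console
        echo scanResult as String
    }
}
```

Two things to check when adapting this. First, the resolver repositories must be ones Xray actually indexes; a block-download policy only protects downloads that go through a watched repository, so resolving straight from a remote that Xray ignores bypasses the first gate entirely. Second, failBuild does not make Xray stricter: it only controls whether the Jenkins job is failed when the scan reports a violation of a policy whose action includes failing the build. If you want a non-blocking pipeline that still surfaces findings, keep failBuild false and treat the echoed scan result as review input rather than silence.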