Components Operational Risk

JFrog Security Documentation

JFrog Xray
Content Type
User Guide

JFrog Xray's Operational Risk feature provides you with additional data on OSS components that will help you gain insights into the risk level of the components in use.

What is Components Operational Risk?

Components Operational Risk is the risk of using outdated or inactive open source software components in your projects.

How Does This Feature Help Identify the Risk?

This feature helps you identify the operational risk your projects may have by using outdated open source software components. It can also work as an early indicator of any slowness in open source project activity or projects that may not be actively maintained.

How Does it Work?

JFrog Xray tracks the following Operational Risk data for a given open-source component:

  • End-of-Life (EOL): Determines whether the OSS component in use is obsolete or declared end-of-life by the author.

  • Version Age: The age of the OSS component in use in months.

  • Number of New Versions: Number of new versions released after the current version. For example, if you are using version 2.3.4 and there have been three new releases 2.3.5, 2.4.1 and 2.4.2, the value would be 3.

  • Health of the OSS Project: A boolean value that shows whether the OSS project is healthy or not. This is computed using the following parameters:

    • Release cadence per year: Number of GA releases including patches, dot releases, and so on.

    • Number of commits per year: Total number of commits in the last 12 months.

    • Number of committers per year: Total number of committers in the last 12 months.

Important Notes Regarding Operational Risk

  • This feature requires Artifactory version 7.37.x and above.

  • This feature requires JFrog CLI version 2.15.x and above.

  • This feature is only supported for npm and Maven packages.