Applying Policies on Scanned Artifacts

XRAY: Updating an Xray Watch with History Scan

Patrick Russell

When Xray scans an artifact for the first time, it recursively unpacks the binary and calculates checksums for the file and for every component found inside it (for example, Xray will find a JAR file inside a ZIP). At the conclusion of the scan, these checksums are saved in Xray's database, so an artifact only needs to be downloaded and indexed once. More information is available HERE.

By itself, indexing does not detect vulnerabilities or license issues. Because there are many things you might want to look for in a binary, JFrog separates what is scanned from what is done with the results: watches select the artifacts to track, and policies made up of rules define which findings count as a violation and what action (if any) to take. This happens during the analysis phase of a scan, after a binary has been indexed and persisted to the database. Typically it is a once-and-done action, performed when a binary is first scanned and again when a database sync brings in new vulnerability data. But what if you add a watch or change a policy after the fact, and need to change the results or unblock numerous files that have already been scanned?

To apply a new watch or a new policy to artifacts that were scanned before it existed, you need to trigger a history scan. This is done by clicking the Apply on Existing Content button in Xray's Watches menu:


Triggering a history scan makes Xray go back through its database. Because the artifacts in the watched repositories have already been indexed, Xray looks up each one by checksum and re-evaluates whether the watch's policies now apply to it. This is a database- and system-intensive operation, so you can't run a history scan on watches that use the All Artifacts or All Builds resources: doing so would force Xray to re-evaluate every indexed artifact in the Artifactory instance, which is inefficient and should be avoided.

A best practice is to avoid attaching blocking policies (such as Block Download) to any of your All Artifacts/All Builds watches, since once such a policy is in force across the whole instance it is difficult to back out. Such watches should only be used to track violations with a generic, Generate Violation policy that records findings without blocking anything.
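As an added example (not JFrog's code and not part of the original article), the following Python script turns the two rules above into checks you can run before triggering a history scan: it refuses to build an Apply on Existing Content request for a watch whose resources are All Artifacts or All Builds, and it audits such watches for policies that block downloads or fail builds. The watch and policy JSON shapes, the field names, and the `POST /api/v1/applyWatch` endpoint with its `watch_names`/`date_range` body are assumptions based on the Xray v2 watch and policy REST API and should be checked against the documentation for your Xray version; the sample watches and policies are constructed for the example.

```python
"""Guardrails for Xray history scans (Apply on Existing Content).

Added example, not JFrog's code. Assumptions, to be checked against the
REST API docs for your Xray version:
  * Watch JSON follows the v2 shape: resources live under
    project_resources.resources[] with a "type" such as "repository",
    "all-repos", "build" or "all-builds".
  * Policy JSON: rules[].actions holds block_download.active,
    block_download.unscanned and fail_build.
  * A history scan is started with POST /api/v1/applyWatch and a body of
    {"watch_names": [...], "date_range": {"start_date": ..., "end_date": ...}}.
"""
import json
from datetime import datetime, timezone

# Resource types that cover the whole Artifactory instance. A history scan on
# a watch with one of these would re-evaluate everything Xray has indexed.
INSTANCE_WIDE_TYPES = {"all-repos", "all-builds"}

# Constructed sample data in the assumed v2 shapes.
WATCHES = {
    "docker-prod": {
        "general_data": {"name": "docker-prod", "active": True},
        "project_resources": {"resources": [
            {"type": "repository", "bin_mgr_id": "default", "name": "docker-prod-local"},
        ]},
        "assigned_policies": [{"name": "block-high", "type": "security"}],
    },
    "all-artifacts": {
        "general_data": {"name": "all-artifacts", "active": True},
        "project_resources": {"resources": [{"type": "all-repos", "bin_mgr_id": "default"}]},
        "assigned_policies": [
            {"name": "block-high", "type": "security"},
            {"name": "notify-only", "type": "security"},
        ],
    },
}

POLICIES = {
    "block-high": {
        "name": "block-high", "type": "security",
        "rules": [{
            "name": "block-high-cves", "priority": 1,
            "criteria": {"min_severity": "High"},
            "actions": {
                "block_download": {"active": True, "unscanned": False},
                "fail_build": False,
                "notify_watch_recipients": True,
            },
        }],
    },
    "notify-only": {
        "name": "notify-only", "type": "security",
        "rules": [{
            "name": "record-any-cve", "priority": 1,
            "criteria": {"min_severity": "Low"},
            # No block/fail actions: the rule only generates a violation.
            "actions": {
                "block_download": {"active": False, "unscanned": False},
                "fail_build": False,
                "notify_watch_recipients": True,
            },
        }],
    },
}

# Constructed date range for the sample request (timezone-aware UTC).
SAMPLE_RANGE = (datetime(2024, 1, 1, tzinfo=timezone.utc),
                datetime(2024, 3, 31, tzinfo=timezone.utc))


def is_instance_wide(watch):
    """True if the watch tracks All Artifacts or All Builds."""
    resources = watch.get("project_resources", {}).get("resources", [])
    return any(r.get("type") in INSTANCE_WIDE_TYPES for r in resources)


def blocking_rules(policy):
    """Names of rules in the policy that block downloads or fail builds."""
    hits = []
    for rule in policy.get("rules", []):
        actions = rule.get("actions", {})
        block = actions.get("block_download", {})
        if block.get("active") or block.get("unscanned") or actions.get("fail_build"):
            hits.append(rule.get("name", "<unnamed>"))
    return hits


def audit_instance_wide_watches(watches, policies):
    """Map each All Artifacts/All Builds watch to the blocking rules it carries.

    An empty list means the watch only generates violations, which is the
    configuration recommended above for instance-wide watches.
    """
    report = {}
    for name, watch in watches.items():
        if not is_instance_wide(watch):
            continue
        rules = []
        for assigned in watch.get("assigned_policies", []):
            rules.extend(blocking_rules(policies.get(assigned["name"], {})))
        report[name] = rules
    return report


def history_scan_request(watch, start, end):
    """Build the applyWatch payload, refusing instance-wide watches.

    start/end are timezone-aware datetimes, rendered as RFC 3339 UTC
    timestamps (the format the assumed endpoint expects).
    """
    name = watch["general_data"]["name"]
    if is_instance_wide(watch):
        raise ValueError(f"watch {name!r} covers All Artifacts/All Builds; "
                         "a history scan would re-evaluate the entire instance")
    if start >= end:
        raise ValueError("start_date must be before end_date")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {"watch_names": [name],
            "date_range": {"start_date": start.astimezone(timezone.utc).strftime(fmt),
                           "end_date": end.astimezone(timezone.utc).strftime(fmt)}}


if __name__ == "__main__":
    print(json.dumps(audit_instance_wide_watches(WATCHES, POLICIES), indent=2))
    payload = history_scan_request(WATCHES["docker-prod"], *SAMPLE_RANGE)
    print("POST /api/v1/applyWatch", json.dumps(payload))
```

In practice you would replace the constructed `WATCHES` and `POLICIES` with the JSON returned by the watches and policies endpoints, run the audit as a periodic check, and only send the payload from `history_scan_request` to the applyWatch endpoint with your normal authenticated HTTP client; the guard raises before any request is built for an instance-wide watch.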

More information on the best way to execute your initial setup of Xray can be found HERE.