...

Overview

Info

Proxy settings are relevant for requests for Mend servers only. Proxy for remote repository requests is not supported.

This topic describes how the JFrog Artifactory plugin integrates with Mend. The plugin adds information to the Artifactory artifacts and updates Mend. Once invoked, the metadata of all artifacts on the Artifactory instance is uploaded to the Mend inventory. The Artifactory plugin supports two use cases: our SCA and Supply Chain Defender (SCD).

...

Attribute: wssUrl
Type: String
Description: URL for sending the request. Use the 'Mend Server URL', which can be retrieved from your Profile page on the 'Server URLs' panel, then add the '/agent' path to it. For example: "https://saas.whitesourcesoftware.com/agent".
Required: No. Defaults to https://saas.whitesourcesoftware.com/agent

Attribute: apiKey
Type: String
Description: Unique identifier of the organization. This can be retrieved from the Integration page in your Mend account.
Required: Yes

Attribute: userKey
Type: String
Description: Unique identifier of the user. This can be generated from the Profile page in your Mend account.
Required: Yes
Additional Information: Supported since version 18.5.1

Attribute: productName
Type: String
Description: Represents the Artifactory instance and product in Mend. Comment this field to map the repository to the product in Mend (the project will also represent the repository).
Required: No

Attribute: checkPolicies
Type: Boolean
Description: Whether or not to send the check policies request to Mend.
Required: No

Attribute: forceCheckAllDependencies
Type: Boolean
Description: Used only if checkPolicies is set to true.
  • Setting forceCheckAllDependencies to true forces a policy check of all dependencies introduced to the Mend projects.
  • Setting forceCheckAllDependencies to false, or omitting it, checks only the new dependencies introduced to the Mend projects.
Required: No
Additional Information: Supported since version 1.0.3

Attribute: updateWss
Type: Boolean
Description: Whether or not to send an update to Mend.
Required: Yes
Additional Information: Supported since version 1.0.6

Attribute: forceUpdate
Type: Boolean
Description: Whether or not to update the organization inventory regardless of policy violations.
Required: No. The default value is false.
Additional Information: Supported since version 1.0.3

Attribute: repoKeys
Type: Array
Description: The list of the repositories to scan.
Required: Yes

Attribute: useProxy
Type: Boolean
Description: Whether or not to use proxy settings.
Required: Yes

Attribute: proxyHost
Type: String
Description: Proxy host URL.
Required: No

Attribute: proxyPort
Type: Integer
Description: Proxy port.
Required: No

Attribute: proxyUser
Type: String
Description: Proxy user name, if any.
Required: No

Attribute: proxyPass
Type: String
Description: Proxy password, if any.
Required: No

Attribute: archiveIncludes
Type: String
Description: Comma-separated list specifying the types of files that will be extracted.
Required: No. The default list includes the following: jar, war, ear, egg, zip, whl, sca, sda, gem, tar.gz, tar, tgz, tar.bz2, rpm, rar.
Additional Information: Supported since version 1.0.3

Attribute: archiveExtractionDepth
Type: String
Description: Drill-down hierarchy level in archive files. Max value is 7.
Required: No. The default value is 2.
Additional Information: Supported since version 19.4.2

Attribute: includesRepositoryContent
Type: String
Description: Comma-separated list specifying which files to include in the scan once the archive is extracted according to the parameters in archiveIncludes.
Required: No
Additional Information: Required since version 1.0.3

Attribute: triggerBeforeDownload
Type: Boolean
Description: Whether or not to enforce a Mend policy check on artifacts downloaded from local repositories. When enabled, only Mend policy-approved artifacts will be downloaded.
Required: No. The default value is true.
Additional Information: Supported since version 18.10.3

Attribute: triggerBeforeRemoteDownload
Type: Boolean
Description: Whether or not to enforce a Mend policy check on artifacts downloaded from remote repositories. When enabled, only Mend policy-approved artifacts will be downloaded.
Required: No. The default value is true.
Additional Information: Supported since version 21.12.1

Attribute: triggerAfterCreate
Type: Boolean
Description: Whether or not to trigger the afterCreate method. When a new artifact is uploaded to Artifactory, Mend policies are triggered and additional data is added to the Property tab of the artifact.
Required: No. The default value is true.
Additional Information: Supported since version 18.10.3

Info

The extraction depth of the Artifactory Plugin for archived files is currently set to the first level. The Unified Agent has an extraction depth of up to seven levels.
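The attribute table above carries several constraints worth checking before a configuration is deployed: required attributes, the archiveExtractionDepth maximum of 7, forceCheckAllDependencies being meaningful only with checkPolicies, and the enforcement hooks (triggerBeforeDownload, triggerBeforeRemoteDownload) and forceUpdate, which weaken policy enforcement when turned off or on respectively. The validator below is an added example and not the plugin's own code; since the plugin's config file format is not shown here, it assumes the configuration is a dict keyed by the attribute names in the table.

```python
# Added example, not the plugin's own code. The plugin's config file format
# is not shown on this page, so a config is modelled as a dict keyed by the
# attribute names in the table above (an assumption).
DEFAULTS = {
    "wssUrl": "https://saas.whitesourcesoftware.com/agent",
    "forceUpdate": False,
    "archiveExtractionDepth": 2,
    "triggerBeforeDownload": True,
    "triggerBeforeRemoteDownload": True,
    "triggerAfterCreate": True,
}
REQUIRED = ("apiKey", "userKey", "updateWss", "repoKeys", "useProxy")
MAX_ARCHIVE_DEPTH = 7  # "Max value is 7" in the table


def validate_plugin_config(cfg):
    """Return (errors, warnings). Errors: missing required attributes or
    out-of-range values. Warnings: valid settings that weaken enforcement."""
    cfg = {**DEFAULTS, **cfg}
    errors, warnings = [], []
    for key in REQUIRED:
        if key not in cfg:
            errors.append(f"missing required attribute: {key}")
    repos = cfg.get("repoKeys")
    if "repoKeys" in cfg and (not isinstance(repos, list) or not repos):
        errors.append("repoKeys must be a non-empty array of repository keys")
    # Typed as String in the table, so accept "3" as well as 3.
    try:
        depth = int(cfg["archiveExtractionDepth"])
    except (TypeError, ValueError):
        depth = None
    if depth is None or not 1 <= depth <= MAX_ARCHIVE_DEPTH:
        errors.append(f"archiveExtractionDepth must be 1..{MAX_ARCHIVE_DEPTH}, "
                      f"got {cfg['archiveExtractionDepth']!r}")
    if cfg.get("useProxy") and not cfg.get("proxyHost"):
        errors.append("useProxy is true but proxyHost is not set")
    if cfg.get("forceCheckAllDependencies") and not cfg.get("checkPolicies"):
        warnings.append("forceCheckAllDependencies is ignored unless checkPolicies is true")
    if cfg["forceUpdate"]:
        warnings.append("forceUpdate=true: inventory is updated even on policy violations")
    if not cfg["triggerBeforeDownload"]:
        warnings.append("triggerBeforeDownload=false: local-repo downloads skip the policy check")
    if not cfg["triggerBeforeRemoteDownload"]:
        warnings.append("triggerBeforeRemoteDownload=false: remote-repo downloads skip the policy check")
    return errors, warnings
```

Run it over a candidate config with placeholder keys (for example `{"apiKey": "<API_KEY>", "userKey": "<USER_KEY>", "updateWss": True, "repoKeys": ["npm-demo-remote"], "useProxy": False}`) and treat a non-empty error list as a hard stop and the warnings as review items.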

Cron Scheduling Example

This example demonstrates how to configure a schedule for scanning the Artifactory repositories.

...

Code Block
[WARN] beforeRemoteDownload - Rejected package even-more-externals:3.0.0 request - Diffend status: LibraryQueryResponse{status='blocked'}

...

For both NPM and Ruby, you will receive a 403 HTTP status code, as the requested package is blocked:

NPM:

...

...

NPM:
======
E403
403 Forbidden - GET http://
In most cases, you or one of your dependencies are requesting
a package version that is forbidden by your security policy, or
on a server you do not have access to.


Ruby:
======
ERR: While executing gem . . . (Gem::RemoteFetcher::FetchError)
  bad response 403 (http://)

Cron-Ruby:

...

Cron-based Job:

The following messages will be displayed when a “blocked” package is detected during a cron scan:

Code Block
[INFO] - DiffendAgent - START - Cron artifacts scan
[WARN] - checkArtifacts - Bad Package - Action needed for PackageInfo{npm:even-more-externals:3.0.0}
[INFO] - move - START - move artifact npm-demo-remote-cache:even-more-externals/-/even-more-externals-3.0.0.tgz into quarantine-repo
[INFO] - move - END - Success moving artifact npm-demo-remote-cache:even-more-externals/-/even-more-externals-3.0.0.tgz into quarantine-repo
[INFO] - DiffendAgent - End - Cron artifacts scan
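The download-hook rejection above and the cron scan log here are the two signals a SOC would want to collect from the plugin: a blocked package request, and a "Bad Package" finding together with whether the quarantine move completed. The parser below is an added example, not part of the plugin; its patterns match the log formats quoted on this page, and its sample log is constructed by concatenating those quoted lines.

```python
import re

# Added example, not part of the plugin: turns the plugin's log lines into
# structured "blocked package" events for alerting. The patterns match the
# two log formats quoted on this page (download-hook rejection and cron scan).
RE_DOWNLOAD_REJECT = re.compile(
    r"\[WARN\] (?P<hook>before(?:Remote)?Download) - Rejected package "
    r"(?P<pkg>\S+) request - Diffend status: .*status='(?P<status>\w+)'")
RE_CRON_BAD = re.compile(
    r"\[WARN\] - checkArtifacts - Bad Package - Action needed for "
    r"PackageInfo\{(?P<type>\w+):(?P<pkg>[^}]+)\}")
RE_CRON_MOVE = re.compile(
    r"\[INFO\] - move - (?P<phase>START|END) - .*mov(?:e|ing) artifact "
    r"(?P<path>\S+) into (?P<repo>\S+)")


def parse_blocked_events(lines):
    """One event per rejected download and per cron 'Bad Package'; cron
    events record whether the quarantine move finished (END line seen)."""
    events, moves = [], {}
    for line in lines:
        if m := RE_DOWNLOAD_REJECT.search(line):
            events.append({"source": m["hook"], "package": m["pkg"],
                           "status": m["status"]})
        elif m := RE_CRON_BAD.search(line):
            events.append({"source": "cron", "package": f"{m['type']}:{m['pkg']}",
                           "quarantined": False, "quarantine_repo": None})
        elif m := RE_CRON_MOVE.search(line):
            moves[m["path"]] = (m["phase"] == "END", m["repo"])
    # Tie quarantine moves to cron events via "<name>-<version>" in the path.
    for ev in events:
        if ev["source"] != "cron":
            continue
        name, version = ev["package"].split(":", 1)[1].rsplit(":", 1)
        for path, (finished, repo) in moves.items():
            if f"{name}-{version}" in path:
                ev["quarantined"], ev["quarantine_repo"] = finished, repo
    return events


# Constructed sample: the log lines quoted on this page, concatenated.
SAMPLE_LOG = """\
[WARN] beforeRemoteDownload - Rejected package even-more-externals:3.0.0 request - Diffend status: LibraryQueryResponse{status='blocked'}
[INFO] - DiffendAgent - START - Cron artifacts scan
[WARN] - checkArtifacts - Bad Package - Action needed for PackageInfo{npm:even-more-externals:3.0.0}
[INFO] - move - START - move artifact npm-demo-remote-cache:even-more-externals/-/even-more-externals-3.0.0.tgz into quarantine-repo
[INFO] - move - END - Success moving artifact npm-demo-remote-cache:even-more-externals/-/even-more-externals-3.0.0.tgz into quarantine-repo
[INFO] - DiffendAgent - End - Cron artifacts scan
"""
```

Calling `parse_blocked_events(SAMPLE_LOG.splitlines())` yields one `beforeRemoteDownload` event with status `blocked` and one cron event marked as quarantined into `quarantine-repo`; a cron event that stays `quarantined: False` means the START line was logged without a matching END and deserves a follow-up.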

...

(SCD) Non-supported repository:

...