Reputation: 6868
I have recently started using JFrog Xray for exe, msi, & zip scans.
I'm using a GitHub repository and for pipeline I'm using GitHub Actions
My projects are in C#,
and hence I first tried the JFrog extension for VS2019, which scanned all the used DLLs properly and provided the vulnerabilities.
But when I tried to execute it through the WebApp, using watches and reports, it was unable to find the vulnerabilities in the EXE/ZIP stored in JFrog Artifactory. What can be the reason for this?
Also, is there any possible way that I can make the GitHub Actions pipeline fail if the JFrog Xray scan finds issues?
P.S.: I have made sure that the watches and policies in the WebApp are applied properly and are executed on the correct target Artifactory.
Based on the suggested answer, I tried the approach below to execute build-scan on Artifactory.
Prerequisite details:
JFrog distribution URL: https://orgname.jfrog.io/orgartifactoryname
JFrog path to Artifactory: JFrogDistributionURL/ProjectName/Folder
Commands executed:
jfrog rt c rt-server-1 --user=$username --url=$JFrogDistributionURL --apikey=$apikey
jfrog rt bs "my build name" 18
Output:
[Info] Triggered Xray build scan... The scan may take a few minutes.
[Info] Connection error: Server Response: 401 Unauthorized, reconnecting...
I also tried setting up the server with --password instead of --apikey, but I have the same issue.
Upvotes: 0
Views: 1119
Reputation: 6063
The JFrog VS extension and the JFrog Xray build scan scan your project using two different methods.
The JFrog VS extension builds a transitive dependency tree from the dependencies in your file system. Ultimately, the dependency tree contains all packages required to build your program. Each one of the dependencies is sent to Xray for scanning.
On the other hand, scanning a build through JFrog Xray works a bit differently. The Xray scan input is the build artifacts. Using a deep recursive scan of the NuGet layers, it builds a complete picture of the package's artifacts and dependencies.
"Also, is there any possible way that I can make the GitHub Actions pipeline fail if the JFrog Xray scan finds issues?"
Yes. I'm assuming you're using the JFrog CLI through the setup-jfrog-cli GitHub Action.
It is actually the default behavior of the jfrog rt build-scan command.
Read more about build-scan here: https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory#CLIforJFrogArtifactory-ScanningaPublishedBuild
Upvotes: 0
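The answer above says that jfrog rt build-scan fails by default when the scan finds issues. The script below is an added example, not code from the question, the answer, or JFrog; it shows what the body of a GitHub Actions "run:" step would look like when the scan is used as a pipeline gate, and it fails closed when the scan never completes (for example, the 401 Unauthorized shown in the question) instead of letting the job pass. It assumes the legacy JFrog CLI v1 binary is on PATH as "jfrog", that a server was configured with "jfrog rt c <server-id>" as in the question, and that the build was published with "jfrog rt bp" before scanning. The server id, build name, and build number are the placeholders from the question. The specific exit code 3 for policy violations is taken from the JFrog CLI documentation for the --fail option and should be treated as an assumption to verify against the CLI version in use; the gate fails on any non-zero code regardless.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Assumptions: the legacy JFrog CLI v1 binary is on PATH as "jfrog", a server
# was configured with "jfrog rt c <server-id>" (as in the question), and the
# build was published with "jfrog rt bp" before scanning. The server id, build
# name, and build number used in the usage line are placeholders from the question.

# Run the Xray build scan as a gate. With --fail left at its default (true),
# the CLI exits non-zero when Xray reports policy violations; the specific
# code 3 for violations is taken from the JFrog CLI docs and is treated here
# as an assumption to verify against your CLI version.
xray_build_scan() {
  server_id="$1"; build_name="$2"; build_number="$3"
  jfrog rt build-scan --server-id="$server_id" --fail=true "$build_name" "$build_number"
}

# Map the CLI exit code to a verdict line. Anything that is neither "clean"
# nor "violations" means the scan never completed (for example the 401 seen
# in the question), and the gate must fail closed rather than pass silently.
scan_verdict() {
  case "$1" in
    0) printf 'PASS: no Xray policy violations\n' ;;
    3) printf 'FAIL: Xray policy violations found\n' ;;
    *) printf 'ERROR: scan did not complete (exit %s); check credentials and that the build was published\n' "$1" ;;
  esac
}

# Pipeline step body: scan, print the verdict, and propagate the exit code so
# the GitHub Actions job fails on violations and on scan errors alike.
gate_pipeline() {
  rc=0
  xray_build_scan "$@" || rc=$?
  scan_verdict "$rc"
  return "$rc"
}

# Usage in a workflow "run:" step (after setup-jfrog-cli and "jfrog rt bp"):
#   gate_pipeline rt-server-1 "my build name" 18
```

Because gate_pipeline returns the CLI's own exit code, a GitHub Actions step that calls it fails the job on violations without any extra "exit 1" logic; the ERROR branch is what distinguishes a scan that genuinely passed from one that could not authenticate or could not find the published build.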