Jfrog Xray

Jfrog Xray software composition analysis (SCA) solution natively integrates with Artifactory, giving developers and DevSecOps teams an easy way to proactively identify vulnerabilities on open source and license compliance violations. More information can be found at Jfrog Xray.

Integration Method: API

Tables: Vulnerability Finding (2002)

This integration supports the following events.

This integration supports the following versions.

Prerequisites

• Access to the Jfrog portal with an account that has the Global Administrator privileges. Portal URL looks like https://<hostname>.jfrog.io/.

• Access to the DataBee console.

Configuration Overview

1. Generate a Access token with the required scope to access API.

2. Add the Jfrog Xray in the DataBee console with the below parameters.

   DataBee Parameter	Jfrog Xray Parameter
   API Base URL (<hostname>)	hostname
   Token	Access Token

Jfrog Xray Configuration

1. Login to Jfrog portal.

   1. Copy the instance URL as shown below. This is the hostname required by DataBee during configuration.
       

2. Once logged in, click on Administration.

   
   

3. From left side panel, click on User management > Access Tokens then click Generate Token on the top right.
    

4. Select Scoped Token, fill ‘Description’ field and choose User from ‘Token Scope’ dropdown.
    

5. Select the username from dropdown for which access token need to be generated.
    

   Note:

   This is least privilege scope. Users will be part of readers group by default, please ensure that user for which token is generated is part of readers groups. Please refer for detailed user management guideline.

6. Uncheck All checkbox and choose Xray from ‘Service’ dropdown.
    

7. Choose Never from ‘Expiration time’ dropdown and click on Generate.
    

8. Copy the token and keep it safe since it can't be retrieved later.
    

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for the Jfrog Xray and click it as shown below.
    

3. Click on the API Ingest option for collection method.
    

4. Enter feed contact information and click Next.
    

5. In the configuration page, confirm the following:

   • Authorization Method: Bearer Token

   • API Base URL: this is the base URL that DataBee will interact with. Replace <hostname> placeholder with your organization instance name.

   • Token: paste the Access Token generated earlier

   • Event Types: preselected for all the event types that integration pulls.
      

6. Click Submit.

Troubleshooting Tips

• Ensure the token is pasted correctly. Since you cannot view the token after the 1^st time, re-create the token by following jfrog configuration steps, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.

• Ensure the scope is set as required, minimum users level scope is needed.