Pre-requisite
JFrog Xray version 3.80 and above
A valid user with the Privileged User role
For a dedicated service account you can also enable the Disable UI Access option and disable the Can Update Profile option.
Used API calls:

| Product | API Call | Permission Required | Use in Vulcan |
| --- | --- | --- | --- |
| ARTIFACTORY | | Requires a privileged user (can be anonymous) | Get repository names |
| ARTIFACTORY | | Requires a privileged user | Get Folder Info |
| ARTIFACTORY | | Requires a privileged user | Get File Info |
| XRAY | | Requires a user with the Manage Reports role | Generate Vulnerabilities Report |
| XRAY | | Requires a user with the Manage Reports role | Get Report Details By ID |
| XRAY | | Requires a user with the Manage Reports role | Get Vulnerabilities Report Content |
| XRAY | | Requires a user with the Manage Reports role | Delete Report |
| XRAY | | Requires a valid user with the "Read" permission | Get Issue Events |
Configuring JFrog Xray Connector
On the Connectors page, click Add a Connector.
Click the JFrog connector.
Fill in the relevant fields:
Server URL - URL of your organization's JFrog Xray account. Note that the syntax must be https://[ADDRESS] and not https://[ADDRESS]/ (no trailing "/").
Username - User with the permissions required to access the JFrog account. See the Pre-requisite section for more information.
Password - Password matching the username.
Click Create.
Viewing data from JFrog Xray in Vulcan
Vulcan provides the option to remediate vulnerabilities from 2 different angles:
Assets
Vulnerabilities
Assets
The data from JFrog Xray is displayed under Code Projects. This tab gathers all data that came from SAST and SCA tools; to filter only JFrog Xray data, use the Search Bar.
Clicking a project opens its Asset Card, where you can view the project's data in detail, including all related vulnerabilities, components, project details, and correlated data from other sources.
To view a specific vulnerability, click it to get a representation of that vulnerability and its details.
Vulnerabilities
Each violation of type security in JFrog Xray is a vulnerability in Vulcan.
You can view all data from JFrog Xray under Vulnerabilities. To filter only JFrog Xray data, use the Search Bar.
The name of the vulnerability is determined by the CWE name of the top-risk CVE related to the vulnerability.
You can start the remediation process by clicking a vulnerability and viewing all details fetched from your JFrog Xray account.
All the data from JFrog Xray, including description, CVEs, affected packages and more, is available in Vulcan.
Click on Take Action if you wish to open a ticket and assign it to a specific team or share your findings via Slack channels or emails.