In this article you will find:

  1. Pre-requisite
  2. How to configure JFrog Xray in Vulcan platform
  3. How to view data from JFrog Xray in Vulcan platform

1. Pre-requisite

  • JFrog version 3.80 and above
  • Valid user with the roles Manage Watches and Manage Reports
  • For your convenience you can also Disable UI Access and unable Can Update Profile options.
  • API calls used:

| Product | API Call | Permission Required | Use in Vulcan |
|---|---|---|---|
| ARTIFACTORY | /api/repositories | Requires a privileged user (can be anonymous) | Get repositories names |
| ARTIFACTORY | /api/storage/{repoKey}/{folder-path} | Requires a privileged user | Get Folder Info |
| ARTIFACTORY | /api/storage/{repoKey}/{filePath} | Requires a privileged user | Get File Info |
| XRAY | /api/v1/reports/vulnerabilities | Requires a user with the Manage Reports role | Generate Vulnerabilities Report |
| XRAY | /api/v1/reports/{id} | Requires a user with the Manage Reports role | Get Report Details By ID |
| XRAY | /api/v1/reports/vulnerabilities/{id} | Requires a user with the Manage Reports role | Get Vulnerabilities Report Content |
| XRAY | /api/v1/reports/{id:.*} | Requires a user with the Manage Reports role | Delete report |
| XRAY | /events/{id} | Requires a valid user with the "Read" permission | Get Issue Events |

2. Configuring JFrog Xray Connector

In the Connectors page, click on Add a Connector.

Click on JFrog connector.

Fill in the relevant fields:

  • Server URL - URL of your organization's JFrog Xray account. Note that the format must be https://[ADDRESS] and not https://[ADDRESS]/ (no "/" at the end).
  • Username - User with the required permissions to access the JFrog account. See the Pre-requisite section for more information.
  • Password - Password matching the username.

Click on Create

3. Viewing data from JFrog Xray in Vulcan

Vulcan provides the option to remediate vulnerabilities from 2 different angles:

  • Assets
  • Vulnerabilities

Assets

The data from JFrog Xray is displayed under Code Projects. This tab gathers all data that comes from SAST and SCA tools. To filter only JFrog Xray data, simply use the Search Bar.

Clicking on a project opens its Asset Card, where you can view the project's data in detail, including all related vulnerabilities, components, project details, and correlated data from other sources.


If you want to view a specific vulnerability, click on it and get a representation of that vulnerability and its details.

Vulnerabilities
Each violation of type security in JFrog Xray is a vulnerability in Vulcan.
You can view all data from JFrog Xray in Vulnerabilities. To filter only JFrog Xray data, simply use the Search Bar.
The name of the vulnerability is determined by the CWE name of the top risk CSV related to the vulnerability.

You can start the remediation process by clicking on a vulnerability and viewing all the details fetched from your JFrog Xray account.
All the data from JFrog Xray, including description, CVEs, affected packages and more, is available in Vulcan.

Click on Take Action if you wish to open a ticket and assign it to a specific team or share your findings via Slack channels or emails.
