Shift Your IDE Left With Xray Plugins

“Forewarned is forearmed,” cautions the old proverb, and that truth coined in the 16th century is even more apt for DevSecOps in the 21st. The earlier you know about vulnerabilities, the better you can avoid making them part of your software.

That’s the same principle behind a “Shift Left” DevSecOps strategy. Rather than waiting for testers to catch vulnerabilities in built applications, developers take greater responsibility for keeping risky dependencies out of what they build.

But how is the developer supposed to know which dependencies are safe and which have problems? The public repository Maven Central has over 270,000 available modules and counting, all updated at a different pace. The Node.js registry npm has over 350,000 packages. Even with a vulnerability scanning tool like JFrog Xray to help, how can you be alert to problems at the time you code?

An IDE integration for Xray from JFrog can help.

Scanning for DevSecOps

If you use JFrog Xray, you’re already on your way to shifting DevSecOps left. Xray performs automated scans of the dependencies from the package managers you use, including Maven, Gradle, and npm, and identifies which ones contain known vulnerabilities. Xray uses the VulnDB database, the most comprehensive and up-to-date vulnerability intelligence available, created and maintained by Risk Based Security.

Xray also identifies the applicable licenses of each dependency, so organizations can avoid using code whose license doesn’t comply with their policies.

Because Xray is integrated with the artifact repository Artifactory, you can always see in Artifactory’s dashboard which dependencies held in your proxy repositories have vulnerabilities, and how severe a risk they pose. An administrator can also configure JFrog Xray to block potentially harmful artifacts from being downloaded from Artifactory, to prevent their use.

Choose an IDE Integration

To bring those decisions nearer to developers, JFrog provides plugins for some of the most commonly used IDEs that bring Xray’s scanning results right into your coding editor. So you can see, at the moment you choose your dependencies, whether your choice will introduce a risk, and make an informed decision.

The JFrog Xray plugin for IntelliJ IDEA and the JFrog Visual Studio Extension have been available for some time and are already helping developers shift left. Now users of the Eclipse IDE have a plugin from JFrog as well. With this release, shifting awareness of security and license concerns left is easier on three of the most popular IDEs.

How it Works

To understand how these work, let’s look at the newest plugin, for Eclipse.

You can find the JFrog Eclipse IDE Plugin in the Eclipse Marketplace. To install the plugin, you can drag the Install button into your Eclipse window.

Once installed, you can connect the plugin to your instance of JFrog Xray by setting its URL and login credentials in its Preferences. When finished, click Test Connection to confirm the settings work, then Apply the settings.

Once you open the JFrog tab in Eclipse, you can see all of the Issues that Xray has identified in dependency components. You can filter the results to show only those matching the Severity of the risk.

In the Licenses Info tab you can identify and filter for the licenses that apply to each component.

Beyond Development

Of course, choosing safe dependencies is only the first step in a DevSecOps strategy. A package thought safe today may be discovered to be vulnerable later, or a later version of the package might introduce new risks.

That’s why JFrog Xray performs continuous impact analysis of what’s held in your Artifactory repositories. It regularly scans and analyzes components, even those long since deployed to production, and provides alerts and notifications for newly discovered vulnerabilities. It also performs deep recursive scanning of your binaries, drilling down to analyze even the smallest binary component that affects your software.
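To make concrete what a dependency scan and a later re-scan actually do, here is a small added illustration of the core mechanism (it is not JFrog's or Xray's code, and it does not use any Xray API). It reads a constructed npm package.json and a constructed Maven pom.xml, matches each declared dependency against a constructed advisory list with placeholder ids (ADV-0001 and so on, not real CVEs) and affected version ranges, filters findings by severity the way the plugin's Severity filter does, and then shows what "continuous impact analysis" means: when a new advisory arrives, a dependency that was clean yesterday is flagged today. Package names, versions and ranges are all invented; one simplification is that a caret spec such as ^1.2.0 is treated as the pinned version, whereas a real scanner resolves the exact installed version from the lockfile.

```python
"""Toy dependency-vulnerability matcher (added illustration, not JFrog code)."""
import json
import re
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(spec):
    """'^1.2.0' -> (1, 2, 0). Range prefixes and pre-release tags are ignored
    in this toy; a real scanner would resolve the exact version from a lockfile."""
    core = re.match(r"\d+(\.\d+)*", spec.strip().lstrip("^~=v"))
    if core is None:
        raise ValueError(f"unparseable version: {spec!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version, introduced, fixed):
    """Affected range is [introduced, fixed); fixed=None means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


# Constructed advisory records: ids, packages and ranges are placeholders.
ADVISORIES = [
    {"id": "ADV-0001", "ecosystem": "npm", "package": "example-left-pad",
     "introduced": "1.0.0", "fixed": "1.3.0", "severity": "high"},
    {"id": "ADV-0002", "ecosystem": "maven", "package": "com.example:json-util",
     "introduced": "2.0.0", "fixed": None, "severity": "critical"},
]

# Constructed manifests standing in for a developer's project files.
PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {"example-left-pad": "^1.2.0", "example-other-lib": "3.0.1"}
}"""

POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>json-util</artifactId><version>2.1.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>clean-lib</artifactId><version>1.0.0</version></dependency>
  </dependencies>
</project>"""


def parse_package_json(text):
    """Return (ecosystem, name, version) triples from an npm manifest."""
    doc = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(doc.get(section, {}))
    return [("npm", name, spec) for name, spec in deps.items()]


def parse_pom(text):
    """Return (ecosystem, 'groupId:artifactId', version) triples from a POM."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(text)
    deps = []
    for d in root.findall(".//m:dependencies/m:dependency", ns):
        group = d.findtext("m:groupId", namespaces=ns)
        artifact = d.findtext("m:artifactId", namespaces=ns)
        version = d.findtext("m:version", namespaces=ns)
        if version:  # versions inherited from a parent POM are skipped in this toy
            deps.append(("maven", f"{group}:{artifact}", version))
    return deps


def all_dependencies():
    return parse_package_json(PACKAGE_JSON) + parse_pom(POM_XML)


def scan(deps, advisories):
    """Match every dependency against every advisory for its ecosystem."""
    findings = []
    for eco, name, version in deps:
        for adv in advisories:
            if (adv["ecosystem"] == eco and adv["package"] == name
                    and is_affected(version, adv["introduced"], adv["fixed"])):
                findings.append({"package": name, "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    return findings


def filter_by_severity(findings, minimum):
    """Keep findings at or above a severity floor, like the IDE's Severity filter."""
    floor = SEVERITY_RANK[minimum]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]


def newly_flagged(before, after):
    """Findings present after a re-scan that were absent before it."""
    seen = {(f["package"], f["advisory"]) for f in before}
    return [f for f in after if (f["package"], f["advisory"]) not in seen]


# A constructed advisory published "tomorrow" for a package that was clean today.
NEW_ADVISORY = {"id": "ADV-0003", "ecosystem": "npm", "package": "example-other-lib",
                "introduced": "3.0.0", "fixed": "3.0.2", "severity": "medium"}

if __name__ == "__main__":
    today = scan(all_dependencies(), ADVISORIES)
    for f in today:
        print(f"{f['severity']:8} {f['package']}@{f['version']} {f['advisory']} fixed in {f['fixed_in']}")
    tomorrow = scan(all_dependencies(), ADVISORIES + [NEW_ADVISORY])
    for f in newly_flagged(today, tomorrow):
        print(f"NEW: {f['package']}@{f['version']} now affected by {f['advisory']}")
```

The re-scan at the end is the point of the "Beyond Development" section: the project files did not change, only the advisory data did, so a scheduler that re-runs `scan` against a refreshed advisory feed and reports `newly_flagged` is the minimal form of continuous impact analysis. The `fixed_in` field is what a developer needs in the IDE to act on the finding: upgrade past that version, or, when it is `None`, look for an alternative.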

It’s all part of bringing greater awareness of security violations to the developer, who is the most immediately able to act on the issue. Problems get resolved more quickly, and both the company and its customers stay protected.

The developer’s workbench is the first line of defense for DevSecOps. JFrog’s Xray integrations for popular IDEs like Eclipse are one way we’re helping to bring shifting left out of the shadows.