Xray: How to Use the JFrog Xray Block Download Feature
When you want to restrict which artifacts users can download from Artifactory local or remote repositories based on security vulnerabilities, you can do so with Xray. The Xray rules of a policy give you two levels of download protection.
First, you can block downloads from an Artifactory repository by enabling Xray indexing for it (so its contents are marked for scanning) and setting Block Unscanned Artifacts in the corresponding rule of the policy. Second, you can block downloads of artifacts that reach the minimum severity configured in the policy that the Xray watch applies to the repository. The two scenarios are described in detail below:
A. Block Download: this setting blocks the download of suspicious artifacts that violate the policy, which gives you finer control over which artifacts (if any) should be blocked. Issues found in an artifact are graded by severity: Low, Medium, High or Critical.
Whichever of these settings you choose, as soon as they are set Xray triggers a scan, and any component that fails the policy check is blocked immediately.
To avoid confusion about why a download is refused, Artifactory shows a notification about the blocked artifact in the UI and returns an informative error message to REST API calls that fail because the artifact is blocked.
The following screenshot and REST API output are provided for reference:
% curl -uadmin -XGET "http://artifactory.com/artifactory/test-block-unscanned-artifacts/commons-io-2.2.jar"
Enter host password for user 'admin':
{
  "errors": [{
    "status": 403,
    "message": "Artifact download request rejected: commons-io-2.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts."
  }]
}
You can also see in the Artifactory log why these downloads failed:
artifactory-service.log:
[jfrt] [ERROR] [29abc3f8c904e1da] [o.a.r.d.DbLocalRepo:247] [http-nio-8081-exec-5] - Artifact download request rejected: commons-io-2.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
[jfrt] [WARN] [29abc3f8c904e1da] [o.a.r.ArtifactoryResponseBase:144] [http-nio-8081-exec-5] - Sending HTTP error code 403: Artifact download request rejected: commons-io-2.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
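The following script is an added example (not code from the original article or from JFrog) showing how to pull these rejections out of artifactory-service.log for monitoring. It runs on a constructed sample modelled on the two entries above plus one unrelated line; the optional timestamp prefix is assumed from the standard Artifactory log layout. Because Artifactory records each rejection twice under the same trace id (the ERROR from DbLocalRepo and the WARN from ArtifactoryResponseBase when it sends the 403), the events are de-duplicated by trace id.

```python
"""Extract Xray download-block events from artifactory-service.log (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the log lines shown in the article; the INFO
# line is an unrelated entry added only to show that it is ignored.
SAMPLE_LOG = """\
[jfrt] [ERROR] [29abc3f8c904e1da] [o.a.r.d.DbLocalRepo:247] [http-nio-8081-exec-5] - Artifact download request rejected: commons-io-2.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
[jfrt] [WARN] [29abc3f8c904e1da] [o.a.r.ArtifactoryResponseBase:144] [http-nio-8081-exec-5] - Sending HTTP error code 403: Artifact download request rejected: commons-io-2.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
[jfrt] [INFO] [5b0c1d2e3f4a5b6c] [o.a.r.d.DbLocalRepo:102] [http-nio-8081-exec-2] - constructed unrelated INFO line for this example
[jfrt] [ERROR] [3f5eddfe9ed3f267] [o.a.r.d.DbLocalRepo:247] [http-nio-8081-exec-1] - Artifact download request rejected: log4j-core-2.17.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
[jfrt] [WARN] [3f5eddfe9ed3f267] [o.a.r.ArtifactoryResponseBase:144] [http-nio-8081-exec-1] - Sending HTTP error code 403: Artifact download request rejected: log4j-core-2.17.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
"""

# Generic Artifactory line: optional ISO timestamp (assumed; absent on the page),
# then [service] [LEVEL] [trace-id] [logger:line] [thread] - message
LINE_RE = re.compile(
    r"^(?:\d{4}-\S+ )?\[(?P<service>[^\]]+)\] \[(?P<level>[A-Z]+)\s*\] "
    r"\[(?P<trace>[0-9a-f]+)\] \[(?P<logger>[^\]]+)\] \[(?P<thread>[^\]]+)\] - (?P<msg>.*)$"
)

# The rejection text Artifactory emits for an Xray download block; the repository
# name runs to the end of the message, with an optional trailing period.
BLOCK_RE = re.compile(
    r"Artifact download request rejected: (?P<artifact>\S+) was not downloaded "
    r"due to the download blocking policy configured in Xray for (?P<repo>\S+?)\.?$"
)


@dataclass(frozen=True)
class BlockedDownload:
    trace_id: str
    artifact: str
    repo: str
    thread: str


def parse_blocked_downloads(log_text: str) -> list[BlockedDownload]:
    """Return one event per blocked download request, keyed on the trace id so the
    ERROR and WARN entries for the same request are counted once."""
    events: dict[str, BlockedDownload] = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # not an Artifactory log line (or a continuation/stack trace)
        block = BLOCK_RE.search(line["msg"])
        if not block:
            continue  # some other message
        events.setdefault(
            line["trace"],
            BlockedDownload(line["trace"], block["artifact"], block["repo"], line["thread"]),
        )
    return list(events.values())


def summarize_by_repo(events: list[BlockedDownload]) -> dict[str, int]:
    """Blocked-download count per repository, e.g. for a dashboard or alert threshold."""
    return dict(Counter(e.repo for e in events))


if __name__ == "__main__":
    for e in parse_blocked_downloads(SAMPLE_LOG):
        print(f"{e.trace_id}  {e.repo}/{e.artifact}  ({e.thread})")
    print(summarize_by_repo(parse_blocked_downloads(SAMPLE_LOG)))
```

Feed it the real file with `parse_blocked_downloads(open("artifactory-service.log").read())`; a sudden rise in the per-repository count is usually either a newly enforced policy or a client retrying a blocked dependency in a loop.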
B. Block Unscanned Artifacts: when this option is enabled, artifacts cannot be downloaded until they have been indexed and scanned by Xray.
For example, in the output below the download fails because the package has not yet been scanned.
% curl -u admin -XGET "http://artifactory.com/artifactory/test-block-unscanned-artifacts/log4j-core-2.17.2.jar"
{
  "errors": [{
    "status": 403,
    "message": "Artifact download request rejected: log4j-core-2.17.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts."
  }]
}
artifactory-service.log:
[jfrt] [ERROR] [3f5eddfe9ed3f267] [o.a.r.d.DbLocalRepo:247] [http-nio-8081-exec-1] - Artifact download request rejected: log4j-core-2.17.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
[jfrt] [WARN] [3f5eddfe9ed3f267] [o.a.r.ArtifactoryResponseBase:144] [http-nio-8081-exec-1] - Sending HTTP error code 403: Artifact download request rejected: log4j-core-2.17.2.jar was not downloaded due to the download blocking policy configured in Xray for test-block-unscanned-artifacts.
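Both scenarios come from the same two switches on a policy rule, and the 403 they produce is the same. The following script is an added example (not code from the original article or from JFrog) that builds a security policy whose single rule blocks downloads at or above a minimum severity (scenario A) and also blocks unscanned artifacts (scenario B), attaches it to a watch on the repository, and recognises the resulting 403 on the client side so a build can tell "blocked by Xray" apart from an ordinary permission denial. The endpoint paths, JSON field names and the `bin_mgr_id` value are taken from the Xray REST API v2 as the author remembers it and are assumptions to verify against your version's documentation; the repository must already be added to Xray's indexed resources, as the article says.

```python
"""Create an Xray block-download policy and watch, and detect the resulting 403 (added example)."""
from __future__ import annotations

import base64
import json
import urllib.request

SEVERITIES = ("Low", "Medium", "High", "Critical")  # the four grades named in the article


def build_block_download_policy(name: str, min_severity: str, block_unscanned: bool) -> dict:
    """Security policy with one rule. min_severity drives scenario A (block by
    severity), block_unscanned drives scenario B (block until scanned)."""
    if min_severity not in SEVERITIES:
        raise ValueError(f"min_severity must be one of {SEVERITIES}, got {min_severity!r}")
    return {
        "name": name,
        "type": "security",
        "description": f"Block downloads of artifacts with {min_severity} or higher severity",
        "rules": [{
            "name": f"{name}-rule",
            "priority": 1,
            "criteria": {"min_severity": min_severity},
            "actions": {
                # Assumed field names from the Xray v2 policies API.
                "block_download": {"active": True, "unscanned": block_unscanned},
                "fail_build": False,
            },
        }],
    }


def build_watch(name: str, repo: str, policy_name: str) -> dict:
    """Watch that applies the policy to one local repository.
    bin_mgr_id "default" is assumed to be the Artifactory instance id in Xray."""
    return {
        "general_data": {"name": name, "active": True},
        "project_resources": {"resources": [
            {"type": "repository", "bin_mgr_id": "default", "name": repo, "repo_type": "local"},
        ]},
        "assigned_policies": [{"name": policy_name, "type": "security"}],
    }


def apply_policy_and_watch(base_url: str, user: str, password: str,
                           policy: dict, watch: dict) -> list[int]:
    """Network call (not run by the test): POST the policy, then the watch that
    references it, and return the HTTP status of each request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    statuses = []
    for path, body in (("/xray/api/v2/policies", policy), ("/xray/api/v2/watches", watch)):
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            data=json.dumps(body).encode(),
            method="POST",
            headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        )
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses


def is_xray_download_block(status: int, body: str) -> bool:
    """True only for the 403 Artifactory returns when Xray blocks a download
    (the JSON shape shown in the article); a permission 403 returns False."""
    if status != 403:
        return False
    try:
        errors = json.loads(body).get("errors", [])
    except (ValueError, AttributeError):
        return False
    return any(
        "download blocking policy configured in Xray" in err.get("message", "")
        for err in errors if isinstance(err, dict)
    )


if __name__ == "__main__":
    policy = build_block_download_policy("block-high-and-unscanned", "High", True)
    watch = build_watch("watch-test-block-unscanned", "test-block-unscanned-artifacts", policy["name"])
    print(json.dumps(policy, indent=2))
    print(json.dumps(watch, indent=2))
    # apply_policy_and_watch("https://artifactory.example.com", "admin", "<password>", policy, watch)
```

In a CI wrapper, `is_xray_download_block` lets the job fail with "blocked by Xray policy in repo X" instead of a generic HTTP error, which is the same distinction the log lines above make on the server side.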
In addition, if you want to block or restrict the download of certain artifacts from remote or local repositories, you can also use the repository's include/exclude patterns to block specific artifacts. Note that patterns match on the artifact path, not on scan results, so they complement rather than replace an Xray policy. See the following articles for more information.
//m.si-fil.com/blog/include-and-exclude-patterns
//m.si-fil.com/knowledge-base/how-to-use-include-exclude-patterns
