XRAY: Updating an Xray Watch with History Scan
Let's say you've made a change to a watch in Xray, such as turning off a block downloads policy. However, despite this, nothing is being updated and artifacts continue to be blocked. What's going on? This behavior is due to the way that Xray scans and tracks artifacts in Artifactory. This can be corrected by applying updated policies and by rescanning the blocked artifacts.
If your build is blocked or you otherwise need to unblock artifacts quickly, tick the Allow downloads of blocked artifacts box under Artifactory's Admin > JFrog Xray menu in 6.X, and the Admin > JFrog Xray > General Settings menu in 7.X:
Applying Policies on Scanned Artifacts
When Xray scans an artifact for the first time, it recursively decompresses and calculates the checksums of the binary file. This process will find the components of that artifact (e.g., Xray can detect a JAR file inside of a ZIP binary). At the conclusion of the scan, the binary file's checksums are saved in Xray's database. The artifact only needs to be downloaded and scanned once during this process. More information is available HERE.
By itself, this process will not detect vulnerabilities or license issues. As there are many things you might want to look for when scanning a binary, JFrog has developed a system to efficiently determine what should be done with Xray scan results. It uses watches to track specific artifacts and allows actions to be applied to these tracked files through the creation of policies and rules. This takes place during the analysis phase of a scan, after a given binary has been indexed and persisted to the database. Typically, this is a once-and-done action (or after a database sync for new vulnerabilities) after a binary file is scanned. However, what if you need to change the results or unblock numerous files?
To apply a new watch or a new policy to existing content, you'll need to trigger a history scan. This is done by clicking the Apply on Existing Content button in Xray's Watches menu:
Triggering a history scan will cause Xray to do a deep dive into your database. As Xray has already scanned the items in the watched repository, it will need to search the database for a given artifact's checksum to see if a particular watch policy applies. As this is a database and system-intensive operation, you can't run a history scan on watches that use All Artifacts or All Builds resources. Doing so would force Xray to rescan an entire instance of Artifactory, which is inefficient and should be avoided.
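The same history scan can be scripted, which is useful when several watches need re-applying after a policy change. The script below is an added example and not part of the JFrog article: it assumes the Xray REST endpoint POST /api/v1/applyWatch with a watch_names/date_range body, and the host, token and watch name are placeholders. Bounding the request to a date range keeps the scan narrower than a whole-instance rescan.

```shell
#!/bin/sh
# Added example (not from the article): trigger the history scan behind
# "Apply on Existing Content" through Xray's REST API, for one watch and a
# bounded date range. Endpoint shape is assumed from Xray's REST API docs;
# XRAY_URL, XRAY_TOKEN and the watch name are placeholders.
XRAY_URL="${XRAY_URL:-https://xray.example.internal}"   # placeholder host
XRAY_TOKEN="${XRAY_TOKEN:-REPLACE_WITH_ACCESS_TOKEN}"   # placeholder token

# Build the request body. Returns 2 on an empty watch name or a range whose
# end is not after its start; ISO-8601 UTC timestamps compare as strings.
apply_watch_payload() {
  watch="$1"; start="$2"; end="$3"
  [ -n "$watch" ] || { echo "watch name required" >&2; return 2; }
  [ "$start" \< "$end" ] || { echo "start_date must precede end_date" >&2; return 2; }
  printf '{"watch_names":["%s"],"date_range":{"start_date":"%s","end_date":"%s"}}' \
    "$watch" "$start" "$end"
}

# Send the history-scan request; prints only the HTTP status code.
apply_watch() {
  body="$(apply_watch_payload "$@")" || return $?
  curl -sS -o /dev/null -w '%{http_code}' \
    -X POST "$XRAY_URL/api/v1/applyWatch" \
    -H "Authorization: Bearer $XRAY_TOKEN" \
    -H 'Content-Type: application/json' \
    -d "$body"
}

# Only contact the server when explicitly asked, so the file is safe to source.
if [ -n "${XRAY_APPLY_NOW:-}" ]; then
  # Constructed sample: watch name and range are placeholders.
  apply_watch "npm-prod-watch" "2024-01-01T00:00:00Z" "2024-07-01T00:00:00Z"
  echo
fi
```

Run it with XRAY_APPLY_NOW=1 once the placeholders are filled in; a 2xx status means Xray accepted the scan, which then runs asynchronously.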
A best practice is to avoid setting blocking policies on any of your All Artifacts/All Builds watches, as it's difficult to disable this functionality. Such watches should only be used to track violations using a generic, Generate Violation policy.
More information on the best way to execute your initial setup of Xray can be found HERE.
