Overview

Xray Watches are the focal point for viewing and managing your security and license violations in the JFrog Platform. Watches give you the flexibility to meet your specific security and violation requirements: you select the resources you want to scan for security vulnerabilities and license compliance, and you determine the actions to be taken once a violation is detected. For more information on how JFrog Xray processes watches and policies, see How Does Xray Scan Your Artifacts?

How Does Xray Process Policies on a Watch?

When scanning an artifact, Xray completes the following steps for each resource added to a Watch:

  1. Check existence: Xray checks whether the artifact exists in the resource.
  2. Check filters: Xray then checks whether the artifact matches all of the filters defined for that resource. An artifact that fails any one filter produces no violation for that resource.
  3. Process assigned policies: Xray processes each of the policies in the Watch independently. For each assigned policy, Xray performs the following steps:
    1. Processes the rules according to priority.
    2. Checks the criteria of the rule.
    3. If the criteria are met, Xray generates a violation, the automatic actions of that rule are executed and the policy is considered processed. The subsequent rules in the policy are not evaluated, so a policy raises at most one violation per artifact.
    4. If the criteria are not met, Xray continues to the next rule.
    5. If none of the rules apply, the policy is still considered processed, and Xray continues to the next policy if one exists.


Starting from Xray 3.21.2, the Watches configuration has been moved from the Application Module to the Administration Module in the JFrog Platform UI.

JFrog Cloud New Interface (Beta)

Go to Xray, and select Watches & Policies. To learn more, click here.

Creating a Watch

Prerequisite

Set up your policies prior to creating the Watch. For more information, see Creating Xray Policies and Rules.

Required permissions

To create a Watch, you need to have the Manage Watches global permission configured on the user or group.

Step 1 Configure General Watch Settings

  1. In the Administration module, select Watches & Policies and, from the Watches tab, click New Watch.

  2. In the Create New Watch page, set the general information on the Watch and assign Watch recipients.
    All Watch recipients receive email notifications when a policy assigned to the Watch, whose rule is configured to notify recipients, detects a violation.

    Starting from Xray 3.27.2 with Artifactory version 7.21.3 and above, if you are using Projects, you can create a Global Watch for Projects.


Step 2 Assign Resources to the Watch

Permissions Apply

You can only see resources in a Watch if they are indexed for scanning by Xray and you have "View" permission on the resource.

You can only add resources to a Watch, or remove them, if they are indexed for scanning by Xray and you have "Manage" permission on the resource.

The next step is to assign resources to the Watch. The resources are the set of repositories and builds in the connected Artifactory services that the Watch monitors. If you are using Projects, you can select Projects as a resource.

Managing resources for a Watch involves two steps:

  1. Specifying the repositories, builds, Release Bundles, and Projects to monitor.
  2. Applying filters to focus only on those artifacts within those repositories and builds that you are interested in.

To assign resources to a Watch:

  • In the Manage Resources section, open each resource type and select the resources to be monitored.
  • Select the resources to be included within each resource type. You have a number of options:

    - All resources within the resource type: set the Any Repository, Any Build, Any Bundle or Any Project checkbox to monitor all of the resources of that type that have been specified for indexing by Xray.
    Note that this setting also applies to new repositories and builds that are created after the Watch is defined.

    - Packages (repositories): set according to the Repo Path Include and Repo Path Exclude patterns.

    - Builds and Release Bundles: select By Name or By Pattern.

    - Projects: select By Name or By Pattern (project keys).

  • Move the resources you are interested in from the list of Available Resources on the left to the list of Selected Resources on the right, either by dragging them or by selecting them and using the arrow icons.

Scanning External Resources

From version 2.6, when scanning builds for supported package formats, external (transitive) dependencies that are not directly included in the build are also scanned and will trigger violations if they meet the criteria specified in a Watch. Currently, the supported package formats are Maven, NuGet, npm and Gradle. External dependencies are identified by their SHA-256 checksum.

Step 3 Set Filters on Repositories

The filters you define for a watch determine which artifacts in the repositories specified will generate violations and under what conditions. You can define any number of filters on each of the repositories specified for the watch, and it will only trigger a violation if an artifact meets the conditions of all of the filters defined for that resource.

Pass through ALL filters

You can define any number of filters for a resource, and only artifacts that pass through all of them will trigger a violation.

  1. To specify filters on repositories, select the Filters tab.
  2. Select the repository. The repository is displayed in the right column with a list of predefined filters.
  3. Select a filter from the Filter list to apply to the repository.
    In the following example, the filters trigger a violation only for artifacts in the docker-local repository that have the application/json mime type and whose "performance" property is set to "false".


The following content filters are available:

Name
  Description: A Name filter uses a regular expression to specify the name of an artifact. The watch will only trigger a violation if an artifact's name matches the expression.
  Example: a filter that specifies that the watch should only trigger a violation for rpm files.

Path
  Description: A Path filter uses a regular expression to specify the path of an artifact in the repository. The watch will only trigger a violation if an artifact's path matches the expression. Note that the filter does not consider the repository name to be a part of the path.
  Example: a filter that specifies that the watch should only trigger a violation for artifacts that have the string "jfrog" in their path.

Package Type
  Description: A Package Type filter specifies an artifact's package type. The watch will only trigger a violation if an artifact has the specified package type.

Mime Type
  Description: A Mime Type filter specifies an artifact's mime type. The watch will only trigger a violation if an artifact has the specified mime type.
  Example: a filter that specifies that the watch should trigger a violation for any artifact with an "application/json" mime type.

Property
  Description: A Property filter specifies a property annotating an artifact and its value. The watch will only trigger a violation if the artifact has the property and it has the specified value.
  Example: a filter that specifies that the watch should trigger a violation if an artifact has a property named "performance" with the value "false".

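The processing order described under "How Does Xray Process Policies on a Watch?" and the five content filters above, modelled in a short Python script. This is an added illustration, not JFrog's code or a JFrog API: it encodes only the documented behaviour (an artifact must exist in a watched resource and pass every filter on it; each assigned policy is processed independently; within a policy the first rule whose criteria are met raises a violation and later rules are skipped). The severity scale, license names, policy and rule names, and the artifacts themselves are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Severity ordering used by the example security rules (assumed for this
# example; Xray's own severity scale is not defined on this page).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

@dataclass
class Artifact:
    repo: str
    path: str             # path inside the repo; the repo name is NOT part of it
    package_type: str
    mime_type: str
    properties: dict
    max_severity: str     # highest severity found by the scan (constructed input)
    licenses: List[str]   # licenses found by the scan (constructed input)

    @property
    def name(self) -> str:
        return self.path.rsplit("/", 1)[-1]

# The five content filters described above; each returns a predicate on an Artifact.
def name_filter(pattern): return lambda a: re.search(pattern, a.name) is not None
def path_filter(pattern): return lambda a: re.search(pattern, a.path) is not None
def package_type_filter(pt): return lambda a: a.package_type == pt
def mime_type_filter(mt): return lambda a: a.mime_type == mt
def property_filter(key, value): return lambda a: a.properties.get(key) == value

@dataclass
class Resource:
    repo: str
    filters: List[Callable[[Artifact], bool]] = field(default_factory=list)

    def matches(self, a: Artifact) -> bool:
        # Step 1: the artifact must exist in the resource.
        # Step 2: it must pass ALL filters defined for that resource.
        return a.repo == self.repo and all(f(a) for f in self.filters)

@dataclass
class Rule:
    name: str
    criteria: Callable[[Artifact], bool]
    actions: List[str] = field(default_factory=list)

@dataclass
class Policy:
    name: str
    rules: List[Rule]  # listed in priority order

    def evaluate(self, a: Artifact) -> Optional[Tuple[str, str, List[str]]]:
        # Step 3: rules are processed by priority; the first rule whose criteria
        # are met produces a violation and ends processing of this policy.
        for rule in self.rules:
            if rule.criteria(a):
                return (self.name, rule.name, rule.actions)
        return None  # no rule applied: the policy is still considered processed

@dataclass
class Watch:
    name: str
    resources: List[Resource]
    policies: List[Policy]

    def evaluate(self, a: Artifact) -> List[Tuple[str, str, List[str]]]:
        if not any(r.matches(a) for r in self.resources):
            return []  # not in a watched resource, or filtered out: no violations
        # Each assigned policy is processed independently: at most one violation each.
        return [v for v in (p.evaluate(a) for p in self.policies) if v is not None]

def min_severity(level):
    return lambda a: SEVERITY_RANK[a.max_severity] >= SEVERITY_RANK[level]

def banned_license(*names):
    return lambda a: any(lic in names for lic in a.licenses)

def example_watch() -> Watch:
    # Mirrors the page's filter example: application/json artifacts in docker-local
    # whose "performance" property is "false". Policy and rule names are made up.
    security = Policy("sec-policy", [
        Rule("critical", min_severity("Critical"), ["fail_build", "block_download"]),
        Rule("high", min_severity("High"), ["notify"]),  # skipped once "critical" fires
    ])
    licenses = Policy("lic-policy", [
        Rule("copyleft", banned_license("GPL-3.0", "AGPL-3.0"), ["fail_build"]),
    ])
    docker_local = Resource("docker-local", [
        mime_type_filter("application/json"),
        property_filter("performance", "false"),
    ])
    return Watch("prod-watch", [docker_local], [security, licenses])

def demo() -> dict:
    w = example_watch()
    # Constructed artifacts, not real scan results.
    hit = Artifact("docker-local", "jfrog/app/manifest.json", "Docker",
                   "application/json", {"performance": "false"}, "Critical", ["GPL-3.0"])
    high_only = Artifact("docker-local", "jfrog/app/config.json", "Docker",
                         "application/json", {"performance": "false"}, "High", ["MIT"])
    wrong_prop = Artifact("docker-local", "jfrog/app/manifest.json", "Docker",
                          "application/json", {"performance": "true"}, "Critical", ["GPL-3.0"])
    other_repo = Artifact("libs-release-local", "jfrog/app/manifest.json", "Docker",
                          "application/json", {"performance": "false"}, "Critical", ["GPL-3.0"])
    return {k: w.evaluate(a) for k, a in [("hit", hit), ("high_only", high_only),
                                         ("wrong_prop", wrong_prop), ("other_repo", other_repo)]}

if __name__ == "__main__":
    for case, violations in demo().items():
        print(case, violations)
```

Two points the model makes visible: the "hit" artifact is Critical, so it also satisfies the "high" rule, yet only the higher-priority "critical" rule produces a violation for sec-policy, while lic-policy still raises its own violation because policies are processed independently; and changing a single filtered property ("performance" to "true") drops the artifact out of the Watch entirely, with no violations from any policy.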

Step 4 Assign Policies to a Watch

  1. To assign a policy to a Watch, click Manage Policies in the Assigned Policies section.
  2. From the list of Available Policies on the left, select the policies you want to apply to the Watch and drag them, or use the arrows, to move them to the list of Selected Policies on the right.
  3. Click Save to assign the policies to the Watch.

    Editing a Policy

    Edits made to a policy are automatically applied to all Watches the policy is assigned to. This takes effect only for newly scanned artifacts; to re-evaluate artifacts that are already in the system, you can manually apply the Watch on existing content (see Manually Activating a Watch below).


Editing a Watch

To edit a Watch, select it from the list of Watches and go to the Settings tab.


Manually Activating a Watch

Once a Watch is created, it scans artifacts in the specified resources when a scan-triggering event happens, and issues violations accordingly. However, until a scan-triggering event happens, artifacts already existing in the system are not evaluated by the Watch. To make sure a Watch is immediately applied to the relevant artifacts, you can invoke it manually by hovering over it and selecting Apply on Existing Content.

Not available for All Repositories or All Builds

You can only manually invoke a Watch on existing content if the Watch is defined on specific resources and not on All Repositories or All Builds.



Clicking the button opens a dialog that lets you specify which of the resources assigned to the Watch should be scanned, and a date range that restricts the run to artifacts last scanned by Xray within that range.

For example, selecting "Last 7 days" applies the Watch only to artifacts that Xray has scanned in the last 7 days.


Filtering Watches

Starting from Xray version 3.31.x, you can filter the Watches list in the Watches page to display only the Watches that are relevant to you. Click the Filter button in the top-right corner and use the filtering options to display the Watches or Watch data you want to see.

Copyright © 2023 JFrog Ltd.