add curation support for Maven and Pip #93

Merged
merged 9 commits into from
Apr 21, 2024
Changes from 6 commits
63 changes: 46 additions & 17 deletions jfrog-applications/jfrog-cli/cli-for-jfrog-curation.md
@@ -1,37 +1,64 @@
# CLI for JFrog Curation
# JFrog CLI curation-audit command (for JFrog Curation project audit)

## Overview

JFrog Curation enables you to block malicious or risky open-source packages entering your software supply chain. What can you do with Curation?
JFrog Curation defends your software supply chain, enabling early blocking of malicious or risky open-source packages before they even enter. Seamlessly identify harmful, vulnerable, or risky packages, ensuring increased security, compliance, and developer productivity.

* Track the open-source packages downloaded by your organization to gain centralized visibility and control.
* Prevent harmful packages from getting into your software development pipelines.
* Protect against known and unknown threats, allowing only trusted software packages into your SDLC.
* Create policies to block packages with known vulnerabilities, malicious code, operational risk, or license compliance issues.
For more information see: https://jfrog.com/curation/

For more information on JFrog Curation and how to set it up, see the JFrog Curation general documentation at https://jfrog.com/help.
"The 'curation-audit' is a JFrog CLI command designed for developers to scan their projects and identify third-party dependencies that violate the restrictions set by the Curation service. This command provides detailed insights into the specific package policies that are being violated, leading to their blockage by the Curation service. Additionally, when feasible, 'curation-audit' may suggest alternative versions of the packages that comply with the Curation policies."

JFrog Curation requires [Xray version 3.78.9](https://jfrog.com/help/r/jfrog-release-information/xray-3.78.9) and above, and [Artifactory version 7.63.5](https://jfrog.com/help/r/jfrog-release-information/artifactory-7.63) and above. It also requires Enterprise X and Enterprise + subscriptions.
## Supported package managers & build systems

For a full list of the package managers and build systems supported by the curation-audit command and the required Artifactory and Xray versions to use it please see: https://jfrog.com/help/r/jfrog-curation/jfrog-curation-support-matrix

curation-audit command supported package managers and build systems:
* Npm (npm)
* Maven (mvn) - Requires xray 3.92 and above, and Artifactory 7.82 and above
* Pip (pip) - Requires xray 3.92 and above, and Artifactory 7.82 and above
***

### Commands

Audit your Project with JFrog Curation
Audit your Project with JFrog CLI curation-audit command

### Setup:

Prerequisites:

Make sure your JFrog Artifactory admin configured the curated remote repository you are using during your build process. For more information refer your Artifactory admin to:
https://jfrog.com/help/r/jfrog-curation/configure-curation-pass-through

1. **Connect JFrog CLI to JFrog Platform**

**Note**
Connect the JFrog CLI to your JFrog Platform instance by running the following command:

> The **curation-audit** command currently only supports npm projects.
```
jf c add
```

The **jf curation-audit** command enables developers to scan project dependencies to find packages that were blocked by the JFrog curation service. This command provides developers with more detailed information, such as whether the blocked package is the project’s direct dependency or is a transitive dependency. This information helps developers to resolve blocked packages more efficiently as they will be able to make a more informative decision based on what Policy violation occurred and what exactly needs to be resolved.
- When prompted for the access token, use the token generated from Artifactory. For more details, refer to the [JFrog CLI documentation](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/configurations/jfrog-platform-configuration#adding-and-editing-configured-servers).

For each blocked package the CLI provides the violated Curation Policies. The command builds a deep dependencies graph for the project, and requests the Curation status by a HEAD request for each node in the tree. It uses the package manager that is used in the project to build the dependencies graph.
```
jf c show
```

Before running the command, do the following:
- It should present Artifactory server just added (with default true)
</br></br>
2. **Configure JFrog CLI for Project**</br>
Ensure your project is configured in the JFrog CLI with the repository you would like to resolve dependencies from. Here are details for each package manager:

1. Connect the JFrog CLI to your JFrog Platform instance by running the **jf c add** command.
2. Ensure your project is configured in the JFrog CLI with the repository you would like to resolve dependencies from. Set the repository with the **jf npmc** command inside the project directory.\
\
- **NPM:**

- Set the resolved repository using the [**jf npmc**](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration#setting-npm-repositories) command inside the project directory.

- **MAVEN:**

- Set the resolved repository using the [**jf mvnc**](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration#setting-maven-repositories) command inside the project directory.

- **PIP:**

- Set the resolved repository using the [**jf pipc**](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration#setting-python-repository) command inside the project directory (The only package installer supported for now by Python is "pip").

#### Commands Params

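Review bot: the restructuring drops prerequisites that the old text stated and the new text does not replace. The removed sentence "JFrog Curation requires Xray version 3.78.9 ... and Artifactory version 7.63.5 ... It also requires Enterprise X and Enterprise + subscriptions" is gone, while the new list gives minimum Xray/Artifactory versions only for Maven and Pip and none for npm, so a reader can no longer tell what npm needs or that a subscription tier is required; either keep that sentence under "Supported package managers & build systems" or state that the support matrix link is authoritative for all three. The same applies to the removed paragraph explaining that the command builds a deep dependency graph with the project's own package manager, checks each node with a HEAD request, and reports whether a blocked package is a direct or transitive dependency: it is the only description of what `curation-audit` actually does and should survive the rewrite. Smaller points in the same hunk: the new paragraph beginning "The 'curation-audit' is a JFrog CLI command" is wrapped in literal double quotes that will render verbatim; `</br>` is not valid HTML (use `<br>`); "xray 3.92" should be "Xray 3.92" to match the rest of the page; and "### Setup:" sitting under "### Commands" reads as a sub-step, so it should be one heading level deeper and without the trailing colon.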
Expand All @@ -43,6 +70,7 @@ Before running the command, do the following:
| --format | <p>[Default: table]<br><br>Defines the output format of the command. Acceptable values are: table and json.</p> |
| --working-dirs | <p>[Optional]<br><br>A comma separated list of relative working directories, to determine the audit targets locations.</p> |
| --threads | <p>[Default: 10]<br><br>The number of parallel threads used to determine the curation status for each package in the project tree.</p> |
| --requirements-file | <p>[Optional] [Pip]<br><br>Defines pip requirements file name. For example: 'requirements.txt'</p> |


#### Example 1
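Review bot: the new `--requirements-file` row says only "Defines pip requirements file name" and leaves open the two questions a user will have: whether the name is resolved relative to each `--working-dirs` entry or to the current directory, and what the command does for a Pip project when the flag is omitted (whether a default such as `requirements.txt` is assumed or another resolution method is used). Suggest rewording to `[Optional] [Pip] Name of the pip requirements file to resolve dependencies from. For example: 'requirements.txt'` and adding a sentence that answers both points.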
Expand All @@ -68,3 +96,4 @@ Audit the project in the current directory using 5 threads to check the packages
```
jf curation-audit --threads=5
```

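Review bot: this hunk only adds a trailing blank line after the Example 1 fence, which is harmless but unrelated to the change. Since the PR adds Maven and Pip support and a `--requirements-file` flag, this is the natural place for a second example, for instance `jf curation-audit --requirements-file=requirements.txt`, so the new flag is shown in use rather than only listed in the parameter table.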