Open niklaskotowski opened 9 months ago
Hi @Niklas-6804,
Mind giving us some more details about your use case? Could you let us know which tools you're using, describe the error you're encountering, and perhaps share a few screenshots?
Appreciate it!
Hi @yahavi,
First of all, this is not a bug, rather a question about how to include additional information in the build info.
I am using Gradle to deploy Maven artifacts. An example artifact is a zip consisting of cpp source files and dlls. The dlls have certain dependencies which are linked dynamically and thus not contained in it.
One example of this is OpenSSL, which is linked into a dll that is part of the zip but is not included itself. Is there any possibility to encode this in the build info and enable JFrog Xray to scan the given "dependencies" and attach found CVEs?
[artifact] is a .zip and contains {.cpp, .h, .dll, ...} [.dll] links to {openssl, boost, ...}
deploy [artifact] -----> "artifact is deployed to JFrog Artifactory" -----> "Xray reads build info and starts lookup for given libraries" -----> deployed [artifact + CVE report]
I am quite new in this field so excuse my ignorance. Thanks for taking your time to solve my issue.
Thanks for sharing your use case, @Niklas-6804. How do you create the build info? Are you using the JFrog CLI, Gradle Artifactory plugin, or Jenkins Artifactory plugin?...
I am using the Gradle Artifactory plugin, @yahavi.
@yahavi do you have any idea how I could solve my issue?
@Niklas-6804 You can give the JFrog CLI jf rt build-add-dependencies command a try by following these steps:
--uses-plugin flag set to true.
artifactoryPublish command with the "jf" prefix like this: jf gradle artifactoryPublish.
jf rt build-add-dependencies "*" as an example.
Feel free to let me know if you need any further clarification or assistance!
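The step sequence from the reply above as one script, added here as an example rather than code from the thread or from JFrog: every step is given the same build name and number, which is the linkage the following comment reports as missing. It assumes JFrog CLI v2 (jf) is installed and configured, that the Gradle project already applies the Gradle Artifactory plugin, and that a final jf rt build-publish is needed to push the locally collected build info (an assumption, not stated in the thread); the dll path pattern is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the issue thread. Runs the JFrog CLI steps with one
# shared build name/number so the artifact, the added dependencies and the
# published build info end up linked to the same build in Artifactory.
# Assumptions: `jf` (JFrog CLI v2) is installed and a server is configured;
# the project applies the Gradle Artifactory plugin itself (--uses-plugin);
# the final build-publish step is assumed, the thread does not show it.
set -eu

JF="${JF:-jf}"   # set JF=echo to dry-run and only print the command sequence

# Usage: publish_build <build-name> <build-number> <dependency-pattern>
publish_build() {
    name="$1"; number="$2"; pattern="$3"

    # 1. Tell the CLI that the project's Gradle Artifactory plugin handles
    #    resolution and deployment (the --uses-plugin flag from the reply).
    "$JF" gradle-config --uses-plugin=true

    # 2. Run the plugin's publish task through the CLI, under an explicit
    #    build name/number instead of auto-generated ones.
    "$JF" gradle artifactoryPublish --build-name="$name" --build-number="$number"

    # 3. Attach the dynamically linked libraries to the same build as
    #    dependencies (the reply uses "*"; a dll directory is used here).
    "$JF" rt build-add-dependencies "$name" "$number" "$pattern"

    # 4. Push the locally collected build info so Artifactory/Xray see the
    #    artifact and its added dependencies as one build (assumed step).
    "$JF" rt build-publish "$name" "$number"
}

# Run only when invoked with all three arguments, e.g.
#   ./publish_build.sh my-cpp-lib 42 'build/*.dll'   (constructed sample values)
if [ $# -eq 3 ]; then
    publish_build "$@"
fi
```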
Thanks @yahavi, that solved a few problems; however, somehow the local build info, the artifact, and the build info publication are not linked when published.
For steps 3-5, I set a build name and number explicitly to enforce a connection.
Is there anything I am missing?
tl;dr: After publishing, the JFrog Artifactory web UI shows a new build with empty build info and an empty published modules slot.
Any idea how I can fix this last step, @yahavi?
I have a zipped artifact consisting of cpp source files without any cpp package manager, thus Xray is not able to identify any libraries inside it.
However, I know precisely which libraries are linked into the source code and their versions. Can I somehow include library and version info in the build info? And instruct Xray to compare the given info with an underlying CVE database, independent of the files in the artifact?