JFrog
Published On Nov 05, 2024 - 1:34 PM

DevOps Intelligence supports your use of JFrog Artifactory, JFrog Security Essentials (Xray), and JFrog OSS. This page describes the configuration requirements for the JFrog suite.
To pull data from any JFrog tool, DevOps Intelligence needs a connection to the JFrog portal. The following items are prerequisites:
Access Rights: Your connection must have access to generate a report on the JFrog portal.
DevOps Intelligence requires the following information:
  • Connection Name: Local connection name. It can be any string and is used only for reference.
  • HostURL: JFrog Artifactory host URL, e.g. https://testKyndryl.jfrog.io
  • Token: The token ID can be produced via the JFrog portal by following these steps: select the user's Email ID, select Edit Profile, and then choose Generate an Identity Token.
The identity token requires the permissions highlighted in the image below. To assign these, navigate to the JFrog portal, select the Email ID located in the upper right corner, and proceed to Create user.
To set up a new connection, go to Admin, followed by IAM, and then choose Connections. Select the ' button and select the Add Connection option.

Configuration

As a user, you will need to select the Connection, Repository, and Release format (for example: release-YYYY.MM.DD) that you want to track through DevOps Intelligence.
Vulnerabilities & Artifacts data will not be pulled for Repositories that have not been configured for X-Ray scan at the JFrog server.
After successfully configuring, you can view your settings in the table on the configuration page.

Sync details

Understanding the dynamics of data pulling, how X-Ray Scan Repositories work, identifying ReleaseName, and the method of Technical Service Identification are crucial to make your system perform seamlessly. Here, you'll find the explanation divided into four sections, each outlining a different aspect:
  • JFrog Artifactory: Only pulls Docker type data. This information can be viewed on both the Secure dashboard → Container Vulnerability Scan, and Build dashboard → Image Manager.
  • X-Ray Scan Repositories: Repositories enabled for X-Ray scanning will synchronize. If a service config is created for Repo1, but Repo1 is not set up for X-Ray Scan, then the entity data for that repo would not sync. This missing data would not appear on the Image Manager & Container Vulnerability Scan page.
  • ReleaseName Identification: This is determined by the format chosen on the service config page. If the format does not correspond to the release name, an unknown release name will be labeled. Artifacts with the "latest" version will be tagged as the main release. Artifacts with "latest-" & "master-" versions will be tagged as the latest release.
  • Technical Service Identification: This is determined using the repo sub-path. For instance, for the repo name 'ibmcb-docker-local,' the technical service would be 'ibmcb-docker-local/dash/bitbucket.' Please refer to the image below for better understanding.
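The ReleaseName Identification rules above can be checked against your own image tags before you save a service config. The following is an added example, not DevOps Intelligence or JFrog code; it assumes that YYYY, MM and DD stand for fixed-width digits, that the "latest" and "master-" rules take precedence over the format, and that a tag matching the format becomes its own release name.

```python
import re

# Placeholder tokens in a release format and the digits they stand for
# (assumption: YYYY/MM/DD are fixed-width numeric date fields).
_TOKENS = {"YYYY": r"\d{4}", "MM": r"\d{2}", "DD": r"\d{2}"}


def format_to_regex(release_format):
    """Compile a format such as 'release-YYYY.MM.DD' into a regex.

    Literal characters (including '.') are escaped so they match only
    themselves; only the date placeholders become digit classes.
    """
    parts = re.split("(YYYY|MM|DD)", release_format)
    pattern = "".join(_TOKENS.get(p, re.escape(p)) for p in parts)
    return re.compile(pattern)


def release_name(version, release_format):
    """Return the release label for one artifact version (tag)."""
    if version == "latest":
        return "main"
    if version.startswith(("latest-", "master-")):
        return "latest"
    if format_to_regex(release_format).fullmatch(version):
        return version  # assumption: a matching tag is its own release name
    return "unknown"


def unknown_tags(versions, release_format):
    """List the tags that would end up under the 'unknown' release."""
    return [v for v in versions if release_name(v, release_format) == "unknown"]


if __name__ == "__main__":
    # Constructed sample tags, not taken from a real repository.
    tags = ["latest", "latest-42", "master-9f3c", "release-2024.11.05",
            "release-2024.11.5", "release-2024x11x05", "v1.2.3"]
    for t in tags:
        print(f"{t:22} -> {release_name(t, 'release-YYYY.MM.DD')}")
```

Tags reported by `unknown_tags` are the ones whose vulnerability data would not be attributed to a named release under the chosen format.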
During the sync process, DevOps Intelligence performs several tasks related to JFrog reports. Notably, it creates reports on the JFrog side and deletes them after processing. Do not delete these reports from the endpoint yourself. When integrating JFrog data with DevOps Intelligence, using it on a single tenant is recommended, because JFrog limits the number of report generation requests.
Sync may sometimes fail due to these restrictions at the JFrog endpoint, especially if the number of report generation requests exceeds the limit. If you encounter a sync failure caused by report limitation errors, the suggested resolution is to delete old/user-created reports. Remember these tips to ensure seamless and effective use of the DevOps Intelligence tool.