Add dependencies to build info #761

Open
niklaskotowski opened this issue Sep 28, 2023 · 8 comments
Labels
question Further information is requested

Comments

@niklaskotowski

I have a zipped artifact consisting of C++ source files without any C++ package manager, so Xray is not able to identify any libraries inside it.

However, I know precisely which libraries are linked into the source code and their versions.
Can I somehow include library and version information in the build info? And instruct Xray to compare the given information with an underlying CVE database independent of the files in the artifact?

niklaskotowski added the question (Further information is requested) label on Sep 28, 2023
@yahavi
Member

yahavi commented Sep 29, 2023

Hi @Niklas-6804,

Mind giving us some more details about your use case? Could you let us know which tools you're using, describe the error you're encountering, and perhaps share a few screenshots?

Appreciate it!

@niklaskotowski
Author

Hi @yahavi,

First of all, this is not a bug but rather a question about how to include additional information in the build info.

I am using Gradle to deploy Maven artifacts. An example artifact is a zip consisting of C++ source files and DLLs.
The DLLs have certain dependencies which are linked dynamically and thus not contained in it.

One example of this is OpenSSL, which is linked into a DLL that is part of the zip but is not itself included.
Is there any possibility to encode this in the build info and enable JFrog Xray to scan the given "dependencies" and attach the CVEs it finds?

[artifact] is a .zip and contains {.cpp, .h, .dll, ...}
[.dll] links to {openssl, boost, ...}

deploy [artifact] -----> "artifact is deployed to JFrog Artifactory"
-----> "Xray reads the build info and starts a lookup for the given libraries"
-----> deployed [artifact + CVE report]

I am quite new to this field, so excuse my ignorance.
Thanks for taking the time to solve my issue.

@yahavi
Member

yahavi commented Sep 29, 2023

Thanks for sharing your use case, @Niklas-6804.
How do you create the build info? Are you using the JFrog CLI, Gradle Artifactory plugin, or Jenkins Artifactory plugin?...

@niklaskotowski
Author

niklaskotowski commented Sep 29, 2023

I am using the Gradle Artifactory plugin, @yahavi.

@niklaskotowski
Author

@yahavi do you have any idea how I could solve my issue?

@yahavi
Member

yahavi commented Oct 9, 2023

@Niklas-6804
You can give the JFrog CLI `jf rt build-add-dependencies` command a try by following these steps:

  1. Configure the Gradle project by running `jf gradle-config` with the `--uses-plugin` flag set to `true`.
  2. Make sure to set the environment variables `JFROG_CLI_BUILD_NAME` and `JFROG_CLI_BUILD_NUMBER` to some values.
  3. Execute the `artifactoryPublish` task with the `jf` prefix, like this: `jf gradle artifactoryPublish`.
  4. Use the `jf rt build-add-dependencies` command. For instance, you can run `jf rt build-add-dependencies "*"` as an example.
  5. Finally, publish the build information using the command `jf rt build-publish`.

Feel free to let me know if you need any further clarification or assistance!
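The steps above end with a build-info document being published. To make concrete what that document has to carry for the scenario in this thread (a zipped C++ artifact whose DLLs link against libraries that are not inside the zip), here is an added example that assembles such a document by hand. It is not code from this issue or from JFrog. It follows the build-info JSON layout (top-level `name`, `number`, `started`, and `modules[]` each with `artifacts[]` and `dependencies[]`); the zip contents, the module id `com.example:cppbundle:1.0.0`, and the dependency ids `openssl:openssl:3.0.11`, `boost:boost:1.83.0` and `zlib:zlib:1.3` are constructed for illustration and not taken from the issue.

```python
"""Assemble a JFrog build-info document that lists the dynamically linked
libraries of a zipped C++ artifact as module dependencies.

Added example, not code from the issue or from JFrog. The JSON layout follows
the build-info schema (name/number/started, modules[] with artifacts[] and
dependencies[]). Zip contents, module id and dependency ids are constructed.
"""
import hashlib
import io
import json
import zipfile
from datetime import datetime, timezone
from typing import Optional


def checksums(data: bytes) -> dict:
    """Checksum trio that build-info records for artifacts and dependencies."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def make_sample_zip() -> bytes:
    """Constructed stand-in for the deployed artifact (not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("src/main.cpp", "int main() { return 0; }\n")
        zf.writestr("include/api.h", "#pragma once\n")
        zf.writestr("bin/api.dll", b"MZ\x90\x00" + b"\x00" * 60)  # fake PE stub
    return buf.getvalue()


def dependency(dep_id: str, dep_type: str, data: Optional[bytes] = None,
               scopes=("runtime",)) -> dict:
    """One dependencies[] entry.

    Checksums are added only when the actual library binary is available.
    An entry carrying just a name and version gives the scanner less to match
    on, so record the real file's checksums whenever you have the binary.
    """
    entry = {"id": dep_id, "type": dep_type, "scopes": list(scopes)}
    if data is not None:
        entry.update(checksums(data))
    return entry


def build_info(name: str, number: str, module_id: str, artifact_name: str,
               artifact_bytes: bytes, dependencies: list) -> dict:
    """Build the top-level document with a single generic module."""
    started = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000+0000")
    artifact = {"type": "zip", "name": artifact_name}
    artifact.update(checksums(artifact_bytes))
    return {
        "version": "1.0.1",  # build-info schema version
        "name": name,
        "number": number,
        "started": started,
        "modules": [{
            "id": module_id,
            "type": "generic",
            "artifacts": [artifact],
            "dependencies": dependencies,
        }],
    }


def example_document() -> dict:
    """The thread's scenario: versions known from the build, binaries absent."""
    zip_bytes = make_sample_zip()
    deps = [
        # Linked dynamically; the binaries are not shipped in the zip.
        dependency("openssl:openssl:3.0.11", "dll"),
        dependency("boost:boost:1.83.0", "dll"),
        # A library whose binary is at hand (constructed bytes): checksums too.
        dependency("zlib:zlib:1.3", "dll", data=b"MZ\x90\x00 constructed zlib1.dll"),
    ]
    return build_info("cpp-bundle", "42", "com.example:cppbundle:1.0.0",
                      "cppbundle-1.0.0.zip", zip_bytes, deps)


if __name__ == "__main__":
    # This JSON is the shape a build-publish step sends; it can also be
    # uploaded directly with Artifactory's REST API (PUT /api/build).
    print(json.dumps(example_document(), indent=2))
```

The design point is the split inside `example_document()`: entries with only an id record what the build knows (name and version), while entries for binaries you actually have also carry checksums, which is what `jf rt build-add-dependencies` computes for local files. Whether a scanner can attach CVEs to an id-only entry depends on it recognizing that id, so the safer path is to supply the real library files where possible.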

@niklaskotowski
Author

niklaskotowski commented Oct 11, 2023

Thanks @yahavi,
That solved a few problems; however, somehow the local build info, the artifact, and the build-info publication are not linked when published.

For steps 3-5, I set a build name and number explicitly to enforce a connection.

Is there anything I am missing?

tl;dr: After publishing, the JFrog Artifactory web UI shows a new build with empty build info and an empty published modules slot.

@niklaskotowski
Author

Any idea how I can fix this last step, @yahavi?
