Overview
Proxy settings are relevant for requests for WhiteSource servers only. Proxy for remote repository requests is not supported.
This topic describes how the JFrog Artifactory plugin integrates with WhiteSource. The plugin adds additional information to the Artifactory artifacts and updates WhiteSource. Once invoked, all the artifacts' metadata on the Artifactory will be uploaded to the WhiteSource inventory.
The Artifactory instance is mapped to a WhiteSource product.
Artifactory repositories will be mapped to WhiteSource projects.
Policies will be enforced and policy details will be added to the artifacts property tab: WSS-Action (Approve/Reject) and WSS-Policy-Details.
Additional data for each artifact will be added to the property tab: WSS-Licenses, WSS-Description, WSS-Homepage and WSS-Vulnerabilities.
The plugin is licensed under the Apache 2.0 license.
NOTES
The WhiteSource inventory will be updated only when using a cron-based job, if the updateWss property is set to true.
Artifactory editions not supported by the Groovy-based User Plugins are not supported by WhiteSource.
Scanning of Docker repositories is not supported.
Scanning of virtual repositories is not supported.
The recommended integration method for the JFrog Artifactory is using the Unified Agent.
Updates in Artifactory: The plugin updates Artifactory repositories with no more than 10,000 artifacts.
Updates in WhiteSource: The plugin updates WhiteSource with repositories with no more than 2,000 artifacts.
How the Artifactory Plugin Works
The Artifactory plugin works in the following modes:
Cron-based job: When invoked, repository artifacts will be updated in WhiteSource and additional data will be added to the property tab of each artifact.
After create: In this mode, when a new artifact is uploaded to Artifactory, WhiteSource policies are triggered and additional data is added to the property tab of the artifact. This mode is controlled by the triggerAfterCreate property.
Before download: In this mode, only WhiteSource policy-approved artifacts will be downloaded from remote or local repositories. This mode is controlled by the triggerBeforeDownload (for downloading from local repositories) and triggerBeforeRemoteDownload (for downloading from remote repositories) properties.
Downloading the Plugin
Latest Plugin Version | File | Features | Release Date | MD5 |
---|---|---|---|---|
21.12.1 | | | 2021-12-26 | FD435A4B3C7D2EAC3D07DC5FA6774789 |
Previous Plugin Versions
Installing the Plugin
NOTE: For details on how to migrate from a previous version of the Artifactory Plugin earlier than 21.12.1, see Migrating the Artifactory Plugin.
Artifactory Version <= 6.x
Download the zip file and extract it.
Replace the whitesource-artifactory-plugin.properties and whitesource-artifactory-plugin.groovy files under ${ARTIFACTORY_HOME}/etc/plugins.
Create a new lib folder under ${ARTIFACTORY_HOME}/etc/plugins.
Place the new whitesource-artifactory-plugin-VERSION.jar file in the plugins/lib directory.
Update the whitesource-artifactory-plugin.properties file with the appropriate parameters (see Cron Scheduling Example and General Parameters).
Schedule the cron job in the whitesource-artifactory-plugin.groovy file (see Cron Scheduling Example).
Restart Artifactory.
Artifactory Version >= 7.x
Download the zip file and extract it.
Replace the whitesource-artifactory-plugin.properties and whitesource-artifactory-plugin.groovy files under ${ARTIFACTORY_HOME}/var/etc/artifactory/plugins.
Create a new lib folder under ${ARTIFACTORY_HOME}/var/etc/artifactory/plugins.
Place the new whitesource-artifactory-plugin-VERSION.jar file in the plugins/lib directory.
Update the whitesource-artifactory-plugin.properties file with the appropriate parameters (see Cron Scheduling Example and General Parameters).
Schedule the cron job in the whitesource-artifactory-plugin.groovy file (see Cron Scheduling Example).
Restart Artifactory.
Configuring the Plugin
Properties File Example
```
// whitesource-artifactory-plugin properties file

wssUrl=""
// wssUrl="http://localhost:8080/agent"

// Organization Token:
apiKey="<your WSS api key>"

// UserKey Token: Unique identifier of user, can be generated from the profile page in your whitesource account.
//userKey="<your WSS user key>"

// Product Name - represents Artifactory instance, Artifactory repository represents project
// In order to map repository to a product in WhiteSource mark this field as comment
productName="<your Artifactory representing name>"

// Check Policies. will check only delta between WSS and current files
checkPolicies=false

// check all files all the time. if true then checkPolicies must also be true
forceCheckAllDependencies=false

// update WSS
updateWss=false

// update WSS regardless of the check policies result
forceUpdate=false

// Names of the repositories in the Artifactory to scan
repoKeys=["repo1","repo2","repo3"]

// Proxy Settings
useProxy=false
//proxyHost="127.0.0.1"
//proxyPort=3128
//proxyUser=""
//proxyPass=""

// The type of files that will be extracted and their content will be checked
archiveIncludes = ["war", "ear", "zip"]
// archiveExtractionDepth=2

// Once the archive was extracted, which files within it should be checked
includesRepositoryContent=["m", "mm", "js", "php", "jar", "zip"]

// Whether to run beforeDownload/beforeRemoteDownload/afterCreate methods (defaults to true)
//triggerBeforeDownload=false
//triggerBeforeRemoteDownload=false
//triggerAfterCreate=false
```
General Parameters
Attribute | Type | Description | Required | Additional Information |
---|---|---|---|---|
wssUrl | String | URL for sending the request. Use the 'WhiteSource Server URL', which can be retrieved from your Profile page on the 'Server URLs' panel. Then, add the '/agent' path to it. For example: "https://saas.whitesourcesoftware.com/agent". | No. | |
apiKey | String | Unique identifier of the organization. This can be retrieved from the Integration page in your WhiteSource account. | Yes | |
userKey | String | Unique identifier of the user. This can be generated from the Profile page in your WhiteSource account. | Yes | Supported since version 18.5.1 |
productName | String | Represents the Artifactory instance and product in WhiteSource. Comment this field to map the repository to the product in WhiteSource (project will also represent the repository). | No | |
checkPolicies | Boolean | Whether or not to send the check policies request to WhiteSource. | No | |
forceCheckAllDependencies | Boolean | Used only if | No | Supported since version 1.0.3 |
updateWss | Boolean | Whether or not to send an update to WhiteSource. | Yes | Supported since version 1.0.6 |
forceUpdate | Boolean | Whether or not to update the organization inventory regardless of policy violations. | No. The default value is false. | Supported since version 1.0.3 |
repoKeys | Array | The list of the repositories to scan. | Yes | |
useProxy | Boolean | Whether or not to use proxy settings. | Yes | |
proxyHost | String | Proxy host URL. | No | |
proxyPort | Integer | Proxy port. | No | |
proxyUser | String | Proxy user name if it exists. | No | |
proxyPass | String | Proxy password if it exists. | No | |
archiveIncludes | String | Comma separated list specifying the types of files that will be extracted. | No. | Supported since version 1.0.3 |
archiveExtractionDepth | String | Drill down hierarchy level in archive files. | No, the default value is 2. | Supported since version 19.4.2 |
includesRepositoryContent | String | Comma separated list specifying which files to include in the scan once the archive is extracted according to the parameters in: archiveIncludes | No | Required since version 1.0.3 |
triggerBeforeDownload | Boolean | Whether or not to trigger the downloading of WhiteSource policy-approved artifacts from local repositories. | No, the default value is true. | Supported since version 18.10.3 |
triggerBeforeRemoteDownload | Boolean | Whether or not to trigger the downloading of WhiteSource policy-approved artifacts from remote repositories. | No, the default value is true. | Supported since version 21.12.1 |
triggerAfterCreate | Boolean | Whether or not to trigger the After create mode: when a new artifact is uploaded to Artifactory, WhiteSource policies are triggered and additional data is added to the property tab of the artifact. | No, the default value is true. | Supported since version 18.10.3 |
The extraction depth of the Artifactory Plugin for archived files is currently set to the first level. The Unified Agent has an extraction depth of up to seven levels.
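A pre-deployment check for the properties file, as an added example that is not part of the WhiteSource plugin: it parses the flat key=value lines shown in the Properties File Example and reports settings that contradict the General Parameters table. The function names and the sample configuration are constructed for illustration, and the parser handles only the syntax shown on this page, not general Groovy.

```python
import ast
import re

# Marked "Required: Yes" in the General Parameters table.
REQUIRED = ["apiKey", "userKey", "updateWss", "repoKeys", "useProxy"]
# Policy hooks; the table says each defaults to true when unset.
TRIGGERS = ["triggerBeforeDownload", "triggerBeforeRemoteDownload", "triggerAfterCreate"]

def parse_properties(text):
    """Parse flat key=value lines into a dict (hypothetical helper)."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if m:  # blank lines and // comment lines do not match
            key, raw = m.groups()
            props[key] = raw == "true" if raw in ("true", "false") else ast.literal_eval(raw)
    return props

def lint(props):
    """Return findings for the rules documented on this page."""
    findings = []
    for key in REQUIRED:
        value = props.get(key)
        if value in (None, "", []) or str(value).startswith("<your"):
            findings.append(f"{key}: required, but missing or still a placeholder")
    if props.get("forceCheckAllDependencies") and not props.get("checkPolicies"):
        findings.append("forceCheckAllDependencies=true needs checkPolicies=true")
    url = props.get("wssUrl", "")
    if url and not url.rstrip("/").endswith("/agent"):
        findings.append("wssUrl: the /agent path is missing")
    for key in TRIGGERS:
        if props.get(key, True) is False:
            findings.append(f"{key}=false: this policy hook will not run")
    return findings

SAMPLE = """// constructed sample, not a real configuration
wssUrl="https://saas.whitesourcesoftware.com"
apiKey="<your WSS api key>"
forceCheckAllDependencies=true
updateWss=true
repoKeys=["repo1"]
useProxy=false
triggerBeforeRemoteDownload=false
"""

if __name__ == "__main__":
    print("\n".join(lint(parse_properties(SAMPLE))))
```

Running this against the real properties file before restarting Artifactory surfaces a disabled download hook or a leftover placeholder key, either of which would otherwise leave policy enforcement silently inactive.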
Cron Scheduling Example
This example demonstrates how to configure a schedule for scanning the Artifactory repositories.
Open the whitesource-artifactory-plugin.groovy file in a text editor.
To configure the interval at which the Artifactory repositories are scanned, modify the def scanRepositoriesCron = "0 0 0 * * ?" string in the plugin groovy file.
```groovy
/**
 * scanRepositoriesCron (java.lang.String) - A valid cron expression used to schedule job runs.
 * Modify this parameter to configure the desired schedule to scan your artifactory repositories.
 * See README.md for examples.
 */
def scanRepositoriesCron = "0 0 0 * * ?"

jobs {
    scanRepositories(cron: scanRepositoriesCron) {
        pluginAgent.runRepositoriesScan()
    }
}
```
scanRepositoriesCron parameters (from left to right):
1 - Seconds, 2 - Minutes, 3 - Hours, 4 - Day-of-Month, 5 - Month, 6 - Day-of-Week, 7 - Year (optional field).
Examples:
"0 42 10 * * ?" - Build a trigger that will fire daily at 10:42 am.
"0 0/2 8-17 * * ?" - Build a trigger that will fire every other minute, between 8am and 5pm, every day.
For more details, see Cron expression.
Plugin Log Levels
The default log level for the plugin is "warn". To change the plugin log level, add the following to ${ARTIFACTORY_HOME}/etc/logback.xml:

```xml
<logger name="whitesource-artifactory-plugin">
    <level value="info"/>
</logger>
```