
Batel Zohar

Securing your software releases with the JFrog Platform

Continuing from my previous blog post about distributing software releases, there is an additional (just as important) security consideration that you need to take into account.

As you may already know, JFrog Xray is the platform's security and compliance service. It integrates with Artifactory and with the CI/CD service to scan artifacts and builds for license and security compliance.

Let’s start with licenses. One of the most important responsibilities of an open-source program is to ensure that your organization meets its legal obligations when integrating open source code with proprietary and third-party source code in your products. But we also want to make sure that our releases don’t ship with known security vulnerabilities, so we can create security policies as well, as in the following screenshot:

[Screenshot: policy]

Let’s explain a bit more about security and license policies. A security policy rule uses one of two criteria:

Minimal severity - Triggers a violation when an artifact or build contains a vulnerability whose severity, as recorded in the JFrog vulnerabilities database, is at the selected level or higher.

CVSS score - Triggers a violation when a vulnerability’s CVSS score falls within the range selected for the rule. CVSS scores run from 0 to 10, so a rule such as 7 to 10 catches High and Critical findings regardless of how the vendor labelled them.

A license policy is defined differently, with the following rules:

Allowed Licenses - Creates a whitelist of OSS licenses that may be attached to a component; a component carrying any other license is a violation.

Banned Licenses - Creates a blacklist of OSS licenses that may not be attached to a component.

Disallow Unknown License (optional) - Specifies the behavior for components whose license cannot be determined. When this option is enabled, a component with an unknown license triggers a violation; when it is left off, such components pass the license check silently, which is worth keeping in mind before trusting a clean license scan of a release.
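The same security and license rules can be defined as code and pushed to Xray instead of clicked through the UI, which makes them reviewable and reproducible across environments. The following is an added example, not code from the post or from JFrog: it assumes the JSON body of the Xray REST API v2 create-policy endpoint (POST /xray/api/v2/policies) as documented by JFrog, and the policy names, rule names, license lists, the `create_policy` helper and the URL/token placeholders are illustrative assumptions. The validation it performs (exactly one criterion per rule, a CVSS range inside 0 to 10, unique rule priorities) is the part the UI does for you and that policy-as-code has to do itself.

```python
"""Added example: define Xray security and license policies as code.

Not the post's code or JFrog tooling. Assumes the Xray REST API v2 create-policy
JSON schema (POST /xray/api/v2/policies); URL and token values are placeholders.
"""
import json
import urllib.request

SEVERITIES = ("Low", "Medium", "High", "Critical")
POLICY_TYPES = ("security", "license")


def valid_cvss_range(low, high):
    """CVSS scores run from 0 to 10, and the range must not be inverted."""
    return 0 <= low <= high <= 10


def actions(fail_build=True, block_distribution=True, block_download=False):
    """Enforcement actions taken on a violation; field names follow the Xray v2 schema."""
    return {
        "fail_build": fail_build,
        "block_release_bundle_distribution": block_distribution,
        "block_download": {"active": block_download, "unscanned": False},
        "notify_watch_recipients": True,
    }


def security_rule(name, priority, min_severity=None, cvss_range=None, **action_kw):
    """A security rule uses exactly one criterion: minimal severity or a CVSS range."""
    if (min_severity is None) == (cvss_range is None):
        raise ValueError("choose exactly one of min_severity or cvss_range")
    if min_severity is not None:
        if min_severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {SEVERITIES}")
        criteria = {"min_severity": min_severity}
    else:
        low, high = cvss_range
        if not valid_cvss_range(low, high):
            raise ValueError("CVSS range must satisfy 0 <= from <= to <= 10")
        criteria = {"cvss_range": {"from": low, "to": high}}
    return {"name": name, "priority": priority, "criteria": criteria,
            "actions": actions(**action_kw)}


def license_rule(name, priority, allowed=None, banned=None, allow_unknown=False, **action_kw):
    """A license rule is either an allow list or a ban list, never both.

    allow_unknown=False is the 'Disallow Unknown License' switch: components whose
    license cannot be determined then raise a violation instead of passing silently.
    """
    if (allowed is None) == (banned is None):
        raise ValueError("choose exactly one of allowed or banned")
    criteria = {"allow_unknown": allow_unknown}
    if allowed is not None:
        criteria["allowed_licenses"] = sorted(set(allowed))
    else:
        criteria["banned_licenses"] = sorted(set(banned))
    return {"name": name, "priority": priority, "criteria": criteria,
            "actions": actions(**action_kw)}


def policy(name, policy_type, rules, description=""):
    """Assemble a policy; Xray evaluates rules by priority, so priorities must be unique."""
    if policy_type not in POLICY_TYPES:
        raise ValueError(f"type must be one of {POLICY_TYPES}")
    priorities = [rule["priority"] for rule in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique within a policy")
    return {"name": name, "type": policy_type, "description": description, "rules": rules}


def create_policy(xray_url, token, body):
    """POST the policy to Xray. Network call with placeholder values; not run here."""
    request = urllib.request.Request(
        f"{xray_url.rstrip('/')}/xray/api/v2/policies",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(request) as response:
        return response.status


def release_policies():
    """Two constructed sample policies: block distribution on Critical findings,
    fail the build from CVSS 7 upward, and allow only a permissive license list."""
    security = policy("release-security", "security", [
        security_rule("critical-blocks-distribution", 1, min_severity="Critical"),
        security_rule("high-cvss-fails-build", 2, cvss_range=(7.0, 10.0),
                      block_distribution=False),
    ])
    licenses = policy("release-licenses", "license", [
        license_rule("permissive-only", 1,
                     allowed=["MIT", "Apache-2.0", "BSD-3-Clause"],  # constructed sample list
                     allow_unknown=False),
    ])
    return security, licenses


if __name__ == "__main__":
    for body in release_policies():
        print(json.dumps(body, indent=2))
    # create_policy("https://example.jfrog.io", "<access-token>", release_policies()[0])
```

Creating the policy is only half of the setup: in Xray a policy is enforced through a watch that binds it to indexed resources, so the body above does nothing until a watch points it at the release bundle, builds or repositories you want covered. The `block_release_bundle_distribution` action is the one that matters for the release-bundle use case, since it stops a bundle with a violation from being distributed at all.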

Now that we have created a policy, let’s add our release bundle to Xray’s indexed resources, as in the following screenshot. This step is not optional: Xray only scans, and only enforces policies on, resources that it has indexed.

[Screenshot: indexed resources]

That's it, we are good to go. The policy can now be applied to the release bundle (in Xray, a policy is attached to indexed resources through a watch), and any security or license violation will surface before the binaries are distributed :)
