## About this Extension

The cost of remediating a vulnerability is akin to the cost of fixing a bug. The earlier you remediate a vulnerability in the release cycle, the lower the cost. The extension allows developers to find and fix security vulnerabilities in their projects and to see valuable information about the status of their code by continuously scanning it locally with the JFrog Platform.

### What security capabilities do we provide?

#### 🌟 Basic

**Software Composition Analysis (SCA)**

Scans your project dependencies for security issues and shows you which dependencies are vulnerable. If the vulnerabilities have a fix, you can upgrade to the version with the fix in a click of a button.

**CVE Research and Enrichment**

For selected security issues, get leverage-enhanced CVE data that is provided by our JFrog Security Research team. Prioritize the CVEs based on:
You can learn more about enriched CVEs here. Check out what our research team is up to and stay updated on newly discovered issues by clicking on this link: https://research.jfrog.com

#### 🌟 Advanced

Requires Xray version 3.66.5 or above and an Enterprise X / Enterprise+ subscription with Advanced DevSecOps.

**Vulnerability Contextual Analysis**

Uses the code context to eliminate false positive reports on vulnerable dependencies that are not applicable to the code. Vulnerability Contextual Analysis is currently supported for Python, Java and JavaScript code.

**Secrets Detection**

Prevents the exposure of keys or credentials that are stored in your source code.

**Infrastructure as Code (IaC) Scan**

Secures your IaC files. Critical to keeping your cloud deployment safe and secure.

#### 🌟 Additional Perks
The extension also applies the JFrog File Spec JSON schema on the following file patterns:

### 🛡️ Supported Packages
## Getting Started
### Install the JFrog extension in VS Code

The extension is available to install from the VS Code extensions marketplace. After installing, the JFrog extension tab is added to VS Code.

### Connecting VS Code to Your JFrog Platform

If you don't have a JFrog Platform instance, create a free instance in the cloud by running one of the following commands in your terminal.

**MacOS and Linux using cUrl**
**Windows using PowerShell**
The commands will do the following:
Once the JFrog Extension is installed in VS Code, click on the JFrog tab. This will open the Sign in page. Fill in your connection details and click on the sign-in button.

Note: If you would like to use custom URLs for Artifactory or Xray, click on 'Advanced'.

You can also choose other options to authenticate with your JFrog Platform instance:

#### Connect Using SSO

To sign in using SSO, follow these steps:
#### Connect Using JFrog CLI Connection Details

If JFrog CLI is installed on your machine and is configured with your JFrog Platform connection details, then you should see a message popup in the Sign in page.

#### Connect Using Environment Variables

You may set the connection details using the following environment variables. VS Code will read them after it is launched.
Once the above environment variables are configured, you can expect to see a message popup in the Sign in page.

Note: For security reasons, it is recommended to unset the environment variables after launching VS Code.

## Using the Extension

The extension offers two modes, Local and CI. The two modes can be toggled by pressing on their respective buttons that will appear next to the components tree.
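One way to honour the note above without having to remember to unset anything: give the connection variables only to the VS Code child process, never to the interactive shell. The following launcher is an added example and is not part of the extension or the JFrog Platform. It assumes the variable names `JFROG_IDE_URL` and `JFROG_IDE_ACCESS_TOKEN` as documented for the extension's environment-variable sign-in, a `code` command on the PATH, and a token stored in a file that only its owner can read (all of these are assumptions; the token path and values are constructed).

```python
import os
import stat
import subprocess
from pathlib import Path

# Variable names as documented for the extension's "Connect Using Environment
# Variables" option (assumed here; check your extension version if the sign-in
# page does not pick them up).
URL_VAR = "JFROG_IDE_URL"
TOKEN_VAR = "JFROG_IDE_ACCESS_TOKEN"


def read_token(token_path: Path) -> str:
    """Read an access token from a file that only its owner may read (POSIX modes)."""
    mode = stat.S_IMODE(token_path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{token_path} is readable by group/others (mode {oct(mode)}); "
            "restrict it to the owner (e.g. chmod 600) before use"
        )
    token = token_path.read_text(encoding="utf-8").strip()
    if not token:
        raise ValueError(f"{token_path} is empty")
    return token


def build_ide_env(platform_url: str, token: str) -> dict:
    """Return the environment for the VS Code child process only.

    The connection variables are added to a *copy* of the current environment,
    so the calling shell never sees them and there is nothing to unset later.
    """
    child_env = dict(os.environ)
    child_env[URL_VAR] = platform_url
    child_env[TOKEN_VAR] = token
    return child_env


def leaked_into_parent() -> bool:
    """True if either connection variable is visible in this process's environment."""
    return URL_VAR in os.environ or TOKEN_VAR in os.environ


def launch_vscode(workspace: str, platform_url: str, token_path: Path,
                  code_cmd: str = "code") -> int:
    """Start VS Code on `workspace` with the connection variables scoped to it."""
    env = build_ide_env(platform_url, read_token(token_path))
    # The `code` launcher forks the editor; the forked process inherits `env`.
    return subprocess.call([code_cmd, workspace], env=env)


if __name__ == "__main__":
    # Constructed values; replace with your own platform URL and token file.
    launch_vscode(".", "https://example.jfrog.io", Path.home() / ".jfrog-ide-token")
```

Because the variables live only in the child environment, running `env | grep JFROG_IDE_` in the shell afterwards shows nothing, which is the state the note above asks you to reach.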
### Severity Icons

The icon shows the top severity issue of a selected component and its transitive dependencies. The following table describes the severities from highest to lowest:
### The Local View

#### General

The JFrog VS Code Extension enables continuous scans of your project with the JFrog Platform. The security related information will be displayed under the Local view. It allows developers to view vulnerability information about their dependencies and source code in their IDE. With this information, you can make an informed decision on whether to use a component or not before it gets entrenched into the organization's product. Scan your workspace by clicking the Scan/Rescan button.

#### Software Composition Analysis (SCA)

Each descriptor file (like pom.xml in Maven, go.mod in Go, etc.) displayed in the JFrog Panel contains vulnerable dependencies, and each dependency contains the vulnerabilities themselves. Each file node in the tree is interactive. Click and expand it to view its child nodes and navigate to the corresponding file in the IDE editor for better visibility. Upon navigating to a file, the extension will highlight the vulnerable line, making it easier to locate the specific issue. In addition, the locations with vulnerabilities will be marked in the editor. By clicking on the light bulb icon next to a vulnerable location in the editor, you can instantly jump to the corresponding entry in the tree view. Clicking on a CVE in the list will open the location with the issue in the editor and a vulnerability details view. This view contains information about the vulnerability, the vulnerable component, fixed versions, impact paths and much more.
Update a vulnerable direct dependency to a fixed version directly from the vulnerable location in the editor using quick fix.
When Xray watches are enabled and a vulnerability is detected, a closed eye icon will appear next to the vulnerability line in the JFrog extension. By clicking on this icon, you can initiate the process of creating an Ignore Rule in Xray.
#### CVE Research and Enrichment

For selected security issues, get leverage-enhanced CVE data that is provided by our JFrog Security Research team. Prioritize the CVEs based on:
Check out what our research team is up to and stay updated on newly discovered issues by clicking on this link.

#### Vulnerability Contextual Analysis
Xray automatically validates some high and very high impact vulnerabilities, such as vulnerabilities that have prerequisites for exploitation, and provides contextual analysis information for these vulnerabilities to help you determine which vulnerabilities need to be fixed. Vulnerability Contextual Analysis data includes:
#### Secrets Detection
Detect any secrets left exposed inside the code, to prevent any accidental leak of internal tokens or credentials. To ignore detected secrets, you can add a comment which includes the phrase `jfrog-ignore` above the line with the secret.

#### Infrastructure as Code (IaC) Scan
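To make the `jfrog-ignore` behaviour concrete, here is a small line-based secret scanner that honours the marker on the preceding line and masks the matched value in its report. It is an added example, not the extension's detector: the three rules are constructed for illustration (the real rule set is not published on this page), the sample file is constructed, and treating the marker as effective wherever it appears on the previous line is a simplification that sidesteps per-language comment syntax.

```python
import re
from dataclasses import dataclass

# Illustrative rules constructed for this example; the extension's own
# detection rules are not published here and are certainly broader.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_credential": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
IGNORE_MARKER = "jfrog-ignore"   # suppresses a finding on the line directly below it


@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str     # the offending line with the matched value masked, never the raw secret


def scan_lines(lines):
    """Report lines matching a rule unless the previous line carries the marker.

    Comment syntax differs per language, so this simplification honours the
    marker wherever it appears on the preceding line.
    """
    findings, previous = [], ""
    for line_no, line in enumerate(lines, start=1):
        if IGNORE_MARKER not in previous:
            for rule, pattern in SECRET_PATTERNS.items():
                match = pattern.search(line)
                if match:
                    # Mask only the captured value when the rule has a group,
                    # otherwise the whole match (e.g. the AKIA... key itself).
                    start, end = match.span(1) if match.lastindex else match.span()
                    masked = line[:start] + "<redacted>" + line[end:]
                    findings.append(Finding(line_no, rule, masked.rstrip()))
                    break
        previous = line
    return findings


# Constructed sample file; none of these values are live credentials.
SAMPLE_FILE = [
    "# constructed sample file; the values below are placeholders",
    'DB_HOST = "db.internal"',
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',    # reported (line 3)
    "# jfrog-ignore: fixture value, reviewed and not a real key",
    'api_key = "0123456789abcdef0123456789abcdef"',  # suppressed by line 4
    'token = "short"',                               # too short for the generic rule
    "password: supersecretvalue1234567890",          # reported (line 7)
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_FILE):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
```

The scanner deliberately stores and prints only the masked line: a secret report that echoes the secret into a log or a CI console just moves the leak somewhere else.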
Scan Infrastructure as Code (Terraform) files for early detection of cloud and infrastructure misconfigurations.

### The CI View

The CI view of the extension allows you to view information about your builds directly from your CI system. This allows developers to keep track of the status of their code while it is being built, tested and scanned as part of the CI pipeline, regardless of the CI provider used. This information can be viewed inside the JFrog VS Code Extension, from the JFrog Panel, after switching to CI mode. The following details can be made available in the CI view.
#### How Does It Work?

The CI information displayed in VS Code is pulled by the JFrog Extension directly from JFrog Artifactory. This information is stored in Artifactory as part of the build-info, which is published to Artifactory by the CI server. Read more about build-info in the Build Integration documentation page. If the CI pipeline is also configured to scan the build-info by JFrog Xray, the JFrog VS Code Extension will pull the results of the scan from JFrog Xray and display them in the CI view as well.

#### Setting Up Your CI Pipeline

Before VS Code can display information from your CI in the CI View, your CI pipeline needs to be configured to expose this data. Read this guide which describes how to configure your CI pipeline.

#### Setting Up the CI View

Set your CI build name in the Build name pattern field in the Extension Settings. This is the name of the build published to Artifactory by your CI pipeline. You have the option of setting `*` to view all the builds published to Artifactory. After your builds have been fetched from Artifactory, press on the Builds

## Extension Settings

To open the extension settings, use the extension settings icon:
### Apply Xray Policies to your Projects

You can configure the JFrog VS Code extension to use the security policies you create in Xray. Policies enable you to create a set of rules, in which each rule defines security criteria, with a corresponding set of automatic actions according to your needs. Policies are enforced when applying them to Watches. If you'd like to use a JFrog Project that is associated with the policy, follow these steps:
If, however, your policies are referenced through an Xray Watch or Watches, follow these steps instead:
### Exclude Paths from Scan

By default, paths containing the words

### Proxy Configuration

If your JFrog environment is behind an HTTP/S proxy, follow these steps to configure the proxy server:
#### Proxy Authorization

If your proxy server requires credentials, follow these steps:

**Basic authorization**

**Access token authorization**

**Example**

settings.json:
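The two authorization forms above differ only in how the header value is built: Basic is `base64(username:password)`, a token is sent as a Bearer value. The helper below is an added example, not part of the extension or of VS Code; it assumes VS Code's `http.proxy` and `http.proxyAuthorization` settings keys (which exist) and writes them into a settings.json file, keeping any unrelated keys intact. The proxy URL, credentials and file path are constructed placeholders.

```python
import base64
import json
from pathlib import Path

# VS Code settings keys (real). Everything else here is constructed.
PROXY_KEY = "http.proxy"
PROXY_AUTH_KEY = "http.proxyAuthorization"


def proxy_authorization_basic(username: str, password: str) -> str:
    """Build the value for Basic proxy authorization: base64 of 'user:pass'."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id of Basic credentials")
    creds = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def proxy_authorization_bearer(access_token: str) -> str:
    """Build the value for access-token proxy authorization."""
    token = access_token.strip()
    if not token:
        raise ValueError("empty access token")
    return "Bearer " + token


def merged_settings(existing: dict, proxy_url: str, authorization: str) -> dict:
    """Return a copy of `existing` with the proxy keys set and other keys untouched."""
    updated = dict(existing)
    updated[PROXY_KEY] = proxy_url
    updated[PROXY_AUTH_KEY] = authorization
    return updated


def update_settings_file(path: Path, proxy_url: str, authorization: str) -> dict:
    """Rewrite settings.json with the proxy keys; expects strict JSON.

    VS Code tolerates comments in settings.json, json.loads does not: if your
    file has them, json.loads raises instead of silently dropping them.
    """
    existing = json.loads(path.read_text(encoding="utf-8")) if path.exists() else {}
    updated = merged_settings(existing, proxy_url, authorization)
    path.write_text(json.dumps(updated, indent=4) + "\n", encoding="utf-8")
    return updated


if __name__ == "__main__":
    # Constructed example: username foo, password bar, proxy at proxy.example:8080.
    value = proxy_authorization_basic("foo", "bar")
    print(json.dumps(merged_settings({}, "http://proxy.example:8080", value), indent=4))
```

Base64 is encoding, not encryption: the credentials sit in settings.json in recoverable form, so keep that file out of dotfile repositories and settings-sync targets, and prefer a short-lived access token over a password where the proxy supports it.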
## Behind the Scenes - Software Composition Analysis (SCA)

### Go Projects

Behind the scenes, the JFrog VS Code Extension scans all the project dependencies, both direct and indirect (transitive), even if they are not declared in the project's go.mod. It builds the Go dependencies tree by running

### Maven Projects

The JFrog VS Code Extension builds the Maven dependencies tree by running

Important notes:
### Npm Projects

Behind the scenes, the extension builds the npm dependencies tree by running

Important:
To have your project dependencies scanned by JFrog Xray, make sure the npm CLI is installed on your local machine and that it is in your system PATH.
In addition, the project dependencies must be installed using

#### Exclude Development Dependencies During Scan

Development dependencies are scanned by default. You can exclude them by choosing

### Yarn v1 Projects

Behind the scenes, the extension builds the Yarn dependencies tree by running

Important:
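The two ideas that the Severity Icons section and the development-dependency setting rely on, computing a component's top severity across its transitive dependencies and listing impact paths, with dev dependencies optionally excluded, can be shown on a small npm-style tree. The following is an added example and not the extension's implementation: the dependency tree is a constructed dict in the shape of `npm ls --json` output (only the `name`, `version`, `dev` and `dependencies` keys are read, and the `dev` flag is assumed to be inherited by a dev dependency's own children), the vulnerability map is constructed, and the severity labels are assumed to match the page's table.

```python
from dataclasses import dataclass, field

# Severity order follows the page's table (highest to lowest). The exact
# labels are assumed; adjust them to match the ones your Xray version uses.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Unknown": 0}


@dataclass
class Node:
    name: str                      # "package@version"
    dev: bool = False              # development dependency, or reached only through one
    children: list = field(default_factory=list)


def parse_npm_ls(tree: dict, name: str = "root", parent_dev: bool = False) -> Node:
    """Build a Node tree from an `npm ls --json`-shaped dict (constructed sample below)."""
    label = f"{tree.get('name', name)}@{tree.get('version', '')}"
    dev = bool(tree.get("dev", parent_dev))      # inherit the parent's dev flag if omitted
    node = Node(label, dev)
    for child_name, sub in tree.get("dependencies", {}).items():
        node.children.append(parse_npm_ls(sub, child_name, dev))
    return node


def top_severity(node: Node, vulns: dict, include_dev: bool = True) -> str:
    """Highest severity among `node` and its transitive dependencies.

    `vulns` maps "package@version" to a severity label. Dev dependencies are
    skipped when include_dev is False, mirroring the extension's setting.
    """
    best, seen, stack = "Unknown", set(), [node]
    while stack:
        cur = stack.pop()
        if cur.name in seen or (cur.dev and not include_dev):
            continue
        seen.add(cur.name)                       # also guards against cycles
        sev = vulns.get(cur.name, "Unknown")
        if SEVERITY_RANK[sev] > SEVERITY_RANK[best]:
            best = sev
        stack.extend(cur.children)
    return best


def impact_paths(root: Node, vulns: dict, include_dev: bool = True) -> dict:
    """Map each vulnerable component to every dependency path that reaches it."""
    paths: dict = {}

    def walk(node: Node, trail: list) -> None:
        if node.name in trail or (node.dev and not include_dev):
            return                               # cycle guard / dev exclusion
        trail = trail + [node.name]
        if node.name in vulns:
            paths.setdefault(node.name, []).append(trail)
        for child in node.children:
            walk(child, trail)

    walk(root, [])
    return paths


# Constructed sample: package names and versions are invented.
SAMPLE_NPM_LS = {
    "name": "demo-app", "version": "1.0.0",
    "dependencies": {
        "express-like": {"version": "4.0.0",
                         "dependencies": {"qs-like": {"version": "6.0.0"}}},
        "lodash-like": {"version": "4.17.0"},
        "mocha-like": {"version": "9.0.0", "dev": True,
                       "dependencies": {"minimist-like": {"version": "0.0.8"}}},
    },
}
SAMPLE_VULNS = {"qs-like@6.0.0": "High", "lodash-like@4.17.0": "Medium",
                "minimist-like@0.0.8": "Critical"}

if __name__ == "__main__":
    root = parse_npm_ls(SAMPLE_NPM_LS)
    for include_dev in (True, False):
        print(f"include_dev={include_dev}: top severity {top_severity(root, SAMPLE_VULNS, include_dev)}")
        for comp, trails in impact_paths(root, SAMPLE_VULNS, include_dev).items():
            print("  ", comp, " <- ", " > ".join(trails[0]))
```

Note how the project's icon changes from Critical to High once dev dependencies are excluded: the only Critical finding is reachable solely through the dev-only test runner, which is exactly the trade-off the setting makes.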
### Pypi Projects

Behind the scenes, the extension builds the Pypi dependencies tree by running
### .NET Projects

For .NET projects which use NuGet packages as dependencies, the extension displays the NuGet dependencies tree, together with the information for each dependency. Behind the scenes, the extension builds the NuGet dependencies tree using the NuGet deps tree npm package.

Important:
## Troubleshooting

Change the log level to 'debug', 'info', 'warn', or 'err' in the Extension Settings. View the extension log:
## License

The extension is licensed under Apache License 2.0.

## Building and Testing the Sources

### Preconditions
To build the extension from sources, please follow these steps:
After the build finishes, you'll find the vsix file in the jfrog-vscode-extension directory. The vsix file can be loaded into VS Code.

To run the tests:
## Code Contributions

We welcome community contribution through pull requests.

### Guidelines