JFrog Visual Studio Code Extension

About this Extension

General

The cost of remediating a vulnerability is akin to the cost of fixing a bug. The earlier you remediate a vulnerability in the release cycle, the lower the cost. JFrog Xray is instrumental in flagging components when vulnerabilities are discovered in production systems at runtime, or even sooner, during development. The JFrog VS Code Extension adds JFrog Xray scanning of project dependencies to your VS Code IDE. It allows developers to view panels displaying vulnerability information about the components and their dependencies directly in their VS Code IDE. With this information, a developer can make an informed decision on whether to use a component or not before it gets entrenched into the organization's product. Don't have JFrog Xray? Start for free.

Supported Features

Free Go Modules Security Scanning and Metadata from GoCenter (deprecated)

As of February 28, 2021, GoCenter has been sunset. This integration has been removed. Learn more: https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/

Viewing and Updating Project Dependencies

View the dependencies used by the project in a tree, where the direct dependencies are at the top.
The JFrog extension automatically triggers a scan of the project's dependencies whenever a change is detected after building the code.
To invoke a scan manually, click on the Refresh
View the security information for a dependency by hovering over it in the editor.
You can also navigate from the dependency declaration directly into the tree view. This allows you to see transitive (indirect) dependencies.
Search for a dependency in the tree:
View the issues associated with direct and transitive (indirect) dependencies.
Update a vulnerable dependency to a fixed version:
To filter the dependencies viewed, click on the Filter
Navigate from the tree view to a dependency's declaration in the editor.

General Configuration

Configuring JFrog Xray

Connect to JFrog Xray by clicking on the green Connect
The extension also supports connecting to JFrog Xray using environment variables. Note: For security reasons, it is recommended to unset the environment variables after launching VS Code.
Proxy Configuration

If your JFrog Xray instance is behind an HTTP/S proxy, follow these steps to configure the proxy server:

Proxy Authorization

If your proxy server requires credentials, follow these steps:
Example
settings.json:
Scan after dependencies change

The JFrog VS Code extension can trigger an Xray scan after a change in go.sum or package-lock.json. This feature is disabled by default. You can enable it in the Extension Settings.

Exclude Paths from Scan

By default, paths containing the words

Extension Settings

To open the extension settings, use the following VS Code menu command:

Go Projects

Behind the scenes, the JFrog VS Code Extension scans all of the project dependencies, both direct and indirect (transitive), even if they are not declared in the project's go.mod. It builds the Go dependencies tree by running

Maven Projects

Excluding transitive dependency in pom.xml

To exclude a transitive dependency from your project, click on the "Exclude dependency" button in the dependencies tree.
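Returning to the Go dependencies tree described under Go Projects above: the following is an added example, not code from the JFrog extension, showing how direct and transitive (indirect) modules can be separated and arranged with direct dependencies at the top. It assumes the tree is reconstructed from `go mod graph` output (the page elides the actual command) and uses a constructed sample of that output, including a cycle, since module graphs can contain them.

```typescript
// Added example (not the extension's own code): reconstruct a dependency tree from
// `go mod graph` output. Assumption: the command is `go mod graph`; the page elides it.
interface DepNode { module: string; version: string; children: DepNode[] }

// Constructed sample `go mod graph` output. Each line is "<from> <to>"; the main
// module carries no @version, and a cycle (core -> text -> core) is included.
const SAMPLE_GO_MOD_GRAPH = `
example.com/app github.com/a/lib@v1.2.0
example.com/app github.com/b/util@v0.5.0
github.com/a/lib@v1.2.0 github.com/c/core@v2.0.0
github.com/c/core@v2.0.0 golang.org/x/text@v0.3.7
golang.org/x/text@v0.3.7 github.com/c/core@v2.0.0
`;

// Parse edges into an adjacency map; malformed lines are skipped rather than trusted.
function parseGoModGraph(output: string): Map<string, string[]> {
  const edges = new Map<string, string[]>();
  for (const raw of output.split("\n")) {
    const parts = raw.trim().split(/\s+/);
    if (parts.length !== 2) continue;
    const [from, to] = parts;
    if (!edges.has(from)) edges.set(from, []);
    edges.get(from)!.push(to);
  }
  return edges;
}

// Build the tree the view shows (direct deps at the top); `onPath` stops cycles.
function buildTree(edges: Map<string, string[]>, id: string, onPath = new Set<string>()): DepNode {
  const at = id.indexOf("@");
  const node: DepNode = { module: at < 0 ? id : id.slice(0, at), version: at < 0 ? "" : id.slice(at + 1), children: [] };
  onPath.add(id);
  for (const child of edges.get(id) ?? []) {
    if (!onPath.has(child)) node.children.push(buildTree(edges, child, onPath));
  }
  onPath.delete(id);
  return node;
}

// Classify every module reachable from the root as direct or transitive (indirect).
function classifyDeps(edges: Map<string, string[]>, root: string): { direct: string[]; transitive: string[] } {
  const direct = edges.get(root) ?? [];
  const seen = new Set<string>([root]);
  const stack = Array.from(direct);
  while (stack.length > 0) {
    const id = stack.pop()!;
    if (seen.has(id)) continue;
    seen.add(id);
    stack.push(...(edges.get(id) ?? []));
  }
  const transitive = Array.from(seen).filter((d) => d !== root && !direct.includes(d)).sort();
  return { direct, transitive };
}
```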
Behind the Scenes

The JFrog VS Code Extension builds the Maven dependencies tree by running
Important notes:

Npm Projects

Behind the scenes, the extension builds the npm dependencies tree by running
Important:
To have your project dependencies scanned by JFrog Xray, make sure the npm CLI is installed on your local machine and that it is in your system PATH.
In addition, the project dependencies must be installed using

Pypi Projects

Behind the scenes, the extension builds the Pypi dependencies tree by running

.NET Projects

For .NET projects which use NuGet packages as dependencies, the extension displays the NuGet dependencies tree, together with the information for each dependency. Important:
Troubleshooting

View the extension log:

License

The extension is licensed under Apache License 2.0.

Building and Testing the Sources

To build the extension sources, please follow these steps:
After the build finishes, you'll find the vsix file in the jfrog-vscode-extension directory. The vsix file can be loaded into VS Code.
To run the tests:

Code Contributions

We welcome community contribution through pull requests.

Guidelines