JFrog has announced the launch of JFrog Xray, which provides visibility into the contents of software components. JFrog Xray is a universal impact analysis product, to provide companies with understanding about their container images, software packages and binary artifacts, providing insight into the huge volume and variety of components that development teams share in the software build and distribution process.
The technology solves a problem for companies as they increase their use of container technology and make open source part of their development strategies. With so many open source components available, it has become extremely difficult, if not impossible, for application builders to know pertinent information about each one and avoid security issues, such as the Heartbleed bug in the OpenSSL cryptographic software library that put user passwords on many popular websites at risk.
JFrog Xray analyzes the relationships between binary artifacts across an entire organization and the impact that one component has on any other. In addition to security vulnerabilities, JFrog Xray can also analyze the potential impact of performance issues or architectural changes.
JFrog Xray is a fully automated platform with a REST API allowing integration and automation with an organization’s CI/CD pipeline, and enabling other inspection and security tools to fit into the full build-to- production automated flow.
JFrog Xray includes the VersionEye technology and database. VersionEye is a startup company based in Mannheim, Germany whose platform helps improve developer productivity through a system that tracks open source libraries and alerts developers in real time to key information such as security vulnerabilities, license violations and outdated dependencies.
The platform offers the following functionality:
- Impact analysis that indicates how production and continuous integration (CI) environments are impacted.
- A full dependencies graph on which users can easily zoom in to find vulnerability or compliance issues.
- An open API that enables integration with all current and future types of component-scanning technology to allow custom scanning capabilities for performance, quality, popularity or any other criteria required.
- A universal solution that integrates with vulnerability and license compliance databases such as VersionEye, Black Duck and WhiteSource.
- Integration with a user’s registry and repository to allow full sync through all the CI/CD flow.