jfrog xray report generation on consumed packages

Open psamadda opened this issue 2 years ago • 2 comments

What is your question?

I have created a conan package from examples2/tutorial/creating_packages/add_requires. When I upload the package to the conan package type repository on the jfrog server, the xray report is not showing any security/vulnerability issue in the consumed package (fmt in this case). But the xray scan is reporting issues if I push the fmt package individually. Is the xray report not generated for consumed packages or libs? If so, what am I missing?

conan_pkg_info fmt hello_pkg

Have you read the CONTRIBUTING guide?

  • [ ] I've read the CONTRIBUTING guide

psamadda avatar Sep 06 '23 06:09 psamadda

Hi @psamadda

The XRay way to have information about dependencies is uploading the "buildInfo" JSON file to the server, as the server side does not automatically parse and analyze the dependencies and transitive dependencies of every package upload.

There are tools in the conan-extensions repo to create the buildInfo. I am moving this ticket to that repo, please have a look at: https://github.com/conan-io/conan-extensions/tree/main/extensions/commands/art

memsharded avatar Sep 07 '23 10:09 memsharded
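As an added example (not code from this thread or from conan-extensions): a Python check that a build-info actually declares the dependencies Conan resolved before it is uploaded, since an Xray build scan only covers what the build-info lists. It assumes the `graph.nodes` layout of `conan create --format=json` and the `modules[].dependencies[].id` layout of Artifactory build-info; both sample documents are constructed.

```python
"""Check that a build-info lists every dependency Conan resolved.
Xray's build scan only sees what the uploaded build-info declares, so a
build-info that omits a consumed package (fmt here) produces a report with
no findings for it. Assumed layouts, not copied from real output: the
`graph.nodes` structure of `conan create --format=json` and the
`modules[].dependencies[].id` structure of Artifactory build-info.
Both sample documents are constructed.
"""
import json

# Constructed `conan create --format=json` fragment: hello/1.0 consuming fmt.
CONAN_GRAPH_JSON = json.dumps({"graph": {"nodes": {
    "0": {"ref": "hello/1.0#aaa111", "recipe": "Cache"},
    "1": {"ref": "fmt/10.2.1#bbb222", "recipe": "Downloaded"}}}})

# Constructed build-info that only lists the built package (no dependencies).
INCOMPLETE_BUILD_INFO_JSON = json.dumps({"name": "hello", "number": "1",
    "modules": [{"id": "hello/1.0#aaa111:pkgid#prev", "dependencies": []}]})

# Constructed build-info that also declares the consumed fmt package.
COMPLETE_BUILD_INFO_JSON = json.dumps({"name": "hello", "number": "1",
    "modules": [{"id": "hello/1.0#aaa111:pkgid#prev", "dependencies": [
        {"id": "fmt/10.2.1#bbb222:pkgid#prev :: conan_package.tgz"}]}]})

def strip_revision(ref: str) -> str:
    """Reduce 'name/version#rrev:pkgid#prev :: file' to 'name/version'."""
    return ref.split(" :: ")[0].split("#")[0]

def resolved_dependency_refs(graph_json: str) -> set:
    """Refs Conan resolved, excluding root node "0" (the package being built)."""
    nodes = json.loads(graph_json)["graph"]["nodes"]
    return {strip_revision(node["ref"]) for node_id, node in nodes.items()
            if node_id != "0" and node.get("ref")}

def build_info_dependency_refs(build_info_json: str) -> set:
    """Dependency refs declared across all modules of the build-info."""
    modules = json.loads(build_info_json).get("modules", [])
    return {strip_revision(dep["id"]) for module in modules
            for dep in module.get("dependencies", [])}

def missing_dependencies(graph_json: str, build_info_json: str) -> list:
    """Sorted refs Conan used that the build-info does not declare."""
    return sorted(resolved_dependency_refs(graph_json)
                  - build_info_dependency_refs(build_info_json))

if __name__ == "__main__":
    print(missing_dependencies(CONAN_GRAPH_JSON, INCOMPLETE_BUILD_INFO_JSON))  # ['fmt/10.2.1']
```

An empty result from `missing_dependencies` is the precondition for trusting the dependency findings in the Xray build report.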

Just wanted to update this issue to confirm that the XRay scan report is generated for builds when using the build-info. See comment https://github.com/conan-io/conan-extensions/issues/100#issuecomment-2122884944 for more information.

danimtb avatar May 24 '24 09:05 danimtb