<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Xray on Software Factory</title><link>/tags/xray/</link><description>Recent content in Xray on Software Factory</description><generator>Hugo</generator><language>en</language><atom:link href="/tags/xray/index.xml" rel="self" type="application/rss+xml"/><item><title>JFrog Generate SBOMs</title><link>/use/howto/secure/jfrog-generate-sboms/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/howto/secure/jfrog-generate-sboms/</guid><description>&lt;p&gt;A &lt;a href="/use/practices/secure/software-composition-analysis/software-bill-of-materials/"&gt;Software Bill of Materials&lt;/a&gt;
 is a machine-readable inventory of all components,
libraries and dependencies shipped inside software.&lt;/p&gt;
&lt;p&gt;This page shows how to generate SBOMs during the development lifecycle.&lt;/p&gt;

 &lt;div class="admonition important"&gt;
 &lt;div class="admonition-header"&gt;&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"&gt;&lt;path d="M256 512A256 256 0 1 0 256 0a256 256 0 1 0 0 512zm0-384c13.3 0 24 10.7 24 24l0 112c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-112c0-13.3 10.7-24 24-24zM224 352a32 32 0 1 1 64 0 32 32 0 1 1 -64 0z"/&gt;&lt;/svg&gt;
 &lt;span&gt;Important&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="admonition-content"&gt;
 &lt;p&gt;This page focuses on SBOM generation and visibility. For policy enforcement,
violation management, and license compliance, see &lt;a href="/use/tools/xray/#results-and-reporting"&gt;Xray License Scanning&lt;/a&gt;
.&lt;/p&gt;</description></item><item><title>SCA with JFrog Xray and Release Bundles for Maven Projects</title><link>/use/howto/ci-cd/jfrog-full-lifecycle-process/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/howto/ci-cd/jfrog-full-lifecycle-process/</guid><description>&lt;p&gt;This page walks through building a Maven project using &lt;code&gt;jf mvn&lt;/code&gt; instead of plain &lt;code&gt;mvn&lt;/code&gt; generating
&lt;a href="/use/practices/secure/software-composition-analysis/software-bill-of-materials/"&gt;SBOM&lt;/a&gt;
 with your packages, publishing a &lt;a href="/use/tools/artifactory/#build-info"&gt;BuildInfo&lt;/a&gt;
 to Artifactory, &lt;a href="/use/tools/xray/#scanning-artifacts-stored-in-artifactory"&gt;scanning&lt;/a&gt;
 for vulnerabillities
with Xray and &lt;a href="/use/tools/xray/#policy-management"&gt;Policy&lt;/a&gt;
 enforcement, and finally packaging everything into a &lt;a href="/use/tools/artifactory/#release-bundles"&gt;Release Bundle&lt;/a&gt;
.&lt;/p&gt;

 &lt;div class="admonition note"&gt;
 &lt;div class="admonition-header"&gt;&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512"&gt;&lt;path d="M0 64C0 28.7 28.7 0 64 0L224 0l0 128c0 17.7 14.3 32 32 32l128 0 0 125.7-86.8 86.8c-10.3 10.3-17.5 23.1-21 37.2l-18.7 74.9c-2.3 9.2-1.8 18.8 1.3 27.5L64 512c-35.3 0-64-28.7-64-64L0 64zm384 64l-128 0L256 0 384 128zM549.8 235.7l14.4 14.4c15.6 15.6 15.6 40.9 0 56.6l-29.4 29.4-71-71 29.4-29.4c15.6-15.6 40.9-15.6 56.6 0zM311.9 417L441.1 287.8l71 71L382.9 487.9c-4.1 4.1-9.2 7-14.9 8.4l-60.1 15c-5.5 1.4-11.2-.2-15.2-4.2s-5.6-9.7-4.2-15.2l15-60.1c1.4-5.6 4.3-10.8 8.4-14.9z"/&gt;&lt;/svg&gt;
 &lt;span&gt;How to read this page&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="admonition-content"&gt;
 &lt;p&gt;The pipeline is built incrementally — each section adds one capability on top of the
previous one.&lt;/p&gt;</description></item><item><title>JFrog Xray Vulnerability Scan</title><link>/use/howto/secure/jfrog-xray-vulnerabilties/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/howto/secure/jfrog-xray-vulnerabilties/</guid><description>&lt;h2 id="overview"&gt;Overview&lt;a class="td-heading-self-link" href="#overview" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Xray detects known &lt;a href="/use/practices/secure/software-composition-analysis/vulnerability/"&gt;vulnerabilities&lt;/a&gt;
 (CVEs) in the components of your repositories, builds
and release bundles.&lt;/p&gt;
&lt;p&gt;It identifies each component, maps it to known vulnerabilities from public and proprietary sources
and lets you enforce security policies using &lt;strong&gt;policies&lt;/strong&gt; and &lt;strong&gt;watches&lt;/strong&gt; mechanism.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;For background on how Xray works, see &lt;a href="/use/tools/xray/"&gt;Xray Page&lt;/a&gt;
.&lt;/li&gt;
&lt;li&gt;For license compliance, see &lt;a href="/use/tools/xray/#license-compliance"&gt;Xray License Scanning&lt;/a&gt;
.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="prerequisites"&gt;Prerequisites&lt;a class="td-heading-self-link" href="#prerequisites" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Before you start, make sure you have:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Access to a JFrog Platform instance with &lt;strong&gt;Xray&lt;/strong&gt; enabled&lt;/li&gt;
&lt;li&gt;A dedicated &lt;strong&gt;Project&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;A role with &lt;strong&gt;Manage Xray Data&lt;/strong&gt;, &lt;strong&gt;Manage Watches &amp;amp; Policies&lt;/strong&gt; and &lt;strong&gt;Manage Reports&lt;/strong&gt; permission
within that project.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JFrog CLI&lt;/strong&gt; installed and configured&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="create-a-vulnerability-policy"&gt;Create a vulnerability policy&lt;a class="td-heading-self-link" href="#create-a-vulnerability-policy" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;A policy defines what counts as a violation and what action Xray takes when one is found.&lt;/p&gt;</description></item><item><title>JFrog Xray</title><link>/use/tools/xray/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/tools/xray/</guid><description>&lt;div style="display: flex; align-items: flex-start; gap: 1.5rem; margin-bottom: 1rem; max-width: 80%;"&gt;
 &lt;img src="/logo/xray-withname.svg" alt="JFrog Xray"
 width="150"
 style="flex-shrink: 0;"&gt;
 &lt;div&gt;JFrog Xray is part of the Software Factory&amp;rsquo;s &lt;strong&gt;Software Composition Analysis&lt;/strong&gt;
(&lt;a href="/use/practices/secure/software-composition-analysis/"&gt;SCA&lt;/a&gt;
) offering, available with the DevSecOps
package.
It can be used standalone via the JFrog CLI, or coupled with JFrog Artifactory for end-to-end
security and compliance management across your software supply chain.&lt;/div&gt;
&lt;/div&gt;

&lt;div class="admonition info"&gt;
 &lt;div class="admonition-header"&gt;&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"&gt;&lt;path d="M256 512A256 256 0 1 0 256 0a256 256 0 1 0 0 512zM216 336l24 0 0-64-24 0c-13.3 0-24-10.7-24-24s10.7-24 24-24l48 0c13.3 0 24 10.7 24 24l0 88 8 0c13.3 0 24 10.7 24 24s-10.7 24-24 24l-80 0c-13.3 0-24-10.7-24-24s10.7-24 24-24zm40-208a32 32 0 1 1 0 64 32 32 0 1 1 0-64z"/&gt;&lt;/svg&gt;
 &lt;span&gt;Info&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="admonition-content"&gt;
 &lt;p&gt;This page describes the tool independently of any platform-specific details.
For the service URL and other platform-specific configuration,
please refer to your &lt;a href="/get-started/platforms/"&gt;platform&amp;rsquo;s dedicated page&lt;/a&gt;
.&lt;/p&gt;</description></item></channel></rss>