top | item 46909898

(no title)

stroebs | 24 days ago

I’m a fairly heavy user of the JFrog platform with Enterprise+, Xray, their new Curation license, and my org is spending in excess of $500k/year on Artifact storage. Not including my time babysitting it. I’d love to see the end of it, and I hope you manage to build a community around this.

Part of the reason we pay the big license fee is so we have someone to turn to when it inevitably breaks because we’ve used it in a way nobody has before. In Jan last year we were using 30TB of artifact storage in S3. That’s 140TB today.

Where do you get your CVE data? Would built artifacts have their CVEs updated after the fact? Do you have blocking policies on artifacts based on CVEs, licenses, artifact age, etc?

discuss

bsgeraci|24 days ago

I am using the openscap and trivia. Can you add a discussion to my github about some of this. I would love some of your feedback on what you need on your level. I need to check the update mechanism so we are keeping the database up to date. I also want a way to keep it up to date when it is airgapped, not everyones use case but one I have delt with at my jobs.

I still need to put some e2e testing on those policies. https://demo.artifactkeeper.com/security/policies here is a demo and you can add a policy. Again that one I need to make a series of end to end testing but that was designed in mind :) I really want a staging area and promotion of packages after scans.

On my list of things to do.

stroebs|24 days ago

I'll carve out some time to add a discussion as I've become quite passionate about artifact storage in the last 18 months as a result of having to look after this behemoth. Air-gapping is also pretty important - JFrog supports granular proxy specification by repo.

It's a great start. What I can say is that granularity of CVE's in policies will become important for larger consumers. We have about 4.5mn artifacts so even getting CVSSv3 10's blocked was a challenge, let alone 9.8.

raphinou|24 days ago

I looked at your profile but didn't seen any contact info, hence this comment. I'm working on a fully open source multisig solution for artifact authentication. I would be interested to have your opinion and if you see opportunities for such a project in companies as the one you work for now to make the project financially sustainable. Can you contact me? (Email in my profile)

Edit: the project if anyone reading this is interested: http://github.com/asfaload/asfaload (looking for feedback!)

eyeris|24 days ago

Since the cve data is from Trivy/Grype, that should be osv.dev

M0r13n|24 days ago

JFrogs platform is fairly robust. Only time will tell if this project can keep up. I highly doubt it's more than a fancy-looking prototype at this stage

gjvc|24 days ago

tell me mr armchair general, what have you done that's worth talking about?

moezd|24 days ago

Unfortunately I'm also in the same camp, with SBOM generation, Xray, Curation, the whole shebang. I couldn't find these in the docs as well, which would matter in my case.

bsgeraci|24 days ago

Ok updated docs https://artifactkeeper.com/docs/security/scanning/

SHould have info on the CVE, please leave some issues on the repository if you want to see more infromatoin on the actual dashbaord/ui :)

Thanks for the feedback!

bsgeraci|24 days ago

I will add some todo's for me. I know how important this is.