JFrog Artifactory Setup
The Sonatype Repository Firewall for JFrog Artifactory solution protects your development environment from risky open-source components. The plugin uses policies configured in the Firewall server to quarantine unwanted components from being served through your remote repositories.
Note
JFrog Artifactory SaaS is not supported. We do not support the following versions: 7.49.3, 7.49.5, 7.49.8, 7.55.2, and any version that has reached its "Artifactory end of life" date.
Artifactory’s plugin caching
JFrog Artifactory compares a plugin's timestamp against an internal cache when determining which plugin files to load. When updating the plugin or the firewall.properties file, the timestamp needs to be updated as well. On Linux systems, this can be accomplished using the touch command.
touch <filename>;
Installation
A running JFrog Artifactory instance will immediately load plugins copied to the plugins directory. Avoid corrupting the installation by first extracting the plugin to a temporary directory and then moving its files to the plugins directory. This is not an issue when the server is shut down.
Download the latest version of the plugin and extract the contents of the plugin to a temporary folder.
Move the lib directory into the ${ARTIFACTORY_HOME}/etc/plugins directory.
Move the nexusFirewallForArtifactory.groovy file into ${ARTIFACTORY_HOME}/etc/plugins.
The zip file includes an example configuration file for the plugin and all necessary files for the operation of the plugin. The final folder structure should resemble:
JFrog Artifactory 7.x
${ARTIFACTORY_HOME}
  /var
    /etc
      /artifactory
        /plugins
          nexusFirewallForArtifactoryPlugin.groovy
          firewall.properties
          /lib
            nexus-iq-artifactory-plugin.jar
JFrog Artifactory 6.x
${ARTIFACTORY_HOME}
  /etc
    /plugins
      nexusFirewallForArtifactoryPlugin.groovy
      firewall.properties
      /lib
        nexus-iq-artifactory-plugin.jar
Rename firewall.properties.example to firewall.properties to use as a base for your configuration.
Configure which repositories you would like to enable in the firewall.properties file.
Restart the JFrog Artifactory server.
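The installation steps above, combined with the timestamp refresh from the plugin caching section, as an added example (not Sonatype's or JFrog's own script). It assumes the zip is already extracted to a staging directory with lib/, the plugin .groovy file and firewall.properties.example at its top level; the function names and the plugins-directory argument are hypothetical, and configuring repositories and restarting the server remain manual steps.

```shell
#!/bin/sh
# Added example, not Sonatype's or JFrog's script. Assumption: the plugin zip
# is already extracted to a staging directory holding lib/, the plugin .groovy
# file and firewall.properties.example at its top level.

# install_firewall_plugin STAGING_DIR PLUGINS_DIR
install_firewall_plugin() {
    staging=$1; plugins=$2; groovy=
    # The page names the script both with and without the "Plugin" suffix.
    for f in "$staging"/nexusFirewallForArtifactory*.groovy; do
        if [ -f "$f" ]; then groovy=$f; break; fi
    done
    [ -n "$groovy" ] || { echo "no plugin .groovy in $staging" >&2; return 1; }
    [ -d "$staging/lib" ] || { echo "no lib/ in $staging" >&2; return 1; }
    mkdir -p "$plugins" || return 1
    # Keep an existing configuration; otherwise start from the shipped example.
    if [ ! -f "$plugins/firewall.properties" ]; then
        cp "$staging/firewall.properties.example" \
           "$plugins/firewall.properties" || return 1
    fi
    # Jar first, script last: a running server loads whatever appears here.
    rm -rf "$plugins/lib" || return 1
    mv "$staging/lib" "$plugins/lib" || return 1
    mv "$groovy" "$plugins/" || return 1
    # Refresh timestamps so Artifactory's plugin cache notices the update.
    touch "$plugins/firewall.properties" "$plugins/$(basename "$groovy")"
}

# check_firewall_plugin PLUGINS_DIR: returns 0 only if the layout is complete.
check_firewall_plugin() {
    plugins=$1; rc=0; found=
    for f in "$plugins"/nexusFirewallForArtifactory*.groovy; do
        if [ -f "$f" ]; then found=$f; fi
    done
    [ -n "$found" ] || { echo "MISSING plugin .groovy" >&2; rc=1; }
    [ -f "$plugins/lib/nexus-iq-artifactory-plugin.jar" ] ||
        { echo "MISSING lib/nexus-iq-artifactory-plugin.jar" >&2; rc=1; }
    # With the plugin installed, a missing firewall.properties denies downloads.
    [ -f "$plugins/firewall.properties" ] ||
        { echo "MISSING firewall.properties: downloads will be denied" >&2; rc=1; }
    return $rc
}

# Usage: sh install.sh /tmp/firewall-staging "$ARTIFACTORY_HOME/etc/plugins"
if [ "$#" -eq 2 ]; then
    install_firewall_plugin "$1" "$2" && check_firewall_plugin "$2"
fi
```

Pass the plugins directory that matches your version's folder structure shown above; the check is also worth running on its own after any later change to the plugins directory.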
Considerations
The Firewall for JFrog Artifactory plugin processes new components from the time the plugin is enabled. Previously downloaded components are allowed, to prevent existing builds from breaking.
When quarantine is disabled, currently quarantined components are released to the repository. These components will not be re-quarantined without first deleting them from the remote repository and requesting them again.
When the plugin is installed, removing the firewall.properties file will cause any download requests to be denied until the firewall.properties file is restored and JFrog Artifactory is restarted.
Commenting out a repository configuration does not disable it. Use the disabled setting instead.
Nexus Firewall for Artifactory requires the store artifacts locally advanced setting.
Repository Firewall supports the remote repository type. The virtual repository type is indirectly supported when it includes a remote repository.
Configure 'local' repositories as 'proprietary' to use for preventing Namespace Confusion attacks.
Configured repositories are displayed in Repository Managers under 'Organization and Policies' in the Firewall server.
The username must be configured in the Firewall server with the Component Evaluator role. Consider using a service account with user tokens.
High Availability
Install the plugin zip and the firewall.properties file on the primary node of your JFrog Artifactory high-availability system.
JFrog Artifactory HA will automatically synchronize the plugin and its configuration to the remaining nodes.
Update the plugin configuration for JFrog Artifactory HA
Logging
The Sonatype Repository Firewall for JFrog Artifactory plugin ships with logging by default. Additional logs are available for debugging when necessary. To prevent excessive log entries, the plugin does not log every time a component request is blocked.
JFrog Artifactory uses the Logback library for logging. To understand JFrog Artifactory logging and modify logged information, see the JFrog documentation.
Add this section to the logback.xml file to increase logging for the plugin:
<logger name="com.sonatype.iq.artifactory">
  <level value="debug"/>
</logger>