As a popular binary software repository management tool, many organizations use JFrog Artifactory as the centralized delivery spot for builds popping out from various continuous delivery/continuous integration (CI/CD) pipelines and as a staging area for final releases just before shipment. It’s also frequently used as the source for enterprise developers to pull down open source libraries and other third-party components for their applications.
However, as supply chain attacks have become more sophisticated, enterprises need protection from numerous threats, including crimeware, ransomware and APT malware; tampering with software, containers and VM workloads; and compromised third-party commercial components.
RL Spectra Assure™ is a formidable countermeasure for software supply chain attacks. With RL’s newly-released integration for Artifactory, organizations now have a seamless and centralized way to scan software artifacts of all types and protect their precious software supply chain — and that of their customers.
The complex binary analysis powering Spectra Assure detects risks in software packages such as malware, tampering, vulnerabilities, and leaked secrets. Leveraging RL’s Spectra Core technology, massive file reputation database, and more than 15 years of experience in the malware space, even sophisticated nation-state attacks won’t escape detection.
Benefits of the Integration
Secure Final Releases. Spectra Assure is the ideal “final build exam” to ensure the safety of software releases. And while Spectra Assure scans often run in CI/CD pipelines, the Artifactory integration offers an enticing alternative to scanning in dozens of different pipelines across the organization. Security teams no longer need to reach out to each and every development team to convince them to add scanning to their pipelines. Instead, they can leverage the integration to scan build artifacts in Artifactory directly without needing to involve developers.
Secure Open Source. Likewise, the integration allows security teams to scan the open source packages within Artifactory. It’s very common for enterprise developers and their pipelines to pull down open source and other third-party components from Artifactory, since retrieving them from the Internet is inherently risky and typically not permitted by company policy.
Secure Third-Party Commercial Software. Enterprise software buyers can also benefit from the integration. RL has talked to organizations in which Artifactory is the location where employees download approved vendor software packages that have been assessed and are safe for deployment. Because new vulnerabilities are always being found, it is important to re-scan those approved packages periodically to ensure they are still safe. This type of use case is straightforward and seamless with RL’s Artifactory integration.
Preventing the Next Supply Chain Attack
Besides scanning, the integration with Spectra Assure can also prevent the spread of risky or unsafe packages stored in Artifactory by automatically blocking access to them. For software development teams, this is a huge benefit since Artifactory is often the staging area for software releases that are about to be delivered to customers.
The blocking feature is like an automated kill switch to halt the release of dangerous software to customers. It’s compelling to have a control in place to stop the next SolarWinds or 3CX style of attack, where malicious code was surreptitiously implanted in the build process.
The integration is not just suitable for your final build artifacts. Insecure or malicious third-party components may be lurking in your Artifactory repos. With Spectra Assure you can find them and prevent your developers from using them. In other words, Spectra Assure’s Artifactory integration can function as an artifact firewall for enterprise developers.
Dissecting the Integration
Here’s how Spectra Assure integrates with Artifactory. The integration consists of two separate pieces:
- The main piece is a Python package called rl-scan-artifactory, available on the Python Package Index (PyPI). It can be installed like any other package using the pip package manager.
- The second piece is an Artifactory plugin we’ve developed called rlBlock. The plugin leverages the standard User Plugin framework that’s used to extend Artifactory's behavior in custom ways.
Scanning with the Spectra Assure Command Line Interface (CLI)
Here’s a diagram illustrating how the integration works when using the Spectra Assure CLI. In this scenario, artifacts being scanned do not leave the customer’s environment.
The worker machine is equipped with the CLI and a local package store. The rl-scan-artifactory PyPI package is installed on the machine as well.
In step 1, the script is launched, connects to Artifactory via the REST API, downloads the first artifact to be scanned, and saves it to a temporary location.
In step 2, the script initiates a CLI-based scan on the artifact. As part of the scan, threat intelligence data is retrieved from RL’s massive file reputation database. Upon completion the script retrieves the overall status of either pass or fail, which depends on the policy configured. It also generates pertinent reports such as the Spectra Assure SAFE report, the CycloneDX SBOM, and others as needed.
In step 3, the script uploads the generated reports to Artifactory and sets a number of properties on the scanned artifact. The property names begin with “RL” for easy recognition. Most important is the RL.scan-status property with a value of either “pass” or “fail”.
Here’s a screenshot of a binary artifact (HxDSetup_2.5.0.exe - a Windows installer) in Artifactory that failed the Spectra Assure safety check.
Steps 1 to 3 are repeated until all artifacts in the target repository have been scanned. If there are hundreds of artifacts in the repository, the integration methodically loops through them, analyzing each one until finished. With that in mind, RL recommends targeting just one or two repositories at the outset, to limit run time.
The left side of the diagram illustrates the blocking capability of the plugin. This is the kill switch. The black arrow represents a requesting entity, such as a developer or a CI/CD pipeline, attempting to download an artifact. Assuming it’s been analyzed by Spectra Assure and the scan status is “fail,” the plugin blocks the download by returning an HTTP 403 (“Forbidden”) response code along with a message indicating the artifact is unsafe.
And just like that, Spectra Assure has stopped the spread of a potentially dangerous software artifact.
Scanning with the Spectra Assure Portal
Here's a second diagram illustrating how the integration works when using the Spectra Assure Portal. With this deployment option, the worker machine only needs to have rl-scan-artifactory installed. Artifacts are uploaded to the customer’s Spectra Assure SaaS Portal and the scanning takes place there.
The main difference compared to the CLI option occurs in step 2, where artifacts are uploaded instead of being scanned on the worker machine. The script waits for the scan to finish and then sets properties on the artifact in step 3. Another difference here is that scan reports are not uploaded to Artifactory. Instead, a direct link to the SAFE report in Spectra Assure Portal is set as a property. Other reports, such as the CycloneDX and SPDX-compliant SBOMs, are available from within the Portal.
The Spectra Assure Artifactory integration requires outbound connectivity to ReversingLabs. This is true whether scanning is done with the CLI or Portal. Connectivity through a proxy is supported in both cases.
Passing, Failing, and Blocking
Spectra Assure includes nearly 300 policies covering many aspects of software security. Customers decide which ones cause a failing scan. This is done via policy configuration, and our pre-defined SAFE Levels make it easy to choose the most appropriate configuration for your organization’s risk appetite. Level 1 equates to the bare minimum for security, while Level 5 is a much more stringent policy resulting in higher assurance.
The policy configuration is an important factor that determines whether or not access to an artifact is blocked. The blocking action is handled by the rlBlock plugin. Like any Artifactory plugin, it is loaded when Artifactory starts up and can also be hot-reloaded via a REST API call.
Here’s how the plugin works, using the example binary HxDSetup_2.5.0.exe that we saw earlier. Before allowing a download to occur, the plugin checks for the existence of the RL.scan-status property on the artifact. If the property exists and its value is “fail,” the plugin blocks the download, provided blocking is enabled (blocking is customer-configurable).
When Postman was used to send an API request to Artifactory to retrieve HxDSetup_2.5.0.exe, for example, the plugin intercepted the request and returned a 403 error along with the message “Blocking download of my-release-candidates/HxDSetup_2.5.0.exe due to failed ReversingLabs assessment.” This is visible in the Postman screenshot below.
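As an added example (not ReversingLabs’ code, and not the Groovy plugin itself), the following Python models the step-3 property stamping and the rlBlock download decision described above over a constructed inventory. It assumes that an artifact carrying no RL.scan-status property is allowed through, as the description implies, and adds an audit helper that lists such unscanned artifacts.

```python
from dataclasses import dataclass, field

# Property name the worker script sets in step 3 (from the article).
STATUS_PROP = "RL.scan-status"
PASS, FAIL = "pass", "fail"


@dataclass
class Artifact:
    """Constructed stand-in for an Artifactory item and its properties."""
    repo: str
    path: str
    properties: dict = field(default_factory=dict)


def status_properties(scan_passed: bool) -> dict:
    """Step 3: the property stamped on a scanned artifact. Only
    RL.scan-status is named on the page; other RL.* properties are omitted."""
    return {STATUS_PROP: PASS if scan_passed else FAIL}


def gate_download(artifact: Artifact, blocking_enabled: bool = True) -> tuple:
    """Model of the rlBlock check: return (HTTP status, message).

    403 only when the property exists, its value is 'fail' and blocking is
    enabled. An artifact that was never scanned has no property and is let
    through (assumption drawn from the description above), which is why
    audit_unscanned() exists.
    """
    status = artifact.properties.get(STATUS_PROP)
    if blocking_enabled and status == FAIL:
        return 403, (f"Blocking download of {artifact.repo}/{artifact.path} "
                     "due to failed ReversingLabs assessment.")
    return 200, ""


def audit_unscanned(inventory: list) -> list:
    """Defender check: repo paths the gate cannot protect because the
    worker script has not stamped them yet."""
    return [f"{a.repo}/{a.path}" for a in inventory
            if STATUS_PROP not in a.properties]


# Constructed inventory: the failed installer from the article, a passing
# package and one artifact the scan loop has not reached yet.
INVENTORY = [
    Artifact("my-release-candidates", "HxDSetup_2.5.0.exe", status_properties(False)),
    Artifact("my-release-candidates", "app-1.4.2.tar.gz", status_properties(True)),
    Artifact("generic-remote", "vendor-tool-9.0.msi"),
]
```

Running audit_unscanned() after each scan pass is a cheap way to confirm that the kill switch actually covers every artifact in the repositories you targeted.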
The Bottom Line: Stop Risky Software from Spreading
Spectra Assure’s complex binary analysis surfaces deep insight into all types of software packages and uncovers a vast array of software risks — including malware and tampering — that other security solutions miss.
The Artifactory integration offers a new way to operationalize Spectra Assure by centralizing a method to scan build artifacts, and by checking the safety of open source and other third-party components that enterprise developers use in their applications.
Software development organizations that use Artifactory will especially benefit from the Spectra Assure integration because it arms them with the power to identify vulnerable or malware-infected releases, preventing delivery to unsuspecting customers.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.