We are building containerized applications with a Spring Boot backend and npm-based frontends. As the build tool we are using Gradle with Jib. To scan our software artifacts for vulnerabilities in third-party libraries we use JFrog's Xray. At the moment the build is processed on our CI/CD and the container artifact is then uploaded to Artifactory and scanned by Xray.
But here's the problem: when building on CI/CD we are currently losing the information about the npm packages we use. This information is not part of the uploaded artifacts. First I was hoping to be able to upload an SBOM of our npm packages to Xray manually, but unfortunately that's not possible. Also, using Maven is not an option.
How is this information meant to get into JFrog's Xray? Does anyone have an idea?
Edit: Actually I'd love to do this, but with Gradle
Using Jib
The rtCreateDockerBuild step allows collecting build-info for docker images that were published to Artifactory using the JIB Maven Plugin. See our maven-jib-example on GitHub to learn how to do this. Since this example also runs maven using the Artifactory pipeline APIs, we also recommend referring to the Maven Builds with Artifactory section included in this documentation page.
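To show how the pieces from the question and this answer fit together for Gradle instead of Maven, here is an added Jenkins declarative pipeline example (not from the original post, the answerer, or JFrog's documentation). It uses the Jenkins Artifactory plugin steps that sit beside rtCreateDockerBuild (rtNpmInstall, rtGradleRun, rtPublishBuildInfo, rtXrayScan) so that the npm dependencies of the frontend and the Jib image of the backend end up in one build-info, which is what Xray scans. The server ID, credentials ID, repository names, build name, directory layout and the `build/jib-image.json` path (Jib's default Gradle output) are assumptions you will need to adapt.

```groovy
// Added example: one Jenkins build-info that carries both the npm
// dependencies and the Jib-built image, so Xray sees the frontend packages.
// All IDs, repo names and paths below are assumptions for illustration.
pipeline {
    agent any
    environment {
        BUILD_NAME = 'my-app'            // assumed build name
        SERVER_ID  = 'Artifactory-1'     // assumed Artifactory server ID
    }
    stages {
        stage('Configure Artifactory') {
            steps {
                rtServer(id: SERVER_ID,
                         url: 'https://artifactory.example.test/artifactory',   // assumed
                         credentialsId: 'artifactory-creds')                    // assumed
                rtNpmResolver(id: 'npm-resolver', serverId: SERVER_ID, repo: 'npm-remote')
                rtGradleResolver(id: 'gradle-resolver', serverId: SERVER_ID, repo: 'libs-release')
                rtGradleDeployer(id: 'gradle-deployer', serverId: SERVER_ID, repo: 'libs-release-local')
            }
        }
        stage('Frontend (npm)') {
            steps {
                // Records every resolved npm package as a dependency of BUILD_NAME.
                rtNpmInstall(path: 'frontend', resolverId: 'npm-resolver',
                             buildName: BUILD_NAME, buildNumber: BUILD_NUMBER)
            }
        }
        stage('Backend (Gradle + Jib)') {
            steps {
                // Runs the Jib task; Jib pushes the image and writes build/jib-image.json.
                rtGradleRun(useWrapper: true, rootDir: 'backend', buildFile: 'build.gradle',
                            tasks: 'clean jib', resolverId: 'gradle-resolver',
                            deployerId: 'gradle-deployer',
                            buildName: BUILD_NAME, buildNumber: BUILD_NUMBER)
                // Attaches the pushed image layers to the same build-info.
                rtCreateDockerBuild(serverId: SERVER_ID, sourceRepo: 'docker-local',
                                    jibImageFiles: 'backend/build/jib-image.json',
                                    buildName: BUILD_NAME, buildNumber: BUILD_NUMBER)
            }
        }
        stage('Publish and scan') {
            steps {
                rtPublishBuildInfo(serverId: SERVER_ID, buildName: BUILD_NAME, buildNumber: BUILD_NUMBER)
                // Xray scans the combined build-info; failBuild stops the pipeline on policy violations.
                rtXrayScan(serverId: SERVER_ID, buildName: BUILD_NAME, buildNumber: BUILD_NUMBER,
                           failBuild: true)
            }
        }
    }
}
```

After the run, the build in Artifactory should list both the npm packages and the image layers under the same build name; if the Xray scan result shows only the image, check that rtNpmInstall and rtCreateDockerBuild used the identical buildName/buildNumber pair.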