[stroebs]

I’m a fairly heavy user of the JFrog platform with Enterprise+, Xray, their new Curation license, and my org is spending in excess of $500k/year on Artifact storage. Not including my time babysitting it. I’d love to see the end of it, and I hope you manage to build a community around this.

Part of the reason we pay the big license fee is so we have someone to turn to when it inevitably breaks because we’ve used it in a way nobody has before. In Jan last year we were using 30TB of artifact storage in S3. That’s 140TB today.

Where do you get your CVE data? Would built artifacts have their CVEs updated after the fact? Do you have blocking policies on artifacts based on CVEs, licenses, artifact age, etc?

[bsgeraci]

I am using the openscap and trivia. Can you add a discussion to my github about some of this. I would love some of your feedback on what you need on your level. I need to check the update mechanism so we are keeping the database up to date. I also want a way to keep it up to date when it is airgapped, not everyones use case but one I have delt with at my jobs.

I still need to put some e2e testing on those policies. https://demo.artifactkeeper.com/security/policies here is a demo and you can add a policy. Again that one I need to make a series of end to end testing but that was designed in mind :) I really want a staging area and promotion of packages after scans.

On my list of things to do.

[stroebs]

I'll carve out some time to add a discussion as I've become quite passionate about artifact storage in the last 18 months as a result of having to look after this behemoth. Air-gapping is also pretty important - JFrog supports granular proxy specification by repo.

It's a great start. What I can say is that granularity of CVE's in policies will become important for larger consumers. We have about 4.5mn artifacts so even getting CVSSv3 10's blocked was a challenge, let alone 9.8.

[raphinou]

I looked at your profile but didn't seen any contact info, hence this comment. I'm working on a fully open source multisig solution for artifact authentication. I would be interested to have your opinion and if you see opportunities for such a project in companies as the one you work for now to make the project financially sustainable. Can you contact me? (Email in my profile)

Edit: the project if anyone reading this is interested: http://github.com/asfaload/asfaload (looking for feedback!)

[eyeris]

Since the cve data is from Trivy/Grype, that should be osv.dev

[M0r13n]

JFrogs platform is fairly robust. Only time will tell if this project can keep up. I highly doubt it's more than a fancy-looking prototype at this stage

[gjvc]

tell me mr armchair general, what have you done that's worth talking about?

[M0r13n]

My comment was not intended to be any criticism or to downplay the performance - quite the opposite :)

[bsgeraci]

I did not take your original comment as critiscism. Feel free to follow the repository and see how long I can keep it alive :)

[bsgeraci]

I think it is right to be skeptectial and I hope this project can prove people wrong.

[moezd]

Unfortunately I'm also in the same camp, with SBOM generation, Xray, Curation, the whole shebang. I couldn't find these in the docs as well, which would matter in my case.

[bsgeraci]

Ok updated docs https://artifactkeeper.com/docs/security/scanning/

SHould have info on the CVE, please leave some issues on the repository if you want to see more infromatoin on the actual dashbaord/ui :)

Thanks for the feedback!

[bsgeraci]

I will add some todo's for me. I know how important this is.