This plugin was created to analyse and visualise potential threats and risks in JFrog platforms. It is done by understanding the relations between JFrog components, and building a corresponding graph in neo4j.
Installing the latest version:
$ jfrog plugin install stechhelm
Installing a specific version:
$ jfrog plugin install stechhelm@version
Uninstalling a plugin
$ jfrog plugin uninstall stechhelm
- audit
- Flags:
- --server-id: Artifactory server ID configured using the config command [Optional]
- Example:
$ jfrog stechhelm audit - Flags:
- graph
- Flags:
- --server-id: Artifactory server ID configured using the config command [Optional]
- --verbose: Set to true to output the graph-building queries to stdout. [Optional]
- --graph-url: neo4j URL.
- --graph-user: neo4j username.
- --graph-password: neo4j password.
- --graph-database: neo4j database name.
- --graph-realm: neo4j realm. [Optional]
- --output-to-file: [Default: false] Set to true to output the graph-building queries to a file.
- --output-file-path: [Default: current workdir] Path to an output file for the graph-building queries. [Optional]
- Example:
$ jfrog stechhelm graph --graph-url="http://url.com:8080/" --graph-user=user --graph-password=pass --graph-database=default - Flags:
Here are some useful queries to use in neo4j, after creating the graph.
-
Show the whole graph:
MATCH (n1)-[r]->(n2) RETURN r, n1, n2 -
Find the shortest path - from an attacker to each vulnerable build:
MATCH p = shortestPath((x:RepoVIRTUAL)-[r2:STORES|PRODUCE|DEPENDENCY_FOR*1..10]->(b:Build)),(n)-[r3:LINKED_TO|ATTACKS*1..4]->(x) WHERE x.is_safe = "false" RETURN *
The release notes are available here.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent