NuGet with JFrog Artifactory - Host Rule Implementation
This article explains how to configure our repo integrations to work with private NuGet registries hosted in JFrog Artifactory. Private NuGet registries are accessed by authenticating with a password or a token. This allows our repo integrations to scan your private NuGet packages for vulnerabilities and compliance.
Option 1: Generating a JFrog token
Within the JFrog platform Artifactory, navigate to your Administration > User Management > Access Tokens setting.
Click + Generate Token.
In the Generate Token window, select the Scoped Token option and fill in the settings as seen here:
Description: can be any value
Token scope: Admin
User name: can be any value
Service: All
Expiration time: Never
Click on Generate. Copy the Username you defined and the token that is generated.
Option 2: Using your JFrog password
Within the JFrog platform Artifactory, navigate to the repository where your NuGet packages are located.
Click on Set Me Up in the top-right corner of the page.
Make sure the correct repository is selected within the Set Up a NuGet Client window.
In the Configure tab, enter your password and click on Insert.
Depending on your NuGet API version, follow one of the options below:
For NuGet API v3 (Artifactory default): Copy the -password value under the NuGet CLI configuration section.
For NuGet API v2: Copy the -password value under the NuGet CLI configuration (API v2) section.
Encrypting the JFrog token or password
For Mend-Hosted repo integrations (GitHub.com, Bitbucket Cloud, and Azure Repos)
Navigate to Mend's Repository Integration Secrets Encryption page.
Each secret you encrypt must be scoped to a GitHub org, Bitbucket Cloud Workspace, or Azure project, and its use will be restricted to those within the app. The encryption page has the following fields:
Organization\Group - required; your GitHub org, Bitbucket Cloud Workspace, or your Azure project to which secrets are to be scoped
Repository - optional; your GitHub or Azure repository to which secrets are to be scoped
Raw value - required; your JFrog token that was created earlier in Option 1, or your JFrog password from Option 2
Click on Encrypt. This creates the encrypted value to be used in the integration.
Copy this encrypted value.
For Self-Hosted repo integrations (GitHub Enterprise, Bitbucket Server and Data Center, and GitLab)
Follow the steps outlined below to encrypt secrets for each of the Self-Hosted repo integrations:
Mend for GitHub Enterprise | Handling Private Registries and Authenticated Repositories
Installing Mend for GitLab | Handling Private Registries and Authenticated Repositories
When generating a secret, the encryption page has the following fields:
Organization\Group - required; your GitHub org, GitLab group, or Bitbucket group to which secrets are to be scoped
Repository - optional; your repository to which secrets are to be scoped
Raw value - required; your JFrog token that was created earlier in Option 1, or your JFrog password from Option 2
Click on Encrypt. This creates the encrypted value to be used in the integration.
Copy this encrypted value.
Where can I find the matchHost URL for NuGet?
The URL that is to be used for the matchHost setting in the hostRules can be found by following these steps:
Within the JFrog platform Artifactory, navigate to the repository where your NuGet packages are located.
Click on Set Me Up in the top-right corner of the page.
Make sure the correct repository is selected within the Set Up a NuGet Client window.
In the Configure tab, enter your password and click on Insert.
Depending on your NuGet API version, follow one of the options below:
For NuGet API v3 (Artifactory default): Your matchHost setting will be your -Source value under the NuGet CLI configuration section.
For NuGet API v2: Your matchHost setting will be your -Source value under the NuGet CLI configuration (API v2) section.
NOTE: When looking into the Artifactory repo’s General tab, the URL to file will look something like this:
https://<JFrog_Instance>/artifactory/<JFrog_Repo_Name>/
This is not the correct URL for the matchHost setting. We need the specific repository URL under the Configure tab (from the steps mentioned above).
For NuGet API v3 (Artifactory default):
Artifactory adds the needed api/nuget/v3 values to the URL. This is the correct matchHost URL if using v3:
https://<JFrog_Instance>/artifactory/api/nuget/v3/<JFrog_Repo_Name>/
For NuGet API v2:
Artifactory adds the needed api/nuget values to the URL. This is the correct matchHost URL if using v2:
https://<JFrog_Instance>/artifactory/api/nuget/<JFrog_Repo_Name>/
More information on NuGet repos + Artifactory logic can be found in Artifactory’s documentation here.
Applying the hostRules
Within your repo-config.json (if you have a global setup) or in your .whitesource file (if you are configuring at the repo level), include the following required hostRules settings:
matchHost - The URL of the JFrog repository where your NuGet packages are located. NOTE: You should have one rule for each JFrog repository where your NuGet packages are located, meaning there can be multiple hostRules
hostType - nuget
userName -
When using a token (Option 1), this will be the Username value that was set when you created the JFrog token
When using a password (Option 2), this will be the email address of your JFrog account
token or password - The encrypted value that was generated
hostRules Examples
token Example (using NuGet API v3):
{
  "hostRules": [
    {
      "matchHost": "https://<JFrog_Instance>/artifactory/api/nuget/v3/<JFrog_Repo_Name>",
      "hostType": "nuget",
      "userName": "hostrules",
      "encrypted": {
        "token": "3f832f2983yf89hsd98ahadsjfasdfjaslf............"
      }
    }
  ]
}
token Example (using NuGet API v2):
{
  "hostRules": [
    {
      "matchHost": "https://<JFrog_Instance>/artifactory/api/nuget/<JFrog_Repo_Name>",
      "hostType": "nuget",
      "userName": "hostrules",
      "encrypted": {
        "token": "3f832f2983yf89hsd98ahadsjfasdfjaslf............"
      }
    }
  ]
}
password Example (using NuGet API v3):
{
  "hostRules": [
    {
      "matchHost": "https://<JFrog_Instance>/artifactory/api/nuget/v3/<JFrog_Repo_Name>",
      "hostType": "nuget",
      "userName": "engineers@mend.io",
      "encrypted": {
        "password": "p278djfdsi9832jnfdshufwji2r389fdskj........."
      }
    }
  ]
}
password Example (using NuGet API v2):
{
  "hostRules": [
    {
      "matchHost": "https://<JFrog_Instance>/artifactory/api/nuget/<JFrog_Repo_Name>",
      "hostType": "nuget",
      "userName": "engineers@mend.io",
      "encrypted": {
        "password": "p278djfdsi9832jnfdshufwji2r389fdskj........."
      }
    }
  ]
}
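An added example, not Mend's own code: a Python check that a hostRules file follows the rules given on this page (the api/nuget repository URL rather than the General-tab URL, hostType nuget, a userName, and a credential only under encrypted). The host artifactory.example.com, the repository nuget-local, the https requirement and the function name check_host_rules are assumptions made for the example.

```python
import json
import re
from urllib.parse import urlparse

# Path shape from the page: /artifactory/api/nuget/v3/<repo> (v3) or
# /artifactory/api/nuget/<repo> (v2). A bare ".../api/nuget/v3" has no repo name.
NUGET_PATH = re.compile(r"^/artifactory/api/nuget/(?:v3/)?(?!v3/?$)[^/]+/?$")

# Constructed sample: rule 0 follows the page's v3 pattern; rule 1 uses the
# General-tab URL, has no userName, and keeps a credential outside "encrypted".
SAMPLE = """
{"hostRules": [
  {"matchHost": "https://artifactory.example.com/artifactory/api/nuget/v3/nuget-local",
   "hostType": "nuget", "userName": "hostrules",
   "encrypted": {"token": "ENCRYPTED_VALUE_PLACEHOLDER"}},
  {"matchHost": "https://artifactory.example.com/artifactory/nuget-local/",
   "hostType": "nuget", "userName": "", "password": "PLAINTEXT_PLACEHOLDER"}
]}
"""


def check_host_rules(config_text):
    """Return (rule_index, problem) tuples for every nuget hostRule."""
    problems = []
    rules = json.loads(config_text).get("hostRules", [])
    for i, rule in enumerate(rules):
        if rule.get("hostType") != "nuget":
            continue  # only NuGet rules are covered here
        url = urlparse(rule.get("matchHost", ""))
        if url.scheme != "https" or not url.netloc:  # assumption: https only
            problems.append((i, "matchHost is not an https URL"))
        elif not NUGET_PATH.match(url.path):
            problems.append((i, "matchHost is not the api/nuget repository URL"))
        if not rule.get("userName"):
            problems.append((i, "userName is missing"))
        encrypted = rule.get("encrypted") or {}
        if len(encrypted.keys() & {"token", "password"}) != 1:
            problems.append((i, "encrypted needs exactly one of token or password"))
        if rule.keys() & {"token", "password"}:
            problems.append((i, "credential set outside encrypted"))
    return problems


if __name__ == "__main__":
    for index, problem in check_host_rules(SAMPLE):
        print(f"hostRules[{index}]: {problem}")
```

Run it against repo-config.json or .whitesource before committing; an empty result means every NuGet rule matches the patterns shown above.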