Note

JFrog has announced the sunset of JCenter/Bintray, which means we are switching from JCenter to Maven Central as the source of our binaries.


Connecting to the Blueriq Artifactory

Blueriq provides the artifacts from every release via an Artifactory as a remote repository. A customer that wants to automate their build process or needs to create their own custom plugins and wants an automated process to retrieve the latest Blueriq dependencies can use this repository to retrieve them. Blueriq will provide a service account to customers meant to be used in an Artifactory or other binary repository manager at their side. To acquire a service account please contact: support@blueriq.com. A customer can create accounts for their employees at their binary repository manager. 

Blueriq provides an Artifactory containing Blueriq artifacts, which are updated every release. A customer can use this Artifactory in its automated build process to use the latest Blueriq artifacts. Customers can request access by e-mailing support (support@blueriq.com).

If you have access to the Blueriq Artifactory you need to configure your Maven settings.xml. This file is located in the Maven home folder, which is usually located at <user home folder>\.m2.

Instructions

Copy the contents below to your settings.xml and replace USERNAME and ENCRYPTED PASSWORD with the appropriate values.

<?xml version="1.0" encoding="UTF-8"?>
<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd"
          xmlns="http://maven.apache.org/SETTINGS/1.1.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <servers>
    <server>
      <username>USERNAME</username>
      <password>ENCRYPTED PASSWORD</password>
      <id>blueriq-artifactory</id>
    </server>
  </servers>
  <profiles>
    <profile>
      <id>blueriq_artifactory</id>
      <repositories>
        <repository>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
          <id>blueriq-artifactory</id>
          <name>libs-release</name>
          <url>https://artifactory.blueriq.com/artifactory/libs-release</url>
        </repository>
        <repository>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
          <id>central</id>
          <name>bintray</name>
          <url>http://jcenter.bintray.com</url>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
          <id>blueriq-artifactory</id>
          <name>plugins-release</name>
          <url>https://artifactory.blueriq.com/artifactory/libs-release</url>
        </pluginRepository>
        <pluginRepository>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
          <id>central</id>
          <name>bintray-plugins</name>
          <url>http://jcenter.bintray.com</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>blueriq_artifactory</activeProfile>
  </activeProfiles>
</settings>

The ENCRYPTED PASSWORD is an encrypted version of your password that you can use in configuration files without exposing your actual password. If you do not have an encrypted password, you can generate it by logging in to the Artifactory and going to your Profile Page. There you can enter your password and press unlock to generate the encrypted password.


The service account provided by Blueriq is not meant to be distributed to users directly and should never be used in the settings.xml of any user or build job. Unfortunately, misuse of this account means we will have to disable the service account.


The service account can be used to add https://artifactory.blueriq.com/artifactory/libs-release-R14/ as a remote repository in the binary repository manager of a customer. We also kindly yet urgently request customers to cache the binaries not created by Blueriq on their own side from Maven Central. Please order the remote repositories in such a way that our repository is only checked for the existence of artifacts created by Blueriq.


Security: include/exclude pattern for blueriq artifactory (CVE-2021-24105)

To ensure that Blueriq artifacts are the official released artifacts from Blueriq, please exclude the following packages from other Maven repositories. If this is not done, an attacker can upload artifacts to a different Maven repository that takes higher precedence than ours, and those artifacts will be downloaded instead of the official released artifacts.

Packages of artifacts that should not be downloaded from repositories other than the Blueriq Artifactory:

  • com.blueriq
  • nl.everest
  • ibex.ibex


It is also a best practice to set an include pattern on our Maven Artifactory that contains only the following packages. This way our Artifactory will not be asked for (your internal) artifacts that we do not serve:

  • com.blueriq
  • nl.everest
  • ibex.ibex
  • org.jfrog.artifactory.client
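
The two rules above can be checked against the configuration of your own repository manager. The script below is an added example, not Blueriq's code. It assumes the manager exposes comma-separated Ant-style patterns in fields named includesPattern and excludesPattern (as in Artifactory's repository configuration JSON) and that the listed package names map to group-ID paths; the repository keys, sample configurations and probe coordinates are constructed.

```python
import re

# Package names taken from the page's exclude list, treated as group IDs.
PROTECTED = ["com.blueriq", "nl.everest", "ibex.ibex"]
# Constructed stand-in for "your internal artifacts"; not a real coordinate.
INTERNAL_PROBE = "org/example/internal/probe/1.0/probe-1.0.jar"
_TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def ant_to_regex(pattern):
    """Compile one Ant-style path pattern (simplified: **, * and ? only)."""
    pieces = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(_TOKENS.get(p, re.escape(p)) for p in pieces) + r"\Z")

def matches_any(csv, path):
    """True if any pattern in the comma-separated list matches the path."""
    return any(ant_to_regex(p.strip()).match(path) for p in csv.split(",") if p.strip())

def serves(repo, path):
    """True if the repository would be asked for `path` under its patterns."""
    includes = repo.get("includesPattern") or "**/*"  # empty means everything
    excludes = repo.get("excludesPattern") or ""
    return matches_any(includes, path) and not matches_any(excludes, path)

def audit(repos, blueriq_key):
    """Return one finding per violation of the page's include/exclude rules."""
    findings = []
    for repo in repos:
        if repo["key"] == blueriq_key:
            if serves(repo, INTERNAL_PROBE):
                findings.append(f"{repo['key']}: include pattern too broad")
            continue
        for group in PROTECTED:
            probe = group.replace(".", "/") + "/probe/1.0/probe-1.0.jar"
            if serves(repo, probe):
                findings.append(f"{repo['key']}: can resolve {group}, add an exclude")
    return findings

# Constructed sample configurations (repository keys are hypothetical).
BLUERIQ_ONLY = "com/blueriq/**,nl/everest/**,ibex/ibex/**"
WEAK = [{"key": "blueriq-remote", "includesPattern": "**/*", "excludesPattern": ""},
        {"key": "maven-central-remote", "includesPattern": "**/*", "excludesPattern": ""}]
HARDENED = [{"key": "blueriq-remote", "excludesPattern": "",
             "includesPattern": BLUERIQ_ONLY + ",org/jfrog/artifactory/client/**"},
            {"key": "maven-central-remote", "includesPattern": "**/*",
             "excludesPattern": BLUERIQ_ONLY}]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg, "blueriq-remote") or "ok")
```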