We want to prevent downloading artifacts without build info with a user plugin in our on-prem Artifactory installation. We are struggling to find a connection between the Request and the corresponding BuildInfo.

    import org.artifactory.request.Request
    import org.artifactory.repo.RepoPath

    download {
        beforeDownloadRequest { Request request, RepoPath repoPath ->
            if (isRelease(repoPath.repoKey)) {
                log.warn "Is a release artifact"
                // How to verify build info here??
            }
        }
    }

    def isRelease(String repoKey) {
        return repoKey in ["libs-release-local"]
    }

Using the Artifactory Query Language you can find builds based on an artifact, and if the result is empty, then there is no such build: https://www.jfrog.com/confluence/display/JFROG/Artifactory+Query+Language
For example: builds.find({"module.artifact.item.name": "artifactory.war"})
Also, artifacts linked to a build will have the properties "build.number" and "build.name", so that's one way to approach it.
The proper solution would be to use JFrog Xray. You can then set scans for your builds, so that all artifacts that are part of a build will get scanned (plus you get security and license compliance checks there too), and then block the download of unscanned artifacts.
Lastly, when you create a build you can also promote it, for instance from "staging" to "release" and on that operation copy or move the artifacts to a repository that is build-release only.
The properties "build.name" and "build.number" are likely the best way for what you are trying to do.
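
The property check suggested in the answer, written out as an added Groovy user plugin (not code from the original posts or from JFrog). It assumes the plugin API's `altResponse` download closure with its `status` and `message` context variables and `repositories.getProperty`; `hasBuildProperties` is a hypothetical helper name, and the repository key is the one from the question.

```groovy
import org.artifactory.repo.RepoPath
import org.artifactory.request.Request

download {
    // Assumption: altResponse runs before the content is streamed and lets the
    // plugin replace the response through the 'status' and 'message' variables.
    altResponse { Request request, RepoPath responseRepoPath ->
        if (isRelease(responseRepoPath.repoKey) && !hasBuildProperties(responseRepoPath)) {
            log.warn "Blocking download of ${responseRepoPath.id}: " +
                     "build.name/build.number missing"
            status = 403
            message = "Artifact is not linked to a build"
        }
    }
}

// Repositories in which every artifact must be linked to a build
// (key taken from the question).
def isRelease(String repoKey) {
    return repoKey in ["libs-release-local"]
}

// Hypothetical helper: true only when both build properties are present and
// non-empty on the requested item. Paths that carry no properties of their
// own (folders, generated metadata) fail this check and are blocked as well.
def hasBuildProperties(RepoPath repoPath) {
    return ["build.name", "build.number"].every { String key ->
        String value = repositories.getProperty(repoPath, key)
        value != null && !value.trim().isEmpty()
    }
}
```

Properties can be set by any user with annotate permission on the repository, so this confirms the markers a build integration writes rather than the existence of the build record itself; the AQL lookup from the answer checks the latter.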