jfrog / frogbot


🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖

Home Page: https://docs.jfrog-applications.jfrog.io/

License: Apache License 2.0

JavaScript 2.35% Shell 0.92% TypeScript 2.50% Batchfile 0.02% Go 94.22%
jfrog jfrog-xray artifactory bot action npm maven gradle python go

frogbot's Introduction

JFrog Frogbot

🤖 About JFrog Frogbot

Overview

JFrog Frogbot is a Git bot that scans your Git repositories for security vulnerabilities.

  1. It scans pull requests immediately after they are opened but before they are merged. This process notifies you if the pull request is about to introduce new vulnerabilities to your code. This unique capability ensures the code is scanned and can be fixed even before vulnerabilities are introduced into the codebase.
  2. It scans the Git repository periodically and creates pull requests with fixes for detected vulnerabilities.

Why use JFrog Frogbot?

  • Software Composition Analysis (SCA): Scan your project dependencies for security issues. For selected security issues, get enhanced CVE data from the JFrog Security Research team. Frogbot uses JFrog's vast vulnerabilities database, to which we continuously add new component vulnerability data.
  • Validate Dependency Licenses: Ensure that the licenses for the project's dependencies are in compliance with a predefined list of approved licenses.
  • Static Application Security Testing (SAST): Provides fast and accurate security-focused engines that detect zero-day security vulnerabilities in the sensitive operations of your source code, while minimizing false positives.
  • CVE Vulnerability Contextual Analysis: This feature uses the code context to eliminate false positive reports on vulnerable dependencies that are not applicable to the code. For CVE vulnerabilities that are applicable to your code, Frogbot will create pull request comments on the relevant code lines with full descriptions regarding the security issues caused by the CVE. Vulnerability Contextual Analysis is currently supported for Python, JavaScript, and Java code.
  • Secrets Detection: Detect any secrets left exposed inside the code, to stop any accidental leak of internal tokens or credentials.
  • Infrastructure as Code scans (IaC): Scan Infrastructure as Code (Terraform) files for early detection of cloud and infrastructure misconfigurations.

🏁 Getting started

Read the Frogbot Documentation to get started.

📛 Adding the Frogbot badge

You can show people that your repository is scanned by Frogbot by adding a badge to the README of your Git repository.

You can add this badge by copying the following markdown snippet and pasting it into your repository's README.md file.

[![Scanned by Frogbot](https://raw.github.com/jfrog/frogbot/master/images/frogbot-badge.svg)](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

🔥 Reporting issues

Please help us improve Frogbot by reporting issues you encounter.

💻 Contributions

We welcome pull requests from the community. To help us improve this project, please read our Contribution guide.

frogbot's Issues

Is poetry supported by frogbot?

Hi, I tried to run frogbot on my poetry project (see https://github.com/joergsesterhenn/py-tic-tac-toe/actions/runs/3285427920/jobs/5412508082 ).

I got this error message:
/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-pull-request
22:30:30 [Info] Running Frogbot "scan-pull-request" command
22:30:30 [Info] Auditing /home/runner/work/py-tic-tac-toe/py-tic-tac-toe
22:30:30 [Info] Detected: poetry.
Error: 1 [Error] 'poetry' audit command failed: poetry install command failed: exec: "poetry": executable file not found in $PATH
Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1

There seems to be some support for poetry but then poetry seems to be missing from the frogbot image.

Can I somehow install it in a previous step? Or could you change frogbot to execute poetry using abatilo/actions-poetry@v2?
Is there some way to make this work?

Avoid creating multiple Merge Requests when the dependency update is the same

Is your feature request related to a problem? Please describe.
When multiple CVEs are found for the same direct dependency, multiple MRs are created, with the same fix.

Describe the solution you'd like to see
If multiple MRs are fixing the same direct dependency, only one should be created.

Describe alternatives you've considered
Manually remove one of the two MRs.

Additional context
Example with a project with a Django dependency on "4.1.0", which has two CVEs that are fixed in "4.1.7".

$ frogbot scan-and-fix-repos
08:41:22 [Info] Frogbot version: 2.6.0
08:41:22 [Debug] Downloading frogbot-config.yml from target my-group/test / django-demo-app / main
08:41:22 [Debug] Reading config from file system. Looking for .frogbot/frogbot-config.yml
08:41:22 [Debug] frogbot-config.yml wasn't found in /builds/cicd-common/frogbot/.frogbot/frogbot-config.yml. Searching for it in upstream directories
08:41:22 [Debug] Retrieving frogbot-config.yml failed with: config file is missing: frogbot-config.yml wasn't found in the Frogbot directory and its subdirectories. Assuming all the configuration is stored as environment variables
08:41:22 [Info] Running Frogbot "scan-and-fix-repos" command
08:41:22 [Debug] Usage Report: Sending info...
08:41:22 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/artifactory/api/system/version
08:41:22 [Debug] Created temp working directory:  /tmp/jfrog.cli.temp.-1678693282-179587785
08:41:22 [Debug] Downloading my-group/test/django-demo-app , branch: main to: /tmp/jfrog.cli.temp.-1678693282-179587785
08:41:22 [Debug] Artifactory response: 200 
08:41:22 [Debug] JFrog Artifactory version is: 7.55.2
08:41:22 [Debug] Sending HTTP POST request to: https://jfrog.ourdomain/artifactory/api/system/usage
08:41:22 [Debug] Usage Report: Artifactory response: 200 
08:41:22 [Debug] Usage Report: Usage info sent successfully.
08:41:22 [Info] django-demo-app downloaded successfully, starting with repository extraction
08:41:22 [Info] extracted repository successfully
08:41:22 [Debug] Repository download completed
08:41:22 [Info] Auditing project: /tmp/jfrog.cli.temp.-1678693282-179587785
08:41:22 [Info] Detected: poetry.
08:41:22 [Debug] Running "poetry install"
08:41:36 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/xray/api/v1/system/version
08:41:36 [Info] JFrog Xray version is: 3.67.9
08:41:36 [Info] Scanning module ...
08:41:36 [Debug] Sending HTTP POST request to: https://jfrog.ourdomain/xray/api/v1/scan/graph?scan_type=dependency
08:41:37 [Info] Waiting for scan to complete...
08:41:37 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/xray/api/v1/scan/graph/d8d156ca-6ee1-4266-40d7-0b297db6e52e?include_vulnerabilities=true
08:41:37 [Debug] Get Dependencies Scan results... (Attempt 1)
08:41:42 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/xray/api/v1/scan/graph/d8d156ca-6ee1-4266-40d7-0b297db6e52e?include_vulnerabilities=true
08:41:42 [Info] Xray scan completed
08:41:42 [Debug] Upload Scan to GitLab is currently unsupported.
08:41:42 [Info] Found 2 vulnerable dependencies with fix versions
08:41:42 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1678693302-807964792
08:41:42 [Info] Cloning repository with these details:
Clone url: https://gitlab.ourdomain/my-group/test/django-demo-app.git remote name: origin, branch: refs/heads/main
08:41:42 [Debug] Project cloned from https://gitlab.ourdomain/my-group/test/django-demo-app.git to /tmp/jfrog.cli.temp.-1678693302-807964792
08:41:42 [Info] -----------------------------------------------------------------
08:41:42 [Info] Start fixing Django with 4.1.7
08:41:42 [Info] Creating branch: frogbot-Django-dac15f3245623e152ec5a946b7d4eac0
08:41:42 [Debug] Running 'poetry add Django==4.1.7'
08:41:56 [Debug] Running 'poetry update'
08:42:07 [Info] Checking if there are changes to commit
08:42:07 [Info] Running git add all and commit
08:42:07 [Info] Pushing fix branch: frogbot-Django-dac15f3245623e152ec5a946b7d4eac0
08:42:08 [Info] Creating Pull Request form: frogbot-Django-dac15f3245623e152ec5a946b7d4eac0  to: main
08:42:08 [Debug] creating new merge request: [ Frogbot] Upgrade Django to 4.1.7
08:42:08 [Info] Running git checkout to base branch: main
08:42:08 [Info] -----------------------------------------------------------------
08:42:08 [Info] Start fixing django with 4.1.7
08:42:09 [Info] Creating branch: frogbot-django-54007012d6a36ea8eeea9a214904c0ab
08:42:09 [Debug] Running 'poetry add django==4.1.7'
08:42:16 [Debug] Running 'poetry update'
08:42:26 [Info] Checking if there are changes to commit
08:42:26 [Info] Running git add all and commit
08:42:26 [Info] Pushing fix branch: frogbot-django-54007012d6a36ea8eeea9a214904c0ab
08:42:27 [Info] Creating Pull Request form: frogbot-django-54007012d6a36ea8eeea9a214904c0ab  to: main
08:42:27 [Debug] creating new merge request: [ Frogbot] Upgrade django to 4.1.7
08:42:27 [Info] Running git checkout to base branch: main
08:42:27 [Info] Frogbot "scan-and-fix-repos" command finished successfully 

This creates two MRs in the repository.
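The two fix branches in the log above differ only in the case of the package name ("Django" versus "django") and both upgrade to 4.1.7. As an added example (not Frogbot's own code), this Go snippet groups fix candidates by PEP 503-normalized name and fix version before any branch would be created, so the two CVEs collapse into a single fix; the FixCandidate type, the "requests" entry and the CVE ids are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// FixCandidate is one "vulnerable dependency with a fix version" as the
// scan-and-fix-repos log reports it. Constructed type for this example,
// not Frogbot's own.
type FixCandidate struct {
	Package    string // name as the scan result spelled it ("Django" or "django")
	Installed  string
	FixVersion string
	CVE        string
}

// MergedFix is one fix pull request covering every CVE the same upgrade resolves.
type MergedFix struct {
	Package    string // PEP 503-normalized name
	FixVersion string
	CVEs       []string
}

var pep503Sep = regexp.MustCompile(`[-_.]+`)

// NormalizePyPIName applies PEP 503 name normalization: lower-case, with
// every run of '-', '_' or '.' collapsed to a single '-'. PyPI treats
// "Django" and "django" as the same project, so a fixer must too.
func NormalizePyPIName(name string) string {
	return strings.ToLower(pep503Sep.ReplaceAllString(name, "-"))
}

// MergeFixCandidates groups candidates by (normalized package, fix version)
// so that two CVEs resolved by one upgrade produce one fix PR, not two.
// The result is sorted so branch creation is deterministic between runs.
func MergeFixCandidates(cands []FixCandidate) []MergedFix {
	type key struct{ pkg, ver string }
	byKey := map[key]*MergedFix{}
	for _, c := range cands {
		k := key{NormalizePyPIName(c.Package), c.FixVersion}
		m, ok := byKey[k]
		if !ok {
			m = &MergedFix{Package: k.pkg, FixVersion: k.ver}
			byKey[k] = m
		}
		m.CVEs = append(m.CVEs, c.CVE)
	}
	out := make([]MergedFix, 0, len(byKey))
	for _, m := range byKey {
		sort.Strings(m.CVEs)
		out = append(out, *m)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Package != out[j].Package {
			return out[i].Package < out[j].Package
		}
		return out[i].FixVersion < out[j].FixVersion
	})
	return out
}

func main() {
	// Constructed input mirroring the log: the same Django 4.1.0 install is
	// reported twice, once as "Django" and once as "django", both fixed in
	// 4.1.7. CVE ids are placeholders; the log does not name them.
	cands := []FixCandidate{
		{Package: "Django", Installed: "4.1.0", FixVersion: "4.1.7", CVE: "CVE-PLACEHOLDER-1"},
		{Package: "django", Installed: "4.1.0", FixVersion: "4.1.7", CVE: "CVE-PLACEHOLDER-2"},
		{Package: "requests", Installed: "2.25.0", FixVersion: "2.31.0", CVE: "CVE-PLACEHOLDER-3"},
	}
	for _, m := range MergeFixCandidates(cands) {
		fmt.Printf("one PR: upgrade %s to %s (fixes %s)\n",
			m.Package, m.FixVersion, strings.Join(m.CVEs, ", "))
	}
}
```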

Support Air-Gapped environments

Is your feature request related to a problem? Please describe.
Frogbot does not support Air-Gapped environments.

Describe the solution you'd like to see
Allow downloading Frogbot, extractors, and project dependencies from Artifactory.

Describe alternatives you've considered
N/A

Additional context
This is just a suggestion.
Let's split the solutions into 2 parts:

  1. Download Frogbot and extractors from Artifactory -
    A. Create a virtual repository in releases.jfrog.io containing frogbot and oss-release-local
    B. Create a new script getFrogbot.sh and upload it to the frogbot repository. The script should support an environment variable FROGBOT_REMOTE_REPO and the regular frogbot connection details variables. Suggestion - users can put this script in an accessible place. It would be better if this script had a version.
    C. Add support for FROGBOT_REMOTE_REPO env var in frogbot to download Maven and Gradle extractors.
  2. Download dependencies from Artifactory - support the same project yaml files as the CLI does. Ignore the server ID and read only the resolution server. Additionally, for simplicity, we can allow users who would like to provide the FROGBOT_RESOLUTION_REPO variable to download dependencies from Artifactory.

JF_GIT_API_ENDPOINT for GitHub Enterprise

Hey, I get differing results based on the URL I choose, so I'm a little confused as to which one I should use.

If JF_GIT_API_ENDPOINT is set to https://github.somecompany.com/api/v3/ then I get this error

[2022-12-14T04:38:07.819Z] 04:38:07 [Info] 
[2022-12-14T04:38:07.819Z] Auditing base branch: somerepo release
[2022-12-14T04:38:07.819Z] 04:38:07 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1670992687-3585851041
[2022-12-14T04:38:07.819Z] 04:38:07 [Debug] Downloading somecompany/some-repo from branch:<release>
[2022-12-14T04:38:07.819Z] 04:38:07 [Error] unexpected status code: 404 Not Found
script returned exit code 1

If JF_GIT_API_ENDPOINT is set to https://github.somecompany.com then I get this error

[2022-12-14T04:10:36.994Z] 04:10:36 [Info] Xray scan completed
[2022-12-14T04:10:36.994Z] 04:10:36 [Info] Note: no context was provided, so no policy could be determined to scan against.
[2022-12-14T04:10:36.995Z] You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
[2022-12-14T04:10:36.995Z] Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
[2022-12-14T04:10:36.995Z] All vulnerabilities detected will be included in the output JSON.
[2022-12-14T04:10:36.995Z] 04:10:36 [Warn] upload code scanning failed with: GET https://github.somecompany.com/login?return_to=https%3A%2F%2Fgithub.somecompany.com%2Frepos%2Fsomecompany%2Fsome-repo%2Fcommits%3Fpage%3D1%26per_page%3D1%26sha%3Drelease: 406  []
[2022-12-14T04:10:36.995Z] 04:10:36 [Info] Found 7 vulnerable dependencies with fix versions
[2022-12-14T04:10:36.995Z] 04:10:36 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1670991036-1063396961
[2022-12-14T04:10:36.995Z] 04:10:36 [Error] 'git clone release from https://github.somecompany.com/somecompany/some-repo.git' failed with error: authorization failed script returned exit code 1

The build is for .NET Core and Linux x64.

And, based on which one I should use, any ideas on how do I fix the error that I get above?

support passing options to maven on-the-fly

Is your feature request related to a problem? Please describe.
I would like to be able to pass a maven option on-the-fly e.g. -DdisableX=true

(Currently our builds try to extract a git branch from the working directory, and it seems that the base branch audit is downloaded as an archive and untarred, which results in bare code. We can disable this on the fly, e.g. -DdisableX=true, but I can't find a way to pass this into the frogbot job.)

Describe the solution you'd like to see

A JF_MAVEN_ARGS env var to pass options specific to the frogbot run

Describe alternatives you've considered

  • MAVEN_ARGS is not supported until maven version 4.x.x - https://maven.apache.org/configure.html
  • Options can be set in .mvn/maven.config but I don't want to generally apply those options to all builds.
  • copying in maven.config with an earlier workflow step doesn't get used when auditing the base branch

Additional context
Add any other context or screenshots about the feature request here.

Support for ruby gems

Describe the solution you'd like to see
Support for reporting on ruby gem updates is added.

Additional context
Ruby is currently supported by Xray and it would be helpful if frogbot also supported it.

frogbot scan stage failing

I am evaluating frogbot to scan GitHub PRs with a basic config:

export JF_URL=https://frogbotv230.jfrog.io
export JF_USER=xxxxxx
export JF_PASSWORD=AKxxxxxxxxxxxxxxxxxx
export JF_GIT_PROVIDER=github
export JF_GIT_TOKEN=ghp_N4T2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export JF_GIT_OWNER=xxxxxx
export JF_GIT_REPO=xxxxxxxx

with Jenkins stages (the trailing brace closes the stages block, so the opening stages { is included here for a balanced snippet):

stages {
    stage('Download Frogbot') {
        steps {
            sh """ curl -fLg "https://releases.jfrog.io/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh"""
        }
    }
    stage('Scan Pull Requests') {
        steps {
            sh "./frogbot scan-pull-requests"
        }
    }
    stage('Scan and Fix Repos') {
        steps {
            sh "./frogbot scan-and-fix-repos"
        }
    }
}

and using a basic frogbot-config.yaml file in the root folder of the project.

But the scan stage failed with the error:
ERROR: Package 're-id-service' requires a different Python: 3.6.9 not in '>=3.9'

Any help would be appreciated.

Allow ignoring “dev dependencies” for npm projects

Is your feature request related to a problem? Please describe.
We're requesting to add the ability to ignore “dev dependencies” in Frogbot. This feature is already implemented for the jf audit jfrog-cli command.

--dep-type             [Default: all] Defines npm dependencies type. Possible values are: all, devOnly and prodOnly

Describe the solution you'd like to see
Add a property to allow this in the frogbot-config.yml file.

Describe alternatives you've considered
N/A

Additional context
Add any other context or screenshots about the feature request here.

could not determine the package manager / build tool used by this project for Dotnet Projects

We followed a similar pattern for a Dotnet project and are getting the error pasted below:

19:09:20 [Info] Running Frogbot "scan-pull-request" command 
19:09:21 [Info] Auditing project: /home/runner/work/test/test
Error: 1 [Error] audit command in /home/runner/work/test/test failed:
could not determine the package manager / build tool used by this project.
Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1

It would be good to have enough documentation for Dotnet.
My GitHub Action workflow looks like this:

name: "Frogbot Scan Pull Request"
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  pull-requests: write
  contents: read
jobs:
  scan-pull-request:
    runs-on: ubuntu-latest
    # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
    # "frogbot" GitHub environment can approve the pull request to be scanned.
    environment: frogbot
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      # Install prerequisites
      - uses: actions/setup-dotnet@v2
        with:
          dotnet-version: "6.0.x"

      - uses: jfrog/frogbot@v2
        env:
          JF_URL: 
          JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_DEPLOYER }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
          JF_REQUIREMENTS_FILE: "test/test.sln"

Regards
Sri

invalid character '<' looking for beginning of value

Could someone assist me in resolving the following issue?

[main] INFO org.jfrog.build.extractor.maven.BuildDeploymentHelper - Artifactory Build Info Recorder: deploy artifacts set to false, artifacts will not be deployed...
[main] INFO org.jfrog.build.extractor.maven.BuildDeploymentHelper - Artifactory Build Info Recorder: publish build info set to false, build info will not be published...
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - BUILD SUCCESS
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Total time: 1.164 s
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Finished at: 2022-05-11T07:22:47+02:00
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
Error: 7 [Error] invalid character '<' looking for beginning of value
Error: The process '/data/github_action/actions-runner/_work/_tool/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1

We are doing POC of this new feature in our organization to help our projects. We are not sure why it is failing. Followed GitHub installation procedure.

Versions

Frogbot version: jfrog/frogbot@v1
Operating system: Ubuntu 18
JFrog Artifactory version: Enterprise Plus 7.33.12
JFrog Xray version: xray-server:3.30.2

Thanks in advance.

When using Frogbot in GitLab with the "Pull requests opening" feature, it hangs on branch creation until it times out after 1 hour

My Frogbot version is 2.1.5

How can I troubleshoot this? Is there any way to debug?

Sometimes it will report an error:

[Error] failed while trying to fix and create PR for: org.apache.logging.log4j:log4j-core with version: 2.8.2 with error: mvn command failed: exit status 1

support XRay scan for repositories containing multiple projects (so called mono-repo)

Is your feature request related to a problem? Please describe.
I would like to use JFrog XRay to scan Pull Requests.
The source code repository contains multiple projects with different programming languages (dotnet, Angular, ...), a so-called mono-repo.

This can be dozens of projects per repository. Currently frogbot seems to be prepared for exactly one JF_PROJECT_WORKING_DIR and JF_INSTALL_DEPS_CMD only. We are aware that we could have separate workflows for each project.
But you can imagine that it is frustrating, or even not usable, when you have dozens of projects: dozens of scans must be approved manually and dozens of separate comments are added to the Pull Request.

Describe the solution you'd like to see
A solution to have only ONE scan for a Pull Request of a repository containing different projects with multiple languages, as shown above. For example, JF_PROJECT_WORKING_DIR and JF_INSTALL_DEPS_CMD could support comma-separated values to specify multiple projects with multiple install commands.

If you need more information don't hesitate to contact me. Many thanks in advance,
Philipp

Failed to create PR

Hello, my workflow is...

name: Frogbot Scan and Fix
on:
  push:
permissions:
  contents: write
  pull-requests: write
  security-events: write
jobs:
  create-fix-pull-requests:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Setup NodeJS
      uses: actions/setup-node@v3
      with:
        node-version: "16.x"
    - uses: jfrog/frogbot@v2
      env:
        JF_INSTALL_DEPS_CMD: npm ci --legacy-peer-deps
        JF_URL: https://na.artifactory.taas.kyndryl.net/
        JF_GIT_API_ENDPOINT: https://github.kyndryl.net/api/v3
        JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        JF_ACCESS_TOKEN: ${{ env.JF_TOKEN }}

"Allow GitHub Actions to create and approve pull requests" is checked.
We are facing:

10:05:24 [Info] Creating branch: frogbot-moment-33a86fc7fc0e1cfbe5636bdf4c66e95f
Error: 7 [Error] failed while trying to fix and create PR for: moment with version: 2.29.4 with error: npm install moment@2.29.4 command failed: exit status 1
...
10:05:28 [Info] Creating branch: frogbot-terser-bd0ab704e2f11528b2588cddd3a649c9
Error: 1 [Error] failed while trying to fix and create PR for: terser with version: 4.8.1 with error: npm install terser@4.8.1 command failed: exit status 1

Not able to scan PR with frogbot exited with error

I got the error below; I used the GitHub Action template for Python package scanning.

/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-pull-request
  14:37:39 [Info] Running Frogbot "scan-pull-request" command
  14:37:39 [Info] Auditing /runner/_work/cirrus-ml-experimentation/cirrus-ml-experimentation
  Error: 9 [Error] could not determine the package manager / build tool used by this project.
  Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1

Add details about which vulnerabilities the Merge Request is fixing

Is your feature request related to a problem? Please describe.
When Frogbot creates a Merge Request to fix vulnerable dependencies, it only says "Upgrade to " and a link to Frogbot readme.

Describe the solution you'd like to see
It would be great to have a link to which CVE is fixed by the Merge Request in the description (and eventually also the vulnerability severity).

This would allow us to have a better idea of how urgent the MR is, and also to retroactively view which CVEs were fixed in our repositories.

Describe alternatives you've considered
None

Additional context
None

How to use the JFrog Bot in a GitLab project built with the gradle wrapper?

How can I configure jfrogbot so that it uses the Gradle wrapper specified by our project instead of reverting back to the nonexistent gradle binary? See the sample error I am receiving in my gitlab-ci output:

16:58:07 [Info] Running Frogbot "create-fix-pull-requests" command 
16:58:07 [Info] Auditing /builds/pare/my-sandbox
16:58:07 [Info] Detected: gradle.
16:58:07 [Info] Running gradle...
16:58:07 [Info] The build-info-extractor jar is not cached locally. Downloading it now...
 You can set the repository from which this jar is downloaded. Read more about it at https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory#CLIforJFrogArtifactory-DownloadingtheMavenandGradleExtractorJARs
16:58:07 [Info] Downloading build-info-extractor from https://releases.jfrog.io/artifactory/oss-release-local/org/jfrog/buildinfo/build-info-extractor-gradle/4.28.2/build-info-extractor-gradle-4.28.2-uber.jar
16:58:07 [Error] 'gradle' audit command failed:
exec: "gradle": executable file not found in $PATH
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1

Allow to configure assignees/reviewers when frogbot creates a fix Pull Request

Describe the solution you'd like to see
It would be great to be able to configure some assignees or reviewers in the repo's frogbot-config.yml, that would be set by frogbot when it creates a Merge Request to fix a vulnerability (when running the scan-and-fix mode).

This way, the repo owners could be triggered when a vulnerability is discovered on a dependency of the project.

Describe alternatives you've considered

Additional context

Pip: ImportError pip._internal.utils

Describe the bug

frogbot scan-pull-requests throws stack trace when scanning a pip project

To Reproduce

  • Create a python project with requirements.txt
  • Set environment variables for communication with Artifactory and Git provider, including pointing at the git repo for the python project
  • Run frogbot scan-pull-requests

Expected behavior

Frogbot to run without crashing

Screenshots

-bash-4.2$ env JF_GIT_API_ENDPOINT="http://stash.example.com/rest" JF_GIT_OWNER=INFRA JF_GIT_REPO=xray-test  JF_URL=https://artifactory.dev.example.com ./frogbot scan-pull-requests
10:09:34 [🔵Info] Running Frogbot "scan-pull-requests" command 
10:09:34 [🔵Info] Auditing /tmp/jfrog.cli.temp.-1663319374-3547796160
10:09:34 [🔵Info] Detected: pip.
10:09:37 [🚨Error] pip Audit command failed: failed running command: '/tmp/jfrog.cli.temp.-1663319374-2082447499/venvdir/bin/python python /data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py --json' with error: exit status 1 - Traceback (most recent call last):
  File "/data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py", line 874, in <module>
    sys.exit(main())
  File "/data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py", line 822, in main
    user_only=args.user_only)
  File "/data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py", line 801, in get_installed_distributions
    from pip._internal.utils import misc
ImportError: No module named _internal.utils

10:09:37 [🚨Error] pip Audit command failed: failed running command: '/tmp/jfrog.cli.temp.-1663319374-2082447499/venvdir/bin/python python /data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py --json' with error: exit status 1 - Traceback (most recent call last):
  File "/data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py", line 874, in <module>
    sys.exit(main())
  File "/data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py", line 822, in main
    user_only=args.user_only)
  File "/data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py", line 801, in get_installed_distributions
    from pip._internal.utils import misc
ImportError: No module named _internal.utils

Versions

  • Frogbot version: 2.3.2
  • Operating system: CentOS 7.7
  • JFrog Artifactory version: 7.41.7
  • JFrog Xray version (version 3.29.0 or above is required): 3.54.5
  • python2: 2.7.5 (pip 8.1.2)
  • python3: 3.6.8 (pip 9.0.3)

Additional context

Pip itself appears to be working fine. Packages can be installed inside user context or new virtualenvs without issue.

frogbot scan-pull-request not possible since version >=2.5.2

Describe the bug

In Frogbot version 2.5.2 the download of a config file was implemented. Since then it is no longer possible for us to run frogbot in our pipeline, because it no longer uses the environment variables and always looks for this config file.
In the code of the merge request you can see that normally there should be a fallback to the environment variables if no config file is given. In the documentation it is not described where this configuration file comes from, how to generate it or how the config should look like. Could you add documentation for this?

Current behavior

08:05:33 [Error] GET https://gitlab.blub.de/api/v4/projects/project/my-service/repository/files/.frogbot/frogbot-config.yml: 404 {message: 404 File Not Found}

Reproduction steps

Set the frogbot version to 2.5.2.
Run frogbot scan-pull-request

Expected behavior

If no configuration file is specified, the environment variables set in gitlab-ci.yml should be used.

JFrog Frogbot version

2.5.2

Package manager info

Maven (pom.xml)

Git provider

GitLab

JFrog Frogbot configuration yaml file

No response

Operating system type and version

CIS Ubuntu 20.04 LTS

JFrog Xray version

3.62.4

Frogbot scan significantly slower than Xray UI

Hi,

We are finding that the Frogbot scans are a lot slower than the equivalent scans/reports in the Xray UI. For instance a Frogbot scan takes ~13 minutes and the Xray UI takes ~10-30 seconds for the same artifact.

What resources are recommended and what parameters/options can we tune to improve Frogbot performance please?

Thanks!

Cannot scan yarn projects

Describe the bug
I can't scan yarn projects

To Reproduce
Given the Jenkins pipeline:

pipeline {
    agent {
        docker {
            image 'node:16'
        }
    }

    parameters {
        string name: 'project', trim: true, description: 'Bitbucket project'
        string name: 'repo', trim:true, description: 'Bitbucket repository'
        string name: 'deps_cmd', trim:true, description: 'The command that installs the project dependencies'
        booleanParam name: 'all_vulns', description: 'Displays all existing vulnerabilities'
    }

    environment {
        JF_ACCESS_TOKEN=credentials("JF_ACCESS_TOKEN_XRAY")
        JF_GIT_API_ENDPOINT="https://bitbucket.redacted.org/rest"
        JF_GIT_PROVIDER="bitbucketServer"
        JF_GIT_TOKEN=credentials("JF_GIT_TOKEN")
        JF_URL=credentials("JF_URL")
    }

    stages {
        stage('Download Frogbot') {
            steps {
                sh """curl -fLg "https://releases.jfrog.io/artifactory/frogbot/v2/2.1.3/getFrogbot.sh" | sh"""
            }
        }

        stage ('Scan Pull Requests') {
            steps {
                withEnv(["JF_INSTALL_DEPS_CMD=$params.deps_cmd", 
                         "JF_GIT_OWNER=$params.project", 
                         "JF_GIT_REPO=$params.repo",
                         "JF_INCLUDE_ALL_VULNERABILITIES=$params.all_vulns"]) {
                    sh "./frogbot scan-pull-requests"
                }
            }
        }
    }
}

The JF_INSTALL_DEPS_CMD parameter is set to yarn install.

Getting this error output:

+ ./frogbot scan-pull-requests
13:06:43 [Info] Running Frogbot "scan-pull-requests" command 
13:06:45 [Info] Auditing /tmp/jfrog.cli.temp.-1658322404-2045215346
13:06:45 [Info] Executing 'yarn' [install] at  /tmp/jfrog.cli.temp.-1658322404-2045215346
13:09:11 [Info] Detected: Yarn.
panic: runtime error: slice bounds out of range [1:0]

goroutine 1 [running]:
github.com/jfrog/build-info-go/build/utils.(*YarnDependency).Name(...)
	/root/go/pkg/mod/github.com/jfrog/[email protected]/build/utils/yarn.go:183
github.com/jfrog/jfrog-cli-core/v2/xray/audit/yarn.getXrayDependencyId(0x0)
	/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/audit/yarn/yarn.go:67 +0xb5
github.com/jfrog/jfrog-cli-core/v2/xray/audit/yarn.parseYarnDependenciesMap(0xc00003c150, 0x100b0b8)
	/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/audit/yarn/yarn.go:54 +0x10c
github.com/jfrog/jfrog-cli-core/v2/xray/audit/yarn.buildYarnDependencyTree()
	/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/audit/yarn/yarn.go:46 +0xf7
github.com/jfrog/jfrog-cli-core/v2/xray/audit/yarn.AuditYarn({{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0xe8412e, 0xa}, 0x0, ...}, ...)
	/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/audit/yarn/yarn.go:18 +0x33
github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/generic.GenericAudit({{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0xe8412e, 0xa}, 0x0, ...}, ...)
	/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/commands/audit/generic/auditmanager.go:42 +0x3a5
github.com/jfrog/frogbot/commands.runInstallAndAudit({{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0xe8412e, 0xa}, 0x0, ...}, ...)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequest.go:178 +0x1db
github.com/jfrog/frogbot/commands.auditSource({{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0xe8412e, 0xa}, 0x0, ...}, ...)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequest.go:122 +0x192
github.com/jfrog/frogbot/commands.scanPullRequest(0xc0004a3558, {0x101d2a0, 0xc00029a6c0})
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequest.go:38 +0xec
github.com/jfrog/frogbot/commands.downloadAndScanPullRequest({0x30, {{0xc0000d3780, 0x36}, {0xc0002dae44, 0x9}}, {{0xc0002daf50, 0xf}, {0xc0002daf94, 0x9}}}, 0xc0000d4800, ...)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequests.go:130 +0x3ed
github.com/jfrog/frogbot/commands.scanAllPullRequests(0xc0000d4800, {0x101d2a0, 0xc00029a6c0})
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequests.go:37 +0x297
github.com/jfrog/frogbot/commands.ScanAllPullRequestsCmd.Run(...)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequests.go:17
github.com/jfrog/frogbot/commands.Exec({0xff55c0, 0x1716828}, {0xe9c913, 0xc000280880})
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/commands.go:28 +0x1d5
github.com/jfrog/frogbot/commands.GetCommands.func3(0xc0002e6360)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/commands.go:62 +0x32
github.com/urfave/cli/v2.(*Command).Run(0xc0002e6360, 0xc0002807c0)
	/root/go/pkg/mod/github.com/urfave/cli/[email protected]/command.go:169 +0x6be
github.com/urfave/cli/v2.(*App).RunContext(0xc000133380, {0x1006f10, 0xc0000c4000}, {0xc0000b4000, 0x2, 0x2})
	/root/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:341 +0x89c
github.com/urfave/cli/v2.(*App).Run(...)
	/root/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:247
main.ExecMain()
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/main.go:27 +0x158
main.main()
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/main.go:16 +0x1e

Other projects (golang, java) can be scanned normally (with their specific docker agent).

Expected behavior
yarn projects can be scanned.

Versions

  • Frogbot version: 2.1.3
  • Operating system: linux
  • JFrog Artifactory version: 7.37.14
  • JFrog Xray version (version 3.29.0 or above is required): 3.52.4
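The trace above panics in the Yarn dependency-name lookup with a slice bound of [1:0], which is the shape of an error from slicing around a separator that was not found. The Go snippet below is an added example, not build-info-go's or Frogbot's code: a parser for Yarn locators of the assumed form name@version (scoped packages start with @scope/) that returns an error for a malformed entry instead of panicking, plus a builder for the npm://name:version component identifier Xray uses for npm packages. The locators in main are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// YarnLocator is the parsed form of a Yarn dependency key such as
// "lodash@npm:4.17.21" or "@babel/core@npm:7.20.0" (assumed format).
type YarnLocator struct {
	Name    string // package name, including any @scope/ prefix
	Version string // everything after the name separator, e.g. "npm:4.17.21"
}

// ParseYarnLocator splits a locator into name and version without ever
// indexing past the end of the string. Scoped packages start with "@", so
// the name/version separator is the last "@" that is not at position 0.
// A missing separator is reported as an error rather than left to produce
// an out-of-range slice.
func ParseYarnLocator(locator string) (YarnLocator, error) {
	if locator == "" {
		return YarnLocator{}, errors.New("empty yarn locator")
	}
	// Skip a leading "@" (scope marker) when searching for the separator.
	searchFrom := 0
	if locator[0] == '@' {
		searchFrom = 1
	}
	sep := strings.LastIndex(locator[searchFrom:], "@")
	if sep < 0 {
		return YarnLocator{}, fmt.Errorf("locator %q has no name/version separator", locator)
	}
	sep += searchFrom
	name, version := locator[:sep], locator[sep+1:]
	if name == "" || version == "" {
		return YarnLocator{}, fmt.Errorf("locator %q has empty name or version", locator)
	}
	return YarnLocator{Name: name, Version: version}, nil
}

// XrayDependencyID builds the npm://name:version component identifier Xray
// uses for npm components; the "npm:" protocol prefix Yarn adds to the
// version is not part of it and is stripped.
func XrayDependencyID(l YarnLocator) string {
	return "npm://" + l.Name + ":" + strings.TrimPrefix(l.Version, "npm:")
}

func main() {
	// Constructed sample entries, including two malformed ones.
	for _, loc := range []string{"lodash@npm:4.17.21", "@babel/core@npm:7.20.0", "broken-entry", ""} {
		l, err := ParseYarnLocator(loc)
		if err != nil {
			fmt.Println("skip:", err) // reported, not a panic
			continue
		}
		fmt.Println(XrayDependencyID(l))
	}
}
```

The point of the guard is that a single malformed lock-file entry degrades to one skipped dependency with a log line, rather than taking down the whole scan-pull-requests run.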

On brand new repo, handle case where PR introduces pom.xml (or other package manager config file)

Is your feature request related to a problem? Please describe.
A brand new repo is initialized with no package manager configuration, e.g.

$ git status
On branch develop
Your branch is up to date with 'origin/develop'.

nothing to commit, working tree clean
$ ls
README.md

When the PR introduces the pom.xml, Frogbot fails because no package manager is found in the base branch:

10:36:19 [Debug] Downloading xxx-my-org/yyy-my-repo from branch:<develop>
10:36:19 [Debug] Downloading repository completed
10:36:19 [🔵Info] Auditing project:
10:36:19 [🚨Error] could not determine the package manager / build tool used by this project.

Describe the solution you'd like to see
Option to ignore missing package manager in base branch (and assume list of dependencies is empty), or generate warning instead of error.

Describe alternatives you've considered
The first option is to not configure Frogbot until the pom is added to the repo. However, this poses the problem that the initial commit of pom.xml might introduce issues which are not found by Frogbot, as they are not new issues in subsequent Frogbot runs.

Additional context
Add any other context or screenshots about the feature request here.

Disenchantment with functionality

I have to say I'm a little disappointed.
We tried Frogbot on Azure DevOps, but it turns out that there is a lot of configuration for each project, and in the end it is the same process as for the build process, which is what we primarily focus on setting up (so duplication).

Running Frogbot currently also consumes a lot of resources, in proportion to the number of pull requests and the length of the build time.

What I would like to see?
It should be easy to set up as a global setting for all projects, even when they don't yet have JFrog in their build pipeline.
I expect functionality similar to JFrog Xray in the IDE, where JFrog just takes the connection and the components (for example from a pom file, a requirements.txt file or a csproj file) and shows the results. No other settings are required.

How to enable debug logging of frogbot in github workflow

I have enabled debug logging in the github workflow and see those logs:

##[debug]Starting: Run jfrog/frogbot@v2
##[debug]Loading inputs
##[debug]Loading env
Run jfrog/frogbot@v2
::group::Frogbot
Frogbot

However I see only info level logging from frogbot:

  14:09:57 [Info] Detected: maven.
  14:09:57 [Info] Running Mvn...

and a failure like so:

  [main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
  [main] INFO org.apache.maven.cli.event.ExecutionEventLogger - BUILD SUCCESS
  [main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
  [main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Total time:  18.028 s
  [main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Finished at: 2022-11-04T14:10:17Z
  [main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
  Error: 7 [Error] 'maven' audit command failed:
  server response: 404 Not Found
  <html>
  <head><title>404 Not Found</title></head>
  <body>
  <center><h1>404 Not Found</h1></center>
  </body>
  </html>
  
  Error: The process '/github-actions/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
  ::endgroup::

I see a bunch of debug level logging in the code:

	clientLog.Debug("Created temp working directory:", wd)

but don't see those logged out anywhere....

Support Git on Azure Devops Server

Is your feature request related to a problem? Please describe.
We are working in a closed environment (no internet) and want to use Frogbot on our on-premise Azure DevOps 2020, connecting to our on-premise JFrog server (Xray + Artifactory).

Describe the solution you'd like to see
Add Azure DevOps Git to the GitHub/GitLab/Bitbucket options.

Describe alternatives you've considered

Unencrypted protocol used.

Describe the bug
"The call to request() in index.js on line 1468 uses an unencrypted protocol instead of an encrypted protocol to communicate with the server."

To Reproduce
From the Fortify tool we found the below issue while scanning the repository.

Expected behavior
No critical issues reported.

Screenshots
NA
Versions

  • Frogbot version: 2.1.2
  • Operating system:
  • JFrog Artifactory version:
  • JFrog Xray version:

Additional context
All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in the mobile environment where devices frequently connect to unsecured, public, wireless networks using WiFi connections.

Example 1: The following example reads data using the HTTP protocol (instead of using HTTPS).
var http = require('http');
...
http.request(options, function(res){
...
});
...

The incoming http.IncomingMessage object, res, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.
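The Fortify finding above flags a plain http request in the action's index.js. As an added example, not code from Frogbot or the frogbot action, the Go snippet below shows the two controls a reviewer would look for before closing such a finding: rejecting any non-https URL before a request is issued, and a client that enforces TLS 1.2 or newer and refuses to follow a redirect that downgrades to http. The URL used in main is only illustrative.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// ErrInsecureScheme is returned for any URL whose scheme is not https.
var ErrInsecureScheme = errors.New("refusing to use a non-https URL")

// RequireHTTPS parses raw and rejects it unless the scheme is https and a
// host is present. Run it on every download or API URL before use so that a
// downgraded or mistyped endpoint fails closed instead of sending a token
// over clear text.
func RequireHTTPS(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("%w: %s", ErrInsecureScheme, raw)
	}
	return u, nil
}

// NewHTTPSOnlyClient returns an http.Client that negotiates at least TLS 1.2
// and refuses to follow a redirect that would leave https, so a server-side
// redirect cannot silently downgrade the connection. Certificate verification
// stays on (InsecureSkipVerify is deliberately not set).
func NewHTTPSOnlyClient() *http.Client {
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
		},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			_, err := RequireHTTPS(req.URL.String())
			return err
		},
	}
}

// FetchHTTPS is the guarded replacement for an unchecked request call:
// validate the URL first, then issue the GET with the hardened client.
func FetchHTTPS(client *http.Client, raw string) (*http.Response, error) {
	u, err := RequireHTTPS(raw)
	if err != nil {
		return nil, err
	}
	return client.Get(u.String())
}

func main() {
	client := NewHTTPSOnlyClient()
	// Illustrative URL: the http:// form is rejected before any bytes leave the host.
	if _, err := FetchHTTPS(client, "http://releases.jfrog.io/artifactory/frogbot/v2/"); err != nil {
		fmt.Println("blocked:", err)
	}
}
```

The redirect check matters as much as the initial scheme check: a request that starts on https but is redirected to http by a misconfigured or hostile server would otherwise complete over clear text without the caller noticing.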

Allow to configure the commit messages style

Is your feature request related to a problem? Please describe.
Some of our projects use the conventional commits message style. When Frogbot creates an MR, the commits don't follow this convention.

Describe the solution you'd like to see
Allowing the user to enable a certain commits style in the frogbot-config.yml, or to configure the commit messages prefix (e.g. fix(deps):)

Describe alternatives you've considered
Manually editing the commit message when merging the MR.

Get Scan Result {message: 401 Unauthorized}

Describe the bug
A clear and concise description of what the bug is.

[main] INFO org.jfrog.build.extractor.maven.BuildDeploymentHelper - Artifactory Build Info Recorder: deploy artifacts set to false, artifacts will not be deployed...
[main] INFO org.jfrog.build.extractor.maven.BuildDeploymentHelper - Artifactory Build Info Recorder: publish build info set to false, build info will not be published...
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - BUILD SUCCESS
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Total time: 3.466 s
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Finished at: 2022-04-21T07:55:09Z
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
07:55:09 [Info] Scanning module com.example:demo:0.0.1-SNAPSHOT...
07:55:09 [Info] Waiting for scan to complete...
07:55:14 [Info] Auditing frogbot-test master
07:55:15 [Error] GET https://gitlab.com/api/v4/projects/root/frogbot-test/repository/archive.tar.gz: 401 {message: 401 Unauthorized}

To Reproduce
Steps to reproduce the behavior

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Versions

  • Frogbot version:
  • Operating system:
  • JFrog Artifactory version:
  • JFrog Xray version:

Additional context
Add any other context about the problem here.

Using frogbot without GH advanced security?

Is it possible to use Frogbot without GitHub Advanced Security in GitHub Enterprise?

I get this error at the moment:

  Error: 2 [Error] upload code scanning failed with: POST https://my.github.enterprise/api/v3/repos/org/repo1/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
  Error: The process '/github-actions/actions-runner/_work/_tool/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1

seems like it would be useful to have a flag for disabling this functionality:
2d3b55c#diff-d8b6807ea777814b68ce9cf71f8f78e2afd9dfd682ec923567710b840d43e341R31

(not sure if anything else requires GHAS...?)

CVSS Score should be provided in Frogbot report

Is your feature request related to a problem? Please describe.
We are using JFrog Xray in our org to scan the Docker images for OSS issues. JFrog has suggested that we use Frogbot as a shift-left security feature. We did an analysis of the Frogbot features and noted that a few improvements are required to leverage them. JFrog Xray provides a CVSS score for each of the OSS issues identified. We use the same CVSS score for prioritising the fixing of OSS issues. For example, we have picked CVSS score = 10 as the topmost priority for us to fix. Now when we try to use Frogbot, it does not provide us with CVSS score information and hence we are unable to leverage its features.

Describe the solution you'd like to see
We expect a CVSS v3 score against each OSS issue in the Frogbot report. The same is already available in the JFrog Xray vulnerability report.

Describe alternatives you've considered
NA

Additional context
NA

Create PR with fix isn't taking the working directory

Describe the bug

When Frogbot tries to apply a remediation and create a PR, it doesn't use the JF_WORKING_DIR environment variable.

err = cfp.updatePackageToFixedVersion(fixVersionInfo.packageType, impactedPackage, fixVersionInfo.fixVersion, params.RequirementsFile)

Current behavior

022-12-08T22:54:00.2572103Z 22:54:00 [Info] JFrog Xray version is: 3.61.5
2022-12-08T22:54:00.2573048Z 22:54:00 [Info] Scanning module com.example:multi-module-library:3.0.0...
2022-12-08T22:54:00.6906700Z 22:54:00 [Info] Waiting for scan to complete...
2022-12-08T22:54:01.2769030Z 22:54:01 [Info] Xray scan completed
2022-12-08T22:54:01.2769451Z 22:54:01 [Info] Note: no context was provided, so no policy could be determined to scan against.
2022-12-08T22:54:01.2770194Z You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
2022-12-08T22:54:01.2770764Z Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
2022-12-08T22:54:01.2771245Z All vulnerabilities detected will be included in the output JSON.
2022-12-08T22:54:01.9045736Z 22:54:01 [Info] Found 1 vulnerable dependencies with fix versions
2022-12-08T22:54:03.6144703Z 22:54:03 [Info] -----------------------------------------------------------------
2022-12-08T22:54:03.6145548Z 22:54:03 [Info] Start fixing org.apache.camel:camel-ldap with 3.14.6
2022-12-08T22:54:03.7230746Z 22:54:03 [Info] Creating branch: frogbot-org.apache.camel_camel-ldap-77492e313a8b7198cf626f35a1bc4942
2022-12-08T22:54:07.0362324Z 22:54:07 [Error] failed while trying to fix and create PR for: org.apache.camel:camel-ldap with version: 3.14.6 with error: mvn command failed: exit status 1
2022-12-08T22:54:07.0363070Z [INFO] Scanning for projects...
2022-12-08T22:54:07.0364068Z [INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom
...
2022-12-08T22:54:07.0417960Z [INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/codehaus/mojo/versions-maven-plugin/2.13.0/versions-maven-plugin-2.13.0.jar
2022-12-08T22:54:07.0418807Z [INFO] Downloaded from central: https://repo.maven.apache.org/maven2/org/codehaus/mojo/versions-maven-plugin/2.13.0/versions-maven-plugin-2.13.0.jar (416 kB at 6.5 MB/s)
2022-12-08T22:54:07.0419227Z [INFO]
2022-12-08T22:54:07.0419604Z [INFO] ------------------< org.apache.maven:standalone-pom >-------------------
2022-12-08T22:54:07.0420007Z [INFO] Building Maven Stub Project (No POM) 1
2022-12-08T22:54:07.0420429Z [INFO] --------------------------------[ pom ]---------------------------------
2022-12-08T22:54:07.0420868Z [INFO] ------------------------------------------------------------------------
2022-12-08T22:54:07.0421161Z [INFO] BUILD FAILURE
2022-12-08T22:54:07.0421532Z [INFO] ------------------------------------------------------------------------
2022-12-08T22:54:07.0421827Z [INFO] Total time: 2.199 s
2022-12-08T22:54:07.0422352Z [INFO] Finished at: 2022-12-08T22:54:07Z
2022-12-08T22:54:07.0422752Z [INFO] ------------------------------------------------------------------------
2022-12-08T22:54:07.0423724Z [ERROR] Failed to execute goal org.codehaus.mojo:versions-maven-plugin:2.13.0:use-dep-version (default-cli): Goal requires a project to execute but there is no POM in this directory (/tmp/jfrog.cli.temp.-1670540041-4076773722). Please verify you invoked Maven from the correct directory. -> [Help 1]
2022-12-08T22:54:07.0424308Z [ERROR]
2022-12-08T22:54:0

Reproduction steps

  1. fork this project : https://github.com/cyan21/java-demo/tree/test-bot
  2. configure Frogbot and set JF_WORKING_DIR: src/library/ in the yaml file

Expected behavior

The PR should be opened when setting the JF_WORKING_DIR

JFrog Frogbot version

Using the jfrog/frogbot@v2 action, but the logs show latest ...

Package manager info

using actions/setup-java@v3 action : java-version=11, distribution=temurin java-package: jdk

Git provider

GitHub

JFrog Frogbot configuration yaml file

name: "Frogbot"
on:
  push:
    branches:
      - "test-bot"
permissions:
  contents: write
  pull-requests: write
  security-events: write
jobs:
  create-fix-pull-requests:
    runs-on: ubuntu-latest
    environment: frogbot
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      # Install prerequisites
      - name: Set up Java
        uses: actions/setup-java@v3
        with:
          java-version: "11"
          distribution: "temurin"

      - uses: jfrog/frogbot@v2
        env:
          JF_URL: ${{ secrets.JF_URL }}
          JF_USER: ${{ secrets.JF_USER }}
          JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}

          JF_WORKING_DIR: src/library/
          JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"

Operating system type and version

ubuntu-22.04

JFrog Xray version

3.61.5

Add Yarn 2 template

Is your feature request related to a problem? Please describe.
Yarn 2 template is missing.

Describe the solution you'd like to see
We should test Frogbot and add the needed template.

Describe alternatives you've considered
None

Additional context
None

Large amount of retry, could something be wrong?

When running the scanner, I get a considerable number of these from time to time:

[2022-12-14T05:05:51.206Z] 05:05:51 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:05:51.633Z] 05:05:51 [Debug] Get Dependencies Scan results... (Attempt 1)
[2022-12-14T05:05:57.185Z] 05:05:56 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:05:57.185Z] 05:05:56 [Debug] Get Dependencies Scan results... (Attempt 2)
[2022-12-14T05:06:02.721Z] 05:06:01 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:02.721Z] 05:06:02 [Debug] Get Dependencies Scan results... (Attempt 3)
[2022-12-14T05:06:07.210Z] 05:06:07 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:07.645Z] 05:06:07 [Debug] Get Dependencies Scan results... (Attempt 4)
[2022-12-14T05:06:13.194Z] 05:06:12 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:13.194Z] 05:06:12 [Debug] Get Dependencies Scan results... (Attempt 5)
[2022-12-14T05:06:18.773Z] 05:06:17 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:18.773Z] 05:06:18 [Debug] Get Dependencies Scan results... (Attempt 6)
[2022-12-14T05:06:23.250Z] 05:06:23 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:23.683Z] 05:06:23 [Debug] Get Dependencies Scan results... (Attempt 7)
[2022-12-14T05:06:29.249Z] 05:06:28 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:29.249Z] 05:06:28 [Debug] Get Dependencies Scan results... (Attempt 8)
[2022-12-14T05:06:33.721Z] 05:06:33 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:34.154Z] 05:06:34 [Debug] Get Dependencies Scan results... (Attempt 9)
[2022-12-14T05:06:39.714Z] 05:06:39 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:39.714Z] 05:06:39 [Debug] Get Dependencies Scan results... (Attempt 10)
[2022-12-14T05:06:45.274Z] 05:06:44 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:45.274Z] 05:06:44 [Debug] Get Dependencies Scan results... (Attempt 11)
[2022-12-14T05:06:50.830Z] 05:06:49 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:50.830Z] 05:06:50 [Debug] Get Dependencies Scan results... (Attempt 12)
[2022-12-14T05:06:55.306Z] 05:06:55 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:55.733Z] 05:06:55 [Debug] Get Dependencies Scan results... (Attempt 13)
[2022-12-14T05:07:01.290Z] 05:07:00 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:07:01.290Z] 05:07:00 [Debug] Get Dependencies Scan results... (Attempt 14)

Sometimes it just works and gets through to the next issue - other times this will just carry on. If I kill the build and run it again, it seems to work.

Build is for dotnet core, and Linux x64.

Is there something you think I could do to fix this? I've seen it go all the way to attempt 100+.
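The log above shows the same scan-result GET repeated every few seconds with a rising attempt counter and, per the report, no apparent upper bound. As an added example (not Frogbot's or JFrog CLI's polling code), here is a Go poll loop a practitioner could use in their own wrapper around such an endpoint: it caps attempts, caps wall-clock time, backs off with jitter so parallel runners do not poll in lockstep, and aborts immediately on a hard error such as an authentication failure. The scan-status lookup in main is a constructed stand-in for the HTTP call.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"math/rand"
	"time"
)

// ErrPollExhausted is returned when the poll gives up without a result.
var ErrPollExhausted = errors.New("scan result polling exhausted")

// PollConfig bounds a result poll by both attempts and wall-clock time.
type PollConfig struct {
	MaxAttempts int
	Initial     time.Duration // first back-off delay
	Max         time.Duration // ceiling for the back-off delay
	Timeout     time.Duration // overall deadline for the whole poll
}

// PollResult calls check until it reports done, the attempt budget is spent,
// or the timeout elapses. check returns (done, err): a non-nil error aborts
// at once, which is what you want for 401/403, while "not ready yet" is
// simply done=false. The number of attempts used is returned for logging.
func PollResult(ctx context.Context, cfg PollConfig, check func(ctx context.Context) (bool, error)) (int, error) {
	ctx, cancel := context.WithTimeout(ctx, cfg.Timeout)
	defer cancel()
	delay := cfg.Initial
	for attempt := 1; attempt <= cfg.MaxAttempts; attempt++ {
		done, err := check(ctx)
		if err != nil {
			return attempt, fmt.Errorf("attempt %d: %w", attempt, err)
		}
		if done {
			return attempt, nil
		}
		// Full jitter: sleep a random duration in [0, delay], then double delay.
		jittered := time.Duration(rand.Int63n(int64(delay) + 1))
		select {
		case <-ctx.Done():
			return attempt, fmt.Errorf("%w after %d attempts: %v", ErrPollExhausted, attempt, ctx.Err())
		case <-time.After(jittered):
		}
		if delay *= 2; delay > cfg.Max {
			delay = cfg.Max
		}
	}
	return cfg.MaxAttempts, fmt.Errorf("%w after %d attempts", ErrPollExhausted, cfg.MaxAttempts)
}

// ScanStatusCheck adapts a status lookup into a check: "done" finishes,
// "pending"/"running" keep polling, anything else is a hard error.
func ScanStatusCheck(lookup func() (string, error)) func(ctx context.Context) (bool, error) {
	return func(ctx context.Context) (bool, error) {
		status, err := lookup()
		if err != nil {
			return false, err
		}
		switch status {
		case "done":
			return true, nil
		case "pending", "running":
			return false, nil
		default:
			return false, fmt.Errorf("unexpected scan status %q", status)
		}
	}
}

func main() {
	// Constructed stand-in for GET .../scan/graph/<id>: "running" twice, then "done".
	responses := []string{"running", "running", "done"}
	i := 0
	lookup := func() (string, error) {
		s := responses[i]
		if i < len(responses)-1 {
			i++
		}
		return s, nil
	}
	cfg := PollConfig{MaxAttempts: 10, Initial: 100 * time.Millisecond, Max: 2 * time.Second, Timeout: 30 * time.Second}
	n, err := PollResult(context.Background(), cfg, ScanStatusCheck(lookup))
	fmt.Println("attempts:", n, "err:", err) // attempts: 3 err: <nil>
}
```

With a bounded loop, a scan that never completes surfaces as a clear ErrPollExhausted within a known time instead of a CI job that must be killed by hand; the caller can then retry the whole scan or fail the build deliberately.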

Add ability to disable comments if no vulnerabilities found

Our developers are complaining of too many emails for MRs due to the Frogbot comments when no vulnerabilities are found. Now whilst I don't agree with them entirely about this as I think it's important to have the status on the MR even when nothing bad is found, we need happy developers.

So please could you implement a flag, maybe something like JF_SUCCESS_COMMENT with a boolean value true/false that would disable the commenting on MRs if no vulnerabilities are found?

Thanks!
James

Getting "authentication required" errors when Frogbot tries to create a PR after finding vulnerabilities

Describe the bug
Getting "authentication required" errors when Frogbot tries to create a PR after it finds vulnerabilities.
I have tried with the run's GitHub token ( ${{ secrets.GITHUB_TOKEN }} ) and with a personal token with all the required permissions, and I get the same error.

To Reproduce
Use the below workflow for a maven project

name: "Frogbot Fix"
on:
  push:
    branches:
      - 'main'
      - 'master'
      - 'feature-*'
permissions:
  contents: write
  pull-requests: write
jobs:
  create-fix-pull-requests:
    runs-on: [ self-hosted ]
    steps:
      - uses: actions/checkout@v2
      - name: Set up Java
        uses: actions/setup-java@v3
        with:
          java-version: "8"
          distribution: "corretto"
          cache: 'maven'
      - name: Set up Maven
        uses: stCarolas/[email protected]
        with:
          maven-version: 3.5.2
      - uses: jfrog/[email protected]
        env:
          JF_URL: ${{ secrets.JFROG_URL }}
          JF_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
          JF_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Expected behavior
Create a PR for each vulnerability found

Screenshots
Logs:

 23:00:37 [Info] Waiting for scan to complete...
  23:00:42 [Info] Xray scan completed
  23:00:42 [Info] Found 5 vulnerable dependencies with fix versions
  23:00:43 [Info] -----------------------------------------------------------------
  23:00:43 [Info] Start fixing org.apache.cxf:cxf-rt-frontend-jaxrs with 3.0.16
  Error: 3 [Error] failed while trying to fix and create PR for: org.apache.cxf:cxf-rt-frontend-jaxrs with version: 3.0.16 with error: authentication required
  23:00:43 [Info] Running git checkout to base branch: refs/heads/feature-GITACT-325-Jfrog-revisit-create-pr-to-fix-vulnerabilities
  23:00:43 [Info] -----------------------------------------------------------------
  23:00:43 [Info] Start fixing junit:junit with 4.13.1
  Error: 3 [Error] failed while trying to fix and create PR for: junit:junit with version: 4.13.1 with error: authentication required
  23:00:43 [Info] Running git checkout to base branch: refs/heads/feature-GITACT-325-Jfrog-revisit-create-pr-to-fix-vulnerabilities
  23:00:43 [Info] -----------------------------------------------------------------
  23:00:43 [Info] Start fixing ch.qos.logback:logback-classic with 1.2.0
  Error: 3 [Error] failed while trying to fix and create PR for: ch.qos.logback:logback-classic with version: 1.2.0 with error: authentication required
  23:00:43 [Info] Running git checkout to base branch: refs/heads/feature-GITACT-325-Jfrog-revisit-create-pr-to-fix-vulnerabilities
  23:00:43 [Info] -----------------------------------------------------------------
  23:00:43 [Info] Start fixing ch.qos.logback:logback-core with 1.2.0
  Error: 3 [Error] failed while trying to fix and create PR for: ch.qos.logback:logback-core with version: 1.2.0 with error: authentication required
  23:00:43 [Info] Running git checkout to base branch: refs/heads/feature-GITACT-325-Jfrog-revisit-create-pr-to-fix-vulnerabilities
  23:00:44 [Info] -----------------------------------------------------------------
  23:00:44 [Info] Start fixing com.fasterxml.jackson.core:jackson-databind with 2.12.6
  Error: 4 [Error] failed while trying to fix and create PR for: com.fasterxml.jackson.core:jackson-databind with version: 2.12.6 with error: authentication required
  23:00:44 [Info] Running git checkout to base branch: refs/heads/feature-GITACT-325-Jfrog-revisit-create-pr-to-fix-vulnerabilities
  23:00:44 [Info] Frogbot "create-fix-pull-requests" command finished successfully

Versions

  • Frogbot version: v2.1.2
  • Operating system: linux/amd64
  • JFrog Artifactory version: 7.38.8
  • JFrog Xray version (version 3.29.0 or above is required):

Additional context
Add any other context about the problem here.

"Server ID <ID>: URL is required" error is thrown on Frogbot scan when there is a maven.yaml file configured with a private registry

Describe the bug
When using the Frogbot scan with a Maven project and there is also a .jfrog/projects/maven.yaml file that points to a private registry, cli-core will try to use the maven.yaml server ID, which is not recognized by GitHub Actions and leads to the error:

Error: 2 [Error] Server ID arti-test: URL is required.

To Reproduce
Used the template
Add maven.yaml file such as follows:

version: 1
type: maven
resolver:
  serverId: my-saas
  snapshotRepo: libs-snapshots
  releaseRepo: libs-releases
deployer:
  serverId: my-saas
  snapshotRepo: libs-snapshots
  releaseRepo: libs-releases

Expected behavior
Frogbot should not throw an error about that.

Versions

  • Frogbot version: 2.1.2
  • JFrog Artifactory version: 7.38.8
  • JFrog Xray version: 3.48.2

frogbot scan-pull-request gradle error when artifactory plugin used

Describe the bug

Running frogbot scan-pull-request in a GitLab CI job ends with an error.
The issue is related to using the Gradle Artifactory plugin.
The same issue happens with jfrog-cli command jf audit.
But with setting the config option jf gradle-config --uses-plugin it works. As described in jfrog/jfrog-cli#1404

Current behavior

Error:

An exception occurred applying plugin request [id: 'com.jfrog.artifactory', version: '4.29.4']
> Failed to apply plugin 'com.jfrog.artifactory'.
   > Cannot cast object 'org.jfrog.gradle.plugin.artifactory.dsl.ArtifactoryPluginConvention@da6fc6c' with class 'org.jfrog.gradle.plugin.artifactory.dsl.ArtifactoryPluginConvention' to class 'org.jfrog.gradle.plugin.artifactory.dsl.ArtifactoryPluginConvention'

Reproduction steps

Use Gradle Artifactory plugin in the project
Set jf gradle-config --uses-plugin
Run frogbot scan-pull-request

Expected behavior

The option --uses-plugin is applied to frogbot the same as for jfrog-cli

JFrog Frogbot version

2.4.1

Package manager info

Gradle 7.6

Git provider

GitLab

JFrog Frogbot configuration yaml file

No response

Operating system type and version

Alpine Linux 3.17

JFrog Xray version

No response

Suppress multiple identical frogbot comments on PRs

Is your feature request related to a problem? Please describe.
When a PR is opened and changes are requested by approvers, there can be quite a few additional commits to the PR branch. This results in many repeated Frogbot comments on the PR.

Describe the solution you'd like to see
Check if comment is a duplicate and suppress in that case.

Describe alternatives you've considered
Open to suggestions...

Additional context
Add any other context or screenshots about the feature request here.


Git clone not using `JF_GIT_API_ENDPOINT`

Describe the bug

We have an on-prem GitLab instance running on "gitlab.ourdomain".
When running the command scan-and-fix-repos and vulnerabilities are found, Frogbot tries to clone the repository without using JF_GIT_API_ENDPOINT to construct the clone URL.

Current behavior

Here is the output of our CI:

$ env | grep "JF"
JF_URL=https://jfrog.ourdomain
JF_GIT_OWNER=my-group/test
JF_GIT_REPO=demo-app
JF_GIT_API_ENDPOINT=https://gitlab.ourdomain
JF_GIT_TOKEN=[MASKED]
JF_USER=gitlab
JF_GIT_PROVIDER=gitlab
JF_PASSWORD=[MASKED]
JF_GIT_BASE_BRANCH=main

$ frogbot scan-and-fix-repos
09:49:52 [Debug] Downloading frogbot-config.yml from target my-group/test / demo-app / main
09:49:53 [Info] Running Frogbot "scan-and-fix-repos" command 
09:49:53 [Debug] Usage Report: Sending info...
09:49:53 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/artifactory/api/system/version
09:49:53 [Debug] Created temp working directory:  /tmp/jfrog.cli.temp.-1678265393-192215614
09:49:53 [Debug] Downloading my-group/test/demo-app , branch: main to: /tmp/jfrog.cli.temp.-1678265393-192215614
09:49:53 [Debug] Artifactory response: 200 
09:49:53 [Debug] JFrog Artifactory version is: 7.41.13
09:49:53 [Debug] Sending HTTP POST request to: https://jfrog.ourdomain/artifactory/api/system/usage
09:49:53 [Debug] Usage Report: Artifactory response: 200 
09:49:53 [Debug] Usage Report: Usage info sent successfully.
09:49:53 [Info] demo-app downloaded successfully, starting with repository extraction
09:49:53 [Info] extracted repository successfully
09:49:53 [Debug] Repository download completed
09:49:53 [Info] Auditing project: /tmp/jfrog.cli.temp.-1678265393-192215614
09:49:53 [Info] Detected: poetry.
09:49:53 [Debug] Running "poetry install"
09:50:08 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/xray/api/v1/system/version
09:50:08 [Info] JFrog Xray version is: 3.57.6
09:50:08 [Info] Scanning module ...
09:50:08 [Debug] Sending HTTP POST request to: https://jfrog.ourdomain/xray/api/v1/scan/graph?scan_type=dependency
09:50:09 [Info] Waiting for scan to complete...
09:50:09 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/xray/api/v1/scan/graph/b8066348-8c14-492e-7fb0-13d21a2f3fd7?include_vulnerabilities=true
09:50:09 [Debug] Get Dependencies Scan results... (Attempt 1)
09:50:14 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/xray/api/v1/scan/graph/b8066348-8c14-492e-7fb0-13d21a2f3fd7?include_vulnerabilities=true
09:50:14 [Info] Xray scan completed
09:50:14 [Debug] Upload Scan to GitLab is currently unsupported.
09:50:14 [Info] Found 2 vulnerable dependencies with fix versions
09:50:14 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1678265414-3030771806
09:50:14 [Info] Cloning repository with these details:
Clone url: https://gitlab.com/my-group/test/demo-app.git remote name: origin, branch: refs/heads/main
09:50:14 [Error] repository demo-app returned the following error: 
'git clone main from https://gitlab.com/my-group/test/demo-app.git' failed with error: authentication required

Reproduction steps

Set the environment variable JF_GIT_API_ENDPOINT to gitlab instance URL, and run the command scan-and-fix-repos on a repository with vulnerabilities.

Expected behavior

The repo 'clone_url' should be 'https://gitlab.ourdomain/my-group/test/demo-app.git' instead of 'https://gitlab.com/my-group/test/demo-app.git'

JFrog Frogbot version

2.5.9

Package manager info

poetry - pyproject.toml

Git provider

GitLab

JFrog Frogbot configuration yaml file

- params:
    # Git parameters
    git:
      # [Mandatory]
      # Name of the git repository to scan
      repoName: demo-app

      # [Mandatory]
      # List of branches to scan
      branches:
        - main

Operating system type and version

RHEL 8.6

JFrog Xray version

3.57.6

Different results with 'create-fix-pull-requests' vs 'scan-pull-request'

Describe the bug

I have self-hosted Gitlab and Artifactory, and am trying to integrate frogbot in a Java repo built with Maven. I have the scan-pull-request working on a branch MR, and it shows multiple vulnerabilities with a fix version. For example


Running the create-fix-pull-request command doesn't seem to be finding any of these vulnerabilities (with fixed versions)

Current behavior

When I try to run the create-fix-pull-requests command locally from a working copy of the branch (new repo, the master branch is empty still), it says there are no vulnerable dependencies with fix versions. But when I pull the scan report via the xray/api/v1/scan/graph that's in the frogbot output, the JSON response includes multiple fixed versions.

19:37:47 [Debug] Sending HTTP GET request to: https://repo.example.com/xray/api/v1/system/version
19:37:47 [🔵Info] JFrog Xray version is: 3.47.3
19:37:47 [🔵Info] Scanning module com.example.myproject:foolib:1.0-SNAPSHOT...
19:37:47 [Debug] Sending HTTP POST request to: https://repo.example.com/xray/api/v1/scan/graph?scan_type=dependency
19:37:47 [🔵Info] Waiting for scan to complete...
19:37:47 [Debug] Sending HTTP GET request to: https://repo.example.com/xray/api/v1/scan/graph/ac58a7a1-8d65-4df7-69dd-ce251552cba4?include_vulnerabilities=true
19:37:48 [Debug] Get Dependencies Scan results... (Attempt 1)
19:37:53 [Debug] Sending HTTP GET request to: https://repo.example.com/xray/api/v1/scan/graph/ac58a7a1-8d65-4df7-69dd-ce251552cba4?include_vulnerabilities=true
19:37:53 [🔵Info] Xray scan completed
19:37:53 [Debug] Upload Scan to GitLab is currently unsupported.
19:37:53 [🔵Info] Didn't find vulnerable dependencies with existing fix versions for foolib
19:37:53 [🔵Info] Frogbot "create-fix-pull-requests" command finished successfully 
/work # jq -r '.vulnerabilities[].components[].fixed_versions' report.json
[
  "[1.21-RC1]"
]
[
  "[1.21-RC1]"
]
[
  "[1.21]"
]
[
  "[1.21]"
]
[
  "[1.21]"
]
[
  "[1.21]"
]
[
  "[2.7]"
]
[
  "[2.5]"
]
[
  "[1.11.3]"
]

Reproduction steps

No response

Expected behavior

The set of vulnerable dependencies with fixed versions identified in the scan-pull-request command should have MR's opened to update to the identified fixed version.

JFrog Frogbot version

2.6.1

Package manager info

Maven 3.8.6, pom.xml

Git provider

GitLab

JFrog Frogbot configuration yaml file

No response

Operating system type and version

alpine:3.17

JFrog Xray version

3.47.3

Advanced Security issue

Hello, is there any way to use frogbot without Advanced Security?

Run jfrog/frogbot@v2
...
09:20:35 [Warn] upload code scanning failed with: POST https://github.kyndryl.net/api/v3/repos/org-for-tests/back/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []

when running frogbot locally, scan-pull-requests trying to query issues that don't exist...

Describe the bug
When trying to run locally, I am seeing an error where scan-pull-requests is trying to pull comments for an issue that doesn't exist and failing.

To Reproduce
This is using github enterprise server, and running the frogbot locally

√ frogbot % go run main.go scan-pull-requests
13:57:11 [Info] Running Frogbot "scan-pull-requests" command
13:57:11 [Debug] Usage Report: Sending info...
13:57:11 [Debug] Sending HTTP GET request to: https://my.jfrog/artifactory/api/system/version
13:57:11 [Debug] Artifactory response: 200 OK
13:57:11 [Debug] JFrog Artifactory version is: 7.41.12
13:57:11 [Debug] Sending HTTP POST request to: https://my.jfrog/artifactory/api/system/usage
13:57:11 [Debug] Usage Report: Artifactory response: 200 OK
13:57:11 [Debug] Usage Report: Usage info sent successfully.
13:57:11 [Error] GET https://my.github.enterprise/api/v3/repos/org1/repo1/issues/12345/comments: 404 Not Found []
13:57:11 [Error] GET https://my.github.enterprise/api/v3/repos/org1/repo1/issues/12345/comments: 404 Not Found []
exit status 1

Expected behavior
Would get as far as scanning a pull request

Versions

  • Frogbot version: v2
  • Operating system:
√ frogbot % sw_vers
ProductName:	macOS
ProductVersion:	12.6
BuildVersion:	21G115
  • JFrog Artifactory version:
  • JFrog Xray version (version 3.29.0 or above is required): 7.41.12

Additional context
Add any other context about the problem here.

Add support for Docker artifacts to FrogBot

Is your feature request related to a problem? Please describe.
Docker artifacts are not currently listed as supported. Request for Docker artifact scanning to be supported.

Describe the solution you'd like to see
Add support for Docker artifacts to FrogBot

Describe alternatives you've considered
Dependabot and jfrog cli

Additional context
Teams would like to standardize on FrogBot for pre-merge scanning but Docker artifacts are a blocker.

JF_USER is undefined

Describe the bug

I created a setup of yarn2 using the workflow you guys provided. And it seems like JF_USER is undefined even though it's set up.

To Reproduce
Just do your starter flow

Expected behavior
The run will go as planned

Screenshots


Versions

  • Frogbot version: v2.3.2
  • Operating system: Linux (runner)
  • JFrog Artifactory version:
  • JFrog Xray version (version 3.29.0 or above is required):

Additional context
I looked in your code and didn't see any place where you are setting up JF_USER in your env.
I also tried to supply JF_USER in:

  1. workflow context
  2. job context
  3. action context

Error 404: File not found on a basic maven project

Describe the bug

I'm trying to use the frogbot GitHub action and at the end of the build I can't access the report file generated. I get a 404 file not found error.
The same project with the command jf xr audit-mvn generates the expected report.

The project that I am using is:
Basic maven project: https://github.com/ixchelruiz/app
Github action: https://github.com/ixchelruiz/app/actions/runs/2185445703

At the end of the build on "[scan-pull-request]" I get the following error:

[main] INFO org.jfrog.build.extractor.maven.BuildDeploymentHelper - Artifactory Build Info Recorder: publish build info set to false, build info will not be published...
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - BUILD SUCCESS
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Total time:  5.889 s
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Finished at: 2022-04-18T18:42:34Z
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
Error: 4 [Error] Server response: 404 
{
  "errors": [
    {
      "status": 404,
      "message": "File not found."
    }
  ]
}
Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1

To Reproduce
Use
Basic maven project: https://github.com/ixchelruiz/app
Github action: https://github.com/ixchelruiz/app/actions/runs/2185445703

Expected behavior
Report is generated and added in the comments exactly as the report generated on the Jfrog cli
jf xr audit-mvn

Screenshots
If applicable, add screenshots to help explain your problem.


Versions

  • Frogbot version: v1
  • Operating system: Apple M1 Max
  • JFrog Artifactory version: 2.15.0
  • JFrog Xray version: 3.45.1

My local setup (jfrog CLI) with the same configuration (tokens) WORKS

jf config show

Server ID:			Default-Server
JFrog platform URL:		https://ixchelr.jfrog.io/
Artifactory URL:		https://ixchelr.jfrog.io/artifactory/
Distribution URL:		https://ixchelr.jfrog.io/distribution/
Xray URL:			https://ixchelr.jfrog.io/xray/
Mission Control URL:		https://ixchelr.jfrog.io/mc/
Pipelines URL:			https://ixchelr.jfrog.io/pipelines/
Password:			***
Access token:			***
Refresh token:			***
Default:			true

GitHub actions configuration -- DOESN'T WORK

Run jfrog/frogbot@v1
  with:
    version: latest
  env:
    JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/11.0.14-1/x64
    JF_URL: ***
    JF_GIT_TOKEN: ***
    JF_ACCESS_TOKEN: ***
Frogbot

Additional context
Add any other context about the problem here.

Improve Frogbot Fix Pull Request Appearance

Is your feature request related to a problem? Please describe.

Frogbot automated fix pull requests can be more informative and may look even better :)

Describe the solution you'd like to see
I suggest the following changes to the created PR:

  1. Replace the current PR description with a more informative description that includes for example data from Xray, info on the fixed version changes, etc.
  2. Remove the Frogbot prefix from the commit title. The committer is always @JFrog-Frogbot and it has a nice profile picture.

Additional context
