Comments (21)
Hey @yalamarthisr, at the moment, we do not support resolving dependencies through Artifactory on Frogbot. However, this feature is currently in development and should be released soon. I'll keep you updated.
from frogbot.
@yalamarthisr -
The frogbot/frogbot-config.yml file is the way to go in any case. It includes information that Frogbot needs, like your git repository name and branches to scan. Also, once Frogbot has the ability to restore dependencies from Artifactory, it will use the information about the working dir and install command (dotnet restore, for example) stored in the frogbot/frogbot-config.yml file.
Sure @yalamarthisr.
If you'd like Frogbot to scan every pull request without the need to approve the scan by one of the project maintainers, the scanned repository must be private (not have public access). If the project is public, the approval step cannot be removed.
Hey @yalamarthisr, Frogbot detects the project's technology by looking for relevant package descriptors. Is there a .sln/.csproj file in the root repository of your project?
BTW, by looking at your yaml file, it seems that you didn't configure your JFrog Platform URL. The JF_REQUIREMENTS_FILE isn't relevant for .NET projects, it's relevant for Pip projects. If you want to use another working directory, please read about the frogbot-config.yml file.
@omerzi Thank you for the reply. I intentionally removed the Platform URL before pasting it here. I am reading through the following: frogbot/docs/templates/.frogbot/frogbot-config.yml, lines 27 to 30 in 5bd50f6.
Thanks
Sri
@yalamarthisr,
Adding to @omerzi's message, you do have the option of installing jfrog-cli and running the "jf restore" command inside the GitHub workflow just before running Frogbot. This will work. However, since Frogbot will support restoring the dependencies from Artifactory really soon, you can also wait a bit for Frogbot to support this. This functionality will become available by the end of the month, but most probably sooner.
We're here to assist you with any follow-up question.
@eyalbe4, in this case I don't think I should use the .frogbot/frogbot-config.yml file, right?
@eyalbe4 Thank you. I am able to scan my repo. Is there any way that we can automate this without manually approving the scan of the repo?
@yalamarthisr,
We're happy to hear that Frogbot works for you now!
By deleting the environment section from your workflow, every new PR will be automatically scanned by Frogbot, without the need for approval.
Please note that for security reasons, Frogbot will enforce this approval step by failing the scan, if your GitHub repository is public.
Let us know if you have follow-up questions or suggestions.
@eyalbe4 Thank you!!! I didn't get this statement well.
Please note that for security reasons, Frogbot will enforce this approval step by failing the scan, if your GitHub repository is public.
@eyalbe4 Apologies, I am asking multiple questions on this. Is there a way we can also see these results or scan lists in our JFrog Artifactory UI under the Xray tab?
Hi @omerzi, @eyalbe4, is there any way we can see the vulnerabilities reported under JFrog Xray in the UI?
@yalamarthisr,
Sorry for the late response to your last question. We encourage you to ask any question here. We're happy to assist here. Frogbot scans are currently not shown in the JFrog Xray UI, but this is something that we're considering adding in the future. Please share with us your needs in terms of the scans' visibility.
Hi @eyalbe4, we have a branch specified in .frogbot/frogbot-config.yaml like
- params:
    git:
      repoName: test
      branches:
        - main
which means it only scans the vulnerabilities in main? When a PR is raised to the main branch, it is scanning only the main branch instead of the branch from where the PR is raised. How can we achieve something like this?
Hi @omerzi, I have restored the dependencies and even built the code. Initially it was scanning all the projects, and in the end I am getting this error. If possible, can I get some help here? Thanks
20:10:57 [Info] test downloaded successfully, starting with repository extraction
20:11:01 [Info] extracted repository successfully
20:11:01 [Info] Auditing project: C:\Users\RUNNER~1\AppData\Local\Temp\jfrog.cli.temp.-1678479057-1584659595\CoreServices
20:11:01 [Info] Detected: nuget, dotnet.
Error: 6 [Error] audit command in C:\Users\RUNNER~1\AppData\Local\Temp\jfrog.cli.temp.-1678479057-1584659595\CoreServices failed:
'nuget' audit command failed:
No dependencies were found. Please try to build your project and re-run the audit command.
Error: The process 'C:\hostedtoolcache\windows\frogbot\[RELEASE]\x64\frogbot.exe' failed with exit code 1
As for your first question about the Pull Requests Scanning functionality -
Regardless of the target branch / branches configured (the "main" branch is the target in your case), the pull request's source branch will be scanned. Frogbot is looking for vulnerabilities on the source branch, not the target branch.
As for the following error you received -
No dependencies were found. Please try to build your project and re-run the audit command.
it looks like the project dependencies aren't cached locally when Frogbot starts scanning the project. Did you configure the installCommand in your frogbot-config.yml?
@eyalbe4 Thank you for the response. Since we needed to install dependencies from Artifactory, I installed my dependencies and even built the code in the frogbot-scan-pr.yaml workflow and not in .frogbot/frogbot-config.yml. If I use installCommand, how can I authenticate to Artifactory? It's strange that I am not getting the above error when I add includeAllVulnerabilities: true in frogbot-config.yaml.
We had a case where our dev tried to fix the vulnerabilities we found in the dependencies. His feature branch has the fix, and after he raised a PR to main, the Frogbot scan ran and it still shows the vulnerabilities from main and not from the source/feature branch.
@yalamarthisr,
We have just published a new release of Frogbot, which allows downloading all the project dependencies from Artifactory, without having to install them before Frogbot gets executed. You'll need to set the repository property with the name of the Artifactory repository from which the project dependencies should be downloaded inside your frogbot-config.yml file. Make sure to set the installCommand as well.
Will you be able to try this out and let us know if this resolves the below error for you, regardless of whether the includeAllVulnerabilities: true property is set?
No dependencies were found. Please try to build your project and re-run the audit command.
Let us know if you encounter other issues.
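Putting the guidance from this thread together, here is an added example of a .frogbot/frogbot-config.yml for the .NET project discussed above; it is not the page's own file nor the Frogbot project's template. The repoName, branches, installCommand, repository and includeAllVulnerabilities keys come from the thread; the scan, projects and workingDirs keys, the CoreServices directory and the nuget-remote repository name are assumptions.

```yaml
# Added example (not from the thread above). Keys marked "assumed"
# are not shown anywhere in the thread.
- params:
    git:
      repoName: test            # repository name, as in the thread
      branches:
        - main                  # PR target branch; Frogbot scans the PR's source branch
    scan:                       # assumed section name
      # Report all vulnerabilities, not only the ones the PR introduces
      # (the setting the thread says hides the "No dependencies were found" error).
      includeAllVulnerabilities: true
      projects:                 # assumed: one entry per project / working dir
        - workingDirs:
            - CoreServices      # assumed: directory that holds the .sln/.csproj
          # Run before the audit so dependencies are cached locally.
          installCommand: dotnet restore
          # Artifactory repository the dependencies are resolved from (assumed name).
          repository: nuget-remote
```

Credentials for Artifactory do not go in this file: Frogbot uses the JFrog Platform URL and credentials configured in the workflow, which the thread notes were missing from the posted yaml.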
@eyalbe4 Thank you. I will try that out. We also see something strange in the JFrog Xray UI: we have seen no vulnerabilities for the Elastic APM package, and in the Frogbot scan results we can see the same dependency as a vulnerability. Attached the images.
@yalamarthisr,
The Elastic.Apm.NetCoreAll was found vulnerable by Frogbot, because Frogbot found that it uses a vulnerable dependency named System.Net.Security. Let us check this further and we'll let you know what we see.
@yalamarthisr
That's actually right. Elastic.Apm.NetCoreAll is indeed not vulnerable by itself, and that is what you see on the UI. Xray's UI shows vulnerabilities assigned directly to the component. Frogbot runs a dependency tree scan and scans all direct and sub dependencies. You can see on the Frogbot table that the vulnerable dependency is System.Net.Security, and the direct dependency that brings System.Net.Security to your project is Elastic.Apm.NetCoreAll.