Comments (21)

omerzi commented on May 24, 2024

Hey @yalamarthisr, at the moment, we do not support resolving dependencies through Artifactory on Frogbot. However, this feature is currently in development and should be released soon. I'll keep you updated.

eyalbe4 commented on May 24, 2024

@yalamarthisr -
The frogbot/frogbot-config.yml file is the way to go in any case. It includes information that Frogbot needs, like your git repository name and the branches to scan. Also, once Frogbot has the ability to restore dependencies from Artifactory, Frogbot will use the information about the working dir and install command (dotnet restore, for example) stored in the frogbot/frogbot-config.yml file.

eyalbe4 commented on May 24, 2024

Sure @yalamarthisr.
If you'd like Frogbot to scan every pull request without the need to approve the scan by one of the project maintainers, the scanned repository must be private (not have public access). If the project is public, the approval step cannot be removed.

omerzi commented on May 24, 2024

Hey @yalamarthisr, Frogbot detects the project's technology by looking for relevant package descriptors. Is there a .sln/.csproj file in the root repository of your project?
BTW, by looking at your yaml file, it seems that you didn't configure your JFrog Platform URL. The JF_REQUIREMENTS_FILE isn't relevant for .NET projects, it's relevant for Pip projects. If you want to use another working directory, please read about the frogbot-config.yml file.

yalamarthisr commented on May 24, 2024

@omerzi Thank you for the reply. I intentionally removed the Platform URL before pasting it here. I am reading through the following

projects:
# [Mandatory for projects which use npm, yarn 2, nuget and dotnet to download their dependencies]
# Installation command (e.g. npm i, nuget restore)
# - installCommand: ""
and seeing that we can do code analysis with nuget restore or dotnet restore. While doing that, how do we pass authentication to our Artifactory? We typically use jfrog rt dotnet restore ${{ env.SOLUTION_PATH }} to restore the projects. If we use nuget restore or dotnet restore, how can we pass authentication for JFrog Artifactory in .frogbot/frogbot-config.yml?

Thanks
Sri

eyalbe4 commented on May 24, 2024

@yalamarthisr,
Adding to @omerzi's message, you do have the option of installing jfrog-cli and running the "jf restore" command inside the GitHub workflow just before running Frogbot. This will work. However, since Frogbot will support restoring the dependencies from Artifactory really soon, you can also wait a bit for Frogbot to support this. This functionality will become available by the end of the month, but most probably sooner.
We're here to assist you with any follow-up question.

yalamarthisr commented on May 24, 2024

@eyalbe4, in this case I don't think I should use the .frogbot/frogbot-config.yml file, right?

yalamarthisr commented on May 24, 2024

@eyalbe4 Thank you. I am able to scan my repo. Is there any way that we can automate this without manually approving the scan of the repo?

eyalbe4 commented on May 24, 2024

@yalamarthisr,
We're happy to hear that Frogbot works for you now!
By deleting the environment section from your workflow, every new PR will be automatically scanned by Frogbot, without the need for approval.
[image]

Please note that for security reasons, Frogbot will enforce this approval step by failing the scan, if your GitHub repository is public.
Let us know if you have follow-up questions or suggestions.

yalamarthisr commented on May 24, 2024

@eyalbe4 Thank you!!! I didn't get this statement well.
Please note that for security reasons, Frogbot will enforce this approval step by failing the scan, if your GitHub repository is public.

yalamarthisr commented on May 24, 2024

@eyalbe4 Apologies, I am asking multiple questions on this. Is there a way we can also see these results or scan lists in our JFrog Artifactory UI under the Xray tab?
[image: Xray]

yalamarthisr commented on May 24, 2024

Hi @omerzi, @eyalbe4, is there any way we can see the reported vulnerabilities under JFrog Xray in the UI?

eyalbe4 commented on May 24, 2024

@yalamarthisr,
Sorry for the late response to your last question. We encourage you to ask any question here. We're happy to assist here. Frogbot scans are currently not shown in the JFrog Xray UI, but this is something that we're considering adding in the future. Please share with us your needs in terms of the scans' visibility.

yalamarthisr commented on May 24, 2024

Hi @eyalbe4, we have a branch specified in .frogbot/frogbot-config.yaml like

- params:
    git:
      repoName: test
      branches:
        - main

which means it only scans for vulnerabilities in main? When a PR is raised to the main branch it is scanning only the main branch instead of the branch from which the PR is raised. How can we achieve something like this?

yalamarthisr commented on May 24, 2024

Hi @omerzi, I have restored the dependencies and even built the code. Initially it was scanning all the projects, and in the end I am getting this error. If possible, can I get some help here? Thanks

20:10:57 [Info] test downloaded successfully, starting with repository extraction
20:11:01 [Info] extracted repository successfully
20:11:01 [Info] Auditing project: C:\Users\RUNNER~1\AppData\Local\Temp\jfrog.cli.temp.-1678479057-1584659595\CoreServices
20:11:01 [Info] Detected: nuget, dotnet.
Error: 6 [Error] audit command in C:\Users\RUNNER~1\AppData\Local\Temp\jfrog.cli.temp.-1678479057-1584659595\CoreServices failed:
'nuget' audit command failed:
No dependencies were found. Please try to build your project and re-run the audit command.
Error: The process 'C:\hostedtoolcache\windows\frogbot\[RELEASE]\x64\frogbot.exe' failed with exit code 1

eyalbe4 commented on May 24, 2024

@yalamarthisr,

As for your first question about the Pull Requests Scanning functionality -
For pull requests, regardless of the target branch / branches configured (the "main" branch is the target in your case), the pull request's source branch will be scanned. Frogbot is looking for vulnerabilities on the source branch, not the target branch.

As for the following error you received -

No dependencies were found. Please try to build your project and re-run the audit command.

it looks like the project dependencies aren't cached locally when Frogbot starts scanning the project. Did you configure the installCommand in your frogbot-config.yml?

yalamarthisr commented on May 24, 2024

@eyalbe4 Thank you for the response. Since we needed to install dependencies from Artifactory, I installed my dependencies and even built the code in the frogbot-scan-pr.yaml workflow and not in .frogbot/frogbot-config.yml. If I use installCommand, how can I authenticate to Artifactory? It's strange that I am not getting the above error when I add includeAllVulnerabilities: true in frogbot-config.yaml.
We had a case where one of our devs tried to fix the vulnerabilities we found in the dependencies. His feature branch has the fix, and after he raised a PR to main the Frogbot scan ran and it still shows the vulnerabilities from main and not from the source/feature branch.

eyalbe4 commented on May 24, 2024

@yalamarthisr,
We have just published a new release of Frogbot, which allows downloading all the project dependencies from Artifactory, without having to install them before Frogbot gets executed. You'll need to set the repository property with the name of the Artifactory repository from which the project dependencies should be downloaded inside your frogbot-config.yml file. Make sure to set the installCommand as well.
Will you be able to try this out and let us know if it resolves the below error for you, regardless of whether the includeAllVulnerabilities: true property is set?

No dependencies were found. Please try to build your project and re-run the audit command.

Let us know if you encounter other issues.
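The configuration described in this reply and in the earlier branches question, as an added example that is not from the thread or from the Frogbot project. The property names repoName, branches, installCommand, includeAllVulnerabilities and repository are the ones discussed in the thread; the scan/projects nesting follows the layout of Frogbot's config template; the values "test", "src" and "nuget-remote" are assumed placeholders:

```yaml
# .frogbot/frogbot-config.yml (added example; values are assumed)
- params:
    git:
      repoName: test
      branches:
        # Target branches whose pull requests Frogbot scans. The scan itself runs
        # on the PR's source branch; this list only selects which PR targets count.
        - main
    scan:
      includeAllVulnerabilities: true
      projects:
        - workingDirs:
            # Directory that holds the .sln/.csproj files (assumed path)
            - src
          # Frogbot runs this before auditing, so the dependency cache is populated
          # and the "No dependencies were found" error does not occur.
          installCommand: dotnet restore
          # Artifactory repository (assumed name of a remote/virtual NuGet repo) from
          # which Frogbot resolves the dependencies while running installCommand.
          # No credentials live in this file; Frogbot reads JF_URL and JF_ACCESS_TOKEN
          # (or JF_USER / JF_PASSWORD) from the workflow environment.
          repository: nuget-remote
```

Keeping the Artifactory credentials in the workflow's GitHub secrets rather than in this committed file is the point of the split: the config file only names the repository, and the same secrets Frogbot already needs for the Xray scan are reused for dependency resolution.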

yalamarthisr commented on May 24, 2024

@eyalbe4 Thank you. I will try that out. We also see something strange: in the JFrog Xray UI we have seen no vulnerabilities for the Elastic APM package, and in the Frogbot scan results we can see the same dependency as a vulnerability. Attached are the images.
[image: frogbot_res]
[image: xray_res]

eyalbe4 commented on May 24, 2024

@yalamarthisr,
The Elastic.Apm.NetCoreAll was found vulnerable by Frogbot, because Frogbot found that it uses a vulnerable dependency named System.Net.Security. Let us check this further and we'll let you know what we see.

sverdlov93 commented on May 24, 2024

@yalamarthisr
That's actually right.
Elastic.Apm.NetCoreAll is indeed not vulnerable by itself and that is what you see on the UI.
Xray's UI shows vulnerabilities assigned directly to the component.

Frogbot runs a dependency tree scan and scans all direct and sub dependencies.
You can see in the Frogbot table that the vulnerable dependency is system.net.security, and the direct dependency that brings system.net.security into your project is Elastic.Apm.NetCoreAll.

@eyalbe4
