How does frogbot decide when to create a pull request? about frogbot HOT 2 CLOSED

Hello @juv, thank you for using Frogbot.

Frogbot generates a dependency graph and forwards it to Xray to determine whether there's a dependency linked to a vulnerable version. When Frogbot identifies a direct dependency that can be resolved by adjusting its version to a non-vulnerable one, it initiates a pull request containing the necessary modifications.

Upon reviewing our vulnerabilities database, I've found that both ch.qos.logback:logback-classic and ch.qos.logback:logback-core dependencies fall within the versions between (,1.3.12) and [1.4.0,1.4.12), which are vulnerable. These entries have been present in our database since Nov 29, 23:59. Do you happen to have one of these dependencies with a vulnerable version as a direct dependency in your pom.xml?

Thank you.

Hi, thanks for the quick reply and for explaining the process!
We are using logback version 1.4.12 in two repos, which is unaffected by the CVEs above. I was mistaking in my assumption that Frogbot would also create a pull request, in a sense to update this minor version to the most recent patch version after a vulnerability has been found in "surrounding" versions.

from frogbot.

Hello @juv, thank you for using Frogbot.

Frogbot generates a dependency graph and forwards it to Xray to determine whether there's a dependency linked to a vulnerable version. When Frogbot identifies a direct dependency that can be resolved by adjusting its version to a non-vulnerable one, it initiates a pull request containing the necessary modifications.

Upon reviewing our vulnerabilities database, I've found that both ch.qos.logback:logback-classic and ch.qos.logback:logback-core dependencies fall within the versions between (,1.3.12) and [1.4.0,1.4.12), which are vulnerable. These entries have been present in our database since Nov 29, 23:59. Do you happen to have one of these dependencies with a vulnerable version as a direct dependency in your pom.xml?

Thank you.

from frogbot.