Comments (10)
Hi @vinodhini-devops, thank you for bringing up this issue
By default, Frogbot is expected to remove all of its previous comments during a rerun and add only the current one. Did you observe duplicate comments when running Frogbot multiple times on the same PR? could you provide a log (with DEBUG level) of the second run? This will assist me in investigating the issue, as it should have deleted the old comments.
Have you attempted to exclude the JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION altogether, even if it is set to false?
Concerning the suggestion of not commenting at all when no issues are found, could you please elaborate on why you'd like this feature added? What is the rationale behind not wanting to see a single comment in such cases?
Thank you once again.
from frogbot.
Hi @attiasas,
Yes, on the second run, the existing comments are still there and new ones are added.
Logs:

```
02:24:00 [Debug] JFrog Xray version is: 3.80.9
02:24:00 [Debug] Artifactory response: 200 OK
02:24:00 [Debug] JFrog Artifactory version is: 7.68.14
02:24:00 [Debug] Sending HTTP POST request to: https://artifactory.kla-tencor.com/artifactory/api/system/usage
02:24:01 [Debug] Fetching pull requests by id in virgo
02:24:01 [Info] Scanning Pull Request #8232 (from source branch: <KLA-GPG/virgo/users/viraghu/vino-xray-pr> to target branch: <KLA-GPG/virgo/3.X>)
02:24:01 [Info] -----------------------------------------------------------
02:24:01 [Debug] Downloading <KLA-GPG/virgo/users/viraghu/vino-xray-pr> to: '/tmp/jfrog.cli.temp.-1708597441-150988911'
02:24:01 [Debug] Download url: https://dev.azure.com/kla-gpg/Virgo/_apis/git/repositories/virgo/items/items?path=/&versionDescriptor[version]=users/viraghu/vino-xray-pr&$format=zip
02:24:02 [Info] virgo repository downloaded successfully. Starting with repository extraction...
02:24:04 [Info] Extracted repository successfully
02:24:04 [Debug] Repository download completed
02:24:04 [Info] Scanning source branch...
02:24:04 [Debug] Sending HTTP GET request to: https://artifactory.kla-tencor.com/xray/api/v1/system/version
02:24:04 [Debug] Sending HTTP GET request to: https://artifactory.kla-tencor.com/xray/api/v1/entitlements/feature/contextual_analysis
02:24:04 [Debug] The path '/tmp/jfrog.cli.temp.-1708597441-150988911/metajob/client/.gitignore' is excluded
02:24:04 [Info] Couldn't determine a package manager or build tool used by this project. Skipping the SCA scan...
02:24:04 [Debug] Downloading <KLA-GPG/virgo/3.X> to: '/tmp/jfrog.cli.temp.-1708597444-3671778060'
02:24:04 [Debug] Download url: https://dev.azure.com/kla-gpg/Virgo/_apis/git/repositories/virgo/items/items?path=/&versionDescriptor[version]=3.X&$format=zip
02:24:04 [Info] virgo repository downloaded successfully. Starting with repository extraction...
02:24:06 [Info] Extracted repository successfully
02:24:06 [Debug] Repository download completed
02:24:06 [Info] Scanning target branch...
02:24:06 [Debug] Sending HTTP GET request to: https://artifactory.kla-tencor.com/xray/api/v1/system/version
02:24:06 [Debug] Sending HTTP GET request to: https://artifactory.kla-tencor.com/xray/api/v1/entitlements/feature/contextual_analysis
02:24:06 [Debug] The path '/tmp/jfrog.cli.temp.-1708597444-3671778060/metajob/client/.gitignore' is excluded
02:24:06 [Info] Couldn't determine a package manager or build tool used by this project. Skipping the SCA scan...
02:24:06 [Info] Frogbot "scan-pull-request" command finished successfully
Finishing: Download and Run Frogbot Scan
```
My config:

```yaml
steps:
  - task: CmdLine@2
    condition: eq(variables['Build.Reason'], 'PullRequest')
    displayName: 'Download and Run Frogbot Scan'
    env:
      JF_WATCHES: $(xray_watch_policyname)
      JF_GIT_PULL_REQUEST_ID: $(System.PullRequest.PullRequestId)
      JF_GIT_BASE_BRANCH: $(System.PullRequest.TargetBranch)
      JF_GIT_PROJECT: $(System.TeamProject)
      JF_GIT_API_ENDPOINT: $(System.CollectionUri)
      JF_GIT_TOKEN: $(access-token-pat)
      JF_VULN_CONTEXTUAL_ANALYSIS: TRUE
      JF_URL: $(artifactoryurl)
      JF_ACCESS_TOKEN: $(jfrog-identity-token)
      JFROG_CLI_LOG_LEVEL: "DEBUG"
      JF_GIT_OWNER: "KLA-GPG"
      JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: TRUE
      JF_GIT_REPO: "virgo"
      JF_RELEASES_REPO: ""
      JF_GIT_PROVIDER: "azureRepos"
      JF_FAIL: FALSE
      JF_INCLUDE_ALL_VULNERABILITIES: FALSE
      JF_WORKING_DIR: ${{ parameters.componentName }}/${{ parameters.subcomponentname }}
      JF_AVOID_EXTRA_MESSAGES: true # to avoid extra messages in the comment from JFROG
      JF_PR_COMMENT_TITLE: ${{ parameters.componentName }}/${{ parameters.subcomponentname }}Report
      JF_PATH_EXCLUSIONS: ""
    inputs:
      script: |
        export HOME="/usr/share/maven"
        export M2="$HOME/bin"
        export MAVEN_OPTS="-Xms256m -Xmx512m"
        export PATH="$M2:$PATH"
        mvn --version
        getFrogbotScriptPath=$(if [ -z "$JF_RELEASES_REPO" ]; then echo "https://releases.jfrog.io"; else echo "${JF_URL}/artifactory/${JF_RELEASES_REPO}"; fi)
        curl -fLg "$getFrogbotScriptPath/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh
        ./frogbot spr
        #./frogbot scan-and-fix-repos $(Build.SourceBranch)
    continueOnError: true
```
If there are no issues found, then in our case we don't need comments; the basic idea is to have a clean PR.
Hi @vinodhini-devops, the config you shared has JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: TRUE, so with that it will not delete the old one. As mentioned, can you attempt to exclude JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION altogether and send the logs?
@attiasas, you want me to remove JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION from the config and try it?
@attiasas, I tried excluding JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION; only one comment is added.
This is not what I'm expecting. My PR has multiple builds and multiple components; each component gets scanned by Frogbot and the comment is updated accordingly, so in the end I am able to see only one comment, the one for the last component that got scanned.
Logs:

```
Frogbot downloaded successfully!
04:26:08 [Info] Frogbot version: 2.19.10
04:26:08 [Debug] Attempting to download frogbot-config.yml from KLA-GPG/virgo
04:26:08 [Debug] The frogbot-config.yml will be downloaded from refs/heads/3.X branch
04:26:08 [Debug] The .frogbot/frogbot-config.yml file wasn't recognized in <KLA-GPG/virgo>
04:26:08 [Debug] Locking config file to run config AddOrEdit command.
04:26:08 [Debug] Creating lock in: /tmp/jfrog.cli.temp.-1708604768-1063572001/locks/config
04:26:08 [Debug] Sending HTTP HEAD request to: 'https://github.com/jfrog/frogbot'
04:26:08 [Warn] couldn't extract payload from Access Token. The provided access token is not a valid JWT, probably a reference token. Some package managers only support basic authentication which requires also a username. If you plan to work with one of those package managers, please provide a username.
04:26:08 [Debug] Releasing lock: /tmp/jfrog.cli.temp.-1708604768-1063572001/locks/config/jfrog-cli.conf.lck.8570.1708604768486947253
04:26:08 [Debug] Config AddOrEdit command completed successfully. config file is released.
04:26:08 [Debug] Usage Report: Sending info...
04:26:08 [Info] Running Frogbot "scan-pull-request" command
04:26:08 [Debug] Sending HTTP POST request to: https://usage-ecosystem.jfrog.io/api/usage/report
04:26:08 [Debug] Sending HTTP GET request to: https://artifactory.kla-tencor.com/xray/api/v1/system/version
04:26:08 [Debug] Sending HTTP GET request to: https://artifactory.kla-tencor.com/artifactory/api/system/version
04:26:08 [Debug] JFrog Xray version is: 3.80.9
04:26:08 [Debug] Artifactory response: 200 OK
04:26:08 [Debug] JFrog Artifactory version is: 7.68.14
04:26:08 [Debug] Sending HTTP POST request to: https://artifactory.kla-tencor.com/artifactory/api/system/usage
04:26:09 [Debug] Fetching pull requests by id in virgo
04:26:09 [Info] Scanning Pull Request #8232 (from source branch: <KLA-GPG/virgo/users/viraghu/vino-xray-pr> to target branch: <KLA-GPG/virgo/3.X>)
04:26:09 [Info] -----------------------------------------------------------
04:26:09 [Debug] Downloading <KLA-GPG/virgo/users/viraghu/vino-xray-pr> to: '/tmp/jfrog.cli.temp.-1708604769-2631806183'
04:26:09 [Debug] Download url: https://dev.azure.com/kla-gpg/Virgo/_apis/git/repositories/virgo/items/items?path=/&versionDescriptor[version]=users/viraghu/vino-xray-pr&$format=zip
04:26:09 [Info] virgo repository downloaded successfully. Starting with repository extraction...
04:26:11 [Info] Extracted repository successfully
04:26:11 [Debug] Repository download completed
```
My expectation is that during the second run on the PR, the existing comments must be deleted and only the new ones added. @attiasas
@vinodhini-devops, if the env var was not set, I would expect to see the following in the DEBUG log:

```
Looking for an existing Frogbot pull request comment. Deleting it if it exists...
```

As implemented here:
https://github.com/jfrog/frogbot/blob/master/utils/comment.go#L40

It seems that in the run logs you shared this is set to true, because we can't see that line and no error was reported.
It can come either from the environment variable JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION, or from the frogbot-config, where avoidPreviousPrCommentsDeletion in the scan section is set to true.
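The diagnostic the maintainer describes above (look for the comment-deletion marker line in a DEBUG log; if it is absent, previous comments were retained) can be scripted so it runs in the same pipeline step. The helper below is an added example, not Frogbot code or anything posted in this thread. It assumes only the marker text quoted above and the JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION variable name; the two sample logs it writes are constructed for illustration, and the log level shown for the marker line is an assumption.

```shell
#!/bin/sh
# Added diagnostic helper (not part of Frogbot): read a Frogbot DEBUG log and
# report whether the run attempted to delete previous PR comments, using the
# marker line the maintainer quoted from utils/comment.go. Also check whether
# JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION is present in the environment at all,
# since the advice in the thread is to remove it rather than set it to false.

DELETION_MARKER='Looking for an existing Frogbot pull request comment. Deleting it if it exists...'

# deletion_attempted LOGFILE -> exit 0 if the marker line appears in the log.
deletion_attempted() {
  grep -qF "$DELETION_MARKER" "$1"
}

# avoid_var_present -> exit 0 if JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION is set
# to any value, including "false" or an empty string.
avoid_var_present() {
  [ -n "${JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION+set}" ]
}

# diagnose LOGFILE -> prints one verdict word:
#   deleted   the run looked for and removed previous Frogbot comments
#   retained  the marker is absent, so previous comments were kept; the env
#             var or avoidPreviousPrCommentsDeletion in frogbot-config is
#             the likely cause
diagnose() {
  if deletion_attempted "$1"; then
    echo deleted
  else
    echo retained
  fi
}

# Constructed sample logs (not copied from the thread). Each function writes
# its sample to the path given as $1.
write_retaining_log() {
  cat > "$1" <<'EOF'
04:26:08 [Info] Running Frogbot "scan-pull-request" command
04:26:09 [Info] Scanning Pull Request #1 (from source branch: <org/repo/feature> to target branch: <org/repo/main>)
04:26:11 [Info] Frogbot "scan-pull-request" command finished successfully
EOF
}

write_deleting_log() {
  cat > "$1" <<'EOF'
04:30:00 [Info] Running Frogbot "scan-pull-request" command
04:30:01 [Info] Scanning Pull Request #1 (from source branch: <org/repo/feature> to target branch: <org/repo/main>)
04:30:02 [Debug] Looking for an existing Frogbot pull request comment. Deleting it if it exists...
04:30:03 [Info] Frogbot "scan-pull-request" command finished successfully
EOF
}

# Stand-alone run: diagnose both samples and report the environment.
main() {
  tmp=$(mktemp -d)
  write_retaining_log "$tmp/retaining.log"
  write_deleting_log "$tmp/deleting.log"
  echo "retaining.log: $(diagnose "$tmp/retaining.log")"
  echo "deleting.log:  $(diagnose "$tmp/deleting.log")"
  if avoid_var_present; then
    echo "JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION is set to '${JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION}'; unset it to let Frogbot delete previous comments"
  else
    echo "JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION is not set"
  fi
  rm -rf "$tmp"
}

main "$@"
```

In a pipeline you would tee the Frogbot output to a file (`./frogbot spr 2>&1 | tee frogbot.log`) and then call `diagnose frogbot.log`; a `retained` verdict on a run that was expected to clean up tells you to look at the environment and at the scan section of frogbot-config.yml.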
If you are running concurrent scanning of pull requests, we cannot determine when it will end. For each process of Frogbot, it will first delete the old comments and then comment with the new ones (or it may not delete at all). You can set a custom PullRequestCommentTitle for each run by configuring 'JF_PR_COMMENT_TITLE' to ensure that each comment corresponds to its respective run.
If this is not meeting your expectations, please provide more details so that I can better understand and assist you if possible.
Hello @vinodhini-devops,
Did the answers above satisfy your needs? Do you need any further assistance, or do you have any further questions about the subject we can help with?