jfrog / frogbot
🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
Home Page: https://docs.jfrog-applications.jfrog.io/
License: Apache License 2.0
Running frogbot scan-pull-request in a GitLab CI job ends with an error.
The issue is related to using the Gradle Artifactory plugin.
The same issue happens with the jfrog-cli command jf audit.
But with setting the config option jf gradle-config --uses-plugin it works. As described in jfrog/jfrog-cli#1404
Error:
An exception occurred applying plugin request [id: 'com.jfrog.artifactory', version: '4.29.4']
> Failed to apply plugin 'com.jfrog.artifactory'.
> Cannot cast object 'org.jfrog.gradle.plugin.artifactory.dsl.ArtifactoryPluginConvention@da6fc6c' with class 'org.jfrog.gradle.plugin.artifactory.dsl.ArtifactoryPluginConvention' to class 'org.jfrog.gradle.plugin.artifactory.dsl.ArtifactoryPluginConvention'
Use Gradle Artifactory plugin in the project
Set jf gradle-config --uses-plugin
Run frogbot scan-pull-request
The option --uses-plugin is applied to frogbot the same as for jfrog-cli
2.4.1
Gradle 7.6
GitLab
No response
Alpine Linux 3.17
No response
Describe the bug
I can't scan yarn projects
To Reproduce
Given the Jenkins pipeline:
pipeline {
    agent {
        docker {
            image 'node:16'
        }
    }
    parameters {
        string name: 'project', trim: true, description: 'Bitbucket project'
        string name: 'repo', trim: true, description: 'Bitbucket repository'
        string name: 'deps_cmd', trim: true, description: 'The command that installs the project dependencies'
        booleanParam name: 'all_vulns', description: 'Displays all existing vulnerabilities'
    }
    environment {
        JF_ACCESS_TOKEN=credentials("JF_ACCESS_TOKEN_XRAY")
        JF_GIT_API_ENDPOINT="https://bitbucket.redacted.org/rest"
        JF_GIT_PROVIDER="bitbucketServer"
        JF_GIT_TOKEN=credentials("JF_GIT_TOKEN")
        JF_URL=credentials("JF_URL")
    }
    stages {
        stage('Download Frogbot') {
            steps {
                sh """curl -fLg "https://releases.jfrog.io/artifactory/frogbot/v2/2.1.3/getFrogbot.sh" | sh"""
            }
        }
        stage ('Scan Pull Requests') {
            steps {
                withEnv(["JF_INSTALL_DEPS_CMD=$params.deps_cmd",
                         "JF_GIT_OWNER=$params.project",
                         "JF_GIT_REPO=$params.repo",
                         "JF_INCLUDE_ALL_VULNERABILITIES=$params.all_vulns"]) {
                    sh "./frogbot scan-pull-requests"
                }
            }
        }
    }
}
parameter JF_INSTALL_DEPS_CMD is yarn install
Getting this error output:
+ ./frogbot scan-pull-requests
13:06:43 [Info] Running Frogbot "scan-pull-requests" command
13:06:45 [Info] Auditing /tmp/jfrog.cli.temp.-1658322404-2045215346
13:06:45 [Info] Executing 'yarn' [install] at /tmp/jfrog.cli.temp.-1658322404-2045215346
13:09:11 [Info] Detected: Yarn.
panic: runtime error: slice bounds out of range [1:0]
goroutine 1 [running]:
github.com/jfrog/build-info-go/build/utils.(*YarnDependency).Name(...)
/root/go/pkg/mod/github.com/jfrog/[email protected]/build/utils/yarn.go:183
github.com/jfrog/jfrog-cli-core/v2/xray/audit/yarn.getXrayDependencyId(0x0)
/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/audit/yarn/yarn.go:67 +0xb5
github.com/jfrog/jfrog-cli-core/v2/xray/audit/yarn.parseYarnDependenciesMap(0xc00003c150, 0x100b0b8)
/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/audit/yarn/yarn.go:54 +0x10c
github.com/jfrog/jfrog-cli-core/v2/xray/audit/yarn.buildYarnDependencyTree()
/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/audit/yarn/yarn.go:46 +0xf7
github.com/jfrog/jfrog-cli-core/v2/xray/audit/yarn.AuditYarn({{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0xe8412e, 0xa}, 0x0, ...}, ...)
/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/audit/yarn/yarn.go:18 +0x33
github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/generic.GenericAudit({{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0xe8412e, 0xa}, 0x0, ...}, ...)
/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/commands/audit/generic/auditmanager.go:42 +0x3a5
github.com/jfrog/frogbot/commands.runInstallAndAudit({{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0xe8412e, 0xa}, 0x0, ...}, ...)
/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequest.go:178 +0x1db
github.com/jfrog/frogbot/commands.auditSource({{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0xe8412e, 0xa}, 0x0, ...}, ...)
/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequest.go:122 +0x192
github.com/jfrog/frogbot/commands.scanPullRequest(0xc0004a3558, {0x101d2a0, 0xc00029a6c0})
/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequest.go:38 +0xec
github.com/jfrog/frogbot/commands.downloadAndScanPullRequest({0x30, {{0xc0000d3780, 0x36}, {0xc0002dae44, 0x9}}, {{0xc0002daf50, 0xf}, {0xc0002daf94, 0x9}}}, 0xc0000d4800, ...)
/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequests.go:130 +0x3ed
github.com/jfrog/frogbot/commands.scanAllPullRequests(0xc0000d4800, {0x101d2a0, 0xc00029a6c0})
/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequests.go:37 +0x297
github.com/jfrog/frogbot/commands.ScanAllPullRequestsCmd.Run(...)
/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequests.go:17
github.com/jfrog/frogbot/commands.Exec({0xff55c0, 0x1716828}, {0xe9c913, 0xc000280880})
/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/commands.go:28 +0x1d5
github.com/jfrog/frogbot/commands.GetCommands.func3(0xc0002e6360)
/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/commands.go:62 +0x32
github.com/urfave/cli/v2.(*Command).Run(0xc0002e6360, 0xc0002807c0)
/root/go/pkg/mod/github.com/urfave/cli/[email protected]/command.go:169 +0x6be
github.com/urfave/cli/v2.(*App).RunContext(0xc000133380, {0x1006f10, 0xc0000c4000}, {0xc0000b4000, 0x2, 0x2})
/root/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:341 +0x89c
github.com/urfave/cli/v2.(*App).Run(...)
/root/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:247
main.ExecMain()
/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/main.go:27 +0x158
main.main()
/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/main.go:16 +0x1e
Other projects (golang, java) can be scanned normally (with their specific docker agent).
Expected behavior
yarn projects can be scanned.
Versions
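The panic in the trace above is raised inside YarnDependency.Name, where a dependency locator string is sliced at an index that was never checked, so a degenerate entry produces a [1:0] slice. The following is an added example, not build-info-go's or Frogbot's own code: a parser for Yarn locators of the form name@npm:version and @scope/name@npm:version that validates every index before slicing and turns malformed input into an error instead of a crash. The locator format and the npm://name:version component id shape are assumptions about the data involved, not facts taken from the report.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// YarnLocator holds the parts of a Yarn dependency locator such as
// "lodash@npm:4.17.21" or "@babel/core@npm:7.0.0". The format is assumed
// from Yarn's JSON output; build-info-go's own representation may differ.
type YarnLocator struct {
	Name    string // package name, including any "@scope/" prefix
	Version string // resolved version, with the "npm:" protocol removed
}

// ParseYarnLocator splits a locator into name and version and never slices
// on an index it has not validated. A locator whose only '@' is the scope
// marker at position 0 is exactly the input that turns a naive value[1:idx]
// into an out-of-range slice such as [1:0]; here it is reported as an error.
func ParseYarnLocator(value string) (YarnLocator, error) {
	if value == "" {
		return YarnLocator{}, errors.New("empty yarn locator")
	}
	// Scoped names begin with '@', so the separator is the last '@', and it
	// must not be at index 0.
	sep := strings.LastIndex(value, "@")
	if sep <= 0 {
		return YarnLocator{}, fmt.Errorf("locator %q has no version separator", value)
	}
	name, ref := value[:sep], value[sep+1:]
	if ref == "" {
		return YarnLocator{}, fmt.Errorf("locator %q has no version", value)
	}
	version := strings.TrimPrefix(ref, "npm:")
	if version == "" {
		return YarnLocator{}, fmt.Errorf("locator %q has an empty version", value)
	}
	return YarnLocator{Name: name, Version: version}, nil
}

// XrayComponentID renders the locator in the "npm://name:version" form used
// for Xray component identifiers (assumed format).
func (l YarnLocator) XrayComponentID() string {
	return "npm://" + l.Name + ":" + l.Version
}

func main() {
	// Constructed sample inputs, including the degenerate ones a scanner must survive.
	samples := []string{"lodash@npm:4.17.21", "@babel/core@npm:7.0.0", "@", "", "left-pad@npm:"}
	for _, s := range samples {
		loc, err := ParseYarnLocator(s)
		if err != nil {
			fmt.Printf("skip %q: %v\n", s, err)
			continue
		}
		fmt.Println(loc.XrayComponentID())
	}
}
```

The design point is that a scanner running inside CI should degrade to a logged skip for one unparseable dependency rather than abort the whole audit, which is what a panic does.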
Is there a possibility to support integration for other CI frameworks in the future?
Is your feature request related to a problem? Please describe.
When multiple CVE are found for the same direct dependency, multiple MR are created, with the same fix.
Describe the solution you'd like to see
If multiple MR are fixing the same direct dependency, only one should be created.
Describe alternatives you've considered
Manually remove one of the two MR.
Additional context
Example with a project with a Django dependency on "4.1.0", which has two CVEs that are fixed in "4.1.7".
$ frogbot scan-and-fix-repos
08:41:22 [Info] Frogbot version: 2.6.0
08:41:22 [Debug] Downloading frogbot-config.yml from target my-group/test / django-demo-app / main
08:41:22 [Debug] Reading config from file system. Looking for .frogbot/frogbot-config.yml
08:41:22 [Debug] frogbot-config.yml wasn't found in /builds/cicd-common/frogbot/.frogbot/frogbot-config.yml. Searching for it in upstream directories
08:41:22 [Debug] Retrieving frogbot-config.yml failed with: config file is missing: frogbot-config.yml wasn't found in the Frogbot directory and its subdirectories. Assuming all the configuration is stored as environment variables
08:41:22 [Info] Running Frogbot "scan-and-fix-repos" command
08:41:22 [Debug] Usage Report: Sending info...
08:41:22 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/artifactory/api/system/version
08:41:22 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1678693282-179587785
08:41:22 [Debug] Downloading my-group/test/django-demo-app , branch: main to: /tmp/jfrog.cli.temp.-1678693282-179587785
08:41:22 [Debug] Artifactory response: 200
08:41:22 [Debug] JFrog Artifactory version is: 7.55.2
08:41:22 [Debug] Sending HTTP POST request to: https://jfrog.ourdomain/artifactory/api/system/usage
08:41:22 [Debug] Usage Report: Artifactory response: 200
08:41:22 [Debug] Usage Report: Usage info sent successfully.
08:41:22 [Info] django-demo-app downloaded successfully, starting with repository extraction
08:41:22 [Info] extracted repository successfully
08:41:22 [Debug] Repository download completed
08:41:22 [Info] Auditing project: /tmp/jfrog.cli.temp.-1678693282-179587785
08:41:22 [Info] Detected: poetry.
08:41:22 [Debug] Running "poetry install"
08:41:36 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/xray/api/v1/system/version
08:41:36 [Info] JFrog Xray version is: 3.67.9
08:41:36 [Info] Scanning module ...
08:41:36 [Debug] Sending HTTP POST request to: https://jfrog.ourdomain/xray/api/v1/scan/graph?scan_type=dependency
08:41:37 [Info] Waiting for scan to complete...
08:41:37 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/xray/api/v1/scan/graph/d8d156ca-6ee1-4266-40d7-0b297db6e52e?include_vulnerabilities=true
08:41:37 [Debug] Get Dependencies Scan results... (Attempt 1)
08:41:42 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/xray/api/v1/scan/graph/d8d156ca-6ee1-4266-40d7-0b297db6e52e?include_vulnerabilities=true
08:41:42 [Info] Xray scan completed
08:41:42 [Debug] Upload Scan to GitLab is currently unsupported.
08:41:42 [Info] Found 2 vulnerable dependencies with fix versions
08:41:42 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1678693302-807964792
08:41:42 [Info] Cloning repository with these details:
Clone url: https://gitlab.ourdomain/my-group/test/django-demo-app.git remote name: origin, branch: refs/heads/main
08:41:42 [Debug] Project cloned from https://gitlab.ourdomain/my-group/test/django-demo-app.git to /tmp/jfrog.cli.temp.-1678693302-807964792
08:41:42 [Info] -----------------------------------------------------------------
08:41:42 [Info] Start fixing Django with 4.1.7
08:41:42 [Info] Creating branch: frogbot-Django-dac15f3245623e152ec5a946b7d4eac0
08:41:42 [Debug] Running 'poetry add Django==4.1.7'
08:41:56 [Debug] Running 'poetry update'
08:42:07 [Info] Checking if there are changes to commit
08:42:07 [Info] Running git add all and commit
08:42:07 [Info] Pushing fix branch: frogbot-Django-dac15f3245623e152ec5a946b7d4eac0
08:42:08 [Info] Creating Pull Request form: frogbot-Django-dac15f3245623e152ec5a946b7d4eac0 to: main
08:42:08 [Debug] creating new merge request: [ Frogbot] Upgrade Django to 4.1.7
08:42:08 [Info] Running git checkout to base branch: main
08:42:08 [Info] -----------------------------------------------------------------
08:42:08 [Info] Start fixing django with 4.1.7
08:42:09 [Info] Creating branch: frogbot-django-54007012d6a36ea8eeea9a214904c0ab
08:42:09 [Debug] Running 'poetry add django==4.1.7'
08:42:16 [Debug] Running 'poetry update'
08:42:26 [Info] Checking if there are changes to commit
08:42:26 [Info] Running git add all and commit
08:42:26 [Info] Pushing fix branch: frogbot-django-54007012d6a36ea8eeea9a214904c0ab
08:42:27 [Info] Creating Pull Request form: frogbot-django-54007012d6a36ea8eeea9a214904c0ab to: main
08:42:27 [Debug] creating new merge request: [ Frogbot] Upgrade django to 4.1.7
08:42:27 [Info] Running git checkout to base branch: main
08:42:27 [Info] Frogbot "scan-and-fix-repos" command finished successfully
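The log above shows the same package reported twice, once as "Django" and once as "django", each getting its own branch and merge request for the identical fix version. As an added example (not Frogbot's own code, and the cause is an assumption drawn from the casing difference in the log), here is how fix candidates can be merged on a normalized package name plus fix version before any branch is created. Package-name normalization follows PEP 503 because the project is a Python one; the CVE ids in the sample are placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// FixCandidate is one "upgrade Name to FixVersion" action derived from scan
// results, with the findings it would resolve.
type FixCandidate struct {
	Name       string
	FixVersion string
	CVEs       []string
}

// pypiSeparators matches the characters PEP 503 folds into a single '-'.
var pypiSeparators = regexp.MustCompile(`[-_.]+`)

// NormalizePackageName applies PEP 503 normalization (lowercase, runs of
// '-', '_' and '.' collapsed to '-'), so "Django" and "django" share a key.
func NormalizePackageName(name string) string {
	return pypiSeparators.ReplaceAllString(strings.ToLower(strings.TrimSpace(name)), "-")
}

// DedupeFixes merges candidates whose normalized name and fix version match
// into a single candidate carrying the union of their CVEs, keeping first
// appearance order. Candidates with different fix versions stay separate.
func DedupeFixes(candidates []FixCandidate) []FixCandidate {
	type key struct{ name, version string }
	index := make(map[key]int)
	var merged []FixCandidate
	for _, c := range candidates {
		k := key{NormalizePackageName(c.Name), c.FixVersion}
		if i, seen := index[k]; seen {
			merged[i].CVEs = appendUnique(merged[i].CVEs, c.CVEs...)
			continue
		}
		index[k] = len(merged)
		merged = append(merged, FixCandidate{
			Name:       c.Name,
			FixVersion: c.FixVersion,
			CVEs:       appendUnique(nil, c.CVEs...),
		})
	}
	return merged
}

// appendUnique appends items to dst, skipping those already present.
func appendUnique(dst []string, items ...string) []string {
	for _, item := range items {
		dup := false
		for _, d := range dst {
			if d == item {
				dup = true
				break
			}
		}
		if !dup {
			dst = append(dst, item)
		}
	}
	return dst
}

func main() {
	// Constructed input mirroring the log above: the same package reported
	// twice under different casing, each time with the same fix version.
	// CVE ids are placeholders, not real identifiers.
	found := []FixCandidate{
		{Name: "Django", FixVersion: "4.1.7", CVEs: []string{"CVE-PLACEHOLDER-1"}},
		{Name: "django", FixVersion: "4.1.7", CVEs: []string{"CVE-PLACEHOLDER-2"}},
	}
	for _, fix := range DedupeFixes(found) {
		fmt.Printf("one branch: upgrade %s to %s (fixes %s)\n", fix.Name, fix.FixVersion, strings.Join(fix.CVEs, ", "))
	}
}
```

Keying on the fix version as well as the name matters: two findings on the same package that need different upgrade targets are genuinely separate changes and should keep separate merge requests.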
Describe the bug
"The call to request() in index.js on line 1468 uses an unencrypted protocol instead of an encrypted protocol to communicate with the server."
To Reproduce
From the Fortify tool we found the below issue while scanning the repository.
Expected behavior
No critical issues reported.
Screenshots
NA
Versions
Additional context
All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in the mobile environment where devices frequently connect to unsecured, public, wireless networks using WiFi connections.
Example 1: The following example reads data using the HTTP protocol (instead of using HTTPS).
var http = require('http');
...
http.request(options, function(res){
...
});
...
The incoming http.IncomingMessage object,res, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.
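The finding above is about transport choice: a request issued over http is neither authenticated nor encrypted, so whatever comes back in the response cannot be trusted. As an added example in Go (not Frogbot's code, and not the index.js the finding points at), here is the shape of a client that makes the safe choice a hard rule: the URL must be https before a request is built, certificate verification stays on, TLS 1.2 is the floor, and a redirect may not downgrade the connection to plain http. The host names used are constructed and never contacted.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// ErrInsecureScheme is returned for any URL whose transport is not TLS.
var ErrInsecureScheme = errors.New("refusing to use an unencrypted, unauthenticated transport")

// RequireHTTPS parses rawURL and accepts only absolute https URLs. Checking
// the scheme before building the request is what turns the Fortify finding
// into a hard failure instead of a silent plaintext call.
func RequireHTTPS(rawURL string) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("%w: %q", ErrInsecureScheme, rawURL)
	}
	return u, nil
}

// RejectDowngrade is an http.Client CheckRedirect policy: a server (or an
// on-path party) cannot bounce an https request onto plain http.
func RejectDowngrade(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	if req.URL.Scheme != "https" {
		return fmt.Errorf("%w: redirect to %q", ErrInsecureScheme, req.URL.String())
	}
	return nil
}

// NewSecureClient returns a client that verifies certificates (the default;
// InsecureSkipVerify is never set), requires TLS 1.2 or newer, enforces a
// timeout and applies RejectDowngrade.
func NewSecureClient() *http.Client {
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
			Proxy:           http.ProxyFromEnvironment,
		},
		CheckRedirect: RejectDowngrade,
	}
}

// Get is the https-only counterpart of the http.request call in the finding:
// the URL must pass RequireHTTPS before any bytes leave the process.
func Get(client *http.Client, rawURL string) (*http.Response, error) {
	u, err := RequireHTTPS(rawURL)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	return client.Do(req)
}

func main() {
	// Constructed targets; nothing is contacted, the URLs are only validated.
	for _, target := range []string{"http://example.invalid/api/v1/system/version", "https://example.invalid/api/v1/system/version"} {
		if _, err := RequireHTTPS(target); err != nil {
			fmt.Println("blocked:", err)
			continue
		}
		fmt.Println("allowed:", target)
	}
}
```

The same two checks (scheme gate before the request, redirect policy after it) are what a reviewer looks for when triaging this class of finding in any language; the Node equivalent is using the https module and refusing http URLs at the same two points.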
Is your feature request related to a problem? Please describe.
Some of our projects use the conventional commits message style. When frogbot creates an MR, the commits don't follow this convention.
Describe the solution you'd like to see
Allowing the user to enable a certain commits style in the frogbot-config.yml, or to configure the commit messages prefix (e.g. fix(deps):)
Describe alternatives you've considered
Manually editing the commit message when merging the MR.
Is your feature request related to a problem? Please describe.
We are using JFrog XRay in our Org to scan the docker images for OSS Issues. JFrog has suggested that we use FrogBot as a Shift-left security feature. We did an analysis of the Frogbot features and noted a few improvements are required to leverage the Frogbot features. JFrog Xray provides a CVSS Score for each of the OSS Issues identified. We use the same CVSS Score for prioritising the fixing of OSS Issues. For example: we have picked CVSS Score=10 as the top-most priority for us to fix. Now when we try to use Frogbot, it does not provide us CVSS Score information and hence we are unable to leverage its features.
Describe the solution you'd like to see
We expect a CVSS_v3 Score against each OSS Issue in the Frogbot report. Same is already available in JFrog XRay vulnerability report.
Describe alternatives you've considered
NA
Additional context
NA
Is your feature request related to a problem? Please describe.
We're requesting to add the ability to ignore “dev dependencies” in Frogbot. This feature is already implemented for the jf audit jfrog-cli command.
--dep-type [Default: all] Defines npm dependencies type. Possible values are: all, devOnly and prodOnly
Describe the solution you'd like to see
Add a property to allow this in the frogbot-config.yml file.
Describe alternatives you've considered
N/A
Additional context
Add any other context or screenshots about the feature request here.
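The --dep-type values quoted above (all, devOnly, prodOnly) describe a filter over the two dependency maps in package.json. As an added example, not Frogbot's or jfrog-cli's own implementation, here is that filter in Go: it validates the configured value, parses a constructed package.json, and returns the direct dependencies the scan should consider. The rule that a name present in both maps counts as a production dependency is a design choice made here, since such a package still ships.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// DepType mirrors the values of jf audit --dep-type.
type DepType string

const (
	DepAll      DepType = "all"
	DepDevOnly  DepType = "devOnly"
	DepProdOnly DepType = "prodOnly"
)

// ParseDepType validates the configured value; an empty value means "all",
// matching the documented default.
func ParseDepType(s string) (DepType, error) {
	switch DepType(s) {
	case "":
		return DepAll, nil
	case DepAll, DepDevOnly, DepProdOnly:
		return DepType(s), nil
	}
	return "", fmt.Errorf("unknown depType %q (expected all, devOnly or prodOnly)", s)
}

// Dependency is one direct dependency from package.json.
type Dependency struct {
	Name  string
	Range string
	Dev   bool
}

type packageJSON struct {
	Dependencies    map[string]string `json:"dependencies"`
	DevDependencies map[string]string `json:"devDependencies"`
}

// SelectDependencies parses package.json bytes and returns the direct
// dependencies matching depType, sorted by name. A name present in both maps
// is treated as a production dependency, since it ships with the package.
func SelectDependencies(pkg []byte, depType DepType) ([]Dependency, error) {
	var p packageJSON
	if err := json.Unmarshal(pkg, &p); err != nil {
		return nil, fmt.Errorf("package.json: %w", err)
	}
	var out []Dependency
	if depType != DepDevOnly {
		for name, rng := range p.Dependencies {
			out = append(out, Dependency{Name: name, Range: rng})
		}
	}
	if depType != DepProdOnly {
		for name, rng := range p.DevDependencies {
			if _, isProd := p.Dependencies[name]; isProd {
				continue
			}
			out = append(out, Dependency{Name: name, Range: rng, Dev: true})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

// SamplePackageJSON is a constructed manifest, not taken from any project.
const SamplePackageJSON = `{
  "name": "demo-app",
  "dependencies": {"express": "^4.18.2", "lodash": "^4.17.21"},
  "devDependencies": {"jest": "^29.0.0", "lodash": "^4.17.21"}
}`

func main() {
	for _, mode := range []string{"all", "prodOnly", "devOnly"} {
		dt, err := ParseDepType(mode)
		if err != nil {
			fmt.Println(err)
			continue
		}
		deps, err := SelectDependencies([]byte(SamplePackageJSON), dt)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-9s ->", mode)
		for _, d := range deps {
			fmt.Printf(" %s@%s(dev=%v)", d.Name, d.Range, d.Dev)
		}
		fmt.Println()
	}
}
```

Note that excluding dev dependencies narrows what gets reported, not what gets installed in CI; a compromised build-time package still runs on the runner, so prodOnly is a triage setting rather than a security boundary.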
Describe the solution you'd like to see
Support for reporting on ruby gem updates is added.
Additional context
Ruby is currently supported by xray and it would be helpful if frogbot also supported it.
Will be awesome to have support for SBT package management https://www.scala-sbt.org/index.html.
Is this in the plans? We are using this very actively.
Thanks guys!
Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
I would like to use JFrog XRay to scan Pull Requests.
The source code repository containing multiple projects with different programming languages (dotnet, Angular, ...), so called mono-repo:
This can be dozens of projects per repository. Currently frogbot seems to be prepared only for exactly one JF_PROJECT_WORKING_DIR and JF_INSTALL_DEPS_CMD. We are aware that we could have separate workflows for each project.
But you can imagine that it's frustrating or even not usable when you have dozens of projects, dozens of scans must be approved manually and dozens of separate comments are added to the Pull Request
Describe the solution you'd like to see
A solution to have only ONE scan for a Pull Request of a repository containing different projects with multiple languages as shown above. For example JF_PROJECT_WORKING_DIR and JF_INSTALL_DEPS_CMD could support comma separated values to specify multiple projects with multiple install commands
If you need more information don't hesitate to contact me. Many thanks in advance,
Philipp
Describe the bug
When using the Frogbot scan with Maven project and there is also a .jfrog/projects//maven.yaml file that points to a private registry, the cli-core will try to use the maven.yaml server ID which is not recognized by Github Actions and will lead to error:
Error: 2 [Error] Server ID arti-test: URL is required.
To Reproduce
Used the template
Add maven.yaml file such as follows:
version: 1
type: maven
resolver:
  serverId: my-saas
  snapshotRepo: libs-snapshots
  releaseRepo: libs-releases
deployer:
  serverId: my-saas
  snapshotRepo: libs-snapshots
  releaseRepo: libs-releases
Expected behavior
Frogbot should not throw an error about that.
Versions
Is your feature request related to a problem? Please describe.
Frogbot does not support Air-Gapped environments.
Describe the solution you'd like to see
Allow downloading Frogbot, extractors, and project dependencies from Artifactory.
Describe alternatives you've considered
N/A
Additional context
This is just a suggestion.
Let's split the solutions into 2 parts:
- getFrogbot.sh and upload it to the frogbot repository. The script should support an environment variable FROGBOT_REMOTE_REPO and the regular frogbot connection details variables. Suggestion - users can put this script in an accessible place. It is better if this script will have a version.
- FROGBOT_REMOTE_REPO env var in frogbot to download Maven and Gradle extractors.
- FROGBOT_RESOLUTION_REPO variable to download dependencies from Artifactory.
Is your feature request related to a problem? Please describe.
Yarn 2 template is missing.
Describe the solution you'd like to see
We should test Frogbot and add the needed template.
Describe alternatives you've considered
None
Additional context
None
We have an on-prem GitLab instance running on "gitlab.ourdomain".
When running the command scan-and-fix-repos and vulnerabilities are found, frogbot tries to clone the repository without using JF_GIT_API_ENDPOINT to construct the clone URL.
Here is the output of our CI:
$ env | grep "JF"
JF_URL=https://jfrog.ourdomain
JF_GIT_OWNER=my-group/test
JF_GIT_REPO=demo-app
JF_GIT_API_ENDPOINT=https://gitlab.ourdomain
JF_GIT_TOKEN=[MASKED]
JF_USER=gitlab
JF_GIT_PROVIDER=gitlab
JF_PASSWORD=[MASKED]
JF_GIT_BASE_BRANCH=main
$ frogbot scan-and-fix-repos
09:49:52 [Debug] Downloading frogbot-config.yml from target my-group/test / demo-app / main
09:49:53 [Info] Running Frogbot "scan-and-fix-repos" command
09:49:53 [Debug] Usage Report: Sending info...
09:49:53 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/artifactory/api/system/version
09:49:53 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1678265393-192215614
09:49:53 [Debug] Downloading my-group/test/demo-app , branch: main to: /tmp/jfrog.cli.temp.-1678265393-192215614
09:49:53 [Debug] Artifactory response: 200
09:49:53 [Debug] JFrog Artifactory version is: 7.41.13
09:49:53 [Debug] Sending HTTP POST request to: https://jfrog.ourdomain/artifactory/api/system/usage
09:49:53 [Debug] Usage Report: Artifactory response: 200
09:49:53 [Debug] Usage Report: Usage info sent successfully.
09:49:53 [Info] demo-app downloaded successfully, starting with repository extraction
09:49:53 [Info] extracted repository successfully
09:49:53 [Debug] Repository download completed
09:49:53 [Info] Auditing project: /tmp/jfrog.cli.temp.-1678265393-192215614
09:49:53 [Info] Detected: poetry.
09:49:53 [Debug] Running "poetry install"
09:50:08 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/xray/api/v1/system/version
09:50:08 [Info] JFrog Xray version is: 3.57.6
09:50:08 [Info] Scanning module ...
09:50:08 [Debug] Sending HTTP POST request to: https://jfrog.ourdomain/xray/api/v1/scan/graph?scan_type=dependency
09:50:09 [Info] Waiting for scan to complete...
09:50:09 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/xray/api/v1/scan/graph/b8066348-8c14-492e-7fb0-13d21a2f3fd7?include_vulnerabilities=true
09:50:09 [Debug] Get Dependencies Scan results... (Attempt 1)
09:50:14 [Debug] Sending HTTP GET request to: https://jfrog.ourdomain/xray/api/v1/scan/graph/b8066348-8c14-492e-7fb0-13d21a2f3fd7?include_vulnerabilities=true
09:50:14 [Info] Xray scan completed
09:50:14 [Debug] Upload Scan to GitLab is currently unsupported.
09:50:14 [Info] Found 2 vulnerable dependencies with fix versions
09:50:14 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1678265414-3030771806
09:50:14 [Info] Cloning repository with these details:
Clone url: https://gitlab.com/my-group/test/demo-app.git remote name: origin, branch: refs/heads/main
09:50:14 [Error] repository demo-app returned the following error:
'git clone main from https://gitlab.com/my-group/test/demo-app.git' failed with error: authentication required
Set the environment variable JF_GIT_API_ENDPOINT to the GitLab instance URL, and run the command scan-and-fix-repos on a repository with vulnerabilities.
The repo 'clone_url' should be 'https://gitlab.ourdomain/my-group/test/demo-app.git' instead of 'https://gitlab.com/my-group/test/demo-app.git'
2.5.9
poetry - pyproject.toml
GitLab
- params:
    # Git parameters
    git:
      # [Mandatory]
      # Name of the git repository to scan
      repoName: demo-app
      # [Mandatory]
      # List of branches to scan
      branches:
        - main
RHEL 8.6
3.57.6
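The report above boils down to one derivation: when JF_GIT_API_ENDPOINT is set, the clone URL has to take its scheme and host from that endpoint, and the public gitlab.com host is only a fallback for when it is unset. As an added example (not Frogbot's own code), here is that derivation in Go, using the values from the CI output above. Requiring an https endpoint is a design choice made here so that the git credentials used for the clone never travel in the clear; the real Frogbot may accept other schemes.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// DefaultGitLabBase is used only when JF_GIT_API_ENDPOINT is not set. The log
// above shows this fallback being applied even though the endpoint was set,
// which is the bug being reported.
const DefaultGitLabBase = "https://gitlab.com"

// CloneURL derives the HTTPS clone URL for owner/repo from the configured API
// endpoint: scheme and host come from the endpoint and any API path such as
// /api/v4 is dropped. Owner may contain subgroups ("my-group/test").
func CloneURL(apiEndpoint, owner, repo string) (string, error) {
	base := DefaultGitLabBase
	if ep := strings.TrimSpace(apiEndpoint); ep != "" {
		u, err := url.Parse(ep)
		if err != nil {
			return "", fmt.Errorf("JF_GIT_API_ENDPOINT: %w", err)
		}
		if u.Scheme != "https" || u.Host == "" {
			return "", fmt.Errorf("JF_GIT_API_ENDPOINT %q must be an absolute https URL", apiEndpoint)
		}
		base = "https://" + u.Host
	}
	owner = strings.Trim(owner, "/")
	repo = strings.TrimSuffix(strings.Trim(repo, "/"), ".git")
	if owner == "" || repo == "" {
		return "", errors.New("JF_GIT_OWNER and JF_GIT_REPO are required")
	}
	return fmt.Sprintf("%s/%s/%s.git", base, owner, repo), nil
}

func main() {
	// Values from the CI output above; the first result is the clone URL the
	// reporter expected, the second is the fallback when no endpoint is set.
	for _, ep := range []string{"https://gitlab.ourdomain", ""} {
		u, err := CloneURL(ep, "my-group/test", "demo-app")
		fmt.Printf("endpoint=%q -> %s %v\n", ep, u, err)
	}
}
```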
In Frogbot version 2.5.2 the download of a config file was implemented. Since then it is no longer possible for us to run frogbot in our pipeline, because it no longer uses the environment variables and always looks for this config file.
In the code of the merge request you can see that normally there should be a fallback to the environment variables if no config file is given. In the documentation it is not described where this configuration file comes from, how to generate it or what the config should look like. Could you add documentation for this?
08:05:33 [Error] GET https://gitlab.blub.de/api/v4/projects/project/my-service/repository/files/.frogbot/frogbot-config.yml: 404 {message: 404 File Not Found}
Set the frogbot version to 2.5.2.
Run frogbot scan-pull-request
If no configuration file is specified, the environment variables set in gitlab-ci.yml should be used.
2.5.2
Maven (pom.xml)
GitLab
no response
CIS Ubuntu 20 04 LTS
3.62.4
Is your feature request related to a problem? Please describe.
In a brand new repo, it is initialized with no package manager configuration. e.g.
$ git status
On branch develop
Your branch is up to date with 'origin/develop'.
nothing to commit, working tree clean
$ ls
README.md
When the PR introduces the pom.xml, frogbot fails because no package manager is found in the base branch:
10:36:19 [Debug] Downloading xxx-my-org/yyy-my-repo from branch:<develop>
10:36:19 [Debug] Downloading repository completed
10:36:19 [🔵Info] Auditing project:
10:36:19 [🚨Error] could not determine the package manager / build tool used by this project.
Describe the solution you'd like to see
Option to ignore missing package manager in base branch (and assume list of dependencies is empty), or generate warning instead of error.
Describe alternatives you've considered
First option is to not configure frogbot until pom is added to repo. However this poses the problem that the initial commit of pom.xml might introduce issues which are not found by frogbot, as they are not new issues in subsequent frogbot runs.
Additional context
Add any other context or screenshots about the feature request here.
Describe the bug
When trying to run locally, I am seeing an error where scan-pull-requests is trying to pull comments for an issue that doesn't exist and failing.
To Reproduce
This is using github enterprise server, and running the frogbot locally
√ frogbot % go run main.go scan-pull-requests
13:57:11 [Info] Running Frogbot "scan-pull-requests" command
13:57:11 [Debug] Usage Report: Sending info...
13:57:11 [Debug] Sending HTTP GET request to: https://my.jfrog/artifactory/api/system/version
13:57:11 [Debug] Artifactory response: 200 OK
13:57:11 [Debug] JFrog Artifactory version is: 7.41.12
13:57:11 [Debug] Sending HTTP POST request to: https://my.jfrog/artifactory/api/system/usage
13:57:11 [Debug] Usage Report: Artifactory response: 200 OK
13:57:11 [Debug] Usage Report: Usage info sent successfully.
13:57:11 [Error] GET https://my.github.enterprise/api/v3/repos/org1/repo1/issues/12345/comments: 404 Not Found []
13:57:11 [Error] GET https://my.github.enterprise/api/v3/repos/org1/repo1/issues/12345/comments: 404 Not Found []
exit status 1
Expected behavior
Would get as far as scanning a pull request
Versions
√ frogbot % sw_vers
ProductName: macOS
ProductVersion: 12.6
BuildVersion: 21G115
Additional context
Add any other context about the problem here.
I got the below error, I used the github action template for Python package scanning
/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-pull-request
14:37:39 [Info] Running Frogbot "scan-pull-request" command
14:37:39 [Info] Auditing /runner/_work/cirrus-ml-experimentation/cirrus-ml-experimentation
Error: 9 [Error] could not determine the package manager / build tool used by this project.
Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
Hello, is there any way to use frogbot without Advanced Security?
Run jfrog/frogbot@v2
...
09:20:35 [Warn] upload code scanning failed with: POST https://github.kyndryl.net/api/v3/repos/org-for-tests/back/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
Is your feature request related to a problem? Please describe.
When a PR is opened, and changes are requested by approvers, there can be quite a few additional commits to the PR branch. This results in many repeating frogbot comments on the PR
Describe the solution you'd like to see
Check if comment is a duplicate and suppress in that case.
Describe alternatives you've considered
Open to suggestions...
Additional context
Add any other context or screenshots about the feature request here.
Is your feature request related to a problem? Please describe.
We are working on a closed environment (no internet) and want to use frogbot on our Azure DevOps 2020 on premise that would connect to our on-premise JFrog server (xray+artifactory)
Describe the solution you'd like to see
add Azure DevOps git to the github\gitlab\bitbucket options
Describe alternatives you've considered
My Frogbot version is 2.1.5
When using frogbot in GitLab with the feature "Pull requests opening", it will hang on branch creation until it times out after 1 hour.
How to troubleshoot this? Is there any way to debug?
Sometimes it will report an error:
[Error] failed while trying to fix and create PR for: org.apache.logging.log4j:log4j-core with version: 2.8.2 with error: mvn command failed: exit status 1
Hello, my workflow is...
name: Frogbot Scan and Fix
on:
  push:
permissions:
  contents: write
  pull-requests: write
  security-events: write
jobs:
  create-fix-pull-requests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup NodeJS
        uses: actions/setup-node@v3
        with:
          node-version: "16.x"
      - uses: jfrog/frogbot@v2
        env:
          JF_INSTALL_DEPS_CMD: npm ci --legacy-peer-deps
          JF_URL: https://na.artifactory.taas.kyndryl.net/
          JF_GIT_API_ENDPOINT: https://github.kyndryl.net/api/v3
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          JF_ACCESS_TOKEN: ${{ env.JF_TOKEN }}
Allow GitHub Actions to create and approve pull requests
checked
We are facing:
10:05:24 [Info] Creating branch: frogbot-moment-33a86fc7fc0e1cfbe5636bdf4c66e95f
Error: 7 [Error] failed while trying to fix and create PR for: moment with version: 2.29.4 with error: npm install [email protected] command failed: exit status 1
...
10:05:28 [Info] Creating branch: frogbot-terser-bd0ab704e2f11528b2588cddd3a649c9
Error: 1 [Error] failed while trying to fix and create PR for: terser with version: 4.8.1 with error: npm install [email protected] command failed: exit status 1
Is your feature request related to a problem? Please describe.
When Frogbot creates a Merge Request to fix vulnerable dependencies, it only says "Upgrade to " and a link to Frogbot readme.
Describe the solution you'd like to see
It would be great to have a link to which CVE is fixed by the Merge Request in the description (and eventually also the vulnerability severity).
This would allow us to have a better idea how urgent the MR is, and also to retroactively view which CVE were fixed in our repositories.
Describe alternatives you've considered
None
Additional context
None
How can I configure jfrogbot so that it uses the Gradle wrapper specified by our project instead of reverting back to the nonexistent gradle binary? See the sample error I am receiving in my gitlab-ci output:
16:58:07 [Info] Running Frogbot "create-fix-pull-requests" command
16:58:07 [Info] Auditing /builds/pare/my-sandbox
16:58:07 [Info] Detected: gradle.
16:58:07 [Info] Running gradle...
16:58:07 [Info] The build-info-extractor jar is not cached locally. Downloading it now...
You can set the repository from which this jar is downloaded. Read more about it at https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory#CLIforJFrogArtifactory-DownloadingtheMavenandGradleExtractorJARs
16:58:07 [Info] Downloading build-info-extractor from https://releases.jfrog.io/artifactory/oss-release-local/org/jfrog/buildinfo/build-info-extractor-gradle/4.28.2/build-info-extractor-gradle-4.28.2-uber.jar
16:58:07 [Error] 'gradle' audit command failed:
exec: "gradle": executable file not found in $PATH
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1
When running the scanner, I get a considerable number of these from time to time:
[2022-12-14T05:05:51.206Z] 05:05:51 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:05:51.633Z] 05:05:51 [Debug] Get Dependencies Scan results... (Attempt 1)
[2022-12-14T05:05:57.185Z] 05:05:56 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:05:57.185Z] 05:05:56 [Debug] Get Dependencies Scan results... (Attempt 2)
[2022-12-14T05:06:02.721Z] 05:06:01 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:02.721Z] 05:06:02 [Debug] Get Dependencies Scan results... (Attempt 3)
[2022-12-14T05:06:07.210Z] 05:06:07 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:07.645Z] 05:06:07 [Debug] Get Dependencies Scan results... (Attempt 4)
[2022-12-14T05:06:13.194Z] 05:06:12 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:13.194Z] 05:06:12 [Debug] Get Dependencies Scan results... (Attempt 5)
[2022-12-14T05:06:18.773Z] 05:06:17 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:18.773Z] 05:06:18 [Debug] Get Dependencies Scan results... (Attempt 6)
[2022-12-14T05:06:23.250Z] 05:06:23 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:23.683Z] 05:06:23 [Debug] Get Dependencies Scan results... (Attempt 7)
[2022-12-14T05:06:29.249Z] 05:06:28 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:29.249Z] 05:06:28 [Debug] Get Dependencies Scan results... (Attempt 8)
[2022-12-14T05:06:33.721Z] 05:06:33 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:34.154Z] 05:06:34 [Debug] Get Dependencies Scan results... (Attempt 9)
[2022-12-14T05:06:39.714Z] 05:06:39 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:39.714Z] 05:06:39 [Debug] Get Dependencies Scan results... (Attempt 10)
[2022-12-14T05:06:45.274Z] 05:06:44 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:45.274Z] 05:06:44 [Debug] Get Dependencies Scan results... (Attempt 11)
[2022-12-14T05:06:50.830Z] 05:06:49 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:50.830Z] 05:06:50 [Debug] Get Dependencies Scan results... (Attempt 12)
[2022-12-14T05:06:55.306Z] 05:06:55 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:06:55.733Z] 05:06:55 [Debug] Get Dependencies Scan results... (Attempt 13)
[2022-12-14T05:07:01.290Z] 05:07:00 [Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v1/scan/graph/f3a51409-45f7-43ea-4ede-fc5d49732016?include_vulnerabilities=true
[2022-12-14T05:07:01.290Z] 05:07:00 [Debug] Get Dependencies Scan results... (Attempt 14)
Sometimes it just works and gets through to the next issue; other times this will just carry on. If I kill the build and run it again, it seems to work.
Build is for dotnet core, and Linux x64.
Is there something you think I could do to fix this? As I've seen it go all the way to attempt 100+.
I have self-hosted GitLab and Artifactory, and am trying to integrate frogbot in a Java repo built with Maven. I have the scan-pull-request working on a branch MR, and it shows multiple vulnerabilities with a fix version. For example
Running the create-fix-pull-request command doesn't seem to be finding any of these vulnerabilities (with fixed versions).
When I try to run the create-fix-pull-requests command locally from a working copy of the branch (new repo, the master branch is empty still), it says there are no vulnerable dependencies with fix versions. But when I pull the scan report via the xray/api/v1/scan/graph that's in the frogbot output, the JSON response includes multiple fixed versions.
19:37:47 [Debug] Sending HTTP GET request to: https://repo.example.com/xray/api/v1/system/version
19:37:47 [🔵Info] JFrog Xray version is: 3.47.3
19:37:47 [🔵Info] Scanning module com.example.myproject:foolib:1.0-SNAPSHOT...
19:37:47 [Debug] Sending HTTP POST request to: https://repo.example.com/xray/api/v1/scan/graph?scan_type=dependency
19:37:47 [🔵Info] Waiting for scan to complete...
19:37:47 [Debug] Sending HTTP GET request to: https://repo.example.com/xray/api/v1/scan/graph/ac58a7a1-8d65-4df7-69dd-ce251552cba4?include_vulnerabilities=true
19:37:48 [Debug] Get Dependencies Scan results... (Attempt 1)
19:37:53 [Debug] Sending HTTP GET request to: https://repo.example.com/xray/api/v1/scan/graph/ac58a7a1-8d65-4df7-69dd-ce251552cba4?include_vulnerabilities=true
19:37:53 [🔵Info] Xray scan completed
19:37:53 [Debug] Upload Scan to GitLab is currently unsupported.
19:37:53 [🔵Info] Didn't find vulnerable dependencies with existing fix versions for foolib
19:37:53 [🔵Info] Frogbot "create-fix-pull-requests" command finished successfully
/work # jq -r '.vulnerabilities[].components[].fixed_versions' report.json
[
"[1.21-RC1]"
]
[
"[1.21-RC1]"
]
[
"[1.21]"
]
[
"[1.21]"
]
[
"[1.21]"
]
[
"[1.21]"
]
[
"[2.7]"
]
[
"[2.5]"
]
[
"[1.11.3]"
]
No response
The set of vulnerable dependencies with fixed versions identified in the scan-pull-request
command should have MR's opened to update to the identified fixed version.
2.6.1
Maven 3.8.6, pom.xml
GitLab
No response
alpine:3.17
3.47.3
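As an added cross-check that is not part of the original issue or of Frogbot's own code: the script below walks the same .vulnerabilities[].components[].fixed_versions path as the jq command above, over a report constructed for the demo, parses the range strings (assumed here to follow Maven version-range syntax, so "[1.21]" is an exact version and "[2.7,)" means 2.7 or higher) and derives, per component, the lowest version that closes all of its findings. That list is what one would compare against a "Didn't find vulnerable dependencies with existing fix versions" message when the two disagree.

```python
"""Derive upgrade targets from an Xray scan/graph report (added example)."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape the jq command in the issue walks. Component
# keys mimic Xray's "gav://" identifiers and issue ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {
            "issue_id": "XRAY-PLACEHOLDER-1",
            "severity": "High",
            "components": {
                "gav://org.example:foolib:1.20": {"fixed_versions": ["[1.21-RC1]"]},
            },
        },
        {
            "issue_id": "XRAY-PLACEHOLDER-2",
            "severity": "Critical",
            "components": {
                "gav://org.example:foolib:1.20": {"fixed_versions": ["[1.21]"]},
                "gav://org.example:barlib:2.3": {"fixed_versions": ["[2.5]", "[2.7,)"]},
                "gav://org.example:quxlib:0.9": {"fixed_versions": ["(0.9,)"]},
            },
        },
        {
            "issue_id": "XRAY-PLACEHOLDER-3",
            "severity": "Medium",
            "components": {
                "gav://org.example:bazlib:1.0": {},   # no fix published yet
            },
        },
    ]
})

# Maven range: open bracket, lower bound, optional ",upper", close bracket.
RANGE_RE = re.compile(r"^\s*([\[(])\s*([^,\]\)]*?)\s*(?:,\s*([^\]\)]*?)\s*)?([\])])\s*$")


def version_key(version: str) -> Tuple:
    """Sort key approximating Maven ordering: numeric parts compare as ints,
    a qualifier (RC1, beta) sorts below the bare release, and the bare
    release sorts below a longer release (1.21-RC1 < 1.21 < 1.21.1)."""
    parts: List[Tuple] = []
    for tok in re.split(r"[.\-_]", version.strip()):
        if tok.isdigit():
            parts.append((2, int(tok)))
        elif tok:
            parts.append((0, tok.lower()))
    parts.append((1, ""))  # release marker: above qualifiers, below digits
    return tuple(parts)


def min_fixed_version(fixed: str) -> Optional[str]:
    """Lowest version a fixed_versions entry names, or None when the entry
    has no definite lower bound (e.g. the exclusive "(0.9,)")."""
    m = RANGE_RE.match(fixed)
    if not m:
        return fixed.strip() or None   # bare version string: assume it is exact
    open_br, lower, upper, _close = m.groups()
    if upper is None:                  # "[1.21]": a single exact version
        return lower or None
    if lower and open_br == "[":       # "[2.7,)": 2.7 and everything above
        return lower
    return None                        # "(,1.2]" or "(x,)": nothing definite


def recommended_fixes(report_json: str) -> Dict[str, Optional[str]]:
    """Per component with any fix at all: the lowest version that closes every
    finding against it, or None when some finding lacks a definite bound."""
    report = json.loads(report_json)
    targets: Dict[str, Optional[str]] = {}
    for vuln in report.get("vulnerabilities", []):
        for comp_id, details in vuln.get("components", {}).items():
            ranges = details.get("fixed_versions") or []
            if not ranges:
                continue               # unfixable finding: nothing to upgrade to
            candidates = [v for v in map(min_fixed_version, ranges) if v is not None]
            this_vuln = min(candidates, key=version_key) if candidates else None
            if comp_id not in targets:
                targets[comp_id] = this_vuln
            elif targets[comp_id] is not None and this_vuln is not None:
                # Closing all findings needs the highest of the per-finding minimums.
                targets[comp_id] = max(targets[comp_id], this_vuln, key=version_key)
            else:
                targets[comp_id] = None
    return targets


if __name__ == "__main__":
    for component, target in sorted(recommended_fixes(SAMPLE_REPORT).items()):
        print(f"{component}: {target or 'no definite fix version, review manually'}")
```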
Describe the bug
[main] INFO org.jfrog.build.extractor.maven.BuildDeploymentHelper - Artifactory Build Info Recorder: deploy artifacts set to false, artifacts will not be deployed...
[main] INFO org.jfrog.build.extractor.maven.BuildDeploymentHelper - Artifactory Build Info Recorder: publish build info set to false, build info will not be published...
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - BUILD SUCCESS
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Total time: 3.466 s
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Finished at: 2022-04-21T07:55:09Z
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
07:55:09 [Info] Scanning module com.example:demo:0.0.1-SNAPSHOT...
07:55:09 [Info] Waiting for scan to complete...
07:55:14 [Info] Auditing frogbot-test master
07:55:15 [Error] GET https://gitlab.com/api/v4/projects/root/frogbot-test/repository/archive.tar.gz: 401 {message: 401 Unauthorized}
Describe the bug
I'm trying to use the frogbot GitHub action and at the end of the build I can't access the report file generated. I get a 404 file not found error.
The same project with the command jf xr audit-mvn
generates the expected report.
The project that I am using is:
Basic maven project: https://github.com/ixchelruiz/app
Github action: https://github.com/ixchelruiz/app/actions/runs/2185445703
At the end of the build on "[scan-pull-request]" I get the following error:
[main] INFO org.jfrog.build.extractor.maven.BuildDeploymentHelper - Artifactory Build Info Recorder: publish build info set to false, build info will not be published...
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - BUILD SUCCESS
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Total time: 5.889 s
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Finished at: 2022-04-18T18:42:34Z
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
Error: 4 [Error] Server response: 404
{
  "errors": [
    {
      "status": 404,
      "message": "File not found."
    }
  ]
}
Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
To Reproduce
Use
Basic maven project: https://github.com/ixchelruiz/app
Github action: https://github.com/ixchelruiz/app/actions/runs/2185445703
Expected behavior
Report is generated and added in the comments exactly as the report generated on the Jfrog cli
jf xr audit-mvn
Versions
My local setup (JFrog CLI) with the same configuration (tokens) WORKS
jf config show
Server ID: Default-Server
JFrog platform URL: https://ixchelr.jfrog.io/
Artifactory URL: https://ixchelr.jfrog.io/artifactory/
Distribution URL: https://ixchelr.jfrog.io/distribution/
Xray URL: https://ixchelr.jfrog.io/xray/
Mission Control URL: https://ixchelr.jfrog.io/mc/
Pipelines URL: https://ixchelr.jfrog.io/pipelines/
Password: ***
Access token: ***
Refresh token: ***
Default: true
GitHub Actions configuration -- DOESN'T WORK
Run jfrog/frogbot@v1
  with:
    version: latest
  env:
    JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/11.0.14-1/x64
    JF_URL: ***
    JF_GIT_TOKEN: ***
    JF_ACCESS_TOKEN: ***
Frogbot
Is your feature request related to a problem? Please describe.
Frogbot automated fix pull requests can be more informative and may look even better :)
Describe the solution you'd like to see
I suggest the following changes to the created PR:
I have enabled debug logging in the GitHub workflow and see these logs:
##[debug]Starting: Run jfrog/frogbot@v2
##[debug]Loading inputs
##[debug]Loading env
Run jfrog/frogbot@v2
::group::Frogbot
Frogbot
However, I see only info-level logging from frogbot:
14:09:57 [Info] Detected: maven.
14:09:57 [Info] Running Mvn...
and a failure like so:
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - BUILD SUCCESS
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Total time: 18.028 s
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Finished at: 2022-11-04T14:10:17Z
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
Error: 7 [Error] 'maven' audit command failed:
server response: 404 Not Found
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
</body>
</html>
Error: The process '/github-actions/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
::endgroup::
I see a bunch of debug level logging in the code:
clientLog.Debug("Created temp working directory:", wd)
but I don't see those logged anywhere.
We followed a similar pattern for a Dotnet project and are getting the error pasted below:
19:09:20 [Info] Running Frogbot "scan-pull-request" command
19:09:21 [Info] Auditing project: /home/runner/work/test/test
Error: 1 [Error] audit command in /home/runner/work/test/test failed:
could not determine the package manager / build tool used by this project.
Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
It would be good to have enough documentation for Dotnet.
My GitHub Actions workflow looks like below:
name: "Frogbot Scan Pull Request"
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  pull-requests: write
  contents: read
jobs:
  scan-pull-request:
    runs-on: ubuntu-latest
    # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
    # "frogbot" GitHub environment can approve the pull request to be scanned.
    environment: frogbot
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      # Install prerequisites
      - uses: actions/setup-dotnet@v2
        with:
          dotnet-version: "6.0.x"
      - uses: jfrog/frogbot@v2
        env:
          JF_URL:
          JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_DEPLOYER }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
          JF_REQUIREMENTS_FILE: "test/test.sln"
Regards
Sri
Describe the bug
Getting "authentication required" errors when frogbot tries to create a PR after it finds vulnerabilities.
I have tried with the run's GitHub token (${{ secrets.GITHUB_TOKEN }}) and with a personal token with all the required permissions, and I get the same error.
To Reproduce
Use the below workflow for a Maven project:
name: "Frogbot Fix"
on:
  push:
    branches:
      - 'main'
      - 'master'
      - 'feature-*'
permissions:
  contents: write
  pull-requests: write
jobs:
  create-fix-pull-requests:
    runs-on: [ self-hosted ]
    steps:
      - uses: actions/checkout@v2
      - name: Set up Java
        uses: actions/setup-java@v3
        with:
          java-version: "8"
          distribution: "corretto"
          cache: 'maven'
      - name: Set up Maven
        uses: stCarolas/[email protected]
        with:
          maven-version: 3.5.2
      - uses: jfrog/[email protected]
        env:
          JF_URL: ${{ secrets.JFROG_URL }}
          JF_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
          JF_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expected behavior
Create a PR for each vulnerability found
Screenshots
Logs:
23:00:37 [Info] Waiting for scan to complete...
23:00:42 [Info] Xray scan completed
23:00:42 [Info] Found 5 vulnerable dependencies with fix versions
23:00:43 [Info] -----------------------------------------------------------------
23:00:43 [Info] Start fixing org.apache.cxf:cxf-rt-frontend-jaxrs with 3.0.16
Error: 3 [Error] failed while trying to fix and create PR for: org.apache.cxf:cxf-rt-frontend-jaxrs with version: 3.0.16 with error: authentication required
23:00:43 [Info] Running git checkout to base branch: refs/heads/feature-GITACT-325-Jfrog-revisit-create-pr-to-fix-vulnerabilities
23:00:43 [Info] -----------------------------------------------------------------
23:00:43 [Info] Start fixing junit:junit with 4.13.1
Error: 3 [Error] failed while trying to fix and create PR for: junit:junit with version: 4.13.1 with error: authentication required
23:00:43 [Info] Running git checkout to base branch: refs/heads/feature-GITACT-325-Jfrog-revisit-create-pr-to-fix-vulnerabilities
23:00:43 [Info] -----------------------------------------------------------------
23:00:43 [Info] Start fixing ch.qos.logback:logback-classic with 1.2.0
Error: 3 [Error] failed while trying to fix and create PR for: ch.qos.logback:logback-classic with version: 1.2.0 with error: authentication required
23:00:43 [Info] Running git checkout to base branch: refs/heads/feature-GITACT-325-Jfrog-revisit-create-pr-to-fix-vulnerabilities
23:00:43 [Info] -----------------------------------------------------------------
23:00:43 [Info] Start fixing ch.qos.logback:logback-core with 1.2.0
Error: 3 [Error] failed while trying to fix and create PR for: ch.qos.logback:logback-core with version: 1.2.0 with error: authentication required
23:00:43 [Info] Running git checkout to base branch: refs/heads/feature-GITACT-325-Jfrog-revisit-create-pr-to-fix-vulnerabilities
23:00:44 [Info] -----------------------------------------------------------------
23:00:44 [Info] Start fixing com.fasterxml.jackson.core:jackson-databind with 2.12.6
Error: 4 [Error] failed while trying to fix and create PR for: com.fasterxml.jackson.core:jackson-databind with version: 2.12.6 with error: authentication required
23:00:44 [Info] Running git checkout to base branch: refs/heads/feature-GITACT-325-Jfrog-revisit-create-pr-to-fix-vulnerabilities
23:00:44 [Info] Frogbot "create-fix-pull-requests" command finished successfully
Is your feature request related to a problem? Please describe.
Docker artifacts are not currently listed as supported. Request for Docker artifact scanning to be supported.
Describe the solution you'd like to see
Add support for Docker artifacts to FrogBot
Describe alternatives you've considered
Dependbot and jfrog cli
Additional context
Teams would like to standardize on FrogBot for pre-merge scanning but Docker artifacts are a blocker.
I have to say I'm a little disappointed.
We tried FrogBot on Azure DevOps, but it shows that there is a lot of configuration for each project, and in the end it is the same process as for the build process, which we primarily focus on setting up (so duplication).
The current Frogbot run also has high resource consumption, depending on the number of pull requests and the length of the build time.
What I would like to see?
It should be easy to set up as global settings for all projects, even when they don't yet have JFrog in the build pipeline.
I expect functionality similar to JFrog Xray in the IDE, where JFrog just takes the connection and the components and shows the results. No other settings are required (for example from a pom file, a requirements.txt file or a csproj file).
I am evaluating frogbot to scan GitHub PRs with a basic config:
export JF_URL=https://frogbotv230.jfrog.io
export JF_USER=xxxxxx
export JF_PASSWORD=AKxxxxxxxxxxxxxxxxxx
export JF_GIT_PROVIDER=github
export JF_GIT_TOKEN=ghp_N4T2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export JF_GIT_OWNER=xxxxxx
export JF_GIT_REPO=xxxxxxxx
with Jenkins stages:
stage('Download Frogbot') {
    steps {
        sh """ curl -fLg "https://releases.jfrog.io/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh"""
    }
}
stage('Scan Pull Requests') {
    steps {
        sh "./frogbot scan-pull-requests"
    }
}
stage('Scan and Fix Repos') {
    steps {
        sh "./frogbot scan-and-fix-repos"
    }
}
}
and using a basic frogbot-config.yaml file in the root folder of the project.
But the scan stage failed with this error:
ERROR: Package 're-id-service' requires a different Python: 3.6.9 not in '>=3.9'
Any help would be appreciated.
Could someone assist me to resolve the following issue:
[main] INFO org.jfrog.build.extractor.maven.BuildDeploymentHelper - Artifactory Build Info Recorder: deploy artifacts set to false, artifacts will not be deployed...
[main] INFO org.jfrog.build.extractor.maven.BuildDeploymentHelper - Artifactory Build Info Recorder: publish build info set to false, build info will not be published...
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - BUILD SUCCESS
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Total time: 1.164 s
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - Finished at: 2022-05-11T07:22:47+02:00
[main] INFO org.apache.maven.cli.event.ExecutionEventLogger - ------------------------------------------------------------------------
Error: 7 [Error] invalid character '<' looking for beginning of value
Error: The process '/data/github_action/actions-runner/_work/_tool/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
We are doing a POC of this new feature in our organization to help our projects. We are not sure why it is failing. We followed the GitHub installation procedure.
Versions
Frogbot version: jfrog/frogbot@v1
Operating system: Ubuntu 18
JFrog Artifactory version: Enterprise Plus 7.33.12
JFrog Xray version: xray-server:3.30.2
Thanks in advance.
Describe the bug
frogbot scan-pull-requests
throws stack trace when scanning a pip project
To Reproduce
frogbot scan-pull-requests
Expected behavior
Frogbot to run without crashing
Screenshots
-bash-4.2$ env JF_GIT_API_ENDPOINT="http://stash.example.com/rest" JF_GIT_OWNER=INFRA JF_GIT_REPO=xray-test JF_URL=https://artifactory.dev.example.com ./frogbot scan-pull-requests
10:09:34 [🔵Info] Running Frogbot "scan-pull-requests" command
10:09:34 [🔵Info] Auditing /tmp/jfrog.cli.temp.-1663319374-3547796160
10:09:34 [🔵Info] Detected: pip.
10:09:37 [🚨Error] pip Audit command failed: failed running command: '/tmp/jfrog.cli.temp.-1663319374-2082447499/venvdir/bin/python python /data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py --json' with error: exit status 1 - Traceback (most recent call last):
File "/data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py", line 874, in <module>
sys.exit(main())
File "/data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py", line 822, in main
user_only=args.user_only)
File "/data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py", line 801, in get_installed_distributions
from pip._internal.utils import misc
ImportError: No module named _internal.utils
10:09:37 [🚨Error] pip Audit command failed: failed running command: '/tmp/jfrog.cli.temp.-1663319374-2082447499/venvdir/bin/python python /data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py --json' with error: exit status 1 - Traceback (most recent call last):
File "/data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py", line 874, in <module>
sys.exit(main())
File "/data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py", line 822, in main
user_only=args.user_only)
File "/data/jenkins/.jfrog/dependencies/pip/5/pipdeptree.py", line 801, in get_installed_distributions
from pip._internal.utils import misc
ImportError: No module named _internal.utils
Versions
Additional context
Pip itself appears to be working fine. Packages can be installed inside user context or new virtualenvs without issue.
Describe the bug
I created a setup of yarn2 using the workflow you guys provided, and it seems like JF_USER is undefined even though it's set up.
To Reproduce
Just do your starter flow
Expected behavior
The run will go as planned
Screenshots
Versions
Additional context
I looked in your code and didn't see any place where you set up JF_USER in your env.
I also tried to supply JF_USER in:
Is it possible to use frogbot without github advanced security in GH enterprise?
get this error at the moment:
Error: 2 [Error] upload code scanning failed with: POST https://my.github.enterprise/api/v3/repos/org/repo1/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
Error: The process '/github-actions/actions-runner/_work/_tool/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
It seems like it would be useful to have a flag for disabling this functionality:
2d3b55c#diff-d8b6807ea777814b68ce9cf71f8f78e2afd9dfd682ec923567710b840d43e341R31
(not sure if anything else requires GHAS...?)
Hi, I tried to run frogbot on my poetry project (see https://github.com/joergsesterhenn/py-tic-tac-toe/actions/runs/3285427920/jobs/5412508082 ).
I got this error message:
/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-pull-request
22:30:30 [Info] Running Frogbot "scan-pull-request" command
22:30:30 [Info] Auditing /home/runner/work/py-tic-tac-toe/py-tic-tac-toe
22:30:30 [Info] Detected: poetry.
Error: 1 [Error] 'poetry' audit command failed: poetry install command failed: exec: "poetry": executable file not found in $PATH -
Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
There seems to be some support for poetry but then poetry seems to be missing from the frogbot image.
Can I somehow install it in a previous step? Or could you change frogbot to execute poetry using abatilo/actions-poetry@v2?
Is there some way to make this work?
When Frogbot tries to apply a remediation and create a PR, it doesn't use the JF_WORKING_DIR environment variable.
frogbot/commands/createfixpullrequests.go
Line 201 in 9304d3b
2022-12-08T22:54:00.2572103Z 22:54:00 [Info] JFrog Xray version is: 3.61.5
2022-12-08T22:54:00.2573048Z 22:54:00 [Info] Scanning module com.example:multi-module-library:3.0.0...
2022-12-08T22:54:00.6906700Z 22:54:00 [Info] Waiting for scan to complete...
2022-12-08T22:54:01.2769030Z 22:54:01 [Info] Xray scan completed
2022-12-08T22:54:01.2769451Z 22:54:01 [Info] Note: no context was provided, so no policy could be determined to scan against.
2022-12-08T22:54:01.2770194Z You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
2022-12-08T22:54:01.2770764Z Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
2022-12-08T22:54:01.2771245Z All vulnerabilities detected will be included in the output JSON.
2022-12-08T22:54:01.9045736Z 22:54:01 [Info] Found 1 vulnerable dependencies with fix versions
2022-12-08T22:54:03.6144703Z 22:54:03 [Info] -----------------------------------------------------------------
2022-12-08T22:54:03.6145548Z 22:54:03 [Info] Start fixing org.apache.camel:camel-ldap with 3.14.6
2022-12-08T22:54:03.7230746Z 22:54:03 [Info] Creating branch: frogbot-org.apache.camel_camel-ldap-77492e313a8b7198cf626f35a1bc4942
2022-12-08T22:54:07.0362324Z 22:54:07 [Error] failed while trying to fix and create PR for: org.apache.camel:camel-ldap with version: 3.14.6 with error: mvn command failed: exit status 1
2022-12-08T22:54:07.0363070Z [INFO] Scanning for projects...
2022-12-08T22:54:07.0364068Z [INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom
...
2022-12-08T22:54:07.0417960Z [INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/codehaus/mojo/versions-maven-plugin/2.13.0/versions-maven-plugin-2.13.0.jar
2022-12-08T22:54:07.0418807Z [INFO] Downloaded from central: https://repo.maven.apache.org/maven2/org/codehaus/mojo/versions-maven-plugin/2.13.0/versions-maven-plugin-2.13.0.jar (416 kB at 6.5 MB/s)
2022-12-08T22:54:07.0419227Z [INFO]
2022-12-08T22:54:07.0419604Z [INFO] ------------------< org.apache.maven:standalone-pom >-------------------
2022-12-08T22:54:07.0420007Z [INFO] Building Maven Stub Project (No POM) 1
2022-12-08T22:54:07.0420429Z [INFO] --------------------------------[ pom ]---------------------------------
2022-12-08T22:54:07.0420868Z [INFO] ------------------------------------------------------------------------
2022-12-08T22:54:07.0421161Z [INFO] BUILD FAILURE
2022-12-08T22:54:07.0421532Z [INFO] ------------------------------------------------------------------------
2022-12-08T22:54:07.0421827Z [INFO] Total time: 2.199 s
2022-12-08T22:54:07.0422352Z [INFO] Finished at: 2022-12-08T22:54:07Z
2022-12-08T22:54:07.0422752Z [INFO] ------------------------------------------------------------------------
2022-12-08T22:54:07.0423724Z [ERROR] Failed to execute goal org.codehaus.mojo:versions-maven-plugin:2.13.0:use-dep-version (default-cli): Goal requires a project to execute but there is no POM in this directory (/tmp/jfrog.cli.temp.-1670540041-4076773722). Please verify you invoked Maven from the correct directory. -> [Help 1]
2022-12-08T22:54:07.0424308Z [ERROR]
2022-12-08T22:54:0
The PR should be opened when setting the JF_WORKING_DIR
Using the jfrog/frogbot@v2 action, but the logs show latest ...
Using the actions/setup-java@v3 action: java-version=11, distribution=temurin, java-package: jdk
GitHub
name: "Frogbot"
on:
  push:
    branches:
      - "test-bot"
permissions:
  contents: write
  pull-requests: write
  security-events: write
jobs:
  create-fix-pull-requests:
    runs-on: ubuntu-latest
    environment: frogbot
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      # Install prerequisites
      - name: Set up Java
        uses: actions/setup-java@v3
        with:
          java-version: "11"
          distribution: "temurin"
      - uses: jfrog/frogbot@v2
        env:
          JF_URL: ${{ secrets.JF_URL }}
          JF_USER: ${{ secrets.JF_USER }}
          JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          JF_WORKING_DIR: src/library/
          JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
ubuntu-22.04
3.61.5
Hi,
We are finding that the Frogbot scans are a lot slower than the equivalent scans/reports in the Xray UI. For instance a Frogbot scan takes ~13 minutes and the Xray UI takes ~10-30 seconds for the same artifact.
What resources are recommended and what parameters/options can we tune to improve Frogbot performance please?
Thanks!
Hey, I get differing results based on the URL I choose, so I'm a little confused as to which one I should use.
If JF_GIT_API_ENDPOINT is set to https://github.somecompany.com/api/v3/ then I get this error
[2022-12-14T04:38:07.819Z] 04:38:07 [Info]
[2022-12-14T04:38:07.819Z] Auditing base branch: somerepo release
[2022-12-14T04:38:07.819Z] 04:38:07 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1670992687-3585851041
[2022-12-14T04:38:07.819Z] 04:38:07 [Debug] Downloading somecompany/some-repo from branch:<release>
[2022-12-14T04:38:07.819Z] 04:38:07 [Error] unexpected status code: 404 Not Found
script returned exit code 1
If JF_GIT_API_ENDPOINT is set to https://github.somecompany.com then I get this error
[2022-12-14T04:10:36.994Z] 04:10:36 [Info] Xray scan completed
[2022-12-14T04:10:36.994Z] 04:10:36 [Info] Note: no context was provided, so no policy could be determined to scan against.
[2022-12-14T04:10:36.995Z] You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
[2022-12-14T04:10:36.995Z] Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
[2022-12-14T04:10:36.995Z] All vulnerabilities detected will be included in the output JSON.
[2022-12-14T04:10:36.995Z] 04:10:36 [Warn] upload code scanning failed with: GET https://github.somecompany.com/login?return_to=https%3A%2F%2Fgithub.somecompany.com%2Frepos%2Fsomecompany%2Fsome-repo%2Fcommits%3Fpage%3D1%26per_page%3D1%26sha%3Drelease: 406 []
[2022-12-14T04:10:36.995Z] 04:10:36 [Info] Found 7 vulnerable dependencies with fix versions
[2022-12-14T04:10:36.995Z] 04:10:36 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1670991036-1063396961
[2022-12-14T04:10:36.995Z] 04:10:36 [Error] 'git clone release from https://github.somecompany.com/somecompany/some-repo.git' failed with error: authorization failed
script returned exit code 1
The build is for dotnet core and Linux x64.
And, based on which one I should use, any ideas on how I fix the error I get above?
Our developers are complaining of too many emails for MRs due to the Frogbot comments when no vulnerabilities are found. Now whilst I don't agree with them entirely about this as I think it's important to have the status on the MR even when nothing bad is found, we need happy developers.
So please could you implement a flag, maybe something like JF_SUCCESS_COMMENT with a boolean value true/false that would disable the commenting on MRs if no vulnerabilities are found?
Thanks!
James
Describe the solution you'd like to see
It would be great to be able to configure some assignees or reviewers in the repo's frogbot-config.yml, which would be set by Frogbot when it creates a Merge Request to fix a vulnerability (when running the scan-and-fix mode).
This way, the repo owners could be triggered when a vulnerability is discovered in a dependency of the project.
Is your feature request related to a problem? Please describe.
I would like to be able to pass a Maven option on the fly, e.g. -DdisableX=true (currently our builds try to extract a git branch from the working directory, and it seems that the base branch audit is downloaded as an archive and untarred, which results in bare code; we can disable this on the fly, e.g. -DdisableX=true, but can't find a way to pass this into the Frogbot job).
Describe the solution you'd like to see
A JF_MAVEN_ARGS env var to pass options specific to the Frogbot run.