jfrog / frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
https://docs.jfrog-applications.jfrog.io/
Apache License 2.0

JF_USER is undefined #150

Open yarinsa opened 1 year ago

yarinsa commented 1 year ago

Describe the bug

I created a setup of yarn2 using the workflow you guys provided, and it seems like JF_USER is undefined even though it's set up.

To Reproduce

Just do your starter flow

Expected behavior

The run will go as planned

Screenshots

Screen Shot 2022-09-20 at 15 33 47

Versions

Additional context

I looked in your code and I didn't see any place where you are setting up JF_USER in your env. I also tried to supply JF_USER in:

  1. workflow context
  2. job context
  3. action context

omerzi commented 1 year ago

Hi @yarinsa, thank you for informing us about this issue. Can you please share the YAML file that you used?

yarinsa commented 1 year ago

Frogbot workflow yml:

```yaml
name: 'Frogbot Scan Pull Request'
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  pull-requests: write
  contents: read
jobs:
  scan-pull-request:
    runs-on: self-hosted
    # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
    # "frogbot" GitHub environment can approve the pull request to be scanned.
    environment: frogbot
    env:
      JF_URL: ${{ secrets.JF_URL }}
      JF_USER: ${{ secrets.JF_USER }}
      JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      # Install prerequisites
      - uses: actions/checkout@v3
        with:
          repository: transmit-poc/setup-yarn
          token: ${{ env.GH_TOKEN }}
          path: setup-yarn
      - name: Setup Yarn
        uses: ./setup-yarn
        with:
          artifactory_user: ${{ env.JF_USER }}
          artifactory_password: ${{ env.JF_PASSWORD }}
          node_version: 16.13.1
      # - run: rm .yarnrc.yml
      - uses: actions/checkout@v3
        with:
          repository: transmit-poc/frogbot
          token: ${{ env.GH_TOKEN }}
          path: frogbot
          ref: v2
      - name: Run Frogbot
        uses: ./frogbot
        env:
          # [Mandatory]
          # The command that installs the dependencies
          JF_INSTALL_DEPS_CMD: 'yarn install'
          # [Mandatory]
          # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
          JF_URL: ${{ secrets.JF_URL }}
          # [Mandatory if JF_ACCESS_TOKEN is not provided]
          # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
          JF_USER: ${{ secrets.JF_USER }}
          # [Mandatory if JF_ACCESS_TOKEN is not provided]
          # JFrog password. Must be provided with JF_USER
          JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
          # [Mandatory]
          # The GitHub token automatically generated for the job
          JF_GIT_TOKEN: ${{ secrets.GH_TOKEN }}
          # Uncomment the below options if you'd like to use them.
          # [Optional, default: https://api.github.com]
          # API endpoint to GitHub
          # JF_GIT_API_ENDPOINT: https://github.example.com
          # [Mandatory if JF_USER and JF_PASSWORD are not provided]
          # JFrog access token with 'read' permissions on Xray service
          # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
          # [Optional, default: "."]
          # Relative path to the project in the git repository
          # JF_WORKING_DIR: path/to/package.json/dir
          # [Optional]
          # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
          # JF_WATCHES: ,...
          # [Optional]
          # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
          # JF_PROJECT:
          # [Optional, default: "FALSE"]
          # Displays all existing vulnerabilities, including the ones that were added by the pull request.
          # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
```

We had to fork the bot to our organization, as we are not installing actions that are not verified, so we security review and fork, but it's the exact same code as yours (no change).

Setup yarn for me is a custom action trying to deal with the difference of authenticating with jfrog. For example:

  - using api_key & user (our local setup): `yarn config set npmAuthIdent user:api_key`
  - using password & user (CI setup): `yarn config set npmAuthIdent (user:password | base64)`

Setup yarn:

```yaml
# action.yml
name: "Setup Yarn"
description: "Initial setup for yarn with artifactory credentials"
branding:
  icon: "package"
  color: "gray-dark"
inputs:
  artifactory_user:
    description: "Artifactory user name (usually company email)"
    required: true
  artifactory_password:
    description: "Artifactory password (ApiKey can be used for fetching artifacts only)"
    required: true
  node_version:
    description: "Node.js version to install"
    required: false
    default: 16.13.1
runs:
  using: composite
  steps:
    - name: Setup Node.js
      uses: actions/setup-node@v3
      with:
        node-version: ${{ inputs.node_version }}
    - name: escape undefined variables
      shell: sh
      run: |
        echo "JF_API_KEY=${{ inputs.artifactory_password }}" >> $GITHUB_ENV
        echo "JF_PASSWORD=${{ inputs.artifactory_password }}" >> $GITHUB_ENV
        echo "JF_USER=${{ inputs.artifactory_user }}" >> $GITHUB_ENV
    - name: Setup credentials
      # Currently tested and compatible with Yarn2+
      shell: sh
      run: |
        corepack enable
        yarn config unset npmAuthIdent
        # tr strips the line wrap base64 inserts for long credentials, which would otherwise corrupt the ident
        yarn config set npmAuthIdent $(echo -n '${{ inputs.artifactory_user }}:${{ inputs.artifactory_password }}' | base64 | tr -d '\n')
    - name: Retrieve Yarn Cache
      id: yarn-cache-dir-path
      shell: sh
      run: echo "::set-output name=dir::$(yarn config get cacheFolder)"
    - uses: actions/cache@v3
      id: yarn-cache
      with:
        path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
        key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
        restore-keys: |
          ${{ runner.os }}-yarn-
    - name: Install dependencies
      shell: sh
      run: yarn install --immutable
```

I didn't see any reference to you guys setting this up in the action env here.

omerzi commented 1 year ago

Thanks, @yarinsa for the detailed information. We do set this env here: https://github.com/jfrog/frogbot/blob/9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250/commands/utils/params.go#L91

Could you please run this again with debug logs? Please add the following environment variable to Frogbot on GitHub: JFROG_CLI_LOG_LEVEL, with value DEBUG.

yarinsa commented 1 year ago

@omerzi I ended up using "yarn audit", which accesses JFrog Xray anyway.

omerzi commented 1 year ago

@yarinsa I'm glad that it worked for you, and thank you for the feedback! It would be greatly appreciated if you could help us understand this issue better, so we can take the right steps moving forward. Have you used the JFrog CLI command 'audit yarn' to fix it?

yarinsa commented 1 year ago

Nope. I fixed them manually. As for the log level, will do and update here.

```
/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-pull-request
07:34:49 [Info] Running Frogbot "scan-pull-request" command 
07:34:49 [Info] Auditing /runner/_work/TIP/TIP
07:34:49 [Info] Executing 'yarn' [install] at  /runner/_work/TIP/TIP
07:34:49 [Debug] Usage Report: Sending info...
07:34:49 [Debug] Sending HTTP GET request to: ***/artifactory/api/system/version
07:34:49 [Debug] Artifactory response: 200 OK
07:34:49 [Debug] JFrog Artifactory version is: 7.42.5
07:34:49 [Debug] Sending HTTP POST request to: ***/artifactory/api/system/usage
07:34:49 [Debug] Usage Report: Artifactory response: 200 OK
07:34:49 [Debug] Usage Report: Usage info sent successfully.
07:34:54 [Info] Detected: yarn.
07:34:55 [Debug] Sending HTTP GET request to: ***/xray/api/v1/system/version
07:34:55 [Info] JFrog Xray version is: 3.57.6
07:34:55 [Info] Scanning module tip:portal:0.37.0...
07:34:55 [Debug] Sending HTTP POST request to: ***/xray/api/v1/scan/graph?scan_type=dependency
07:34:55 [Info] Waiting for scan to complete...
07:34:55 [Debug] Sending HTTP GET request to: ***/xray/api/v1/scan/graph/9a15a1d2-1ddf-4109-4fba-e25ba26caa1d?include_vulnerabilities=true
07:34:55 [Info] Auditing TIP refs/pull/59/merge
07:34:55 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1664782495-3940882343
07:34:55 [Debug] Downloading transmitsecurity-dev/TIP , branch:refs/pull/59/merge to:/tmp/jfrog.cli.temp.-1664782495-3940882343
07:34:56 [Debug] Downloading repository completed
07:34:56 [Info] Executing 'yarn' [install] at  /tmp/jfrog.cli.temp.-1664782495-3940882343
07:34:56 [Info] Couldn't run the installation command on the base branch. Assuming new project in the source branch: exit status 1
07:34:56 [Info] Detected: yarn.
07:34:57 [Warn] An error was thrown while collecting dependencies info: exit status 1
Command output:
Usage Error: Environment variable not found (JF_USER) in /tmp/jfrog.cli.temp.-1664782495-3940882343/.yarnrc.yml (in /tmp/jfrog.cli.temp.-1664782495-3940882343/.yarnrc.yml)

━━━ Yarn Package Manager - 3.2.2 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  $ yarn <command>

You can also print more details about any of these commands by calling them with 
the `-h,--help` flag right after the command name.
```
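Added example, not Frogbot's or the reporter's code: a POSIX shell pre-flight that checks the env contract the workflow comments state (JF_URL and JF_GIT_TOKEN, plus JF_ACCESS_TOKEN or JF_USER with JF_PASSWORD) and lists the `${NAME}` references in a `.yarnrc.yml` that have no value and no fallback, which is the condition behind the "Environment variable not found" failure in the log above. The function names and the sample `.yarnrc.yml` are assumptions; only variable names are ever printed, never values.

```shell
#!/bin/sh
# Added example, not Frogbot's or the reporter's code. Two pre-flight checks for the
# failure seen in this thread. Function names and any sample file are assumptions.

# Env contract stated in the workflow comments: JF_URL and JF_GIT_TOKEN are mandatory;
# authentication needs JF_ACCESS_TOKEN, or JF_USER together with JF_PASSWORD.
# Returns 0 when satisfied, 1 otherwise; only variable names are reported, never values.
check_frogbot_env() {
  missing=""
  for name in JF_URL JF_GIT_TOKEN; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || missing="$missing $name"
  done
  if [ -z "${JF_ACCESS_TOKEN:-}" ]; then
    [ -n "${JF_USER:-}" ] || missing="$missing JF_USER"
    [ -n "${JF_PASSWORD:-}" ] || missing="$missing JF_PASSWORD"
  fi
  [ -z "$missing" ] && return 0
  echo "frogbot pre-flight: unset env:$missing" >&2
  return 1
}

# Yarn 2+ aborts with "Environment variable not found (NAME)" when .yarnrc.yml contains
# ${NAME} and NAME is unset. References written as ${NAME:-fallback} or ${NAME-fallback}
# never abort, so only the bare form is collected here (YAML comments are stripped first).
# Prints the unset names, sorted, and returns 1; returns 0 when every reference resolves.
yarnrc_missing_env() {
  file="${1:-.yarnrc.yml}"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  missing=""
  for name in $(sed 's/#.*//' "$file" \
                | grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' | tr -d '${}' | sort -u); do
    eval "val=\${$name:-}"
    [ -n "$val" ] || missing="$missing $name"
  done
  missing="${missing# }"
  [ -z "$missing" ] && return 0
  echo "$missing"
  return 1
}
```

Running `yarnrc_missing_env` against the checked-out base branch before Frogbot's install step would have named JF_USER as the unresolved reference instead of leaving it to Yarn's usage error.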