jfrog / frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
https://docs.jfrog-applications.jfrog.io/
Apache License 2.0

Different results with 'create-fix-pull-requests' vs 'scan-pull-request' #273

Open jghal opened 1 year ago

jghal commented 1 year ago

Describe the bug

I have self-hosted GitLab and Artifactory, and am trying to integrate frogbot in a Java repo built with Maven. I have the scan-pull-request working on a branch MR, and it shows multiple vulnerabilities with a fix version. For example:

[image: scan-pull-request output]

Running the create-fix-pull-requests command doesn't seem to be finding any of these vulnerabilities (with fixed versions).

Current behavior

When I try to run the create-fix-pull-requests command locally from a working copy of the branch (new repo, the master branch is empty still), it says there are no vulnerable dependencies with fix versions. But when I pull the scan report via the xray/api/v1/scan/graph that's in the frogbot output, the JSON response includes multiple fixed versions.

```
19:37:47 [Debug] Sending HTTP GET request to: https://repo.example.com/xray/api/v1/system/version
19:37:47 [🔵Info] JFrog Xray version is: 3.47.3
19:37:47 [🔵Info] Scanning module com.example.myproject:foolib:1.0-SNAPSHOT...
19:37:47 [Debug] Sending HTTP POST request to: https://repo.example.com/xray/api/v1/scan/graph?scan_type=dependency
19:37:47 [🔵Info] Waiting for scan to complete...
19:37:47 [Debug] Sending HTTP GET request to: https://repo.example.com/xray/api/v1/scan/graph/ac58a7a1-8d65-4df7-69dd-ce251552cba4?include_vulnerabilities=true
19:37:48 [Debug] Get Dependencies Scan results... (Attempt 1)
19:37:53 [Debug] Sending HTTP GET request to: https://repo.example.com/xray/api/v1/scan/graph/ac58a7a1-8d65-4df7-69dd-ce251552cba4?include_vulnerabilities=true
19:37:53 [🔵Info] Xray scan completed
19:37:53 [Debug] Upload Scan to GitLab is currently unsupported.
19:37:53 [🔵Info] Didn't find vulnerable dependencies with existing fix versions for foolib
19:37:53 [🔵Info] Frogbot "create-fix-pull-requests" command finished successfully
```

```
/work # jq -r '.vulnerabilities[].components[].fixed_versions' report.json
[
  "[1.21-RC1]"
]
[
  "[1.21-RC1]"
]
[
  "[1.21]"
]
[
  "[1.21]"
]
[
  "[1.21]"
]
[
  "[1.21]"
]
[
  "[2.7]"
]
[
  "[2.5]"
]
[
  "[1.11.3]"
]
```

Reproduction steps

No response

Expected behavior

The set of vulnerable dependencies with fixed versions identified in the scan-pull-request command should have MRs opened to update to the identified fixed version.

JFrog Frogbot version

2.6.1

Package manager info

Maven 3.8.6, pom.xml

Git provider

GitLab

JFrog Frogbot configuration yaml file

No response

Operating system type and version

alpine:3.17

JFrog Xray version

3.47.3

omerzi commented 1 year ago

Hi @jghal,

Thank you for using Frogbot!

Some of the vulnerabilities Frogbot found when scanning the pull request are transitive (indirect) dependencies. When creating pull requests with fixes for Maven projects, Frogbot only fixes vulnerabilities on direct dependencies. Upgrading transitive dependencies cannot be done directly in most cases. Please let us know if you have follow-up questions or comments.

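One way to see the distinction omerzi describes in the report jghal pulled from xray/api/v1/scan/graph, as an added example that is not Frogbot's own code: it sorts every vulnerable component that has a fix version into "direct" or "transitive" by its depth in the Xray impact paths. It assumes the field names `impact_paths` and `component_id` and that index 0 of every path is the scanned root module; the report data below is constructed.

```python
import json

# Constructed sample shaped like an Xray scan/graph response (assumption:
# each entry in "components" carries "fixed_versions" and "impact_paths",
# and every impact path starts with the scanned root module).
ROOT = "gav://com.example.myproject:foolib:1.0-SNAPSHOT"
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"components": {
            "gav://org.example:direct-lib:1.20": {
                "fixed_versions": ["[1.21]"],
                "impact_paths": [[
                    {"component_id": ROOT},
                    {"component_id": "gav://org.example:direct-lib:1.20"},
                ]],
            }}},
        {"components": {
            "gav://org.example:deep-lib:2.4": {
                "fixed_versions": ["[2.5]"],
                "impact_paths": [[
                    {"component_id": ROOT},
                    {"component_id": "gav://org.example:direct-lib:1.20"},
                    {"component_id": "gav://org.example:deep-lib:2.4"},
                ]],
            }}},
    ]
}

def classify_fixable(report: dict) -> dict:
    """Split vulnerable components that have a fix version into direct vs transitive."""
    direct, transitive = {}, {}
    for vuln in report.get("vulnerabilities", []):
        for comp_id, comp in vuln.get("components", {}).items():
            fixes = comp.get("fixed_versions") or []
            if not fixes:
                continue  # no fix version: nothing for create-fix-pull-requests to propose
            # Direct if the component sits at depth 1 (right under the root) in at
            # least one impact path; otherwise it is only reachable transitively.
            is_direct = any(len(p) > 1 and p[1].get("component_id") == comp_id
                            for p in comp.get("impact_paths", []))
            (direct if is_direct else transitive).setdefault(comp_id, set()).update(fixes)
    return {"direct": {k: sorted(v) for k, v in direct.items()},
            "transitive": {k: sorted(v) for k, v in transitive.items()}}

if __name__ == "__main__":
    # Only the "direct" bucket is what the Maven fix-PR flow can act on.
    print(json.dumps(classify_fixable(SAMPLE_REPORT), indent=2))
```

Run it against a real report with `classify_fixable(json.load(open("report.json")))`; an empty "direct" bucket is the case the log line above reports.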
jghal commented 1 year ago

Thanks for that explanation. Perhaps the output of create-fix-pull-requests could include this extra context to avoid confusion.