jfrog / frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
https://docs.jfrog-applications.jfrog.io/
Apache License 2.0

Try to update to RC (release candidate) version instead of fixed version #597

Open philippe-granet opened 7 months ago

philippe-granet commented 7 months ago

Describe the bug

Frogbot tries to update dependencies with release candidate (RC) versions instead of fixed versions

Current behavior

Logs:

11:13:23 [Debug] Created 'Maven' dependency tree with 459 nodes. Elapsed time: 42.3 seconds.
11:13:23 [Debug] Unique dependencies list:
[
    "gav://commons-io:commons-io:1.3.2",
...
  ]
...
11:13:36 [Debug] Frogbot will attempt to resolve the following vulnerable dependencies:
 commons-io:commons-io,
....
11:13:41 [Debug] Attempting to fix commons-io:commons-io with 2.1-RC1
11:13:41 [Debug] Creating branch frogbot-commons-io_commons-io-17512654982787fe8c8207114ae2446c ...
11:13:42 [Debug] Running 'mvn -U -B org.codehaus.mojo:versions-maven-plugin:use-dep-version -Dincludes=commons-io:commons-io -DdepVersion=2.1-RC1 -DgenerateBackupPoms=false -DprocessDependencies=true -DprocessDependencyManagement=false'
...
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:versions-maven-plugin:2.11.0:use-dep-version (default-cli) on project prm-sm-fwk: Version 2.1-RC1 is not available for artifact commons-io:commons-io -> [Help 1]

Why use an RC version (2.1-RC1)?

Reproduction steps

No response

Expected behavior

No response

JFrog Frogbot version

2.19.4

Package manager info

Maven 3.9.6

Git provider

GitLab

JFrog Frogbot configuration yaml file

No response

Operating system type and version

Debian 12

JFrog Xray version

JFrog Xray version 3.41.4

omerzi commented 7 months ago

Hi @philippe-granet, the results for the fixed versions are based on data we obtained from Xray. I will investigate this further and provide you with more information ASAP. Thank you!

omerzi commented 7 months ago

Hi @philippe-granet, it seems that the issue is not reproducible when we use our JFrog SaaS instance with Xray v3.84.4. We conducted tests using Frogbot, the CLI audit command, and the REST API to Xray, and here are the results:

{
    "component_id": "gav://commons-io:commons-io:1.3.2",
    "package_type": "maven",
    "vulnerabilities": [
        {
            "cves": [
                {
                    "cve": "CVE-2021-29425",
                    "cvss_v2_score": "5.8",
                    "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N",
                    "cvss_v3_score": "4.8",
                    "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                }
            ],
            "summary": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.",
            "severity": "Medium",
            "components": {
                "gav://commons-io:commons-io:1.3.2": {
                    "package_name": "commons-io:commons-io",
                    "package_version": "1.3.2",
                    "package_type": "maven",
                    "fixed_versions": [
                        "[2.7]"
                    ],
                    "infected_versions": [
                        "(,2.7)"
                    ],
                    "impact_paths": [
                        [
                            {
                                "component_id": "gav://commons-io:commons-io:1.3.2"
                            }
                        ]
                    ]
                }
            },
            "issue_id": "XRAY-172728",
            "references": [
                "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E",
                "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E",
                "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E",
                "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E",
                "https://security.netapp.com/advisory/ntap-20220210-0004/",
                "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E",
                "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E",
                "https://www.oracle.com/security-alerts/cpuoct2021.html",
                "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E",
                "https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E",
                "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E",
                "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E",
                "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E",
                "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E",
                "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E",
                "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E",
                "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E",
                "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E",
                "https://issues.apache.org/jira/browse/IO-556",
                "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E",
                "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E",
                "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E",
                "https://www.oracle.com/security-alerts/cpujan2022.html",
                "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E",
                "https://www.oracle.com/security-alerts/cpuapr2022.html",
                "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E",
                "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E",
                "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E",
                "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E",
                "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E",
                "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html",
                "https://www.oracle.com/security-alerts/cpujul2022.html"
            ],
            "is_high_profile": false,
            "provider": "JFrog",
            "edited": "0001-01-01T00:00:00Z",
            "applicability": null
        }
    ],
    "scan_id": "89eea845-94ae-4442-42e3-5a878dc0ef17",
    "status": "completed",
    "top_vuln_severity": "Medium",
    "progress_percentage": 100
}

I suggest, if possible, upgrading your Xray to a newer version and also verifying that your database is synced. I hope these steps will resolve your issue. Please let me know how it goes and if any further assistance is required.
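The thread turns on two things: the `fixed_versions` field Xray returns (Maven range notation such as `[2.7]`, with `(,2.7)` as the infected range) and the version Frogbot then hands to `versions-maven-plugin`. The example below, written in Go (Frogbot's own language) as an added illustration and not code from Frogbot or JFrog, parses a trimmed copy of the Xray response quoted above, extracts the lower bound of each fixed-version range, and selects the lowest release-quality target, refusing pre-release qualifiers such as `2.1-RC1` so the remediation branch is never opened against a version that `use-dep-version` cannot resolve. The struct field names, the pre-release qualifier list and the `ChooseFixVersion` / `FixVersionsFromScan` helpers are assumptions made for this example.

```go
// Added example (not Frogbot's own code): parse the Xray component-summary
// JSON from the thread, read each CVE's fixed_versions, interpret the Maven
// range notation Xray uses and pick a release-quality upgrade target.
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// xrayScan mirrors only the fields of the Xray response this example reads.
type xrayScan struct {
	ComponentID     string `json:"component_id"`
	Vulnerabilities []struct {
		CVEs []struct {
			CVE string `json:"cve"`
		} `json:"cves"`
		Components map[string]struct {
			FixedVersions []string `json:"fixed_versions"`
		} `json:"components"`
	} `json:"vulnerabilities"`
}

// preRelease matches common Maven pre-release qualifiers (2.1-RC1, 1.0-alpha-2,
// 3.0.0-M1, 1.0-beta2, 1.0-CR1, 2.8-SNAPSHOT). The list is an assumption made
// for this example; extend it to match your own artifacts' conventions.
var preRelease = regexp.MustCompile(`(?i)-(rc|alpha|beta|milestone|m|cr|snapshot)`)

// IsPreRelease reports whether a version string carries a pre-release qualifier.
func IsPreRelease(v string) bool { return preRelease.MatchString(v) }

// LowerBound extracts the lowest version named by a Maven range spec.
// "[2.7]" and "[2.7,)" yield ("2.7", true); "(2.7,)" yields ("2.7", false)
// because 2.7 itself is excluded; "(,2.7)" has no lower bound, so ok is false.
// A bare version such as "2.7" is treated as that exact version.
func LowerBound(spec string) (version string, inclusive bool, ok bool) {
	spec = strings.TrimSpace(spec)
	if spec == "" {
		return "", false, false
	}
	if spec[0] != '[' && spec[0] != '(' {
		return spec, true, true
	}
	inclusive = spec[0] == '['
	body := strings.Trim(spec, "[]()")
	lower := strings.TrimSpace(strings.Split(body, ",")[0])
	if lower == "" {
		return "", false, false
	}
	return lower, inclusive, true
}

// compareVersions orders dotted/hyphenated versions segment by segment,
// numerically where both segments are numbers ("2.10" > "2.7"), otherwise
// by string order. Returns -1, 0 or 1.
func compareVersions(a, b string) int {
	sep := func(r rune) bool { return r == '.' || r == '-' }
	as, bs := strings.FieldsFunc(a, sep), strings.FieldsFunc(b, sep)
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := "", ""
		if i < len(as) {
			x = as[i]
		}
		if i < len(bs) {
			y = bs[i]
		}
		xi, xerr := strconv.Atoi(x)
		yi, yerr := strconv.Atoi(y)
		if xerr == nil && yerr == nil {
			if xi < yi {
				return -1
			} else if xi > yi {
				return 1
			}
		} else if c := strings.Compare(x, y); c != 0 {
			return c
		}
	}
	return 0
}

// ChooseFixVersion picks the lowest inclusive, non-pre-release version among
// the fixed_versions entries. It errors when none qualifies, so a caller can
// leave the dependency untouched instead of proposing a version that will not build.
func ChooseFixVersion(fixedVersions []string) (string, error) {
	best := ""
	for _, spec := range fixedVersions {
		v, inclusive, ok := LowerBound(spec)
		if !ok || !inclusive || IsPreRelease(v) {
			continue
		}
		if best == "" || compareVersions(v, best) < 0 {
			best = v
		}
	}
	if best == "" {
		return "", errors.New("no release-quality fixed version available")
	}
	return best, nil
}

// FixVersionsFromScan maps each CVE in an Xray component-summary response to the
// version the scanned component should be bumped to ("" when only pre-release
// or exclusive-bound fixes are offered).
func FixVersionsFromScan(raw []byte) (map[string]string, error) {
	var scan xrayScan
	if err := json.Unmarshal(raw, &scan); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, vuln := range scan.Vulnerabilities {
		comp, found := vuln.Components[scan.ComponentID]
		if !found {
			continue
		}
		fix, err := ChooseFixVersion(comp.FixedVersions)
		if err != nil {
			fix = ""
		}
		for _, c := range vuln.CVEs {
			out[c.CVE] = fix
		}
	}
	return out, nil
}

// sampleScan is a trimmed copy of the Xray response quoted in the thread;
// only the fields this example reads are kept.
const sampleScan = `{
  "component_id": "gav://commons-io:commons-io:1.3.2",
  "vulnerabilities": [{
    "cves": [{"cve": "CVE-2021-29425"}],
    "components": {
      "gav://commons-io:commons-io:1.3.2": {
        "fixed_versions": ["[2.7]"],
        "infected_versions": ["(,2.7)"]
      }
    }
  }]
}`

func main() {
	fixes, err := FixVersionsFromScan([]byte(sampleScan))
	if err != nil {
		panic(err)
	}
	fmt.Println(fixes) // map[CVE-2021-29425:2.7]
	// Constructed input: a fixed_versions list that leads with an RC, as in the report.
	v, err := ChooseFixVersion([]string{"2.1-RC1", "[2.7]"})
	fmt.Println(v, err) // 2.7 <nil>
}
```

Run against the quoted response, `FixVersionsFromScan` yields `2.7` for CVE-2021-29425, matching `mvn ... -DdepVersion=2.7`. If the data source had offered `2.1-RC1` as in the failing log, `ChooseFixVersion` would skip it and fall through to `2.7`; with no release-quality entry at all it errors rather than guessing, which is the behaviour you want before creating a `frogbot-*` branch. Treat the qualifier regex as policy: teams that deliberately ship milestone builds can relax it, but the default should be to never propose a pre-release as a security fix.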