jfrog / frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
https://docs.jfrog-applications.jfrog.io/
Apache License 2.0
298 stars 69 forks

Does frogbot require Advanced Security? #604

Open rsi-mrobinson opened 9 months ago

rsi-mrobinson commented 9 months ago

I set up frogbot on a test repo and noticed that while running the Frogbot "scan-repository" command it does a series of checks for 200s back from various JFrog endpoints. We did not purchase the advanced security license, so we do not have access to contextual_analysis.

```
17:23:12 [Debug] Sending HTTP GET request to: https://companyname.jfrog.io/xray/api/v1/entitlements/feature/contextual_analysis
Error: 2 [Error] got unexpected server response while attempting to get JFrog Xray entitlements response for contextual_analysis:
server response: 404 Not Found
```

I noticed that the documentation makes note:

NOTE: SAST, Vulnerability Contextual Analysis, Secrets Detection and Infrastructure as Code scans require the [JFrog Advanced Security Package](https://jfrog.com/xray/).

but that doesn't seem to include dependency scanning or license scanning. However, the UrlAccessChecker function still appears to require access to that endpoint in order to start a scan on the branch. I dug through your documentation but failed to find a concrete answer or a clear list of requirements for frogbot.

If this isn't something that can be used without Advanced Security it should probably be noted more clearly in the documentation. However if this is possible, I don't understand what I am missing to skip the checks for the endpoints my organization did not purchase.

Thanks!

omerzi commented 9 months ago

Hello @rsi-mrobinson, Frogbot specifically needs advanced security settings solely for accessing JFrog Advanced Security features like Contextual Analysis, Secrets Detection, SAST, and IaC. However, for license and vulnerability scans, Frogbot solely relies on Xray abilities. Could you kindly provide the complete debug logs? This will help us investigate your issues during the vulnerability scan.

rsi-mrobinson commented 9 months ago

Here are the debug logs:

```
17:22:58 [Info] Frogbot version: 2.19.4
17:22:58 [Debug] Reading config from file system. Looking for .frogbot/frogbot-config.yml
17:22:58 [Debug] frogbot-config.yml wasn't found in /home/runner/_work/proto-hastur-ui/proto-hastur-ui/.frogbot/frogbot-config.yml. Searching for it in upstream directories
17:22:58 [Debug] Attempting to download frogbot-config.yml from orgname/proto-hastur-ui
17:22:58 [Debug] The frogbot-config.yml will be downloaded from main branch
17:22:58 [Info] Successfully downloaded frogbot-config.yml file from <orgname/proto-hastur-ui/main>
17:22:58 [Debug] The content of frogbot-config.yml that will be used is:
- params:
    git:
      repoName: proto-hastur-ui
      branches:
        - main
    scan:
      projects:
        - installCommand: "npm install"
    jfrogPlatform:
    jfrogProjectKey: "proj_key"
17:22:58 [Debug] Sending HTTP HEAD request to: 'https://github.com/jfrog/frogbot'
17:22:58 [Debug] Locking config file to run config AddOrEdit command.
17:22:58 [Debug] Creating lock in: /tmp/jfrog.cli.temp.-1702488178-1625234196/locks/config
17:22:58 [Debug] Releasing lock: /tmp/jfrog.cli.temp.-1702488178-1625234196/locks/config/jfrog-cli.conf.lck.86.1702488178830231779
17:22:58 [Debug] Config AddOrEdit command completed successfully. config file is released.
17:22:58 [Debug] Usage Report: Sending info...
17:22:58 [Info] Running Frogbot "scan-repository" command
17:22:58 [Debug] Sending HTTP POST request to: https://usage-ecosystem.jfrog.io/api/usage/report
17:22:58 [Debug] Sending HTTP GET request to: https://company.jfrog.io/xray/api/v1/system/version
17:22:58 [Debug] Sending HTTP GET request to: https://company.jfrog.io/artifactory/api/system/version
17:22:58 [Debug] JFrog Xray version is: 3.86.4
17:22:58 [Debug] Sending HTTP POST request to: https://company.jfrog.io/xray/api/v1/usage/events/send
17:22:58 [Debug] Artifactory response: 200 
17:22:58 [Debug] JFrog Artifactory version is: 7.75.4
17:22:58 [Debug] Sending HTTP POST request to: https://company.jfrog.io/artifactory/api/system/usage
17:22:59 [Debug] Setting timeout for go-git to 120 seconds ...
17:22:59 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1702488179-3490226136
17:22:59 [Debug] Cloning <https://github.com/orgname/proto-hastur-ui.git/origin/refs/heads/main>...
17:23:12 [Debug] Project cloned from https://github.com/orgname/proto-hastur-ui.git to /tmp/jfrog.cli.temp.-1702488179-3490226136
17:23:12 [Debug] Sending HTTP GET request to: https://company.jfrog.io/xray/api/v1/system/version
17:23:12 [Debug] Sending HTTP GET request to: https://company.jfrog.io/xray/api/v1/entitlements/feature/contextual_analysis
Error: 2 [Error] got unexpected server response while attempting to get JFrog Xray entitlements response for contextual_analysis:
server response: 404 Not Found
Error: The process '/home/runner/_work/_tool/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
```

rsi-mrobinson commented 9 months ago

Any indication what I may have done wrong @omerzi ?

eyalbe4 commented 9 months ago

@rsi-mrobinson, will you be able to open a ticket with JFrog Support, so that they can investigate why this error (`[Error] got unexpected server response while attempting to get JFrog Xray entitlements response for contextual_analysis: server response: 404 Not Found`) is received when Frogbot attempts to access the Entitlement endpoint? This isn't something we're expecting or seeing for other setups.

jghal commented 4 months ago

Was there a resolution here? I'm seeing a similar error message but with a 401 response code. Using version 2.20.1.

```
$ /usr/local/bin/frogbot ${FROGBOT_CMD}
13:09:06 [Info] Frogbot version: 2.20.1
13:09:06 [Info] Running Frogbot "scan-pull-request" command
13:09:07 [Info] Scanning Pull Request #104 (from source branch: <path/to/project/branch> to target branch: <path/to/project/main>)
13:09:07 [Info] -----------------------------------------------------------
13:09:09 [Info] common repository downloaded successfully. Starting with repository extraction...
13:09:09 [Info] Extracted repository successfully
13:09:09 [Info] Scanning source branch...
13:09:09 [Error] got unexpected server response while attempting to get JFrog Xray entitlements response for contextual_analysis:
server response: 401 Unauthorized
{
  "error": "Found invalid token"
}
```

I can use the same token for API calls with curl.

```
$ jtoken=$(glab variable get -g path/to/project ART_TOKEN)
$ curl -H "Authorization: Bearer ${jtoken}" https://art.example.com/api/system/ping
OK
$
```

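One thing worth checking when comparing a curl test against the failing run: the curl above pings Artifactory (`/api/system/ping`), while the call Frogbot fails on is to Xray under `/xray/api/v1/entitlements/feature/contextual_analysis` (see the debug logs earlier in this thread). A token that Artifactory accepts is not necessarily one Xray accepts, so the probe has to hit the same path with the same credentials. The script below is an added example, not Frogbot's own code: it issues the same GET Frogbot issues and turns the status code into a diagnosis. `JF_URL` and `JF_ACCESS_TOKEN` are the environment variable names Frogbot reads; the endpoint path is taken from the logs in this issue; the diagnosis strings and the assumed shape of a 200 body (`{"feature_id": ..., "entitled": true|false}`) are this example's own assumptions.

```shell
#!/usr/bin/env sh
# Added example (not Frogbot's code): reproduce Frogbot's Xray entitlement probe
# with plain curl so a 401 ("token rejected by Xray") can be told apart from a
# 404 ("path not there") or a clean "not entitled" answer.
#
# Usage:
#   JF_URL=https://company.jfrog.io JF_ACCESS_TOKEN=... sh probe.sh probe [feature]
#
# Assumptions: JF_URL is the platform base URL (Frogbot derives the Xray URL as
# JF_URL/xray, which matches the paths in the logs); a 200 body looks like
# {"feature_id":"contextual_analysis","entitled":false} (assumed shape).

# classify_entitlement_response STATUS BODY -> one-line diagnosis on stdout.
# The first word is a stable code; the rest is a human-readable hint.
classify_entitlement_response() {
  status="$1"
  body="$2"
  case "$status" in
    200)
      # Xray answered the probe; whether the feature is licensed is in the body.
      case "$body" in
        *'"entitled":true'*|*'"entitled": true'*)
          echo "entitled" ;;
        *'"entitled":false'*|*'"entitled": false'*)
          echo "not-entitled (endpoint reachable, feature not licensed: expected without Advanced Security)" ;;
        *)
          echo "unexpected-200-body $body" ;;
      esac ;;
    401) echo "unauthorized: Xray rejected the token (an Artifactory ping succeeding does not prove Xray accepts it)" ;;
    403) echo "forbidden: token accepted but not allowed to read entitlements" ;;
    404) echo "not-found: ${JF_URL:-JF_URL}/xray/api/v1/entitlements/... is not served here (check JF_URL is the platform base URL and Xray is reachable under /xray)" ;;
    000) echo "no-response: could not connect (DNS, TLS or proxy problem before any HTTP answer)" ;;
    *)   echo "unexpected-status-$status $body" ;;
  esac
}

# probe_entitlement [FEATURE] -> performs the same GET Frogbot performs and
# prints "<status> <diagnosis>".
probe_entitlement() {
  feature="${1:-contextual_analysis}"
  : "${JF_URL:?set JF_URL to the platform base URL, e.g. https://company.jfrog.io}"
  : "${JF_ACCESS_TOKEN:?set JF_ACCESS_TOKEN to the token Frogbot uses}"
  base="${JF_URL%/}"
  tmp="$(mktemp)"
  # -w prints only the status code; the body goes to the temp file. On a
  # connection failure curl exits non-zero and prints 000, which we keep.
  status="$(curl -sS -o "$tmp" -w '%{http_code}' \
      -H "Authorization: Bearer ${JF_ACCESS_TOKEN}" \
      "${base}/xray/api/v1/entitlements/feature/${feature}")" || status=000
  body="$(cat "$tmp")"
  rm -f "$tmp"
  printf '%s %s\n' "$status" "$(classify_entitlement_response "$status" "$body")"
}

# Only hit the network when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "probe" ]; then
  probe_entitlement "${2:-contextual_analysis}"
fi
```

Run it with the exact token the CI job exports to Frogbot; if it reports `unauthorized` while the Artifactory ping still returns `OK`, the token is the problem on the Xray side, not the Frogbot configuration. A `not-entitled` answer is the healthy result for a platform without Advanced Security, and is what Frogbot needs to see to fall back to plain Xray vulnerability and license scanning.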
mcavey-arch commented 3 months ago

Same for me - running scan pull request I also get a 401 while attempting to get JFrog Xray entitlements for contextual_analysis.

Any updates?