jfrog / frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
https://docs.jfrog-applications.jfrog.io/
Apache License 2.0
301 stars, 69 forks

Failing to run JFrog Bot Scan #654

Closed Sof0-0 closed 2 months ago

Sof0-0 commented 7 months ago

Hello, I have been trying to set up JFrog Xray scanning for a repository in my organization, and it keeps failing with something like this:

[Screenshot 2024-02-29 at 17 57 18: image not available]

I want to ask how exactly the scans are conducted. Does the product have to be fully functional for the scan to work, or do I have to manually add dependencies and environment variables? Here is the configuration file:

[Screenshot 2024-02-29 at 17 59 06: image not available]

I would appreciate your help!

gailazar300 commented 7 months ago

Hello @Sof0-0, can you please share the content of your "JF_REQUIREMENTS_FILE" environment variable in the attached configuration file? The error may occur if this variable is not set, as Frogbot will then try to build the project without considering the requirements file.

You can try to add it manually to the configuration file:

```yaml
# Pip requirements.txt file path
JF_REQUIREMENTS_FILE: ""
```

sharvesh06 commented 6 months ago

I have a similar issue:

```
22:22:44 [Info] Xray scan completed
22:22:53 [Error] the following errors occured while fixing vulnerabilities in '/tmp/jfrog.cli.temp.-1710281552-1494864668': an error occurred while attempting to read the requirements file: open setup.py: no such file or directory
```

We have a monorepo and JF_REQUIREMENTS_FILE is set to "".

eranturgeman commented 4 months ago

Hello @Sof0-0 and @sharvesh06, let me break it down for you: it all depends on how you configured your CI workflow file. In general, Frogbot searches for descriptor files in the project. After finding them it can decide which technology is being used in the project, so it can perform the dependency graph construction and the fixes correctly. When using Python, since this language allows descriptor files to have many different names, we require the customer to provide the descriptor file name. Now, if you didn't define a structure for your project in the CI file (meaning you didn't define workingDirs [modules] manually), Frogbot will recursively scan the entire project and search for the descriptor files (in your case, the file name you provided through pipRequirementsFile or JF_REQUIREMENTS_FILE). If you have defined working dirs, Frogbot will NOT perform a recursive scan and will search for the descriptor in the path you provided for the workingDir.

The error you are experiencing indicates that a descriptor was not found in the searched working dir. I assume this happens due to one of the following:

1) you didn't provide the name of the Python descriptor you use (unless you use setup.py)
2) you defined workingDirs and you don't have the descriptor in the root path you defined for the working dir

If one of the scenarios above applies to you, let me know and it will be easier to resolve. If not, I'd like to investigate further, and I'd appreciate it if you could provide the full workflow file and the frogbot-config.yml you use (if you use this file).
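The lookup rule described in the two answers above (no descriptor name given means Frogbot falls back to `setup.py`; no `workingDirs` means a recursive search from the repository root; `workingDirs` means a non-recursive lookup in exactly those directories) can be checked locally before pushing a workflow change. The script below is an added example and not part of this thread or of Frogbot's code: it is a simplified model of the rule as stated here, not a re-implementation of Frogbot, and `resolve_descriptor`, `build_sample_monorepo`, `explain`, and the constructed sample repository layout are all assumptions. It reproduces the "open setup.py: no such file or directory" situation from @sharvesh06's monorepo and shows which settings would make the descriptor resolvable.

```python
"""Predict whether Frogbot's descriptor lookup (as described in the thread) will
succeed for a given repository layout and configuration.

Assumption: this is a simplified model of the rule stated in the thread, not
Frogbot's own code. It only knows two settings, the pip requirements file name
(JF_REQUIREMENTS_FILE / pipRequirementsFile) and the workingDirs list.
"""
import tempfile
from pathlib import Path
from typing import Iterable, Optional

# The thread says that when no descriptor name is given, setup.py is assumed.
DEFAULT_DESCRIPTOR = "setup.py"


def resolve_descriptor(root: str,
                       requirements_file: str = "",
                       working_dirs: Optional[Iterable[str]] = None) -> list:
    """Return the descriptor paths (relative to root, POSIX style) that the
    lookup rule would find.

    - requirements_file == "" means no name was provided, so fall back to setup.py
    - no working_dirs: recursive search from the repository root
    - working_dirs given: look only in each listed directory, no recursion
    """
    name = requirements_file or DEFAULT_DESCRIPTOR
    root_path = Path(root)
    if not working_dirs:
        return sorted(p.relative_to(root_path).as_posix()
                      for p in root_path.rglob(name) if p.is_file())
    found = []
    for wd in working_dirs:
        candidate = root_path / wd / name
        if candidate.is_file():
            found.append(candidate.relative_to(root_path).as_posix())
    return found


def explain(root: str,
            requirements_file: str = "",
            working_dirs: Optional[Iterable[str]] = None) -> str:
    """Human-readable verdict, mirroring the success/failure cases in the thread."""
    found = resolve_descriptor(root, requirements_file, working_dirs)
    if found:
        return "OK: descriptor(s) found: " + ", ".join(found)
    name = requirements_file or DEFAULT_DESCRIPTOR
    scope = ("recursively under the repository root" if not working_dirs
             else "in workingDirs " + ", ".join(working_dirs))
    return f"ERROR: no '{name}' found {scope}"


def build_sample_monorepo() -> str:
    """Constructed sample tree (assumption): a monorepo whose two Python
    services each carry a requirements.txt, with no descriptor at the root."""
    root = tempfile.mkdtemp(prefix="frogbot-check-")
    for svc in ("services/api", "services/worker"):
        d = Path(root) / svc
        d.mkdir(parents=True)
        (d / "requirements.txt").write_text("requests==2.31.0\n")
    (Path(root) / "README.md").write_text("monorepo\n")
    return root


if __name__ == "__main__":
    repo = build_sample_monorepo()
    # JF_REQUIREMENTS_FILE left empty: falls back to setup.py, which does not exist
    print(explain(repo))
    # Name provided, no workingDirs: recursive search finds both services
    print(explain(repo, "requirements.txt"))
    # Name provided, workingDirs pointing at one service: non-recursive hit
    print(explain(repo, "requirements.txt", ["services/api"]))
    # workingDirs pointing at a parent directory: the lookup is not recursive
    print(explain(repo, "requirements.txt", ["services"]))
```

Run it against a copy of your own repository root instead of the constructed tree to see which of the two failure scenarios in the answer above applies; the fourth case is the one that trips up monorepos, where `workingDirs` points at a parent folder that holds no descriptor itself.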

eranturgeman commented 2 months ago

Hey @Sof0-0 and @sharvesh06, since you haven't responded in a while, I assume my answer resolved your issue :) If not, please feel free to reopen this ticket or open another GitHub issue with any questions you have.