jfrog / frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
https://docs.jfrog-applications.jfrog.io/
Apache License 2.0

Fix download URL for JF_RELEASES_REPO case #691

Open chkp-roniz opened 5 months ago

chkp-roniz commented 5 months ago

Using Artifactory remote repository JF_RELEASES_REPO produces an invalid URL:

https://artifactory.company.com/artifactory/myrepo/artifactory/frogbot/v2/[RELEASE]/frogbot-linux-amd64/frogbot

The URL contains the artifactory keyword twice and two repository names.

The fix includes a modification of the URL in a way that supports both cases.

github-actions[bot] commented 5 months ago

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

chkp-roniz commented 5 months ago

I have read the CLA Document and I hereby sign the CLA

chkp-roniz commented 5 months ago

recheck

eranturgeman commented 4 months ago

Hello @chkp-roniz, and thank you for bringing this issue to our attention. We will review it shortly and will update you.

eranturgeman commented 4 months ago

Hey @chkp-roniz, I have looked into this and the script works as it should. I'll explain: JF_RELEASES_REPO should contain ONLY the name of the remote repository. Another important thing to note is that this repository MUST point to releases.jfrog.io for the switch to happen in a correct way (not releases.jfrog.io/artifactory). I'll explain with an example: let's say your platform URL is https://artifactory.company.com, and the remote repo is called 'myRepo' and it points to releases.jfrog.io. The full URL you get is (according to your example): https://artifactory.company.com/artifactory/myRepo/artifactory/frogbot/v2/[RELEASE]/frogbot-linux-amd64/frogbot

Now, since https://artifactory.company.com/artifactory/myRepo = releases.jfrog.io, the final URL you address is: https://releases.jfrog.io/artifactory/frogbot/v2/[RELEASE]/frogbot-linux-amd64/frogbot

which is exactly where you should address. Please make sure your remote repository points to the correct URL. If so, please contact us again (I'll leave this PR open for a while so you can tell me if it worked for you. If it doesn't, we will look into it again and fix the bug if such exists).
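
The URL mapping described in the comment above, as an added example that is not part of the original thread or of Frogbot's own scripts: a POSIX shell sketch that builds the requested URL, the URL the remote repository fetches upstream, and checks the two configuration conditions named in the comment. The function names are hypothetical, and the sample values are the ones used in the thread.

```shell
#!/bin/sh
# Added illustration: function names are hypothetical, not taken from Frogbot.

# Path requested after the repository key (taken from the URLs in the thread).
FROGBOT_PATH='artifactory/frogbot/v2/[RELEASE]/frogbot-linux-amd64/frogbot'

# URL the client requests: <platform URL>/artifactory/<repo name>/<path>
request_url() {
    printf '%s/artifactory/%s/%s\n' "${1%/}" "$2" "$FROGBOT_PATH"
}

# URL the remote repository fetches: <upstream URL of the remote repo>/<path>
upstream_url() {
    printf '%s/%s\n' "${1%/}" "$FROGBOT_PATH"
}

# Check the two conditions from the comment above.
# $1 = JF_RELEASES_REPO value, $2 = URL the remote repository points to.
# Prints the reason and returns 1 on a misconfiguration, returns 0 otherwise.
check_releases_repo() {
    case $1 in
        '' | */* | *:*)
            echo "JF_RELEASES_REPO must contain only the repository name"
            return 1 ;;
    esac
    case ${2%/} in
        */artifactory)
            echo "remote repository must not point to .../artifactory"
            return 1 ;;
    esac
    return 0
}

# Constructed sample values, matching the example in the thread.
request_url 'https://artifactory.company.com' 'myRepo'
upstream_url 'https://releases.jfrog.io'
check_releases_repo 'myRepo' 'https://releases.jfrog.io/artifactory' || true
```
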

github-actions[bot] commented 4 months ago

[![👍 Frogbot scanned this pull request and did not find any new security issues.](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/noVulnerabilityBannerPR.png)](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

[🐸 JFrog Frogbot](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

chkp-roniz commented 3 months ago

Hi @eranturgeman, thank you for the detailed description. It is working when referring only to https://releases.jfrog.io. However, by this method, we lose Smart Repository features...

eranturgeman commented 3 months ago

Thanks @chkp-roniz for letting me know it works! Can you give me an example of a feature you are missing due to this way? I'd love to look deeper into it so we can consider a change if necessary and if it is valuable.