jfrog / frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
https://docs.jfrog-applications.jfrog.io/
Apache License 2.0

Frogbot not showing "non-direct" vulnerable packages #725

Closed teodem closed 1 month ago

teodem commented 2 months ago

Hello there, I'm scanning a Maven project with a list of vulnerable dependencies. If I run Frogbot, what I see is this:

```
[Info] Scanning 56 maven dependencies...
[Info] Waiting for scan to complete on JFrog Xray...
[Info] Xray scan completed
[Info] Frogbot "scan-repository" command finished successfully
```

But if I run in "debug" mode I see this:

```
[Debug] org.springframework:spring-webmvc is an indirect dependency that will not be updated to version 5.2.20.RELEASE. Fixing indirect dependencies can potentially cause conflicts with other dependencies that depend on the previous version. Frogbot skips this to avoid potential incompatibilities and breaking changes.
```

My question is: as a developer, I would like at least to see the list of vulnerabilities, independently of whether they are direct or non-direct (the same result as the CLI, for instance). Is there any possibility to have this, or to bypass this configuration?

eranturgeman commented 1 month ago

Hello @teodem, and thank you for using Frogbot! Currently, Frogbot does not support the configuration you’re asking about. When running scan-repository, Frogbot is designed to show only what it can fix, as the primary goal of this flow is to implement fixes rather than display results.

For your needs, we offer another tool called ‘jf audit’. This CLI command runs all of our scanners on your project and displays all the results.

If you need this functionality in Frogbot, you can either open a GitHub issue with a feature request or, even better, contact your JFrog representative to ask for this feature.

I hope this clears things up. If not, feel free to reopen this issue and continue the discussion.
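As an added illustration of the direct/indirect distinction discussed above (this is not Frogbot's or JFrog's code): a small Python script that walks constructed Xray-style impact paths, reports every finding regardless of depth, and for the indirect ones lists the direct dependency a developer would actually bump, since Frogbot will not touch the transitive package. The root coordinates, the vulnerable versions, the impact-path shape and the finding ids are assumptions; only the spring-webmvc fix version 5.2.20.RELEASE comes from the issue.

```python
"""Classify vulnerable Maven components as direct or indirect from impact paths."""

ROOT = "com.example:demo-app:1.0.0"  # constructed root artifact of the scanned project

# Constructed findings in an Xray-like shape (assumption: each impact path is a list
# of "group:artifact:version" strings starting at ROOT and ending at the vulnerable component).
FINDINGS = [
    {
        "id": "XRAY-PLACEHOLDER-1",
        "component": "org.springframework:spring-webmvc:5.2.19.RELEASE",
        "fixed_versions": ["5.2.20.RELEASE"],
        "impact_paths": [
            [ROOT, "org.springframework.boot:spring-boot-starter-web:2.3.12.RELEASE",
             "org.springframework:spring-webmvc:5.2.19.RELEASE"],
        ],
    },
    {
        "id": "XRAY-PLACEHOLDER-2",
        "component": "com.example:directlib:1.4.0",
        "fixed_versions": ["1.4.1"],
        # Declared directly AND pulled in transitively: a direct bump fixes both paths.
        "impact_paths": [
            [ROOT, "com.example:directlib:1.4.0"],
            [ROOT, "com.example:helper:2.0.0", "com.example:directlib:1.4.0"],
        ],
    },
]


def classify(finding):
    """'direct' if any impact path reaches the component straight from ROOT, else 'indirect'."""
    for path in finding["impact_paths"]:
        if len(path) == 2 and path[0] == ROOT and path[1] == finding["component"]:
            return "direct"
    return "indirect"


def parents_to_bump(finding):
    """Direct dependencies through which an indirect vulnerable component is pulled in."""
    return sorted({path[1] for path in finding["impact_paths"] if len(path) > 2})


def report(findings):
    """Group all findings by directness; indirect ones carry the direct parents to upgrade."""
    out = {"direct": [], "indirect": []}
    for f in findings:
        entry = {"id": f["id"], "component": f["component"], "fixed_versions": f["fixed_versions"]}
        kind = classify(f)
        if kind == "indirect":
            entry["via"] = parents_to_bump(f)
        out[kind].append(entry)
    return out
```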