jfrog / jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
https://www.jfrog.com/confluence/display/CLI/JFrog+CLI
Apache License 2.0

jf docker scan --watches => --watches parameter is ignored in jf > 2.11.0 #1476

Closed ngrande closed 2 years ago

ngrande commented 2 years ago

Describe the bug
When running jf docker scan with the parameter --watches, the parameter is ignored and all violations are displayed. I tested versions 2.13.0 and 2.11.0 -> 2.11.0 is working as documented here https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Xray but 2.13.0 seems to ignore the parameter completely. It tells me:

The full scan results are available here: /tmp/jfrog.cli.temp.-1647246858-2901573539
Note: no context was provided, so no policy could be determined to scan against.
You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
Below are all vulnerabilities detected.

and then I get a list of all vulnerabilities instead of the level specified in my watch (policies).

To Reproduce
Compare version 2.13.0 with 2.11.0 scanning a docker image with the parameter --watches.

Expected behavior
Expected to only list vulnerabilities higher than the level specified in the watch policy.

Screenshots: (two attached images)

Versions

Additional context
None

sverdlov93 commented 2 years ago

Hi @ngrande, thanks for reporting this issue. Our apologies for the inconvenience caused by this. The above issue was already fixed by https://github.com/jfrog/jfrog-cli-core/pull/351 and will be released soon. I will update this thread once the next release is out.

ngrande commented 2 years ago

@sverdlov93 Great, thank you!

Also: version 2.13.0 is missing the parameters (when using docker scan) --url, --user, --access-token and --password, so it only works with the context file. Is that also already fixed, or shall I open a new issue?

sverdlov93 commented 2 years ago

Hi @ngrande, one of our current main goals is to make the JFrog CLI build tool commands (jf docker/npm/go/etc...) as similar as possible to the original build tool commands they wrap. As part of that agenda, we removed some flags, including the flags you referred to. It is possible to use jf config add, and work with a default config or multiple configs with the --server-id flag.
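As an added example (not code from the jfrog-cli project or from anyone in this thread): a CI wrapper that combines the --server-id workaround above with a check for the fallback banner quoted in the bug report, so a pipeline fails closed instead of silently scanning with no policy applied. The server id my-xray, the watch name prod-watch and the image name are placeholders; the sample outputs are constructed.

```shell
#!/usr/bin/env sh
# Added example, not part of jfrog-cli. Guards a CI gate against the failure
# mode in this issue: the CLI accepting --watches but then scanning with no
# policy context, which makes the gate meaningless rather than failing it.

# Return 0 when the scan output shows a watch/policy context was applied,
# 1 when it contains the "no context was provided" banner from the report.
scan_output_is_gated() {
    # $1: captured stdout+stderr of `jf docker scan ... --watches ...`
    if printf '%s\n' "$1" | grep -q 'no context was provided'; then
        return 1
    fi
    return 0
}

# Run the scan against a named server config (created beforehand with
# `jf config add`, as suggested above) and refuse to pass CI if the watch
# was silently ignored. Assumed placeholder names: my-xray, prod-watch.
run_gated_scan() {
    image="$1"; server_id="${2:-my-xray}"; watch="${3:-prod-watch}"
    out=$(jf docker scan "$image" --server-id "$server_id" --watches "$watch" 2>&1)
    rc=$?
    printf '%s\n' "$out"
    if ! scan_output_is_gated "$out"; then
        echo "ERROR: --watches '$watch' was not applied; failing closed." >&2
        return 2
    fi
    return "$rc"
}

# Constructed sample: the fallback banner as quoted in the bug report.
SAMPLE_FALLBACK='The full scan results are available here: /tmp/jfrog.cli.temp.-1647246858-2901573539
Note: no context was provided, so no policy could be determined to scan against.
Below are all vulnerabilities detected.'

# Constructed sample: a run where the watch context was honoured (no banner).
SAMPLE_GATED='The full scan results are available here: /tmp/jfrog.cli.temp.-1647246858-2901573539
No violations found for the selected watch.'
```

Invoke as `run_gated_scan myorg/app:1.2.3 my-xray prod-watch` from the pipeline step; exit status 2 marks the "flag ignored" case separately from a real policy violation.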

sverdlov93 commented 2 years ago

Hi @ngrande, JFrog CLI 2.14.0 is released and should fix the above issue. Looking forward to your feedback on it.