Frogbot is unable to scan multiple branches or repositories #842

Open
donCappo opened this issue Mar 19, 2025 · 0 comments
Labels: bug (Something isn't working)

Describe the bug

Hello, I'm running into a weird problem. I'm trying to set up Frogbot against Bitbucket Server with a configuration that a) scans multiple branches in a repo, b) scans multiple repositories (https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration).
In both cases I'm failing miserably :D

Execution ends up with the error below. Tested multiple times with different settings, and it always fails on reading a non-existent pom. So I'm doing something wrong or something is broken :) I did test multiple branches against GitHub with the same result.

```
15:06:18 [Error] the following errors occurred while fixing vulnerabilities in /tmp/jfrog.cli.temp.-1742310357-1209650679:
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
```

There is also a bug when sending the event update to XSC with version 2.25.0. On 2.24.1 it is fine.

```
15:06:18 [Debug] Sending HTTP PUT request to: ****/xray/api/v1/xsc/event
15:06:18 [Debug] failed updating general event in XSC service for multi_scan_id 7f58c943-040a-11f0-a2a9-aaf52590310f, error: server response: 400 Bad Request "
```

Setting JF_SKIP_AUTOFIX=FALSE helps, but then it doesn't create a PR, obviously :-) The scan finishes with results in Xray.
Setting JF_ALLOW_PARTIAL_RESULTS=TRUE also helps, as it doesn't exit incorrectly.
I tried multiple scenarios where I started from a clean state, i.e. no existing PR, or with existing PRs created before.
With a single repo and a single branch the scan works fine. It seems that the scans are done properly with multiple repositories, but then it tries to read a pom.xml that was deleted in the process, thus failing the job.

Current behavior

This is the output while running a scan on multiple branches with a single repo from Jenkins.

./frogbot scan-repository
15:04:42 [Info] Frogbot version: 2.25.0
15:04:42 [Debug] Sending HTTP GET request to: ****/xray/api/v1/system/version
15:04:42 [Debug] Xray version: 3.111.15
15:04:42 [Debug] Sending HTTP GET request to: ****/xray/api/v1/xsc/system/version
15:04:42 [Debug] XSC version: 3.999.999
15:04:42 [Debug] Reading config from file system. Looking for .frogbot/frogbot-config.yml
15:04:42 [Debug] frogbot-config.yml wasn't found in /home/jenkins/agent/workspace/jfscr/.frogbot/frogbot-config.yml. Searching for it in upstream directories
15:04:42 [Debug] Attempting to download frogbot-config.yml from NOIB/vulnado
15:04:42 [Debug] JF_GIT_BASE_BRANCH is missing. Assuming that the frogbot-config.yml file exists on default branch
15:04:42 [Info] Successfully downloaded frogbot-config.yml file from <NOIB/vulnado/>
15:04:42 [Debug] The content of frogbot-config.yml that will be used is:

# The "params" section includes the configuration of a single Git repository that needs to be scanned.
# For Azure Repos, Bitbucket Server and GitHub with JFrog Pipelines or Jenkins, you can define multiple "params" sections one after the other, for scanning multiple
# Git repositories in the same organization.
- params:
    # Git parameters
    git:
      # [Mandatory]
      # Name of the git repository to scan
      repoName: vulnado

      # [Mandatory]
      # List of branches to scan
      branches:
        - vuln
        - master
      aggregateFixes: true

    scan:
      includeAllVulnerabilities: false
    jfrogPlatform:
      jfrogProjectKey: "noi"

15:04:42 [Debug] Configuration Profile usage is disabled. All configurations will be derived from environment variables and files.
To enable a Configuration Profile, please set JF_USE_CONFIG_PROFILE to TRUE
15:04:42 [Debug] Sending HTTP HEAD request to: 'https://github.com/jfrog/frogbot'
15:04:42 [Debug] Locking config file to run config AddOrEdit command.
15:04:42 [Debug] Creating lock in: /tmp/jfrog.cli.temp.-1742310282-3445408177/locks/config
15:04:42 [Debug] config file is released.
15:04:42 [Debug] Releasing lock: /tmp/jfrog.cli.temp.-1742310282-3445408177/locks/config/jfrog-cli.conf.lck.74.1742310282970686105
15:04:42 [Debug] Artifactory Call Home: Sending info...
15:04:42 [Info] Running Frogbot "scan-repository" command
15:04:42 [Debug] Sending HTTP GET request to: ****/xray/api/v1/system/version
15:04:42 [Debug] Sending HTTP POST request to: ****/artifactory/api/system/usage
15:04:42 [Debug] JFrog Xray version is: 3.111.15
15:04:42 [Debug] Sending HTTP POST request to: ****/xray/api/v1/usage/events/send
15:04:43 [Info] Getting resources (git repository: xxxxxxx:7990/scm/noib/vulnado.git, project: noi) active watches...
15:04:43 [Debug] Sending HTTP GET request to: ****/xray/api/v1/xsc/watches/resource?git_repository=xxxxxxx:7990/scm/noib/vulnado.git&project=noi
15:04:43 [Debug] Xray response (status 200 OK): {"project_watches":["watch-xxxxxxx","watch-xxxxxxx2"]}
15:04:43 [Info] Found 2 active watches
15:04:43 [Debug] Setting timeout for go-git to 120 seconds ...
15:04:43 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1742310283-295567115
15:04:43 [Debug] Running git clone http://xxxxxxx:7990/scm/noib/vulnado.git (vuln branch)...
15:04:44 [Debug] Project cloned from http://xxxxxxx:7990/scm/noib/vulnado.git to /tmp/jfrog.cli.temp.-1742310283-295567115
15:04:44 [Debug] Sending HTTP POST request to: ****/xray/api/v1/xsc/event
15:04:46 [Debug] Sending HTTP GET request to: ****/xray/api/v1/entitlements/feature/contextual_analysis
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/HEAD' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/config' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/index' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/objects' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/objects/info' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/objects/pack' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/objects/pack/pack-abdc1e424a5d7389cd2dd090627933a55ab5eeeb.idx' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/objects/pack/pack-abdc1e424a5d7389cd2dd090627933a55ab5eeeb.pack' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/refs' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/refs/heads' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/refs/heads/vuln' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/refs/remotes' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/refs/remotes/origin' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/refs/remotes/origin/vuln' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/refs/tags' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.git/shallow' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/.gitignore' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/src/test' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/src/test/java' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/src/test/java/com' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/src/test/java/com/scalesec' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/src/test/java/com/scalesec/vulnado' is excluded
15:04:46 [Debug] The path '/tmp/jfrog.cli.temp.-1742310283-295567115/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java' is excluded
15:04:46 [Debug] mapped 1 working directories with indicators/descriptors:
{
"/tmp/jfrog.cli.temp.-1742310283-295567115": [
"/tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml"
]
}
15:04:46 [Debug] Detected 1 technologies at /tmp/jfrog.cli.temp.-1742310283-295567115: [maven].
15:04:46 [Info] Performing scans on 1 targets:
[
{
"target": "/tmp/jfrog.cli.temp.-1742310283-295567115",
"technology": "maven"
}
]
15:04:46 [Info] Not entitled for JAS, skipping advance security scans...
15:04:46 [Info] Calculating Maven dependencies...
15:05:11 [Debug] Created 'Maven' dependency tree with 0 nodes. Elapsed time: 25.3 seconds.
15:05:11 [Debug] Unique dependencies list:
{
"gav://ch.qos.logback:logback-classic:1.2.3": {
"classifier": null,
"types": [
"jar"
],
"children": null
},
...
...
...
"gav://org.yaml:snakeyaml:1.23": {
"classifier": null,
"types": [
"jar"
],
"children": null
}
}
15:05:11 [Info] [Thread 0] Running SCA scan for /tmp/jfrog.cli.temp.-1742310283-295567115 vulnerable dependencies in /tmp/jfrog.cli.temp.-1742310283-295567115 directory...
15:05:11 [Info] Scanning 63 maven dependencies...
15:05:11 [Debug] Sending HTTP POST request to: ****/xray/api/v1/xsc/sca/scan/graph?project=noi&multi_scan_id=538434fa-040a-11f0-a2a9-aaf52590310f&tech=maven&scan_type=dependency&git_repo=xxxxxxx:7990/scm/noib/vulnado.git
15:05:11 [Info] Waiting for scan to complete on JFrog Xray...
15:05:11 [Debug] Sending HTTP GET request to: ****/xray/api/v1/xsc/sca/scan/graph/9d91cb5d-2a61-4f1e-7476-bd2c3234d582
15:05:11 [Debug] Get Dependencies Scan results... (Attempt 1)
15:05:16 [Debug] Sending HTTP GET request to: ****/xray/api/v1/xsc/sca/scan/graph/9d91cb5d-2a61-4f1e-7476-bd2c3234d582
15:05:16 [Debug] Get Dependencies Scan results... (Attempt 2)
15:05:21 [Debug] Sending HTTP GET request to: ****/xray/api/v1/xsc/sca/scan/graph/9d91cb5d-2a61-4f1e-7476-bd2c3234d582
15:05:22 [Info] Finished 'Maven' dependency tree scan. Found 230 sca violations
15:05:22 [Info] Xray scan completed
15:05:22 [Debug] Frogbot will attempt to resolve the following vulnerable dependencies:
org.postgresql:postgresql,
org.yaml:snakeyaml,
org.springframework:spring-web,
ch.qos.logback:logback-core,
org.springframework.boot:spring-boot-autoconfigure,
org.springframework.boot:spring-boot,
org.apache.tomcat.embed:tomcat-embed-websocket,
com.fasterxml.jackson.core:jackson-databind,
org.apache.tomcat.embed:tomcat-embed-core,
ch.qos.logback:logback-classic,
org.hibernate.validator:hibernate-validator,
org.springframework:spring-expression,
net.minidev:json-smart,
org.springframework:spring-webmvc,
org.springframework.boot:spring-boot-starter-web,
org.jsoup:jsoup
15:05:22 [Debug] Found pull request from source branch frogbot-update-Maven-dependencies-vuln
15:05:22 [Info] -----------------------------------------------------------------
15:05:22 [Info] Starting aggregated dependencies fix
15:05:22 [Debug] Creating branch frogbot-update-Maven-dependencies-vuln ...
15:05:28 [Debug] org.springframework:spring-webmvc is an indirect dependency that will not be updated to version 6.1.14.
Fixing indirect dependencies can potentially cause conflicts with other dependencies that depend on the previous version.
Frogbot skips this to avoid potential incompatibilities and breaking changes.
15:05:28 [Debug] org.springframework.boot:spring-boot-starter-web is an indirect dependency that will not be updated to version 2.5.12.
Fixing indirect dependencies can potentially cause conflicts with other dependencies that depend on the previous version.
Frogbot skips this to avoid potential incompatibilities and breaking changes.
15:05:28 [Debug] Running 'mvn -U -B org.codehaus.mojo:versions-maven-plugin:use-dep-version -Dincludes=org.jsoup:jsoup -DdepVersion=1.15.3 -DgenerateBackupPoms=false -DprocessDependencies=true -DprocessDependencyManagement=false'
15:05:47 [Info] Updated dependency 'org.jsoup:jsoup' to version '1.15.3'
15:05:47 [Debug] Running 'mvn -U -B org.codehaus.mojo:versions-maven-plugin:use-dep-version -Dincludes=org.postgresql:postgresql -DdepVersion=42.3.3 -DgenerateBackupPoms=false -DprocessDependencies=true -DprocessDependencyManagement=false'
15:05:57 [Info] Updated dependency 'org.postgresql:postgresql' to version '42.3.3'
15:05:57 [Debug] org.yaml:snakeyaml is an indirect dependency that will not be updated to version 2.0.
Fixing indirect dependencies can potentially cause conflicts with other dependencies that depend on the previous version.
Frogbot skips this to avoid potential incompatibilities and breaking changes.
15:05:57 [Info] Aggregated pull request already exists, verifying if update is needed...
15:05:57 [Debug] Comparing current scan results to existing vuln scan results
15:05:57 [Debug] Running git checkout to branch: vuln
15:05:57 [Info] The existing pull request is in sync with the latest scan, and no further updates are required.
15:05:57 [Debug] Sending HTTP PUT request to: ****/xray/api/v1/xsc/event
15:05:57 [Debug] failed updating general event in XSC service for multi_scan_id 538434fa-040a-11f0-a2a9-aaf52590310f, error: server response: 400 Bad Request "
15:05:57 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-1742310357-1209650679
15:05:57 [Debug] Running git clone http://xxxxxxx:7990/scm/noib/vulnado.git (master branch)...
15:05:58 [Debug] Project cloned from http://xxxxxxx:7990/scm/noib/vulnado.git to /tmp/jfrog.cli.temp.-1742310357-1209650679
15:05:58 [Debug] Sending HTTP POST request to: ****/xray/api/v1/xsc/event
15:05:58 [Debug] Sending HTTP GET request to: ****/xray/api/v1/entitlements/feature/contextual_analysis
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/HEAD' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/config' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/index' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/objects' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/objects/info' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/objects/pack' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/objects/pack/pack-eb8c9000cece3670cb6b6fd241458bca15773e44.idx' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/objects/pack/pack-eb8c9000cece3670cb6b6fd241458bca15773e44.pack' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/refs' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/refs/heads' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/refs/heads/master' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/refs/remotes' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/refs/remotes/origin' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/refs/remotes/origin/master' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/refs/tags' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.git/shallow' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/.gitignore' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/src/test' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/src/test/java' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/src/test/java/com' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/src/test/java/com/scalesec' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/src/test/java/com/scalesec/vulnado' is excluded
15:05:58 [Debug] The path '/tmp/jfrog.cli.temp.-1742310357-1209650679/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java' is excluded
15:05:58 [Debug] mapped 1 working directories with indicators/descriptors:
{
"/tmp/jfrog.cli.temp.-1742310357-1209650679": [
"/tmp/jfrog.cli.temp.-1742310357-1209650679/pom.xml"
]
}
15:05:58 [Debug] Detected 1 technologies at /tmp/jfrog.cli.temp.-1742310357-1209650679: [maven].
15:05:58 [Info] Performing scans on 1 targets:
[
{
"target": "/tmp/jfrog.cli.temp.-1742310357-1209650679",
"technology": "maven"
}
]
15:05:58 [Info] Not entitled for JAS, skipping advance security scans...
15:05:58 [Info] Calculating Maven dependencies...
15:06:12 [Debug] Created 'Maven' dependency tree with 0 nodes. Elapsed time: 14.5 seconds.
15:06:12 [Debug] Unique dependencies list:
{
"gav://ch.qos.logback:logback-classic:1.2.3": {
"classifier": null,
"types": [
"jar"
],
"children": null
},
...
...
...
"gav://org.yaml:snakeyaml:1.23": {
"classifier": null,
"types": [
"jar"
],
"children": null
}
}
15:06:12 [Info] [Thread 0] Running SCA scan for /tmp/jfrog.cli.temp.-1742310357-1209650679 vulnerable dependencies in /tmp/jfrog.cli.temp.-1742310357-1209650679 directory...
15:06:12 [Info] Scanning 64 maven dependencies...
15:06:12 [Debug] Sending HTTP POST request to: ****/xray/api/v1/xsc/sca/scan/graph?project=noi&multi_scan_id=7f58c943-040a-11f0-a2a9-aaf52590310f&tech=maven&scan_type=dependency&git_repo=xxxxxxx:7990/scm/noib/vulnado.git
15:06:13 [Info] Waiting for scan to complete on JFrog Xray...
15:06:13 [Debug] Sending HTTP GET request to: ****/xray/api/v1/xsc/sca/scan/graph/2fe92606-1843-48d9-4029-23f959f2810f
15:06:13 [Debug] Get Dependencies Scan results... (Attempt 1)
15:06:18 [Debug] Sending HTTP GET request to: ****/xray/api/v1/xsc/sca/scan/graph/2fe92606-1843-48d9-4029-23f959f2810f
15:06:18 [Info] Finished 'Maven' dependency tree scan. Found 224 sca violations
15:06:18 [Info] Xray scan completed
15:06:18 [Debug] Frogbot will attempt to resolve the following vulnerable dependencies:
org.apache.tomcat.embed:tomcat-embed-core,
org.postgresql:postgresql,
org.jsoup:jsoup,
org.springframework:spring-expression,
com.fasterxml.jackson.core:jackson-databind,
org.springframework.boot:spring-boot-starter-web,
org.springframework:spring-webmvc,
org.hibernate.validator:hibernate-validator,
org.springframework:spring-web,
net.minidev:json-smart,
ch.qos.logback:logback-core,
org.springframework.boot:spring-boot-autoconfigure,
org.springframework.boot:spring-boot,
org.yaml:snakeyaml,
ch.qos.logback:logback-classic,
org.apache.tomcat.embed:tomcat-embed-websocket
15:06:18 [Debug] No pull request found from source branch frogbot-update-Maven-dependencies-master
15:06:18 [Info] -----------------------------------------------------------------
15:06:18 [Info] Starting aggregated dependencies fix
15:06:18 [Debug] Creating branch frogbot-update-Maven-dependencies-master ...
15:06:18 [Info] There were no changes to commit after fixing vulnerabilities.
Note: Frogbot currently cannot address certain vulnerabilities in some package managers, which may result in the absence of changes
15:06:18 [Debug] Running git checkout to branch: master
15:06:18 [Info] The existing pull request is in sync with the latest scan, and no further updates are required.
15:06:18 [Debug] Sending HTTP PUT request to: ****/xray/api/v1/xsc/event
15:06:18 [Debug] failed updating general event in XSC service for multi_scan_id 7f58c943-040a-11f0-a2a9-aaf52590310f, error: server response: 400 Bad Request "
15:06:18 [Debug] Sending an error report to JFrog analytics...
15:06:18 [Debug] Sending HTTP POST request to: ****/xray/api/v1/xsc/event/logMessage
15:06:18 [Error] the following errors occurred while fixing vulnerabilities in /tmp/jfrog.cli.temp.-1742310357-1209650679:
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
couldn't read pom.xml file: open /tmp/jfrog.cli.temp.-1742310283-295567115/pom.xml: no such file or directory
ERROR: script returned exit code 1
Finished: FAILURE

This is a scan running on multiple repositories with version 2.24.1, run locally from a Mac.

JF_GIT_BASE_BRANCH=master ./frogbot_2.41.1 scan-multiple-repositories
08:51:08 [🔵Info] Frogbot version: 2.24.1
08:51:08 [Debug] Sending HTTP GET request to: https://artifactory.xxxxxxx/xray/api/v1/system/version
08:51:08 [Debug] Xray version: 3.111.15
08:51:08 [Debug] Sending HTTP GET request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/system/version
08:51:09 [Debug] XSC version: 3.999.999
08:51:09 [Debug] Reading config from file system. Looking for .frogbot/frogbot-config.yml
08:51:09 [Debug] frogbot-config.yml wasn't found in /Volumes/work-xxxxxxx/kb/.frogbot/frogbot-config.yml. Searching for it in upstream directories
08:51:09 [Debug] Attempting to download frogbot-config.yml from NOIB/vulnado
08:51:09 [Debug] The frogbot-config.yml will be downloaded from master branch
08:51:09 [🔵Info] Successfully downloaded frogbot-config.yml file from <NOIB/vulnado/master>
08:51:09 [Debug] The content of frogbot-config.yml that will be used is:

# The "params" section includes the configuration of a single Git repository that needs to be scanned.
# For Azure Repos, Bitbucket Server and GitHub with JFrog Pipelines or Jenkins, you can define multiple "params" sections one after the other, for scanning multiple
# Git repositories in the same organization.
- params:
    git:
      repoName: vulnerable-spring-boot-application
      branches:
        - master
      aggregateFixes: true
    jfrogPlatform:
      watches:
        - "watch-xxxxxxx"

- params:
    # Git parameters
    git:
      # [Mandatory]
      # Name of the git repository to scan
      repoName: vulnado

      # [Mandatory]
      # List of branches to scan
      branches:
        - master
        - vuln
      aggregateFixes: true

08:51:09 [Debug] Configuration Profile usage is disabled. All configurations will be derived from environment variables and files.
To enable a Configuration Profile, please set JF_USE_CONFIG_PROFILE to TRUE
08:51:09 [Debug] Locking config file to run config AddOrEdit command.
08:51:09 [Debug] Creating lock in: /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370669-4091318190/locks/config
08:51:09 [Debug] Sending HTTP HEAD request to: 'https://github.com/jfrog/frogbot'
08:51:09 [Debug] config file is released.
08:51:09 [Debug] Releasing lock: /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370669-4091318190/locks/config/jfrog-cli.conf.lck.97100.1742370669613199000
08:51:09 [Debug] Artifactory Call Home: Sending info...
08:51:09 [🔵Info] Running Frogbot "scan-multiple-repositories" command
08:51:09 [Debug] Sending HTTP GET request to: https://artifactory.xxxxxxx/xray/api/v1/system/version
08:51:09 [Debug] Sending HTTP POST request to: https://artifactory.xxxxxxx/artifactory/api/system/usage
08:51:09 [Debug] JFrog Xray version is: 3.111.15
08:51:09 [Debug] Sending HTTP POST request to: https://artifactory.xxxxxxx/xray/api/v1/usage/events/send
08:51:10 [🔵Info] Getting resources (git repository: xxxxxxx/scm/noib/vulnerable-spring-boot-application.git) active watches...
08:51:10 [Debug] Sending HTTP GET request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/watches/resource?git_repository=xxxxxxx/scm/noib/vulnerable-spring-boot-application.git
08:51:10 [Debug] Xray response (status 200 OK): {}
08:51:10 [🔵Info] Found 0 active watches
08:51:10 [Debug] Setting timeout for go-git to 120 seconds ...
08:51:10 [Debug] Created temp working directory: /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047
08:51:10 [Debug] Running git clone http://xxxxxxx/scm/noib/vulnerable-spring-boot-application.git (master branch)...
08:51:13 [Debug] Project cloned from http://xxxxxxx/scm/noib/vulnerable-spring-boot-application.git to /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047
08:51:13 [Debug] Sending HTTP POST request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/event
08:51:14 [Debug] Sending HTTP GET request to: https://artifactory.xxxxxxx/xray/api/v1/entitlements/feature/contextual_analysis
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/HEAD' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/config' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/index' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/objects' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/objects/info' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/objects/pack' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/objects/pack/pack-ffdf06d75f8a9dacf0e3e1041b1dcafe978d0812.idx' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/objects/pack/pack-ffdf06d75f8a9dacf0e3e1041b1dcafe978d0812.pack' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/refs' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/refs/heads' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/refs/heads/master' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/refs/remotes' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/refs/remotes/origin' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/refs/remotes/origin/master' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/refs/tags' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.git/shallow' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/.gitignore' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/src/test' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/src/test/java' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/src/test/java/com' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/src/test/java/com/contrastsecurity' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/src/test/java/com/contrastsecurity/demo' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/src/test/java/com/contrastsecurity/demo/providersearch' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/src/test/java/com/contrastsecurity/demo/providersearch/ProviderControllerTest.java' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/src/test/java/com/contrastsecurity/demo/providersearch/ProviderSearchApplicationTests.java' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/src/test/resources' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/src/test/resources/application.properties' is excluded
08:51:14 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/testfile' is excluded
08:51:14 [Debug] mapped 1 working directories with indicators/descriptors:
{
"/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047": [
"/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml"
]
}
08:51:14 [Debug] Detected 1 technologies at /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047: [maven].
08:51:14 [🔵Info] Performing scans on 1 targets:
[
{
"target": "/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047",
"technology": "maven"
}
]
08:51:14 [🔵Info] Not entitled for JAS, skipping advance security scans...
08:51:14 [🔵Info] Calculating Maven dependencies...
08:51:16 [Debug] Created 'Maven' dependency tree with 0 nodes. Elapsed time: 2.6 seconds.
08:51:16 [Debug] Unique dependencies list:
{
"gav://antlr:antlr:2.7.7": {
"classifier": null,
"types": [
"jar"
],
"children": null
},
...
...
...
"gav://org.yaml:snakeyaml:1.19": {
"classifier": null,
"types": [
"jar"
],
"children": null
}
}
08:51:16 [🔵Info] [Thread 0] Running SCA scan for /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047 vulnerable dependencies in /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047 directory...
08:51:16 [🔵Info] Scanning 83 maven dependencies...
08:51:16 [Debug] Sending HTTP POST request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/sca/scan/graph?watch=watch-xxxxxxx&multi_scan_id=ee83d26f-0496-11f0-a2a9-aaf52590310f&tech=maven&scan_type=dependency&git_repo=xxxxxxx/scm/noib/vulnerable-spring-boot-application.git
08:51:17 [🔵Info] Waiting for scan to complete on JFrog Xray...
08:51:17 [Debug] Sending HTTP GET request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/sca/scan/graph/834d766c-f506-4705-53d0-e7d1b2e87f40
08:51:17 [Debug] Get Dependencies Scan results... (Attempt 1)
08:51:22 [Debug] Sending HTTP GET request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/sca/scan/graph/834d766c-f506-4705-53d0-e7d1b2e87f40
08:51:23 [🔵Info] Finished 'Maven' dependency tree scan. Found 130 sca violations
08:51:23 [🔵Info] Xray scan completed
08:51:23 [Debug] Frogbot will attempt to resolve the following vulnerable dependencies:
org.apache.tomcat.embed:tomcat-embed-websocket,
org.hibernate.validator:hibernate-validator,
com.fasterxml.jackson.datatype:jackson-datatype-jsr310,
com.fasterxml.jackson.core:jackson-databind,
org.yaml:snakeyaml,
com.h2database:h2,
org.springframework:spring-core,
net.minidev:json-smart,
ch.qos.logback:logback-classic,
org.springframework:spring-webmvc,
org.springframework.boot:spring-boot-starter-web,
org.thymeleaf:thymeleaf-spring5,
org.springframework:spring-web,
org.apache.tomcat.embed:tomcat-embed-core,
ch.qos.logback:logback-core,
org.springframework.boot:spring-boot-autoconfigure,
org.springframework.boot:spring-boot,
org.hibernate:hibernate-core,
org.springframework:spring-expression
08:51:23 [Debug] Found pull request from source branch frogbot-update-Maven-dependencies-master
08:51:23 [🔵Info] -----------------------------------------------------------------
08:51:23 [🔵Info] Starting aggregated dependencies fix
08:51:23 [Debug] Creating branch frogbot-update-Maven-dependencies-master ...
08:51:24 [Debug] org.hibernate:hibernate-core is an indirect dependency that will not be updated to version 5.3.20.Final.
Fixing indirect dependencies can potentially cause conflicts with other dependencies that depend on the previous version.
08:51:24 [Debug] Running 'mvn -U -B org.codehaus.mojo:versions-maven-plugin:use-dep-version -Dincludes=com.h2database:h2 -DdepVersion=2.1.210 -DgenerateBackupPoms=false -DprocessDependencies=true -DprocessDependencyManagement=false'
08:51:26 [🔵Info] Updated dependency 'com.h2database:h2' to version '2.1.210'
08:51:26 [Debug] org.springframework:spring-core is an indirect dependency that will not be updated to version 5.0.10.RELEASE.
Fixing indirect dependencies can potentially cause conflicts with other dependencies that depend on the previous version.
08:51:26 [🔵Info] Aggregated pull request already exists, verifying if update is needed...
08:51:26 [Debug] Comparing current scan results to existing master scan results
08:51:26 [Debug] Running git checkout to branch: master
08:51:26 [🔵Info] The existing pull request is in sync with the latest scan, and no further updates are required.
08:51:26 [Debug] Sending HTTP PUT request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/event
08:51:26 [Debug] Command event:
{{0 completed 129 0 false 12.27574525s } ee83d26f-0496-11f0-a2a9-aaf52590310f }
08:51:26 [🔵Info] Getting resources (git repository: xxxxxxx/scm/noib/vulnado.git) active watches...
08:51:26 [Debug] Sending HTTP GET request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/watches/resource?git_repository=xxxxxxx/scm/noib/vulnado.git
08:51:26 [Debug] Xray response (status 200 OK): {}
08:51:26 [🔵Info] Found 0 active watches
08:51:26 [Debug] Setting timeout for go-git to 120 seconds ...
08:51:27 [Debug] Created temp working directory: /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430
08:51:27 [Debug] Running git clone http://xxxxxxx/scm/noib/vulnado.git (master branch)...
08:51:28 [Debug] Project cloned from http://xxxxxxx/scm/noib/vulnado.git to /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430
08:51:28 [Debug] Sending HTTP POST request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/event
08:51:28 [Debug] Sending HTTP GET request to: https://artifactory.xxxxxxx/xray/api/v1/entitlements/feature/contextual_analysis
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/HEAD' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/config' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/index' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/objects' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/objects/info' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/objects/pack' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/objects/pack/pack-2c69b736a9a5dbefe6990b1a456f8a3e77541ca2.idx' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/objects/pack/pack-2c69b736a9a5dbefe6990b1a456f8a3e77541ca2.pack' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/refs' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/refs/heads' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/refs/heads/master' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/refs/remotes' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/refs/remotes/origin' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/refs/remotes/origin/master' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/refs/tags' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.git/shallow' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/.gitignore' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/src/test' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/src/test/java' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/src/test/java/com' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/src/test/java/com/scalesec' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/src/test/java/com/scalesec/vulnado' is excluded
08:51:28 [Debug] The path '/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java' is excluded
08:51:28 [Debug] mapped 1 working directories with indicators/descriptors:
{
"/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430": [
"/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430/pom.xml"
]
}
08:51:28 [Debug] Detected 1 technologies at /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430: [maven].
08:51:28 [🔵Info] Performing scans on 1 targets:
[
{
"target": "/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430",
"technology": "maven"
}
]
08:51:28 [🔵Info] Not entitled for JAS, skipping advance security scans...
08:51:28 [🔵Info] Calculating Maven dependencies...
08:51:30 [Debug] Created 'Maven' dependency tree with 0 nodes. Elapsed time: 2.0 seconds.
08:51:30 [Debug] Unique dependencies list:
{
"gav://ch.qos.logback:logback-classic:1.2.3": {
"classifier": null,
"types": [
"jar"
],
"children": null
...
...
...
"gav://org.yaml:snakeyaml:1.23": {
"classifier": null,
"types": [
"jar"
],
"children": null
}
}
08:51:30 [🔵Info] [Thread 0] Running SCA scan for /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430 vulnerable dependencies in /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430 directory...
08:51:30 [🔵Info] Scanning 64 maven dependencies...
08:51:30 [Debug] Sending HTTP POST request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/sca/scan/graph?watch=watch-xxxxxxx&multi_scan_id=f7346dc3-0496-11f0-a2a9-aaf52590310f&tech=maven&scan_type=dependency&git_repo=xxxxxxx/scm/noib/vulnado.git
08:51:31 [🔵Info] Waiting for scan to complete on JFrog Xray...
08:51:31 [Debug] Sending HTTP GET request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/sca/scan/graph/fba52692-bb04-4fa9-5a0e-69d4b8e97f62
08:51:31 [Debug] Get Dependencies Scan results... (Attempt 1)
08:51:36 [Debug] Sending HTTP GET request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/sca/scan/graph/fba52692-bb04-4fa9-5a0e-69d4b8e97f62
08:51:38 [🔵Info] Finished 'Maven' dependency tree scan. Found 109 sca violations
08:51:38 [🔵Info] Xray scan completed
08:51:38 [Debug] Frogbot will attempt to resolve the following vulnerable dependencies:
org.apache.tomcat.embed:tomcat-embed-core,
org.springframework:spring-webmvc,
org.yaml:snakeyaml,
ch.qos.logback:logback-core,
com.fasterxml.jackson.core:jackson-databind,
org.apache.tomcat.embed:tomcat-embed-websocket,
ch.qos.logback:logback-classic,
org.springframework.boot:spring-boot-autoconfigure,
org.hibernate.validator:hibernate-validator,
org.springframework.boot:spring-boot-starter-web,
org.springframework:spring-web,
net.minidev:json-smart,
org.springframework.boot:spring-boot,
org.springframework:spring-expression
08:51:38 [Debug] No pull request found from source branch frogbot-update-Maven-dependencies-master
08:51:38 [🔵Info] -----------------------------------------------------------------
08:51:38 [🔵Info] Starting aggregated dependencies fix
08:51:38 [Debug] Creating branch frogbot-update-Maven-dependencies-master ...
08:51:38 [🔵Info] There were no changes to commit after fixing vulnerabilities.
Note: Frogbot currently cannot address certain vulnerabilities in some package managers, which may result in the absence of changes
08:51:38 [Debug] Running git checkout to branch: master
08:51:38 [🔵Info] The existing pull request is in sync with the latest scan, and no further updates are required.
08:51:38 [Debug] Sending HTTP PUT request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/event
08:51:38 [Debug] Command event:
{{0 failed 0 0 false 9.471369417s } f7346dc3-0496-11f0-a2a9-aaf52590310f }
08:51:38 [Debug] Sending an error report to JFrog analytics...
08:51:38 [Debug] Sending HTTP POST request to: https://artifactory.xxxxxxx/xray/api/v1/xsc/event/logMessage
08:51:38 [🚨Error] the following errors occurred while fixing vulnerabilities in /var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370687-1579163430:
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory
couldn't read pom.xml file: open /private/var/folders/3q/31jz283n71z2wzt3c36ydn780000gp/T/jfrog.cli.temp.-1742370670-4032630047/pom.xml: no such file or directory

Reproduction steps

create a config with multiple repositories or multiple branches like

```yaml
- params:
    # Git parameters
    git:
      # [Mandatory]
      # Name of the git repository to scan
      repoName: vulnado

      # [Mandatory]
      # List of branches to scan
      branches:
        - master
        - vuln
      aggregateFixes: true
```

Expected behavior

it doesn't crash at the end :)

JFrog Frogbot version

2.25.0,2.24.1

Package manager info

pom.xml

Git provider

Bitbucket Server

JFrog Frogbot configuration yaml file

```yaml
- params:
    # Git parameters
    git:
      # [Mandatory]
      # Name of the git repository to scan
      repoName: vulnado

      # [Mandatory]
      # List of branches to scan
      branches:
        - master
        - vuln
      aggregateFixes: true
```

or

```yaml
- params:
    git:
      repoName: vulnerable-spring-boot-application
      branches:
        - master
      aggregateFixes: true
    jfrogPlatform:
      watches:
        - "watch-xxxxxxx"

- params:
    # Git parameters
    git:
      # [Mandatory]
      # Name of the git repository to scan
      repoName: vulnado

      # [Mandatory]
      # List of branches to scan
      branches:
        - master
        - vuln
      aggregateFixes: true
```

Operating system type and version

Jenkins agent debian bookworm

JFrog Xray version

3.111.15

@donCappo donCappo added the bug Something isn't working label Mar 19, 2025