
frogbot-scan-pr with on "pull_request" instead of "pull_request_target" does not find frogbot-config.yml #374

Closed
philipp-rauch-se opened this issue Jun 30, 2023 · 14 comments · Fixed by #378
Labels
bug Something isn't working

Comments

@philipp-rauch-se

philipp-rauch-se commented Jun 30, 2023

Describe the bug

We are executing frogbot-scan-pr with on "pull_request" instead of "pull_request_target" in our private repos using a reusable workflow.
When using "pull_request" it does not find frogbot-config.yml and therefore scan does not work.
When using "pull_request_target" it finds frogbot-config.yml and therefore scan works.

Current behavior

22:57:08 [Info] Frogbot version: 2.9.0
22:57:08 [Debug] Downloading frogbot-config.yml from target xxx / xxx
22:57:08 [Debug] the frogbot-config.yml will be downloaded from the xxx branch
22:57:08 [Debug] the .frogbot/frogbot-config.yml file wasn't recognized in the xxx repository owned by xxx

Reproduction steps

change on "pull_request_target" to "pull_request" in frogbot-scan-pr.yml and run scan on PR

Expected behavior

frogbot should find frogbot-config.yml and work properly with on "pull_request" too

JFrog Frogbot version

2.9.0

Package manager info

does not matter; package.json

Git provider

GitHub

JFrog Frogbot configuration yaml file

No response

Operating system type and version

Linux

JFrog Xray version

3.52.4

@philipp-rauch-se philipp-rauch-se added the bug Something isn't working label Jun 30, 2023
@EyalDelarea
Contributor

Hello @philipp-rauch-se ,

Thank you for bringing this bug to our attention. We appreciate your usage of Frogbot.

Regarding the expected behavior, our intended approach is to search for the config file in the target branch. If it is not found there, the fallback option is to search in the source branch.
I will link the pull request fixing this issue once it's open so you will be able to track its progress.

Thank you for helping us improve Frogbot!

Best regards,
Eyal Delarea

@EyalDelarea EyalDelarea linked a pull request Jul 6, 2023 that will close this issue
@EyalDelarea
Contributor

Hi @philipp-rauch-se,

I wanted to inform you that a new version has been released, addressing the issue you encountered. We would greatly appreciate your feedback on whether the latest version resolved your problem.

@philipp-rauch-se
Author

Hi @EyalDelarea, works like a charm. Thanks for the quick fix 👍

@eyalbe4 eyalbe4 closed this as completed Jul 11, 2023
@AdityaHitachi

We are also facing the same issue. Currently, pull_request is not finding the configuration file in the source repository. It only takes the file if the event type is pull_request_target and the configuration file is in the target repository.

@eyalbe4
Contributor

eyalbe4 commented Dec 7, 2023

@AdityaHitachi,
Are you using the latest Frogbot version?

@AdityaHitachi

> @AdityaHitachi, Are you using the latest Frogbot version?

   - name: FrogBot
     uses: jfrog/frogbot@v2.19.4

@AdityaHitachi

> @AdityaHitachi, Are you using the latest Frogbot version?

Currently, I have a configuration file in the source branch within the .frogbot/frogbot-config.yml folder at the root of the project, as shown below. My project consists of approximately 15 submodules, but I want to run a scan on only two specific modules. Therefore, I have specified only those two module names in the config file. I am running the scan using the event type pull_request. However, Frogbot is not picking up that file; instead, it is directly running the scan on the entire project.

- params:
    git:
      branches:
      - testing-patch1
      repoName: my-test-project
    scan:
      projects:
      - workingDirs:
        - ./submodule1
        - ./submodule2

I am running scan using event type pull_request

@eyalbe4
Contributor

eyalbe4 commented Dec 7, 2023

Thanks @AdityaHitachi.
Is your `frogbot-config.yml` file already pushed to the pull request's target branch when the scan is triggered?

@AdityaHitachi

No, I have a configuration file in the source repository. Frogbot should pick up that file from the source repository instead of the target. In our case, the target branch is a protected one, as is often the case in many projects, making it impractical to push the file with different work directories each time.

Now I am a bit confused about Frogbot's behavior.
Case 1: Can you please tell me how the configuration file works with pull_request target or pull_request? Does the configuration file only work with pull_request_target?
Case 2: If I have the event type set to pull_request and I have a configuration file in the source repository, will Frogbot pick up that file?
Case 3: How can I pass my config file to JFrog from the source repository?

@eyalbe4
Contributor

eyalbe4 commented Dec 7, 2023

@AdityaHitachi,
The reason why Frogbot picks up the frogbot-config.yml file only from the target is related to a security concern. The frogbot-config.yml file can also include install commands. Potentially, a malicious contributor creating a pull request can manipulate this command to do harm.
What is the reason why you're looking to modify the scanned directory structure for different pull requests? The idea behind the frogbot-config.yml file was that it remains relatively constant over time. If your target branches are protected, and you occasionally wish to modify the frogbot-config.yml, you can always create a pull request to modify the frogbot-config.yml file.
Let me know what you think.
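The branch-selection logic Eyal describes earlier in the thread (look in the target branch first, fall back to the source branch) and the reason eyalbe4 gives here for dropping the fallback (the config can carry install commands, and the head branch of a pull request from a fork is attacker-controlled input) can be modelled in a few lines. The Go program below is an added example, not Frogbot's code: the `Lookup` type, `ResolveConfig`, and the `installCommand:` key it scans for are this example's own assumptions, and the embedded config is constructed from the snippet posted above. It implements a fail-closed variant of the fallback: the source-branch config is accepted only when it declares nothing the scanner would execute.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// sampleConfig is constructed from the frogbot-config.yml posted in this
// thread. It names working directories only and declares no commands.
const sampleConfig = `- params:
    git:
      branches:
      - testing-patch1
      repoName: my-test-project
    scan:
      projects:
      - workingDirs:
        - ./submodule1
        - ./submodule2
`

// Lookup describes what the scanner can see for one pull request.
// Field names are this example's own, not Frogbot's.
type Lookup struct {
	Event        string // GitHub event that triggered the workflow
	TargetConfig string // config contents on the PR's target (base) branch; "" if absent
	SourceConfig string // config contents on the PR's source (head) branch; "" if absent
}

var (
	ErrNotFound       = errors.New("frogbot-config.yml not found on target or source branch")
	ErrUntrustedExec  = errors.New("source-branch config declares install commands; refusing to run them")
	ErrUnsupportedEvt = errors.New("unsupported event")
)

// declaresCommands reports whether a config snippet contains a hypothetical
// "installCommand:" key. A line scan keeps the example free of a YAML dependency.
func declaresCommands(cfg string) bool {
	for _, line := range strings.Split(cfg, "\n") {
		if strings.HasPrefix(strings.TrimSpace(line), "installCommand:") {
			return true
		}
	}
	return false
}

// ResolveConfig returns which branch's config the scan should use ("target" or "source").
func ResolveConfig(l Lookup) (string, error) {
	switch l.Event {
	case "pull_request", "pull_request_target":
	default:
		return "", ErrUnsupportedEvt
	}
	// Trusted location first: the target branch is controlled by the repository owners.
	if l.TargetConfig != "" {
		return "target", nil
	}
	if l.SourceConfig == "" {
		return "", ErrNotFound
	}
	// The source branch may belong to a fork, so its config is untrusted input.
	// Accept it only when it declares nothing the scanner would execute.
	if declaresCommands(l.SourceConfig) {
		return "", ErrUntrustedExec
	}
	return "source", nil
}

func main() {
	cases := []Lookup{
		{Event: "pull_request_target", TargetConfig: sampleConfig},
		{Event: "pull_request", SourceConfig: sampleConfig},
		{Event: "pull_request", SourceConfig: sampleConfig + "        installCommand: npm install\n"},
		{Event: "pull_request"},
	}
	for _, c := range cases {
		branch, err := ResolveConfig(c)
		fmt.Printf("event=%s branch=%q err=%v\n", c.Event, branch, err)
	}
}
```

The third case is the one eyalbe4's comment is about: a config supplied only on the head branch that would make the scanner run a command is rejected rather than executed. Whether a string scan for one key is a sufficient definition of "nothing executable" depends on the real config schema; the point of the model is the ordering and the fail-closed default, not the key name.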

@AdityaHitachi

> @AdityaHitachi, The reason why Frogbot picks up the frogbot-config.yml file only from the target is related to a security concern. The frogbot-config.yml file can also include install commands. Potentially, a malicious contributor creating a pull request can manipulate this command to do harm. What is the reason why you're looking to modify the scanned directory structure for different pull requests? The idea behind the frogbot-config.yml file was that it remains relatively constant over time. If your target branches are protected, and you occasionally wish to modify the frogbot-config.yml, you can always create a pull request to modify the frogbot-config.yml file. Let me know what you think.

But this pull request #378 mentions that if the file is not found in the target repository, it will search for it in the source repository. It states that this bug has already been fixed.

@eyalbe4
Contributor

eyalbe4 commented Dec 7, 2023

I believe this functionality is no longer available due to the above security concern @AdityaHitachi.

@AdityaHitachi

> I believe this functionality is no longer available due to the above security concern @AdityaHitachi.

Could you please provide any proof, such as a pull request or documentation, that demonstrates that this functionality no longer exists?

@AdityaHitachi

Even though I specified version 2.10.0, is Frogbot still picking up the latest version? I'm unsure why this is happening. We want to use the specified version of Frogbot.
