
Try to update to RC (release candidate) version instead of fixed version #597

Closed
philippe-granet opened this issue Dec 4, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@philippe-granet

Describe the bug

Frogbot tries to update dependencies to release candidate (RC) versions instead of fixed versions.

Current behavior

Logs:

11:13:23 [Debug] Created 'Maven' dependency tree with 459 nodes. Elapsed time: 42.3 seconds.
11:13:23 [Debug] Unique dependencies list:
[
    "gav://commons-io:commons-io:1.3.2",
...
  ]
...
11:13:36 [Debug] Frogbot will attempt to resolve the following vulnerable dependencies:
 commons-io:commons-io,
....
11:13:41 [Debug] Attempting to fix commons-io:commons-io with 2.1-RC1
11:13:41 [Debug] Creating branch frogbot-commons-io_commons-io-17512654982787fe8c8207114ae2446c ...
11:13:42 [Debug] Running 'mvn -U -B org.codehaus.mojo:versions-maven-plugin:use-dep-version -Dincludes=commons-io:commons-io -DdepVersion=2.1-RC1 -DgenerateBackupPoms=false -DprocessDependencies=true -DprocessDependencyManagement=false'
...
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:versions-maven-plugin:2.11.0:use-dep-version (default-cli) on project prm-sm-fwk: Version 2.1-RC1 is not available for artifact commons-io:commons-io -> [Help 1]

Why use an RC version (2.1-RC1)?

Reproduction steps

No response

Expected behavior

No response

JFrog Frogbot version

2.19.4

Package manager info

Maven 3.9.6

Git provider

GitLab

JFrog Frogbot configuration yaml file

No response

Operating system type and version

Debian 12

JFrog Xray version

JFrog Xray version 3.41.4

philippe-granet added the bug label Dec 4, 2023

omerzi (Member) commented Dec 5, 2023

Hi @philippe-granet, the results for the fixed versions are based on data we obtained from Xray. I will investigate this further and provide you with more information ASAP. Thank you!

omerzi (Member) commented Dec 5, 2023

Hi @philippe-granet, it seems that the issue is not reproducible when we use our JFrog SaaS instance with Xray v3.84.4. We conducted tests using Frogbot, the CLI audit command, and the REST API to Xray, and here are the results:

{
    "component_id": "gav://commons-io:commons-io:1.3.2",
    "package_type": "maven",
    "vulnerabilities": [
        {
            "cves": [
                {
                    "cve": "CVE-2021-29425",
                    "cvss_v2_score": "5.8",
                    "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N",
                    "cvss_v3_score": "4.8",
                    "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                }
            ],
            "summary": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.",
            "severity": "Medium",
            "components": {
                "gav://commons-io:commons-io:1.3.2": {
                    "package_name": "commons-io:commons-io",
                    "package_version": "1.3.2",
                    "package_type": "maven",
                    "fixed_versions": [
                        "[2.7]"
                    ],
                    "infected_versions": [
                        "(,2.7)"
                    ],
                    "impact_paths": [
                        [
                            {
                                "component_id": "gav://commons-io:commons-io:1.3.2"
                            }
                        ]
                    ]
                }
            },
            "issue_id": "XRAY-172728",
            "is_high_profile": false,
            "provider": "JFrog",
            "edited": "0001-01-01T00:00:00Z",
            "applicability": null
        }
    ],
    "scan_id": "89eea845-94ae-4442-42e3-5a878dc0ef17",
    "status": "completed",
    "top_vuln_severity": "Medium",
    "progress_percentage": 100
}

I suggest, if possible, upgrading your Xray to a newer version and also verifying that your database is synced. I hope these steps will resolve your issue. Please let me know how it goes and if any further assistance is required.
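As an added example (not Frogbot's or Xray's own code), the check below reads the `fixed_versions` field from a scan result shaped like the response above, picks the lowest fixed version, and refuses to hand a pre-release qualifier such as the `2.1-RC1` seen in the log to `-DdepVersion`; the trimmed JSON sample and the list of pre-release qualifiers are constructed for this example.

```python
"""Sanity-check the fix version an updater would apply from an Xray scan result."""
import json
import re

# Constructed sample in the shape of the Xray scan response shown in the thread.
XRAY_RESPONSE = json.dumps({
    "component_id": "gav://commons-io:commons-io:1.3.2",
    "vulnerabilities": [{
        "cves": [{"cve": "CVE-2021-29425"}],
        "components": {
            "gav://commons-io:commons-io:1.3.2": {
                "package_name": "commons-io:commons-io",
                "fixed_versions": ["[2.7]"],
                "infected_versions": ["(,2.7)"],
            }
        },
    }],
})

# Maven pre-release qualifiers (assumed list) that must never be chosen as a "fix".
PRERELEASE = re.compile(r"(?i)(^|[.-])(rc\d*|alpha|beta|m\d+|snapshot)([.-]|$)")


def parse_range(spec):
    """Parse Xray/Maven range notation: '[2.7]' -> ('2.7', '2.7'), '[2.7,)' -> ('2.7', None)."""
    parts = [p.strip() or None for p in spec.strip()[1:-1].split(",")]
    return (parts[0], parts[0]) if len(parts) == 1 else (parts[0], parts[1])


def version_key(version):
    """Numeric sort key; non-numeric segments (qualifiers) sort as 0."""
    return tuple(int(x) if x.isdigit() else 0 for x in re.split(r"[.-]", version))


def lowest_fixed_version(fixed_versions):
    """Lowest inclusive lower bound among the fixed_versions ranges, or None."""
    lows = [lo for lo, _ in map(parse_range, fixed_versions) if lo]
    return min(lows, key=version_key) if lows else None


def is_prerelease(version):
    return PRERELEASE.search(version) is not None


def choose_fix(xray_json, package_name):
    """Return (version to pass to -DdepVersion, reason); version is None when refused."""
    for vuln in json.loads(xray_json)["vulnerabilities"]:
        for comp in vuln["components"].values():
            if comp["package_name"] != package_name:
                continue
            fix = lowest_fixed_version(comp["fixed_versions"])
            if fix is None:
                return None, "no fixed version published"
            if is_prerelease(fix):
                return None, f"refusing pre-release fix {fix}"
            return fix, "fix for " + ", ".join(c["cve"] for c in vuln["cves"])
    return None, "package not in scan result"
```

The refusal branch is the check a reviewer would want in front of the `versions-maven-plugin:use-dep-version` call from the log, so that a bad upstream record fails closed instead of opening a branch with an unreleased version.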

eranturgeman (Contributor) commented

Hello @philippe-granet,
We hope @omerzi helped resolve your issue. Since we didn't get any response from you in a while, we assume this issue was resolved with newer versions of Xray or Frogbot.
If not, please feel free to reopen this issue or open a new GitHub issue so we can assist you further.
