Frogbot generates a dependency graph and forwards it to Xray to determine whether there's a dependency linked to a vulnerable version. When Frogbot identifies a direct dependency that can be resolved by adjusting its version to a non-vulnerable one, it initiates a pull request containing the necessary modifications.
Upon reviewing our vulnerabilities database, I've found that both ch.qos.logback:logback-classic and ch.qos.logback:logback-core fall within the vulnerable version ranges (,1.3.12) and [1.4.0,1.4.12). These entries have been present in our database since Nov 29, 23:59. Do you happen to have one of these dependencies with a vulnerable version as a direct dependency in your pom.xml?
Thank you.
Hi, thanks for the quick reply and for explaining the process!
We are using logback version 1.4.12 in two repos, which is unaffected by the CVEs above. I was mistaken in my assumption that Frogbot would also create a pull request, in the sense of updating this minor version to the most recent patch version after a vulnerability has been found in "surrounding" versions.
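To make the version-range reasoning in the maintainer's reply concrete, here is an added example (my own code, not Frogbot's or Xray's): it parses the Maven-style interval notation quoted above, such as (,1.3.12) and [1.4.0,1.4.12), reports whether a declared direct-dependency version falls inside any range, and derives the version a fix PR would bump to as the exclusive upper bound of the matching range. The range strings and the versions tested are constructed from this thread; the "first version past the range is the fix" rule and the purely numeric dotted-version comparison are simplifying assumptions of this example, not a description of how Frogbot selects fixes. Run as written, it reports 1.4.12 as outside both ranges, which matches the outcome described in the follow-up.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Range is one Maven-style version interval as quoted from the Xray
// database above, e.g. "(,1.3.12)" or "[1.4.0,1.4.12)".
// An empty bound means unbounded on that side.
type Range struct {
	Lower, Upper         string
	LowerIncl, UpperIncl bool
}

// ParseRange parses "[a,b)" style notation into a Range.
func ParseRange(s string) (Range, error) {
	s = strings.TrimSpace(s)
	if len(s) < 3 {
		return Range{}, fmt.Errorf("range too short: %q", s)
	}
	lo, hi := s[0], s[len(s)-1]
	if (lo != '[' && lo != '(') || (hi != ']' && hi != ')') {
		return Range{}, fmt.Errorf("bad brackets in %q", s)
	}
	parts := strings.Split(s[1:len(s)-1], ",")
	if len(parts) != 2 {
		return Range{}, fmt.Errorf("expected exactly one comma in %q", s)
	}
	return Range{
		Lower:     strings.TrimSpace(parts[0]),
		Upper:     strings.TrimSpace(parts[1]),
		LowerIncl: lo == '[',
		UpperIncl: hi == ']',
	}, nil
}

// CompareVersions compares dotted numeric versions ("1.4.12" vs "1.4.9").
// Missing components count as zero, so "1.4" == "1.4.0". Qualifiers such
// as "-SNAPSHOT" are deliberately out of scope for this example (assumption).
func CompareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	n := len(as)
	if len(bs) > n {
		n = len(bs)
	}
	for i := 0; i < n; i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Contains reports whether v lies inside the interval, honouring the
// inclusive/exclusive bracket on each side.
func (r Range) Contains(v string) bool {
	if r.Lower != "" {
		c := CompareVersions(v, r.Lower)
		if c < 0 || (c == 0 && !r.LowerIncl) {
			return false
		}
	}
	if r.Upper != "" {
		c := CompareVersions(v, r.Upper)
		if c > 0 || (c == 0 && !r.UpperIncl) {
			return false
		}
	}
	return true
}

// IsVulnerable reports whether v falls inside any advisory range.
func IsVulnerable(v string, ranges []Range) bool {
	for _, r := range ranges {
		if r.Contains(v) {
			return true
		}
	}
	return false
}

// SuggestFix returns the version a fix PR would move a vulnerable direct
// dependency to: the exclusive upper bound of the range containing v, i.e.
// the first non-vulnerable version on that release line. It returns "" when
// v is not vulnerable or the bound is inclusive/unbounded, because then the
// fix cannot be read off the range alone (simplifying assumption).
func SuggestFix(v string, ranges []Range) string {
	for _, r := range ranges {
		if r.Contains(v) && r.Upper != "" && !r.UpperIncl {
			return r.Upper
		}
	}
	return ""
}

func main() {
	// Ranges constructed from the maintainer's reply; versions are sample input.
	var ranges []Range
	for _, s := range []string{"(,1.3.12)", "[1.4.0,1.4.12)"} {
		r, err := ParseRange(s)
		if err != nil {
			panic(err)
		}
		ranges = append(ranges, r)
	}
	for _, v := range []string{"1.2.11", "1.4.11", "1.4.12", "1.3.14"} {
		if IsVulnerable(v, ranges) {
			fmt.Printf("logback-classic %s: vulnerable, a fix PR would bump to %s\n", v, SuggestFix(v, ranges))
		} else {
			fmt.Printf("logback-classic %s: not in any vulnerable range, no PR\n", v)
		}
	}
}
```

Note the gap between the two ranges: under these database entries 1.3.12 and 1.3.14 are treated as clean, exactly like 1.4.12, so a repository already on the upper bound of a range gets no PR even though newer patch releases exist.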
Hi,
there has been a Logback CVE recently which also has a fix version since 01.12.2023: https://logback.qos.ch/news.html#1.3.14
Can you explain how Frogbot looks for fix versions and what kind of delay is expected until Frogbot creates PRs in our repos?
How does Frogbot decide when to create a PR in our repos and when not? In my example, there has been a fix version available since 01.12.2023 and we do not see a PR in our "affected" repos yet.
We use Frogbot version 2.19.4 and JFrog Artifactory Enterprise Plus 7.71.4 rev 77104900, in case that matters.
References for the CVEs:
https://nvd.nist.gov/vuln/detail/CVE-2023-6378
GHSA-gm62-rw4g-vrc4
https://nvd.nist.gov/vuln/detail/CVE-2023-6481
https://mailman.qos.ch/pipermail/announce/2023/000188.html