How does frogbot decide when to create a pull request? #598

Closed
juv opened this issue Dec 5, 2023 · 2 comments
Labels
question Further information is requested

Comments

@juv

juv commented Dec 5, 2023

Hi,

there has been a Logback CVE recently which also has a fix version since 01.12.2023: https://logback.qos.ch/news.html#1.3.14

Can you explain how Frogbot looks for fix versions and what kind of delay is expected until Frogbot creates PRs in our repos?
How does Frogbot decide when to create a PR in our repos and when not? In my example, there has been a fix version available since 01.12.2023 and we do not see a PR in our "affected" repos yet.

We use Frogbot version 2.19.4 and Jfrog Artifactory Enterprise Plus 7.71.4 rev 77104900 in case that matters.

References for the CVEs:
https://nvd.nist.gov/vuln/detail/CVE-2023-6378
GHSA-gm62-rw4g-vrc4
https://nvd.nist.gov/vuln/detail/CVE-2023-6481
https://mailman.qos.ch/pipermail/announce/2023/000188.html

@juv juv added the question Further information is requested label Dec 5, 2023
@omerzi
Member

omerzi commented Dec 5, 2023

Hello @juv, thank you for using Frogbot.

Frogbot generates a dependency graph and forwards it to Xray to determine whether there's a dependency linked to a vulnerable version. When Frogbot identifies a direct dependency that can be resolved by adjusting its version to a non-vulnerable one, it initiates a pull request containing the necessary modifications.

Upon reviewing our vulnerabilities database, I've found that both ch.qos.logback:logback-classic and ch.qos.logback:logback-core dependencies fall within the versions between (,1.3.12) and [1.4.0,1.4.12), which are vulnerable. These entries have been present in our database since Nov 29, 23:59. Do you happen to have one of these dependencies with a vulnerable version as a direct dependency in your pom.xml?

Thank you.
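The rule in the answer above (direct dependency, version inside a vulnerable range, a non-vulnerable version to move to) can be checked locally before waiting on a scan. The script below is an added example written for this page, not Frogbot's or Xray's code: it parses the Maven interval notation quoted above ("(,1.3.12)" and "[1.4.0,1.4.12)"), reads only the direct `<dependencies>` of a constructed pom.xml, and proposes the exclusive upper bound of the matching range as the fix version. Assumptions: plain numeric versions only (Maven's qualifier ordering for -SNAPSHOT/.RC1 is not reproduced), the sample pom and the `CVE-2023-6378` label on the advisory entries are constructed from the issue's own references, and property-based or transitive versions are deliberately skipped rather than resolved.

```python
"""Decide, for the direct dependencies in a pom.xml, whether a Frogbot-style scan
would open a fix pull request (example code for this discussion, not Frogbot's)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Plain numeric versions only; Maven qualifiers (-SNAPSHOT, .RC1) are out of scope here.
NUMERIC = re.compile(r"^\d+(\.\d+)*$")
POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def version_key(v: str) -> tuple[int, ...]:
    """Segment tuple for ordering; trailing zeros are dropped so that 1.4 == 1.4.0."""
    if not NUMERIC.match(v):
        raise ValueError(f"unsupported version {v!r}")
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Range:
    """One Maven interval such as "(,1.3.12)" or "[1.4.0,1.4.12)": '[' and ']' are
    inclusive, '(' and ')' exclusive, and an empty bound means unbounded."""
    lower: str | None
    upper: str | None
    lower_inc: bool
    upper_inc: bool

    @classmethod
    def parse(cls, text: str) -> "Range":
        m = re.fullmatch(r"([\[(])\s*([^,]*?)\s*,\s*([^,]*?)\s*([\])])", text.strip())
        if not m:
            raise ValueError(f"unsupported range {text!r}")
        lo, hi = m.group(2) or None, m.group(3) or None
        for bound in (lo, hi):
            if bound is not None:
                version_key(bound)  # validates the bound is a plain numeric version
        return cls(lo, hi, m.group(1) == "[", m.group(4) == "]")

    def contains(self, v: str) -> bool:
        k = version_key(v)
        if self.lower is not None:
            lk = version_key(self.lower)
            if k < lk or (k == lk and not self.lower_inc):
                return False
        if self.upper is not None:
            uk = version_key(self.upper)
            if k > uk or (k == uk and not self.upper_inc):
                return False
        return True


def propose_fix(version: str, ranges: tuple[Range, ...]) -> tuple[bool, str | None]:
    """Return (vulnerable, fix). The fix is the exclusive upper bound of the range that
    contains `version`; none is proposed when that bound is missing, inclusive, or itself
    inside another range: no PR is better than a PR to a still-vulnerable version."""
    for r in ranges:
        if not r.contains(version):
            continue
        if r.upper is None or r.upper_inc or any(o.contains(r.upper) for o in ranges):
            return True, None
        return True, r.upper
    return False, None


@dataclass(frozen=True)
class Advisory:
    id: str
    coords: str  # groupId:artifactId
    ranges: tuple[Range, ...]


def direct_dependencies(pom_xml: str) -> list[tuple[str, str]]:
    """(coords, version) for <project><dependencies><dependency> entries only. Transitive
    dependencies, <dependencyManagement> and ${property} versions are not resolved here;
    a real scanner builds the full graph first, as Frogbot does before calling Xray."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith(POM_NS) else ""
    deps = []
    for dep in root.findall(f"{ns}dependencies/{ns}dependency"):
        g, a, v = (dep.findtext(f"{ns}{tag}", "") for tag in ("groupId", "artifactId", "version"))
        if NUMERIC.match(v):  # skips "", ${property} placeholders and qualified versions
            deps.append((f"{g}:{a}", v))
    return deps


def evaluate(pom_xml: str, advisories: list[Advisory]) -> list[dict]:
    """A PR is warranted only for a direct dependency whose version is vulnerable and
    which has a non-vulnerable version to move to; otherwise the finding carries no fix."""
    findings = []
    for coords, version in direct_dependencies(pom_xml):
        for adv in advisories:
            if adv.coords != coords:
                continue
            vulnerable, fix = propose_fix(version, adv.ranges)
            if vulnerable:
                findings.append({"coords": coords, "current": version, "advisory": adv.id,
                                 "fix": fix, "opens_pr": fix is not None})
    return findings


# The two ranges quoted in the comment above, for both artifacts. Labelling them with the
# CVE the reporter linked is an assumption; the database entry itself is not shown.
LOGBACK_RANGES = (Range.parse("(,1.3.12)"), Range.parse("[1.4.0,1.4.12)"))
LOGBACK_ADVISORIES = [
    Advisory("CVE-2023-6378", "ch.qos.logback:logback-classic", LOGBACK_RANGES),
    Advisory("CVE-2023-6378", "ch.qos.logback:logback-core", LOGBACK_RANGES),
]

# Constructed pom.xml: logback-classic already at 1.4.12 (the reporter's situation),
# logback-core one patch release behind, and an unrelated artifact.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId><version>1.4.12</version></dependency>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-core</artifactId><version>1.4.11</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>2.0.9</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_POM, LOGBACK_ADVISORIES):
        print(finding)
```

Run against the sample pom, only logback-core 1.4.11 produces a finding (fix 1.4.12); logback-classic at 1.4.12 sits on the exclusive upper bound of "[1.4.0,1.4.12)" and is therefore outside both ranges, which is exactly why no PR is raised for it. The same boundary check is what to apply before assuming a newer patch release in a later line (1.3.14, for instance) implies that every earlier version is flagged.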

@juv
Author

juv commented Dec 6, 2023

Hi, thanks for the quick reply and for explaining the process!
We are using logback version 1.4.12 in two repos, which is unaffected by the CVEs above. I was mistaken in my assumption that Frogbot would also create a pull request, in a sense to update this minor version to the most recent patch version after a vulnerability has been found in "surrounding" versions.

@juv juv closed this as completed Dec 6, 2023