jf audit fail with Gradle version 8 #1827
Comments
Hey @janardhanajl, we recently made significant improvements to the audit command using Gradle. Please upgrade your JFrog CLI version to v2.36.1 and let me know if the issue has been resolved. Thanks!
@omerzi we cannot use version 2.36.1 since it adds an additional dependency which cannot be loaded in our environment (no Internet connection) and loading through Artifactory seems not to work. But it seems that it also works with 2.36.0. Is that correct?
@schmist
@yahavi
The local Artifactory is configured in the JFrog CLI config file.
Hey @schmist, thank you for informing us of this issue.
@omerzi thanks for the hint with the
There is a problem when constructing the url for the
Hey @schmist, @janardhanajl
To use this env, simply provide a
@omerzi I've set the new Variable The scan is failing with timeouts:
The only option I see for me would be to add a configuration option to configure a self-written init.gradle to be able to configure the correct Gradle plugin repository. If I do this locally and call the init.gradle:
Result:
Is there a chance you could add an init script path config parameter to
Hi @Persi, thank you for letting us know about your issue. Could you please provide us with the debug logs for the jf audit command? To enable DEBUG logs, please set the JFROG_CLI_LOG_LEVEL environment variable to DEBUG. Could you also provide us with the value you have set for the JFROG_CLI_RELEASES_REPO environment variable? It would be helpful if you could also provide some more details about your configuration.
Hi @omerzi, thanks for your fast feedback! I've played a bit to get around our download timeout mentioned above. This is my current setup: jf cli config:
gradle.yaml for jf cli in the relevant project:
Debug log of the audit call:
Our Nexus proxy repository is accessible via anonymous but jf cli seems to enforce credentials. If I do not provide a gradle.yaml in the project I run into the download timeout because of our internet proxy. Which I cannot configure either. With basic gradle init scripts it works, so for me the easiest way would be to provide my own init.gradle and tell jf cli via gradlec to use it instead of generating a new one on each run.
Hi @Persi, thank you for providing the detailed information. I have a question regarding the functionality of your init script. Will it work correctly if you configure your repository in the following manner:
Thanks.
Hi @omerzi, your init script looks more or less exactly the same as mine:
and both scripts work as expected. But if I run jf scan locally or in our ci pipelines, I get this error with the above mentioned gradle.yaml:
Describe the bug
Issue description:
jf audit does not work with Gradle 8. You need to change how the dependencies are collected if no specific publishing is defined. Resolving the archives configuration is no longer allowed with Gradle 8:
Current behavior
Observing the below error:
Reproduction steps
Expected behavior
jf audit --gradle should work as expected and display the vulnerability result.
JFrog CLI version
2.34.1
Operating system type and version
Ubuntu 22.04, 18.04, macOS
JFrog Artifactory version
No response
JFrog Xray version
No response