frogbot icon indicating copy to clipboard operation
frogbot copied to clipboard

Published 20 hours ago verified publisher icon jfrog

Cannot scan yarn projects

Open lorsatti opened this issue 1 year ago • 5 comments

Describe the bug I can't scan yarn projects

To Reproduce Given the Jenkins pipeline:

pipeline {
    agent {
        docker {
            image 'node:16'
        }
    }

    parameters {
        string name: 'project', trim: true, description: 'Bitbucket project'
        string name: 'repo', trim:true, description: 'Bitbucket repository'
        string name: 'deps_cmd', trim:true, description: 'The command that installs the project dependencies'
        booleanParam name: 'all_vulns', description: 'Displays all existing vulnerabilities'
    }

    environment {
        JF_ACCESS_TOKEN=credentials("JF_ACCESS_TOKEN_XRAY")
        JF_GIT_API_ENDPOINT="https://bitbucket.redacted.org/rest"
        JF_GIT_PROVIDER="bitbucketServer"
        JF_GIT_TOKEN=credentials("JF_GIT_TOKEN")
        JF_URL=credentials("JF_URL")
    }

   stages {
        stage('Download Frogbot') {
            steps {
                sh """curl -fLg "https://releases.jfrog.io/artifactory/frogbot/v2/2.1.3/getFrogbot.sh" | sh"""
            }
        }

        stage ('Scan Pull Requests') {
            steps {
                withEnv(["JF_INSTALL_DEPS_CMD=$params.deps_cmd", 
                         "JF_GIT_OWNER=$params.project", 
                         "JF_GIT_REPO=$params.repo",
                         "JF_INCLUDE_ALL_VULNERABILITIES=$params.all_vulns"]) {
                    sh "./frogbot scan-pull-requests"
                }
            }
        }
    }
}

parameter JF_INSTALL_DEPS_CMD is yarn install

Getting this error output:

+ ./frogbot scan-pull-requests
13:06:43 [Info] Running Frogbot "scan-pull-requests" command 
13:06:45 [Info] Auditing /tmp/jfrog.cli.temp.-1658322404-2045215346
13:06:45 [Info] Executing 'yarn' [install] at  /tmp/jfrog.cli.temp.-1658322404-2045215346
13:09:11 [Info] Detected: Yarn.
panic: runtime error: slice bounds out of range [1:0]

goroutine 1 [running]:
github.com/jfrog/build-info-go/build/utils.(*YarnDependency).Name(...)
	/root/go/pkg/mod/github.com/jfrog/[email protected]/build/utils/yarn.go:183
github.com/jfrog/jfrog-cli-core/v2/xray/audit/yarn.getXrayDependencyId(0x0)
	/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/audit/yarn/yarn.go:67 +0xb5
github.com/jfrog/jfrog-cli-core/v2/xray/audit/yarn.parseYarnDependenciesMap(0xc00003c150, 0x100b0b8)
	/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/audit/yarn/yarn.go:54 +0x10c
github.com/jfrog/jfrog-cli-core/v2/xray/audit/yarn.buildYarnDependencyTree()
	/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/audit/yarn/yarn.go:46 +0xf7
github.com/jfrog/jfrog-cli-core/v2/xray/audit/yarn.AuditYarn({{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0xe8412e, 0xa}, 0x0, ...}, ...)
	/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/audit/yarn/yarn.go:18 +0x33
github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/generic.GenericAudit({{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0xe8412e, 0xa}, 0x0, ...}, ...)
	/root/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/xray/commands/audit/generic/auditmanager.go:42 +0x3a5
github.com/jfrog/frogbot/commands.runInstallAndAudit({{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0xe8412e, 0xa}, 0x0, ...}, ...)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequest.go:178 +0x1db
github.com/jfrog/frogbot/commands.auditSource({{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0xe8412e, 0xa}, 0x0, ...}, ...)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequest.go:122 +0x192
github.com/jfrog/frogbot/commands.scanPullRequest(0xc0004a3558, {0x101d2a0, 0xc00029a6c0})
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequest.go:38 +0xec
github.com/jfrog/frogbot/commands.downloadAndScanPullRequest({0x30, {{0xc0000d3780, 0x36}, {0xc0002dae44, 0x9}}, {{0xc0002daf50, 0xf}, {0xc0002daf94, 0x9}}}, 0xc0000d4800, ...)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequests.go:130 +0x3ed
github.com/jfrog/frogbot/commands.scanAllPullRequests(0xc0000d4800, {0x101d2a0, 0xc00029a6c0})
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequests.go:37 +0x297
github.com/jfrog/frogbot/commands.ScanAllPullRequestsCmd.Run(...)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/scanpullrequests.go:17
github.com/jfrog/frogbot/commands.Exec({0xff55c0, 0x1716828}, {0xe9c913, 0xc000280880})
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/commands.go:28 +0x1d5
github.com/jfrog/frogbot/commands.GetCommands.func3(0xc0002e6360)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/commands/commands.go:62 +0x32
github.com/urfave/cli/v2.(*Command).Run(0xc0002e6360, 0xc0002807c0)
	/root/go/pkg/mod/github.com/urfave/cli/[email protected]/command.go:169 +0x6be
github.com/urfave/cli/v2.(*App).RunContext(0xc000133380, {0x1006f10, 0xc0000c4000}, {0xc0000b4000, 0x2, 0x2})
	/root/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:341 +0x89c
github.com/urfave/cli/v2.(*App).Run(...)
	/root/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:247
main.ExecMain()
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/main.go:27 +0x158
main.main()
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/954228/steps/Release/7407400/dependencyState/resources/frogbotGit/main.go:16 +0x1e

Other projects (golang, java) can be scanned normally (with their specific docker agent).

Expected behavior yarn projects can be scanned.

Versions

  • Frogbot version: 2.1.3
  • Operating system: linux
  • JFrog Artifactory version: 7.37.14
  • JFrog Xray version (version 3.29.0 or above is required): 3.52.4

lorsatti avatar Jul 20 '22 13:07 lorsatti

@lorsatti Thanks for the report! To investigate this, could you please mention the Yarn version you use?

asafgabai avatar Jul 20 '22 15:07 asafgabai

@asafgabai Hi! Yarn is 1.22.19. This is the one contained in the node docker image.

lorsatti avatar Jul 21 '22 10:07 lorsatti

@lorsatti Oh I'm sorry, I was a little confused. We actually don't support Yarn in Frogbot at all right now. We intend to add support in Yarn in the future.

asafgabai avatar Jul 21 '22 11:07 asafgabai

@asafgabai Hi, I have the same issue. Do you know when it will be solved?

urbaned121 avatar Sep 22 '22 13:09 urbaned121

@urbaned121 We're working hard on improving Frogbot and have a long list of features and improvements which we're gradually introducing. Support of Yarn 1 is one of them. We're planning to introduce Yarn 1 support in the future.

asafgabai avatar Nov 06 '22 14:11 asafgabai