frogbot
Try to update to RC (release candidate) version instead of fixed version
Describe the bug
Frogbot tries to update dependencies to release candidate (RC) versions instead of fixed versions
Current behavior
Logs:
11:13:23 [Debug] Created 'Maven' dependency tree with 459 nodes. Elapsed time: 42.3 seconds.
11:13:23 [Debug] Unique dependencies list:
[
"gav://commons-io:commons-io:1.3.2",
...
]
...
11:13:36 [Debug] Frogbot will attempt to resolve the following vulnerable dependencies:
commons-io:commons-io,
....
11:13:41 [Debug] Attempting to fix commons-io:commons-io with 2.1-RC1
11:13:41 [Debug] Creating branch frogbot-commons-io_commons-io-17512654982787fe8c8207114ae2446c ...
11:13:42 [Debug] Running 'mvn -U -B org.codehaus.mojo:versions-maven-plugin:use-dep-version -Dincludes=commons-io:commons-io -DdepVersion=2.1-RC1 -DgenerateBackupPoms=false -DprocessDependencies=true -DprocessDependencyManagement=false'
...
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:versions-maven-plugin:2.11.0:use-dep-version (default-cli) on project prm-sm-fwk: Version 2.1-RC1 is not available for artifact commons-io:commons-io -> [Help 1]
Why use an RC version (2.1-RC1)?
Reproduction steps
No response
Expected behavior
No response
JFrog Frogbot version
2.19.4
Package manager info
Maven 3.9.6
Git provider
GitLab
JFrog Frogbot configuration yaml file
No response
Operating system type and version
Debian 12
JFrog Xray version
JFrog Xray version 3.41.4
Hi @philippe-granet, the results for the fixed versions are based on data we obtained from Xray. I will investigate this further and provide you with more information ASAP. Thank you!
Hi @philippe-granet, it seems that the issue is not reproducible when we use our JFrog SaaS instance with Xray v3.84.4. We conducted tests using Frogbot, the CLI audit command, and the REST API to Xray, and here are the results:
{
"component_id": "gav://commons-io:commons-io:1.3.2",
"package_type": "maven",
"vulnerabilities": [
{
"cves": [
{
"cve": "CVE-2021-29425",
"cvss_v2_score": "5.8",
"cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N",
"cvss_v3_score": "4.8",
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
],
"summary": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.",
"severity": "Medium",
"components": {
"gav://commons-io:commons-io:1.3.2": {
"package_name": "commons-io:commons-io",
"package_version": "1.3.2",
"package_type": "maven",
"fixed_versions": [
"[2.7]"
],
"infected_versions": [
"(,2.7)"
],
"impact_paths": [
[
{
"component_id": "gav://commons-io:commons-io:1.3.2"
}
]
]
}
},
"issue_id": "XRAY-172728",
"references": [
"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E",
"https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E",
"https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E",
"https://security.netapp.com/advisory/ntap-20220210-0004/",
"https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E",
"https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E",
"https://www.oracle.com/security-alerts/cpuoct2021.html",
"https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E",
"https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E",
"https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E",
"https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E",
"https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E",
"https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E",
"https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E",
"https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E",
"https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E",
"https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E",
"https://issues.apache.org/jira/browse/IO-556",
"https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E",
"https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E",
"https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E",
"https://www.oracle.com/security-alerts/cpujan2022.html",
"https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E",
"https://www.oracle.com/security-alerts/cpuapr2022.html",
"https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E",
"https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E",
"https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E",
"https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html",
"https://www.oracle.com/security-alerts/cpujul2022.html"
],
"is_high_profile": false,
"provider": "JFrog",
"edited": "0001-01-01T00:00:00Z",
"applicability": null
}
],
"scan_id": "89eea845-94ae-4442-42e3-5a878dc0ef17",
"status": "completed",
"top_vuln_severity": "Medium",
"progress_percentage": 100
}
I suggest, if possible, upgrading your Xray to a newer version and also verifying that your database is synced. I hope these steps will resolve your issue. Please let me know how it goes and if any further assistance is required.
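The Xray response quoted above does not name a concrete fix version; it gives a Maven version interval (fixed_versions "[2.7]", infected_versions "(,2.7)"), and the tool consuming it must map that interval onto versions that actually exist in the repository and skip pre-release qualifiers such as RC. The Go program below is an added illustration of that selection step and is not Frogbot's own code: the interval parser, the pre-release qualifier list, the simplified Maven version ordering and the list of "available" versions are all constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// versionRange is a Maven interval such as "[2.7]", "[2.7,)", "(,2.7)" or "[2.7,3.0)".
// An empty bound means unbounded on that side.
type versionRange struct {
	low, high         string
	lowIncl, highIncl bool
}

// parseRange parses the bracket/paren interval syntax Xray uses in fixed_versions
// and infected_versions (assumption: only single-interval strings are handled here).
func parseRange(s string) (versionRange, error) {
	s = strings.TrimSpace(s)
	if len(s) < 2 {
		return versionRange{}, fmt.Errorf("range too short: %q", s)
	}
	open, close := s[0], s[len(s)-1]
	if (open != '[' && open != '(') || (close != ']' && close != ')') {
		return versionRange{}, fmt.Errorf("bad range delimiters: %q", s)
	}
	r := versionRange{lowIncl: open == '[', highIncl: close == ']'}
	parts := strings.Split(s[1:len(s)-1], ",")
	switch len(parts) {
	case 1: // "[2.7]" pins exactly one version
		r.low, r.high = strings.TrimSpace(parts[0]), strings.TrimSpace(parts[0])
	case 2:
		r.low, r.high = strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1])
	default:
		return versionRange{}, fmt.Errorf("too many bounds: %q", s)
	}
	return r, nil
}

// splitVersion separates "2.1-RC1" into numeric segments [2 1] and qualifier "RC1".
// A non-numeric dotted segment ("2.7.Final") is also treated as the qualifier.
func splitVersion(v string) (nums []int, qualifier string) {
	base := v
	if i := strings.Index(v, "-"); i >= 0 {
		base, qualifier = v[:i], v[i+1:]
	}
	for _, p := range strings.Split(base, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			qualifier = p
			break
		}
		nums = append(nums, n)
	}
	return nums, qualifier
}

// compareVersions is a simplified Maven ordering: numeric segments first (missing
// segments count as 0), then a qualified version sorts below the plain release.
func compareVersions(a, b string) int {
	an, aq := splitVersion(a)
	bn, bq := splitVersion(b)
	for i := 0; i < len(an) || i < len(bn); i++ {
		var x, y int
		if i < len(an) {
			x = an[i]
		}
		if i < len(bn) {
			y = bn[i]
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	switch {
	case aq == "" && bq != "":
		return 1
	case aq != "" && bq == "":
		return -1
	}
	return strings.Compare(aq, bq)
}

// preRelease lists qualifiers that mark a non-final build (constructed list).
var preRelease = regexp.MustCompile(`(?i)^(alpha|beta|rc|cr|m|milestone|snapshot|pre|ea)\d*$`)

func isPreRelease(v string) bool {
	_, q := splitVersion(v)
	return preRelease.MatchString(q)
}

func (r versionRange) contains(v string) bool {
	if r.low != "" {
		if c := compareVersions(v, r.low); c < 0 || (c == 0 && !r.lowIncl) {
			return false
		}
	}
	if r.high != "" {
		if c := compareVersions(v, r.high); c > 0 || (c == 0 && !r.highIncl) {
			return false
		}
	}
	return true
}

// chooseFixVersion returns the lowest available, non-pre-release version that falls
// inside one of the fixed_versions intervals; ok is false when nothing qualifies, which
// is the point to stop rather than hand the plugin a version it cannot resolve.
func chooseFixVersion(fixedVersions, available []string) (string, bool) {
	var ranges []versionRange
	for _, s := range fixedVersions {
		if r, err := parseRange(s); err == nil {
			ranges = append(ranges, r)
		}
	}
	var cands []string
	for _, v := range available {
		if isPreRelease(v) {
			continue
		}
		for _, r := range ranges {
			if r.contains(v) {
				cands = append(cands, v)
				break
			}
		}
	}
	if len(cands) == 0 {
		return "", false
	}
	sort.Slice(cands, func(i, j int) bool { return compareVersions(cands[i], cands[j]) < 0 })
	return cands[0], true
}

func main() {
	// fixed_versions as returned by Xray above; the available list is constructed.
	fixed := []string{"[2.7]"}
	available := []string{"1.3.2", "2.0.1", "2.1-RC1", "2.1", "2.7-SNAPSHOT", "2.7", "2.8.0", "2.11.0"}
	if v, ok := chooseFixVersion(fixed, available); ok {
		fmt.Println("commons-io:commons-io ->", v)
	} else {
		fmt.Println("no stable version satisfies", fixed)
	}
}
```

The pre-release filter is what distinguishes 2.1 from 2.1-RC1 once both sit inside an open-ended interval; the availability list is what would have caught the "Version 2.1-RC1 is not available" failure before versions-maven-plugin was invoked.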
Hello @philippe-granet, we hope @omerzi helped resolve your issue. Since we didn't get any response from you in a while, we assume this issue was resolved with newer versions of Xray or Frogbot. If not, please feel free to reopen this issue or open a new GitHub issue so we can assist you further.