frogbot
"Branch already exists" during scan-repository fix
- [x] All tests passed. If this feature is not already covered by the tests, I added new tests.
- [x] This pull request is on the dev branch.
- [x] I used gofmt for formatting the code before submitting the pull request.
This PR addresses a bug in the scan-repository flow. When multiple descriptor files contain at least one similar fix (package name + version), Frogbot encounters an issue when attempting to fix the second descriptor due to duplication in the 'fix' branch names. To resolve this issue, we have introduced a new field in the frogbot-config.yml file under the 'projects' section called 'projectName'. By adding this field to an entry in the 'projects' array, it enables differentiation between two similar fixes, resulting in unique branch names and titles (the unique identifier is appended to the title).
SCENARIOS:
- You receive an error indicating "a branch named XXX already exists."
- You have multiple descriptors to scan, and among them there are some with similar vulnerabilities that need fixing.
- You manually specified working directories for scanning and encounter duplicate vulnerabilities among them.
- You manually divided your scanned repository into projects, resulting in duplicate vulnerabilities.
ACTION PLAN:
- Organize your scanned repository into distinct 'projects' by creating separate entries under the 'projects' array in frogbot-config.yml (an example for splitting descriptors for a python project was added below)
- Ensure there are no duplicated packages that need to be fixed within the same project.
- Assign a unique key to each project using the 'projectName' field.
- Set 'aggregateFixes' to FALSE.
- Commit and push the updated frogbot-config.yml to your target branch.
- Re-run the scan.
IMPORTANT: As of its current architecture, Frogbot does NOT offer support for multiple descriptor files. This fix serves as a temporary "workaround" as achieving full support for this feature would necessitate significant architectural adjustments.
CAUTION: If you opt to utilize this new feature and you already have existing PRs from Frogbot, please note that new PRs will be generated without removing the old ones!
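The action plan above, written out as a complete frogbot-config.yml. This is an added illustration, not the PR author's example and not a snippet from the Frogbot repository: the repository name, branch and project paths are hypothetical, and the placement of `aggregateFixes` under the `git` block follows the Frogbot documentation as I understand it, so verify both keys against the docs for the Frogbot version you run.

```yaml
# Added example (not the PR's own snippet): a frogbot-config.yml that splits a
# repository with two Python descriptors into two named projects, so that a fix
# present in both (same package name + version) gets a unique branch name and
# PR title instead of failing with "a branch named XXX already exists".
# Paths, repo name and branch are hypothetical. aggregateFixes is assumed to
# live under 'git'; check the Frogbot docs for your version.
- params:
    git:
      repoName: my-python-monorepo        # hypothetical
      branches:
        - main
      # Must be false: aggregating would fold both projects' fixes into one
      # branch and reintroduce the duplicate-branch clash.
      aggregateFixes: false
    scan:
      projects:
        # One entry per project. Two descriptors that share a fix must not be
        # listed in the same entry, and every entry needs a distinct projectName.
        - projectName: api-service        # appended to the branch name and title
          workingDirs:
            - services/api
          pipRequirementsFile: requirements.txt
        - projectName: worker-service
          workingDirs:
            - services/worker
          pipRequirementsFile: requirements.txt
```

Commit this file on the target branch and re-run the scan. If `requests` needed the same bump in both `services/api/requirements.txt` and `services/worker/requirements.txt`, Frogbot now opens two PRs distinguished by `api-service` and `worker-service` rather than aborting on the second. Any fix PRs Frogbot opened before the split stay open and must be closed by hand.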