JFrog reports a go.mod file as being in the root when it isn't

Open lukaspj opened this issue 2 months ago • 5 comments

Describe the bug

We just tried installing frogbot and running it in our repository. It finds several go.mod files in subdirectories and reports vulnerabilities just fine. However, it then reports the vulnerability on go.mod in the root directory, where there isn't any, and subsequently fails to generate fix PRs.

Current behavior

I can't share too much of the code and logs, but I can say that this works just fine in another repository with a single go.mod file in a subdirectory, but in this repository there are multiple go.mod files in subdirectories.

Configuration:

  with:
    version: latest
  env:
    JF_URL: https://<url>/
    JF_USER: ***
    JF_PASSWORD: ***
    JF_GIT_TOKEN: ***

  14:07:19 [Info] Running SCA scan for go vulnerable dependencies in /tmp/jfrog.cli.temp.-1714399604-2368152455/.pages directory...
  14:07:19 [Info] Calculating Go dependencies...
  14:07:19 [Info] Running 'go mod graph' in /tmp/jfrog.cli.temp.-1714399604-2368152455/.pages
  14:07:19 [Info] Running 'go list -mod=mod -f {{with .Module}}{{.Path}}:{{.Version}}{{end}} all' in /tmp/jfrog.cli.temp.-1714399604-2368152455/.pages
  14:07:19 [Info] Running 'go list -mod=mod -m' in /tmp/jfrog.cli.temp.-1714399604-2368152455/.pages
  14:07:19 [Info] Scanning 2 go dependencies...
  14:07:20 [Info] Waiting for scan to complete on JFrog Xray...
  14:07:20 [Info] Running SCA scan for npm vulnerable dependencies in /tmp/jfrog.cli.temp.-1714399604-2368152455 directory...
  14:07:20 [Info] Calculating npm dependencies...
  14:07:22 [Info] Scanning 558 npm dependencies...
  14:07:22 [Info] Waiting for scan to complete on JFrog Xray...
  14:07:39 [Info] Xray scan completed
  14:07:40 [Info] The complete scanning results have been uploaded to your Code Scanning alerts view
  Error: 1 [Error] the following errors occured while fixing vulnerabilities in '/tmp/jfrog.cli.temp.-1714399604-2368152455':
  failed to update go dependency: 'go get golang.org/x/[email protected]' command failed: exit status 1
  go: go.mod file not found in current directory or any parent directory.
  	'go get' is no longer supported outside a module.
  	To build and install a command, use 'go install' with a version,
  	like 'go install example.com/cmd@latest'
  	For more information, see https://golang.org/doc/go-get-install-deprecation
  	or run 'go help get' or 'go help install'.
  Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1

Reproduction steps

No response

Expected behavior

No response

JFrog Frogbot version

2.20.2

Package manager info

Go modules

Git provider

GitHub

JFrog Frogbot configuration yaml file

No response

Operating system type and version

ubuntu-latest

JFrog Xray version

No response

lukaspj, Apr 29 '24 14:04
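The failure in the log above comes from `go get` running in a directory that has no go.mod in it or in any parent. The following Go sketch is an added example, not code from the issue or from Frogbot: it lists the module directories in a checkout and reproduces that parent-directory lookup for a given working directory. The names `moduleDirs` and `enclosingModule` are hypothetical, and the lookup is bounded at the checkout root as an assumption.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// moduleDirs returns every directory under root that contains a go.mod file.
func moduleDirs(root string) ([]string, error) {
	var dirs []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() && (d.Name() == ".git" || d.Name() == "node_modules") {
			return filepath.SkipDir // not part of the project's own modules
		}
		if !d.IsDir() && d.Name() == "go.mod" {
			dirs = append(dirs, filepath.Dir(p))
		}
		return nil
	})
	return dirs, err
}

// enclosingModule checks dir, then each parent up to root, for a go.mod.
// An empty result means 'go get' run in dir fails as in the log above.
func enclosingModule(root, dir string) string {
	root, dir = filepath.Clean(root), filepath.Clean(dir)
	for {
		if fi, err := os.Stat(filepath.Join(dir, "go.mod")); err == nil && !fi.IsDir() {
			return dir
		}
		parent := filepath.Dir(dir)
		if dir == root || parent == dir {
			return "" // reached the checkout root (or filesystem root)
		}
		dir = parent
	}
}

func main() {
	root := "." // assumption: run from the repository checkout
	dirs, err := moduleDirs(root)
	fmt.Println("module dirs:", dirs, "err:", err)
	fmt.Printf("module enclosing root: %q\n", enclosingModule(root, root))
}
```

In a layout like the one described in the issue, the second line prints an empty string for the root while the first lists the subdirectories where a dependency update can actually run.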