frogbot
frogbot copied to clipboard
JFrog reports a go.mod file as being in the root when it isn't
Describe the bug
We just tried installing frogbot and running it in our repository, it finds several go.mod files in subdirectories and reports vulnerabilities just fine.
However, it then reports the vulnerability on go.mod
in the root directory, where there isn't any, and subsequently fails to generate fix PRs:
Current behavior
I can't share too much of the code and logs, but I can say that this works just fine in another repository with a single go.mod file in a subdirectory, but in this repository there are multiple go.mod files in subdirectories.
Configuration:
with:
version: latest
env:
JF_URL: https://<url>/
JF_USER: ***
JF_PASSWORD: ***
JF_GIT_TOKEN: ***
14:07:19 [Info] Running SCA scan for go vulnerable dependencies in /tmp/jfrog.cli.temp.-1714399604-2368152455/.pages directory...
14:07:19 [Info] Calculating Go dependencies...
14:07:19 [Info] Running 'go mod graph' in /tmp/jfrog.cli.temp.-1714399[60](https://github.com/LEGO/novus-platform/actions/runs/8879975780/job/24378990209#step:3:61)4-2368152455/.pages
14:07:19 [Info] Running 'go list -mod=mod -f {{with .Module}}{{.Path}}:{{.Version}}{{end}} all' in /tmp/jfrog.cli.temp.-1714399604-2368152455/.pages
14:07:19 [Info] Running 'go list -mod=mod -m' in /tmp/jfrog.cli.temp.-1714399604-2368152455/.pages
14:07:19 [Info] Scanning 2 go dependencies...
14:07:20 [Info] Waiting for scan to complete on JFrog Xray...
14:07:20 [Info] Running SCA scan for npm vulnerable dependencies in /tmp/jfrog.cli.temp.-1714399604-2368152455 directory...
14:07:20 [Info] Calculating npm dependencies...
14:07:22 [Info] Scanning 558 npm dependencies...
14:07:22 [Info] Waiting for scan to complete on JFrog Xray...
14:07:39 [Info] Xray scan completed
14:07:40 [Info] The complete scanning results have been uploaded to your Code Scanning alerts view
Error: 1 [Error] the following errors occured while fixing vulnerabilities in '/tmp/jfrog.cli.temp.-1714399604-2368152455':
failed to update go dependency: 'go get golang.org/x/[email protected]' command failed: exit status 1
go: go.mod file not found in current directory or any parent directory.
'go get' is no longer supported outside a module.
To build and install a command, use 'go install' with a version,
like 'go install example.com/cmd@latest'
For more information, see https://golang.org/doc/go-get-install-deprecation
or run 'go help get' or 'go help install'.
Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
Reproduction steps
No response
Expected behavior
No response
JFrog Frogbot version
2.20.2
Package manager info
Go modules
Git provider
GitHub
JFrog Frogbot configuration yaml file
No response
Operating system type and version
ubuntu-latest
JFrog Xray version
No response