
When Frogbot Scan fails for any reason, no comment is added to PR #720

Open
pru-qmir opened this issue Jun 28, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@pru-qmir

Describe the bug

When Frogbot Scan fails for any reason, no comment is added to PR.

Current behavior

11:28:55 11:28:55 [Info] Running Frogbot "scan-pull-request" command
11:28:55 11:28:55 [Info] Scanning Pull Request #4 (from source branch: to target branch: )
11:28:55 11:28:55 [Info] -----------------------------------------------------------
11:28:55 11:28:55 [Info] xxxxxxxxxxxxxxxx repository downloaded successfully. Starting with repository extraction...
11:28:55 11:28:55 [Info] Extracted repository successfully
11:28:55 11:28:55 [Info] Scanning source branch...
11:28:55 11:28:55 [Info] Preforming 1 SCA scans:
11:28:55 [
11:28:55 {
11:28:55 "Technology": "poetry",
11:28:55 "WorkingDirectory": "/tmp/jfrog.cli.temp.-1719588535-3386079605",
11:28:55 "Descriptors": [
11:28:55 "/tmp/jfrog.cli.temp.-1719588535-3386079605/pyproject.toml"
11:28:55 ]
11:28:55 }
11:28:55 ]
11:28:55 11:28:55 [Info] Running SCA scan for poetry vulnerable dependencies in /tmp/jfrog.cli.temp.-1719588535-3386079605 directory...
11:28:55 11:28:55 [Info] Calculating Poetry dependencies...
11:29:08 11:29:06 [Info] Scanning 57 poetry dependencies...
11:29:08 11:29:06 [Info] Waiting for scan to complete on JFrog Xray...
11:29:13 11:29:12 [Info] xxxxxxxxxxxxxxxx repository downloaded successfully. Starting with repository extraction...
11:29:13 11:29:12 [Info] Extracted repository successfully
11:29:13 11:29:12 [Info] Scanning target branch...
11:29:13 11:29:12 [Info] Preforming 1 SCA scans:
11:29:13 [
11:29:13 {
11:29:13 "Technology": "poetry",
11:29:13 "WorkingDirectory": "/tmp/jfrog.cli.temp.-1719588552-491394444",
11:29:13 "Descriptors": [
11:29:13 "/tmp/jfrog.cli.temp.-1719588552-491394444/pyproject.toml"
11:29:13 ]
11:29:13 }
11:29:13 ]
11:29:13 11:29:12 [Info] Running SCA scan for poetry vulnerable dependencies in /tmp/jfrog.cli.temp.-1719588552-491394444 directory...
11:29:13 11:29:12 [Info] Calculating Poetry dependencies...
11:29:14 11:29:14 [Error] audit command in '/tmp/jfrog.cli.temp.-1719588552-491394444' failed:
11:29:14 failed while building 'poetry' dependency tree:
11:29:14 "poetry install" command failed: exit status 1 - Creating virtualenv docs-loader-iPgwi-HJ-py3.11 in /opt/jenkins/.cache/pypoetry/virtualenvs
11:29:14 Installing dependencies from lock file
11:29:14
11:29:14 pyproject.toml changed significantly since poetry.lock was last generated. Run poetry lock [--no-update] to fix the lock file.
11:29:14
11:29:14 [Pipeline] }
11:29:14 [Pipeline] // stage
11:29:14 [Pipeline] stage
11:29:14 [Pipeline] { (Declarative: Post Actions)
11:29:14 [Pipeline] cleanWs
11:29:14 [WS-CLEANUP] Deleting project workspace...
11:29:14 [WS-CLEANUP] Deferred wipeout is used...
11:29:15 [WS-CLEANUP] done
11:29:15 [Pipeline] }
11:29:15 [Pipeline] // stage
11:29:15 [Pipeline] }
11:29:15 [Pipeline] // withEnv
11:29:15 [Pipeline] }
11:29:15 [Pipeline] // withCredentials
11:29:15 [Pipeline] }
11:29:15 [Pipeline] // withEnv
11:29:15 [Pipeline] }
11:29:15 [Pipeline] // node
11:29:15 [Pipeline] End of Pipeline
11:29:15 ERROR: script returned exit code 1
11:29:16 Posting build status of com.atlassian.bitbucket.jenkins.internal.model.BitbucketBuildStatus@86456856 to XXXXXXXXXX for commit id [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] and ref 'refs/heads/master'
11:29:16 Finished: FAILURE

Reproduction steps

(Pull Request Scan) Env:

  • Jenkins Pipeline
  • BitBucket Server
  • Project Technologies: Poetry (with a lock file that differs from toml file)

Expected behavior

If a pull request is created, Frogbot scan results should be added as a comment to the PR whether it succeeds and/or fails:

  • If the scan is successful, the PR is updated with the results as a comment -- Working
  • If the scan fails, the PR should be updated stating that Frogbot cannot scan, with an error message -- Desired Behaviour

JFrog Frogbot version

Latest

Package manager info

pyproject.toml, poetry.lock

Git provider

Bitbucket Server

JFrog Frogbot configuration yaml file

No response

Operating system type and version

Linux

JFrog Xray version

Latest

@pru-qmir pru-qmir added the bug Something isn't working label Jun 28, 2024
@attiasas
Contributor

Hi @pru-qmir,

Thank you for using Frogbot!

As you can see from the log you shared:

11:29:14 [Error] audit command in '/tmp/jfrog.cli.temp.-1719588552-491394444' failed:
11:29:14 failed while building 'poetry' dependency tree:
11:29:14 "poetry install" command failed: exit status 1 - Creating virtualenv docs-loader-iPgwi-HJ-py3.11 in /opt/jenkins/.cache/pypoetry/virtualenvs

Your project has been detected as using poetry. Is this the correct technology you are using? When fetching the dependencies, we execute poetry install, and this command has failed:

11:29:14 "poetry install" command failed: exit status 1 - Creating virtualenv docs-loader-iPgwi-HJ-py3.11 in /opt/jenkins/.cache/pypoetry/virtualenvs

Can you execute poetry install on your project successfully?

@gailazar300
Contributor

Thank you for your comment @pru-qmir.
For now, this is Frogbot's expected behavior. I'll pass it along and we'll look into adding it as a comment.

@pru-qmir
Author

pru-qmir commented Jun 30, 2024 via email

@eranturgeman
Contributor

Hello @pru-qmir,
There is a way to force Frogbot to install.
In frogbot-config.yml you can define an install command for the project. I'll explain how it works:
After Frogbot detects the utilized tech, it figures out whether an 'install command' was already executed on the project (for example, if your utilized package manager creates a lock file, it searches for the existence of a lock file).
If it detects that the project was already installed, it skips the installation phase in order to improve performance.
We give you the choice to provide your own install command (with any valid flags you want; therefore, if there is a flag that enforces installation while ignoring a lock file, you can just provide it).
When doing so, the install command you provided will always be executed (FYI, you can provide only the install command without any working dir, not even '.', to utilize our auto-detection mechanism that detects the technology in each working dir and initiates scans for each pair of working dir + tech).

As for your request: Frogbot does not currently support opening a PR if it failed at some point, since we do not want to open empty PRs just to provide the failure reason (in scan-repository), and it does not add a comment to an existing PR about a failure, in order to keep the PR as clean as possible. For this you have the execution log. For a more detailed log, you can add the following env var to Frogbot's step in the CI: JFROG_CLI_LOG_LEVEL=DEBUG. Doing this will give you all the info you can have for these executions.
If you think this feature is valuable for you, feel free to contact your JFrog representative or open a feature request here on GitHub.
Hope my answer cleared everything out :)
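The reporter's expected behaviour ("if the scan fails, the PR should be updated stating that Frogbot cannot scan") and the answer above ("for this you have the execution log") describe the same gap: a scan that fails leaves the PR with no comment, which a reviewer can mistake for a clean result. The script below is an added example, not code from the issue or from Frogbot, of a CI-side fallback that reads Frogbot's execution log after a non-zero exit, classifies it, extracts the error block, and builds the comment body the pipeline can post itself. The log is a constructed sample abridged from the one in the issue; the function names are my own, and the final step of posting the comment through the Bitbucket Server REST API is assumed to be done by the caller and is not shown.

```shell
#!/bin/sh
# Added example: CI fallback for a failed Frogbot "scan-pull-request" run.
# Not part of Frogbot; function names and the sample log are constructed.

# Constructed sample log, abridged from the shape shown in the issue.
SAMPLE_LOG="$(cat <<'EOF'
11:28:55 [Info] Running Frogbot "scan-pull-request" command
11:28:55 [Info] Scanning source branch...
11:29:06 [Info] Scanning 57 poetry dependencies...
11:29:12 [Info] Scanning target branch...
11:29:14 [Error] audit command in '/tmp/jfrog.cli.temp.-1719588552-491394444' failed:
11:29:14 failed while building 'poetry' dependency tree:
11:29:14 "poetry install" command failed: exit status 1 - Creating virtualenv docs-loader-iPgwi-HJ-py3.11 in /opt/jenkins/.cache/pypoetry/virtualenvs
11:29:14 Installing dependencies from lock file
11:29:14
11:29:14 pyproject.toml changed significantly since poetry.lock was last generated. Run poetry lock [--no-update] to fix the lock file.
11:29:14
11:29:14 [Pipeline] }
EOF
)"

# frogbot_scan_status LOGFILE: prints "failed" when the log contains a
# Frogbot [Error] line, "ok" otherwise. The exit status mirrors the result
# (1 = failed) so the function can gate a pipeline step directly.
frogbot_scan_status() {
  if grep -q '^[0-9:]* \[Error\]' "$1"; then
    echo failed
    return 1
  fi
  echo ok
  return 0
}

# frogbot_failure_reason LOGFILE: prints the error block that starts at the
# first [Error] line, with the "HH:MM:SS " prefix stripped and empty lines
# dropped, and stops at the first [Info]/[Pipeline]/ERROR: line that follows.
frogbot_failure_reason() {
  awk '
    /^[0-9:]* \[Error\]/ { in_err = 1 }
    in_err {
      sub(/^[0-9:]+ ?/, "")                       # drop the timestamp prefix
      if ($0 ~ /^\[(Info|Pipeline)\]/ || $0 ~ /^ERROR:/) { exit }
      if ($0 != "") { print }
    }
  ' "$1"
}

# build_failure_comment LOGFILE: prints a Markdown comment body for the PR.
# The error block is indented as a code block so no fence is needed.
build_failure_comment() {
  printf '%s\n' \
    '**Frogbot could not scan this pull request.**' \
    '' \
    'The scan failed before any results were produced, so the absence of findings here must not be read as a clean scan.' \
    'Error reported in the execution log:' \
    ''
  frogbot_failure_reason "$1" | sed 's/^/    /'
}

# Stand-alone demo on the constructed sample: on failure, print the comment
# body that the CI job would hand to the PR comment API (posting not shown).
LOGFILE="$(mktemp)"
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
frogbot_scan_status "$LOGFILE" || build_failure_comment "$LOGFILE"
rm -f "$LOGFILE"
```

In a Jenkins declarative pipeline this would sit in a `post { failure { ... } }` block after the Frogbot step, with the comment body piped into whatever Bitbucket Server comment call the job already uses; the important property is that a PR never ends up silently uncommented when the scan itself did not run.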


4 participants