
When Frogbot Scan fails for any reason, no comment is added to PR

Open pru-qmir opened this issue 1 year ago • 4 comments

Describe the bug

When Frogbot Scan fails for any reason, no comment is added to PR.

Current behavior

11:28:55 11:28:55 [Info] Running Frogbot "scan-pull-request" command
11:28:55 11:28:55 [Info] Scanning Pull Request #4 (from source branch: to target branch: )
11:28:55 11:28:55 [Info] -----------------------------------------------------------
11:28:55 11:28:55 [Info] xxxxxxxxxxxxxxxx repository downloaded successfully. Starting with repository extraction...
11:28:55 11:28:55 [Info] Extracted repository successfully
11:28:55 11:28:55 [Info] Scanning source branch...
11:28:55 11:28:55 [Info] Preforming 1 SCA scans:
11:28:55 [
11:28:55 {
11:28:55 "Technology": "poetry",
11:28:55 "WorkingDirectory": "/tmp/jfrog.cli.temp.-1719588535-3386079605",
11:28:55 "Descriptors": [
11:28:55 "/tmp/jfrog.cli.temp.-1719588535-3386079605/pyproject.toml"
11:28:55 ]
11:28:55 }
11:28:55 ]
11:28:55 11:28:55 [Info] Running SCA scan for poetry vulnerable dependencies in /tmp/jfrog.cli.temp.-1719588535-3386079605 directory...
11:28:55 11:28:55 [Info] Calculating Poetry dependencies...
11:29:08 11:29:06 [Info] Scanning 57 poetry dependencies...
11:29:08 11:29:06 [Info] Waiting for scan to complete on JFrog Xray...
11:29:13 11:29:12 [Info] xxxxxxxxxxxxxxxx repository downloaded successfully. Starting with repository extraction...
11:29:13 11:29:12 [Info] Extracted repository successfully
11:29:13 11:29:12 [Info] Scanning target branch...
11:29:13 11:29:12 [Info] Preforming 1 SCA scans:
11:29:13 [
11:29:13 {
11:29:13 "Technology": "poetry",
11:29:13 "WorkingDirectory": "/tmp/jfrog.cli.temp.-1719588552-491394444",
11:29:13 "Descriptors": [
11:29:13 "/tmp/jfrog.cli.temp.-1719588552-491394444/pyproject.toml"
11:29:13 ]
11:29:13 }
11:29:13 ]
11:29:13 11:29:12 [Info] Running SCA scan for poetry vulnerable dependencies in /tmp/jfrog.cli.temp.-1719588552-491394444 directory...
11:29:13 11:29:12 [Info] Calculating Poetry dependencies...
11:29:14 11:29:14 [Error] audit command in '/tmp/jfrog.cli.temp.-1719588552-491394444' failed:
11:29:14 failed while building 'poetry' dependency tree:
11:29:14 "poetry install" command failed: exit status 1 - Creating virtualenv docs-loader-iPgwi-HJ-py3.11 in /opt/jenkins/.cache/pypoetry/virtualenvs
11:29:14 Installing dependencies from lock file
11:29:14
11:29:14 pyproject.toml changed significantly since poetry.lock was last generated. Run poetry lock [--no-update] to fix the lock file.
11:29:14
11:29:14 [Pipeline] }
11:29:14 [Pipeline] // stage
11:29:14 [Pipeline] stage
11:29:14 [Pipeline] { (Declarative: Post Actions)
11:29:14 [Pipeline] cleanWs
11:29:14 [WS-CLEANUP] Deleting project workspace...
11:29:14 [WS-CLEANUP] Deferred wipeout is used...
11:29:15 [WS-CLEANUP] done
11:29:15 [Pipeline] }
11:29:15 [Pipeline] // stage
11:29:15 [Pipeline] }
11:29:15 [Pipeline] // withEnv
11:29:15 [Pipeline] }
11:29:15 [Pipeline] // withCredentials
11:29:15 [Pipeline] }
11:29:15 [Pipeline] // withEnv
11:29:15 [Pipeline] }
11:29:15 [Pipeline] // node
11:29:15 [Pipeline] End of Pipeline
11:29:15 ERROR: script returned exit code 1
11:29:16 Posting build status of com.atlassian.bitbucket.jenkins.internal.model.BitbucketBuildStatus@86456856 to XXXXXXXXXX for commit id [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] and ref 'refs/heads/master'
11:29:16 Finished: FAILURE

Reproduction steps

(Pull Request Scan) Env:

  • Jenkins Pipeline
  • BitBucket Server
  • Project Technologies: Poetry (with a lock file that differs from toml file)

Expected behavior

If a pull request is created, Frogbot scan results should be added as a comment to the PR whether it succeeds and/or fails:

  • If the scan is successful, the PR is updated with the results as a comment -- Working
  • If the scan fails, the PR should be updated stating that Frogbot cannot scan, with an error message -- Desired Behaviour

JFrog Frogbot version

Latest

Package manager info

pyproject.toml, poetry.lock

Git provider

Bitbucket Server

JFrog Frogbot configuration yaml file

No response

Operating system type and version

Linux

JFrog Xray version

Latest

pru-qmir avatar Jun 28 '24 16:06 pru-qmir

Hi @pru-qmir,

Thank you for using Frogbot!

As you can see from the log you shared:

11:29:14 [Error] audit command in '/tmp/jfrog.cli.temp.-1719588552-491394444' failed:
11:29:14 failed while building 'poetry' dependency tree:
11:29:14 "poetry install" command failed: exit status 1 - Creating virtualenv docs-loader-iPgwi-HJ-py3.11 in /opt/jenkins/.cache/pypoetry/virtualenvs

Your project has been detected as using poetry. Is this the correct technology you are using? When fetching the dependencies, we execute poetry install, and this command has failed:

11:29:14 "poetry install" command failed: exit status 1 - Creating virtualenv docs-loader-iPgwi-HJ-py3.11 in /opt/jenkins/.cache/pypoetry/virtualenvs

Can you execute poetry install on your project successfully?

attiasas avatar Jun 30 '24 06:06 attiasas

Thank you for your comment @pru-qmir. For now, this is Frogbot's expected behavior; I'll pass it along and we'll look into adding it as a comment.

gailazar300 avatar Jun 30 '24 10:06 gailazar300

Can you execute poetry install on your project successfully?

Yes, poetry install works:

  • when lock file is removed from the project
  • when force option is used to ignore lock file

I am thinking this will be a common scenario for multiple tech types that use lock files. Frogbot should allow a force option that would ignore lock files if they are included in projects, to minimize such errors.

Also, since we are using Frogbot to scan all PRs to provide our development teams this visibility, it will be helpful for the development team to see if and why a Frogbot scan failed for their PR as a PR comment as well.


pru-qmir avatar Jun 30 '24 13:06 pru-qmir

Hello @pru-qmir. There is a way to enforce Frogbot to install. In frogbot-config.yml you can define an install command for the project. I'll explain how it works: after Frogbot detects the utilized tech, it figures out if an 'install command' was already executed on the project (for example, if the package manager you utilized creates a lock file, it searches for the existence of a lock file). If it detects the project was already installed, it skips the installation phase in order to improve performance. We give you the choice to provide your own install command (with any valid flags you want; therefore, if there is a flag that enforces installation while ignoring a lock file, you can just provide it). When doing so, the install command you provided will always be executed. (FYI, you can provide only the install command without any working dir, not even '.', to utilize our auto-detection mechanism that detects the technology in each working dir and initiates scans for each pair of working dir + tech.)

As for your request: Frogbot does not currently support opening a PR if it failed at some point, since we do not want to open empty PRs just to provide the failure reason (in scan-repository), and it does not add a comment to an existing PR about a failure, in order to keep the PR as clean as possible. For this you have the execution log. For a more detailed log you can add the following env var to Frogbot's step in the CI: JFROG_CLI_LOG_LEVEL=DEBUG. Doing this will give you all the info you can have for this execution. If you think this feature is valuable for you, feel free to contact your JFrog representative or open a feature request here on GitHub. Hope my answer cleared everything out :)

eranturgeman avatar Jul 24 '24 12:07 eranturgeman
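An added example of the frogbot-config.yml that the comment above describes. It is not configuration from this issue or from the Frogbot project; the key layout follows Frogbot's documented config template as far as I know it, and the repository name, branch and working-directory path are placeholders I assumed. The commented-out project entry is the minimal form, where Frogbot decides on its own whether to run an install; the active entry supplies an explicit installCommand, which Frogbot then always executes with whatever flags you give it.

```yaml
# Added example frogbot-config.yml (not from the issue or the Frogbot project).
# Keys follow Frogbot's documented template; repoName, branch and the
# workingDirs path are assumed placeholders.
- params:
    git:
      repoName: docs-loader          # assumed: repository that Frogbot scans
      branches:
        - master                     # assumed: target branch of the PRs
    scan:
      projects:
        # Before: no installCommand. Frogbot checks for a lock file to decide
        # whether the project is "already installed" and may skip its own
        # install step. This is the setting the reported run used.
        # - workingDirs:
        #     - services/docs-loader   # assumed path

        # After: explicit installCommand. Frogbot always runs exactly this
        # command (add any valid flags you need). A poetry.lock that no longer
        # matches pyproject.toml still has to be regenerated with "poetry lock"
        # in the repository, as the error in the log itself states.
        - installCommand: poetry install
          # workingDirs intentionally omitted: Frogbot then auto-detects the
          # technology in each working dir and starts a scan per dir + tech.
```

Pair this with JFROG_CLI_LOG_LEVEL=DEBUG on the Frogbot step, as suggested above, so the CI log shows which install command was chosen and why it failed; until a failure comment on the PR is supported, that log is the only place the reason is recorded.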