Command `jf aud` for gradle project always returns exit code 0
Describe the bug
The jf aud command returns exit code 0 even if vulnerable dependencies are found in the Gradle project. According to the documentation, the jf aud command has a 'fail' flag, which specifies that exit code 3 should be returned.
This bug is critical if the command needs to be implemented in CI, as running this command from the pipeline does not trigger an error when vulnerabilities are found.
Current behavior
The jf aud command returns exit code 0 even if vulnerable dependencies are found in the Gradle project.
Reproduction steps
- jf aud --gradle
- echo $? (prints 0)
Expected behavior
- jf aud --gradle
- echo $? (prints 3, or any other non-zero exit code)
JFrog CLI version
jf version 2.53.2
Operating system type and version
Linux Ubuntu 22.04.4 LTS
JFrog Artifactory version
No response
JFrog Xray version
3.69.3
This bug is also relevant for npm projects.
Hey @vhryshchenko-source.
This behavior is by design. The documentation for the fail flag says: "Set to false if you do not wish the command to return exit code 3, even if the 'Fail Build' rule is matched by Xray". jf aud matches the vulnerabilities against a given Xray Watch that contains policies, and if a policy contains a Fail Build option it will return exit code 3. To get exit code 3 you should use the --watches flag with a watch that contains such a policy. See the documentation for Xray policies and watches:
https://jfrog.com/help/r/jfrog-security-documentation/create-an-xray-policy
https://jfrog.com/help/r/jfrog-security-documentation/create-a-watch
Let us know if it works with the --watches flag as expected.
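Wiring the exit-code contract described in this reply into a CI step, as an added example that is not part of the issue thread or of the JFrog CLI project: the watch name is an assumed placeholder, and the gate treats any exit code other than 0 or 3 as a scan failure so that a broken scan cannot pass the pipeline silently.

```shell
#!/bin/sh
# Added example (not JFrog CLI project code): a CI gate around `jf aud`.
# As explained in the thread, `jf aud` exits 3 only when a violation matches
# an Xray watch whose policy has the "Fail Build" action, so that watch has to
# be named explicitly with --watches. WATCH_NAME is an assumed placeholder.
WATCH_NAME="${WATCH_NAME:-ci-fail-build-watch}"

# audit_gate CMD... : run the audit command, interpret its exit code the way
# the CLI documents it, and return a pipeline-friendly status:
#   0 -> no Fail Build violation, pipeline continues
#   1 -> Fail Build policy matched (CLI exit 3), pipeline must fail
#   2 -> the scan itself failed (any other exit code), pipeline must fail too,
#        otherwise a misconfigured or broken scan looks like a clean result
audit_gate() {
    "$@"
    audit_rc=$?
    case "$audit_rc" in
        0) echo "audit: no Fail Build violations"; return 0 ;;
        3) echo "audit: Fail Build policy matched by watch '$WATCH_NAME'" >&2; return 1 ;;
        *) echo "audit: scan error (jf exit code $audit_rc)" >&2; return 2 ;;
    esac
}

# Real pipeline usage; guarded by --run so the function can be sourced and
# exercised with stand-in commands without a JFrog Platform connection.
if [ "${1:-}" = "--run" ]; then
    audit_gate jf aud --gradle --watches "$WATCH_NAME"
fi
```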