Invalid return url from build scan since 2.60.0
Describe the bug
We have noticed that since updating to the latest 2.61.2 release, the xray_data_url value being returned from running jf build-scan is no longer a valid URL as it does not contain the Xray host name.
It would appear to be related to the changes from https://github.com/jfrog/jfrog-cli-security/pull/106 that were added in 2.60.0
I am wondering if it is related to the fact that we supply the --server-id argument to the jf build-scan command?
Current behavior
Receive results similar to the following (note the incomplete URL):
...
[Debug] JFrog Xray version is: 3.69.3
[🔵Info] Waiting for Build Scan to complete...
[Debug] Sending HTTP GET request to: https://artifactory.somecompany.com/xray/api/v2/ci/build/some-build/1.2.3
[Debug] The resulted url from API is https://au.artifactory.somecompany.com/, and the CLI config url is
[🔵Info] The scan data is available at: ui/builds/some-build/1.2.3/1722401114525/xrayData?buildRepo=artifactory-build-info
DEBUG: [
{
"xray_data_url": "ui/builds/some-build/1.2.3/1722401114525/xrayData?buildRepo=artifactory-build-info"
}
]
...
Reproduction steps
For an Artifactory/Xray instance with a different API Base URL compared to the CLI:
- Add a server configuration using jf config add 'SERVER-ID' ...
- Run a build scan using jf build-scan --server-id 'SERVER-ID' ...
Expected behavior
Given the example in the current behaviour, we'd expect to see the following as the returned URL:
{
"xray_data_url": "https://artifactory.somecompany.com/ui/builds/some-build/1.2.3/1722401114525/xrayData?buildRepo=artifactory-build-info"
}
JFrog CLI version
2.60.0
Operating system type and version
Linux
JFrog Artifactory version
No response
JFrog Xray version
No response
Hello @santhonisz. Thanks for reporting this. I would like to see the details of your jfrog-cli configuration. Can you please share the version of your jfrog cli config and details on https://artifactory.somecompany.com/?
These details can be found in the ~/.jfrog jfrog-cli.conf file (can be v1, v2, v3, v4, v5, v6). Don't share the password/access-token; only share the following:
"url": ,
"artifactoryUrl":,
"distributionUrl": ,
"xrayUrl": ,
"serverId": ,
Hi @dortam888,
Ok, checking the file I can see that only artifactoryUrl and xrayUrl are defined e.g.
"artifactoryUrl": "https://artifactory.somecompany.com/artifactory/",
"xrayUrl": "https://artifactory.somecompany.com/xray/",
I think I've figured out why this is. We are running the Xray scan in a CI pipeline, where the required JFrog server configuration is added with the following command. Note we don't pass the --url (JFrog Platform URL) parameter as it is optional and not required for the scan to be performed.
jf config add XRAY-CI --overwrite --user [REDACTED] --artifactory-url https://artifactory.somecompany.com/artifactory --xray-url https://artifactory.somecompany.com/xray --access-token [REDACTED]
Interestingly if I run this command locally I get prompted to supply the JFrog Platform URL, but as our CI build agents define CI=true the interactive prompts are disabled in our pipelines and hence the config is added without the JFrog Platform URL.
None of this changes the fact that the code added in https://github.com/jfrog/jfrog-cli-security/pull/106 should probably be smartened up to handle when the JFrog Platform URL is not supplied e.g. is empty, in which case it should fall back to the previous behaviour or possibly use the xrayUrl instead of the url etc.
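The fallback suggested in the comment above, sketched as an added example. It is not part of the thread and not the fix that was merged into jfrog-cli-security. The helper name `resolveScanURL` is hypothetical, and the code assumes the Xray service sits under `/xray` on the platform host, as in the configuration shown.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// resolveScanURL is a hypothetical helper, not the jfrog-cli-security code.
// It makes the xray_data_url from the build-scan response absolute, using the
// configured platform URL or, when that is empty, the Xray URL minus "/xray".
func resolveScanURL(scanURL, platformURL, xrayURL string) (string, error) {
	ref, err := url.Parse(scanURL)
	if err != nil {
		return "", fmt.Errorf("invalid scan url %q: %w", scanURL, err)
	}
	if ref.IsAbs() {
		return scanURL, nil // already a full URL, nothing to do
	}
	base := strings.TrimSuffix(strings.TrimSpace(platformURL), "/")
	if base == "" {
		// Config added without --url (for example CI=true, prompts disabled).
		base = strings.TrimSuffix(strings.TrimSpace(xrayURL), "/")
		base = strings.TrimSuffix(base, "/xray") // assumption: Xray lives under /xray
	}
	if base == "" {
		return "", fmt.Errorf("no platform or Xray URL configured for %q", scanURL)
	}
	baseURL, err := url.Parse(base + "/")
	if err != nil || !baseURL.IsAbs() {
		return "", fmt.Errorf("configured base url %q is not absolute", base)
	}
	return baseURL.ResolveReference(ref).String(), nil
}

func main() {
	// Values taken from the issue; the platform URL is empty as in the CI config.
	rel := "ui/builds/some-build/1.2.3/1722401114525/xrayData?buildRepo=artifactory-build-info"
	full, err := resolveScanURL(rel, "", "https://artifactory.somecompany.com/xray/")
	fmt.Println(full, err)
}
```

Returning an error when no base can be derived keeps a CI consumer of `xray_data_url` from silently receiving a relative path.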
Thanks @santhonisz. You're correct, it's a valid use case, and I will add a fix to the next version. Thanks for reporting that!
@santhonisz the PR for the fix is merged and will be released in the next version of the JFrog CLI.
Hey @santhonisz,
I'm closing this issue, but feel free to reopen it if needed. Thank you again for your contribution.