jfrog/jfrog-cli-security

jf audit fail with Gradle version 8 and anonymous repository access


Describe the bug

We cannot use the jf audit command for our gradle builds, as we run into different types of problems originally described here.

This could probably be the case, because we do not have an internal Artifactory, so instead the variable JFROG_CLI_RELEASES_REPO points to a Nexus repository with anonymous access proxying the official JFrog OSS repo.

Current behavior

The scan is failing with timeouts:

Could not resolve all files for configuration 'classpath'.
> Could not resolve com.jfrog:gradle-dep-tree:2.2.0.
  Required by:
      unspecified:unspecified:unspecified
   > Could not resolve com.jfrog:gradle-dep-tree:2.2.0.
      > Could not get resource 'https://repo.maven.apache.org/maven2/com/jfrog/gradle-dep-tree/2.2.0/gradle-dep-tree-2.2.0.pom'.
         > Could not GET 'https://repo.maven.apache.org/maven2/com/jfrog/gradle-dep-tree/2.2.0/gradle-dep-tree-2.2.0.pom'.
            > Connect to repo.maven.apache.org:443 [repo.maven.apache.org/146.75.116.215] failed: Connect timed out

The only option I see for me would be to add a configuration option to configure a self-written init.gradle, to be able to configure the correct Gradle plugin repository. If I do this locally and call the generateDepTrees task, it works as expected.

init.gradle:

initscript {
    repositories {
        maven { url "https://internalnexusdomain/raw-proxy-jfrog-artifactory-oss"}
    }
    dependencies {
        classpath 'com.jfrog:gradle-dep-tree:+'
    }
}

allprojects {
    apply plugin: com.jfrog.GradleDepTree
}

Result:

./gradlew -I init.gradle generateDepTrees -Dcom.jfrog.depsTreeOutputFile=gradledeptree.out -Dcom.jfrog.includeAllBuildFiles=true

> Configure project :
Building for Keycloak Release 21.0.2

BUILD SUCCESSFUL in 396ms
1 actionable task: 1 up-to-date

I've played a bit to get around our download timeout mentioned above. This is my current setup:

jf cli config:

jf config add nexusnb --artifactory-url https://internalnexusdomain/repository --interactive=false
JFROG_CLI_RELEASES_REPO=nexusnb/raw-proxy-jfrog-artifactory-oss

gradle.yaml for jf cli in the relevant project:

version: 1
type: gradle
resolver:
  repo: nexusnb/raw-proxy-jfrog-artifactory-oss
  serverId: nexusnb
deployer:
  deployMavenDescriptors: true
  deployIvyDescriptors: true
  ivyPattern: '[organization]/[module]/ivy-[revision].xml'
  artifactPattern: '[organization]/[module]/[revision]/[artifact]-[revision](-[classifier]).[ext]'
useWrapper: true

Debug log of the audit call:

$ jf audit --url $CLOUD_SERVICE_BASE_URL/xray --user $SECURITY_SCAN_USER --password $SECURITY_SCAN_PASSWORD --watches "${XRAY_WATCHES}" --gradle --use-wrapper --exclude-test-deps
14:21:43 [Debug] JFrog CLI version: 2.67.0
14:21:43 [Debug] OS/Arch: linux/amd64
14:21:43 [Debug] Trace ID for JFrog Platform logs: 5bcbcc78f5f93466
14:21:43 [Debug] Sending HTTP GET request to: https://companydomain.jfrog.io/xsc/api/v1/system/version
14:21:43 [Debug] Sending HTTP POST request to: https://companydomain.jfrog.io/xsc/api/v1/event
14:21:43 [Debug] New General event added successfully. multi_scan_id 2d197a21-6b92-11ef-9226-e23abd9cbd75
14:21:43 [Debug] Sending HTTP GET request to: https://companydomain.jfrog.io/xsc/api/v1/system/version
14:21:43 [Debug] Sending HTTP GET request to: https://companydomain.jfrog.io/xray/api/v1/system/version
14:21:44 [Debug] Sending HTTP GET request to: https://companydomain.jfrog.io/xray/api/v1/entitlements/feature/contextual_analysis
14:21:44 [Debug] The path 'projectpath/.gitignore' is excluded
14:21:44 [Debug] mapped 1 working directories with indicators/descriptors:
{
  "projectpath": [
    "projectpath/build.gradle"
  ]
}
14:21:44 [Debug] Detected 1 technologies at projectpath: [gradle].
14:21:44 [Info] Preforming 1 SCA scans:
[
  {
    "Target": "projectpath",
    "Technology": "gradle",
    "Descriptors": [
      "projectpath/build.gradle"
    ]
  }
]
14:21:44 [Debug] Preparing to read the config file projectpath/.jfrog/projects/gradle.yaml
14:21:44 [Debug] Found resolver in the config file projectpath/.jfrog/projects/gradle.yaml
14:21:44 [Debug] Using resolver config from projectpath/.jfrog/projects/gradle.yaml
14:21:44 [Info] Calculating Gradle dependencies...
14:21:44 [Debug] The `gradle-dep-tree.jar` will be resolved from raw-proxy-jfrog-artifactory-oss
14:21:44 [Debug] Sending HTTP PUT request to: https://companydomain.jfrog.io/xsc/api/v1/event
14:21:44 [Debug] General event updated
{{0 failed   0 0 false       442.107201ms  } 2d197a21-6b92-11ef-9226-e23abd9cbd75}
The ‘jf audit’ command also supports JFrog Advanced Security features, such as 'Contextual Analysis', 'Secret Detection', 'IaC Scan' and ‘SAST’.
This feature isn't enabled on your system. Read more - https://jfrog.com/xray/
Security Violations
+-----------------------------------+
| No security violations were found |
+-----------------------------------+
License Compliance Violations
+---------------------------------------------+
| No license compliance violations were found |
+---------------------------------------------+
14:21:44 [Debug] Sending an error report to JFrog analytics...
14:21:44 [Debug] Sending HTTP GET request to: /xsc/api/v1/system/version
14:21:44 [Warn] (Attempt 1) - Failure occurred while sending GET request to /xsc/api/v1/system/version: Get "/xsc/api/v1/system/version": unsupported protocol scheme ""
14:21:44 [Debug] Sending HTTP GET request to: /xsc/api/v1/system/version
14:21:44 [Warn] (Attempt 2) - Failure occurred while sending GET request to /xsc/api/v1/system/version: Get "/xsc/api/v1/system/version": unsupported protocol scheme ""
14:21:44 [Debug] Sending HTTP GET request to: /xsc/api/v1/system/version
14:21:44 [Warn] (Attempt 3) - Failure occurred while sending GET request to /xsc/api/v1/system/version: Get "/xsc/api/v1/system/version": unsupported protocol scheme ""
14:21:44 [Debug] Sending HTTP GET request to: /xsc/api/v1/system/version
14:21:44 [Warn] (Attempt 4) - Failure occurred while sending GET request to /xsc/api/v1/system/version: Get "/xsc/api/v1/system/version": unsupported protocol scheme ""
14:21:44 [Info] executor timeout after 3 attempts with 0 milliseconds wait intervals
14:21:44 [Debug] failed to check availability of Xsc service:Get "/xsc/api/v1/system/version": unsupported protocol scheme ""
Reporting to JFrog analytics is skipped...
14:21:44 [Info] Trace ID for JFrog Platform logs: 5bcbcc78f5f93466
14:21:44 [Error] audit command in 'repopath' failed:
failed while building 'gradle' dependency tree:
either username/password or access token must be set for https://internalnexusdomain/repository/

Our Nexus proxy repository is accessible anonymously, but jf cli seems to enforce credentials. If I do not provide a gradle.yaml in the project, I run into the download timeout because of our internet proxy, which I cannot configure either.

With basic gradle init scripts it works, so for me the easiest way would be to provide my own init.gradle and tell jf cli via gradlec to use it instead of generating a new one on each run.

Reproduction steps

No response

Expected behavior

jf audit --gradle should work as expected and display the vulnerability result

JFrog CLI-Security version

1.8.0

JFrog CLI version (if applicable)

2.67.0

Operating system type and version

ubuntu jammy

JFrog Xray version

3.103.6
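As an added example (not part of this issue or of the jfrog-cli-security project), a small Python parser that reads the Gradle resolution failure quoted in the bug description and reports which repository hosts the dependency-tree step tried to reach, so a pipeline can flag egress to public repositories when everything is supposed to resolve through the internal proxy. The sample output is constructed from the lines in this report, and the allow-listed host `internalnexusdomain` is the report's own placeholder.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the Gradle resolution failure quoted in the bug report,
# trimmed to the lines the parser needs.
SAMPLE_GRADLE_OUTPUT = """\
Could not resolve all files for configuration 'classpath'.
> Could not resolve com.jfrog:gradle-dep-tree:2.2.0.
   > Could not resolve com.jfrog:gradle-dep-tree:2.2.0.
      > Could not get resource 'https://repo.maven.apache.org/maven2/com/jfrog/gradle-dep-tree/2.2.0/gradle-dep-tree-2.2.0.pom'.
         > Could not GET 'https://repo.maven.apache.org/maven2/com/jfrog/gradle-dep-tree/2.2.0/gradle-dep-tree-2.2.0.pom'.
            > Connect to repo.maven.apache.org:443 [repo.maven.apache.org/146.75.116.215] failed: Connect timed out
"""

# group:artifact:version that Gradle could not resolve
RESOLVE_RE = re.compile(r"Could not resolve (?P<coord>[\w.\-]+:[\w.\-]+:[\w.\-+]+)\.")
# the concrete URL Gradle attempted to fetch
GET_RE = re.compile(r"Could not GET '(?P<url>https?://[^']+)'")
# the transport-level reason the fetch failed
CONNECT_RE = re.compile(r"Connect to (?P<host>[\w.\-]+):\d+ .*failed: (?P<reason>.+)$")


def parse_resolution_failures(text):
    """Return one record per failed coordinate: the URLs Gradle tried and why they failed."""
    failures = []
    current = None
    for line in text.splitlines():
        m = RESOLVE_RE.search(line)
        if m:
            coord = m.group("coord")
            # Gradle repeats the "Could not resolve" line once per nesting level
            if current is None or current["coordinate"] != coord:
                current = {"coordinate": coord, "urls": [], "reasons": []}
                failures.append(current)
            continue
        m = GET_RE.search(line)
        if m and current is not None:
            current["urls"].append(m.group("url"))
            continue
        m = CONNECT_RE.search(line)
        if m and current is not None:
            current["reasons"].append(f"{m.group('host')}: {m.group('reason').strip()}")
    return failures


def external_hosts(failures, allowed_hosts):
    """Hosts the build tried to reach that are not on the internal allow-list."""
    hosts = {urlparse(u).hostname for f in failures for u in f["urls"]}
    return sorted(h for h in hosts if h not in allowed_hosts)
```

Run over a real Gradle log, a non-empty result from external_hosts means the dependency-tree plugin was not being resolved from the configured proxy, which is the situation this report describes.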