Conversation

@eyalk007 eyalk007 commented Nov 5, 2025

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.
  • Update documentation about new features / new supported technologies

@eyalk007 eyalk007 self-assigned this Nov 20, 2025
@eyalk007 eyalk007 added the breaking change Automatically generated release notes label Nov 20, 2025
- Deleted .frogbot/frogbot-config.yml from repo root
- Deleted testdata/config/ directory with all config test files
- Deleted .frogbot directories from scanrepository test subdirectories
- Removed configPath parameters from test functions
- Removed config file validation from schema tests
- Removed unused config file path constants
- Cleaned up unused imports

Config files are no longer used - all configuration now comes from environment variables only
# Conflicts:
#	.frogbot/frogbot-config.yml
#	scanrepository/scanmultiplerepositories_test.go
#	utils/params.go
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Nov 25, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 25, 2025
- Delete schema/ directory (frogbot-schema.json, tests, testdata) - deprecated YAML config files
- Delete docs/templates/jfrog-pipelines/ - deprecated JFrog Pipelines platform templates
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Nov 25, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 25, 2025
- Delete TestExtractAndAssertRepoParams - tested config YAML param extraction
- Delete TestBuildRepoAggregatorWithEmptyScan - tested empty scan in config YAML
- Delete TestBuildMergedRepoAggregator - tested merging config YAML with env vars

These tests are now redundant since config YAML functionality was removed.
The functionality they tested (env var extraction, defaults) is covered by other existing tests.
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Nov 26, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 26, 2025
The prepareConfigAndClient function was missing RepoName in gitTestParams,
causing 'repository name is missing' error in tests after config YAML removal.
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Nov 26, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 26, 2025
After config YAML removal, these tests lost their configurations:

scanpullrequest tests:
- ScanPullRequestNoFail: Set JF_FAIL=false
- ScanPullRequestMultiWorkDir: Set JF_WORKING_DIR=sub1,sub3/sub4,sub2 + JF_REQUIREMENTS_FILE
- ScanPullRequestMultiWorkDirNoFail: Same as above

scanrepository tests:
- aggregate-multi-dir: Set JF_WORKING_DIR=npm1,npm2
- aggregate-multi-project: Set JF_WORKING_DIR=npm,pip + JF_REQUIREMENTS_FILE

These env vars replace the deleted config YAML files that previously provided these settings.
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Nov 26, 2025
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Dec 1, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 1, 2025
1. Fixed missing function call: cmd.Run was not being called (missing parentheses)
2. Added proper cleanup for environment variables to prevent test interference:
   - JF_WORKING_DIRS was leaking between tests
   - aggregate-multi-dir would set npm1,npm2 and other tests would inherit it
   - This caused tests to look for vulnerabilities in wrong directories

These fixes resolve the issue where tests pass individually but fail when run together.
The main issue was that JF_WORKING_DIRS environment variable was leaking between tests:
- aggregate-multi-dir sets JF_WORKING_DIRS=npm1,npm2
- Later tests inherit this and look for vulnerabilities in wrong directories
- Added proper defer cleanup with os.Unsetenv to prevent test interference

This fixes the issue where tests pass individually but fail when run together.
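The env-var configuration described in the commits above (JF_WORKING_DIRS replacing the deleted YAML files) and the leak between tests, as an added Go example that is not Frogbot's code: workingDirs is a hypothetical reader of the variable (the "." default is an assumption), leakDemo reproduces the interference, and withEnv is the cleanup pattern, restoring whatever value was there before rather than only unsetting.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// workingDirsEnv is the variable the PR's tests set (name as in the commit message).
const workingDirsEnv = "JF_WORKING_DIRS"

// workingDirs reads the comma-separated working directories from the
// environment, the way the test fixtures configure them now that the YAML
// config files are gone. Unset or empty is assumed to mean the repo root ".".
func workingDirs() []string {
	raw, ok := os.LookupEnv(workingDirsEnv)
	if !ok || strings.TrimSpace(raw) == "" {
		return []string{"."}
	}
	var dirs []string
	for _, d := range strings.Split(raw, ",") {
		if d = strings.TrimSpace(d); d != "" {
			dirs = append(dirs, d)
		}
	}
	return dirs
}

// withEnv runs fn with key set to value and then restores the previous
// state. Unlike a bare defer os.Unsetenv, it puts back a value that was
// already set before the test started, so the caller's environment is
// never clobbered either.
func withEnv(key, value string, fn func()) {
	prev, had := os.LookupEnv(key)
	os.Setenv(key, value)
	defer func() {
		if had {
			os.Setenv(key, prev)
		} else {
			os.Unsetenv(key)
		}
	}()
	fn()
}

// leakDemo reproduces the interference from the commit message: the first
// "test" sets JF_WORKING_DIRS=npm1,npm2 without cleanup and the second
// inherits it. It returns what each test saw.
func leakDemo() (first, second []string) {
	os.Setenv(workingDirsEnv, "npm1,npm2") // aggregate-multi-dir, no cleanup
	first = workingDirs()
	second = workingDirs() // next test scans npm1,npm2 instead of "."
	os.Unsetenv(workingDirsEnv)
	return first, second
}

// isolatedDemo runs the same two tests with withEnv and returns what each saw.
func isolatedDemo() (first, second []string) {
	withEnv(workingDirsEnv, "npm1,npm2", func() { first = workingDirs() })
	second = workingDirs()
	return first, second
}

func main() {
	f, s := leakDemo()
	fmt.Println("leaking: ", f, s)
	f, s = isolatedDemo()
	fmt.Println("isolated:", f, s)
}
```

In Go 1.17 and later, t.Setenv does this set-and-restore for the duration of a test and refuses to run under t.Parallel, which is the idiomatic way to get the same isolation.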
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Dec 2, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 2, 2025
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Dec 3, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 3, 2025
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Dec 3, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 3, 2025
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Dec 3, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 3, 2025
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Dec 3, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 3, 2025
github-actions bot commented Dec 3, 2025

comments

at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1764764619-3351204132/scanpullrequest/scanpullrequest_test.go (line 1232)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content

Vulnerability Details

Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    // QueryRow returns *sql.Row; Scan copies the stored column into a string
    var message string
    _ = db.QueryRow("SELECT message FROM messages WHERE id = 1").Scan(&message)
    fmt.Fprintf(w, "<h1>%s</h1>", message) // stored value written as raw HTML
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}
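Review bot: on the + line, message is still the *sql.Row returned by QueryRow, so html.EscapeString(message) will not compile, and the - line never wrote the row's text either; scan the row into a string first (`var message string` then `db.QueryRow(...).Scan(&message)`), check the error, and pass that string to html.EscapeString, or render through html/template, whose escaping is context-aware. The advice above the diff to sanitize before storing is secondary: escape at output time, where the rendering context is known, and keep the stored value intact.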

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "commits.json")) (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1764764619-3351204132/scanpullrequest/scanpullrequest_test.go line 1230)

↘️ comments (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1764764619-3351204132/scanpullrequest/scanpullrequest_test.go line 1230)

↘️ comments (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1764764619-3351204132/scanpullrequest/scanpullrequest_test.go line 1232)
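A runnable Go illustration of the go-stored-xss pattern flagged here and of its remediation (added example, not Frogbot's code or the scanner's own sample): messageStore and its sample value are constructed stand-ins for the database row, renderUnsafe is the flagged pattern, renderEscaped is the html.EscapeString fix, and renderTemplate/serveMessage show the html/template alternative, which also escapes correctly inside an attribute.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"net/http"
	"net/http/httptest"
)

// messageStore stands in for the database in the scanner's example.
// The value is constructed sample data; like anything read back from
// storage, it is treated as untrusted (the premise of go-stored-xss).
var messageStore = map[int]string{
	1: `<img src=x onerror="alert(1)"> hello`,
}

// renderUnsafe mirrors the flagged pattern: the stored value is
// interpolated into HTML with fmt, so markup in it reaches the browser.
func renderUnsafe(id int) string {
	return fmt.Sprintf("<h1>%s</h1>", messageStore[id])
}

// renderEscaped is the remediation the finding suggests: escape the
// value for HTML element content before embedding it.
func renderEscaped(id int) string {
	return fmt.Sprintf("<h1>%s</h1>", html.EscapeString(messageStore[id]))
}

// page is parsed once. html/template escapes per context (element body,
// quoted attribute, URL, script), which html.EscapeString alone does not.
var page = template.Must(template.New("msg").Parse(
	`<h1 title="{{.}}">{{.}}</h1>`))

// renderTemplate renders the stored message through html/template.
func renderTemplate(id int) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, messageStore[id]); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// serveMessage is the hardened handler: explicit content type and a
// body produced by the contextual escaper rather than by fmt.
func serveMessage(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := page.Execute(w, messageStore[1]); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// serveOnce drives the handler through httptest and returns status and body.
func serveOnce() (int, string) {
	rec := httptest.NewRecorder()
	serveMessage(rec, httptest.NewRequest(http.MethodGet, "/message", nil))
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(renderUnsafe(1))
	fmt.Println(renderEscaped(1))
	out, _ := renderTemplate(1)
	fmt.Println(out)
}
```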

github-actions bot commented Dec 3, 2025

discussions

at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1764764619-3351204132/scanpullrequest/scanpullrequest_test.go (line 1267)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content

Vulnerability Details

Rule ID: go-stored-xss

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "list_merge_request_discussion_items.json")) (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1764764619-3351204132/scanpullrequest/scanpullrequest_test.go line 1265)

↘️ discussions (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1764764619-3351204132/scanpullrequest/scanpullrequest_test.go line 1265)

↘️ discussions (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1764764619-3351204132/scanpullrequest/scanpullrequest_test.go line 1267)

github-actions bot commented Dec 3, 2025

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 5 issues
Scan Category                              | Status         | Security Issues
Software Composition Analysis              | ℹ️ Not Scanned | -
Contextual Analysis                        | ℹ️ Not Scanned | -
Static Application Security Testing (SAST) | ✅ Done        | 5 Issues Found (5 Medium)
Secrets                                    | ✅ Done        | -
Infrastructure as Code (IaC)               | ✅ Done        | Not Found

github-actions bot commented Dec 3, 2025

file

at scanrepository/scanrepository_test.go (line 849)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content

Vulnerability Details

Rule ID: go-stored-xss

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(fmt.Sprintf("%s.tar.gz", projectName)) (at scanrepository/scanrepository_test.go line 847)

↘️ file (at scanrepository/scanrepository_test.go line 847)

↘️ file (at scanrepository/scanrepository_test.go line 849)

github-actions bot commented Dec 3, 2025

repoFile

at scanpullrequest/scanpullrequest_test.go (line 1218)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content

Vulnerability Details

Rule ID: go-stored-xss

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", params.RepoName, "sourceBranch.gz")) (at scanpullrequest/scanpullrequest_test.go line 1216)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1216)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1218)

github-actions bot commented Dec 3, 2025

repoFile

at scanpullrequest/scanpullrequest_test.go (line 1225)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content

Vulnerability Details

Rule ID: go-stored-xss

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", params.RepoName, "targetBranch.gz")) (at scanpullrequest/scanpullrequest_test.go line 1223)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1223)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1225)

github-actions bot commented Dec 3, 2025

comments

at scanpullrequest/scanpullrequest_test.go (line 1232)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content

Vulnerability Details

Rule ID: go-stored-xss

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "commits.json")) (at scanpullrequest/scanpullrequest_test.go line 1230)

↘️ comments (at scanpullrequest/scanpullrequest_test.go line 1230)

↘️ comments (at scanpullrequest/scanpullrequest_test.go line 1232)

github-actions bot commented Dec 3, 2025

discussions

at scanpullrequest/scanpullrequest_test.go (line 1267)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content

Vulnerability Details

Rule ID: go-stored-xss

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "list_merge_request_discussion_items.json")) (at scanpullrequest/scanpullrequest_test.go line 1265)

↘️ discussions (at scanpullrequest/scanpullrequest_test.go line 1265)

↘️ discussions (at scanpullrequest/scanpullrequest_test.go line 1267)

@eyalk007 eyalk007 merged commit 2c98f1e into jfrog:v3_er Dec 3, 2025
38 of 45 checks passed