Skip to content

Deprecate Frogbot env vars #973

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kerenr-jfrog merged 33 commits into from
Dec 10, 2025
Merged

Deprecate Frogbot env vars #973

kerenr-jfrog merged 33 commits into from
Dec 10, 2025

Conversation

@kerenr-jfrog
Copy link
Contributor

@kerenr-jfrog kerenr-jfrog commented Dec 1, 2025
edited
Loading

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.
  • Update documentation about new features / new supported technologies
  • Deprecating the following environment variables:
  1. JF_USE_CONFIG_PROFILE
  2. JF_CONFIG_PROFILE
  3. JF_GIT_EMAIL_AUTHOR
  4. JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION
  5. JF_AVOID_EXTRA_MESSAGES
  6. JF_DISABLE_ADVANCED_SECURITY
  7. JF_PR_COMMENT_TITLE
  8. JF_FAIL
  9. JF_INCLUDE_ALL_VULNERABILITIES

eyalk007 and others added 11 commits November 3, 2025 15:44
@eyalk007
Remove frogbot-config.yml functionality - use only environment variables
555d703
@eyalk007
Remove all config yml file support and references
8ef541e 
- Deleted .frogbot/frogbot-config.yml from repo root
- Deleted testdata/config/ directory with all config test files
- Deleted .frogbot directories from scanrepository test subdirectories
- Removed configPath parameters from test functions
- Removed config file validation from schema tests
- Removed unused config file path constants
- Cleaned up unused imports

Config files are no longer used - all configuration now comes from environment variables only
@eyalk007
Merge remote-tracking branch 'upstream/v3_er' into remove-config-yaml
59e943f 
# Conflicts:
#	.frogbot/frogbot-config.yml
#	scanrepository/scanmultiplerepositories_test.go
#	utils/params.go
@eyalk007
Remove deprecated schema and jfrog-pipelines templates
5fd7179 
- Delete schema/ directory (frogbot-schema.json, tests, testdata) - deprecated YAML config files
- Delete docs/templates/jfrog-pipelines/ - deprecated JFrog Pipelines platform templates
@eyalk007
Remove redundant config YAML tests
dc45007 
- Delete TestExtractAndAssertRepoParams - tested config YAML param extraction
- Delete TestBuildRepoAggregatorWithEmptyScan - tested empty scan in config YAML
- Delete TestBuildMergedRepoAggregator - tested merging config YAML with env vars

These tests are now redundant since config YAML functionality was removed.
The functionality they tested (env var extraction, defaults) is covered by other existing tests.
@eyalk007
Fix scanpullrequest test: add missing RepoName field
d9605e1 
The prepareConfigAndClient function was missing RepoName in gitTestParams,
causing 'repository name is missing' error in tests after config YAML removal.
@eyalk007
Fix failing multi-dir and no-fail tests by setting env vars
d6c1262 
After config YAML removal, these tests lost their configurations:

scanpullrequest tests:
- ScanPullRequestNoFail: Set JF_FAIL=false
- ScanPullRequestMultiWorkDir: Set JF_WORKING_DIR=sub1,sub3/sub4,sub2 + JF_REQUIREMENTS_FILE
- ScanPullRequestMultiWorkDirNoFail: Same as above

scanrepository tests:
- aggregate-multi-dir: Set JF_WORKING_DIR=npm1,npm2
- aggregate-multi-project: Set JF_WORKING_DIR=npm,pip + JF_REQUIREMENTS_FILE

These env vars replace the deleted config YAML files that previously provided these settings.
@kerenr-jfrog
deleted GitEmailAuthorEnv
cc83c2b
@eyalk007
Cr fixes
6f082f6
@kerenr-jfrog
removed: JF_USE_CONFIG_PROFILE, JF_CONFIG_PROFILE, JF_AVOID_PREVIOUS_…
be82aaf 
…PR_COMMENTS_DELETION, JF_AVOID_EXTRA_MESSAGES
@kerenr-jfrog
fixed tests
f6fce1b
@kerenr-jfrog kerenr-jfrog added safe to test Approve running integration tests on a pull request breaking change Automatically generated release notes labels Dec 1, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 1, 2025
@eyalk007
Fix aggregate-multi-project test expectations
93f5d9a 
- Update test to expect single combined branch 'frogbot-update-npm-Pip-dependencies-master'
- Instead of separate branches for each technology
- Aligns with new single-repository architecture that combines all technologies
- Fixes test failure caused by removal of multi-repository support
@eyalk007
Fix aggregate-multi-project test branch name
61fc295 
- Update expected branch name from 'frogbot-update-npm-Pip-dependencies-master'
- To 'frogbot-update-Pip-npm-dependencies-master' to match actual technology order
- Technologies are processed in alphabetical order: Pip comes before npm
@eyalk007
Fix scanpullrequest field access patterns to use nested Params structure
29999e3 
- Updated all field access to use repoConfig.Params.* pattern
- Ensures consistency with scanrepository.go refactoring
- Should fix vulnerability ordering in pull request tests
@eyalk007
Complete field access pattern fixes for scanrepository.go
e487989 
- Updated remaining field access patterns to use nested Params structure
- Ensures full consistency across all scan commands
@kerenr-jfrog kerenr-jfrog added the safe to test Approve running integration tests on a pull request label Dec 1, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 1, 2025
eyalk007 and others added 2 commits December 1, 2025 14:07
@eyalk007
Update expected test response for new vulnerability ordering
da2f644 
- Vulnerability order changed due to refactoring from config files to env vars
- Python vulnerabilities now appear before npm vulnerabilities
- This is the correct new behavior after removing multi-repo support
@kerenr-jfrog
fixed params_test.go
94bff22
@kerenr-jfrog kerenr-jfrog added the safe to test Approve running integration tests on a pull request label Dec 1, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 8, 2025
@kerenr-jfrog kerenr-jfrog added the safe to test Approve running integration tests on a pull request label Dec 8, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 8, 2025
@kerenr-jfrog kerenr-jfrog added the safe to test Approve running integration tests on a pull request label Dec 8, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 8, 2025
@kerenr-jfrog kerenr-jfrog added the safe to test Approve running integration tests on a pull request label Dec 9, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 9, 2025
@kerenr-jfrog kerenr-jfrog added the safe to test Approve running integration tests on a pull request label Dec 9, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 9, 2025
@kerenr-jfrog kerenr-jfrog added the safe to test Approve running integration tests on a pull request label Dec 9, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 9, 2025
@kerenr-jfrog kerenr-jfrog added the safe to test Approve running integration tests on a pull request label Dec 9, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 9, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Dec 9, 2025

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 4 issues
Scan Category Status Security Issues
Software Composition Analysis ℹ️ Not Scanned -
Contextual Analysis ℹ️ Not Scanned -
Static Application Security Testing (SAST) ✅ Done
4 Issues Found 4 Medium
Secrets ✅ Done -
Infrastructure as Code (IaC) ✅ Done Not Found

@github-actions
Copy link
Contributor

github-actions bot commented Dec 9, 2025 

comments

at scanpullrequest/scanpullrequest_test.go (line 1139)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "commits.json")) (at scanpullrequest/scanpullrequest_test.go line 1137)

↘️ comments (at scanpullrequest/scanpullrequest_test.go line 1137)

↘️ comments (at scanpullrequest/scanpullrequest_test.go line 1139)

@github-actions
Copy link
Contributor

github-actions bot commented Dec 9, 2025 

discussions

at scanpullrequest/scanpullrequest_test.go (line 1174)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "list_merge_request_discussion_items.json")) (at scanpullrequest/scanpullrequest_test.go line 1172)

↘️ discussions (at scanpullrequest/scanpullrequest_test.go line 1172)

↘️ discussions (at scanpullrequest/scanpullrequest_test.go line 1174)

@github-actions
Copy link
Contributor

github-actions bot commented Dec 9, 2025 

repoFile

at scanpullrequest/scanpullrequest_test.go (line 1125)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", params.RepoName, "sourceBranch.gz")) (at scanpullrequest/scanpullrequest_test.go line 1123)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1123)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1125)

@github-actions
Copy link
Contributor

github-actions bot commented Dec 9, 2025 

repoFile

at scanpullrequest/scanpullrequest_test.go (line 1132)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", params.RepoName, "targetBranch.gz")) (at scanpullrequest/scanpullrequest_test.go line 1130)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1130)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1132)

@kerenr-jfrog kerenr-jfrog merged commit 53aad36 into jfrog:v3_er Dec 10, 2025
54 of 60 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@orto17 orto17 orto17 approved these changes

@eranturgeman eranturgeman Awaiting requested review from eranturgeman

@eyalk007 eyalk007 Awaiting requested review from eyalk007

Assignees

@kerenr-jfrog kerenr-jfrog

Labels

breaking change Automatically generated release notes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kerenr-jfrog @eyalk007 @orto17