
Frogbot not creating pull requests after scan-repository task succeeds #761

Open
ManudattaG opened this issue Oct 7, 2024 · 5 comments
Labels: bug (Something isn't working)

Comments


ManudattaG commented Oct 7, 2024

Describe the bug

I'm using JFrog Frogbot for scanning vulnerabilities on a GitLab repository. Currently, Frogbot is unable to create automatic pull requests after the scan-repository command completes successfully, even though there are vulnerabilities reported in the "scan-pull-request" task. I also tried replicating the behavior by downgrading a package to a vulnerable (affected) version and triggered the "scan-repository" task in order to test automatic pull request creation by Frogbot. Unfortunately I don't see any pull requests created, and the logs say there are no changes to commit (full logs attached). Maybe something is wrong with the configuration I have.
Could you please help me troubleshoot the issue? I have included all the relevant logs and Frogbot config files in this issue report.
BTW, there are no existing pull requests with vulnerabilities open, as the logs mention.
Thanks!

Current behavior

Frogbot downloaded successfully!
10:10:42 [Info] Frogbot version: 2.21.13
10:10:42 [Info] Running Frogbot "scan-repository" command
[Info] Not entitled for JAS, skipping advance security scans...
10:10:45 [Info] Preforming 1 SCA scans:
[
{
"Target": "/tmp/jfrog.cli.temp.-1728295844-3614675312",
"Technology": "poetry",
"Descriptors": [
"/tmp/jfrog.cli.temp.-1728295844-3614675312/pyproject.toml"
]
}
]
10:10:45 [Info] Calculating Poetry dependencies...
10:10:48 [Info] [Thread 0] Running SCA scan for /tmp/jfrog.cli.temp.-1728295844-3614675312 vulnerable dependencies in /tmp/jfrog.cli.temp.-1728295844-3614675312 directory...
10:10:48 [Info] Scanning 20 poetry dependencies...
10:10:49 [Info] Waiting for scan to complete on JFrog Xray...
10:10:54 [Info] Xray scan completed
10:10:54 [Info] -----------------------------------------------------------------
10:10:54 [Info] Starting aggregated dependencies fix
10:10:54 [Info] There were no changes to commit after fixing vulnerabilities.
Note: Frogbot currently cannot address certain vulnerabilities in some package managers, which may result in the absence of changes
10:10:54 [Info] The existing pull request is in sync with the latest scan, and no further updates are required.
10:10:54 [Info] Frogbot "scan-repository" command finished successfully

Reproduction steps

No response

Expected behavior

Frogbot detects vulnerabilities after running "scan-repository" task for a repo and creates pull requests automatically with fixable versions and relevant changes.

JFrog Frogbot version

2.21.13

Package manager info

poetry.lock and Poetry (version 1.8.3)

Git provider

GitLab

JFrog Frogbot configuration yaml file

```yaml
# Git repositories in the same organization.
- params:

    # Git parameters
    git:
      # [Mandatory]
      # Name of the git repository to scan
      repoName: mygitlabrepo

      # [Mandatory]
      # List of branches to scan
      branches:
        - main

      # [Optional]
      # Template for the branch name generated by Frogbot when creating pull requests with fixes.
      # The template must include {BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
      # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
      branchNameTemplate: 'frogbot-{BRANCH_NAME_HASH}'

      # [Optional]
      # Template for the commit message generated by Frogbot when creating pull requests with fixes
      # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
      commitMessageTemplate: 'Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}'

      # [Optional]
      # Template for the pull request title generated by Frogbot when creating pull requests with fixes.
      # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
      pullRequestTitleTemplate: '[🐸 Frogbot] Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}'

      # [Optional]
      # Avoid adding extra info to pull request comments that isn't related to the scan findings.
      # avoidExtraMessages: false

      # [Optional]
      # Add a title to pull request comments generated by Frogbot.
      # pullRequestCommentTitle: ""

      # [Optional, Default: false]
      # If true, Frogbot creates a single pull request with all the fixes.
      # If false, Frogbot creates a separate pull request for each fix.
      aggregateFixes: true

      # [Optional, Default: [email protected]]
      # Set the email of the commit author
      # emailAuthor: ""

    # Frogbot scanning parameters
    scan:
      # [Default: false]
      # Frogbot displays all existing vulnerabilities, including the ones that were not added by the pull request
      includeAllVulnerabilities: true

      # [Default: true]
      # Frogbot does not fail the task if security issues are found and this parameter is set to false
      failOnSecurityIssues: false

      # [Default: false]
      # Handle vulnerabilities with fix versions only
      # fixableOnly: true

      # [Optional]
      # Set the list of allowed licenses
      # The full list of licenses can be found in:
      # https://github.com/jfrog/frogbot/blob/master/docs/licenses.md
      # allowedLicenses:
      #   - MIT
      #   - Apache-2.0

      # [Optional]
      # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
      # The following values are accepted: Low, Medium, High or Critical
      minSeverity: 'Low'

      # [Optional]
      # List of email addresses to receive emails about secrets that have been detected in a pull request scan.
      # Applies only to servers that are entitled to JFrog Advanced Security.
      # emailReceivers:
      #  - [email protected]

      # List of subprojects / project dirs inside the Git repository
      projects:
        # [Mandatory if the two conditions below are met]
        # 1. The project uses poetry to download its dependencies
        # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
        #
        # The command that installs the project dependencies (e.g "nuget restore")
        - installCommand: 'poetry install'

          # [Default: root directory]
          # List of relative paths to the projects directories in the git repository
          workingDirs:
            - '.'

          # [Optional]
          # Name of a Virtual Repository in Artifactory to resolve (download) the project dependencies from
          # repository: 'gitlab-artf'

    # JFrog Platform parameters
    jfrogPlatform:
      # [Optional]
      # JFrog project key. Learn more about it here
      jfrogProjectKey: ""

      # [Optional]
      # Xray Watches. Learn more about it here
      watches:
        - ""
```

Operating system type and version

macOS 14.6

JFrog Xray version

No response

@ManudattaG ManudattaG added the bug Something isn't working label Oct 7, 2024
@eranturgeman (Contributor) commented

Hello @ManudattaG and thank you for using Frogbot.
First, can you please re-run Frogbot with the following env var in your CI: JFROG_CLI_LOG_LEVEL=DEBUG
This will print all logs and will enable us to better understand what happened.
Second, Frogbot cannot fix every vulnerability it finds. Sometimes we don't have a fixed version to suggest, and sometimes in a multi-module env we cannot fix the vulnerability, since we do not fully support multi-module envs currently.
Please provide the logs with the env var I asked for and we can continue from there.

ManudattaG commented Oct 7, 2024

Thanks for your quick response @eranturgeman
After enabling debug logs, I understood from the logs that it cannot fix indirect dependencies. Is this the default behavior of Frogbot? If so, what exactly does Frogbot try to fix w.r.t. packages and libraries that are in the Poetry manager, and potentially create pull requests for us automatically?
I mean, do we have an option for Frogbot to fix peer dependencies, where we likely have more vulnerabilities most of the time?

11:06:38 [Info] Calculating Poetry dependencies...
11:06:38 [Debug] Running poetry install
11:06:42 [Debug] Created 'Poetry' dependency tree with 20 nodes. Elapsed time: 3.9 seconds.
11:06:42 [Debug] Unique dependencies list:
[
    "pypi://mypy-boto3-ssm:1.35.21",
    "pypi://mypy-boto3-s3:1.35.22",
    "pypi://typing-extensions:4.12.2",
    "pypi://idna:3.4",
    "pypi://botocore:1.35.29",
    "pypi://python-dateutil:2.9.0.post0",
    "pypi://boto3:1.35.29",
    "pypi://six:1.16.0",
    "pypi://s3transfer:0.10.2",
    "pypi://mypy-boto3-sqs:1.35.0",
    "pypi://python:",
    "pypi://requests:2.32.3",
    "pypi://jmespath:1.0.1",
    "pypi://mypy-boto3-sts:1.35.0",
    "pypi://aws-lambda-powertools:2.43.1",
    "pypi://certifi:2024.8.30",
    "pypi://charset-normalizer:3.3.2",
    "pypi://urllib3:1.26.20"
  ]
11:06:42 [Info] [Thread 0] Running SCA scan for /tmp/jfrog.cli.temp.-1728299197-2622092991 vulnerable dependencies in /tmp/jfrog.cli.temp.-1728299197-2622092991 directory...
11:06:42 [Info] Scanning 20 poetry dependencies...
11:06:42 [Debug] Sending HTTP POST request to: https://vzcdaas.jfrog.io/xsc/api/v1/sca/scan/graph?multi_scan_id=38fb1cc0-849c-11ef-ba70-2e1075724ac7&scan_type=dependency
11:06:42 [Info] Waiting for scan to complete on JFrog Xray...
11:06:42 [Debug] Sending HTTP GET request to: https://vzcdaas.jfrog.io/xsc/api/v1/sca/scan/graph/2ec50470-3bba-4d8c-55af-7b44ff86ad3f?include_vulnerabilities=true
11:06:42 [Debug] Get Dependencies Scan results... (Attempt 1)
11:06:47 [Debug] Sending HTTP GET request to: https://vzcdaas.jfrog.io/xsc/api/v1/sca/scan/graph/2ec50470-3bba-4d8c-55af-7b44ff86ad3f?include_vulnerabilities=true
11:06:47 [Info] Xray scan completed
11:06:47 [Debug] Frogbot will attempt to resolve the following vulnerable dependencies:
 idna
11:06:48 [Debug] No pull request found from source branch  frogbot-Poetry-main
11:06:48 [Info] -----------------------------------------------------------------
11:06:48 [Info] Starting aggregated dependencies fix
11:06:48 [Debug] Creating branch frogbot-Poetry-main ...
11:06:48 [Debug] idna is an indirect dependency that will not be updated to version 3.7.
Fixing indirect dependencies can potentially cause conflicts with other dependencies that depend on the previous version.
Frogbot skips this to avoid potential incompatibilities and breaking changes.
11:06:48 [Info] There were no changes to commit after fixing vulnerabilities.
Note: Frogbot currently cannot address certain vulnerabilities in some package managers, which may result in the absence of changes
11:06:48 [Debug] Running git checkout to branch: main
11:06:48 [Info] The existing pull request is in sync with the latest scan, and no further updates are required.
11:06:48 [Debug] Sending HTTP PUT request to: https://vzcdaas.jfrog.io/xsc/api/v1/event
11:06:48 [Debug] General event updated
{{0 completed   1 0 false       10.378216682s  } 38fb1cc0-849c-11ef-ba70-2e1075724ac7}
11:06:48 [Info] Frogbot "scan-repository" command finished successfully

@eranturgeman (Contributor) commented

@ManudattaG You are correct. Frogbot is able to fix ONLY direct dependencies.
Think about it. Let's say you imported package A v1.0.0 that imports B v1.0.0, and B is vulnerable.
You update B manually to its fixed version, let's say v1.0.1.
But you still have package A that brings B v1.0.0.
You have no control over indirect dependencies that come from packages you import directly.
So what does Frogbot do? It scans all direct & indirect dependencies and identifies the vulnerable deps.
Then it builds a dependency tree so it can understand which direct dependency brings the vulnerable one, and it suggests the fixed version for the direct one that fixes the indirect dependency it brought.

FYI - Scan-Repository can ONLY create PRs with fixes if it has something it can fix.
As for Scan-PR, it only presents the results of the scan as a comment in your PR (since we do not want to add content to someone's PR).
Hope this clears everything up, and if not, feel free to ask.
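The direct-versus-indirect reasoning in the reply above, as an added illustration that is not Frogbot's own code: given a dependency tree and a set of vulnerable packages, it classifies each finding and, for indirect ones, names the direct dependencies that pull it in (the ones a maintainer would have to bump). The tree edges and the `requests` finding are hypothetical; only the package names and the idna 3.7 fix version come from the debug log.

```python
# Added illustration, not Frogbot's own code: classify SCA findings as direct or
# indirect (transitive) dependencies and, for indirect ones, name the direct
# dependency that pulls them in. Tree edges and the "requests" finding are made up.
from collections import deque

# Constructed edges: parent -> children. "root" stands for the project itself.
DEP_TREE = {
    "root": ["requests", "boto3", "aws-lambda-powertools"],
    "requests": ["idna", "urllib3", "certifi", "charset-normalizer"],
    "boto3": ["botocore", "s3transfer", "jmespath"],
    "botocore": ["urllib3", "python-dateutil", "jmespath"],
    "aws-lambda-powertools": ["typing-extensions"],
}

# Constructed findings: vulnerable package -> fix version (idna 3.7 is from the log).
FINDINGS = {"idna": "3.7", "requests": "<placeholder-fix-version>"}


def direct_roots(tree, target, root="root"):
    """Return the direct dependencies (children of root) whose subtree contains target."""
    result = []
    for direct in tree.get(root, []):
        seen, queue = set(), deque([direct])
        while queue:  # breadth-first walk of this direct dependency's subtree
            node = queue.popleft()
            if node == target:
                result.append(direct)
                break
            if node in seen:
                continue
            seen.add(node)
            queue.extend(tree.get(node, []))
    return result


def triage(tree, findings, root="root"):
    """Map each finding to its kind (direct/indirect), fix version and the direct deps bringing it in."""
    directs = set(tree.get(root, []))
    out = {}
    for pkg, fix in findings.items():
        kind = "direct" if pkg in directs else "indirect"
        via = [] if kind == "direct" else direct_roots(tree, pkg, root)
        out[pkg] = {"kind": kind, "fix": fix, "via": via}
    return out


if __name__ == "__main__":
    for pkg, info in triage(DEP_TREE, FINDINGS).items():
        via = f" (pulled in by {', '.join(info['via'])})" if info["via"] else ""
        print(f"{pkg}: {info['kind']} dependency, fix {info['fix']}{via}")
```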

@ManudattaG (Author) commented

@eranturgeman Got it. Thanks for explaining the details :)


ManudattaG commented Oct 9, 2024

Just one last question, maybe.
So I understand that Frogbot doesn't fix indirect dependencies, but does it present in the PR comments that there are vulnerable packages, identified as both direct and indirect dependencies, along with a fixed version (if there is one)?
