Skip to content

Print logs indicating reasons for build/PR failing V2#1372

Merged
eranturgeman merged 7 commits into
jfrog:v2_mainfrom
eranturgeman:print-watch-policy-rule-log-v2
Jul 6, 2026
Merged

Print logs indicating reasons for build/PR failing V2#1372
eranturgeman merged 7 commits into
jfrog:v2_mainfrom
eranturgeman:print-watch-policy-rule-log-v2

Conversation

@eranturgeman

Copy link
Copy Markdown
Collaborator
  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.
  • Update documentation about new features / new supported technologies

@eranturgeman eranturgeman added safe to test Approve running integration tests on a pull request improvement Automatically generated release notes labels Jul 5, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Jul 5, 2026
Comment thread utils/issues/failingrules.go Outdated
Comment thread utils/issues/logfailingrules.go
Comment thread utils/issues/logfailingrules_test.go
@eranturgeman eranturgeman requested a review from Jordanh1996 July 6, 2026 08:25
@eranturgeman eranturgeman added the safe to test Approve running integration tests on a pull request label Jul 6, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Jul 6, 2026
@eranturgeman eranturgeman added the safe to test Approve running integration tests on a pull request label Jul 6, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Jul 6, 2026
@eranturgeman eranturgeman added the safe to test Approve running integration tests on a pull request label Jul 6, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 5 issues
Scan Category Status Security Issues
Software Composition Analysis ✅ Done
5 Issues Found 4 High
1 Medium
Contextual Analysis ✅ Done -
Static Application Security Testing (SAST) ✅ Done Not Found
Secrets ✅ Done Not Found
Infrastructure as Code (IaC) ✅ Done Not Found

📦 Vulnerable Dependencies

Severity ID Contextual Analysis Dependency Path
high
High
CVE-2021-4435 Missing Context -
high
High
CVE-2020-8131 Not Covered -
high
High
CVE-2019-5448 Not Covered -
high
High
CVE-2019-10773 Not Covered -
medium
Medium
CVE-2019-15608 Not Covered -

🔖 Details

[ CVE-2021-4435 ] yarn 1.0.0

Vulnerability Details

Contextual Analysis: Missing Context
CVSS V3: 7.8

An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.

[ CVE-2020-8131 ] yarn 1.0.0

Vulnerability Details

Contextual Analysis: Not Covered
CVSS V3: 7.5

Arbitrary filesystem write vulnerability in Yarn 1.21.1 and earlier allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

[ CVE-2019-5448 ] yarn 1.0.0

Vulnerability Details

Contextual Analysis: Not Covered
CVSS V3: 8.1

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

[ CVE-2019-10773 ] yarn 1.0.0

Vulnerability Details

Contextual Analysis: Not Covered
CVSS V3: 7.8

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.

[ CVE-2019-15608 ] yarn 1.0.0

Vulnerability Details

Contextual Analysis: Not Covered
CVSS V3: 5.9

The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack. This issue is fixed in 1.19.0.


@eranturgeman eranturgeman added the safe to test Approve running integration tests on a pull request label Jul 6, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Jul 6, 2026
@eranturgeman eranturgeman merged commit 8993643 into jfrog:v2_main Jul 6, 2026
43 of 57 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

improvement Automatically generated release notes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants