Skip to content

Remove frogbot-config.yml functionality - use only environment variables #952

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: v3_er
Choose a base branch
from
Open

Remove frogbot-config.yml functionality - use only environment variables #952

wants to merge 7 commits into from

Conversation

@eyalk007
Copy link
Contributor

@eyalk007 eyalk007 commented Nov 5, 2025

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.
  • Update documentation about new features / new supported technologies

@eyalk007 eyalk007 self-assigned this Nov 20, 2025
@eyalk007 eyalk007 added the breaking change Automatically generated release notes label Nov 20, 2025
@eyalk007
Remove all config yml file support and references
8ef541e 
- Deleted .frogbot/frogbot-config.yml from repo root
- Deleted testdata/config/ directory with all config test files
- Deleted .frogbot directories from scanrepository test subdirectories
- Removed configPath parameters from test functions
- Removed config file validation from schema tests
- Removed unused config file path constants
- Cleaned up unused imports

Config files are no longer used - all configuration now comes from environment variables only
@orto17 orto17 requested review from attiasas and orto17 November 23, 2025 08:36
@eyalk007
Merge remote-tracking branch 'upstream/v3_er' into remove-config-yaml
59e943f 
# Conflicts:
#	.frogbot/frogbot-config.yml
#	scanrepository/scanmultiplerepositories_test.go
#	utils/params.go
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Nov 25, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 25, 2025
@eyalk007
Remove deprecated schema and jfrog-pipelines templates
5fd7179 
- Delete schema/ directory (frogbot-schema.json, tests, testdata) - deprecated YAML config files
- Delete docs/templates/jfrog-pipelines/ - deprecated JFrog Pipelines platform templates
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Nov 25, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 25, 2025
@eyalk007
Remove redundant config YAML tests
dc45007 
- Delete TestExtractAndAssertRepoParams - tested config YAML param extraction
- Delete TestBuildRepoAggregatorWithEmptyScan - tested empty scan in config YAML
- Delete TestBuildMergedRepoAggregator - tested merging config YAML with env vars

These tests are now redundant since config YAML functionality was removed.
The functionality they tested (env var extraction, defaults) is covered by other existing tests.
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Nov 26, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 26, 2025
@eyalk007
Fix scanpullrequest test: add missing RepoName field
d9605e1 
The prepareConfigAndClient function was missing RepoName in gitTestParams,
causing 'repository name is missing' error in tests after config YAML removal.
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Nov 26, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 26, 2025
eyalk007
eyalk007 commented Nov 26, 2025
View reviewed changes
.frogbot/frogbot-config.yml
Copy link
Contributor Author

@eyalk007 eyalk007 Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

deleting this will break frogbot ?
i mean its using config yml today
also in oidc i think
if so ill add whats needed as env vars

@eyalk007
Fix failing multi-dir and no-fail tests by setting env vars
d6c1262 
After config YAML removal, these tests lost their configurations:

scanpullrequest tests:
- ScanPullRequestNoFail: Set JF_FAIL=false
- ScanPullRequestMultiWorkDir: Set JF_WORKING_DIR=sub1,sub3/sub4,sub2 + JF_REQUIREMENTS_FILE
- ScanPullRequestMultiWorkDirNoFail: Same as above

scanrepository tests:
- aggregate-multi-dir: Set JF_WORKING_DIR=npm1,npm2
- aggregate-multi-project: Set JF_WORKING_DIR=npm,pip + JF_REQUIREMENTS_FILE

These env vars replace the deleted config YAML files that previously provided these settings.
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Nov 26, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 26, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Nov 26, 2025

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 5 issues
Scan Category Status Security Issues
Software Composition Analysis ℹ️ Not Scanned -
Contextual Analysis ℹ️ Not Scanned -
Static Application Security Testing (SAST) ✅ Done
5 Issues Found 5 Medium
Secrets ✅ Done -
Infrastructure as Code (IaC) ✅ Done Not Found

@github-actions
Copy link
Contributor

github-actions bot commented Nov 26, 2025 

file

at scanrepository/scanrepository_test.go (line 853)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(fmt.Sprintf("%s.tar.gz", projectName)) (at scanrepository/scanrepository_test.go line 851)

↘️ file (at scanrepository/scanrepository_test.go line 851)

↘️ file (at scanrepository/scanrepository_test.go line 853)

@github-actions
Copy link
Contributor

github-actions bot commented Nov 26, 2025 

repoFile

at scanpullrequest/scanpullrequest_test.go (line 1226)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", params.RepoName, "targetBranch.gz")) (at scanpullrequest/scanpullrequest_test.go line 1224)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1224)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1226)

@github-actions
Copy link
Contributor

github-actions bot commented Nov 26, 2025 

comments

at scanpullrequest/scanpullrequest_test.go (line 1233)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "commits.json")) (at scanpullrequest/scanpullrequest_test.go line 1231)

↘️ comments (at scanpullrequest/scanpullrequest_test.go line 1231)

↘️ comments (at scanpullrequest/scanpullrequest_test.go line 1233)

@github-actions
Copy link
Contributor

github-actions bot commented Nov 26, 2025 

discussions

at scanpullrequest/scanpullrequest_test.go (line 1268)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "list_merge_request_discussion_items.json")) (at scanpullrequest/scanpullrequest_test.go line 1266)

↘️ discussions (at scanpullrequest/scanpullrequest_test.go line 1266)

↘️ discussions (at scanpullrequest/scanpullrequest_test.go line 1268)

@github-actions
Copy link
Contributor

github-actions bot commented Nov 26, 2025 

repoFile

at scanpullrequest/scanpullrequest_test.go (line 1219)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", params.RepoName, "sourceBranch.gz")) (at scanpullrequest/scanpullrequest_test.go line 1217)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1217)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1219)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@attiasas attiasas Awaiting requested review from attiasas

@orto17 orto17 Awaiting requested review from orto17

Assignees

@eyalk007 eyalk007

Labels

breaking change Automatically generated release notes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@eyalk007