
jf docker scan --format=table does not hint on scan_id if no issues are found #1026

Open
thomas-galla opened this issue Nov 10, 2023 · 0 comments
Labels
bug Something isn't working

@thomas-galla

Describe the bug

Our workflow depends on the scan_id for several purposes.

With JFrog CLI 2.51.1 there is one change coming with

https://github.com/jfrog/jfrog-cli-core/pull/994/files#diff-0cb3bf0da9f42f148ec1c1a33204b6506de9f1a92bc273c03c9aa9fafb22b15eR135

so that for any call to

jf docker scan --format=table ...

which is returning 0 vulnerabilities, we no longer have access to the scan_id information as we used to have for the table format. (Using the json format we always get this information directly.)

Now we would need to set JFROG_CLI_LOG_LEVEL=DEBUG and parse stderr to retrieve this information, as this is the only hint for this piece of information.

See Reproduction steps:

sf-user@sf-dev-tga:~$ grep '/xray/api/v1/scan/graph/' stderr
07:49:49 [Debug] Sending HTTP GET request to: http://192.168.2.7:8082/xray/api/v1/scan/graph/c452b793-255f-434b-5c33-71fd58cd8be4?include_vulnerabilities=true
07:49:54 [Debug] Sending HTTP GET request to: http://192.168.2.7:8082/xray/api/v1/scan/graph/c452b793-255f-434b-5c33-71fd58cd8be4?include_vulnerabilities=true

For several reasons we would prefer not to use this DEBUG hack but get the essential information either in the same way as before or maybe even in a better way.

Current behavior

See Reproduction steps:

sf-user@sf-dev-tga:~$ cat stdout

Vulnerable Components
+-------------------------------------+
| No vulnerable components were found |
+-------------------------------------+

Reproduction steps

sf-user@sf-dev-tga:~$ docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE

sf-user@sf-dev-tga:~$ docker pull hello-world
Using default tag: latest
latest: Pulling from library/hello-world
719385e32844: Pull complete
Digest: sha256:88ec0acaa3ec199d3b7eaf73588f4518c25f9d34f58ce9a0df68429c5af48e8d
Status: Downloaded newer image for hello-world:latest
docker.io/library/hello-world:latest

sf-user@sf-dev-tga:~$ docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest 9c7a54a9a43c 6 months ago 13.3kB

sf-user@sf-dev-tga:~$ JFROG_CLI_LOG_LEVEL=DEBUG jf docker scan 9c7a54a9a43c --format=table > stdout 2> stderr

FYI: For testing an image including vulnerabilities (showing the expected behavior), I have been using

docker pull jenkins/jenkins

Expected behavior

sf-user@sf-dev-tga:~$ cat stdout
The full scan results are available here: /tmp/jfrog.cli.temp.-1699604631-2298637964

Vulnerable Components
+-------------------------------------+
| No vulnerable components were found |
+-------------------------------------+

and some existing file containing the scan_id:

sf-user@sf-dev-tga:~$ grep scan_id /tmp/jfrog.cli.temp.-1699604631-2298637964
"scan_id": "029b9813-bc10-4c86-4b3c-f3df156db27f",

Ideally we would love to see something like this:

sf-user@sf-dev-tga:~$ cat stdout
The full scan results are available here: /tmp/jfrog.cli.temp.-1699604631-2298637964

Vulnerable Components
scan_id: 029b9813-bc10-4c86-4b3c-f3df156db27f
+-------------------------------------+
| No vulnerable components were found |
+-------------------------------------+

JFrog CLI-Core version

v2.46.0

JFrog CLI version (if applicable)

jf version 2.51.1

Operating system type and version

Linux sf-dev-tga 5.10.0-26-cloud-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29) x86_64 GNU/Linux

JFrog Artifactory version

7.46.10

JFrog Xray version

3.61.5

@thomas-galla thomas-galla added the bug Something isn't working label Nov 10, 2023
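As an added example (not part of the issue and not JFrog CLI code), the following script implements both ways of recovering the scan_id that the report describes: reading the `"scan_id"` key from the JSON results file, and, as a fallback, extracting the UUID from the `/xray/api/v1/scan/graph/<id>` polling lines in DEBUG stderr. The stderr sample is the one quoted above; the JSON sample is a constructed stand-in, since the only thing assumed about the results file is that it contains a `scan_id` key somewhere, not its exact layout. A check that the log names a single, consistent scan id is included so that a mixed or concatenated log does not silently yield the wrong id.

```python
import json
import os
import re
import tempfile
from typing import Any, List, Optional

# The DEBUG log polls the Xray scan-graph endpoint; the path segment after
# /scan/graph/ is the scan_id (UUID-shaped, as in the issue's stderr excerpt).
SCAN_GRAPH_RE = re.compile(
    r"/xray/api/v1/scan/graph/"
    r"([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\b"
)

# Sample stderr, copied from the issue's DEBUG output.
SAMPLE_STDERR = """\
07:49:49 [Debug] Sending HTTP GET request to: http://192.168.2.7:8082/xray/api/v1/scan/graph/c452b793-255f-434b-5c33-71fd58cd8be4?include_vulnerabilities=true
07:49:54 [Debug] Sending HTTP GET request to: http://192.168.2.7:8082/xray/api/v1/scan/graph/c452b793-255f-434b-5c33-71fd58cd8be4?include_vulnerabilities=true
"""

# Constructed stand-in for the JSON results file. Only the presence of a
# "scan_id" key at some depth is assumed; the surrounding layout is invented.
SAMPLE_RESULTS = {
    "scans": [
        {"scan_id": "029b9813-bc10-4c86-4b3c-f3df156db27f", "vulnerabilities": []}
    ]
}


def scan_id_from_debug_log(stderr_text: str) -> Optional[str]:
    """Return the scan_id named by the scan-graph polling lines, or None.

    Raises ValueError if the log mentions more than one scan id, so a
    concatenated log from several runs is not silently misattributed.
    """
    ids = SCAN_GRAPH_RE.findall(stderr_text)
    if not ids:
        return None
    unique = sorted(set(ids))
    if len(unique) > 1:
        raise ValueError(f"log contains several scan ids: {unique}")
    return unique[0]


def find_scan_ids(node: Any) -> List[str]:
    """Collect every string value under a 'scan_id' key, at any depth."""
    found: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "scan_id" and isinstance(value, str):
                found.append(value)
            else:
                found.extend(find_scan_ids(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_scan_ids(item))
    return found


def scan_id_from_results_file(path: str) -> Optional[str]:
    """Read the JSON results file and return its first scan_id, or None."""
    with open(path, encoding="utf-8") as fh:
        ids = find_scan_ids(json.load(fh))
    return ids[0] if ids else None


def resolve_scan_id(results_path: Optional[str], stderr_text: str) -> Optional[str]:
    """Prefer the results file (needs no DEBUG logging); fall back to stderr."""
    if results_path and os.path.exists(results_path):
        sid = scan_id_from_results_file(results_path)
        if sid:
            return sid
    return scan_id_from_debug_log(stderr_text)


if __name__ == "__main__":
    # Write the constructed results sample to a temp file and resolve both ways.
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump(SAMPLE_RESULTS, tmp)
        tmp_path = tmp.name
    try:
        print("from results file:", resolve_scan_id(tmp_path, ""))
        print("from DEBUG stderr:", resolve_scan_id(None, SAMPLE_STDERR))
    finally:
        os.unlink(tmp_path)
```

In a pipeline the results path is the `/tmp/jfrog.cli.temp.*` file that the table output names (when it is printed), and the stderr text is the captured DEBUG log; the file route is the one to prefer because it does not depend on log verbosity or on the polling URL format.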