Reputation: 4781
I'm trying to integrate xray into my ci/cd pipeline and I'm having some difficulty.
Here is my .yml file:
name: JFrog - Xray
on:
  workflow_dispatch:
jobs:
  unit_tests:
    name: Run Unit Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - uses: actions/[email protected]
        with:
          distribution: "temurin"
          java-version: 17
      - name: Change wrapper permissions
        run: chmod +x ./gradlew
  build:
    name: Build and analyze
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Authenticate JFrog
        uses: jfrog/[email protected]
        env:
          JF_URL: ${{ secrets.J_FROG_URL }}
          JF_USER: ${{ secrets.J_FROG_USERNAME }}
          JF_PASSWORD: ${{ secrets.J_FROG_PASSWORD }}
      - name: Set up JDK 17
        uses: actions/[email protected]
        with:
          distribution: "temurin"
          java-version: 17
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
      - name: Change wrapper permissions
        run: chmod +x ./gradlew
      - name: Run Tests and Analysis
        run: ./gradlew testsAndAnalysis
  scan-repository:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        branch: ["main"]
    steps:
      - uses: actions/[email protected]
        with:
          distribution: "temurin"
          java-version: 17
      - uses: jfrog/frogbot@v2
        env:
          JF_URL: ${{ secrets.J_FROG_URL }}
          JF_USER: ${{ secrets.J_FROG_USERNAME }}
          JF_PASSWORD: ${{ secrets.J_FROG_PASSWORD }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          JF_GIT_BASE_BRANCH: ${{ matrix.branch }}
When this workflow is run I get the following in my pipeline:
{
  "xray_version": "3.107.11",
  "jas_entitled": false,
  "command_type": "source_code",
  "multi_scan_id": "97e80f8e-ac16-11ef-99fe-62877ead494e",
  "targets": [
    {
      "target": "/tmp/jfrog.cli.temp.-1732639850-1331667116",
      "technology": "gradle",
      "sca_scans": {
        "descriptors": [
          "/tmp/jfrog.cli.temp.-1732639850-1331667116/app/build.gradle.kts",
          "/tmp/jfrog.cli.temp.-1732639850-1331667116/build.gradle.kts",
          "/tmp/jfrog.cli.temp.-1732639850-1331667116/buildSrc/build.gradle.kts",
          "/tmp/jfrog.cli.temp.-1732639850-1331667116/cropper/build.gradle"
        ]
      }
    }
  ]
}
16:50:52 [Info] Not entitled for JAS, skipping advance security scans...
16:50:52 [Info] Calculating Gradle dependencies...
16:50:52 [Info] Running gradle deps tree command: ./gradlew clean generateDepTrees -I /tmp/jfrog.cli.temp.-1732639852-134659587/gradledeptree.init -q -Dcom.jfrog.depsTreeOutputFile=/tmp/jfrog.cli.temp.-1732639852-134659587/gradledeptree.out -Dcom.jfrog.includeAllBuildFiles=true
16:53:38 [Info] [Thread 0] Running SCA scan for /tmp/jfrog.cli.temp.-1732639850-1331667116 vulnerable dependencies in /tmp/jfrog.cli.temp.-1732639850-1331667116 directory...
16:53:38 [Info] Scanning 341 gradle dependencies...
16:53:38 [Info] Waiting for scan to complete on JFrog Xray...
16:53:54 [Info] Xray scan completed
Error: 7 [Error] the following errors occured while fixing vulnerabilities in '/tmp/jfrog.cli.temp.-1732639850-1331667116':
impacted package 'org.apache.commons:commons-text' was not found or could not be fixed in all descriptor files
Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
I've been looking everywhere for a solution but there is nothing intuitive that I can find. Can someone tell me what is wrong here please?
EDIT
So it seems I need to outline my project dependencies in the yml file. It does seem, however, that my dependencies need to be in an Artifactory repo. Is this correct? Does anyone have information?
EDIT I now have virtual repositories working through Artifactory for my dependencies; I, however, still have the same issue.
Upvotes: 0
Views: 53
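As an added example that is not part of the question or of JFrog's tooling: the error text says the impacted package was "not found or could not be fixed in all descriptor files", i.e. Frogbot's fix step looked for a declaration of org.apache.commons:commons-text that it could rewrite in each Gradle build file Xray listed. The script below reproduces that lookup locally, reporting per descriptor whether the coordinate is declared directly, in which notation (string, Groovy map, or unversioned/BOM-managed), and on which line, and then lists the descriptors with no direct declaration at all. The sample descriptors embedded here are constructed for the example; point load_descriptors at a real checkout to run it against your own project. Dependencies pulled in only transitively or referenced through a version catalog accessor (libs.something) will, by design, not match any of these notations.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample descriptors, not taken from the original post.
SAMPLE_DESCRIPTORS: Dict[str, str] = {
    "app/build.gradle.kts": '''
plugins { id("java") }
dependencies {
    implementation("org.apache.commons:commons-text:1.10.0")
    implementation(libs.okhttp)
}
''',
    "cropper/build.gradle": '''
dependencies {
    implementation group: 'org.apache.commons', name: 'commons-text', version: '1.9'
    implementation 'com.squareup.okhttp3:okhttp:4.12.0'
}
''',
    "buildSrc/build.gradle.kts": '''
dependencies {
    implementation(gradleApi())
}
''',
}


def _patterns(group: str, artifact: str) -> Dict[str, "re.Pattern[str]"]:
    """Regexes for the notations in which a Gradle build file can pin a coordinate."""
    g, a = re.escape(group), re.escape(artifact)
    return {
        # "group:artifact:version" string notation (Groovy or Kotlin DSL)
        "string": re.compile(rf"""["']{g}:{a}:(?P<version>[^"':\s]+)["']"""),
        # Groovy map notation: group: 'g', name: 'a', version: 'v'
        "map": re.compile(
            rf"""group:\s*["']{g}["']\s*,\s*name:\s*["']{a}["']\s*,\s*version:\s*["'](?P<version>[^"']+)["']"""
        ),
        # coordinate without a version, i.e. the version comes from a BOM/platform
        "unversioned": re.compile(rf"""["']{g}:{a}["']"""),
    }


def find_declarations(descriptors: Dict[str, str], group: str, artifact: str) -> Dict[str, List[dict]]:
    """For each descriptor, list every direct declaration of group:artifact with notation, version and line."""
    pats = _patterns(group, artifact)
    hits: Dict[str, List[dict]] = {}
    for path, text in descriptors.items():
        found: List[dict] = []
        for notation, pat in pats.items():
            for m in pat.finditer(text):
                version: Optional[str] = m.groupdict().get("version")
                line_no = text.count("\n", 0, m.start()) + 1
                found.append({"notation": notation, "version": version, "line": line_no})
        hits[path] = found
    return hits


def undeclared_descriptors(hits: Dict[str, List[dict]]) -> List[str]:
    """Descriptors in which the coordinate is never declared directly; these are what a fixer cannot rewrite."""
    return [path for path, found in hits.items() if not found]


def load_descriptors(root: Path) -> Dict[str, str]:
    """Read every build.gradle / build.gradle.kts below root, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): p.read_text(encoding="utf-8")
        for p in sorted(root.rglob("build.gradle*"))
        if p.name in ("build.gradle", "build.gradle.kts")
    }


if __name__ == "__main__":
    # Usage: python check_descriptors.py [project-root]; without an argument the constructed samples are used.
    descriptors = load_descriptors(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DESCRIPTORS
    result = find_declarations(descriptors, "org.apache.commons", "commons-text")
    for path, found in result.items():
        print(path)
        for hit in found:
            print(f"  line {hit['line']}: {hit['notation']} notation, version {hit['version']}")
    missing = undeclared_descriptors(result)
    if missing:
        print("no direct declaration in:", ", ".join(missing))
```

Descriptors that appear in the "no direct declaration" list are the ones in which a coordinate-rewriting fix has nothing to edit; if the package still shows up in Xray's results for such a module, it arrived transitively or via a catalog, which is worth knowing before deciding where a version bump actually belongs.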