Merge branch 'dev' into github-integration

docs/install-azure-pipelines.md

@@ -94,7 +94,11 @@ jobs:
              #       Uncheck the 'Store Artifacts Locally' option
              # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
              # JF_RELEASES_REPO: ""
-
+
+             # [Optional]
+             # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+             # JF_AVOID_EXTRA_MESSAGES: "TRUE"
+
              ###########################################################################
              ##   If your project uses a 'frogbot-config.yml' file, you should define ##
              ##   the following variables inside the file, instead of here.           ##
@@ -267,6 +271,10 @@ jobs:
             # [Mandatory if JF_SMTP_SERVER is set]
             # The password associated with the username required for authentication with the SMTP server.
             # JF_SMTP_PASSWORD: ""
+
+            # [Optional]
+            # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+            # JF_AVOID_EXTRA_MESSAGES: "TRUE"
 
             ###########################################################################
             ##   If your project uses a 'frogbot-config.yml' file, you should define ##

docs/install-gitlab.md

@@ -82,6 +82,10 @@ frogbot-scan:
     # The password associated with the username required for authentication with the SMTP server.
     # JF_SMTP_PASSWORD: ""
 
+    # [Optional]
+    # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+    # JF_AVOID_EXTRA_MESSAGES: "TRUE"
+
     ###########################################################################
     ##   If your project uses a 'frogbot-config.yml' file, you should define ##
     ##   the following variables inside the file, instead of here.           ##

docs/templates/github-actions/frogbot-scan-pull-request.yml

@@ -134,3 +134,7 @@ jobs:
           # The full list of licenses can be found in:
           # https://github.com/jfrog/frogbot/blob/master/docs/licenses.md
           # JF_ALLOWED_LICENSES: "MIT, Apache-2.0"
+
+          # [Optional]
+          # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+          # JF_AVOID_EXTRA_MESSAGES: "TRUE"

docs/templates/github-actions/frogbot-scan-repository.yml

@@ -122,3 +122,7 @@ jobs:
           # [Optional, Default: [email protected]]
           # Set the email of the commit author
           # JF_GIT_EMAIL_AUTHOR: ""
+
+          # [Optional]
+          # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+          # JF_AVOID_EXTRA_MESSAGES: "TRUE"

docs/templates/jenkins/scan-pull-request.jenkinsfile

@@ -79,6 +79,10 @@ pipeline {
         // The password associated with the username required for authentication with the SMTP server.
         // JF_SMTP_PASSWORD= ""
 
+        // [Optional]
+        // Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+        // JF_AVOID_EXTRA_MESSAGES= "TRUE"
+
         ///////////////////////////////////////////////////////////////////////////
         //   If your project uses a 'frogbot-config.yml' file, you should define //
         //   the following variables inside the file, instead of here.           //

docs/templates/jenkins/scan-repository.jenkinsfile

@@ -50,6 +50,10 @@ pipeline {
         // The 'frogbot' executable and other tools it needs will be downloaded through this repository.
         // JF_RELEASES_REPO= ""
 
+        // [Optional]
+        // Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+        // JF_AVOID_EXTRA_MESSAGES= "TRUE"
+
         ///////////////////////////////////////////////////////////////////////////
         //   If your project uses a 'frogbot-config.yml' file, you should define //
         //   the following variables inside the file, instead of here.           //

docs/templates/jfrog-pipelines/pipelines-dotnet.yml

@@ -90,6 +90,10 @@ pipelines:
             # The password associated with the username required for authentication with the SMTP server.
             # JF_SMTP_PASSWORD: ""
 
+            # [Optional]
+            # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+            # JF_AVOID_EXTRA_MESSAGES: "TRUE"
+
             ###########################################################################
             ##   If your project uses a 'frogbot-config.yml' file, you should define ##
             ##   the following variables inside the file, instead of here.           ##

docs/templates/jfrog-pipelines/pipelines-go.yml

@@ -90,6 +90,10 @@ pipelines:
             # The password associated with the username required for authentication with the SMTP server.
             # JF_SMTP_PASSWORD: ""
 
+            # [Optional]
+            # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+            # JF_AVOID_EXTRA_MESSAGES: "TRUE"
+
             ###########################################################################
             ##   If your project uses a 'frogbot-config.yml' file, you should define ##
             ##   the following variables inside the file, instead of here.           ##

docs/templates/jfrog-pipelines/pipelines-gradle.yml

@@ -90,6 +90,10 @@ pipelines:
             # The password associated with the username required for authentication with the SMTP server.
             # JF_SMTP_PASSWORD: ""
 
+            # [Optional]
+            # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+            # JF_AVOID_EXTRA_MESSAGES: "TRUE"
+
             ###########################################################################
             ##   If your project uses a 'frogbot-config.yml' file, you should define ##
             ##   the following variables inside the file, instead of here.           ##

docs/templates/jfrog-pipelines/pipelines-maven.yml

@@ -90,6 +90,10 @@ pipelines:
             # The password associated with the username required for authentication with the SMTP server.
             # JF_SMTP_PASSWORD: ""
 
+            # [Optional]
+            # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+            # JF_AVOID_EXTRA_MESSAGES: "TRUE"
+
             ###########################################################################
             ##   If your project uses a 'frogbot-config.yml' file, you should define ##
             ##   the following variables inside the file, instead of here.           ##

docs/templates/jfrog-pipelines/pipelines-npm.yml

@@ -90,6 +90,10 @@ pipelines:
             # The password associated with the username required for authentication with the SMTP server.
             # JF_SMTP_PASSWORD: ""
 
+            # [Optional]
+            # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+            # JF_AVOID_EXTRA_MESSAGES: "TRUE"
+
             ###########################################################################
             ##   If your project uses a 'frogbot-config.yml' file, you should define ##
             ##   the following variables inside the file, instead of here.           ##

docs/templates/jfrog-pipelines/pipelines-pip.yml

@@ -97,6 +97,10 @@ pipelines:
             # The password associated with the username required for authentication with the SMTP server.
             # JF_SMTP_PASSWORD: ""
 
+            # [Optional]
+            # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+            # JF_AVOID_EXTRA_MESSAGES: "TRUE"
+
             ###########################################################################
             ##   If your project uses a 'frogbot-config.yml' file, you should define ##
             ##   the following variables inside the file, instead of here.           ##

docs/templates/jfrog-pipelines/pipelines-pipenv.yml

@@ -90,6 +90,10 @@ pipelines:
             # The password associated with the username required for authentication with the SMTP server.
             # JF_SMTP_PASSWORD: ""
 
+            # [Optional]
+            # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+            # JF_AVOID_EXTRA_MESSAGES: "TRUE"
+
             ###########################################################################
             ##   If your project uses a 'frogbot-config.yml' file, you should define ##
             ##   the following variables inside the file, instead of here.           ##

docs/templates/jfrog-pipelines/pipelines-poetry.yml

@@ -90,6 +90,10 @@ pipelines:
             # The password associated with the username required for authentication with the SMTP server.
             # JF_SMTP_PASSWORD: ""
 
+            # [Optional]
+            # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+            # JF_AVOID_EXTRA_MESSAGES: "TRUE"
+
             ###########################################################################
             ##   If your project uses a 'frogbot-config.yml' file, you should define ##
             ##   the following variables inside the file, instead of here.           ##

docs/templates/jfrog-pipelines/pipelines-yarn2.yml

@@ -97,6 +97,10 @@ pipelines:
             # The password associated with the username required for authentication with the SMTP server.
             # JF_SMTP_PASSWORD: ""
 
+            # [Optional]
+            # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+            # JF_AVOID_EXTRA_MESSAGES: "TRUE"
+
             ###########################################################################
             ##   If your project uses a 'frogbot-config.yml' file, you should define ##
             ##   the following variables inside the file, instead of here.           ##

scanpullrequest/scanpullrequest.go

@@ -157,6 +157,7 @@ func auditPullRequestInProject(repoConfig *utils.Repository, scanDetails *utils.
 	// Audit source branch
 	var sourceResults *audit.Results
 	workingDirs := utils.GetFullPathWorkingDirs(scanDetails.Project.WorkingDirs, sourceBranchWd)
+	log.Info("Scanning source branch...")
 	sourceResults, err = scanDetails.RunInstallAndAudit(workingDirs...)
 	if err != nil {
 		return
@@ -199,6 +200,7 @@ func auditTargetBranch(repoConfig *utils.Repository, scanDetails *utils.ScanDeta
 	// Set target branch scan details
 	var targetResults *audit.Results
 	workingDirs := utils.GetFullPathWorkingDirs(scanDetails.Project.WorkingDirs, targetBranchWd)
+	log.Info("Scanning target branch...")
 	targetResults, err = scanDetails.RunInstallAndAudit(workingDirs...)
 	if err != nil {
 		return

testdata/messages/summarycomment/structure/fix_mr_not_entitled.md

@@ -8,6 +8,8 @@
 ```
 some content
 ```
+<details>
+<summary>Note</summary>
 
 ---
 <div align='center'>
@@ -16,6 +18,7 @@ some content
 
 </div>
 
+</details>
 
 ---
 <div align='center'>

testdata/messages/summarycomment/structure/fix_pr_not_entitled.md

@@ -8,6 +8,8 @@
 ```
 some content
 ```
+<details>
+<summary>Note</summary>
 
 ---
 <div align='center'>
@@ -16,6 +18,7 @@ some content
 
 </div>
 
+</details>
 
 ---
 <div align='center'>

testdata/messages/summarycomment/structure/fix_simplified_not_entitled.md

@@ -4,6 +4,8 @@
 some content
 ```
 
+Note:
+
 ---
 **Frogbot** also supports **Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning**. This features are included as part of the [JFrog Advanced Security](https://jfrog.com/advanced-security) package, which isn't enabled on your system.
 

testdata/messages/summarycomment/structure/summary_comment_mr_issues_not_entitled.md

@@ -8,6 +8,8 @@
 ```
 some content
 ```
+<details>
+<summary>Note</summary>
 
 ---
 <div align='center'>
@@ -16,6 +18,7 @@ some content
 
 </div>
 
+</details>
 
 ---
 <div align='center'>

testdata/messages/summarycomment/structure/summary_comment_mr_no_issues_not_entitled.md

@@ -4,6 +4,8 @@
 
 </div>
 
+<details>
+<summary>Note</summary>
 
 ---
 <div align='center'>
@@ -12,6 +14,7 @@
 
 </div>
 
+</details>
 
 ---
 <div align='center'>

testdata/messages/summarycomment/structure/summary_comment_pr_issues_not_entitled.md

@@ -8,6 +8,8 @@
 ```
 some content
 ```
+<details>
+<summary>Note</summary>
 
 ---
 <div align='center'>
@@ -16,6 +18,7 @@ some content
 
 </div>
 
+</details>
 
 ---
 <div align='center'>

testdata/messages/summarycomment/structure/summary_comment_pr_no_issues_not_entitled.md

@@ -4,6 +4,8 @@
 
 </div>
 
+<details>
+<summary>Note</summary>
 
 ---
 <div align='center'>
@@ -12,6 +14,7 @@
 
 </div>
 
+</details>
 
 ---
 <div align='center'>

testdata/messages/summarycomment/structure/summary_comment_simplified_issues_not_entitled.md

@@ -4,6 +4,8 @@
 some content
 ```
 
+Note:
+
 ---
 **Frogbot** also supports **Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning**. This features are included as part of the [JFrog Advanced Security](https://jfrog.com/advanced-security) package, which isn't enabled on your system.
 

testdata/messages/summarycomment/structure/summary_comment_simplified_no_issues_not_entitled.md

@@ -1,5 +1,7 @@
 **👍 Frogbot scanned this pull request and found that it did not add vulnerable dependencies.**
 
+Note:
+
 ---
 **Frogbot** also supports **Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning**. This features are included as part of the [JFrog Advanced Security](https://jfrog.com/advanced-security) package, which isn't enabled on your system.
 

utils/comment.go

@@ -26,20 +26,26 @@ const (
 	IacComment        ReviewCommentType = "Iac"
 	SastComment       ReviewCommentType = "Sast"
 
-	RescanRequestComment = "rescan"
+	RescanRequestComment   = "rescan"
+	commentRemovalErrorMsg = "An error occurred while attempting to remove older Frogbot pull request comments:"
 )
 
 func HandlePullRequestCommentsAfterScan(issues *IssuesCollection, repo *Repository, client vcsclient.VcsClient, pullRequestID int) (err error) {
 	if !repo.Params.AvoidPreviousPrCommentsDeletion {
+		// The removal of comments may fail for various reasons,
+		// such as concurrent scanning of pull requests and attempts
+		// to delete comments that have already been removed in a different process.
+		// Since this task is not mandatory for a Frogbot run,
+		// we will not cause a Frogbot run to fail but will instead log the error.
 		log.Debug("Looking for an existing Frogbot pull request comment. Deleting it if it exists...")
 		// Delete previous PR regular comments, if exists (not related to location of a change)
 		if err = DeleteExistingPullRequestComments(repo, client); err != nil {
-			err = errors.New("couldn't delete pull request comment: " + err.Error())
+			log.Error(fmt.Sprintf("%s:\n%v", commentRemovalErrorMsg, err))
 			return
 		}
 		// Delete previous PR review comments, if exists (related to location of a change)
 		if err = DeleteExistingPullRequestReviewComments(repo, pullRequestID, client); err != nil {
-			err = errors.New("couldn't delete pull request review comment: " + err.Error())
+			log.Error(fmt.Sprintf("%s:\n%v", commentRemovalErrorMsg, err))
 			return
 		}
 	}
@@ -49,9 +55,10 @@ func HandlePullRequestCommentsAfterScan(issues *IssuesCollection, repo *Reposito
 		err = errors.New("couldn't add pull request comment: " + err.Error())
 		return
 	}
+
 	// Handle review comments at the pull request
 	if err = addReviewComments(repo, pullRequestID, client, issues); err != nil {
-		err = errors.New("couldn't add review comments: " + err.Error())
+		err = errors.New("couldn't add pull request review comments: " + err.Error())
 		return
 	}
 	return

utils/consts.go

@@ -79,6 +79,9 @@ const (
 	FixVersionPlaceHolder = "{FIX_VERSION}"
 	BranchHashPlaceHolder = "{BRANCH_NAME_HASH}"
 
+	// General flags
+	AvoidExtraMessages = "JF_AVOID_EXTRA_MESSAGES"
+
 	// Default naming templates
 	BranchNameTemplate                       = "frogbot-" + PackagePlaceHolder + "-" + BranchHashPlaceHolder
 	AggregatedBranchNameTemplate             = "frogbot-update-" + BranchHashPlaceHolder + "-dependencies"

utils/outputwriter/outputcontent.go

@@ -77,10 +77,10 @@ func fixCVETitleSrc(vcsProvider vcsutils.VcsProvider) ImageSource {
 }
 
 func untitledForJasMsg(writer OutputWriter) string {
-	if writer.IsEntitledForJas() {
+	if writer.AvoidExtraMessages() || writer.IsEntitledForJas() {
 		return ""
 	}
-	return fmt.Sprintf("%s\n%s", SectionDivider(), writer.MarkInCenter(jasFeaturesMsgWhenNotEnabled))
+	return writer.MarkAsCollapsible("Note", fmt.Sprintf("%s\n%s", SectionDivider(), writer.MarkInCenter(jasFeaturesMsgWhenNotEnabled)))
 }
 
 func footer(writer OutputWriter) string {

utils/outputwriter/outputcontent_test.go

@@ -853,3 +853,10 @@ func TestSastReviewContent(t *testing.T) {
 		}
 	}
 }
+
+func TestMarkAsCollapsible(t *testing.T) {
+	so := &StandardOutput{}
+	assert.Equal(t, "<details>\n<summary>title</summary>\ndescription\n</details>", so.MarkAsCollapsible("title", "description"))
+	smo := &SimplifiedOutput{}
+	assert.Equal(t, "\ntitle:\ndescription", smo.MarkAsCollapsible("title", "description"))
+}