Merge branch 'dev' into nuget-dependency-fix-push-build-files-fix

.github/workflows/frogbot-scan-pull-request.yml

@@ -94,6 +94,10 @@ jobs:
           # Displays all existing vulnerabilities, including the ones that were added by the pull request.
           # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
 
+          # [Optional, default: "FALSE"]
+          # When adding new comments on pull requests, keep old comments that were added by previous scans.
+          # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
           # [Optional, default: "TRUE"]
           # Fails the Frogbot task if any security issue is found.
           # JF_FAIL: "FALSE"

README.md

@@ -25,15 +25,15 @@ JFrog Frogbot is a Git bot that scans your Git repositories for security vulnera
 
 #### It supports the following Git providers:
 
-| <img height="20" width="20"  src="https://cdn.simpleicons.org/GitHub" alt="GitHub" /> GitHub | <img height="20" width="20"  src="https://cdn.simpleicons.org/GitLab" alt="GitLab" />  GitLab | <img height="20" width="20"  src="https://cdn.simpleicons.org/AzureDevops" alt="Azure" />  Azure Repos | <img height="20" width="20"  src="https://cdn.simpleicons.org/Bitbucket" alt="Bitbucket" />  Bitbucket Server |
+| <img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/github-icon.png" alt="GitHub" /> GitHub | <img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/gitlab-icon.png" alt="GitLab" />  GitLab | <img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/azure-devops-icon.png" alt="Azure" />  Azure Repos | <img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/bitbucket-icon.png" alt="Bitbucket" />  Bitbucket Server |
 |----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|
 
 
 #### It supports the following package managers are:
 
-|<img height="20" width="20"  src="https://cdn.simpleicons.org/Go" alt="Go" /> Go|<img height="20" width="20"  src="https://cdn.simpleicons.org/Gradle" alt="Gradle" /> Gradle|<img height="20" width="20"  src="https://cdn.simpleicons.org/ApacheMaven" alt="Maven" /> Maven|<img height="20" width="20"  src="https://cdn.simpleicons.org/npm" alt="npm" /> npm|<img height="20" width="20"  src="https://cdn.simpleicons.org/Yarn" alt="Yarn" /> Yarn|
+|<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/go-icon.png" alt="Go" /> Go|<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/gradle-icon.png" alt="Gradle" /> Gradle|<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/maven-icon.png" alt="Maven" /> Maven|<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/npm-icon.png" alt="npm" /> npm|<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/yarn-icon.png" alt="Yarn" /> Yarn|
 |:----|:----|:----|:----|:----|
-|<img height="20" width="20"  src="https://cdn.simpleicons.org/.NET" alt=".NET" /> .NET|<img height="20" width="20"  src="https://cdn.simpleicons.org/NuGet" alt="NuGet" /> NuGet|<img height="20" width="20"  src="https://cdn.simpleicons.org/Python" alt="Pip" /> Pip|<img height="20" width="20"  src="https://cdn.simpleicons.org/Python" alt="Pipenv" /> Pipenv|<img height="20" width="20"  src="https://cdn.simpleicons.org/Poetry" alt="Poetry" /> Poetry|
+|<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/dotnet-icon.png" alt=".NET" /> .NET|<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/nuget-icon.png" alt="NuGet" /> NuGet|<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/pip-icon.png" alt="Pip" /> Pip|<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/pip-icon.png" alt="Pipenv" /> Pipenv|<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/poetry-icon.png" alt="Poetry" /> Poetry|
 
 
 ### Why use JFrog Frogbot?
@@ -51,15 +51,15 @@ JFrog Frogbot is a Git bot that scans your Git repositories for security vulnera
 
 Set up Frogbot on your preferred CI server:
 
-<img height="20" width="20"  src="https://cdn.simpleicons.org/GitHubActions" alt="GitHubActions" /> [GitHub Actions](docs/install-github.md)
+<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/github-actions-icon.png" alt="GitHubActions" /> [GitHub Actions](docs/install-github.md)
 
-<img height="20" width="20"  src="https://cdn.simpleicons.org/Jenkins" alt="Jenkins" /> [Jenkins](docs/templates/jenkins/README.md)
+<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/jenkins-icon.png" alt="Jenkins" /> [Jenkins](docs/templates/jenkins/README.md)
 
-<img height="20" width="20"  src="https://cdn.simpleicons.org/JfrogPipelines" alt="jfrogpipelines" /> [JFrog Pipelines](docs/templates/jfrog-pipelines/README.md)
+<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/jfrog-pipelines-icon.png" alt="jfrogpipelines" /> [JFrog Pipelines](docs/templates/jfrog-pipelines/README.md)
 
-<img height="20" width="20"  src="https://cdn.simpleicons.org/Gitlab" alt="Gitlab" /> [GitLab CI](docs/install-gitlab.md)
+<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/gitlab-icon.png" alt="Gitlab" /> [GitLab CI](docs/install-gitlab.md)
 
-<img height="20" width="20"  src="https://cdn.simpleicons.org/AzurePipelines" alt="AzurePipelines" /> [Azure Pipelines](docs/install-azure-pipelines.md)
+<img src="https://raw.githubusercontent.com/jfrog/frogbot/master/images/azure-pipelines-icon.png" alt="AzurePipelines" /> [Azure Pipelines](docs/install-azure-pipelines.md)
 
 <details>
   <summary> Optional - set up a FREE JFrog Environment in the Cloud</summary>
@@ -198,18 +198,17 @@ When installing Frogbot using JFrog Pipelines, Jenkins, and Azure DevOps, Frogbo
 When installing Frogbot using GitHub Actions and GitLab however, Frogbot will initiate the scan only after it is approved by a maintainer of the project. The goal of this review is to ensure that external code contributors don't introduce malicious code as part of the pull request. Since this review step is enforced by Frogbot when used with GitHub Actions and GitLab, it is safe to be used for open-source projects.
 
 ### Scan results
-#### Software Composition Analysis (SCA), Vulnerability Contextual Analysis and Infrastructure as Code scans (IaC)
 
 Frogbot adds the scan results to the pull request in the following format:
 
-##### 👍 No issues
+#### 👍 No issues
 
 If no new vulnerabilities are found, Frogbot automatically adds the following comment to the pull request:
 
 [![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/noVulnerabilityBannerPR.png)](#-no-issues)
 
-##### 👎 Issues were found
-
+#### 👎 Issues were found
+##### Software Composition Analysis (SCA)
 If new vulnerabilities are found, Frogbot adds them as a comment on the pull request. For example:
 
 [![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerPR.png)](#-issues)
@@ -225,22 +224,25 @@ If new vulnerabilities are found, Frogbot adds them as a comment on the pull req
 
 <br>
 
-**INFRASTRUCTURE AS CODE**
-|                                                      SEVERITY                                                       | FILE           | LINE:COLUMN   | FINDING                   
-|:-------------------------------------------------------------------------------------------------------------------:| :------------: | :-----------: | :-----------------------------------: 
-|   ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableCritical.png)<br>Critical    | test.js        | 1:20          | kms_key_id='' was detected
-|   ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)<br>    High   | mock.js        | 4:30          | Deprecated TLS version was detected
+##### Vulnerability Contextual Analysis
+![](https://raw.githubusercontent.com/jfrog/frogbot/master/images/pr-vuln-contextual-analysis.png)
 
-##### Secrets Detection
-When Frogbot detects secrets that have been inadvertently exposed within the code of a pull request, it promptly triggers an email notification to the user who pushed the corresponding commit. The email address utilized for this notification is sourced from the committer's Git profile configuration. Moreover, Frogbot offers the flexibility to direct the email notification to an extra email address if desired. To activate email notifications, it is necessary to configure your SMTP server details as variables within your Frogbot workflows.
+##### Static Application Security Testing (SAST)
+![](https://raw.githubusercontent.com/jfrog/frogbot/master/images/pr-sast.png)
 
-![](https://raw.githubusercontent.com/jfrog/frogbot/master/images/secrets-email.png)
+##### Infrastructure as Code scans (IaC)
+![](https://raw.githubusercontent.com/jfrog/frogbot/master/images/pr-iac.png)
 
 ##### Validate Dependency Licenses
 When Frogbot scans newly opened pull requests, it checks the licenses of any new direct project dependencies introduced by the pull request. If Frogbot identifies licenses that are not listed in a predefined set of approved licenses, it appends a comment to the pull request providing this information.
 
 ![](https://raw.githubusercontent.com/jfrog/frogbot/master/images/violated-licenses.png)
 
+#### Secrets Detection
+When Frogbot detects secrets that have been inadvertently exposed within the code of a pull request, it promptly triggers an email notification to the user who pushed the corresponding commit. The email address utilized for this notification is sourced from the committer's Git profile configuration. Moreover, Frogbot offers the flexibility to direct the email notification to an extra email address if desired. To activate email notifications, it is necessary to configure your SMTP server details as variables within your Frogbot workflows.
+
+![](https://raw.githubusercontent.com/jfrog/frogbot/master/images/secrets-email.png)
+
 </details>
 
 <details>

docs/install-azure-pipelines.md

@@ -288,6 +288,10 @@ jobs:
             # [Optional, default: "FALSE"]
             # Displays all existing vulnerabilities, including the ones that were added by the pull request.
             # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
+
+            # [Optional, default: "FALSE"]
+            # When adding new comments on pull requests, keep old comments that were added by previous scans.
+            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
 
             # [Optional, default: "TRUE"]
             # Fails the Frogbot task if any security issue is found.

docs/install-gitlab.md

@@ -110,6 +110,10 @@ frogbot-scan:
     # Displays all existing vulnerabilities, including the ones that were added by the pull request.
     # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
 
+    # [Optional, default: "FALSE"]
+    # When adding new comments on pull requests, keep old comments that were added by previous scans.
+    # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
     # [Optional, default: "TRUE"]
     # Fails the Frogbot task if any security issue is found.
     # JF_FAIL: "FALSE"

docs/templates/github-actions/frogbot-scan-pull-request.yml

@@ -95,6 +95,10 @@ jobs:
           # Displays all existing vulnerabilities, including the ones that were added by the pull request.
           # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
 
+          # [Optional, default: "FALSE"]
+          # When adding new comments on pull requests, keep old comments that were added by previous scans.
+          # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
           # [Optional, default: "TRUE"]
           # Fails the Frogbot task if any security issue is found.
           # JF_FAIL: "FALSE"

docs/templates/jenkins/scan-pull-request.jenkinsfile

@@ -107,6 +107,10 @@ pipeline {
         // Displays all existing vulnerabilities, including the ones that were added by the pull request.
         // JF_INCLUDE_ALL_VULNERABILITIES= "TRUE"
 
+        // [Optional, default: "FALSE"]
+        // When adding new comments on pull requests, keep old comments that were added by previous scans.
+        // JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION= "TRUE"
+
         // [Optional, default: "TRUE"]
         // Fails the Frogbot task if any security issue is found.
         // JF_FAIL= "FALSE"

docs/templates/jfrog-pipelines/pipelines-dotnet.yml

@@ -126,6 +126,10 @@ pipelines:
             # Displays all existing vulnerabilities, including the ones that were added by the pull request.
             # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
 
+            # [Optional, default: "FALSE"]
+            # When adding new comments on pull requests, keep old comments that were added by previous scans.
+            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
             # [Optional, default: "TRUE"]
             # Fails the Frogbot task if any security issue is found.
             # JF_FAIL: "FALSE"

docs/templates/jfrog-pipelines/pipelines-go.yml

@@ -119,6 +119,10 @@ pipelines:
             # Displays all existing vulnerabilities, including the ones that were added by the pull request.
             # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
 
+            # [Optional, default: "FALSE"]
+            # When adding new comments on pull requests, keep old comments that were added by previous scans.
+            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
             # [Optional, default: "TRUE"]
             # Fails the Frogbot task if any security issue is found.
             # JF_FAIL: "FALSE"

docs/templates/jfrog-pipelines/pipelines-gradle.yml

@@ -119,6 +119,10 @@ pipelines:
             # Displays all existing vulnerabilities, including the ones that were added by the pull request.
             # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
 
+            # [Optional, default: "FALSE"]
+            # When adding new comments on pull requests, keep old comments that were added by previous scans.
+            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
             # [Optional]
             # Frogbot will download the project dependencies if they're not cached locally. To download the
             # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no

docs/templates/jfrog-pipelines/pipelines-maven.yml

@@ -129,6 +129,10 @@ pipelines:
             # Displays all existing vulnerabilities, including the ones that were added by the pull request.
             # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
 
+            # [Optional, default: "FALSE"]
+            # When adding new comments on pull requests, keep old comments that were added by previous scans.
+            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
             # [Optional]
             # Template for the branch name generated by Frogbot when creating pull requests with fixes.
             # The template must include {BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.

docs/templates/jfrog-pipelines/pipelines-npm.yml

@@ -126,6 +126,10 @@ pipelines:
             # Displays all existing vulnerabilities, including the ones that were added by the pull request.
             # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
 
+            # [Optional, default: "FALSE"]
+            # When adding new comments on pull requests, keep old comments that were added by previous scans.
+            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
             # [Optional, default: "TRUE"]
             # Fails the Frogbot task if any security issue is found.
             # JF_FAIL: "FALSE"
@@ -140,18 +144,6 @@ pipelines:
             # Relative path to the project in the git repository
             # JF_WORKING_DIR: path/to/project/dir
 
-            # [Optional]
-            # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
-            # JF_WATCHES: <watch-1>,<watch-2>...<watch-n>
-
-            # [Optional, default: "FALSE"]
-            # Displays all existing vulnerabilities, including the ones that were added by the pull request.
-            # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
-
-            # [Optional, default: "TRUE"]
-            # Fails the Frogbot task if any security issue is found.
-            # JF_FAIL: "FALSE"
-
             # [Optional]
             # Template for the branch name generated by Frogbot when creating pull requests with fixes.
             # The template must include {BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.

docs/templates/jfrog-pipelines/pipelines-pip.yml

@@ -132,6 +132,10 @@ pipelines:
             # Displays all existing vulnerabilities, including the ones that were added by the pull request.
             # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
 
+            # [Optional, default: "FALSE"]
+            # When adding new comments on pull requests, keep old comments that were added by previous scans.
+            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
             # [Optional, default: "TRUE"]
             # Fails the Frogbot task if any security issue is found.
             # JF_FAIL: "FALSE"

docs/templates/jfrog-pipelines/pipelines-pipenv.yml

@@ -125,6 +125,10 @@ pipelines:
             # Displays all existing vulnerabilities, including the ones that were added by the pull request.
             # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
 
+            # [Optional, default: "FALSE"]
+            # When adding new comments on pull requests, keep old comments that were added by previous scans.
+            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
             # [Optional, default: "TRUE"]
             # Fails the Frogbot task if any security issue is found.
             # JF_FAIL: "FALSE"

docs/templates/jfrog-pipelines/pipelines-poetry.yml

@@ -125,6 +125,10 @@ pipelines:
             # Displays all existing vulnerabilities, including the ones that were added by the pull request.
             # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
 
+            # [Optional, default: "FALSE"]
+            # When adding new comments on pull requests, keep old comments that were added by previous scans.
+            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
             # [Optional, default: "TRUE"]
             # Fails the Frogbot task if any security issue is found.
             # JF_FAIL: "FALSE"

docs/templates/jfrog-pipelines/pipelines-yarn2.yml

@@ -132,6 +132,10 @@ pipelines:
             # Displays all existing vulnerabilities, including the ones that were added by the pull request.
             # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
 
+            # [Optional, default: "FALSE"]
+            # When adding new comments on pull requests, keep old comments that were added by previous scans.
+            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
             # [Optional, default: "TRUE"]
             # Fails the Frogbot task if any security issue is found.
             # JF_FAIL: "FALSE"