Is there a ENV variable to delete the previous comments in Frogbot and have only the current comment ? #646

Open
vinodhini-devops opened this issue Feb 22, 2024 · 10 comments
Labels
bug Something isn't working

Comments

@vinodhini-devops

Describe the bug

I'm using Frogbot for scanning the pull request.
I have multiple builds running on my PR.
Currently, my PR is full of Frogbot comments. Is there a way to delete the existing comments and have only the recent comment for the builds from Frogbot?
I tried using JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION, but it's clearing all the recent comments and giving only one common comment.

And if there are no issues found, can we make Frogbot not comment anything, not even saying no vulnerabilities were found?

Current behavior


Reproduction steps

No response

Expected behavior

No response

JFrog Frogbot version

Frogbot version: 2.19.10

Package manager info

No package manager

Git provider

GitHub

JFrog Frogbot configuration yaml file

```yaml
steps:
  # included comment
  - task: CmdLine@2
    condition: eq(variables['Build.Reason'], 'PullRequest')
    displayName: 'Download and Run Frogbot Scan'
    env:
      JF_WATCHES: $(xray_watch_policyname)
      JF_GIT_PULL_REQUEST_ID: $(System.PullRequest.PullRequestId)
      JF_GIT_BASE_BRANCH: $(System.PullRequest.TargetBranch)
      JF_GIT_PROJECT: $(System.TeamProject)
      JF_GIT_API_ENDPOINT: $(System.CollectionUri)
      JF_GIT_TOKEN: $(access-token-pat)
      JF_VULN_CONTEXTUAL_ANALYSIS: TRUE
      JF_URL: $(artifactoryurl)
      JF_ACCESS_TOKEN: $(jfrog-identity-token)
      JFROG_CLI_LOG_LEVEL: "DEBUG"
      JF_GIT_OWNER: "KLA-GPG"
      JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: FALSE
      JF_GIT_REPO: "virgo"
      JF_RELEASES_REPO: ""
      JF_GIT_PROVIDER: "azureRepos"
      JF_FAIL: FALSE
      JF_INCLUDE_ALL_VULNERABILITIES: FALSE
      JF_WORKING_DIR: ${{ parameters.componentName }}/${{ parameters.subcomponentname }}
      JF_AVOID_EXTRA_MESSAGES: true # to avoid extra messages in the comment from JFROG
      JF_PR_COMMENT_TITLE: ${{ parameters.componentName }}/${{ parameters.subcomponentname }}Report
      JF_PATH_EXCLUSIONS: ""
    inputs:
      script: |
        export HOME="/usr/share/maven"
        export M2="$HOME/bin"
        export MAVEN_OPTS="-Xms256m -Xmx512m"
        export PATH="$M2:$PATH"
        mvn --version
        getFrogbotScriptPath=$(if [ -z "$JF_RELEASES_REPO" ]; then echo "https://releases.jfrog.io"; else echo "${JF_URL}/artifactory/${JF_RELEASES_REPO}"; fi)
        curl -fLg "$getFrogbotScriptPath/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh
        ./frogbot spr
        #./frogbot scan-and-fix-repos $(Build.SourceBranch)
    continueOnError: true
```

Operating system type and version

ubuntu 18.04

JFrog Xray version

No response

@vinodhini-devops vinodhini-devops added the bug Something isn't working label Feb 22, 2024
@attiasas
Contributor

Hi @vinodhini-devops, thank you for bringing up this issue

By default, Frogbot is expected to remove all of its previous comments during a rerun and add only the current one. Did you observe duplicate comments when running Frogbot multiple times on the same PR? Could you provide a log (with DEBUG level) of the second run? This will assist me in investigating the issue, as it should have deleted the old comments.

Have you attempted to exclude the JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION altogether, even if it is set to false?

Concerning the suggestion of not commenting at all when no issues are found, could you please elaborate on why you'd like this feature added? What is the rationale behind not wanting to see a single comment in such cases?

Thank you once again.

@vinodhini-devops
Author

vinodhini-devops commented Feb 22, 2024

Hi @attiasas,
Yes, on the second run, the existing comments are still there and new ones are added.
Logs:

```text
02:24:00 [Debug] JFrog Xray version is: 3.80.9
02:24:00 [Debug] Artifactory response: 200 OK
02:24:00 [Debug] JFrog Artifactory version is: 7.68.14
02:24:00 [Debug] Sending HTTP POST request to: https://artifactory.kla-tencor.com/artifactory/api/system/usage
02:24:01 [Debug] Fetching pull requests by id in virgo
02:24:01 [Info] Scanning Pull Request #8232 (from source branch: <KLA-GPG/virgo/users/viraghu/vino-xray-pr> to target branch: <KLA-GPG/virgo/3.X>)
02:24:01 [Info] -----------------------------------------------------------
02:24:01 [Debug] Downloading <KLA-GPG/virgo/users/viraghu/vino-xray-pr> to: '/tmp/jfrog.cli.temp.-1708597441-150988911'
02:24:01 [Debug] Download url: https://dev.azure.com/kla-gpg/Virgo/_apis/git/repositories/virgo/items/items?path=/&versionDescriptor[version]=users/viraghu/vino-xray-pr&$format=zip
02:24:02 [Info] virgo repository downloaded successfully. Starting with repository extraction...
02:24:04 [Info] Extracted repository successfully
02:24:04 [Debug] Repository download completed
02:24:04 [Info] Scanning source branch...
02:24:04 [Debug] Sending HTTP GET request to: https://artifactory.kla-tencor.com/xray/api/v1/system/version
02:24:04 [Debug] Sending HTTP GET request to: https://artifactory.kla-tencor.com/xray/api/v1/entitlements/feature/contextual_analysis
02:24:04 [Debug] The path '/tmp/jfrog.cli.temp.-1708597441-150988911/metajob/client/.gitignore' is excluded
02:24:04 [Info] Couldn't determine a package manager or build tool used by this project. Skipping the SCA scan...
02:24:04 [Debug] Downloading <KLA-GPG/virgo/3.X> to: '/tmp/jfrog.cli.temp.-1708597444-3671778060'
02:24:04 [Debug] Download url: https://dev.azure.com/kla-gpg/Virgo/_apis/git/repositories/virgo/items/items?path=/&versionDescriptor[version]=3.X&$format=zip
02:24:04 [Info] virgo repository downloaded successfully. Starting with repository extraction...
02:24:06 [Info] Extracted repository successfully
02:24:06 [Debug] Repository download completed
02:24:06 [Info] Scanning target branch...
02:24:06 [Debug] Sending HTTP GET request to: https://artifactory.kla-tencor.com/xray/api/v1/system/version
02:24:06 [Debug] Sending HTTP GET request to: https://artifactory.kla-tencor.com/xray/api/v1/entitlements/feature/contextual_analysis
02:24:06 [Debug] The path '/tmp/jfrog.cli.temp.-1708597444-3671778060/metajob/client/.gitignore' is excluded
02:24:06 [Info] Couldn't determine a package manager or build tool used by this project. Skipping the SCA scan...
02:24:06 [Info] Frogbot "scan-pull-request" command finished successfully
Finishing: Download and Run Frogbot Scan
```
My config:

```yaml
steps:
  - task: CmdLine@2
    condition: eq(variables['Build.Reason'], 'PullRequest')
    displayName: 'Download and Run Frogbot Scan'
    env:
      JF_WATCHES: $(xray_watch_policyname)
      JF_GIT_PULL_REQUEST_ID: $(System.PullRequest.PullRequestId)
      JF_GIT_BASE_BRANCH: $(System.PullRequest.TargetBranch)
      JF_GIT_PROJECT: $(System.TeamProject)
      JF_GIT_API_ENDPOINT: $(System.CollectionUri)
      JF_GIT_TOKEN: $(access-token-pat)
      JF_VULN_CONTEXTUAL_ANALYSIS: TRUE
      JF_URL: $(artifactoryurl)
      JF_ACCESS_TOKEN: $(jfrog-identity-token)
      JFROG_CLI_LOG_LEVEL: "DEBUG"
      JF_GIT_OWNER: "KLA-GPG"
      JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: TRUE
      JF_GIT_REPO: "virgo"
      JF_RELEASES_REPO: ""
      JF_GIT_PROVIDER: "azureRepos"
      JF_FAIL: FALSE
      JF_INCLUDE_ALL_VULNERABILITIES: FALSE
      JF_WORKING_DIR: ${{ parameters.componentName }}/${{ parameters.subcomponentname }}
      JF_AVOID_EXTRA_MESSAGES: true # to avoid extra messages in the comment from JFROG
      JF_PR_COMMENT_TITLE: ${{ parameters.componentName }}/${{ parameters.subcomponentname }}Report
      JF_PATH_EXCLUSIONS: ""
    inputs:
      script: |
        export HOME="/usr/share/maven"
        export M2="$HOME/bin"
        export MAVEN_OPTS="-Xms256m -Xmx512m"
        export PATH="$M2:$PATH"
        mvn --version
        getFrogbotScriptPath=$(if [ -z "$JF_RELEASES_REPO" ]; then echo "https://releases.jfrog.io"; else echo "${JF_URL}/artifactory/${JF_RELEASES_REPO}"; fi)
        curl -fLg "$getFrogbotScriptPath/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh
        ./frogbot spr
        #./frogbot scan-and-fix-repos $(Build.SourceBranch)
    continueOnError: true
```

If there are no issues found, then in our case we don't need comments; the basic idea is to have a clean PR.

@attiasas
Contributor

Hi @vinodhini-devops, the config mentioned JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: TRUE, so it will not delete the old one with that. As mentioned, can you attempt to exclude JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION altogether and send the logs?

@vinodhini-devops
Author

@attiasas, you want me to remove JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION from the config and try it?

@vinodhini-devops
Author

@attiasas, I tried excluding JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION, and only one comment is added.

This is not what I'm expecting. My PR has multiple builds and multiple components; each component gets scanned by Frogbot and the comment is updated accordingly, so finally I am able to see only one comment, for the last component which got scanned.

@vinodhini-devops
Author

Logs:

```text
Frogbot downloaded successfully!
04:26:08 [Info] Frogbot version: 2.19.10
04:26:08 [Debug] Attempting to download frogbot-config.yml from KLA-GPG/virgo
04:26:08 [Debug] The frogbot-config.yml will be downloaded from refs/heads/3.X branch
04:26:08 [Debug] The .frogbot/frogbot-config.yml file wasn't recognized in <KLA-GPG/virgo>
04:26:08 [Debug] Locking config file to run config AddOrEdit command.
04:26:08 [Debug] Creating lock in: /tmp/jfrog.cli.temp.-1708604768-1063572001/locks/config
04:26:08 [Debug] Sending HTTP HEAD request to: 'https://github.com/jfrog/frogbot'
04:26:08 [Warn] couldn't extract payload from Access Token. The provided access token is not a valid JWT, probably a reference token. Some package managers only support basic authentication which requires also a username. If you plan to work with one of those package managers, please provide a username.
04:26:08 [Debug] Releasing lock: /tmp/jfrog.cli.temp.-1708604768-1063572001/locks/config/jfrog-cli.conf.lck.8570.1708604768486947253
04:26:08 [Debug] Config AddOrEdit command completed successfully. config file is released.
04:26:08 [Debug] Usage Report: Sending info...
04:26:08 [Info] Running Frogbot "scan-pull-request" command
04:26:08 [Debug] Sending HTTP POST request to: https://usage-ecosystem.jfrog.io/api/usage/report
04:26:08 [Debug] Sending HTTP GET request to: https://artifactory.kla-tencor.com/xray/api/v1/system/version
04:26:08 [Debug] Sending HTTP GET request to: https://artifactory.kla-tencor.com/artifactory/api/system/version
04:26:08 [Debug] JFrog Xray version is: 3.80.9
04:26:08 [Debug] Artifactory response: 200 OK
04:26:08 [Debug] JFrog Artifactory version is: 7.68.14
04:26:08 [Debug] Sending HTTP POST request to: https://artifactory.kla-tencor.com/artifactory/api/system/usage
04:26:09 [Debug] Fetching pull requests by id in virgo
04:26:09 [Info] Scanning Pull Request #8232 (from source branch: <KLA-GPG/virgo/users/viraghu/vino-xray-pr> to target branch: <KLA-GPG/virgo/3.X>)
04:26:09 [Info] -----------------------------------------------------------
04:26:09 [Debug] Downloading <KLA-GPG/virgo/users/viraghu/vino-xray-pr> to: '/tmp/jfrog.cli.temp.-1708604769-2631806183'
04:26:09 [Debug] Download url: https://dev.azure.com/kla-gpg/Virgo/_apis/git/repositories/virgo/items/items?path=/&versionDescriptor[version]=users/viraghu/vino-xray-pr&$format=zip
04:26:09 [Info] virgo repository downloaded successfully. Starting with repository extraction...
04:26:11 [Info] Extracted repository successfully
04:26:11 [Debug] Repository download completed
```

@vinodhini-devops
Author

My expectation is, during the second run of the PR, the existing comments must be deleted and only new ones must be added. @attiasas

@attiasas
Contributor

@vinodhini-devops, if the env var was not set, I would expect to see in the DEBUG log:

`Looking for an existing Frogbot pull request comment. Deleting it if it exists...`

As implemented here:
https://github.com/jfrog/frogbot/blob/master/utils/comment.go#L40

It seems that in the run logs you shared, this is set to True, because we can't see it and no error was reported.
It can either come from the environment variable JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION, or from the frogbot-config, where avoidPreviousPrCommentsDeletion in the scan section is set to true.

@attiasas
Contributor

@vinodhini-devops,

If you are running concurrent scanning of pull requests, we cannot determine when it will end. For each process of Frogbot, it will first delete the old comments and then comment with the new ones (or it may not delete at all). You can set a custom PullRequestCommentTitle for each run by configuring 'JF_PR_COMMENT_TITLE' to ensure that each comment corresponds to its respective run.

If this is not meeting your expectations, please provide more details so that I can better understand and assist you if possible.
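To make the delete-then-post behaviour described above concrete, here is an added Go simulation (not Frogbot's code) of one scan per component on a single PR: with delete-all semantics only the last component's comment survives, which is what was observed earlier in the thread, while a hypothetical title-scoped deletion keeps one comment per JF_PR_COMMENT_TITLE. The comment store and the component names are constructed for the example.

```go
package main

import "strings"

// PRComments is a constructed stand-in for a PR's comment list; each entry is "title\nbody" of a Frogbot comment.
type PRComments struct{ comments []string }

// Post adds a comment whose first line is the run's JF_PR_COMMENT_TITLE.
func (p *PRComments) Post(title, body string) {
	p.comments = append(p.comments, title+"\n"+body)
}

// DeleteAllFrogbot models the thread's description: a run removes every previous Frogbot comment first.
func (p *PRComments) DeleteAllFrogbot() { p.comments = nil }

// DeleteByTitle is a hypothetical scoped variant (not Frogbot's code): only the same-titled comment goes.
func (p *PRComments) DeleteByTitle(title string) {
	kept := p.comments[:0]
	for _, c := range p.comments {
		if !strings.HasPrefix(c, title+"\n") {
			kept = append(kept, c)
		}
	}
	p.comments = kept
}

// Titles lists the titles of the comments currently on the PR, in order.
func (p *PRComments) Titles() []string {
	var titles []string
	for _, c := range p.comments {
		titles = append(titles, strings.SplitN(c, "\n", 2)[0])
	}
	return titles
}

// RunComponents simulates one Frogbot run per component (delete, then post)
// and reports which comment titles remain on the PR afterwards.
func RunComponents(components []string, scoped bool) []string {
	p := &PRComments{}
	for _, c := range components {
		title := c + " Report" // same pattern as JF_PR_COMMENT_TITLE in the thread
		if scoped {
			p.DeleteByTitle(title)
		} else {
			p.DeleteAllFrogbot()
		}
		p.Post(title, "No vulnerabilities found")
	}
	return p.Titles()
}
```

Running concurrent scans interleaves the same two steps, so the delete-all outcome is the same loss, only less predictable in which comment wins.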

@eranturgeman
Contributor

Hello @vinodhini-devops,
Did the answers above satisfy your needs? Do you need any further assistance, or do you have any further questions about the subject we can assist with?
