JF_DEPS_REPO credentials configuration

[xbovae]

I'm configuring Frogbot and having issues with JF_DEPS_REPO property.

GitHub Action sample

- name: Fail on new vulnerabilities
  uses: jfrog/frogbot@v2
  env:
    JF_URL: ${{ vars.ARTIFACTORY_URL }}
    JF_USER: ${{ secrets.ARTIFACTORY_USER }}
    JF_PASSWORD: ${{ secrets.ARTIFACTORY_PW }}
    JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    JF_DEPS_REPO: maven
    JF_FAIL: true
    JF_MIN_SEVERITY: high
    JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: true

maven – is a virtual repository under the specified JF_URL.

In my PR, I updated common-parent-pom from 2.0.1 to 2.0.2.
During the check, Frogbot tries to fetch common-parent-pom:2.0.1 for comparison with the new version.

My assumption is that Frogbot isn't using the provided credentials (JF_USER / JF_PASSWORD) to download the dependency, which causes the failure.

If I open the URL manually (from the error log):

• with correct auth, the dependency starts downloading
• unauthorized (using incognito mode), it returns 404

Error log

[Info] [INFO] Scanning for projects...
[INFO] Downloading from artifactory: https://company.biz/artifactory/maven/com/company/common-parent-pom/2.0.1/common-parent-pom-2.0.1.pom
Error: ] Some problems were encountered while processing the POMs:
[FATAL] Non-resolvable parent POM for com.company.send:api:1.0.0: The following artifacts could not be resolved: com.company:common-parent-pom:pom:2.0.1 (absent): Could not find artifact com.company:common-parent-pom:pom:2.0.1 in artifactory (https://company.biz/artifactory/maven) and 'parent.relativePath' points at wrong local POM @ line 11, column 13
 @
Error:  The build could not read 1 project -> [Help 1]
Error:
Error:    The project com.company.send:api:1.0.0 (/tmp/jfrog.cli.temp.-1757410752-1113025440/pom.xml) has 1 error
Error:      Non-resolvable parent POM for com.company.send:api:1.0.0: The following artifacts could not be resolved: com.company:common-parent-pom:pom:2.0.1 (absent): Could not find artifact com.company:common-parent-pom:pom:2.0.1 in artifactory (https://company.biz/artifactory/maven) and 'parent.relativePath' points at wrong local POM @ line 11, column 13 -> [Help 2]
Error:
Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
Error:  Re-run Maven using the -X switch to enable full debug logging.
Error:
Error:  For more information about the errors and possible solutions, please read the following articles:
Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/ProjectBuildingException
Error:  [Help 2] http://cwiki.apache.org/confluence/display/MAVEN/UnresolvableModelException

Did I misconfigure something?

[eranturgeman]

Hello @xbovae you need to provide the name of the artifactory repo, not the type.
is your repo name is 'maven'?

[xbovae]

hi @eranturgeman,
yes, my virtual repository name is maven

[eranturgeman]

@xbovae and it is under the Artifactory root, or is in some internal repo inside another?
Can you verify that the dependency you are getting the error on really exists in the repo?

[xbovae]

@eranturgeman:

1. yes, it is under the Artifactory root
2. yes, the dependency exists in the repo, I can access it using the link from the log (Downloading from artifactory: …) and as I mentioned: a) with correct auth, the dependency starts downloading; b) unauthorized (using incognito mode), it returns 404