Describe the bug
Upgraded the CLI from version 2.71.3 to 2.74.1. The build-scan option is now showing incorrectly that there are no security violations.
Current behavior
When running jf build-scan with CLI version 2.71.3 on a build with a violation, I receive the following:
07:32:52 [Info] Waiting for Build Scan to complete...
07:32:52 [Info] The scan data is available at: ####
Security Violations
┌──────────┬───────────────────────────┬────────────┬───────────────────────────┬────────────┬──────────┬───────┬─────────────────────┐
│ SEVERITY │ DIRECT                    │ DIRECT     │ IMPACTED                  │ IMPACTED   │ FIXED    │ TYPE  │ CVE                 │
│          │ DEPENDENCY                │ DEPENDENCY │ DEPENDENCY                │ DEPENDENCY │ VERSIONS │       │                     │
│          │                           │ VERSION    │ NAME                      │ VERSION    │          │       │                     │
├──────────┼───────────────────────────┼────────────┼───────────────────────────┼────────────┼──────────┼───────┼─────────────────────┤
│ Critical │ jpetstore-1.06-20250407.1 │            │ com.thoughtworks.xstream: │ 1.3.1      │ [1.4.16] │ Maven │ GHSA-hwpc-8xqv-jvj4 │
│          │ 23230-1.war               │            │ xstream                   │            │          │       │                     │
└──────────┴───────────────────────────┴────────────┴───────────────────────────┴────────────┴──────────┴───────┴─────────────────────┘
License Compliance Violations
+---------------------------------------------+
| No license compliance violations were found |
+---------------------------------------------+
Now, running the jf 2.74.1 version on the same build:
07:32:40 [Info] Waiting for Build Scan to complete...
07:32:51 [Info] The scan data is available at: ###
Security Violations
+-----------------------------------+
| No security violations were found |
+-----------------------------------+
License Compliance Violations
+---------------------------------------------+
| No license compliance violations were found |
+---------------------------------------------+
Operational Risk Violations
+-------------------------------------------+
| No operational risk violations were found |
+-------------------------------------------+
Reproduction steps
Upload an artifact as part of a pipeline build and run a build scan
jf rt upload ...
jf rt build-publish
jf build-scan
Expected behavior
Expected the Security Violations output to be the same as with the 2.71.3 version of the CLI.
JFrog CLI-Security version
2.74.1
JFrog CLI version (if applicable)
2.74.1
Operating system type and version
Windows Server 2016
JFrog Xray version
7.98.10
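A guard a pipeline could add so that a regression like this one fails the build instead of passing it, given here as an added example; it is not JFrog's code and not part of the report. The idea is a scanner canary: the jpetstore build is known to carry xstream 1.3.1, which the 2.71.3 scan reports as GHSA-hwpc-8xqv-jvj4, so any correct scan of that build must list that identifier, and a "No security violations were found" verdict for it means the scanner changed, not the build. The two sample outputs are constructed from the excerpts quoted above, the function names violation_ids and canary_check are mine, and the parsing assumes the 2.71.x table layout in which the advisory appears in the CVE column.

```shell
#!/bin/sh
# Canary guard for `jf build-scan` output. Added example, not JFrog's code.
# The build intentionally carries a known-vulnerable dependency (xstream 1.3.1,
# advisory GHSA-hwpc-8xqv-jvj4 per the report above), so a correct scan MUST
# list that advisory. A "No security violations were found" result for the
# canary therefore means the scanner, not the build, is broken, and the
# pipeline should stop rather than treat the build as clean.

# Constructed sample: excerpt of the 2.71.3 output quoted in the report.
OUT_2_71_3='07:32:52 [Info] The scan data is available at: ####
Security Violations
┌──────────┬───────────────────────────┬────────────┬───────────────────────────┬────────────┬──────────┬───────┬─────────────────────┐
│ SEVERITY │ DIRECT                    │ DIRECT     │ IMPACTED                  │ IMPACTED   │ FIXED    │ TYPE  │ CVE                 │
├──────────┼───────────────────────────┼────────────┼───────────────────────────┼────────────┼──────────┼───────┼─────────────────────┤
│ Critical │ jpetstore-1.06-20250407.1 │            │ com.thoughtworks.xstream: │ 1.3.1      │ [1.4.16] │ Maven │ GHSA-hwpc-8xqv-jvj4 │
│          │ 23230-1.war               │            │ xstream                   │            │          │       │                     │
└──────────┴───────────────────────────┴────────────┴───────────────────────────┴────────────┴──────────┴───────┴─────────────────────┘
License Compliance Violations
+---------------------------------------------+
| No license compliance violations were found |
+---------------------------------------------+'

# Constructed sample: excerpt of the 2.74.1 output quoted in the report.
OUT_2_74_1='07:32:51 [Info] The scan data is available at: ###
Security Violations
+-----------------------------------+
| No security violations were found |
+-----------------------------------+
License Compliance Violations
+---------------------------------------------+
| No license compliance violations were found |
+---------------------------------------------+'

# Print (one per line, de-duplicated) every CVE or GHSA identifier that appears
# inside the "Security Violations" section of a scan output. Parsing assumption:
# the 2.71.x CLI table layout, where the identifier sits in the CVE column.
# Only that section is read; the license and operational-risk sections are skipped.
violation_ids() {
    printf '%s\n' "$1" |
    awk '/^Security Violations/ { insec = 1; next }
         /^License Compliance Violations/ || /^Operational Risk Violations/ { insec = 0 }
         insec' |
    LC_ALL=C grep -oE 'CVE-[0-9]{4}-[0-9]+|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}' |
    sort -u
}

# Usage: canary_check "$scan_output" ID [ID...]
# Returns 0 when every expected identifier is reported by the scan, 1 otherwise.
canary_check() {
    scan_output=$1
    shift
    found=$(violation_ids "$scan_output")
    missing=''
    for id in "$@"; do
        case "$found" in
            *"$id"*) ;;
            *) missing="$missing $id" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "FAIL: canary advisories not reported by the scan:$missing"
        return 1
    fi
    echo "OK: all canary advisories reported"
    return 0
}

# Demo on the constructed samples. In a real pipeline capture the CLI output,
# e.g. jf build-scan ... | tee scan.txt, then canary_check "$(cat scan.txt)" GHSA-hwpc-8xqv-jvj4
canary_check "$OUT_2_71_3" GHSA-hwpc-8xqv-jvj4
canary_check "$OUT_2_74_1" GHSA-hwpc-8xqv-jvj4 || echo "exit status $? - the pipeline would stop here"
```

The check is deliberately independent of the CLI's own exit code and of its "violations found" wording: it asserts the presence of a specific identifier the canary build is known to trigger, so a scanner upgrade that silently reports nothing, as in the 2.74.1 output above, is caught on the first run rather than discovered later.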