jfrog / jfrog-docker-desktop-extension
Scans any of your local Docker images for security vulnerabilities.
On the settings page, if the user changes the URL or username and leaves the password and access token empty then these changes are ignored with no error.
We need to allow editing the URL and username without entering the password or access token.
The Docker Desktop JFrog Extension does not work properly on Windows 10 machines. Image scans seem to be missing most or all vulnerabilities.
This problem can be demonstrated by scanning the nginx:1.23.1 image, which is publicly available from Docker Hub.
Using Artifactory 7.41.6 and Xray 3.52.4, when we scan the image nginx:1.23.1 using the "All Vulnerabilities" scanning policy, we get the following scan results.
The count of "critical" "high" "medium" and "low" vulnerabilities matches the counts when we generate a report for each severity level for this specific image (note in the screenshot above, the count by severity is organized from top to bottom critical to low while in the screenshot below the count is organized top to bottom low to critical).
When scanning from Windows 10 with the same settings, however, there are no vulnerabilities found at all.
I tried using the "Watches" scanning policy instead, however this resulted in the Image scan simply failing.
After canceling a scan or a setup process, it'll be best to close the CLI processes.
Here's how to do it:
https://docs.docker.com/desktop/extensions-sdk/dev/api/reference/interfaces/ExecProcess/
We need to let the user know, after he finishes the setup process, that he needs to confirm his email address, otherwise his environment will be closed.
If there's an API that can let us know if the user didn't do so already, it'd be best to add a notice for him about that when he enters the extension.
When the user is at the "Completing the setup" stage, the "Back" button should be disabled.
Save the logs of the extension to a file in a logs directory inside the .jfrog-docker-desktop-extension directory.
The JFrog CLI logs need to be included in these logs (they're not saved now at all, because it's not executed in a terminal).
In some places in the extension, unclear errors are thrown from other libraries, and they are passed to the user:
error while login:InvalidCharacterError: Failed to execute 'btoa' on 'Window': The string to be encoded contains characters outside of the Latin1 range.
Non-Latin characters should not be allowed, but the error is not clear and is a little intimidating.
These errors are unclear and also a little intimidating.
They'd better be replaced.
Validate that the watches or project entered by the user are valid and exist when the settings are saved.
It'll be even better to add auto-complete to these fields.
When I try to login to the JFrog extension on Docker Desktop I get the message 'C:\User{username} is not recognised as an internal or external command, operable program or batch file'. This happens whether I am using basic login with my username and password for JFrog or when I obtain an access token from JFrog and use the access token. Is there a bug in the extension, or is it something I am doing wrong?
I am able to run jf docker scan on the command line, and Docker Desktop seems to run fine as I'm able to run many other containers, etc.
However, using Docker Desktop with JFrog extension I am getting the following error:
09:37:38 [Error] failed running command ... with error: exec: "docker": executable file not found in $PATH
Yet, docker runs on my command line fine and the path to it is included in my $PATH variable.
macOS Ventura 13.3.1
Apple M2 Max
Docker Desktop v4.19.0
JFrog extension v1.2.1
Xray Version: 3.73.5
CLI Version: 2.25.1
I cannot use this useful Extension in our company network as it fails to connect to our cloud instance of X-Ray. As I cannot configure a proxy server within the settings of this extension, there seems to be no way to get it running behind an internet proxy.
Execute all JFrog CLI commands in the extension with the following environment variable:
CI=true
Make sure to add it to all JFrog CLI calls for Windows and Unix.
When importing credentials from the host's JFrog CLI (on the extension's first run), the extension doesn't validate the credentials and doesn't check if it has sufficient permissions.
It might cause some users, who don't have permissions for running scans, to skip the welcome page and get an error only after running their first scan.
Instead of popping an alert in case of scan error, use Docker Desktop API to show an error notification.
Read more here: https://docs.docker.com/desktop/extensions-sdk/dev/api/dashboard/
This API is already used in the settings and welcome pages.
It's highly recommended to do this issue after resolving issue #56, because showing the current log errors in a notification will look even worse than it looks now.
We need to add a CI/CD process that'll run the tests, and build and push new versions automatically.
When I scan an image using JFrog Xray Scan in Docker Desktop I get these error banners:
When checking the logs I have this:
11:05:49 [Info] Creating image archive...
11:05:49 [Error] failed running command: 'docker save bridgecrew/checkov:latest -o /var/folders/1z/18hkqblx4gj8cw08xkpnfw180000gq/T/jfrog.cli.temp.-1684631149-3754232923/image.tar' with error: exec: "docker": executable file not found in $PATH -
The output of which -a docker:
/usr/local/bin/docker
I'm using
OS: MacOS Ventura 13.3.1
From JFrog Docker extension settings
Xray: 3.73.8
CLI: 2.25.1
We need to add unit tests to the API functions, and maybe also in other places in our code.
Hi all,
my company is running Docker Desktop 4.13 with a full-paid Docker business subscription. We also have an XRay server and now want to work with this cool extension here :)
What I have done now:
I provided the XRay server URL together with this identity token for the initial setup. I am receiving the following response:
Meanwhile I have pulled some Docker images.
I want to scan some of these local images and always receive the following 401 error response:
Could you help me with this issue? I am not sure where to find logs etc.
Add a video or an animated overview of the extension's features on the first run of the extension.
Getting the following when using this extension with my Docker Desktop:
13:41:33 [Error] failed running command: 'docker save hopeful3:latest -o /var/folders/d_/vn18_5mn0wzdw0x4c1cp2sqm0000gn/T/jfrog.cli.temp.-1694457692-1934035051/image.tar' with error: exec: "docker": executable file not found in $PATH -
Not sure what is going on here, but it would be REALLY NICE if you had an override in the extension which would let you set the path for docker. As it stands, I spent two hours trying to figure out how to work around this without luck.
Add the option to export the scan results into a file (i.e. CSV).
Add an about page with the current version of Xray and JFrog CLI.
This page can also include links to the logs directory and to our GitHub repository.