
New build-scan command does not seem backwards compatible and yields 403 responses #51

Closed
PM-JoakimGustavsson opened this issue Apr 5, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@PM-JoakimGustavsson

Describe the bug

There seems to be a bug with the jf build-scan command where it does not behave the same way as the now deprecated jf rt build-scan command. When we attempt to call the jf build-scan command, a 403 Forbidden error is yielded; however, when called through the deprecated jf rt build-scan command the scan proceeds as normal and yields the expected output. It would therefore seem that the new command is not completely backwards compatible with the older command. We have been unable to use the newer jf build-scan command as we cannot get around the 403 Forbidden error.

Current behavior

In the example below the build info has already been published to Artifactory, and we are trying to trigger a scan of the already published build info.

$ jf c add mgx [email protected] --access-token=<redacted> --url=https://repo.mgx.pensionsmyndigheten.se/ --overwrite=true
$ jf c show
Server ID:			mgx
JFrog Platform URL:		https://repo.mgx.pensionsmyndigheten.se/
Artifactory URL:		https://repo.mgx.pensionsmyndigheten.se/artifactory/
Distribution URL:		https://repo.mgx.pensionsmyndigheten.se/distribution/
Xray URL:			https://repo.mgx.pensionsmyndigheten.se/xray/
Mission Control URL:		https://repo.mgx.pensionsmyndigheten.se/mc/
Pipelines URL:			https://repo.mgx.pensionsmyndigheten.se/pipelines/
User:				[email protected]
Access token:			***
Default:			true
$ JFROG_CLI_LOG_LEVEL="DEBUG" jf rt bs --fail=true "devops :: test-pipeline-maven-jar :: PLFORM-11374-jenkins-artifactory-utvardera-jfrogcli" 57
13:48:33 [Debug] JFrog CLI version: 2.53.2
13:48:33 [Debug] OS/Arch: linux/amd64
13:48:33 [🟠Warn] You are using a deprecated syntax of the command.
	Instead of:
	$ jf rt build-scan ...
	Use:
	$ jf build-scan ...
13:48:33 [🔵Info] Triggered Xray build scan... The scan may take a few minutes.
13:48:33 [Debug] Usage Report: Sending info...
13:48:34 [Debug] Sending HTTP GET request to: https://repo.mgx.pensionsmyndigheten.se/artifactory/api/system/version
13:48:34 [Debug] Sending HTTP POST request to: https://repo.mgx.pensionsmyndigheten.se/artifactory/api/xray/scanBuild
13:48:34 [Debug] Artifactory response: 200
13:48:34 [Debug] JFrog Artifactory version is: 7.55.10
13:48:34 [Debug] Sending HTTP POST request to: https://repo.mgx.pensionsmyndigheten.se/artifactory/api/system/usage
13:48:34 [🔵Info] Xray scan completed.
{
  "summary": {
    "total_alerts": 0,
    "fail_build": false,
    "message": "No Xray “Fail build in case of a violation” policy rule has been defined on this build. The Xray scan will run in parallel to the deployment of the build and will not obstruct the build. To review the Xray scan results, see the Xray Violations tab in the UI.",
    "more_details_url": ""
  },
  "alerts": [],
  "licenses": []
}
$ JFROG_CLI_LOG_LEVEL="DEBUG" jf bs --fail=true "devops :: test-pipeline-maven-jar :: PLFORM-11374-jenkins-artifactory-utvardera-jfrogcli" 57
13:48:51 [Debug] JFrog CLI version: 2.53.2
13:48:51 [Debug] OS/Arch: linux/amd64
13:48:51 [Debug] Sending HTTP GET request to: https://repo.mgx.pensionsmyndigheten.se/xray/api/v1/system/version
13:48:51 [Debug] Usage Report: Sending info...
13:48:51 [Debug] Sending HTTP GET request to: https://repo.mgx.pensionsmyndigheten.se/artifactory/api/system/version
13:48:51 [Debug] Sending HTTP POST request to: https://repo.mgx.pensionsmyndigheten.se/xray/api/v2/ci/build
13:48:52 [Debug] Artifactory response: 200
13:48:52 [Debug] JFrog Artifactory version is: 7.55.10
13:48:52 [Debug] Sending HTTP POST request to: https://repo.mgx.pensionsmyndigheten.se/artifactory/api/system/usage
13:48:52 [🚨Error] server response: 403 Forbidden

A 403 response code appears in the second call, despite having identical configuration and calling the same REST endpoints.

Reproduction steps

In this case we are using a very simple Hello World Java program, built with Maven, as our project.

  1. Initiate and build the source code. Adaptations need to be made for your Artifactory/Xray server.
$ export JFROG_CLI_BUILD_NUMBER=57
$ export JFROG_CLI_RELEASES_REPO=mgx/jfrog-releases-remote
$ export JFROG_CLI_BUILD_URL=<path to CI server build>
$ export JFROG_CLI_REPORT_USAGE=false
$ export JFROG_CLI_BUILD_NAME="devops :: test-pipeline-maven-jar :: PLFORM-11374-jenkins-artifactory-utvardera-jfrogcli"
$ export CI=true
$ jf c add mgx [email protected] --access-token=<redacted> --url=https://repo.mgx.pensionsmyndigheten.se/ --overwrite=true
$ jf mvnc --repo-deploy-releases pm-mvn-release-local --repo-deploy-snapshots pm-mvn-snapshot-local --repo-resolve-releases pm-mvn-public --repo-resolve-snapshots pm-mvn-public --include-patterns '*.jar, *.pom' --exclude-patterns '*tests.jar, *sources.jar'
$ jf mvn -f pom.xml -Dartifactory.publish.artifacts=true package
  2. Publish the build info and initiate build-scan.
$ jf rt bp
$ jf bs --fail

This fails with 403 Forbidden.

Expected behavior

The jf bs command behaves exactly like the jf rt bs command and produces the same result given the same input/configuration.

JFrog CLI-Security version

1.0.3

JFrog CLI version (if applicable)

2.53.2

Operating system type and version

Reproduced both on Red Hat 8 and Arch Linux.

JFrog Xray version

3.66.6

PM-JoakimGustavsson added the "bug" label Apr 5, 2024
@orz25
Contributor

orz25 commented Apr 11, 2024

Hey @PM-JoakimGustavsson

It looks like JFrog CLI is working as intended. We suspect there might be a problem on the Xray side (since the error is coming from Xray). To further investigate this issue we need logs from the Xray server. Please contact JFrog Xray support and they will know how to handle it.

Thank you!

@PM-JoakimGustavsson
Author

Hey @orz25 !
Thank you for your feedback!
I will file a support case with JFrog support instead then :)

PM-JoakimGustavsson closed this as not planned Apr 19, 2024
@PM-JoakimGustavsson
Author

PM-JoakimGustavsson commented Apr 19, 2024

For reference looking at the log they seem to be issuing very different API calls under the hood:

2024-04-19T10:42:17.246Z|966d771705bcc8a|172.20.53.140, 172.18.0.1, 10.252.67.61|[email protected]|POST|/api/v2/ci/build|403|-1|125|3.949000|jfrog-cli-go/2.55.0
2024-04-19T10:42:17.756Z|658e17bb10674f93|172.20.53.140, 172.18.0.1, 10.252.67.61|[email protected]|POST|/api/v2/ci/build|403|-1|125|4.445000|jfrog-cli-go/2.55.0
2024-04-19T10:42:18.160Z|7a15a01c4213ebf|172.20.53.140, 172.18.0.1, 10.252.67.61|[email protected]|POST|/api/v2/ci/build|403|-1|125|4.152000|jfrog-cli-go/2.55.0
2024-04-19T10:42:18.743Z|7c0851dd2cf2bac9|172.20.53.140, 172.18.0.1, 10.252.67.61|[email protected]|POST|/api/v2/ci/build|403|-1|125|4.116000|jfrog-cli-go/2.55.0
2024-04-19T10:42:19.253Z|18f419b1d6cca645|172.20.53.140, 172.18.0.1, 10.252.67.61|[email protected]|POST|/api/v2/ci/build|403|-1|125|4.623000|jfrog-cli-go/2.55.0
2024-04-19T10:42:19.665Z|5ebdbedf0f8ed56e|172.20.53.140, 172.18.0.1, 10.252.67.61|[email protected]|POST|/api/v2/ci/build|403|-1|125|4.149000|jfrog-cli-go/2.55.0
2024-04-19T10:42:20.511Z|5fe6879272052dc|172.20.53.140, 172.18.0.1, 10.252.67.61|[email protected]|POST|/api/v2/ci/build|403|-1|125|4.858000|jfrog-cli-go/2.55.0
2024-04-19T10:42:21.186Z|4eedc8aee943918a|172.20.53.140, 172.18.0.1, 10.252.67.61|[email protected]|POST|/api/v2/ci/build|403|-1|125|4.686000|jfrog-cli-go/2.55.0
2024-04-19T10:42:21.756Z|50cad1b51d8cbbf2|172.20.53.140, 172.18.0.1, 10.252.67.61|[email protected]|POST|/api/v2/ci/build|403|-1|125|4.374000|jfrog-cli-go/2.55.0
2024-04-19T10:42:21.916Z|29aee8789c274063|172.20.53.140, 172.18.0.1, 127.0.0.1, 10.252.67.61|[email protected]|GET|/ui/system/logs/data?file_size=10298141&id=xray-request.log|200|-1|0|0.596000|JFrog-Frontend/1.55.2
2024-04-19T10:42:27.016Z|a6a3eea931d9fbe1|127.0.0.1, 10.252.67.61|jfrt@01ejxfxnn0xw200b4h3jeh1zxx|POST|/api/v1/scanBuild|200|-1|216|3.143000|XrayJavaClient/1.0.8
2024-04-19T10:42:27.432Z|34e0697fc58fd7c7|127.0.0.1, 10.252.67.61|jfrt@01ejxfxnn0xw200b4h3jeh1zxx|POST|/api/v1/scanBuild|200|-1|216|3.404000|XrayJavaClient/1.0.8
2024-04-19T10:42:27.469Z|42a71c775a81605f|127.0.0.1, 10.252.67.61|jfrt@01ejxfxnn0xw200b4h3jeh1zxx|GET|/api/v1/repositoriesPolicies?artifactoryId=default|200|-1|0|0.234000|XrayJavaClient/1.0.8
2024-04-19T10:42:27.944Z|c469e6da25143e57|127.0.0.1, 10.252.67.61|jfrt@01ejxfxnn0xw200b4h3jeh1zxx|POST|/api/v1/scanBuild|200|-1|216|3.550000|XrayJavaClient/1.0.8
2024-04-19T10:42:28.337Z|a53c6a104731e863|127.0.0.1, 10.252.67.61|jfrt@01ejxfxnn0xw200b4h3jeh1zxx|POST|/api/v1/scanBuild|200|-1|216|3.114000|XrayJavaClient/1.0.8
2024-04-19T10:42:28.908Z|84ce996f4719b4c0|127.0.0.1, 10.252.67.61|jfrt@01ejxfxnn0xw200b4h3jeh1zxx|POST|/api/v1/scanBuild|200|-1|216|3.249000|XrayJavaClient/1.0.8
2024-04-19T10:42:29.521Z|2cb4884860005711|127.0.0.1, 10.252.67.61|jfrt@01ejxfxnn0xw200b4h3jeh1zxx|POST|/api/v1/scanBuild|200|-1|216|5.291000|XrayJavaClient/1.0.8
2024-04-19T10:42:30.134Z|39a2d49db156679f|127.0.0.1, 10.252.67.61|jfrt@01ejxfxnn0xw200b4h3jeh1zxx|POST|/api/v1/scanBuild|200|-1|216|3.563000|XrayJavaClient/1.0.8

The calls to the v2 API are the failing ones from jf bs, whereas the v1 calls are from jf rt bs. The 403 error seems to stem from the old command using a different user and not the one I configured during the jf c add command.
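The request-log excerpt above makes the two scan paths easy to tell apart once the lines are grouped by user, endpoint and status: the CLI's own token is the principal on the /api/v2/ci/build calls that get 403, while the /api/v1/scanBuild calls that succeed are made by Artifactory's internal service user. The script below is an added example (not code from the issue or from JFrog) that parses the pipe-delimited xray-request.log format as it appears in the thread and produces that grouping, so a CI migration from jf rt bs to jf bs can be checked against the server log rather than against the CLI's terse "403 Forbidden". The sample log is constructed from a subset of the lines posted above; the e-mail address is a placeholder, and the meaning of the address-chain field (proxy-forwarded addresses, original client first) is an assumption.

```python
"""Group JFrog Xray request-log lines by user, endpoint and status.

Added example; not code from the issue or from JFrog. The assumed line
layout, taken from the lines posted in the thread, is:

    timestamp|trace id|client address chain|user|method|path|status|
    request bytes|response bytes|duration ms|user agent
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample: a subset of the lines in the issue, user e-mail replaced
# by a placeholder. The jfrt@... principal is Artifactory's service user.
SAMPLE_LOG = """\
2024-04-19T10:42:17.246Z|966d771705bcc8a|172.20.53.140, 172.18.0.1, 10.252.67.61|user@example.com|POST|/api/v2/ci/build|403|-1|125|3.949000|jfrog-cli-go/2.55.0
2024-04-19T10:42:17.756Z|658e17bb10674f93|172.20.53.140, 172.18.0.1, 10.252.67.61|user@example.com|POST|/api/v2/ci/build|403|-1|125|4.445000|jfrog-cli-go/2.55.0
2024-04-19T10:42:18.160Z|7a15a01c4213ebf|172.20.53.140, 172.18.0.1, 10.252.67.61|user@example.com|POST|/api/v2/ci/build|403|-1|125|4.152000|jfrog-cli-go/2.55.0
2024-04-19T10:42:21.916Z|29aee8789c274063|172.20.53.140, 172.18.0.1, 127.0.0.1, 10.252.67.61|user@example.com|GET|/ui/system/logs/data?file_size=10298141&id=xray-request.log|200|-1|0|0.596000|JFrog-Frontend/1.55.2
2024-04-19T10:42:27.016Z|a6a3eea931d9fbe1|127.0.0.1, 10.252.67.61|jfrt@01ejxfxnn0xw200b4h3jeh1zxx|POST|/api/v1/scanBuild|200|-1|216|3.143000|XrayJavaClient/1.0.8
2024-04-19T10:42:27.432Z|34e0697fc58fd7c7|127.0.0.1, 10.252.67.61|jfrt@01ejxfxnn0xw200b4h3jeh1zxx|POST|/api/v1/scanBuild|200|-1|216|3.404000|XrayJavaClient/1.0.8
2024-04-19T10:42:27.469Z|42a71c775a81605f|127.0.0.1, 10.252.67.61|jfrt@01ejxfxnn0xw200b4h3jeh1zxx|GET|/api/v1/repositoriesPolicies?artifactoryId=default|200|-1|0|0.234000|XrayJavaClient/1.0.8
"""


@dataclass(frozen=True)
class XrayRequest:
    timestamp: str
    trace_id: str
    # Assumed to be the forwarded-address chain, original client first. Treat
    # it as untrusted unless the fronting proxy is known to rewrite it.
    client_chain: Tuple[str, ...]
    user: str
    method: str
    path: str          # path only; query string stripped
    status: int
    duration_ms: float
    user_agent: str


def parse_line(line: str) -> XrayRequest:
    """Parse one xray-request.log line; raise ValueError if it is malformed."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
    ts, trace, chain, user, method, path, status, _req, _resp, duration, agent = fields
    return XrayRequest(
        timestamp=ts,
        trace_id=trace,
        client_chain=tuple(a.strip() for a in chain.split(",")),
        user=user,
        method=method,
        # Drop the query string so the log-viewer GET tallies as one endpoint
        # regardless of the file_size value it carries.
        path=path.split("?", 1)[0],
        status=int(status),
        duration_ms=float(duration),
        user_agent=agent,
    )


def parse_log(text: str) -> List[XrayRequest]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


Key = Tuple[str, str, str, int]  # (user, method, path, status)


def tally(requests: Iterable[XrayRequest]) -> Dict[Key, int]:
    """Count requests per (user, method, path, status)."""
    return dict(Counter((r.user, r.method, r.path, r.status) for r in requests))


def denied_by_user(requests: Iterable[XrayRequest]) -> Dict[str, Dict[str, int]]:
    """For each principal, the endpoints that answered 401/403 and how often."""
    out: Dict[str, Counter] = {}
    for r in requests:
        if r.status in (401, 403):
            out.setdefault(r.user, Counter())[f"{r.method} {r.path}"] += 1
    return {user: dict(c) for user, c in out.items()}


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for (user, method, path, status), n in sorted(tally(reqs).items()):
        print(f"{n:3d}  {status}  {user:35s} {method:4s} {path}")
    print("denied:", denied_by_user(reqs))
```

Pointing parse_log at a real xray-request.log (the file the UI downloads in the GET /ui/system/logs/data line above) and reading denied_by_user tells you which principal is being refused on which endpoint, which is the question the CLI's 403 leaves open.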

@PM-JoakimGustavsson
Author

I figured out what the issue was - the API token used by JFrog CLI needs to be an admin token. A user token is not sufficient. Switching to an admin token solved the issue.

@gailazar300
Contributor

@PM-JoakimGustavsson Thank you for the update!
