Android - Frogbot Error #796

Open
GaryDoolinTX opened this issue Dec 10, 2024 · 1 comment
Labels
question Further information is requested

GaryDoolinTX commented Dec 10, 2024

Hi all,

I'm trying to implement Xray with Frogbot on my Android application and I am coming across the issue below. Android build files are .gradle.kts, which contain dependency management etc. I am using a virtual Artifactory repository for the majority of my dependencies.

I am completely new to this and I am struggling to find good documentation on the requirements to make this work. If anyone could tell me what I'm doing wrong or what is required I would appreciate it.

Below is my YAML.

```yaml
name: JFrog - Test

on:
  workflow_dispatch:

jobs:
  unit_tests:
    name: Run Unit Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - uses: actions/[email protected]
        with:
          distribution: "temurin"
          java-version: 17

      - name: Change wrapper permissions
        run: chmod +x ./gradlew

  build:
    name: Build and analyze
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis

      - name: Authenticate JFrog
        uses: jfrog/[email protected]
        env:
          JF_URL: ${{ secrets.J_FROG_URL }}
          JF_USER: ${{ secrets.J_FROG_USERNAME }}
          JF_PASSWORD: ${{ secrets.J_FROG_PASSWORD }}

      - name: Set up JDK 17
        uses: actions/[email protected]
        with:
          distribution: "temurin"
          java-version: 17

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4

      - name: Change wrapper permissions
        run: chmod +x ./gradlew

      - name: Run Tests and Analysis
        run: ./gradlew testsAndAnalysis

  scan-repository:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        branch: ["main"]

    steps:
      - uses: actions/[email protected]
        with:
          distribution: "temurin"
          java-version: 17

      - uses: jfrog/frogbot@v2
        env:
          JF_URL: ${{ secrets.J_FROG_URL }}
          JF_USER: ${{ secrets.J_FROG_USERNAME }}
          JF_PASSWORD: ${{ secrets.J_FROG_PASSWORD }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          JF_GIT_BASE_BRANCH: ${{ matrix.branch }}
          JF_DEPS_REPO: ${{ secrets.REPO_NAME }}
```

ERROR LOG:

```
Frogbot
  /opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-repository
  10:46:36 [Info] Frogbot version: 2.23.6
  10:46:37 [Info] Running Frogbot "scan-repository" command
  10:46:40 [Info] Preforming scans on 1 targets:
  {
    "xray_version": "3.107.11",
    "xsc_version": "1.12.5",
    "jas_entitled": false,
    "command_type": "source_code",
    "start_time": "2024-12-10T10:46:40.010737342Z",
    "multi_scan_id": "097a5ed0-b6e4-11ef-9ec9-a2188be74f53",
    "targets": [
      {
        "target": "/tmp/jfrog.cli.temp.-1733827598-1604238085",
        "technology": "gradle",
        "sca_scans": {
          "descriptors": [
            "/tmp/jfrog.cli.temp.-1733827598-1604238085/app/build.gradle.kts",
            "/tmp/jfrog.cli.temp.-1733827598-1604238085/build.gradle.kts",
            "/tmp/jfrog.cli.temp.-1733827598-1604238085/buildSrc/build.gradle.kts",
            "/tmp/jfrog.cli.temp.-1733827598-1604238085/cropper/build.gradle"
          ]
        }
      }
    ]
  }
  10:46:40 [Info] Not entitled for JAS, skipping advance security scans...
  10:46:40 [Info] Calculating Gradle dependencies...
  10:46:40 [Info] Running gradle deps tree command: ./gradlew clean generateDepTrees -I /tmp/jfrog.cli.temp.-1733827600-3076640809/gradledeptree.init -q -Dcom.jfrog.depsTreeOutputFile=/tmp/jfrog.cli.temp.-1733827600-3076640809/gradledeptree.out -Dcom.jfrog.includeAllBuildFiles=true
  10:50:43 [Info] [Thread 0] Running SCA scan for /tmp/jfrog.cli.temp.-1733827598-1604238085 vulnerable dependencies in /tmp/jfrog.cli.temp.-1733827598-1604238085 directory...
  10:50:43 [Info] Scanning 340 gradle dependencies...
  10:50:43 [Info] Waiting for scan to complete on JFrog Xray...
  10:51:00 [Info] Xray scan completed
  Error: 3 [Error] the following errors occured while fixing vulnerabilities in '/tmp/jfrog.cli.temp.-1733827598-1604238085':
  impacted package 'org.apache.commons:commons-text' was not found or could not be fixed in all descriptor files
  Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
```

DEPENDENCY RESOLUTION:

```kotlin
pluginManagement {
    repositories {
        google {
            content {
                includeGroupByRegex("com\\.android.*")
                includeGroupByRegex("com\\.google.*")
                includeGroupByRegex("androidx.*")
            }
        }
        mavenCentral()
        gradlePluginPortal()
    }
}

dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.PREFER_SETTINGS)
    repositories {
        maven(url = "https://jitpack.io")
        maven {
            url = uri("********") // JFrog repo URL
            credentials {
                username = "********" // JFrog username
                password = "********" // JFrog password
            }
        }
    }
}

include(":app")
gradle.startParameter.excludedTaskNames.addAll(listOf(":buildSrc:testClasses"))
```

GaryDoolinTX added the question (Further information is requested) label Dec 10, 2024

GaryDoolinTX (Author) commented

Is there anyone who can shed light on this? I have 3 Gradle files in the code base and I believe Frogbot is taking each one as a descriptor (from looking at the logs). Can a path to a descriptor be defined? I would appreciate some help on this.
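
The error in the log names a package that was "not found" in the descriptor files. As an added example (not part of the original issue and not Frogbot's own code), this Python script checks whether a coordinate is declared directly in any of the four descriptors listed in the scan summary. The descriptor contents are constructed, `com.example:some-sdk` is hypothetical, and it is an assumption that a package no descriptor declares directly is arriving transitively or through a version catalog.

```python
import re

def direct_declarations(text, group, artifact):
    """Return (line_number, version_or_None) for each direct declaration of group:artifact."""
    q = "[\"']"  # Groovy allows single or double quotes, Kotlin DSL uses double
    pattern = re.compile(q + re.escape(f"{group}:{artifact}") + "(?::([^\"':]+))?" + q)
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]  # drop line comments (also cuts after a URL's //)
        match = pattern.search(code)
        if match:
            hits.append((lineno, match.group(1)))
    return hits

def classify(descriptors, group, artifact):
    """Map each descriptor path to its direct declarations of the package."""
    return {path: direct_declarations(text, group, artifact)
            for path, text in descriptors.items()}

def verdict(result):
    """'declared directly' if any descriptor names the package, else 'not declared directly'."""
    return "declared directly" if any(result.values()) else "not declared directly"

# Constructed sample: the four descriptor paths come from the scan summary in the log,
# but their contents are invented for illustration (com.example:* is hypothetical).
SAMPLE_DESCRIPTORS = {
    "app/build.gradle.kts": 'dependencies {\n    implementation("com.example:some-sdk:1.0.0")\n}\n',
    "build.gradle.kts": "plugins {\n}\n",
    "buildSrc/build.gradle.kts": "plugins {\n    `kotlin-dsl`\n}\n",
    "cropper/build.gradle": "dependencies {\n    // implementation 'org.apache.commons:commons-text:1.0'\n}\n",
}

if __name__ == "__main__":
    result = classify(SAMPLE_DESCRIPTORS, "org.apache.commons", "commons-text")
    for path, hits in result.items():
        print(path, hits or "no direct declaration")
    print(verdict(result))
```

To run it against a real checkout, build the dictionary from the files on disk instead of `SAMPLE_DESCRIPTORS`; version-catalog aliases such as `libs.*` are not matched by this check.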
