Binal92 patch 3

.frogbot/frogbot-config.yml

@@ -0,0 +1,113 @@
+# The "params" section includes the configuration of a single Git repository that needs to be scanned.
+# For Azure Repos, Bitbucket Server and GitHub with JFrog Pipelines or Jenkins, you can define multiple "params" sections one after the other, for scanning multiple
+# Git repositories in the same organization.
+- params:
+    # Git parameters
+    git:
+      # [Mandatory]
+      # Name of the git repository to scan
+      repoName: my-project
+
+      # [Mandatory]
+      # List of branches to scan
+      branches:
+        - master
+
+      # [Optional]
+      # Template for the branch name generated by Frogbot when creating pull requests with fixes.
+      # The template must include ${BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
+      # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
+      # branchNameTemplate: "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}"
+
+      # [Optional]
+      # Template for the commit message generated by Frogbot when creating pull requests with fixes
+      # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
+      # commitMessageTemplate: "Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
+
+      # [Optional]
+      # Template for the pull request title generated by Frogbot when creating pull requests with fixes.
+      # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
+      # pullRequestTitleTemplate: "[🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
+
+      # [Optional, Default: false]
+      # If true, Frogbot creates a single pull request with all the fixes.
+      # If false, Frogbot creates a separate pull request for each fix.
+      # aggregateFixes: false
+
+      # [Optional, Default: [email protected]]
+      # Set the email of the commit author
+      # emailAuthor: ""
+
+    # Frogbot scanning parameters
+    scan:
+      # [Default: false]
+      # Frogbot displays all existing vulnerabilities, including the ones that were not added by the pull request
+      includeAllVulnerabilities: true
+
+      # [Default: false]
+      # When adding new comments on pull requests, keep old comments that were added by previous scans.
+      # avoidPreviousPrCommentsDeletion: true
+
+      # [Default: true]
+      # Frogbot does not fail the task if security issues are found and this parameter is set to false
+      # failOnSecurityIssues: false
+
+      # [Default: false]
+      # Handle vulnerabilities with fix versions only
+      # fixableOnly: true
+
+      # [Optional]
+      # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
+      # The following values are accepted: Low, Medium, High or Critical
+      # minSeverity: ""
+
+      # [Optional]
+      # List of email addresses to receive emails about secrets that has been detected in a pull request scan.
+      # Applies only to servers that are entitled to JFrog Advanced Security.
+      # emailReceivers:
+      # - [email protected]
+
+      # List of subprojects / project dirs inside the Git repository
+      projects:
+      # [Mandatory if the two conditions below are met]
+      # 1. The project uses yarn 2, NuGet or .NET Core to download its dependencies
+      # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
+      #
+      # The command that installs the project dependencies (e.g "nuget restore")
+      # - installCommand: ""
+
+      # [Default: root directory]
+      # List of relative path's to the projects directories in the git repository. If left empty (without providing "." yourself as the root directory's path), a recursive scan is triggered from the root directory of the project.
+      #   workingDirs:
+      #     - "."
+
+      # [Default: ["*.git*", "*node_modules*", "*target*", "*venv*", "*test*"]]
+      # List of exclusion patterns (utilizing wildcards) for excluding paths in the source code of the Git repository during SCA scans.
+      #   pathExclusions:
+      #     - "*node_modules*"
+      #     - "*target*"
+      #     - "*venv*"
+      #     - "*test*"
+
+      # [Mandatory for pip only if using requirements file, Default: pip install .]
+      # The requirements file name that is used to install dependencies in case of pip package manager
+      #   pipRequirementsFile: ""
+
+      # [Default: true]
+      # Use Gradle Wrapper (gradlew/gradlew.bat) to run Gradle
+      #   useWrapper: true
+
+      # [Optional]
+      # Name of a Virtual Repository in Artifactory to resolve (download) the project dependencies from
+      #   repository: ""
+
+    # JFrog Platform parameters
+    jfrogPlatform:
+    # [Optional]
+    # JFrog project key. Learn more about it [here](https://www.jfrog.com/confluence/display/JFROG/Projects)
+    # jfrogProjectKey: ""
+
+    # [Optional]
+    # Xray Watches. Learn more about it [here](https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches)
+    # watches:
+    #  - ""

.github/workflows/ci.yml

@@ -1,7 +1,7 @@
 # This workflow will build a Java project with Gradle
 # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
 
-name: Java CI with Gradle
+name: Java CI with Gradle Binal
 
 on:
   push:
@@ -15,12 +15,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
 
     - name: Set up JDK 1.8
-      uses: actions/setup-java@v1
+      uses: actions/setup-java@v4
       with:
-        java-version: 1.8
+        distribution: 'temurin'
+        java-version: 8.0.402+6
 
     - name: Grant execute permission for gradlew
       run: chmod +x gradlew
@@ -29,9 +30,9 @@ jobs:
       run: ./gradlew build
 
     - name: Build and Push Docker Image
-      uses: mr-smithers-excellent/docker-build-push@v4
+      uses: mr-smithers-excellent/docker-build-push@v6.2
       with:
-        image: nanajanashia/demo-app
+        image: binal92/demo-app
         registry: docker.io
         username: ${{ secrets.DOCKER_USERNAME }}
         password: ${{ secrets.DOCKER_PASSWORD }}

.github/workflows/frogbot-scan-pull-request.yml

@@ -0,0 +1,148 @@
+name: "Frogbot Scan Pull Request"
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+permissions:
+  pull-requests: write
+  contents: read
+jobs:
+  scan-pull-request:
+    runs-on: ubuntu-latest
+    # A pull request needs to be approved before Frogbot scans it. Any GitHub user who is associated with the
+    # "frogbot" GitHub environment can approve the pull request to be scanned.
+    environment: frogbot
+    steps:
+      - uses: jfrog/frogbot@v2
+        env:
+          # [Mandatory]
+          # JFrog platform URL
+          JF_URL: ${{ secrets.JF_URL }}
+
+          # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+          # JFrog access token with 'read' permissions on Xray service
+          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+
+          # [Mandatory if JF_ACCESS_TOKEN is not provided]
+          # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
+          # JF_USER: ${{ secrets.JF_USER }}
+
+          # [Mandatory if JF_ACCESS_TOKEN is not provided]
+          # JFrog password. Must be provided with JF_USER
+          # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+
+          # [Mandatory]
+          # The GitHub token is automatically generated for the job
+          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          # [Optional, default: https://api.github.com]
+          # API endpoint to GitHub
+          # JF_GIT_API_ENDPOINT: https://github.example.com
+
+          # [Optional]
+          # By default, the Frogbot workflows download the Frogbot executable as well as other tools
+          # needed from https://releases.jfrog.io
+          # If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
+          # executable to be downloaded from an Artifactory instance, which the machine has access to:
+          #
+          # 1. Login to the Artifactory UI, with a user who has admin credentials.
+          # 2. Create a Remote Repository with the following properties set.
+          #    Under the 'Basic' tab:
+          #       Package Type: Generic
+          #       URL: https://releases.jfrog.io
+          #    Under the 'Advanced' tab:
+          #       Uncheck the 'Store Artifacts Locally' option
+          # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
+          # JF_RELEASES_REPO: ""
+
+          # [Optional]
+          # Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
+          # SMTP server URL including should the relevant port: (Example: smtp.server.com:8080)
+          # JF_SMTP_SERVER: ""
+
+          # [Mandatory if JF_SMTP_SERVER is set]
+          # The username required for authenticating with the SMTP server.
+          # JF_SMTP_USER: ""
+
+          # [Mandatory if JF_SMTP_SERVER is set]
+          # The password associated with the username required for authentication with the SMTP server.
+          # JF_SMTP_PASSWORD: ""
+
+          ##########################################################################
+          ##   If your project uses a 'frogbot-config.yml' file, you can define   ##
+          ##   the following variables inside the file, instead of here.          ##
+          ##########################################################################
+
+          # [Mandatory if the two conditions below are met]
+          # 1. The project uses yarn 2, NuGet or .NET Core to download its dependencies
+          # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
+          #
+          # The command that installs the project dependencies (e.g "nuget restore")
+          # JF_INSTALL_DEPS_CMD: ""
+
+          # [Optional, default: "."]
+          # Relative path to the root of the project in the Git repository. If left empty (without providing "." yourself as default), a recursive scan is triggered from the root directory of the project.
+          # JF_WORKING_DIR: path/to/project/dir
+
+          # [Default: "*git*;*node_modules*;*target*;*venv*;*test*"]
+          # List of exclusion patterns (utilizing wildcards) for excluding paths in the source code of the Git repository during SCA scans.
+          # JF_PATH_EXCLUSIONS: "*git*;*node_modules*;*target*;*venv*;*test*"
+
+          # [Optional]
+          # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
+          # JF_WATCHES: <watch-1>,<watch-2>...<watch-n>
+
+          # [Optional]
+          # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
+          # JF_PROJECT: <project-key>
+
+          # [Optional, default: "FALSE"]
+          # Displays all existing vulnerabilities, including the ones that were added by the pull request.
+          # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
+
+          # [Optional, default: "FALSE"]
+          # When adding new comments on pull requests, keep old comments that were added by previous scans.
+          # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
+
+          # [Optional, default: "TRUE"]
+          # Fails the Frogbot task if any security issue is found.
+          # JF_FAIL: "FALSE"
+
+          # [Optional]
+          # Frogbot will download the project dependencies if they're not cached locally. To download the
+          # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
+          # need to set this value, if it is set in the frogbot-config.yml file.
+          # JF_DEPS_REPO: ""
+
+          # [Optional, Default: "FALSE"]
+          # If TRUE, Frogbot creates a single pull request with all the fixes.
+          # If false, Frogbot creates a separate pull request for each fix.
+          # JF_GIT_AGGREGATE_FIXES: "FALSE"
+
+          # [Optional, Default: "FALSE"]
+          # Handle vulnerabilities with fix versions only
+          # JF_FIXABLE_ONLY: "TRUE"
+
+          # [Optional]
+          # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
+          # The following values are accepted: Low, Medium, High or Critical
+          # JF_MIN_SEVERITY: ""
+
+          # [Optional]
+          # List of comma separated email addresses to receive email notifications about secrets
+          # detected during pull request scanning. The notification is also sent to the email set
+          # in the committer git profile regardless of whether this variable is set or not.
+          # JF_EMAIL_RECEIVERS: ""
+
+          # [Optional]
+          # Set the list of allowed licenses
+          # The full list of licenses can be found in:
+          # https://github.com/jfrog/frogbot/blob/master/docs/licenses.md
+          # JF_ALLOWED_LICENSES: "MIT, Apache-2.0"
+
+          # [Optional]
+          # Avoid adding extra info to pull request comments. that isn't related to the scan findings.
+          # JF_AVOID_EXTRA_MESSAGES: "TRUE"
+
+          # [Optional]
+          # Add a title to pull request comments generated by Frogbot.
+          # JF_PR_COMMENT_TITLE: ""