0
votes

We use Jenkins, and publish artefacts and build info to Artifactory and then enact an Xray scan. The problem we are finding is that we only seem to get Xray “Component” reports for certain build numbers of an artefact. There are no errors, except that the report doesn’t seem to be in Xray (when searching via “Components” and using the Artefact name).

For example, if the artefact was hellofred::develop::55, then we might enact Xray scan (as below), and the report for that artefact is indeed there in Xray. However, when we do another build from Jenkins (with no changes to the code, but a fresh build and deploy and scan), we see everything succeeding and no errors that we can see. However, we do not see hellofred::develop::56 in Xray. It still says the latest is 55! What is the best approach to troubleshoot?

We use Jenkins JFrog plugin code to enact an Xray scan, as standard. E.g., our pipeline code looks something like...

    def scanConfig = [
        'buildName'  : script.artifactoryBuildInfo.name,
        'buildNumber': script.artifactoryBuildInfo.number,
        'failBuild'  : true
    ]
    def scanResult = artifactory.xrayScan scanConfig

Examples of the Jenkins console output from that report even show us the URL of the link to hellofred::develop::56, yet when we click it, it takes us to the latest, which is hellofred::develop::55. (This is because there doesn’t seem to be a report for 56.) E.g., some excerpts from the Jenkins console output are:

11:03:31  [Pipeline] }
11:03:31  [Pipeline] // stage
11:03:31  [Pipeline] stage (hide)
11:03:31  [Pipeline] { (Xray scan) (hide)
11:03:31  [Pipeline] echo (hide)
11:03:31  Xray scan: true
11:03:31  [Pipeline] xrayScanBuild (hide)
11:03:40  Build hellofred:: develop number 56 was scanned by Xray and passed with no Alerts
11:03:40  Xray scan details are available at: http://xray-1.blah.blah:8000/web/#/component/details/build:~2F~2Fhellofred%20::%20develop%2F56
11:03:40  [Pipeline] echo (hide)
11:03:40  XRAY failed: SUCCESS
11:03:40  [Pipeline] echo (hide)
11:03:40  {
11:03:40    "summary" : {
11:03:40      "message" : "Build hellofred :: develop number 56 was scanned by Xray and passed with no Alerts",
11:03:40      "total_alerts" : 0,
11:03:40      "fail_build" : false,
11:03:40      "more_details_url" : "http://xray-1.blah.blah:8000/web/#/component/details/build:~2F~2Fhellofred%20::%20develop%2F56"
11:03:40    },
11:03:40    "alerts" : [ ],
11:03:40    "licenses" : [ {
11:03:40      "name" : "Unknown",
11:03:40      "components" : [etc blah blah blah],
11:03:40      "full_name" : "Unknown license"
11:03:40    }, {
11:03:40      "name" : "Apache-2.0",
11:03:40      "components" : [ "gav://org.apache.logging.log4j:log4j-slf4j-impl:2.11.2", "gav://org.mongodb:mongodb-driver:3.8.2", 
2
Do you see the build with number hellofred:56 in the JFrog Xray UI at all? For example, if you search for it?
Chen Keinan

2 Answers

0
votes

The problem might be that you're not publishing the info? Let me share a sample pipeline script that does something very similar.

node {
    def server = Artifactory.server SERVER_ID
    def rtGradle = Artifactory.newGradleBuild()
    //Clone example code from GitHub repository
    stage 'Build'
        git url: 'myGitServer', branch: 'myProjectBranch'
    //Configure Artifactory repository to pull/push artifacts
    stage 'Artifactory configuration'
        rtGradle.tool = 'gradle-3.5' // Tool name from Jenkins configuration
        rtGradle.deployer repo: 'gradle-release', server: server // This is where I deploy to
        rtGradle.resolver repo:'libs-release', server: server
        rtGradle.deployer.addProperty("unit-test", "pass").addProperty("qa-team", "platform", "ui")
        def buildInfo = Artifactory.newBuildInfo() // This is where the initial BuildInfo is created
        buildInfo.env.capture = true // This is where all environment data is captured
    //Run gradle build
    stage 'Exec Gradle'
        sh 'rm -rf ~/.gradle/caches'
        rtGradle.run rootDir: "gradle-examples/4/gradle-example-ci-server/", buildFile: 'build.gradle', tasks: 'clean artifactoryPublish', buildInfo: buildInfo
    //Publish artifacts to Artifactory along with build information and scan build artifacts in Xray
    stage 'Publish Build Information & Scan Artifacts'
        server.publishBuildInfo buildInfo // This is where BuildInfo is published
        def scanConfig = [
            'buildName'  : env.JOB_NAME,
            'buildNumber': env.BUILD_NUMBER,
            'failBuild'  : true
        ]
        def scanResult = server.xrayScan scanConfig
        echo scanResult as String
}
0
votes

I have confirmed that we do indeed publish the buildInfo to Artifactory, as above. It seems a very odd problem, as it's intermittent. However, we do always notice that the "DATE modified" field for the Xray component is always updated for the report, but not necessarily the "latest build number".

E.g., if Jenkins was performing build number 88 for hello-fred at 3:55 PM on August 1st, we published the info to Artifactory, and it is indeed there for hello-fred: build number 88. However, the Xray scan triggers, and when we search for component "hello-fred", we sometimes may see that latest build report, e.g. "hello-fred:88" with latest build number of 88 and "DATE modified" of 3:55 PM on August 1st. However, this is intermittent, and we often notice that the report for this component seems missing in Xray. For example, it is maybe not updated. The latest build is the last one, e.g. maybe "82". So Xray says that the latest build is "82" (although it gave us a link for the apparently successfully produced report "88"). However, the "DATE modified" field is always correctly updated, e.g. 3:55 PM on August 1st.

We are using a "Trial Licence". So, not sure how best to troubleshoot this? Any ideas? It seems like something in Xray is being lost, e.g. maybe a message on the RabbitMQ queue? Is this a known bug? Or how best to troubleshoot? Thanks