
frogbot can panic when JF_ALLOW_PARTIAL_RESULTS=true #962

@donloman

Description

Describe the bug

While running a Frogbot scan (frogbot scan-pull-request), with environment variable JF_ALLOW_PARTIAL_RESULTS=true, frogbot panicked.

Possible fix: check for nil in scanpullrequest.go:

func filterJasResultsIfScanFailed(targetResult, sourceResult *results.TargetResults, scanType jasutils.JasScanType) {
+	// Guard against nil JasResults - if either source or target has nil JasResults, there's nothing to filter
+	if sourceResult.JasResults == nil || targetResult.JasResults == nil {
+		return
+	}
+
	switch scanType {
	case jasutils.Applicability:
		if isJasScanFailedInSourceOrTarget(sourceResult.JasResults.ApplicabilityScanResults, targetResult.JasResults.ApplicabilityScanResults) {
			log.Debug(fmt.Sprintf(vulnerabilitiesFilteringErrorMessage, scanType.String()))
			sourceResult.JasResults.ApplicabilityScanResults = nil
		}
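Review bot: the early return on the combined `sourceResult.JasResults == nil || targetResult.JasResults == nil` check changes the outcome of the Applicability branch below it, which drops the source's ApplicabilityScanResults when the scan failed in source *or* target. With the guard, a nil `targetResult.JasResults` is treated as "nothing to filter" and the source findings are kept, whereas the existing logic discards source findings whenever the target side is unusable. Consider splitting the two cases: return early only when `sourceResult.JasResults == nil` (there is genuinely nothing to filter), and otherwise treat a nil `targetResult.JasResults` like a failed target scan (or state in the comment why keeping the source results is the intended behaviour). The guard also does not cover `sourceResult` or `targetResult` themselves being nil; if callers can pass those, the check should include them.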

Current behavior

While running a Frogbot scan (frogbot scan-pull-request), with environment variable JF_ALLOW_PARTIAL_RESULTS=true, frogbot panicked.

...
19:12:00 [Debug] [Thread 0] Skipping SCA for /tmp/jfrog.cli.temp.-1763146928-1759940729/modules/digicert_automation as no dependencies were found in the target
19:12:00 [Debug] Diff scan - converting to new issues...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x90 pc=0x11c38dc]

goroutine 1 [running]:
github.com/jfrog/frogbot/v2/scanpullrequest.filterJasResultsIfScanFailed(0xc002f66850, 0xc0003a2070, {0x172ca7e, 0xd})
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/5625032/steps/Release/40097658/dependencyState/resources/frogbotGit/scanpullrequest/scanpullrequest.go:323 +0xdc
github.com/jfrog/frogbot/v2/scanpullrequest.filterOutFailedScansIfAllowPartialResultsEnabled(0xc00017c200, 0xc00017c000, 0x1?)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/5625032/steps/Release/40097658/dependencyState/resources/frogbotGit/scanpullrequest/scanpullrequest.go:312 +0xa7
github.com/jfrog/frogbot/v2/scanpullrequest.auditPullRequestSourceCode(0xc000484a08, 0xc000458d80, {0xc000036570, 0x2a}, {0xc000e88240, 0x29})
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/5625032/steps/Release/40097658/dependencyState/resources/frogbotGit/scanpullrequest/scanpullrequest.go:276 +0x3f9
github.com/jfrog/frogbot/v2/scanpullrequest.auditPullRequestCode(0xc000484a08, 0xc000458d80, {0xc000036570, 0x2a}, {0xc000e88240, 0x29})
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/5625032/steps/Release/40097658/dependencyState/resources/frogbotGit/scanpullrequest/scanpullrequest.go:240 +0x289
github.com/jfrog/frogbot/v2/scanpullrequest.auditPullRequestAndReport(0xc000484a08, {0x19b15c0?, 0xc0006d62d0?})
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/5625032/steps/Release/40097658/dependencyState/resources/frogbotGit/scanpullrequest/scanpullrequest.go:173 +0x26c
github.com/jfrog/frogbot/v2/scanpullrequest.scanPullRequest(0xc000484a08, {0x19b15c0, 0xc0006d62d0})
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/5625032/steps/Release/40097658/dependencyState/resources/frogbotGit/scanpullrequest/scanpullrequest.go:102 +0x330
github.com/jfrog/frogbot/v2/scanpullrequest.(*ScanPullRequestCmd).Run(0xc00049c4e0?, {0xc000484a08, 0x1, 0x1}, {0x19b15c0, 0xc0006d62d0}, 0xc0004a0840)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/5625032/steps/Release/40097658/dependencyState/resources/frogbotGit/scanpullrequest/scanpullrequest.go:54 +0x2c6
main.Exec({0x198d340, 0x2cac020}, {0x173a398, 0x11})
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/5625032/steps/Release/40097658/dependencyState/resources/frogbotGit/commands.go:103 +0x45e
main.GetCommands.func1(0xc00043bbc0?)
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/5625032/steps/Release/40097658/dependencyState/resources/frogbotGit/commands.go:34 +0x2c
github.com/urfave/cli/v2.(*Command).Run(0xc000336580, 0xc00043bbc0, {0xc000465020, 0x1, 0x1})
	/home/frogger/go/pkg/mod/github.com/urfave/cli/v2@v2.27.4/command.go:276 +0x7be
github.com/urfave/cli/v2.(*Command).Run(0xc000336c60, 0xc00043ba40, {0xc000032140, 0x2, 0x2})
	/home/frogger/go/pkg/mod/github.com/urfave/cli/v2@v2.27.4/command.go:269 +0xa45
github.com/urfave/cli/v2.(*App).RunContext(0xc000384600, {0x1999210, 0x2cac020}, {0xc000032140, 0x2, 0x2})
	/home/frogger/go/pkg/mod/github.com/urfave/cli/v2@v2.27.4/app.go:333 +0x5a5
github.com/urfave/cli/v2.(*App).Run(...)
	/home/frogger/go/pkg/mod/github.com/urfave/cli/v2@v2.27.4/app.go:307
main.ExecMain()
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/5625032/steps/Release/40097658/dependencyState/resources/frogbotGit/main.go:25 +0x13b
main.main()
	/var/opt/jfrog/pipelines/data/release_frogbot/runs/5625032/steps/Release/40097658/dependencyState/resources/frogbotGit/main.go:14 +0x18
...

Reproduction steps

  1. export JF_ALLOW_PARTIAL_RESULTS=true
  2. launch frogbot. (In this case, it was frogbot scan-pull-request in a repo of mine containing multiple python projects defined with requirements.txt files managed with pip)

Result: frogbot does its thing for a while, but then panics after reporting [Debug] Diff scan - converting to new issues...

Expected behavior

frogbot should run without panicking

JFrog Frogbot version

2.29.1

Package manager info

multiple requirements.txt (pip).

Git provider

Bitbucket Server

JFrog Frogbot configuration yaml file

No response

Operating system type and version

linux

JFrog Xray version

3.107.11
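The following added example is not frogbot's code and is not part of the issue report; it uses simplified stand-in types (ScanResult, JasResults, TargetResults, anyFailed, filterUnguarded, filterGuarded, Panics are all hypothetical names chosen here) to show, in runnable Go, how an unconditional dereference of a nil JasResults produces the nil pointer dereference in the trace above, and how a guard of the kind proposed in the issue prevents it while still discarding source results when a scan failed on either side.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for the result types seen in the trace.
// These are NOT frogbot's real definitions.
type ScanResult struct {
	Failed bool // constructed flag: true when the scan did not complete
}

type JasResults struct {
	ApplicabilityScanResults []ScanResult
}

type TargetResults struct {
	JasResults *JasResults // nil when no JAS scan ran for this side
}

// anyFailed mirrors the "scan failed in source or target" condition:
// it reports true if any result on either side is marked failed.
func anyFailed(source, target []ScanResult) bool {
	for _, side := range [][]ScanResult{source, target} {
		for _, r := range side {
			if r.Failed {
				return true
			}
		}
	}
	return false
}

// filterUnguarded dereferences JasResults on both sides unconditionally.
// When either side has a nil JasResults this is a nil pointer dereference,
// which is the crash reported with JF_ALLOW_PARTIAL_RESULTS=true.
func filterUnguarded(target, source *TargetResults) {
	if anyFailed(source.JasResults.ApplicabilityScanResults, target.JasResults.ApplicabilityScanResults) {
		source.JasResults.ApplicabilityScanResults = nil
	}
}

// filterGuarded adds the nil check suggested in the issue (extended to the
// TargetResults pointers themselves) before touching either side.
func filterGuarded(target, source *TargetResults) {
	if source == nil || target == nil || source.JasResults == nil || target.JasResults == nil {
		return // nothing to filter (or nothing safe to inspect)
	}
	if anyFailed(source.JasResults.ApplicabilityScanResults, target.JasResults.ApplicabilityScanResults) {
		source.JasResults.ApplicabilityScanResults = nil
	}
}

// Panics runs fn and reports whether it panicked, so the two variants can be
// compared in-process instead of crashing the program.
func Panics(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	// Constructed inputs: the source has one successful result, the target has
	// no JAS results at all (JasResults == nil), as can happen when a scan is
	// skipped for one side under partial results.
	source := &TargetResults{JasResults: &JasResults{ApplicabilityScanResults: []ScanResult{{Failed: false}}}}
	target := &TargetResults{}

	fmt.Println("unguarded panics:", Panics(func() { filterUnguarded(target, source) }))
	fmt.Println("guarded panics:  ", Panics(func() { filterGuarded(target, source) }))
	fmt.Println("source results kept:", len(source.JasResults.ApplicabilityScanResults))
}
```

The guard only prevents the crash; whether a nil target JasResults should be treated like a failed target scan (and therefore cause the source results to be dropped) is a policy decision for the project, and the filterGuarded variant here simply returns, as the issue's proposed fix does.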
