diff --git a/go.mod b/go.mod
index 6c6fad720..f8e3ed529 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
module github.com/jfrog/frogbot/v2
-go 1.25.5
+go 1.25.7
require (
github.com/CycloneDX/cyclonedx-go v0.9.3
@@ -10,9 +10,9 @@ require (
github.com/jfrog/build-info-go v1.13.1-0.20260216093441-40a4dc563294
github.com/jfrog/froggit-go v1.21.0
github.com/jfrog/gofrog v1.7.6
- github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260218070105-39c72c2c8214
- github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260218080258-3bf55ed18973
- github.com/jfrog/jfrog-cli-security v1.26.2
+ github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260303101540-67cc7f55724b
+ github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260225195817-bc599cec3973
+ github.com/jfrog/jfrog-cli-security v1.26.3
github.com/jfrog/jfrog-client-go v1.55.1-0.20260225080504-17057750d47b
github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible
github.com/owenrumney/go-sarif/v3 v3.2.3
@@ -36,7 +36,7 @@ require (
github.com/chzyer/readline v1.5.1 // indirect
github.com/clipperhouse/stringish v0.1.1 // indirect
github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
- github.com/cloudflare/circl v1.6.1 // indirect
+ github.com/cloudflare/circl v1.6.3 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
github.com/cyphar/filepath-securejoin v0.6.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
@@ -126,7 +126,7 @@ require (
gopkg.in/warnings.v0 v0.1.2 // indirect
)
-replace github.com/jfrog/jfrog-cli-security => github.com/eranturgeman/jfrog-cli-security v0.0.0-20260224124116-b7910a66147c
+// replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security dev
// replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev
diff --git a/go.sum b/go.sum
index 1ed6ff4ce..126bd9b58 100644
--- a/go.sum
+++ b/go.sum
@@ -42,8 +42,8 @@ github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfa
github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
github.com/clipperhouse/uax29/v2 v2.3.0 h1:SNdx9DVUqMoBuBoW3iLOj4FQv3dN5mDtuqwuhIGpJy4=
github.com/clipperhouse/uax29/v2 v2.3.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g=
-github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
-github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
+github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=
github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -60,8 +60,6 @@ github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o
github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
-github.com/eranturgeman/jfrog-cli-security v0.0.0-20260224124116-b7910a66147c h1:nzqK7zOxVu3wuROny5itQbKINQf1F/qx5jwDzKYASXw=
-github.com/eranturgeman/jfrog-cli-security v0.0.0-20260224124116-b7910a66147c/go.mod h1:wyFzfjYoc8yE2dievbYm8kTaqB6LQRn5Y4Vlk3U0Vz0=
github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
@@ -83,8 +81,8 @@ github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMj
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s=
github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
@@ -146,10 +144,12 @@ github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s=
github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4=
github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
-github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260218070105-39c72c2c8214 h1:XFWrW8nmKheIs3jdiphozbagBXEgybafcb0eFatkKQ4=
-github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260218070105-39c72c2c8214/go.mod h1:qEUp3kyKkocqvf7xErppgAtkmudZR1TMaQUvDTGYCUI=
-github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260218080258-3bf55ed18973 h1:fOlWUGkCuujnIcE3166gpTdvicwv1wAZhLrfbm+f6rY=
-github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260218080258-3bf55ed18973/go.mod h1:GDveG1xAoiM12JlSx8RE0OcJ6Ov+xcmpmGv84we3pMA=
+github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260303101540-67cc7f55724b h1:RFVA0SoRC1Hf54BdDkt3mv4x5t3600AqUcpA5Fy3n3E=
+github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260303101540-67cc7f55724b/go.mod h1:IRUe9nYwCUq8V2WRDUd4bddwiXXdkxvNQ36+0U0uHqI=
+github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260225195817-bc599cec3973 h1:awB01Y4m0cWzmXuR3waf5IQnoQxDlbUmqT+FMWOpjbs=
+github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260225195817-bc599cec3973/go.mod h1:yhi+XpiEx18a3t8CZ6M2VpAf3EGqKpBhTzoPBTFe0dk=
+github.com/jfrog/jfrog-cli-security v1.26.3 h1:991m5HZrFxR8GOg5ALxTGxih73+wTPmLvlLG0VaXDxk=
+github.com/jfrog/jfrog-cli-security v1.26.3/go.mod h1:eZLjW37Z6f1DbeKCsL+NnYSm41hQnV1wV6NpLfIOwLw=
github.com/jfrog/jfrog-client-go v1.55.1-0.20260225080504-17057750d47b h1:mSxcMTXtnrYMVhCGk7ui2ERh6yLoUVUQhXaNwd3FhL8=
github.com/jfrog/jfrog-client-go v1.55.1-0.20260225080504-17057750d47b/go.mod h1:sCE06+GngPoyrGO0c+vmhgMoVSP83UMNiZnIuNPzU8U=
github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
@@ -313,16 +313,16 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
-go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
-go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
-go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
+go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
+go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
+go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
+go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
-go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
+go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
+go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
diff --git a/packagehandlers/conanpackagehandler.go b/packagehandlers/conanpackagehandler.go
index 99c703b6c..d88799379 100644
--- a/packagehandlers/conanpackagehandler.go
+++ b/packagehandlers/conanpackagehandler.go
@@ -68,7 +68,7 @@ func (conan *ConanPackageHandler) updateConanFile(conanFilePath string, vulnDeta
log.Debug(fmt.Sprintf("impacted dependency '%s' not found in descriptor '%s', moving to the next descriptor if exists...", impactedDependency, conanFilePath))
return false, nil
}
- if err = os.WriteFile(conanFilePath, []byte(fixedFile), 0600); err != nil {
+ if err = os.WriteFile(conanFilePath, []byte(fixedFile), 0600); err != nil { // #nosec G703
err = fmt.Errorf("an error occured while writing the fixed version of %s to the requirements file '%s': %s", vulnDetails.ImpactedDependencyName, conanFilePath, err.Error())
}
isFileChanged = true
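Review bot: The `// #nosec G703` added on the `os.WriteFile` line suppresses a linter finding without recording why it is a false positive, so a later reader cannot tell whether `conanFilePath` was ever checked before being written to. gosec accepts a justification after the rule id; something like `// #nosec G703 -- conanFilePath is a descriptor path located inside the cloned repository, not external input` keeps the audit trail, assuming that is in fact where the path comes from (its origin is not visible in this hunk). `updateConanFile` begins and ends outside the hunk.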
diff --git a/packagehandlers/gradlepackagehandler.go b/packagehandlers/gradlepackagehandler.go
index 7a6c511d4..f9dbd00be 100644
--- a/packagehandlers/gradlepackagehandler.go
+++ b/packagehandlers/gradlepackagehandler.go
@@ -2,10 +2,11 @@ package packagehandlers
import (
"fmt"
- "github.com/jfrog/frogbot/v2/utils"
"os"
"regexp"
"strings"
+
+ "github.com/jfrog/frogbot/v2/utils"
)
const (
@@ -149,7 +150,7 @@ func writeUpdatedBuildFile(filePath string, fileContent string) (err error) {
return
}
- err = os.WriteFile(filePath, []byte(fileContent), fileInfo.Mode())
+ err = os.WriteFile(filePath, []byte(fileContent), fileInfo.Mode()) // #nosec G703
if err != nil {
err = fmt.Errorf("couldn't write fixes to file '%s': %q", filePath, err)
}
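Review bot: The `// #nosec G703` suppression on the `os.WriteFile` call carries no justification, and the write re-applies `fileInfo.Mode()` unchanged, so any unusual permission bits already on the build file are preserved; a reviewer checking the suppression has nothing to go on. Appending a reason, e.g. `// #nosec G703 -- filePath is a build descriptor found within the scanned repository; existing mode is kept on purpose`, would make the intent reviewable; whether `filePath` is repository-derived cannot be confirmed from the hunk. `writeUpdatedBuildFile` starts outside the hunk, as does the `fileInfo` lookup.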
diff --git a/scanrepository/scanrepository_test.go b/scanrepository/scanrepository_test.go
index 0bc737e33..21f3d281d 100644
--- a/scanrepository/scanrepository_test.go
+++ b/scanrepository/scanrepository_test.go
@@ -111,7 +111,7 @@ func TestScanRepositoryCmd_Run(t *testing.T) {
{
testName: "aggregate-multi-dir",
expectedPackagesInBranch: map[string][]string{"frogbot-update-68d9dee2475e5986e783d85dfa11baa0-dependencies-master": {"uuid", "minimatch", "mpath", "minimist"}},
- expectedVersionUpdatesInBranch: map[string][]string{"frogbot-update-68d9dee2475e5986e783d85dfa11baa0-dependencies-master": {"^1.2.6", "^9.0.0", "^0.8.4", "^10.2.1"}},
+ expectedVersionUpdatesInBranch: map[string][]string{"frogbot-update-68d9dee2475e5986e783d85dfa11baa0-dependencies-master": {"^1.2.6", "^9.0.0", "^0.8.4", "^10.2.3"}},
expectedMissingFilesInBranch: map[string][]string{"frogbot-update-68d9dee2475e5986e783d85dfa11baa0-dependencies-master": {"npm1/package-lock.json", "npm2/package-lock.json"}},
packageDescriptorPaths: []string{"npm1/package.json", "npm2/package.json"},
aggregateFixes: true,
@@ -120,7 +120,7 @@ func TestScanRepositoryCmd_Run(t *testing.T) {
{
testName: "aggregate-multi-project",
expectedPackagesInBranch: map[string][]string{"frogbot-update-68d9dee2475e5986e783d85dfa11baa0-dependencies-master": {"uuid", "minimatch", "mpath"}, "frogbot-update-e8fa179873704bb1362147aff9c40040-dependencies-master": {"pyjwt", "pexpect"}},
- expectedVersionUpdatesInBranch: map[string][]string{"frogbot-update-68d9dee2475e5986e783d85dfa11baa0-dependencies-master": {"^9.0.0", "^0.8.4", "^10.2.1"}, "frogbot-update-e8fa179873704bb1362147aff9c40040-dependencies-master": {"2.4.0"}},
+ expectedVersionUpdatesInBranch: map[string][]string{"frogbot-update-68d9dee2475e5986e783d85dfa11baa0-dependencies-master": {"^9.0.0", "^0.8.4", "^10.2.3"}, "frogbot-update-e8fa179873704bb1362147aff9c40040-dependencies-master": {"2.4.0"}},
expectedMissingFilesInBranch: map[string][]string{"frogbot-update-68d9dee2475e5986e783d85dfa11baa0-dependencies-master": {"npm/package-lock.json"}},
packageDescriptorPaths: []string{"npm/package.json", "pip/requirements.txt"},
aggregateFixes: true,
diff --git a/testdata/scanpullrequest/expected_response_multi_dir.md b/testdata/scanpullrequest/expected_response_multi_dir.md
index d0993f054..6a42736cd 100644
--- a/testdata/scanpullrequest/expected_response_multi_dir.md
+++ b/testdata/scanpullrequest/expected_response_multi_dir.md
@@ -11,11 +11,11 @@
## 📗 Scan Summary
-- Frogbot scanned for vulnerabilities and found 4 issues
+- Frogbot scanned for vulnerabilities and found 6 issues
| Scan Category | Status | Security Issues |
| --------------------- | :-----------------------------------: | ----------------------------------- |
-| **Software Composition Analysis** | ✅ Done | 4 Issues Found
4 High
|
+| **Software Composition Analysis** | ✅ Done | 6 Issues Found
6 High
|
| **Contextual Analysis** | ✅ Done | - |
| **Static Application Security Testing (SAST)** | ✅ Done | Not Found |
| **Secrets** | ✅ Done | - |
@@ -27,6 +27,8 @@
| Severity | ID | Contextual Analysis | Direct Dependencies | Impacted Dependency | Fixed Versions |
| :---------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: |
+| 
High | CVE-2026-27904 | Not Covered | minimatch:3.0.4 | minimatch 3.0.4 | [3.1.4]
[4.2.5]
[5.1.8]
[6.2.2]
[7.4.8]
[8.0.6]
[9.0.7]
[10.2.3] |
+| 
High | CVE-2026-27903 | Not Applicable | minimatch:3.0.4 | minimatch 3.0.4 | [3.1.3]
[4.2.5]
[5.1.8]
[6.2.2]
[7.4.8]
[8.0.6]
[9.0.7]
[10.2.3] |
| 
High | CVE-2026-26996 | Not Applicable | minimatch:3.0.4 | minimatch 3.0.4 | [3.1.3]
[4.2.4]
[5.1.7]
[6.2.1]
[7.4.7]
[8.0.5]
[9.0.6]
[10.2.1] |
| 
High | CVE-2022-3517 | Not Applicable | minimatch:3.0.4 | minimatch 3.0.4 | [3.0.5] |
| 
High | CVE-2022-29217 | Not Covered | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.4.0] |
@@ -38,12 +40,106 @@
### 🔖 Details
+[ CVE-2026-27904 ] minimatch 3.0.4
+
+### Vulnerability Details
+| | |
+| --------------------- | :-----------------------------------: |
+| **Jfrog Research Severity:** |
Medium |
+| **Contextual Analysis:** | Not Covered |
+| **Direct Dependencies:** | minimatch:3.0.4 |
+| **Impacted Dependency:** | minimatch:3.0.4 |
+| **Fixed Versions:** | [3.1.4], [4.2.5], [5.1.8], [6.2.2], [7.4.8], [8.0.6], [9.0.7], [10.2.3] |
+| **CVSS V3:** | 7.5 |
+
+A ReDoS in minimatch may result in a denial-of-service when processing a crafted glob pattern.
+
+### 🔬 JFrog Research Details
+
+**Description:**
+[Minimatch](https://github.com/isaacs/minimatch) is a JavaScript library used to convert glob expressions into JavaScript objects for minimal matching.
+
+
+**Remediation:**
+##### Development mitigations
+
+The user can use a simple function to count the occurrences of "*" in the input string to make sure it is safe to use before calling `minimatch`:
+
+```
+function redosDetector(input_string, limit) {
+
+ if (typeof input_string !== 'string') {
+ throw new Error('Input must be a string');
+ }
+
+ let count = 0;
+ for (const char of input_string) {
+ if (char === '**') count++;
+ }
+
+ if (count > limit) {
+ throw new Error('Input string contains too many * characters, ReDoS detected');
+ }
+
+ return count;
+}
+```
+
+Another option is to use the safe `{ noext: true }` option if your application doesn't require extglob processing
+
+
+[ CVE-2026-27903 ] minimatch 3.0.4
+
+### Vulnerability Details
+| | |
+| --------------------- | :-----------------------------------: |
+| **Jfrog Research Severity:** |
Medium |
+| **Contextual Analysis:** | Not Applicable |
+| **Direct Dependencies:** | minimatch:3.0.4 |
+| **Impacted Dependency:** | minimatch:3.0.4 |
+| **Fixed Versions:** | [3.1.3], [4.2.5], [5.1.8], [6.2.2], [7.4.8], [8.0.6], [9.0.7], [10.2.3] |
+| **CVSS V3:** | 7.5 |
+
+A ReDoS in minimatch may result in a denial-of-service when processing a crafted glob pattern.
+
+### 🔬 JFrog Research Details
+
+**Description:**
+[Minimatch](https://github.com/isaacs/minimatch) is a JavaScript library used to convert glob expressions into JavaScript objects for minimal matching.
+
+
+**Remediation:**
+##### Development mitigations
+
+The user can use a simple function to count the occurrences of "**" in the input string to make sure it is safe to use before calling `minimatch`:
+
+```
+function redosDetector(input_string, limit) {
+
+ if (typeof input_string !== 'string') {
+ throw new Error('Input must be a string');
+ }
+
+ let count = 0;
+ for (const char of input_string) {
+ if (char === '**') count++;
+ }
+
+ if (count > limit) {
+ throw new Error('Input string contains too many * characters, ReDoS detected');
+ }
+
+ return count;
+}
+```
+
+
[ CVE-2026-26996 ] minimatch 3.0.4
### Vulnerability Details
| | |
| --------------------- | :-----------------------------------: |
-| **Jfrog Research Severity:** |
High |
+| **Jfrog Research Severity:** |
Medium |
| **Contextual Analysis:** | Not Applicable |
| **Direct Dependencies:** | minimatch:3.0.4 |
| **Impacted Dependency:** | minimatch:3.0.4 |
diff --git a/utils/analytics.go b/utils/analytics.go
index a36274b7a..2a34df9f5 100644
--- a/utils/analytics.go
+++ b/utils/analytics.go
@@ -10,7 +10,7 @@ import (
)
func CreateScanEvent(serviceDetails *config.ServerDetails, gitInfo *xscservices.XscGitInfoContext, scanType string) *xscservices.XscAnalyticsGeneralEvent {
- event := xsc.CreateAnalyticsEvent(xscservices.FrogbotProduct, xscservices.FrogbotType, serviceDetails)
+ event := xsc.CreateAnalyticsEvent(xscservices.FrogbotProduct, xscservices.FrogbotType, serviceDetails, "")
event.ProductVersion = FrogbotVersion
event.FrogbotScanType = scanType
event.FrogbotCiProvider = resolveCi()
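Review bot: The new fourth argument to `xsc.CreateAnalyticsEvent` is a bare `""` with nothing at the call site saying which parameter it fills or why it is empty here; the signature is not visible in this hunk, so the literal is opaque to a reader. A trailing comment on the call naming the parameter and stating that the value is not available when the scan event is created, or a named local holding the empty value, would document the choice. `CreateScanEvent` continues past the hunk.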
diff --git a/utils/scandetails.go b/utils/scandetails.go
index 5ab60fd42..f15a4da61 100644
--- a/utils/scandetails.go
+++ b/utils/scandetails.go
@@ -75,7 +75,8 @@ func (sc *ScanDetails) SetProject(project *Project) *ScanDetails {
}
func (sc *ScanDetails) SetResultsContext(httpCloneUrl string, watches []string, jfrogProjectKey string, includeVulnerabilities, includeLicenses bool) *ScanDetails {
- sc.ResultContext = audit.CreateAuditResultsContext(sc.ServerDetails, sc.XrayVersion, watches, sc.RepoPath, jfrogProjectKey, httpCloneUrl, includeVulnerabilities, includeLicenses, false)
+ // Snippet detection is not supported in V2
+ sc.ResultContext = audit.CreateAuditResultsContext(sc.ServerDetails, sc.XrayVersion, watches, sc.RepoPath, jfrogProjectKey, httpCloneUrl, includeVulnerabilities, includeLicenses, false, false)
return sc
}
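Review bot: The comment `// Snippet detection is not supported in V2` explains the new trailing `false` passed to `audit.CreateAuditResultsContext`, but the call now ends in two adjacent positional `false` literals and the comment does not say which one it covers. Binding the value to a named local, `snippetDetection := false // not supported in V2`, and passing that in place of the last argument would make the positional flag self-describing; the meaning of the preceding `false` is not recoverable from this hunk.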