Add PNPM package manager support#1519

Open
nartuk wants to merge 1 commit into jfrog:master from nartuk:RTECO-366

Conversation

@nartuk nartuk commented Feb 5, 2026

Related to feature request: RTECO-366

Requires:

Required for:


  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • All static analysis checks passed.
  • This pull request is on the master branch.
  • I used gofmt for formatting the code before submitting the pull request.

github-actions bot commented Feb 5, 2026

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 3 issues

| Scan Category | Status | Security Issues |
| --- | --- | --- |
| Software Composition Analysis | ℹ️ Not Scanned | - |
| Contextual Analysis | ✅ Done | - |
| Static Application Security Testing (SAST) | ✅ Done | 3 Issues Found (3 Medium) |
| Secrets | ✅ Done | - |
| Infrastructure as Code (IaC) | ✅ Done | Not Found |

github-actions bot commented Feb 5, 2026

Finding: `configFilePath` at common/commands/configfile.go (line 399)

🎯 Static Application Security Testing (SAST) Vulnerability

| Severity | Finding |
| --- | --- |
| Medium | Untrusted stored input used in file paths, allowing access to unintended files. |

Full description

Vulnerability Details

Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled
input, such as file names or paths, is stored by the application and later used
without proper validation or sanitization to perform file operations. This can
allow an attacker to traverse directories and access or overwrite sensitive files
on the filesystem, potentially compromising the security and integrity of the
application or system.

Vulnerable example

```go
func serveFile(w http.ResponseWriter, r *http.Request) {
    var filePath string // db is an opened *sql.DB
    // The path is read from stored data, not straight from the request.
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    if err := row.Scan(&filePath); err != nil {
        http.Error(w, "not found", http.StatusNotFound)
        return
    }
    http.ServeFile(w, r, filePath) // used without any validation
}
```

In this example, the serveFile function serves a file based on the file query
parameter provided by the user. However, in a real-world scenario, the filePath
variable might be retrieved from a stored source, such as a database or configuration
file, instead of being directly obtained from the request URL. The vulnerability
arises if the stored filePath is not properly validated or sanitized before being
used to serve files. Attackers could manipulate the stored filePath to perform
directory traversal attacks, potentially accessing sensitive files outside the
intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate
and sanitize user-controlled input before using it to construct file paths or
perform file operations. In this example, we can validate the file name to ensure
it does not contain directory traversal sequences before serving the file.

```go
func serveFile(w http.ResponseWriter, r *http.Request) {
    var filePath string // db is an opened *sql.DB
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    if err := row.Scan(&filePath); err != nil {
        http.Error(w, "not found", http.StatusNotFound)
        return
    }
    // Added: validate the stored path to prevent directory traversal
    if strings.Contains(filePath, "..") {
        http.Error(w, "Invalid file path", http.StatusBadRequest)
        return
    }
    http.ServeFile(w, r, filePath)
}
```

Code Flows

Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ coreutils.GetJfrogHomeDir() (at artifactory/utils/utils.go line 57)

↘️ (string, error) (at artifactory/utils/utils.go line 49)

↘️ getConfigDir(global) (at artifactory/utils/utils.go line 42)

↘️ configDir (at artifactory/utils/utils.go line 42)

↘️ configDir (at artifactory/utils/utils.go line 46)

↘️ filepath.Join(configDir, "projects") (at artifactory/utils/utils.go line 46)

↘️ return filepath.Join(configDir, "projects"), nil (at artifactory/utils/utils.go line 46)

↘️ (string, error) (at artifactory/utils/utils.go line 41)

↘️ utils.GetProjectDir(global) (at common/commands/configfile.go line 134)

↘️ projectDir (at common/commands/configfile.go line 134)

↘️ projectDir (at common/commands/configfile.go line 142)

↘️ filepath.Join(projectDir, confType.String()+".yaml") (at common/commands/configfile.go line 142)

↘️ configFilePath (at common/commands/configfile.go line 143)

↘️ configFilePath (at common/commands/configfile.go line 382)

↘️ configFilePath (at common/commands/configfile.go line 399)
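Added example, not Frogbot's remediation snippet and not code from the jfrog-cli-core repository: a base-directory confinement check for the flow flagged above, where the project directory is derived from the JFrog home environment variable and the file name is appended with `filepath.Join`. It puts the rule's `strings.Contains(filePath, "..")` heuristic next to a lexical check that the joined path stays inside the configured directory, showing a legitimate name the heuristic rejects and traversal inputs the confinement check catches. `ConfinePath` and the sample directory are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the cleaned path escapes baseDir.
var ErrOutsideBase = errors.New("path escapes base directory")

// ContainsDotDot is the substring heuristic from the rule's remediation
// snippet: it rejects legitimate names such as "my..config.yaml" and
// says nothing about which directory the path ends up in.
func ContainsDotDot(p string) bool {
	return strings.Contains(p, "..")
}

// ConfinePath (hypothetical helper) joins name onto baseDir, as the
// flagged filepath.Join(projectDir, confType.String()+".yaml") does, and
// checks that the lexically cleaned result still lies inside baseDir.
// The check is lexical only: it does not follow symlinks under baseDir;
// for an existing file, resolve both sides with filepath.EvalSymlinks.
func ConfinePath(baseDir, name string) (string, error) {
	base := filepath.Clean(baseDir)
	joined := filepath.Join(base, name) // Join also cleans "a/../b"
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

func main() {
	// Constructed sample; in the flagged flow this comes from the JFrog
	// home environment variable via getConfigDir/GetProjectDir.
	const projectDir = "/home/ci/.jfrog/projects"
	for _, confType := range []string{"pnpm", "my..config", "../../outside"} {
		name := confType + ".yaml"
		p, err := ConfinePath(projectDir, name)
		fmt.Printf("%-20q dotdot=%-5v path=%q err=%v\n",
			name, ContainsDotDot(name), p, err)
	}
}
```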




github-actions bot commented Feb 5, 2026

Finding: `configFilePath` at common/commands/configfile.go (line 408)

🎯 Static Application Security Testing (SAST) Vulnerability

| Severity | Finding |
| --- | --- |
| Medium | Untrusted stored input used in file paths, allowing access to unintended files. |

Full description

Vulnerability Details

Rule ID: go-stored-path-traversal

Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ coreutils.GetJfrogHomeDir() (at artifactory/utils/utils.go line 57)

↘️ (string, error) (at artifactory/utils/utils.go line 49)

↘️ getConfigDir(global) (at artifactory/utils/utils.go line 42)

↘️ configDir (at artifactory/utils/utils.go line 42)

↘️ configDir (at artifactory/utils/utils.go line 46)

↘️ filepath.Join(configDir, "projects") (at artifactory/utils/utils.go line 46)

↘️ return filepath.Join(configDir, "projects"), nil (at artifactory/utils/utils.go line 46)

↘️ (string, error) (at artifactory/utils/utils.go line 41)

↘️ utils.GetProjectDir(global) (at common/commands/configfile.go line 134)

↘️ projectDir (at common/commands/configfile.go line 134)

↘️ projectDir (at common/commands/configfile.go line 142)

↘️ filepath.Join(projectDir, confType.String()+".yaml") (at common/commands/configfile.go line 142)

↘️ configFilePath (at common/commands/configfile.go line 143)

↘️ configFilePath (at common/commands/configfile.go line 382)

↘️ configFilePath (at common/commands/configfile.go line 408)




github-actions bot commented Feb 5, 2026

Finding: `destination` at common/commands/configfile.go (line 195)

🎯 Static Application Security Testing (SAST) Vulnerability

| Severity | Finding |
| --- | --- |
| Medium | Untrusted stored input used in file paths, allowing access to unintended files. |

Full description

Vulnerability Details

Rule ID: go-stored-path-traversal

Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ coreutils.GetJfrogHomeDir() (at artifactory/utils/utils.go line 57)

↘️ (string, error) (at artifactory/utils/utils.go line 49)

↘️ getConfigDir(global) (at artifactory/utils/utils.go line 42)

↘️ configDir (at artifactory/utils/utils.go line 42)

↘️ configDir (at artifactory/utils/utils.go line 46)

↘️ filepath.Join(configDir, "projects") (at artifactory/utils/utils.go line 46)

↘️ return filepath.Join(configDir, "projects"), nil (at artifactory/utils/utils.go line 46)

↘️ (string, error) (at artifactory/utils/utils.go line 41)

↘️ utils.GetProjectDir(global) (at common/commands/configfile.go line 134)

↘️ projectDir (at common/commands/configfile.go line 134)

↘️ projectDir (at common/commands/configfile.go line 142)

↘️ filepath.Join(projectDir, confType.String()+".yaml") (at common/commands/configfile.go line 142)

↘️ configFilePath (at common/commands/configfile.go line 152)

↘️ destination (at common/commands/configfile.go line 190)

↘️ destination (at common/commands/configfile.go line 195)




@naveenku-jfrog naveenku-jfrog commented

There is a Frogbot failure.

@naveenku-jfrog naveenku-jfrog left a comment

Please fix the frogbot failure.

@nartuk
Copy link
Author

nartuk commented Feb 10, 2026

@naveenku-jfrog thank you for the review!
The flagged issues raised by Frogbot are unrelated to my contribution and are related to the existing codebase.
