@jfrog/opencode-jfrog-plugin 0.0.2 → 0.0.4

Files changed (34)
  1. package/README.md +105 -51
  2. package/dist/index.js +30 -238
  3. package/package.json +6 -6
  4. package/skills/jfrog/SKILL.md +529 -0
  5. package/skills/jfrog/assets/.gitkeep +0 -0
  6. package/skills/jfrog/references/apptrust-entities.md +154 -0
  7. package/skills/jfrog/references/artifactory-api-gaps.md +206 -0
  8. package/skills/jfrog/references/artifactory-aql-syntax.md +656 -0
  9. package/skills/jfrog/references/artifactory-entities.md +236 -0
  10. package/skills/jfrog/references/artifactory-operations.md +178 -0
  11. package/skills/jfrog/references/catalog-entities.md +219 -0
  12. package/skills/jfrog/references/general-bulk-operations-and-agent-patterns.md +93 -0
  13. package/skills/jfrog/references/general-parallel-execution.md +131 -0
  14. package/skills/jfrog/references/general-use-case-hints.md +27 -0
  15. package/skills/jfrog/references/jfrog-brand-html-report.md +98 -0
  16. package/skills/jfrog/references/jfrog-cli-install-upgrade.md +30 -0
  17. package/skills/jfrog/references/jfrog-entity-index.md +112 -0
  18. package/skills/jfrog/references/jfrog-login-flow.md +132 -0
  19. package/skills/jfrog/references/jfrog-url-references.md +51 -0
  20. package/skills/jfrog/references/onemodel-common-patterns.md +323 -0
  21. package/skills/jfrog/references/onemodel-graphql.md +446 -0
  22. package/skills/jfrog/references/onemodel-query-examples.md +753 -0
  23. package/skills/jfrog/references/platform-access-entities.md +200 -0
  24. package/skills/jfrog/references/platform-admin-api-gaps.md +164 -0
  25. package/skills/jfrog/references/platform-admin-operations.md +58 -0
  26. package/skills/jfrog/references/projects-api.md +241 -0
  27. package/skills/jfrog/references/release-lifecycle-entities.md +180 -0
  28. package/skills/jfrog/references/stored-packages-entities.md +165 -0
  29. package/skills/jfrog/references/xray-entities.md +740 -0
  30. package/skills/jfrog/scripts/check-environment.sh +224 -0
  31. package/skills/jfrog/scripts/jfrog-login-register-session.sh +84 -0
  32. package/skills/jfrog/scripts/jfrog-login-save-credentials.sh +128 -0
  33. package/skills/jfrog-package-safety-and-download/SKILL.md +275 -0
  34. package/sync-skills-vendor.json +5 -0
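--- a/package/skills/jfrog/references/onemodel-query-examples.md
+++ b/package/skills/jfrog/references/onemodel-query-examples.md
@@ -0,0 +1,753 @@
+# OneModel GraphQL query examples
+
+**Important:** These are illustrative query patterns, not guaranteed templates.
+The OneModel schema is a federated supergraph that varies per server based on
+products, entitlements, and license. **Always fetch the actual schema** from
+`GET /onemodel/api/v1/supergraph/schema` and verify that the domains, types,
+fields, and arguments used below exist on the specific server before running
+any query. Replace placeholder values (in angle brackets) with actual values.
+
+**When to read this file:** You are constructing OneModel queries and need
+domain-specific shapes. For the full workflow (credentials, schema cache,
+execution), read `onemodel-graphql.md`. For pagination and variables, read
+`onemodel-common-patterns.md`.
+
+## Applications domain
+
+The `applications` namespace queries applications, versions, and bound package
+versions.
+
+### List all applications
+
+```graphql
+query {
+applications {
+searchApplications(where: {}, first: 50) {
+totalCount
+edges {
+node {
+key
+displayName
+description
+projectKey
+criticality
+maturityLevel
+}
+}
+pageInfo {
+hasNextPage
+endCursor
+}
+}
+}
+}
+```
+
+### Get a single application by key
+
+```graphql
+query {
+applications {
+getApplication(key: "<app-key>") {
+key
+displayName
+description
+projectKey
+criticality
+maturityLevel
+owners {
+name
+type
+}
+labels {
+key
+value
+}
+}
+}
+}
+```
+
+### Search applications with filters
+
+```graphql
+query {
+applications {
+searchApplications(
+where: {
+projectKey: "<project-key>"
+criticality: "high"
+maturityLevel: "production"
+}
+first: 25
+orderBy: { field: NAME, direction: ASC }
+) {
+totalCount
+edges {
+node {
+key
+displayName
+criticality
+maturityLevel
+}
+}
+}
+}
+}
+```
+
+### Get application versions
+
+```graphql
+query {
+applications {
+getApplication(key: "<app-key>") {
+displayName
+versionsConnection(first: 20) {
+totalCount
+edges {
+node {
+version
+status
+}
+}
+pageInfo {
+hasNextPage
+endCursor
+}
+}
+}
+}
+}
+```
+
+### Get application with bound package versions
+
+```graphql
+query {
+applications {
+getApplication(key: "<app-key>") {
+displayName
+packageVersionsConnection(first: 25) {
+edges {
+node {
+type
+name
+version
+}
+}
+}
+}
+}
+}
+```
+
+## Stored packages domain
+
+The `storedPackages` namespace queries packages and versions in Artifactory
+repositories.
+
+### Search stored packages
+
+`StoredPackageConnection` exposes `edges` and `pageInfo` only (no `totalCount`). `StoredPackageTag` has a single field `name` (not key/value pairs).
+
+```graphql
+query {
+storedPackages {
+searchPackages(
+where: { type: "docker" }
+first: 20
+) {
+edges {
+node {
+name
+type
+description
+tags {
+name
+}
+}
+}
+pageInfo {
+hasNextPage
+endCursor
+}
+}
+}
+}
+```
+
+### Get a stored package by name
+
+`StoredPackageVersionConnection` has no `totalCount`. A version’s repos are modeled as `locationsConnection` on `StoredPackageVersion` (e.g. `repositoryKey`, `leadArtifactPath`), not a `repos` field.
+
+```graphql
+query {
+storedPackages {
+getPackage(name: "<package-name>", type: "<PACKAGE_TYPE>") {
+name
+type
+description
+versionsConnection(first: 10) {
+edges {
+node {
+version
+locationsConnection(first: 5) {
+edges {
+node {
+repositoryKey
+leadArtifactPath
+}
+}
+pageInfo {
+hasNextPage
+endCursor
+}
+}
+}
+}
+pageInfo {
+hasNextPage
+endCursor
+}
+}
+}
+}
+}
+```
+
+### Search stored package versions
+
+`StoredPackageVersionWhereInput` does not take package `type` / `name` at the top level — filter via `hasPackageWith` and `StoredPackageWhereInput`.
+
+```graphql
+query {
+storedPackages {
+searchPackageVersions(
+where: {
+hasPackageWith: [{ type: "npm", name: "<package-name>" }]
+}
+first: 20
+) {
+edges {
+node {
+version
+locationsConnection(first: 5) {
+edges {
+node {
+repositoryKey
+leadArtifactPath
+}
+}
+}
+}
+}
+pageInfo {
+hasNextPage
+endCursor
+}
+}
+}
+}
+```
+
+## Public packages domain
+
+The `publicPackages` namespace queries packages from public registries (npm,
+Maven Central, PyPI, etc.).
+
+### Search public packages
+
+```graphql
+query {
+publicPackages {
+searchPackages(
+where: { type: "npm", nameContains: "<search-term>" }
+first: 20
+) {
+totalCount
+edges {
+node {
+name
+type
+description
+latestVersion {
+version
+}
+}
+}
+pageInfo {
+hasNextPage
+endCursor
+}
+}
+}
+}
+```
+
+### Get a public package
+
+```graphql
+query {
+publicPackages {
+getPackage(type: "maven", name: "<package-name>") {
+name
+type
+description
+latestVersion {
+version
+}
+versionsConnection(first: 10) {
+edges {
+node {
+version
+}
+}
+}
+}
+}
+}
+```
+
+### Get a public package version with security and legal info
+
+Version-level `securityInfo` and `legalInfo` use dedicated types
+(`PublicPackageVersionSecurityInfo` and `PublicPackageVersionLegalInfo`) whose
+subfields differ from the package-level counterparts. Use the subfield
+selections shown here — they are verified against the schema.
+
+```graphql
+query {
+publicPackages {
+getPackage(type: "npm", name: "<package-name>") {
+name
+versionsConnection(first: 5) {
+edges {
+node {
+version
+securityInfo {
+vulnerabilities: vulnerabilitiesConnection(first: 100) {
+edges {
+node {
+name
+severity
+cvss {
+preferredBaseScore
+}
+aliases
+advisories {
+name
+}
+epss {
+date @dateFormat(format: DD_MMM_YYYY)
+score
+percentile
+}
+}
+}
+}
+maliciousnessInfo {
+knownToBeMalicious
+disclosedByJFrog
+removedFromIndexAt @dateFormat(format: DD_MMM_YYYY)
+}
+}
+legalInfo {
+licenseInfo {
+expression
+licenses {
+name
+}
+}
+copyrights(first: 5) {
+edges {
+node {
+content
+}
+}
+}
+}
+}
+}
+}
+}
+}
+}
+```
+
+## Public security domain
+
+The `publicSecurityInfo` namespace queries vulnerability advisories from JFrog's
+global catalog. A single CVE appears once per ecosystem — use the `name` filter
+to find all ecosystem entries for a CVE, or add `ecosystem` to narrow results.
+
+### Search vulnerability by CVE name
+
+`getVulnerability` requires both `name` and `ecosystem`. When the ecosystem is
+unknown, use `searchVulnerabilities` with a `name` filter instead — it returns
+all ecosystem entries for the CVE.
+
+**Cannot filter by affected package:** `PublicVulnerabilityWhereInput` has no
+package-name filter (e.g. no `hasPublicPackageInfoWith`). To find CVEs
+affecting a specific package, use `publicPackages.getPackage` → version →
+`securityInfo.vulnerabilitiesConnection`, or the Xray REST component summary
+API. See `catalog-entities.md` § *Filtering limitations*.
+
+**Ecosystem entries:** A CVE typically appears across multiple ecosystems
+(e.g. `generic`, `debian`, `redhat`, `ubuntu`). The `generic` ecosystem
+entry contains the actual vulnerable public package list; OS-specific entries
+are for OS-level tracking and usually have `totalCount: 0` in
+`vulnerablePublicPackagesConnection`.
+
+**Pagination:** Popular CVEs can have hundreds of vulnerable versions (e.g.
+lodash CVE-2021-23337 has 395). The example below uses `first: 500` to capture
+most CVEs in a single page. If `totalCount` exceeds the page size, paginate
+with `after:` and `pageInfo` on `vulnerablePublicPackagesConnection`.
+
+```graphql
+query {
+publicSecurityInfo {
+searchVulnerabilities(
+where: { name: "<CVE-ID>" }
+first: 10
+) {
+totalCount
+edges {
+node {
+name
+ecosystem
+severity
+description
+withdrawn
+publishedAt
+modifiedAt
+cvss {
+preferredBaseScore
+v2 { baseScore accessVector accessComplexity }
+v3 {
+baseScore attackVector attackComplexity
+privilegesRequired userInteraction scope
+confidentialityImpact integrityImpact availabilityImpact
+}
+}
+epss { score percentile date }
+knownExploit { addedAt dueDateAt }
+aliases
+cwesConnection(first: 10) {
+edges {
+node { identifier name }
+}
+}
+advisories {
+name
+url
+... on PublicVulnerabilityNvdAdvisory {
+severity shortDescription publishedAt
+}
+... on PublicVulnerabilityGhsaAdvisory {
+severity summary description publishedAt
+}
+... on PublicVulnerabilityJFrogAdvisory {
+severity shortDescription fullDescription
+impact vulnerabilityType resolution
+impactReasons { name description isPositive }
+}
+}
+publicPackageInfo {
+vulnerablePublicPackagesConnection(first: 500) {
+totalCount
+edges {
+node {
+publicPackageVersion {
+version
+publicPackage { name type }
+}
+fixVersionsConnection(first: 5) {
+edges {
+node { version }
+}
+}
+}
+}
+}
+}
+}
+}
+}
+}
+}
+```
+
+## Release lifecycle domain
+
+The `releaseBundleVersion` namespace queries release bundle versions and
+contents.
+
+### Get release bundle version basic info
+
+```graphql
+query {
+releaseBundleVersion {
+getVersion(name: "<bundle-name>", version: "<version>") {
+createdBy
+createdAt
+}
+}
+}
+```
+
+Optional arguments for `getVersion`:
+
+- `repositoryKey` — defaults to `release-bundles-v2`
+- `projectKey` — scopes to a specific project
+
+### Get release bundle artifacts
+
+```graphql
+query {
+releaseBundleVersion {
+getVersion(name: "<bundle-name>", version: "<version>") {
+artifactsConnection(first: 50) {
+totalCount
+edges {
+node {
+name
+path
+sha256
+packageType
+packageName
+packageVersion
+size
+sourceRepositoryPath
+properties {
+key
+values
+}
+}
+}
+pageInfo {
+hasNextPage
+endCursor
+}
+}
+}
+}
+}
+```
+
+### Get release bundle source builds
+
+```graphql
+query {
+releaseBundleVersion {
+getVersion(name: "<bundle-name>", version: "<version>") {
+fromBuilds {
+name
+number
+startedAt
+repositoryKey
+}
+}
+}
+}
+```
+
+### Get release bundle with artifact evidence
+
+```graphql
+query {
+releaseBundleVersion {
+getVersion(name: "<bundle-name>", version: "<version>") {
+artifactsConnection(first: 50, where: { hasEvidence: true }) {
+edges {
+node {
+name
+packageType
+evidenceConnection(first: 5) {
+edges {
+node {
+predicateType
+sha256
+}
+}
+}
+}
+}
+}
+}
+}
+}
+```
+
+### Full traceability — release to build evidence
+
+```graphql
+query {
+releaseBundleVersion {
+getVersion(name: "<bundle-name>", version: "<version>") {
+createdBy
+createdAt
+fromBuilds {
+name
+number
+startedAt
+evidenceConnection(first: 10) {
+edges {
+node {
+predicateType
+sha256
+createdBy
+createdAt
+}
+}
+}
+}
+}
+}
+}
+```
+
+## Evidence domain
+
+The `evidence` namespace searches evidence attached to artifacts in repositories.
+
+### Search evidence in a repository
+
+```graphql
+query {
+evidence {
+searchEvidence(
+first: 10
+where: {
+hasSubjectWith: {
+repositoryKey: "<repo-key>"
+}
+}
+) {
+totalCount
+edges {
+node {
+predicateSlug
+predicateType
+predicate
+verified
+downloadPath
+subject {
+path
+name
+}
+}
+}
+pageInfo {
+hasNextPage
+endCursor
+}
+}
+}
+}
+```
+
+### Search evidence for a specific artifact
+
+```graphql
+query {
+evidence {
+searchEvidence(
+where: {
+hasSubjectWith: {
+repositoryKey: "<repo-key>"
+path: "<path/to>"
+name: "<filename>"
+}
+}
+) {
+edges {
+node {
+predicateSlug
+predicateType
+verified
+downloadPath
+}
+}
+}
+}
+}
+```
+
+### Get evidence by location
+
+```graphql
+query {
+evidence {
+getEvidence(
+repositoryKey: "<repo-key>"
+path: "<path/to>"
+name: "<filename>"
+) {
+evidenceId
+verified
+}
+}
+}
+```
+
+### Search evidence with variables
+
+```graphql
+query GetEvidence($repoKey: String!, $path: String!, $name: String!) {
+evidence {
+getEvidence(
+repositoryKey: $repoKey
+path: $path
+name: $name
+) {
+evidenceId
+verified
+}
+}
+}
+```
+
+Variables:
+
+```json
+{
+"repoKey": "example-repo-local",
+"path": "path/to",
+"name": "file.ext"
+}
+```
+
+## Cross-domain queries
+
+OneModel can combine domains in a single query.
+
+### Release bundle artifacts with evidence
+
+```graphql
+query {
+releaseBundleVersion {
+getVersion(name: "<bundle-name>", version: "<version>") {
+createdBy
+createdAt
+artifactsConnection(first: 20) {
+edges {
+node {
+name
+path
+packageType
+evidenceConnection(first: 5) {
+edges {
+node {
+predicateSlug
+verified
+}
+}
+}
+}
+}
+}
+}
+}
+}
+```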