Description
Describe the bug
When using jf docker scan our Gitlab CI Pipelines should fail if a high or critical CVE is found. Instead the pipelines just succeed.
This worked some time ago as expected and seems to be broken with one of the last jfrog-cli releases. Unfortunately I cannot exactly determine the time frame since this issue occurred, as we just realized it today.
For me this looks like jfrog-cli is not giving the correct return code: if "fail build" is configured on the relevant policy, the cli tool should return rc != 0 if relevant CVEs are found.
Current behavior
We are using a policy with the following configuration:

Our pipelines scan our images as follows:
jf docker scan IMAGE --watches watch_referencing_above_policy
Result e.g. for a current tomcat image scan:
07:14:38 [Info] Waiting for scan to complete on JFrog Xray...
Security Violations
+------------+---------------------------+---------+---------------------------+----------+-----------+-------+----------------+
| SEVERITY | DIRECT | DIRECT | IMPACTED | IMPACTED | FIXED | TYPE | CVE |
| | PACKAGE | PACKAGE | PACKAGE | PACKAGE | VERSIONS | | |
| | | VERSION | NAME | VERSION | | | |
+------------+---------------------------+---------+---------------------------+----------+-----------+-------+----------------+
| 💀Critical | sha256__a35cb2463fc100adc | | org.apache.tomcat:tomcat- | 10.1.28 | [10.1.30] | Maven | CVE-2024-52316 |
| | c6e589bb48fbc21aea5159898 | | catalina | | [11.0.1] | | |
| | e041f4a26a4ad888691477.ta | | | | [9.0.96] | | |
| | r | | | | | | |
| | | | | | | | |
+------------+---------------------------+---------+---------------------------+----------+-----------+-------+----------------+
| 🎃Medium | sha256__a35cb2463fc100adc | | org.apache.tomcat:tomcat- | 10.1.28 | [10.1.31] | Maven | CVE-2024-52317 |
| | c6e589bb48fbc21aea5159898 | | coyote | | [11.0.0] | | |
| | e041f4a26a4ad888691477.ta | | | | [9.0.96] | | |
| | r | | | | | | |
| | | | | | | | |
+------------+---------------------------+---------+---------------------------+----------+-----------+-------+----------------+
License Compliance Violations
+---------------------------------------------+
| No license compliance violations were found |
+---------------------------------------------+
07:14:44 [Info] Scan completed successfully.
...
Job succeeded
This job should fail as it found a critical CVE, but instead it just succeeds.
Reproduction steps
No response
Expected behavior
No response
JFrog CLI-Security version
the one contained in jfrog-cli ...
JFrog CLI version (if applicable)
2.71.5
Operating system type and version
ubuntu:noble
JFrog Xray version
3.106.7
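A CI-side stopgap for the behaviour described in this issue, added here as an example that is not part of the issue or of jfrog-cli: rather than trusting the CLI exit status, the job pipes the text output of `jf docker scan` through a small awk gate that fails the job whenever the Security Violations table contains a High or Critical row. The sample outputs below are constructed from the table format shown in the issue (same columns, shortened rows); the function names, the assumption that `jf` prints the tables on stdout, and the `[Info]`-style log lines are assumptions, not jfrog-cli behaviour, and the gate depends on the current table layout, so it should be dropped once the policy's own "fail build" works again.

```shell
#!/bin/sh
# Added example, not jfrog-cli code: fail a CI job when the printed
# Security Violations table contains High/Critical rows, independent of
# the exit status of `jf docker scan`.

# Prints the number of High/Critical rows in the Security Violations
# section read from stdin, and exits non-zero when that number is > 0.
# Only the first column (SEVERITY) is inspected, so package names or CVE
# text containing the word "High" do not count.
count_severe_violations() {
  awk '
    /^Security Violations/           { in_sec = 1; next }
    /^License Compliance Violations/ { in_sec = 0 }
    in_sec && /^[|] *[^|]*(Critical|High) *[|]/ { hits++ }
    END { print hits + 0; exit (hits > 0) }
  '
}

# Gate used by the job: returns 0 when the scan is clean of High/Critical
# violations, 1 otherwise (output of the count goes to stderr for the log).
gate_scan_output() {
  count_severe_violations >&2
}

# Constructed sample in the layout of the issue's output: one Critical row
# and one Medium row (the emoji prefix is kept, as printed by the CLI).
SAMPLE_CRITICAL=$(cat <<'EOF'
07:14:38 [Info] Waiting for scan to complete on JFrog Xray...
Security Violations
+------------+---------+----------------+
| SEVERITY   | PACKAGE | CVE            |
+------------+---------+----------------+
| 💀Critical | tomcat  | CVE-2024-52316 |
+------------+---------+----------------+
| 🎃Medium   | tomcat  | CVE-2024-52317 |
+------------+---------+----------------+
License Compliance Violations
+---------------------------------------------+
| No license compliance violations were found |
+---------------------------------------------+
07:14:44 [Info] Scan completed successfully.
EOF
)

# Constructed sample with only a Medium row: the gate must let this pass.
SAMPLE_MEDIUM_ONLY=$(cat <<'EOF'
Security Violations
+------------+---------+----------------+
| SEVERITY   | PACKAGE | CVE            |
+------------+---------+----------------+
| 🎃Medium   | tomcat  | CVE-2024-52317 |
+------------+---------+----------------+
License Compliance Violations
07:14:44 [Info] Scan completed successfully.
EOF
)

# Intended use in the pipeline (assumed stdout layout; jf not run here):
#   jf docker scan "$IMAGE" --watches "$WATCH" | tee scan.log
#   gate_scan_output < scan.log || exit 1
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_CRITICAL" | gate_scan_output \
    && echo "demo: critical sample passed (unexpected)" \
    || echo "demo: critical sample blocked"
  printf '%s\n' "$SAMPLE_MEDIUM_ONLY" | gate_scan_output \
    && echo "demo: medium-only sample passed" \
    || echo "demo: medium-only sample blocked (unexpected)"
fi
```

Run with `sh gate.sh demo` to see both samples evaluated. In GitLab CI the `tee` keeps the full table in the job log while the gate decides the job status; with `set -o pipefail` (bash) a genuine non-zero exit from `jf` still fails the job as well, so the gate only adds a failure condition and never masks one.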