
FOD-Octane Integration - no Vulnerabilities shown

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • ALM Octane On Premise - 15.0.20.60
      Jenkins 2.204.2
      Micro Focus Application Automation Tools Plugin 6.1
      FOD Plugin 5.0.1

      Followed instructions from https://admhelp.microfocus.com/octane/en/15.0.20/Online/Content/AdminGuide/how-setup-FoD-integration.htm?Highlight=fortify

      Pipeline Job successfully uploads to FOD and finds NEW vulnerabilities, but nothing is shown in Octane for the pipeline. Waited to see if polling of FOD would update them, but nothing appears.

      Is there any way of debugging this to see if polling of FOD results is happening?

        1. 51667_scandata.fpr (2.40 MB)
        2. FOD.png (42 kB)
        3. FOD-Config.PNG (26 kB)
        4. image-2020-02-24-09-01-01-035.png (39 kB)
        5. nga.log (1.22 MB)
        6. nga2.log (1.24 MB)
        7. scan-summary.PNG (29 kB)

          [JENKINS-61116] FOD-Octane Integration - no Vulnerabilities shown

          nir yom tov added a comment - edited

          Hi, some questions here:

          1. I see that the Octane plugin is 6.1 - what is the FOD plugin version?
          2. Is the pipeline set to be of type 'security'?
          3. Do the vulnerabilities that were found have a later date (introduced date) than the pipeline creation? (Vulnerabilities that existed before the pipeline creation won't be injected.)
          4. Is it possible to submit the Jenkins log? It is found in: <Jenkins url>/userContent/nga/logs/nga.log
          5. Also, please tell me if your Jenkins job is a simple one or pipeline as code?

          Thanks

          Nir


          Kevin Lee added a comment -

          Thanks Nir,

          1. FOD Plugin version 5.0.1
          2. Pipeline is "End to End" and "Security" - can it be more than one tag?
          3. Yes, vulnerabilities found in a commit to the repository (see attached) after the pipeline was created.
          4. Attached
          5. It is Jenkinsfile Pipeline in GitHub - commit to repository starts Jenkins/Octane Pipeline and FOD upload!

          It is for customer demo. I can leave VM up for a while if you want to look (pm for login details: kevin.lee@microfocus.com)

          Kevin


          Kevin Lee added a comment -

          Tried running the same build in a Freestyle Jenkins Job (set Octane Pipeline to Security only) - now there is an Authentication error in the log (see nga2.log). Don't know why this is the case, as the Pipeline uploads and runs the Scan in FOD successfully?

          I have tried both API Key and Personal Access Token authentication with the same result.


          Kevin


          nir yom tov added a comment -

          Hi Kevin,

          It seems, according to the error, that the Octane plugin is having a hard time connecting to FOD.

          In the Jenkins configuration, did you correctly update the Fortify on Demand section (URL, API URL, API key and secret)? Is the Test Connection button working for you? (see example below)


          Kevin Lee added a comment -

          Yes, I have tried both API Key and PAT - clicking on "Test Connection" works. I notice your screenshot is slightly different, as "Secret" does not use Jenkins Credentials - does this make any difference?


          Kevin Lee added a comment -

          It looks like this does not work with the latest version of the FOD Uploader plugin (5.0.1), where they switched to using the Jenkins Credentials plugin for Secrets rather than a plain text field. I added a bit of debugging to FODConnector.java:

          INFO [VulnerabilitiesPushWorker-58 ] FODConnector : grant_type=client_credentials&scope=api-tenant&client_id=852dae7d-2280-4d76-8e2e-9f8fc0bee63c&client_secret=fod-api-key

          For the client_secret it is using the Credentials ID "fod-api-key" rather than resolving its actual value.


          Daniel Shmaya added a comment -

          This version of FOD is not supported yet.


          Kevin Lee added a comment -

          Integration of ALM Octane and Fortify on Demand is still not possible - this is preventing adoption of Octane and FOD!!!


          Mark Serencha added a comment - edited

          Similar (same?) issue occurring.

          Fortify scan is triggered, and runs to completion, but no Vulnerabilities are loaded into Octane.

          • Jenkins LTS 2.303.1 on Kubernetes
          • Micro Focus Application Automation Tools plugin 7.0
          • Fortify on Demand plugin 6.1.0
          • Octane 16.0.116.45
            • API permissions verified
          • Fortify permissions verified

          Relevant nga.log below:

          01/10/2021 17:15:21,111 ERROR [VulnerabilitiesPushWorker-92 ] VulnerabilitiesServiceImpl : https://OCTANE_SERVER?p=142001 permanent error on 'JOB_NAME #9', passing over
          com.hp.octane.integrations.exceptions.PermanentException: Cannot authenticate:Not Found
          at com.hp.octane.integrations.services.vulnerabilities.fod.dto.FODConnector.getAccessToken(FODConnector.java:213) ~[integrations-sdk-2.7.0.18.jar:?]
          at com.hp.octane.integrations.services.vulnerabilities.fod.dto.FODConnector.initConnection(FODConnector.java:80) ~[integrations-sdk-2.7.0.18.jar:?]
          at com.hp.octane.integrations.services.vulnerabilities.fod.dto.FodConnectionFactory.createFodConnector(FodConnectionFactory.java:75) ~[integrations-sdk-2.7.0.18.jar:?]
          at com.hp.octane.integrations.services.vulnerabilities.fod.dto.FodConnectionFactory.instance(FodConnectionFactory.java:39) ~[integrations-sdk-2.7.0.18.jar:?]
          at com.hp.octane.integrations.services.vulnerabilities.fod.dto.services.FODReleaseService.getScansLastInFirstFetched(FODReleaseService.java:36) ~[integrations-sdk-2.7.0.18.jar:?]
          at com.hp.octane.integrations.services.vulnerabilities.fod.FODServiceImpl.fodScanIsStillInProgress(FODServiceImpl.java:109) ~[integrations-sdk-2.7.0.18.jar:?]
          at com.hp.octane.integrations.services.vulnerabilities.fod.FODServiceImpl.getVulnerabilitiesScanResultStream(FODServiceImpl.java:71) ~[integrations-sdk-2.7.0.18.jar:?]
          at com.hp.octane.integrations.services.vulnerabilities.VulnerabilitiesServiceImpl.processPushVulnerabilitiesQueueItem(VulnerabilitiesServiceImpl.java:231) ~[integrations-sdk-2.7.0.18.jar:?]
          at com.hp.octane.integrations.services.vulnerabilities.VulnerabilitiesServiceImpl.worker(VulnerabilitiesServiceImpl.java:172) ~[integrations-sdk-2.7.0.18.jar:?]
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
          at java.lang.Thread.run(Thread.java:829) [?:?]
          01/10/2021 17:15:22,015 INFO [BuildLogsPushWorker-89 ] LogsServiceImpl : https://OCTANE_SERVER?p=142001 successfully pushed log of 'JOB_NAME #9', root job : JOB_NAME to WS 1002, correlation Id = 29ba96ee3ea4405c96ed3917d


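The reporter's original question was whether FOD polling is happening at all; the nga.log excerpts quoted in this thread show how to tell. The script below is an added example, not part of the Micro Focus plugin: it parses the nga.log line layout seen above, reports whether the VulnerabilitiesPushWorker ran, extracts the exception behind a "permanent error", and flags the debug line that writes the OAuth token request body (and so the client_secret) to the log. The sample lines are constructed from the ones quoted here, with a placeholder client_id and a constructed timestamp on the debug line.

```python
import re
from collections import Counter

# nga.log line layout as quoted in this thread:
#   "dd/mm/yyyy HH:MM:SS,mmm LEVEL [WorkerName-N ] ClassName : message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) +"
    r"\[(?P<worker>[A-Za-z]+)-\d+ *\] (?P<cls>\w+) : (?P<msg>.*)$"
)
# First line of the stack trace that follows a "permanent error" entry.
EXC_RE = re.compile(r"^(?P<exc>[\w.]+Exception): (?P<reason>.*)$")

# Constructed sample modelled on the lines quoted in this issue; the token request
# line is the reporter's own added debug output (placeholder client_id, constructed timestamp).
SAMPLE_NGA_LOG = """\
01/10/2021 17:15:20,500 INFO [VulnerabilitiesPushWorker-92 ] FODConnector : grant_type=client_credentials&scope=api-tenant&client_id=EXAMPLE_CLIENT_ID&client_secret=fod-api-key
01/10/2021 17:15:21,111 ERROR [VulnerabilitiesPushWorker-92 ] VulnerabilitiesServiceImpl : https://OCTANE_SERVER?p=142001 permanent error on 'JOB_NAME #9', passing over
com.hp.octane.integrations.exceptions.PermanentException: Cannot authenticate:Not Found
at com.hp.octane.integrations.services.vulnerabilities.fod.dto.FODConnector.getAccessToken(FODConnector.java:213) ~[integrations-sdk-2.7.0.18.jar:?]
01/10/2021 17:15:22,015 INFO [BuildLogsPushWorker-89 ] LogsServiceImpl : https://OCTANE_SERVER?p=142001 successfully pushed log of 'JOB_NAME #9', root job : JOB_NAME to WS 1002, correlation Id = 29ba96ee3ea4405c96ed3917d
"""

def triage(log_text):
    """Report whether the FOD vulnerability push worker ran and what stopped it."""
    workers = Counter()
    findings = []
    pending = None  # permanent-error finding still waiting for its exception line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            workers[m["worker"]] += 1
            if m["worker"] != "VulnerabilitiesPushWorker":
                continue
            if "permanent error" in m["msg"]:
                pending = {"kind": "permanent_error", "time": m["ts"], "detail": None}
                findings.append(pending)
            elif "client_secret=" in m["msg"]:
                # Logging the token request body would expose the real secret once
                # credential resolution works; flag the debug line for removal.
                findings.append({"kind": "secret_in_log", "time": m["ts"],
                                 "detail": "token request body written to log"})
            continue
        e = EXC_RE.match(line)
        if e and pending is not None:
            pending["detail"] = e["exc"].rsplit(".", 1)[-1] + ": " + e["reason"]
            pending = None
    return {"fod_polling_seen": workers["VulnerabilitiesPushWorker"] > 0,
            "workers": dict(workers), "findings": findings}
```

Run `triage(open("nga.log").read())` on a real log: an empty `findings` list with `fod_polling_seen` true means the worker polled FOD without a permanent error, which points back at the vulnerability dates and pipeline type rather than authentication.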

            onentwoo nir yom tov
            akevinlee Kevin Lee