Checkmarx / ast-github-action

Checkmarx application security testing (AST) GitHub action
https://github.com/marketplace/actions/checkmarx-ast-github-action
Apache License 2.0

[BUG] PR decoration fails randomly #97

Closed cmotsn closed 1 year ago

cmotsn commented 1 year ago

Describe the bug

Sometimes, the PR decoration - supposed to happen when running the action on a PR - fails and the Checkmarx comment on the PR is not created (or updated).

(This is run from a GitHub-hosted runner, so there's no issue of enterprise network/VPN).

Expected behavior

The PR should be commented with the Checkmarx result.

Actual behavior

The Checkmarx comment on the PR is sometimes not created/updated after the Checkmarx scan and we need to consult the action logs to see the scan results.

The corresponding scan logs indicate the relevant lines:

Creating PR decoration for scan ID: xxxxxxxxx-xxxxxxxxxxxxxxx-xxxxxxxxxxxxxxx Post "https://eu.ast.checkmarx.net/api/flow-publisher/pr/github": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Steps to reproduce

Sadly random.

Additional comments

If the Checkmarx server is unreliable (as it sadly appears to be, considering how often this fails) when trying to publish the PR result, it should be mitigated, for example with some kind of retry mechanism? (Despite the 'Request attempt 1 in 4' log followed by a failure, there doesn't seem to be any second attempt.)

Logs

Full section of the failing call (there is no mention of https://eu.ast.checkmarx.net/api/flow-publisher/pr/github earlier in the log, but let me know if you need the full log).

2023/01/13 10:03:00 Request attempt 1 in 4
2023/01/13 10:03:00 Receiving API response:
2023/01/13 10:03:00 HTTP/1.1 200 OK
Transfer-Encoding: chunked
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Jan 2023 10:03:00 GMT
Server: Kestrel
Vary: Accept-Encoding
Via: 1.1 xxxxxxxxxxxxxxxxxxxxx.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-Amz-Cf-Pop: xxxxxx
X-Cache: Miss from cloudfront

2023/01/13 10:03:00 sca-high: Limit = 1, Current = 9
Threshold check finished with status Failed : sca-high: Limit = 1, Current = 9 | 
2023/01/13 10:03:00 iac-security-high: Limit = 1, Current = 0
2023/01/13 10:03:00 sast-high: Limit = 1, Current = 0
Creating PR decoration for scan ID: xxxxxxxxxx-xxxxxxxxxxxxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
Post "https://eu.ast.checkmarx.net/api/flow-publisher/pr/github": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Warning: The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

pedrompflopes commented 1 year ago

Hi @cmotsn ,

Thanks for raising the issue. In the latest release, we changed the default timeout (which was too low) and it should now resolve the issue. If it happens again with the new version, please reopen the issue.

Version 2.0.14

Thanks