Mixeway / MixewayHub

Mixeway is a security orchestrator for vulnerability scanners that enables easy plug-in integration with CI/CD pipelines. The MixewayHub project contains a one-click docker-compose file which configures and runs the images from Docker Hub.
https://mixeway.io
GNU General Public License v3.0

mixeway-ci-fortify-mvn java.lang.NullPointerException #25

Closed D0n9 closed 3 years ago

D0n9 commented 3 years ago

Mixeway: all API calls return a 500 error code. How do I solve it?

Error log:

```
MixerBackend | 2020-11-23 16:31:17.151 ERROR 1 --- [nio-8443-exec-8] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
MixerBackend |
MixerBackend | java.lang.NullPointerException: null
MixerBackend |     at io.mixeway.rest.utils.JwtUserDetailsService.loadUserByApiKeyAndRequestUri(JwtUserDetailsService.java:92) ~[classes!/:0.9]
MixerBackend |     at io.mixeway.rest.utils.JwtRequestFilter.doFilterInternal(JwtRequestFilter.java:42) ~[classes!/:0.9]
MixerBackend |     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
MixerBackend |     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
MixerBackend |     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
MixerBackend |     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
MixerBackend |     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
MixerBackend |     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
MixerBackend |     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
MixerBackend |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
MixerBackend |     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
MixerBackend |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at io.mixeway.config.HstsHeaderPerventionFilter.doFilter(HstsHeaderPerventionFilter.java:39) ~[classes!/:0.9]
MixerBackend |     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_212]
MixerBackend |     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_212]
MixerBackend |     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
MixerBackend |     at java.lang.Thread.run(Thread.java:748) [na:1.8.0_212]
MixerBackend |
MixerFrontend | 172.30.17.140 - - [23/Nov/2020:16:31:17 +0000] "GET /v2/api/cicd/project/webgoat/code/verify/test/webgoat/1e7e110069286fdc5ea1b6a0fd04891b7b6813f5 HTTP/1.1" 500 200 "-" "curl/7.29.0"
```

siewer commented 3 years ago

Are you sure you have provided the correct Mixeway API key (the “api key” header)?

EDIT: The Fortify-ci script is out of date. I will introduce a PR tonight to fix it.

D0n9 commented 3 years ago

> Are you sure you have provided the correct Mixeway API key (the “api key” header)?
>
> EDIT: The Fortify-ci script is out of date. I will introduce a PR tonight to fix it.

Yes, I checked the API key and I am sure it is correct. I want to implement CI/CD using a Jenkins pipeline and want to know how Mixeway supports it.

D0n9 commented 3 years ago

> Are you sure you have provided the correct Mixeway API key (the “api key” header)?
>
> EDIT: The Fortify-ci script is out of date. I will introduce a PR tonight to fix it.

Hello siewer, I want to know when the PR updating the Fortify-ci script will be available.

siewer commented 3 years ago

A PR removing the fortify-ci script will be introduced shortly. For now, please use https://github.com/Mixeway/MixewayHub/tree/master/scripts/CIScripts; it contains the Fortify integration as well, but also introduces OWASP Dependency Track integration (which can be removed with --skipopensource).

D0n9 commented 3 years ago

> A PR removing the fortify-ci script will be introduced shortly. For now, please use https://github.com/Mixeway/MixewayHub/tree/master/scripts/CIScripts; it contains the Fortify integration as well, but also introduces OWASP Dependency Track integration (which can be removed with --skipopensource).

There are also bugs in https://github.com/Mixeway/MixewayHub/tree/master/scripts/CIScripts, such as parameter passing:

```bash
MIXEWAY_RESPONSE=$(curl --request GET --url "$mixeway_url/v2/api/cicd/project/$mixeway_project_id/code/verify/$group_name/$app_name/$COMMITID" --header 'apikey: '"$mixeway_api_key" -k -s)
```

Some of these parameters are never defined or obtained; it seems to have been copied from the fortify-ci script.

Please check.
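A fail-fast version of that verify call, added here as an example; it is not the MixewayHub CIScripts code. It keeps the variable names and URL layout from the curl line above; the function names, the `mixeway_ca_cert` variable and the use of `--cacert` instead of `-k` are assumptions of this example. It refuses to run when any parameter is undefined (the defect pointed out above), sends the `apikey` header as one properly quoted argument, and returns the HTTP status on the last line so the pipeline can tell a 200 from the 500 that the request in the stack trace above produced.

```shell
#!/usr/bin/env sh
# Added example, not MixewayHub CIScripts code. Variable names follow the
# thread's curl line; function names and mixeway_ca_cert are assumptions.

# Abort with a clear message if any named variable is unset or empty, instead
# of silently sending a URL with holes in it and getting a 500 back.
require_vars() {
  missing=0
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Build the verify endpoint URL from its parts. The path layout is the one
# visible in the thread's curl line and in the frontend access log.
# $1 base url, $2 project id, $3 group name, $4 app name, $5 commit id
mixeway_verify_url() {
  printf '%s/v2/api/cicd/project/%s/code/verify/%s/%s/%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Perform the call. The header is one quoted argument to --header (the
# thread's line runs --header into its value). --write-out appends the HTTP
# status code on its own line so the caller can act on it. -k is left out:
# point mixeway_ca_cert at the backend's cert.crt rather than disabling
# verification (assumption: pki/cert.crt is where that file lives).
mixeway_verify() {
  require_vars mixeway_url mixeway_project_id group_name app_name COMMITID mixeway_api_key || return 2
  url=$(mixeway_verify_url "$mixeway_url" "$mixeway_project_id" "$group_name" "$app_name" "$COMMITID")
  curl --silent --show-error --request GET --url "$url" \
    --header "apikey: $mixeway_api_key" \
    --cacert "${mixeway_ca_cert:-pki/cert.crt}" \
    --write-out '\n%{http_code}\n'
}

# Split the output of mixeway_verify: last line is the status code, the rest
# is the response body.
http_code_of() { printf '%s\n' "$1" | tail -n 1; }
body_of()      { printf '%s\n' "$1" | sed '$d'; }

# Usage in a pipeline step (values are placeholders):
#   mixeway_url=https://mixeway.example:8443 mixeway_project_id=webgoat \
#   group_name=test app_name=webgoat COMMITID=$(git rev-parse HEAD) \
#   mixeway_api_key="$MIXEWAY_KEY" out=$(mixeway_verify) \
#   && [ "$(http_code_of "$out")" = 200 ] || exit 1
```

Treating anything other than 200 as a pipeline failure matters here: as siewer's reply suggests, a wrong or missing key surfaces as the NullPointerException above, and a script that ignores the status code would report a scan result that never happened.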

D0n9 commented 3 years ago

I fixed the parameter passing problem, but the endpoint `$mixeway_url/v2/api/cicd/project/$mixeway_project_id/code/scan/$group_name/$app_name/$COMMITID` still returns an error (HTTP code 500). I am sure the apikey is correct.

siewer commented 3 years ago

Reopening to see if the fix works. The PR was introduced and some changes to the CI script were made.

EDIT: Now that I think of it, it may not work as expected. The CI script gets information about the repository, like the repo URL, and passes it to MixewayBackend; the backend then contacts MixewayFortifySCARestAPI with the same information to start the scan. It may be required for the user to edit the created project (project -> Configuration -> Code Projects -> edit) and set the username and password for the repository to be cloned manually.

D0n9 commented 3 years ago

> Reopening to see if the fix works. The PR was introduced and some changes to the CI script were made.
>
> EDIT: Now that I think of it, it may not work as expected. The CI script gets information about the repository, like the repo URL, and passes it to MixewayBackend; the backend then contacts MixewayFortifySCARestAPI with the same information to start the scan. It may be required for the user to edit the created project (project -> Configuration -> Code Projects -> edit) and set the username and password for the repository to be cloned manually.

MixewayHub: adding the Fortify SCA Rest API failed.

Here is my configuration; can you tell me what is wrong with it?

```bash
CN=172.80.28.4

# where $CN is ip of machine
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout pki/private.key -out pki/cert.crt -subj "/CN=$CN" &> /dev/null

# where $CN is ip of machine and $P12PASS is password to pkcs12 store
openssl pkcs12 -export -inkey pki/private.key -in pki/cert.crt -out pki/certificate.p12 -name "$CN" -password pass:123456

keytool -import -alias fortifyscarestapi -file /tmp/scaapi/pki/cert.crt -storetype JKS -keystore /tmp/MixewayHub/pki/trust.jks
keytool -import -alias mixeway -file /tmp/MixewayHub/pki/cert.crt -storetype JKS -keystore /tmp/scaapi/pki/trust.jks

java -jar fortifyscaapi-1.0.0-SNAPSHOT.jar \
  --server.port=18888 \
  --server.ssl.key-store=/tmp/scaapi/pki/certificate.p12 \
  --server.ssl.key-store-password=123456 \
  --server.ssl.trust-store=/tmp/scaapi/pki/trust.jks \
  --server.ssl.trust-store-password=123456 \
  --allowed.user=172.80.28.4
```
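A pre-flight check for the two-sided trust setup in that configuration, added here as an example; it is not MixewayHub or MixewayFortifySCARestAPI code. It assumes `openssl` and `keytool` on PATH and the file layout above; the function names, the way the store password is passed, and the assumption that `--allowed.user` is compared against the peer certificate's CN are this example's own. It checks the three things that most often make such a setup fail silently: the private key belongs to the certificate that was exported, the certificate's CN is the IP the other side allows, and the peer's certificate is really present in this side's trust store under the alias the import used.

```shell
#!/usr/bin/env sh
# Added example, not MixewayHub/FortifySCA code. Needs openssl and keytool.

# Pull the CN out of an `openssl x509 -noout -subject` line. Both output
# styles are handled: "subject=CN = 1.2.3.4" (OpenSSL 1.1+) and
# "subject= /CN=1.2.3.4" (OpenSSL 1.0).
cert_cn() {
  printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# 1. The key and the certificate must belong together (same RSA modulus);
#    otherwise the PKCS12 export yields a store the server cannot use.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 2. The configuration above uses the same IP for the certificate CN and for
#    --allowed.user. Assumption of this example: the API compares the two, so
#    a mismatch shows up as a rejected connection rather than a clear error.
cn_matches_allowed_user() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# 3. The peer's certificate must be in this side's trust store under the
#    alias the import used. keytool exits non-zero when the alias is absent.
#    The keytool imports above set no -storepass, so pass whatever was typed
#    at the prompt; the java command line above uses 123456.
trust_store_has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Run all three checks for one side. Arguments: key, cert, expected CN,
# trust store, store password, peer alias. Reports every failure and
# returns 0 only when everything lines up.
preflight() {
  ok=0
  key_matches_cert "$1" "$2" || { echo "key $1 does not match cert $2" >&2; ok=1; }
  cn=$(cert_cn "$(openssl x509 -noout -subject -in "$2" 2>/dev/null)")
  cn_matches_allowed_user "$cn" "$3" || { echo "cert CN '$cn' != expected '$3'" >&2; ok=1; }
  trust_store_has_alias "$4" "$5" "$6" || { echo "alias $6 not found in $4" >&2; ok=1; }
  return "$ok"
}

# Usage for the FortifySCA side of the configuration above (paths and values
# from the thread):
#   preflight /tmp/scaapi/pki/private.key /tmp/scaapi/pki/cert.crt 172.80.28.4 \
#             /tmp/scaapi/pki/trust.jks 123456 mixeway
# and for the MixewayHub side, swapping the directories and using alias
# fortifyscarestapi.
```

Running the same function on both sides before starting the services turns "adding the Fortify SCA Rest API failed" into a specific message about which of the two trust stores or certificates is wrong.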

siewer commented 3 years ago

It should work. Is there anything in the MixewayBackend or MixewayFortifySCARestAPI logs?

siewer commented 3 years ago

Closed due to inactivity.