Closed T1mey closed 4 years ago
Hi @T1mey
As we're for legal reasons not able to offer an image for Fortify, I think our ability to provide support here is limited.
The first naive question I would ask is: who owns the dir /opt/fortify/Core/config/rules, and is that your user 1000 (I assume that is the one running the Fortify scan)? What is the output of `ls -la /opt/fortify/Core/config` in a container of that image?
@fwilhe I think the pipeline is starting it with this user:group
Technically Jenkins and the Jenkins docker plugin do that, yes. I don't know what I can tell you except that it looks like you need to modify the docker image so that user 1000 is allowed to write into /opt/fortify/Core/config/rules. Something like `chmod -R 777 /opt/fortify/Core/config` should do the trick.
@fwilhe So there is no need to install the Fortify application with that user? Just the permission on that folder is enough?
Will it be able to execute the Fortify binaries, as they belong to root...?
I would suggest offering a basic Dockerfile example where the main steps are shown, like Maven installation, users, working dir etc., which can be adjusted by each user to their needs but has the main actions listed.
I'm not a fortify expert, I can't provide a list of requirements that a Dockerfile needs to fulfil. I'm not sure if we can maintain an example Dockerfile, I'll discuss this within the team.
Does it work once you have applied the right directory permissions?
So I solved it: the user (with id 1000 and group 999) must be created with a home dir, and the installation of Fortify must be done by that user.
@T1mey
Ok, that's good to hear, thanks for letting us know.
If possible, could you provide a template Dockerfile (omitting any confidential things) that we could add to the documentation for other users to base their work on?
@fwilhe As my Dockerfile is based on assumptions which haven't been or can't be confirmed, I think this might be dangerous ;-)
Maybe some info (use at your own risk):
derive from an image that uses glibc
install your company's certificates in the OS
install Maven
install python3 python3-pip
create user and group 1000:999 and their home dir
install Fortify + license as user 1000
update the Fortify JRE cacerts with the needed certs
update rulepacks
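The steps listed above as a Dockerfile skeleton, added here as an example and not the issue author's or the project's own file. FORTIFY_INSTALLER.run, fortify.license, the certs/ directory, the company-ca alias, the Fortify JRE path and the rulepack update command are placeholders or assumptions; the image gives uid 1000 ownership of /opt/fortify instead of opening it with chmod -R 777, and checks at build time that the rules directory is writable, which is the condition behind Error 6235.

```dockerfile
# Added example (not the issue author's Dockerfile). Assumptions: Debian base,
# placeholder names for the company CA certificates, the Fortify installer
# and the license; the Jenkins agent runs the scan as uid 1000 / gid 999.
FROM debian:bookworm-slim

ARG FORTIFY_UID=1000
ARG FORTIFY_GID=999
ARG FORTIFY_HOME=/opt/fortify

# Company certificates into the OS trust store (certs/ is a placeholder dir).
COPY certs/ /usr/local/share/ca-certificates/
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      ca-certificates maven python3 python3-pip \
 && update-ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Group 999 and user 1000 with a home directory; /opt/fortify is owned by
# that user rather than opened to everyone with chmod -R 777.
RUN groupadd --gid "${FORTIFY_GID}" fortify \
 && useradd --uid "${FORTIFY_UID}" --gid "${FORTIFY_GID}" --create-home fortify \
 && install -d -o fortify -g fortify "${FORTIFY_HOME}"

# Installer and license (placeholder names) copied in, owned by the scan user.
COPY --chown=fortify:fortify FORTIFY_INSTALLER.run fortify.license /tmp/

# Install Fortify as user 1000 so the whole tree, including
# Core/config/rules, belongs to the user that later runs the scan.
USER fortify
WORKDIR /home/fortify
# Placeholder: run the unattended installer into ${FORTIFY_HOME}.
RUN /tmp/FORTIFY_INSTALLER.run

# Import the company CA into the Fortify JRE truststore so the rulepack
# update can reach the internal SSC over TLS (JRE path is an assumption;
# "changeit" is the stock cacerts password).
RUN "${FORTIFY_HOME}/jre/bin/keytool" -importcert -noprompt -trustcacerts \
      -alias company-ca -file /usr/local/share/ca-certificates/company-ca.crt \
      -keystore "${FORTIFY_HOME}/jre/lib/security/cacerts" -storepass changeit

# Fail the build early if the rules directory is not writable by the scan
# user instead of hitting "Error 6235" inside the pipeline.
RUN test -w "${FORTIFY_HOME}/Core/config/rules"

# Rulepack update from the internal SSC: placeholder, see the Fortify docs
# for the exact invocation of the update tool.
# RUN "${FORTIFY_HOME}/bin/fortifyupdate" <SSC update options>
```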
Issue is resolved, nothing we can improve, thanks for reporting and sharing the solution snippet.
Hello,
the update of the rulepack from our internal SSC fails:
info fortifyExecuteScan - Error 6235: You must have write access to the rules directory: /opt/fortify/Core/config/rules
In our docker image we used root as the installation user for all needed components (Maven, Python & Fortify). Is there a need to do that as user 1000 (group 999)?