azsk / DevOpsKit

Intermittent Error Thrown-Unable to deserialize the response. #1388

Closed ryan-perkins-adesa closed 2 years ago

ryan-perkins-adesa commented 2 years ago

Title

Intermittent Error Thrown-Unable to deserialize the response.

Description

Thrown error

2021-10-07T20:29:47.2411995Z Exception for resource: [ResourceType: KeyVault] [ResourceGroupName: my-resource-group] [ResourceName: my-resource-name]
2021-10-07T20:29:47.2613292Z Cannot convert value "@{FeatureName=KeyVault; Reference=aka.ms/azsktcp/keyvault; IsMaintenanceMode=False; Controls=System.Object[]; ControlID=Azure_KeyVault_Audit_Enable_Diagnostics_Log; Enabled=False; Id=KeyVault180}" to type "SVTConfig". Error: "Cannot convert the "@{FeatureName=KeyVault; Reference=aka.ms/azsktcp/keyvault; IsMaintenanceMode=False; Controls=System.Object[]; ControlID=Azure_KeyVault_Audit_Enable_Diagnostics_Log; Enabled=False; Id=KeyVault180}" value of type "System.Management.Automation.PSCustomObject" to type "SVTConfig"."
2021-10-07T20:29:47.9956076Z
2021-10-07T20:29:47.9956689Z Checking resource [2/2]
2021-10-07T20:29:49.8772440Z Exception for resource: [ResourceType: AppService] [ResourceGroupName: my-resource-group] [ResourceName: my-resource-name]
2021-10-07T20:29:49.8803106Z Unable to deserialize the response.

This error is occurring in our release pipelines. This error has been occurring for some time, but we were unaware because it would not cause the release of the stage to fail. Yesterday this began causing our stages to fail. We are using the 4.0.5 version of the AzSK Security Verification Tests task.

Steps to reproduce

Add the AzSK Security Verification Tests to an ADO release pipeline. The AzSK task resource_group field is set to a resource group that has valid resources. This task fails in the pipeline intermittently, but always logs the exception.

Expected behavior

Either fail every time, or it should not throw an exception at all.

Actual behavior

The task throws an exception every time, but it does not always fail the stage in the pipeline.

gvaradarajan-msft commented 2 years ago

@ryan-perkins-adesa - Is it just this exception and no Control failures that are causing the pipeline to fail? Also, did you try running the scan outside your pipeline to see if this issue still occurs?

ryan-perkins-adesa commented 2 years ago

@gvaradarajan-msft - This is not a control failure within the pipeline, as this task had been succeeding for 100's of releases with no changes to the task. The task was not set to "continue on error", but that has been the case since it was implemented. I am actively working on running the scan outside of the pipeline.

gvaradarajan-msft commented 2 years ago

@ryan-perkins-adesa - Thank you for getting back. The Controls can still fail without any changes to the task (the resources being evaluated could have now been modified, and one or more Controls that were passing previously could have failed because of that). I am not sure why this exception should fail the pipeline.

I haven't been able to reproduce this following the steps listed above. I am continuing to do this.

I have also been trying to reach you over mail and have requested additional information to help debug this.

gvaradarajan-msft commented 2 years ago

@ryan-perkins-adesa - If you are using custom org. policies, please ensure that they are in the right format and/or have the correct configuration. This includes files like KeyVault.json, AppService.json, etc.

gvaradarajan-msft commented 2 years ago

The issue was root caused to a misconfiguration in some of the org. specific settings used by @ryan-perkins-adesa. They have since been fixed, and the pipeline is running as before.
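
Added example, not part of the thread and not AzSK code: a pre-flight check that custom org policy JSON still converts to the type the scanner expects, so a malformed file is caught before the pipeline runs. The class `SvtConfigStandIn`, the function `Test-OrgPolicyShape` and both sample documents are hypothetical. The four allowed keys are taken from the logged error, and treating `ControlID`, `Enabled` and `Id` at the top level as misplaced is an assumption.

```powershell
# Stand-in for the type each policy file is cast to. Its four properties are
# the feature-level keys visible in the logged error (assumption for this
# example; this is not AzSK's real SVTConfig class).
class SvtConfigStandIn {
    [string]   $FeatureName
    [string]   $Reference
    [bool]     $IsMaintenanceMode
    [object[]] $Controls
}

function Test-OrgPolicyShape {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Json
    )
    $result = [ordered]@{ Name = $Name; Ok = $false; Problem = $null }
    try { $obj = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch {
        $result.Problem = "not valid JSON: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    if ($obj -isnot [pscustomobject]) {
        $result.Problem = 'top level is not a single JSON object'
        return [pscustomobject]$result
    }
    # A PSCustomObject converts to a class only when every property it
    # carries also exists on that class, so list the extras explicitly.
    $allowed = [SvtConfigStandIn].GetProperties().Name
    $extra = @($obj.PSObject.Properties.Name | Where-Object { $_ -notin $allowed })
    if ($extra.Count -gt 0) {
        $result.Problem = "unexpected top-level keys: $($extra -join ', ')"
        return [pscustomobject]$result
    }
    try { $null = [SvtConfigStandIn]$obj; $result.Ok = $true }
    catch { $result.Problem = $_.Exception.Message }
    [pscustomobject]$result
}

# Constructed samples, not real policy files.
$control = '{"ControlID":"Azure_KeyVault_Audit_Enable_Diagnostics_Log","Id":"KeyVault180","Enabled":false}'
$header  = '"FeatureName":"KeyVault","Reference":"aka.ms/azsktcp/keyvault","IsMaintenanceMode":false'
$good = "{$header,`"Controls`":[$control]}"
# Control-level keys repeated beside the feature-level ones, as in the log.
$bad  = "{$header,`"Controls`":[],$($control.Trim('{}'))}"

Test-OrgPolicyShape -Name 'KeyVault.json (good)' -Json $good
Test-OrgPolicyShape -Name 'KeyVault.json (bad)'  -Json $bad
```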