fortify / FortifyVulnerabilityExporter

Export Fortify vulnerability data to GitHub, GitLab, SonarQube and more

error when trying to export to gitlab #18

Closed hopenbr closed 3 years ago

hopenbr commented 3 years ago

What am I missing?

I have tried ssc.Authtoken as well, without success.

Gitlab yml

export/fortify:
  stage: .pre
  image: fortifydocker/fortify-vulnerability-exporter:latest
  variables:
    export_config: /config/SSCToGitLabSAST.yml
    ssc_baseUrl: $FORITY_URL
    ssc_user: $FORTIFY_USER
    ssc_password: $FORTIFY_PWD
    ssc_version_id: $FORTIFY_VID
  script: 
    - echo Script entry is required but not used
  #when: manual
  allow_failure: false
  artifacts:
    reports:
      sast: gl-fortify-sast.json

Gitlab log:

12:57:14.591 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Populate container directories enabled: true
12:57:14.595 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Checking whether container directories need to be initialized
  ______         _   _  __                                  
 |  ____|       | | (_)/ _|                                 
 | |__ ___  _ __| |_ _| |_ _   _                            
 |  __/ _ \| '__| __| |  _| | | |                           
 | | | (_) | |  | |_| | | | |_| |                           
 |_|  \___/|_|   \__|_|_|  \__, |                           
 __      __    _            __/ |     _     _ _ _ _         
 \ \    / /   | |          |___/     | |   (_) (_) |        
  \ \  / /   _| |_ __   ___ _ __ __ _| |__  _| |_| |_ _   _ 
   \ \/ / | | | | '_ \ / _ \ '__/ _` | '_ \| | | | __| | | |
    \  /| |_| | | | | |  __/ | | (_| | |_) | | | | |_| |_| |
     \/  \__,_|_|_| |_|\___|_|  \__,_|_.__/|_|_|_|\__|\__, |
  ______                       _                       __/ |
 |  ____|                     | |                     |___/ 
 | |__  __  ___ __   ___  _ __| |_ ___ _ __                 
 |  __| \ \/ / '_ \ / _ \| '__| __/ _ \ '__|                
 | |____ >  <| |_) | (_) | |  | ||  __/ |                   
 |______/_/\_\ .__/ \___/|_|   \__\___|_|                   
             | |                                            
             |_|                                            
2021-04-13 12:57:17.578  INFO 1 --- [           main] e.p.PluginConfigEnvironmentPostProcessor : Loaded 11 plugin configuration files
2021-04-13 12:57:17.700  INFO 1 --- [           main] c.f.v.FortifyVulnerabilityExporter       : Starting FortifyVulnerabilityExporter v1.2.0 using Java 1.8.0_275 on runner-estzx7bj-project-11312-concurrent-0 with PID 1 (/app/classpath/FortifyVulnerabilityExporter-1.2.0.jar started by root in /)
2021-04-13 12:57:17.711  INFO 1 --- [           main] c.f.v.FortifyVulnerabilityExporter       : The following profiles are active: default,ssc
2021-04-13 12:57:22.344  INFO 1 --- [           main] c.f.v.FortifyVulnerabilityExporter       : Started FortifyVulnerabilityExporter in 7.083 seconds (JVM running for 8.306)
2021-04-13 12:57:23.454 ERROR 1 --- [           main] o.s.boot.SpringApplication               : Application run failed
java.lang.IllegalStateException: Failed to execute CommandLineRunner
    at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:807) ~[spring-boot-2.4.3.jar:2.4.3]
    at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:788) ~[spring-boot-2.4.3.jar:2.4.3]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:333) ~[spring-boot-2.4.3.jar:2.4.3]
    at com.fortify.vulnexport.FortifyVulnerabilityExporter.main(FortifyVulnerabilityExporter.java:39) [FortifyVulnerabilityExporter-1.2.0.jar:1.2.0]
Caused by: javax.validation.ConstraintDeclarationException: HV000170: No JSR-223 scripting engine could be bootstrapped for language "javascript".
    at org.hibernate.validator.internal.constraintvalidators.hv.AbstractScriptAssertValidator.initialize(AbstractScriptAssertValidator.java:42) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.constraintvalidators.hv.ScriptAssertValidator.initialize(ScriptAssertValidator.java:38) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.constraintvalidation.AbstractConstraintValidatorManagerImpl.initializeValidator(AbstractConstraintValidatorManagerImpl.java:140) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.constraintvalidation.AbstractConstraintValidatorManagerImpl.createAndInitializeValidator(AbstractConstraintValidatorManagerImpl.java:90) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintValidatorManagerImpl.getInitializedValidator(ConstraintValidatorManagerImpl.java:117) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintTree.getInitializedConstraintValidator(ConstraintTree.java:136) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.constraintvalidation.SimpleConstraintTree.validateConstraints(SimpleConstraintTree.java:54) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintTree.validateConstraints(ConstraintTree.java:75) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.metadata.core.MetaConstraint.doValidateConstraint(MetaConstraint.java:130) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.metadata.core.MetaConstraint.validateConstraint(MetaConstraint.java:123) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateMetaConstraint(ValidatorImpl.java:555) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForSingleDefaultGroupElement(ValidatorImpl.java:518) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForDefaultGroup(ValidatorImpl.java:488) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForCurrentGroup(ValidatorImpl.java:450) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:400) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateCascadedAnnotatedObjectForCurrentGroup(ValidatorImpl.java:629) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateCascadedConstraints(ValidatorImpl.java:590) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:409) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.ValidatorImpl.validate(ValidatorImpl.java:172) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.springframework.validation.beanvalidation.SpringValidatorAdapter.validate(SpringValidatorAdapter.java:358) ~[spring-context-5.3.4.jar:5.3.4]
    at com.fortify.util.config.loader.StandardConfigLoader.validateConfig(StandardConfigLoader.java:69) ~[FortifyVulnerabilityExporter-api.jar:na]
    at com.fortify.util.config.loader.StandardConfigLoader.loadConfig(StandardConfigLoader.java:63) ~[FortifyVulnerabilityExporter-api.jar:na]
    at com.fortify.util.config.loader.AbstractConfigLoader.loadConfig(AbstractConfigLoader.java:62) ~[FortifyVulnerabilityExporter-api.jar:na]
    at com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory.createConfig(AbstractVulnerabilityLoaderFactory.java:59) ~[FortifyVulnerabilityExporter-spi-from.jar:na]
    at com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory.createVulnerabilityLoader(AbstractVulnerabilityLoaderFactory.java:51) ~[FortifyVulnerabilityExporter-spi-from.jar:na]
    at com.fortify.vulnexport.api.vuln.loader.active.ActiveVulnerabilityLoaderFactory.lambda$createVulnerabilityLoader$0(ActiveVulnerabilityLoaderFactory.java:59) ~[FortifyVulnerabilityExporter-api.jar:na]
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[na:1.8.0_275]
    at java.util.Iterator.forEachRemaining(Iterator.java:116) ~[na:1.8.0_275]
    at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801) ~[na:1.8.0_275]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[na:1.8.0_275]
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[na:1.8.0_275]
    at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[na:1.8.0_275]
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:1.8.0_275]
    at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566) ~[na:1.8.0_275]
    at com.fortify.vulnexport.api.vuln.loader.active.ActiveVulnerabilityLoaderFactory.createVulnerabilityLoader(ActiveVulnerabilityLoaderFactory.java:61) ~[FortifyVulnerabilityExporter-api.jar:na]
    at com.fortify.vulnexport.FortifyVulnerabilityExporterRunnerFactory.runActiveVulnerabilityLoader(FortifyVulnerabilityExporterRunnerFactory.java:65) ~[FortifyVulnerabilityExporter-1.2.0.jar:1.2.0]
    at com.fortify.util.spring.boot.scheduler.RunOrSchedule.runOnce(RunOrSchedule.java:55) ~[FortifyVulnerabilityExporter-1.2.0.jar:1.2.0]
    at com.fortify.util.spring.boot.scheduler.RunOrSchedule.run(RunOrSchedule.java:34) ~[FortifyVulnerabilityExporter-1.2.0.jar:1.2.0]
    at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:804) ~[spring-boot-2.4.3.jar:2.4.3]
    ... 3 common frames omitted
Caused by: org.hibernate.validator.spi.scripting.ScriptEvaluatorNotFoundException: HV000232: No JSR 223 script engine found for language "javascript".
    at org.hibernate.validator.internal.engine.scripting.DefaultScriptEvaluatorFactory.createNewScriptEvaluator(DefaultScriptEvaluatorFactory.java:66) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1660) ~[na:1.8.0_275]
    at org.hibernate.validator.spi.scripting.AbstractCachingScriptEvaluatorFactory.getScriptEvaluatorByLanguageName(AbstractCachingScriptEvaluatorFactory.java:41) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.engine.constraintvalidation.HibernateConstraintValidatorInitializationContextImpl.getScriptEvaluatorForLanguage(HibernateConstraintValidatorInitializationContextImpl.java:50) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    at org.hibernate.validator.internal.constraintvalidators.hv.AbstractScriptAssertValidator.initialize(AbstractScriptAssertValidator.java:38) ~[hibernate-validator-6.1.7.Final.jar:6.1.7.Final]
    ... 41 common frames omitted

hopenbr commented 3 years ago

Our SSC portal is using a self-signed cert.

rsenden commented 3 years ago

Hi, this particular error is caused by #16 and #17; this has been fixed in fortifydocker/fortify-vulnerability-exporter:latest_rc and will be released as latest soon.

I think you will see other errors due to the self-signed SSC certificate though; if so please submit a new issue with full output here and I'll have a look at it.

hopenbr commented 3 years ago

Yes, it looks like the latest_rc clears up these errors, yet the self-signed certs are causing issues. I opened https://github.com/fortify/FortifyVulnerabilityExporter/issues/19