fortify / FortifyVulnerabilityExporter

Export Fortify vulnerability data to GitHub, GitLab, SonarQube and more

javax.validation.ConstraintDeclarationException: HV000170: No JSR-223 scripting engine could be bootstrapped for language "javascript" #36

Closed paganellif closed 2 years ago

paganellif commented 2 years ago

Environment:

Command:

FortifyVulnerabilityExporter FoDToCSV --fod.baseUrl=$FOD_URL --fod.tenant=$FOD_TENANT --fod.userName=$FOD_USERNAME --fod.password=$FOD_PAT --fod.release.id=$FOD_RELEASE_ID --csv.output.file=$CI_PROJECT_DIR/scan-report.csv 

Log:

11:48:16.336 [main] DEBUG com.fortify.util.spring.boot.container.PopulateContainerDirs - Populate container directories enabled: false
  ______         _   _  __                                  
 |  ____|       | | (_)/ _|                                 
 | |__ ___  _ __| |_ _| |_ _   _                            
 |  __/ _ \| '__| __| |  _| | | |                           
 | | | (_) | |  | |_| | | | |_| |                           
 |_|  \___/|_|   \__|_|_|  \__, |                           
 __      __    _            __/ |     _     _ _ _ _         
 \ \    / /   | |          |___/     | |   (_) (_) |        
  \ \  / /   _| |_ __   ___ _ __ __ _| |__  _| |_| |_ _   _ 
   \ \/ / | | | | '_ \ / _ \ '__/ _` | '_ \| | | | __| | | |
    \  /| |_| | | | | |  __/ | | (_| | |_) | | | | |_| |_| |
     \/  \__,_|_|_| |_|\___|_|  \__,_|_.__/|_|_|_|\__|\__, |
  ______                       _                       __/ |
 |  ____|                     | |                     |___/ 
 | |__  __  ___ __   ___  _ __| |_ ___ _ __                 
 |  __| \ \/ / '_ \ / _ \| '__| __/ _ \ '__|                
 | |____ >  <| |_) | (_) | |  | ||  __/ |                   
 |______/_/\_\ .__/ \___/|_|   \__\___|_|                   
             | |                                            
             |_|                                            
2022-01-26 11:48:17.705  INFO 725 --- [           main] e.p.PluginConfigEnvironmentPostProcessor : Loaded 13 plugin configuration files
2022-01-26 11:48:18.019  INFO 725 --- [           main] c.f.v.FortifyVulnerabilityExporter       : Starting FortifyVulnerabilityExporter v1.5.3 using Java 17.0.2 with PID 725 (/root/.fortify/tools/FortifyVulnerabilityExporter/latest-20220126/FortifyVulnerabilityExporter.jar started by root in /builds/[MASKED]cloud/violazione-command-service)
2022-01-26 11:48:18.019  INFO 725 --- [           main] c.f.v.FortifyVulnerabilityExporter       : The following profiles are active: default
2022-01-26 11:48:19.037  INFO 725 --- [           main] c.f.v.FortifyVulnerabilityExporter       : Using configuration file /root/.fortify/tools/FortifyVulnerabilityExporter/latest-20220126/config/FoDToCSV.yml
2022-01-26 11:48:19.039  INFO 725 --- [           main] c.f.v.FortifyVulnerabilityExporter       : Started FortifyVulnerabilityExporter in 2.34 seconds (JVM running for 3.012)
javax.validation.ConstraintDeclarationException: HV000170: No JSR-223 scripting engine could be bootstrapped for language "javascript".
    at org.hibernate.validator.internal.constraintvalidators.hv.AbstractScriptAssertValidator.initialize(AbstractScriptAssertValidator.java:42)
    at org.hibernate.validator.internal.constraintvalidators.hv.ScriptAssertValidator.initialize(ScriptAssertValidator.java:38)
    at org.hibernate.validator.internal.engine.constraintvalidation.AbstractConstraintValidatorManagerImpl.initializeValidator(AbstractConstraintValidatorManagerImpl.java:140)
    at org.hibernate.validator.internal.engine.constraintvalidation.AbstractConstraintValidatorManagerImpl.createAndInitializeValidator(AbstractConstraintValidatorManagerImpl.java:90)
    at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintValidatorManagerImpl.getInitializedValidator(ConstraintValidatorManagerImpl.java:117)
    at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintTree.getInitializedConstraintValidator(ConstraintTree.java:136)
    at org.hibernate.validator.internal.engine.constraintvalidation.SimpleConstraintTree.validateConstraints(SimpleConstraintTree.java:54)
    at org.hibernate.validator.internal.engine.constraintvalidation.ConstraintTree.validateConstraints(ConstraintTree.java:75)
    at org.hibernate.validator.internal.metadata.core.MetaConstraint.doValidateConstraint(MetaConstraint.java:130)
    at org.hibernate.validator.internal.metadata.core.MetaConstraint.validateConstraint(MetaConstraint.java:123)
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateMetaConstraint(ValidatorImpl.java:555)
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForSingleDefaultGroupElement(ValidatorImpl.java:518)
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForDefaultGroup(ValidatorImpl.java:488)
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateConstraintsForCurrentGroup(ValidatorImpl.java:450)
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:400)
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateCascadedAnnotatedObjectForCurrentGroup(ValidatorImpl.java:629)
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateCascadedConstraints(ValidatorImpl.java:590)
    at org.hibernate.validator.internal.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:409)
    at org.hibernate.validator.internal.engine.ValidatorImpl.validate(ValidatorImpl.java:172)
    at org.springframework.validation.beanvalidation.SpringValidatorAdapter.validate(SpringValidatorAdapter.java:358)
    at com.fortify.util.config.loader.StandardConfigLoader.validateConfig(StandardConfigLoader.java:106)
    at com.fortify.util.config.loader.StandardConfigLoader.loadConfig(StandardConfigLoader.java:93)
    at com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory.createConfig(AbstractVulnerabilityLoaderFactory.java:97)
    at com.fortify.vulnexport.spi.source.vuln.loader.AbstractVulnerabilityLoaderFactory.createVulnerabilityLoader(AbstractVulnerabilityLoaderFactory.java:73)
    at com.fortify.vulnexport.api.vuln.loader.active.ActiveVulnerabilityLoaderFactory.lambda$createVulnerabilityLoader$0(ActiveVulnerabilityLoaderFactory.java:59)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
    at java.base/java.util.Iterator.forEachRemaining(Iterator.java:133)
    at java.base/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1845)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
    at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
    at com.fortify.vulnexport.api.vuln.loader.active.ActiveVulnerabilityLoaderFactory.createVulnerabilityLoader(ActiveVulnerabilityLoaderFactory.java:61)
    at com.fortify.vulnexport.FortifyVulnerabilityExporterRunnerFactory.runActiveVulnerabilityLoader(FortifyVulnerabilityExporterRunnerFactory.java:91)
    at com.fortify.util.spring.boot.scheduler.RunOrSchedule.runOnce(RunOrSchedule.java:76)
    at com.fortify.util.spring.boot.scheduler.RunOrSchedule.run(RunOrSchedule.java:48)
    at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:767)
    at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:751)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:309)
    at com.fortify.vulnexport.FortifyVulnerabilityExporter.main(FortifyVulnerabilityExporter.java:62)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:108)
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
    at org.springframework.boot.loader.PropertiesLauncher.main(PropertiesLauncher.java:467)
Caused by: org.hibernate.validator.spi.scripting.ScriptEvaluatorNotFoundException: HV000232: No JSR 223 script engine found for language "javascript".
    at org.hibernate.validator.internal.engine.scripting.DefaultScriptEvaluatorFactory.createNewScriptEvaluator(DefaultScriptEvaluatorFactory.java:66)
    at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708)
    at org.hibernate.validator.spi.scripting.AbstractCachingScriptEvaluatorFactory.getScriptEvaluatorByLanguageName(AbstractCachingScriptEvaluatorFactory.java:41)
    at org.hibernate.validator.internal.engine.constraintvalidation.HibernateConstraintValidatorInitializationContextImpl.getScriptEvaluatorForLanguage(HibernateConstraintValidatorInitializationContextImpl.java:50)
    at org.hibernate.validator.internal.constraintvalidators.hv.AbstractScriptAssertValidator.initialize(AbstractScriptAssertValidator.java:38)
    ... 48 more
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: exit code 1

rsenden commented 2 years ago

Thanks for reporting this issue. At the moment, FortifyVulnerabilityExporter requires a JVM that provides a JSR 223 JavaScript engine. Effectively this means that it will probably not run on Java version 15 or higher, since those Java versions no longer ship with the Nashorn engine. I'll look into options to make FortifyVulnerabilityExporter run on Java 17, but this may take some time.

rsenden commented 2 years ago

The JSR 223 JavaScript engine requirement has now been removed, allowing FortifyVulnerabilityExporter to run on Java 17.
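
Added example, not code from FortifyVulnerabilityExporter or its maintainers (the thread does not show how the requirement was removed): the stack trace above fails in Hibernate Validator's `ScriptAssertValidator`, which needs a JSR 223 engine at validation time, so the same rule is shown once as `@ScriptAssert` and once as plain Java. It assumes Hibernate Validator 6.x (`javax.validation`) and an EL implementation on the classpath; the class and field names are hypothetical.

```java
import javax.script.ScriptEngineManager;
import javax.validation.Validation;
import javax.validation.ValidationException;
import javax.validation.Validator;
import javax.validation.constraints.AssertTrue;
import org.hibernate.validator.constraints.ScriptAssert;

public class ScriptAssertDemo {
    // Hypothetical config bean. The rule is a script, so validating it asks the
    // JVM for a JSR 223 "javascript" engine (Nashorn on JDKs that still ship it).
    @ScriptAssert(lang = "javascript", alias = "c",
                  script = "c.releaseId != null || c.releaseName != null",
                  message = "either releaseId or releaseName is required")
    public static class ScriptedConfig {
        public String releaseId;
        public String releaseName;
    }

    // Same rule as a compiled getter constraint: no script engine is involved,
    // and no script text is evaluated at run time.
    public static class PlainConfig {
        public String releaseId;
        public String releaseName;

        @AssertTrue(message = "either releaseId or releaseName is required")
        public boolean isReleaseSpecified() {
            return releaseId != null || releaseName != null;
        }
    }

    public static void main(String[] args) {
        // Preflight check: null means no JSR 223 JavaScript engine on this JVM.
        boolean hasJs = new ScriptEngineManager().getEngineByName("javascript") != null;
        System.out.println("Java " + Runtime.version().feature()
                + ", javascript engine available: " + hasJs);

        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        System.out.println("PlainConfig violations: "
                + validator.validate(new PlainConfig()).size());
        try {
            System.out.println("ScriptedConfig violations: "
                    + validator.validate(new ScriptedConfig()).size());
        } catch (ValidationException e) {
            // Without an engine this is the HV000170 error from the log above.
            System.out.println("ScriptedConfig failed: " + e.getMessage());
        }
    }
}
```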