fortify / fcli

fcli is a command-line utility for interacting with various Fortify products
https://fortify.github.io/fcli/

tools - scancentral client, vulnerability exporter installation #345

Closed xakrurychle closed 1 year ago

xakrurychle commented 1 year ago

For some reason I am not able to install sca client or vuln-exporter.

case 1) without proxy - time out

This one I quite understand as I am behind our company's proxy.

```
fcli tool vuln-exporter install -d ./vulnExporter 2.0.2
kong.unirest.UnirestException: org.apache.http.conn.ConnectTimeoutException: Connect to github.com:443 [github.com/140.82.121.4] failed: Connect timed out
        at kong.unirest.DefaultInterceptor.onFail(DefaultInterceptor.java:43)
        at kong.unirest.CompoundInterceptor.lambda$onFail$2(CompoundInterceptor.java:54)
        at java.base@17.0.7/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at java.base@17.0.7/java.util.Collections$2.tryAdvance(Collections.java:4853)
        at java.base@17.0.7/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
        at java.base@17.0.7/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
        at java.base@17.0.7/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
        at java.base@17.0.7/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at java.base@17.0.7/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
        at java.base@17.0.7/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base@17.0.7/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
        at kong.unirest.CompoundInterceptor.onFail(CompoundInterceptor.java:56)
        at kong.unirest.apache.ApacheClient.request(ApacheClient.java:138)
        at kong.unirest.Client.request(Client.java:57)
        at kong.unirest.BaseRequest.request(BaseRequest.java:359)
        at kong.unirest.BaseRequest.asFile(BaseRequest.java:326)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.download(AbstractToolInstallCommand.java:111)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.download(AbstractToolInstallCommand.java:104)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.downloadAndInstall(AbstractToolInstallCommand.java:91)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.getJsonNode(AbstractToolInstallCommand.java:72)
        at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.run(AbstractOutputCommand.java:33)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2104)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2539)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2531)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2493)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2351)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2495)
        at picocli.CommandLine.execute(CommandLine.java:2248)
        at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:74)
        at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:56)
Caused by: org.apache.http.conn.ConnectTimeoutException: Connect to github.com:443 [github.com/140.82.121.4] failed: Connect timed out
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:151)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
        at kong.unirest.apache.ApacheClient.request(ApacheClient.java:129)
        ... 17 more
Caused by: java.net.SocketTimeoutException: Connect timed out
        at java.base@17.0.7/sun.nio.ch.NioSocketImpl.timedFinishConnect(NioSocketImpl.java:546)
        at java.base@17.0.7/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:597)
        at java.base@17.0.7/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:327)
        at java.base@17.0.7/java.net.Socket.connect(Socket.java:633)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:368)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
        ... 27 more
```

case 2) with proxy - PKI cert error

This case I don't understand. As for a final user there seems to be no need to provide any GitHub keys or anything. Wherever the download file comes from I assume is handled internally. Do I need to set something within FCLI that I missed?

```
./fcli tool sc-client install 23.1.0 -d ../fcli_scancentral/  -t "clientSCAPass"
kong.unirest.UnirestException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at kong.unirest.DefaultInterceptor.onFail(DefaultInterceptor.java:43)
        at kong.unirest.CompoundInterceptor.lambda$onFail$2(CompoundInterceptor.java:54)
        at java.base@17.0.7/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at java.base@17.0.7/java.util.Collections$2.tryAdvance(Collections.java:4853)
        at java.base@17.0.7/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
        at java.base@17.0.7/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
        at java.base@17.0.7/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
        at java.base@17.0.7/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at java.base@17.0.7/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
        at java.base@17.0.7/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base@17.0.7/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
        at kong.unirest.CompoundInterceptor.onFail(CompoundInterceptor.java:56)
        at kong.unirest.apache.ApacheClient.request(ApacheClient.java:138)
        at kong.unirest.Client.request(Client.java:57)
        at kong.unirest.BaseRequest.request(BaseRequest.java:359)
        at kong.unirest.BaseRequest.asFile(BaseRequest.java:326)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.download(AbstractToolInstallCommand.java:111)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.download(AbstractToolInstallCommand.java:104)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.downloadAndInstall(AbstractToolInstallCommand.java:91)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.getJsonNode(AbstractToolInstallCommand.java:72)
        at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.run(AbstractOutputCommand.java:33)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2104)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2539)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2531)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2493)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2351)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2495)
        at picocli.CommandLine.execute(CommandLine.java:2248)
        at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:74)
        at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:56)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base@17.0.7/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base@17.0.7/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
        at java.base@17.0.7/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
        at java.base@17.0.7/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
        at java.base@17.0.7/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
        at java.base@17.0.7/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
        at java.base@17.0.7/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
        at java.base@17.0.7/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base@17.0.7/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at java.base@17.0.7/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
        at java.base@17.0.7/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
        at java.base@17.0.7/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
        at java.base@17.0.7/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
        at java.base@17.0.7/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
        at java.base@17.0.7/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
        at java.base@17.0.7/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.upgrade(DefaultHttpClientConnectionOperator.java:191)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.upgrade(PoolingHttpClientConnectionManager.java:392)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:428)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
        at kong.unirest.apache.ApacheClient.request(ApacheClient.java:129)
        ... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base@17.0.7/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base@17.0.7/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base@17.0.7/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base@17.0.7/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at java.base@17.0.7/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at java.base@17.0.7/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
        ... 40 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base@17.0.7/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
        at java.base@17.0.7/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127)
        at java.base@17.0.7/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base@17.0.7/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 45 more
```

rsenden commented 1 year ago

@xakrurychle I guess the proxy server is using a certificate that is signed by an internal CA? In that case, you'd need to point fcli to a trust store containing the appropriate certificates, using the fcli config truststore set command. Can you please confirm?

xakrurychle commented 1 year ago

Hi @rsenden, so I've done the following:

1) set cacerts as truststore. Previously I had set the truststore for tomcat but that was probably wrong, so I used the cacerts we use for client side
2) set proxy
3) ran command `./fcli tool sc-client install 23.1.0 -d ../fcli_scancentral/ -t <pass> --log-level TRACE`

which returns with the error:

```
java.lang.RuntimeException: Entry with an illegal path: bin/
        at com.fortify.cli.tool.common.util.FileUtils.extractZip(FileUtils.java:77)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.install(AbstractToolInstallCommand.java:122)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.downloadAndInstall(AbstractToolInstallCommand.java:93)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.getJsonNode(AbstractToolInstallCommand.java:72)
        at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.run(AbstractOutputCommand.java:33)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2104)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2539)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2531)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2493)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2351)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2495)
        at picocli.CommandLine.execute(CommandLine.java:2248)
        at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:74)
        at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:56)
```

rsenden commented 1 year ago

@xakrurychle Thanks for the feedback. Can you please try without the -d option, and/or pass an absolute path to the -d option? I think the relative path may be causing this issue.

xakrurychle commented 1 year ago

> @xakrurychle Thanks for the feedback. Can you please try without the -d option, and/or pass an absolute path to the -d option? I think the relative path may be causing this issue.

Hi, yes, it turned out to be the relative path issue. With /home/destination/ the command finished successfully:

```
./fcli tool sc-client install 23.1.0 -d /home/<destination>/  -t <pass> --log-level TRACE
 Name       Version  Default  Installed  Install dir                                Bin dir                                        Action
 sc-client  23.1.0   Yes      Yes        /home<destination>/  /home/<destination>/bin  INSTALLED
```