fortify / fcli

fcli is a command-line utility for interacting with various Fortify products
https://fortify.github.io/fcli/

Error uploading file at com.fortify.cli.fod._common.rest.helper.FoDFileTransferHelper.uploadChunked(FoDFileTransferHelper.java:79) #507

Closed quinnturner closed 1 month ago

quinnturner commented 5 months ago

I am trying to scan a C# project using Fortify from GitHub Actions.

name: Fortify on Demand SAST Scan

on:
  workflow_dispatch:
    inputs:
      branch:
        description: "Branch to scan"
        required: true
        default: "main"
  schedule:
    - cron: "30 1 * * 1"
  push:
    paths:
      - .github/workflows/fortify.yml
jobs:
  FoD-SAST-Scan:
    # Use the appropriate runner for building your source code.
    # Use Windows runner for projects that use msbuild. Additional changes to RUN commands will be required.
    runs-on: windows-latest

    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.inputs.branch || 'main' }}

      - name: Setup MSBuild
        uses: microsoft/setup-msbuild@v1
        with:
          vs-version: 16

      - name: Run FoD SAST Scan
        uses: fortify/github-action@v1
        with:
          sast-scan: true
        env:
          FOD_URL: "https://emea.fortify.com"
          FOD_TENANT: ${{ secrets.FOD_TENANT }}
          FOD_CLIENT_ID: ${{ secrets.FOD_API_KEY }}
          FOD_CLIENT_SECRET: ${{ secrets.FOD_SECRET_KEY }}
          FOD_RELEASE: ${{ secrets.FOD_RELEASE_ID }}

Every time I run this, I get the following logs:

Time Elapsed 00:00:43.16
Packaging project...
Run fortify/github-action/internal/run@v1.1.0
  with:
    cmd: "${FCLI_CMD}" fod sast-scan start --rel "${FOD_RELEASE}" -f package.zip --store fod_scan ${EXTRA_FOD_SAST_SCAN_OPTS}
  env:
    FCLI_INSTALL_DIR: D:\a\_temp\fortify\fcli\2.1.0
    FCLI_BIN_DIR: D:\a\_temp\fortify\fcli\2.1.0\bin
    FCLI_CMD: D:\a\_temp\fortify\fcli\2.1.0\bin\fcli.exe
    _FOD_LOGIN_OPTS: ""
    SC_CLIENT_INSTALL_DIR: D:\a\_temp\fortify\sc-client\23.1.0
    SC_CLIENT_BIN_DIR: D:\a\_temp\fortify\sc-client\23.1.0\bin
    SC_CLIENT_CMD: D:\a\_temp\fortify\sc-client\23.1.0\bin\scancentral.bat
    FOD_URL: https://emea.fortify.com
    FOD_TENANT: ***
    FOD_CLIENT_ID: ***
    FOD_CLIENT_SECRET: ***
    FOD_RELEASE: ***
D:\a\_temp\fortify\fcli\2.1.0\bin\fcli.exe fod sast-scan start --rel *** -f package.zip --store fod_scan

Upload package.zip: 0 of 20524567 bytes complete
Upload package.zip: 1048576 of 20524567 bytes complete
Upload package.zip: 2097152 of 20524567 bytes complete
Upload package.zip: 3145728 of 20524567 bytes complete
Upload package.zip: 4194304 of 20524567 bytes complete
Upload package.zip: 5242880 of 20524567 bytes complete
Upload package.zip: 6291456 of 20524567 bytes complete
Upload package.zip: 7340032 of 20524567 bytes complete
Upload package.zip: 8388608 of 20524567 bytes complete
Upload package.zip: 9437184 of 20524567 bytes complete
Upload package.zip: 10485760 of 20524567 bytes complete
Upload package.zip: 11534336 of 20524567 bytes complete
Upload package.zip: 12582912 of 20524567 bytes complete
Upload package.zip: 13631488 of 20524567 bytes complete
Upload package.zip: 14680064 of 20524567 bytes complete
Upload package.zip: 15728640 of 20524567 bytes complete
Upload package.zip: 16777216 of 20524567 bytes complete
Upload package.zip: 17825792 of 20524567 bytes complete
Upload package.zip: 18874368 of 20524567 bytes complete
java.lang.RuntimeException: Error uploading file
    at com.fortify.cli.fod._common.rest.helper.FoDFileTransferHelper.uploadChunked(FoDFileTransferHelper.java:79)
    at com.fortify.cli.fod._common.scan.helper.sast.FoDScanSastHelper.startScan(FoDScanSastHelper.java:83)
    at com.fortify.cli.fod._common.scan.helper.sast.FoDScanSastHelper.startScanWithDefaults(FoDScanSastHelper.java:55)
    at com.fortify.cli.fod.sast_scan.cli.cmd.FoDSastScanStartCommand.startScan(FoDSastScanStartCommand.java:71)
    at com.fortify.cli.fod._common.scan.cli.cmd.AbstractFoDScanStartCommand.getJsonNode(AbstractFoDScanStartCommand.java:36)
    at com.fortify.cli.fod._common.output.cli.AbstractFoDJsonNodeOutputCommand.getJsonNode(AbstractFoDJsonNodeOutputCommand.java:23)
    at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.run(AbstractOutputCommand.java:33)
    at picocli.CommandLine.executeUserObject(CommandLine.java:2103)
    at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2538)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2530)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2492)
    at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2350)
    at picocli.CommandLine$RunLast.execute(CommandLine.java:2494)
    at picocli.CommandLine.execute(CommandLine.java:2247)
    at com.fortify.cli.app.runner.DefaultFortifyCLIRunner.run(DefaultFortifyCLIRunner.java:49)
    at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:38)
    at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:32)
Caused by: com.fortify.cli.common.rest.unirest.UnexpectedHttpResponseException: 
Request: POST https://api.emea.fortify.com/api/v3/releases/***/static-scans/start-scan-with-defaults?isRemediationScan=false&scanTool=fcli&scanToolVersion=2.1.0&scanMethodType=Other&fragNo=-1&offset=19922944:
Response: 500 Internal Server Error
Response Body:
{"errors":[{"errorCode":1001,"mes***":"Unexpected error processing request"}]}
    at com.fortify.cli.common.rest.unirest.config.UnirestUnexpectedHttpResponseConfigurer$UnexpectedHttpResponseInterceptor.onResponse(UnirestUnexpectedHttpResponseConfigurer.java:36)
    at kong.unirest.CompoundInterceptor.lambda$onResponse$1(CompoundInterceptor.java:48)
    at java.base@17.0.9/java.util.ArrayList.forEach(ArrayList.java:1511)
    at kong.unirest.CompoundInterceptor.onResponse(CompoundInterceptor.java:48)
    at kong.unirest.apache.ApacheClient.request(ApacheClient.java:134)
    at kong.unirest.Client.request(Client.java:57)
    at kong.unirest.BaseRequest.request(BaseRequest.java:365)
    at kong.unirest.BaseRequest.asString(BaseRequest.java:218)
    at com.fortify.cli.fod._common.rest.helper.FoDFileTransferHelper.uploadChunked(FoDFileTransferHelper.java:72)
    ... 16 more
Error: Failed to run command:
"D:\a\_temp\fortify\fcli\2.1.0\bin\fcli.exe" fod sast-scan start --rel "***" -f package.zip --store fod_scan 
Error: Error: The process 'D:\a\_temp\fortify\fcli\2.1.0\bin\fcli.exe' failed with exit code 1

The failure always occurs at the same amount of data uploaded.

Hoping for some advice!
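As an added example (not code from the issue or from fcli), a small Python script that checks the arithmetic of the chunked upload shown in the log above: it infers the chunk size from the progress lines, lists the fragment sequence a client would send for that file size, and locates the fragment whose request got the 500. It assumes that fragNo=-1 marks the final fragment, as the failing URL suggests, and the release id in the constructed log excerpt is a placeholder.

```python
import re

# Constructed excerpt of the job log from this issue: a few progress lines
# plus the failing request URL (release id replaced by a placeholder).
LOG = """\
Upload package.zip: 0 of 20524567 bytes complete
Upload package.zip: 1048576 of 20524567 bytes complete
Upload package.zip: 2097152 of 20524567 bytes complete
Upload package.zip: 18874368 of 20524567 bytes complete
Request: POST https://api.emea.fortify.com/api/v3/releases/RELEASE_ID/static-scans/start-scan-with-defaults?isRemediationScan=false&scanTool=fcli&scanToolVersion=2.1.0&scanMethodType=Other&fragNo=-1&offset=19922944:
Response: 500 Internal Server Error
"""

PROGRESS_RE = re.compile(r"Upload \S+: (\d+) of (\d+) bytes complete")
REQUEST_RE = re.compile(r"[?&]fragNo=(-?\d+)&offset=(\d+)")


def fragments(total, chunk):
    """Expected (fragNo, offset, length) sequence for a chunked upload.
    Assumption: fragNo=-1 marks the final fragment, as in the failing URL."""
    out, offset, n = [], 0, 0
    while offset < total:
        length = min(chunk, total - offset)
        last = offset + length >= total
        out.append((-1 if last else n, offset, length))
        offset += length
        n += 1
    return out


def analyze(log):
    """Cross-check the progress lines against the offset of the failed request."""
    done = [(int(a), int(b)) for a, b in PROGRESS_RE.findall(log)]
    total = done[0][1]
    chunk = done[1][0] - done[0][0]          # chunk size inferred from progress steps
    frag_no, offset = map(int, REQUEST_RE.search(log).groups())
    plan = fragments(total, chunk)
    failed = next(f for f in plan if f[1] == offset)
    return {
        "total_bytes": total, "chunk_bytes": chunk, "fragments": len(plan),
        "last_progress_bytes": done[-1][0],
        "failed_fragno": frag_no, "failed_offset": offset,
        "failed_length": failed[2],
        "failed_is_last": failed[0] == -1,           # 500 came on the final fragment?
        "url_fragno_consistent": frag_no == failed[0],
    }


if __name__ == "__main__":
    for k, v in analyze(LOG).items():
        print(f"{k}: {v}")
```

For this log the failing request is the 20th and final fragment (601623 bytes), so the error is not a mid-transfer cut-off; that distinction matters when deciding whether the transfer or the server-side processing after the last fragment should be investigated.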

MikeTheSnowman commented 5 months ago

Hey @quinnturner. Until the smart people chime in, are you able to see if there are any errors/failures in the Application Scans page of the application release that you tried to upload to? If you see something like that, click on the ... button on the far right of the failed scan to see if there's any log or manifest that you can bring back over here for us to take a look at.

rsenden commented 5 months ago

Hi @quinnturner, as you can see in the output, the GitHub Action uses fcli to upload the package to FoD. To get a better idea about whether this issue may be on the fcli-side or the FoD side, can you try submitting the scan request (with the same package) using FoDUploader?

You can either archive and download the package.zip file to try manually, or you can use the fortify/github-action/setup action to install FoDUploader and run it from your pipeline. If you could share the package with us, that would be even better to allow us to try for ourselves.

MikeTheSnowman commented 5 months ago

Hey @quinnturner. Have you had any luck with making progress on your issue?

quinnturner commented 5 months ago

Hi all, I will be tackling this tomorrow. Will report back when I have more info!

quinnturner commented 3 months ago

I just wanted to let you know I got this working using the uploader. I think we were not using ScanCentral to build the application, or there was some issue with variable substitution.

I will close this ticket.

name: Fortify on Demand SAST Scan

on:
  workflow_dispatch:
    inputs:
      branch:
        description: "Branch to scan"
        required: true
        default: "main"
  schedule:
    #        ┌───────────── minute (0 - 59)
    #        │  ┌───────────── hour (0 - 23)
    #        │  │ ┌───────────── day of the month (1 - 31)
    #        │  │ │ ┌───────────── month (1 - 12 or JAN-DEC)
    #        │  │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
    #        │  │ │ │ │
    #        │  │ │ │ │
    #        │  │ │ │ │
    #        *  * * * *
    - cron: "30 1 * * 1"
  push:
    paths:
      - .github/workflows/fortify.yml
jobs:
  FoD-SAST-Scan:
    # Use the appropriate runner for building your source code.
    # Use Windows runner for projects that use msbuild. Additional changes to RUN commands will be required.
    runs-on: windows-latest

    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.inputs.branch || 'main' }}

      - name: Setup MSBuild
        uses: microsoft/setup-msbuild@v1
        with:
          vs-version: 16

      # Java is required to run ScanCentral Client and may be required for your build.
      # The Java version to use depends on the Java version required to run your build (if any),
      # and the Java version supported by the ScanCentral Client version that you are running.
      - name: Setup Java
        uses: actions/setup-java@v1
        with:
          java-version: 1.8

      - name: Setup Fortify tools
        uses: fortify/github-action/setup@v1
        with:
          tool-definitions: https://github.com/fortify/tool-definitions/releases/download/v1/tool-definitions.yaml.zip
          export-path: true
          fcli: latest
          sc-client: 23.1.0
          fod-uploader: latest
          vuln-exporter: v2
          bugtracker-utility: skip
          debricked-cli: skip

      - name: Run scancentral
        run: |
          scancentral package --build-tool msbuild --build-file project.sln --output package.zip

      - name: Perform SAST Scan
        run: FoDUpload -z package.zip -ep 2 -aurl "https://api.emea.fortify.com" -purl "https://emea.fortify.com" -tc "${{ secrets.FOD_TENANT }}" -ac "${{ secrets.FOD_API_KEY }}" "${{ secrets.FOD_SECRET_KEY }}" -rid "${{ secrets.FOD_RELEASE_ID }}" -n "Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})"

rsenden commented 3 months ago

Hi @quinnturner, good to see that you've found a work-around that works for you. However, we'd like to understand why the upload with fcli was failing before. Ultimately the goal is to integrate all functionality provided by other Fortify command-line utilities (like FoDUploader) into fcli, so obviously if fcli fails to upload some payloads, we'd like to understand why, and fix it.

Given your sample workflow above, can you try replacing the FoDUpload call with the corresponding fcli calls, i.e., something like the following (please double-check for typos), and let us know the results?

fcli fod session login --url https://emea.fortify.com -t "${{ secrets.FOD_TENANT }}" --client-id "${{ secrets.FOD_API_KEY }}" --client-secret "${{ secrets.FOD_SECRET_KEY }}"
fcli fod sast-scan start -f package.zip --rel "${{ secrets.FOD_RELEASE_ID }}" --notes "Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})"
fcli fod session logout

Given that your earlier output showed the fcli upload failing halfway, I very much doubt that this is related to incorrect variable substitution. Our GitHub Action should have taken care of the scancentral invocation to package the source code, although by default it uses auto-detection (so it wouldn't have the explicit --build-tool and --build-file options), but I don't see how that could cause the upload to fail halfway.

So, either this is an fcli-specific issue or an issue with the FoD upload endpoint that fcli is using (which may be different than the endpoint used by FoDUploader), or maybe it was just some temporary FoD-side issue.

rsenden commented 1 month ago

Closing as we haven't been able to reproduce this issue, and the user started using FoDUploader instead.