Open mathieu-cap opened 2 months ago
/api/v1/fileTokens is a valid SSC endpoint, the same endpoint is also used for up- and downloading FPR files, for example. This endpoint is documented in both SSC API Documentation and API Reference:
As far as I know, this endpoint has been available in SSC for a long time (documentation screenshots above are for SSC 23.2), but just to double-check, which SSC version are you using? Are you able to up/download FPR files with fcli using the same token? I recall there was a bug in some SSC version where some required permissions were missing for CIToken, but I don't remember whether that affected the ability to access the fileTokens endpoint.
Anyway, even if you would be able to access the fileTokens endpoint, plugin upload would still fail as a CIToken doesn't allow for plugin installation (CIToken is meant for CI integrations, but installing plugins is an administrative task). To install plugins using fcli, you'd need to use one of the following on the fcli ssc session login command:
UnifiedLoginToken
UnifiedLoginToken under the hoods)
AutomationToken (only available in SSC 23.2+)
Sorry, I should have mentioned my version right away. I am also using SSC 23.2, and I can indeed now see the endpoint in the API reference.
Trying to download an artifact with the same CIToken (I used fcli ssc artifact download <id>), the same 404 error occurs; but uploading artifacts succeeds with no problem at all:
$ fcli ssc artifact upload --av example_app:example_version -f example.fpr
Id Scan types Last scan date Upload date Status
10 N/A 2024-04-26T07:38:59.101+00:00 SCHED_PROCESSING
The artifact also appears on SSC (with an error, but only because it is from a random project scanned with an old SCA version).
Logged in using a UnifiedLoginToken, I actually can't download artifacts either, the 404 error is also there. Trying to install a plugin fails as well.
Running the artifact downloading command with --log-level TRACE --log-file log.txt, I can see that /api/v1/artifacts is hit and then /api/v1/fileTokens is tried, but doing the same thing for the artifact uploading command, it appears it is not tried at all, instead /api/v1/projectVersions is targeted directly (followed by /api/v1/artifacts).
For the sake of completeness, I also tried running artifact download, artifact upload and plugin install with an AutomationToken, but it is no different than the UnifiedLoginToken results.
Sorry for the delay, are you still experiencing this issue? With the correct access rights (user role, token type), I'm unable to reproduce your issue. So, this may either be a permission error or a generic issue with your SSC instance (are you able to perform those operations through the SSC UI, with the same user account)? Can you share the (redacted) fcli log file and maybe ssc.log as well, either here or by opening a regular Fortify support case (please include this issue URL and my name, asking them to forward the log files to me)?
Hello,
It appears the fcli ssc plugin install command does not work, as it tries to access a nonexistent API endpoint: /api/v1/fileTokens. Trying on two separate instances of SSC (although their configurations are similar), I could not find the endpoint.
The fileTokens string appears in two places in the code:
Other API endpoints otherwise work, so I know the token I used to log in (via fcli ssc session login) is valid.
My full workflow:
$token variable
Output:
And sure enough, I get this log in the ssc.log file on SSC:
Unfortunately I do not know how this could be fixed, or if it is a specific configuration issue from my side, so I hope you will be able to help. Thank you in advance.