fortify / fcli

fcli is a command-line utility for interacting with various Fortify products
https://fortify.github.io/fcli/

SSC: `404 Not Found` when using `fcli ssc plugin install` #525

Open mathieu-cap opened 2 months ago

mathieu-cap commented 2 months ago

Hello,

It appears the fcli ssc plugin install command does not work, as it tries to access a nonexistent API endpoint: /api/v1/fileTokens.
Trying on two separate instances of SSC (although their configurations are similar), I could not find the endpoint.

The fileTokens string appears in two places in the code:

Other API endpoints otherwise work, so I know the token I used to login (via fcli ssc session login) is valid.

My full workflow:

  1. Download a parser plugin, such as the OWASP Dependency Check plugin
  2. Prepare a CIToken in the $token variable
  3. Execute:
    fcli ssc session login --url <my_ssc_url> -t $token
    fcli ssc av list
    fcli ssc plugin install -f fortify-ssc-parser-owasp-dependency-check-1.4.3.jar

Output:

 Name     Type  Url                                  Created                  Expires  Expired  Action
 default  SSC   <my_ssc_url>                         2024-04-25 15:21:49 UTC  N/A      Unknown  CREATED

 Id  Application name  Name                             Issue template name                   Created by
 1   example_app       example_version                  Prioritized High Risk Issue Template  admin

com.fortify.cli.common.rest.unirest.UnexpectedHttpResponseException: 
Request: POST <my_ssc_url>/api/v1/fileTokens: 
Response: 404 Not Found
Response Body:
{"message":"Resource not found.","responseCode":404,"errorCode":-20020}
        at com.fortify.cli.common.rest.unirest.config.UnirestUnexpectedHttpResponseConfigurer$UnexpectedHttpResponseInterceptor.onResponse(UnirestUnexpectedHttpResponseConfigurer.java:36)
        at kong.unirest.CompoundInterceptor.lambda$onResponse$1(CompoundInterceptor.java:48)
        at java.base@17.0.9/java.util.ArrayList.forEach(ArrayList.java:1511)
        at kong.unirest.CompoundInterceptor.onResponse(CompoundInterceptor.java:48)
        at kong.unirest.apache.ApacheClient.request(ApacheClient.java:134)
        at kong.unirest.Client.request(Client.java:57)
        at kong.unirest.BaseRequest.request(BaseRequest.java:365)
        at kong.unirest.BaseRequest.asObject(BaseRequest.java:266)
        at com.fortify.cli.ssc._common.rest.transfer.SSCFileTransferHelper$SSCFileTransferTokenSupplier.<init>(SSCFileTransferHelper.java:132)
        at com.fortify.cli.ssc._common.rest.transfer.SSCFileTransferHelper.upload(SSCFileTransferHelper.java:58)
        at com.fortify.cli.ssc.plugin.cli.cmd.SSCPluginInstallCommand.getJsonNode(SSCPluginInstallCommand.java:43)
        at com.fortify.cli.ssc._common.output.cli.cmd.AbstractSSCJsonNodeOutputCommand.getJsonNode(AbstractSSCJsonNodeOutputCommand.java:23)
        at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.run(AbstractOutputCommand.java:33)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2103)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2538)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2530)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2492)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2350)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2494)
        at picocli.CommandLine.execute(CommandLine.java:2247)
        at com.fortify.cli.app.runner.DefaultFortifyCLIRunner.run(DefaultFortifyCLIRunner.java:49)
        at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:38)
        at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:32)

And sure enough, I get this log on the ssc.log file on SSC:

2024-04-25 15:48:14,393 127.0.0.6 /api/v1/fileTokens [WARN] com.fortify.server.platform.shared.spring.RestApiExceptionHandlerAdvice - com.fortify.server.platform.shared.exceptions.ApiNotFoundException: Resource not found. [url: /api/v1/fileTokens]

Unfortunately I do not know how this could be fixed, or if it is a specific configuration issue from my side, so I hope you will be able to help. Thank you in advance.

rsenden commented 2 months ago

/api/v1/fileTokens is a valid SSC endpoint, the same endpoint is also used for up- and downloading FPR files for example. This endpoint is documented in both SSC API Documentation and API Reference:


As far as I know, this endpoint has been available in SSC for a long time (documentation screenshots above are for SSC 23.2), but just to double-check, which SSC version are you using? Are you able to up/download FPR files with fcli using the same token? I recall there was a bug in some SSC version where some required permissions were missing for CIToken, but I don't remember whether that affected the ability to access the fileTokens endpoint.

Anyway, even if you would be able to access the fileTokens endpoint, plugin upload would still fail as a CIToken doesn't allow for plugin installation (CIToken is meant for CI integrations, but installing plugins is an administrative task). To install plugins using fcli, you'd need to use one of the following on the fcli ssc session login command:

mathieu-cap commented 2 months ago

Sorry, I should have mentioned my version right away. I am also using SSC 23.2, and I can indeed see the endpoint in the API reference now.

Trying to download an artifact with the same CIToken (I used fcli ssc artifact download <id>), the same 404 error occurs; but uploading artifacts succeeds with no problem at all:

$ fcli ssc artifact upload --av example_app:example_version -f example.fpr
 Id  Scan types  Last scan date  Upload date                    Status
 10              N/A             2024-04-26T07:38:59.101+00:00  SCHED_PROCESSING

The artifact also appears on SSC (with an error, but only because it is from a random project scanned with an old SCA version).

Logged in using a UnifiedLoginToken, I actually can't download artifacts either, the 404 error is also there. Trying to install a plugin fails as well.
Running the artifact downloading command with --log-level TRACE --log-file log.txt, I can see that /api/v1/artifacts is hit and then /api/v1/fileTokens is tried, but doing the same thing for the artifact uploading command, it appears it is not tried at all; instead /api/v1/projectVersions is targeted directly (followed by /api/v1/artifacts).

For the sake of completeness, I also tried running artifact download, artifact upload and plugin install with an AutomationToken, but it is no different than the UnifiedLoginToken results.
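A small triage helper for the ssc.log line quoted earlier in this thread, useful when correlating fcli's TRACE log with what SSC itself recorded; this is an added example, not fcli or SSC code. It assumes the single-line ssc.log shape seen above (timestamp, client IP, request path, level, logger, message); the sample lines below are constructed, including the com.example logger and the 10.0.0.9 client.

```python
import html
import re
from collections import Counter

# ssc.log line shape as quoted in this issue (assumption: one record per line):
# "<timestamp> <client-ip> <request-path> [<level>] <logger> - <message>"
SSC_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<ip>\S+) (?P<path>/\S*) \[(?P<level>[A-Z]+)\] "
    r"(?P<logger>\S+) - (?P<msg>.*)$"
)
# Messages that start with a fully qualified exception class, e.g.
# "com.fortify...ApiNotFoundException: Resource not found. [url: /api/v1/fileTokens]"
EXC_RE = re.compile(r"^(?P<exc>[\w.$]+Exception): (?P<detail>.*)$")

# Constructed sample: the quoted fileTokens warning, a normal request, a second
# client hitting the same endpoint, and one line that is not an ssc.log record.
SAMPLE_SSC_LOG = """\
2024-04-25 15:48:14,393 127.0.0.6 /api/v1/fileTokens [WARN] com.fortify.server.platform.shared.spring.RestApiExceptionHandlerAdvice - com.fortify.server.platform.shared.exceptions.ApiNotFoundException: Resource not found. [url: &#x2F;api&#x2F;v1&#x2F;fileTokens]
2024-04-25 15:48:20,001 127.0.0.6 /api/v1/projectVersions [INFO] com.example.Logger - request handled
2024-04-25 15:49:02,777 10.0.0.9 /api/v1/fileTokens [WARN] com.fortify.server.platform.shared.spring.RestApiExceptionHandlerAdvice - com.fortify.server.platform.shared.exceptions.ApiNotFoundException: Resource not found. [url: &#x2F;api&#x2F;v1&#x2F;fileTokens]
not a log line
"""


def parse_ssc_log_line(line):
    """Return a dict for one ssc.log record, or None if the line has another shape.
    HTML entities such as &#x2F; (present in the log as quoted) are decoded first."""
    m = SSC_LOG_RE.match(html.unescape(line.strip()))
    if not m:
        return None
    rec = m.groupdict()
    e = EXC_RE.match(rec["msg"])
    # Keep only the simple class name, e.g. "ApiNotFoundException".
    rec["exception"] = e.group("exc").rsplit(".", 1)[-1] if e else None
    return rec


def not_found_endpoints(lines):
    """Count (client ip, request path) pairs that SSC answered with ApiNotFoundException."""
    hits = Counter()
    for line in lines:
        rec = parse_ssc_log_line(line)
        if rec and rec["exception"] == "ApiNotFoundException":
            hits[(rec["ip"], rec["path"])] += 1
    return hits


if __name__ == "__main__":
    for (ip, path), n in not_found_endpoints(SAMPLE_SSC_LOG.splitlines()).items():
        print(f"{ip} -> {path}: {n} not-found response(s)")
```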

rsenden commented 1 month ago

Sorry for the delay, are you still experiencing this issue? With the correct access rights (user role, token type), I'm unable to reproduce your issue. So, this may either be a permission error or a generic issue with your SSC instance (are you able to perform those operations through the SSC UI, with the same user account)? Can you share the (redacted) fcli log file and maybe ssc.log as well, either here or by opening a regular Fortify support case (please include this issue URL and my name, asking them to forward the log files to me)?