jenkinsci / fortify-on-demand-uploader-plugin

Fortify on Demand Uploader
https://plugins.jenkins.io/fortify-on-demand-uploader/

FoD plugin does not honor environment variables #142

Open fortifysoftware opened 1 year ago

fortifysoftware commented 1 year ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.378
OS: Linux - 5.4.0-1090-azure
---
ace-editor:1.1 ant:481.v7b_09e538fcca antisamy-markup-formatter:155.v795fb_8702324 apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61 authentication-tokens:1.4 bootstrap4-api:4.6.0-5 bootstrap5-api:5.2.1-3 bouncycastle-api:2.26 branch-api:2.1051.v9985666b_f6cc build-timeout:1.24 caffeine-api:2.9.3-65.v6a_47d0f4d1fe checks-api:1.8.0 cloudbees-folder:6.795.v3e23d3c6f194 command-launcher:90.v669d7ccb_7c31 commons-lang3-api:3.12.0-36.vd97de6465d5b_ commons-text-api:1.10.0-27.vb_fa_3896786a_7 configuration-as-code:1569.vb_72405b_80249 contrast-continuous-application-security:3.10 credentials:1214.v1de940103927 credentials-binding:523.vd859a_4b_122e6 cvs:2.19.1 dark-theme:262.v0202a_4c8fb_6a display-url-api:2.3.6 docker-commons:1.21 docker-workflow:528.v7c193a_0b_e67c durable-task:501.ve5d4fc08b0be echarts-api:5.4.0-1 email-ext:2.92 external-monitor-job:203.v683c09d993b_9 font-awesome-api:6.2.0-3 fortify:22.1.38 fortify-on-demand-uploader:7.1.1 git:4.13.0 git-client:3.13.0 git-server:99.va_0826a_b_cdfa_d github:1.36.0 github-api:1.303-400.v35c2d8258028 github-branch-source:1696.v3a_7603564d04 gradle:2.1.1 handlebars:3.0.8 http_request:1.16 instance-identity:116.vf8f487400980 ionicons-api:31.v4757b_6987003 jackson2-api:2.13.4.20221013-295.v8e29ea_354141 jakarta-activation-api:2.0.1-2 jakarta-mail-api:2.0.1-2 javadoc:226.v71211feb_e7e9 javax-activation-api:1.2.0-5 javax-mail-api:1.6.2-8 jaxb:2.3.7-1 jdk-tool:63.v62d2fd4b_4793 jjwt-api:0.11.5-77.v646c772fddb_0 jnr-posix-api:3.1.15-2 jquery-detached:1.2.1 jquery3-api:3.6.1-2 jsch:0.1.55.61.va_e9ee26616e7 junit:1160.vf1f01a_a_ea_b_7f ldap:2.12 lockable-resources:2.18 mailer:438.v02c7f0a_12fa_4 mapdb-api:1.0.9-28.vf251ce40855d matrix-auth:3.1.5 matrix-project:785.v06b_7f47b_c631 maven-invoker-plugin:2.4 mina-sshd-api-common:2.9.1-44.v476733c11f82 mina-sshd-api-core:2.9.1-44.v476733c11f82 momentjs:1.1.1 okhttp-api:4.9.3-108.v0feda04578cf
pam-auth:1.10 pipeline-build-step:2.18 pipeline-github-lib:38.v445716ea_edda_ pipeline-graph-analysis:195.v5812d95a_a_2f9 pipeline-groovy-lib:613.v9c41a_160233f pipeline-input-step:456.vd8a_957db_5b_e9 pipeline-milestone-step:101.vd572fef9d926 pipeline-model-api:2.2118.v31fd5b_9944b_5 pipeline-model-definition:2.2118.v31fd5b_9944b_5 pipeline-model-extensions:2.2118.v31fd5b_9944b_5 pipeline-rest-api:2.27 pipeline-stage-step:296.v5f6908f017a_5 pipeline-stage-tags-metadata:2.2118.v31fd5b_9944b_5 pipeline-stage-view:2.27 plain-credentials:139.ved2b_9cf7587b plugin-util-api:2.18.0 popper-api:1.16.1-3 popper2-api:2.11.6-2 resource-disposer:0.20 scm-api:621.vda_a_b_055e58f7 script-security:1190.v65867a_a_47126 snakeyaml-api:1.33-90.v80dcb_3814d35 ssh-credentials:305.v8f4381501156 ssh-slaves:2.854.v7fd446b_337c9 sshd:3.249.v2dc2ea_416e33 structs:324.va_f5d6774f3a_d subversion:2.16.0 theme-manager:1.5 timestamper:1.21 token-macro:308.v4f2b_ed62b_b_16 trilead-api:2.72.v2a_3236754f73 variant:59.vf075fe829ccb windows-slaves:1.8.1 workflow-aggregator:590.v6a_d052e5a_a_b_5 workflow-api:1200.v8005c684b_a_c6 workflow-basic-steps:994.vd57e3ca_46d24 workflow-cps:3536.vb_8a_6628079d5 workflow-durable-task-step:1210.va_1e5d77e122b workflow-job:1254.v3f64639b_11dd workflow-multibranch:716.vc692a_e52371b_ workflow-scm-step:400.v6b_89a_1317c9a_ workflow-step-api:639.v6eca_cd8c04a_a_ workflow-support:839.v35e2736cfd5c ws-cleanup:0.43
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Reproduction steps

It seems the `fodStaticAssessment` step does not honor the `JAVA_HOME` environment variable, even though it's defined in Jenkins and on the machine for all users.

This issue occurs with both a freestyle project and a pipeline project. In the case of a pipeline project, here is my pipeline script:

Pipeline Script

```groovy
pipeline {
    agent any
    tools {
        maven "Maven (Latest)"
        jdk "JDK 17"
    }
    stages {
        stage('Get code') {
            steps {
                // Get code from GitHub repo
                git branch: 'v8.2.2', changelog: false, poll: false, url: 'https://github.com/micro-focus/FoD-WebGoat.git'
                // Test Java version
                sh "echo Testing java"
                sh "java -version"
            }
        }
        stage('Run Static Assessment') {
            tools {
                jdk "JDK 17"
            }
            steps {
                sh "echo JAVA_HOME=$JAVA_HOME"
                sh "echo PATH=$PATH"
                fodStaticAssessment applicationName: '', applicationType: '', assessmentType: '', attributes: '',
                    auditPreference: '', bsiToken: '', businessCriticality: '', entitlementId: '',
                    entitlementPreference: '', frequencyId: '', inProgressBuildResultType: 'FailBuild',
                    inProgressScanActionType: 'Queue', isMicroservice: false, languageLevel: '',
                    microserviceName: '', openSourceScan: '', overrideGlobalConfig: false,
                    personalAccessToken: '', releaseId: '', releaseName: '',
                    remediationScanPreferenceType: 'RemediationScanIfAvailable', scanCentral: 'Maven',
                    scanCentralBuildCommand: '', scanCentralBuildFile: '', scanCentralBuildToolVersion: '',
                    scanCentralIncludeTests: '', scanCentralRequirementFile: '', scanCentralSkipBuild: '',
                    scanCentralVirtualEnv: '', sdlcStatus: '', srcLocation: '.', technologyStack: '',
                    tenantId: '', username: ''
            }
        }
        stage('Poll Results') {
            tools {
                jdk "JDK 17"
            }
            steps {
                fodPollResults bsiToken: '', personalAccessToken: '', pollingInterval: 1, releaseId: '', tenantId: '', username: ''
            }
        }
    }
}
```

Expected Results

`JAVA_HOME` would be resolvable by scancentral and the `fodStaticAssessment` step would succeed.

Actual Results

Here is a relevant snippet of the console output:

Console Output

```text
[Pipeline] sh
+ echo Testing java
Testing java
[Pipeline] sh
+ java -version
NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
java version "17.0.5" 2022-10-18 LTS
Java(TM) SE Runtime Environment (build 17.0.5+9-LTS-191)
Java HotSpot(TM) 64-Bit Server VM (build 17.0.5+9-LTS-191, mixed mode, sharing)
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Run Static Assessment)
[Pipeline] tool
[Pipeline] envVarsForTool
[Pipeline] tool
[Pipeline] envVarsForTool
[Pipeline] withEnv
[Pipeline] {
[Pipeline] sh
+ echo JAVA_HOME=/usr/lib/jvm/jdk-17
JAVA_HOME=/usr/lib/jvm/jdk-17
[Pipeline] sh
+ echo PATH=/usr/lib/jvm/jdk-17/bin:/opt/apache/maven/latest/bin:/usr/lib/jvm/jdk-17/bin:/opt/apache/maven/latest/bin:/opt/fortify/sca/latest/bin:/opt/apache/maven/latest/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
PATH=/usr/lib/jvm/jdk-17/bin:/opt/apache/maven/latest/bin:/usr/lib/jvm/jdk-17/bin:/opt/apache/maven/latest/bin:/opt/fortify/sca/latest/bin:/opt/apache/maven/latest/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
[Pipeline] fodStaticAssessment
Running fodStaticAssessment step
Fortify on Demand Upload Running...
Starting FoD Upload.
Correlation Id = f8f9628d-98a0-448a-84fb-cdb3e53ad13a
Scan Central Path : /opt/fortify/sca/latest/bin/scancentral
Checking ScanCentralVersion
JAVA_HOME: null
Failed executing scan central : 
Packaged File Output Path : null
Scan Central package output not found.
```

Notice that scancentral reports `JAVA_HOME: null`, even though right before the `fodStaticAssessment` step, the command `echo JAVA_HOME=$JAVA_HOME` output the correct value:

```text
[Pipeline] sh
+ echo JAVA_HOME=/usr/lib/jvm/jdk-17
JAVA_HOME=/usr/lib/jvm/jdk-17
```

Anything else?

A similar issue existed with the regular Fortify plugin, but the developer (Anna K) was able to figure out the solution. ("It turned out that we didn't take env overrides into account for our pipelines.")
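The log above shows the symptom from the plugin side: a `sh` step inside the `tools { jdk "JDK 17" }` block sees `JAVA_HOME`, but the step that launches scancentral reads `null`. The usual cause in Jenkins plugin code is reading the environment from `Run.getEnvironment()`, which knows nothing about the `withEnv` wrapper that `tools` generates; in a Pipeline step the overrides are only visible through the `StepContext`'s `EnvVars`. The following is an added illustration, not code from this plugin or from the fix mentioned above; the class name, the `scanCentralPath` parameter and the `--version` argument passed to scancentral are assumptions.

```java
import hudson.EnvVars;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.Run;
import hudson.model.TaskListener;
import org.jenkinsci.plugins.workflow.steps.StepContext;
import org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution;

/** Hypothetical step execution showing where a Pipeline step must read its environment. */
public class ScanCentralVersionCheckExecution extends SynchronousNonBlockingStepExecution<Integer> {

    private final String scanCentralPath; // assumed: path such as /opt/fortify/sca/latest/bin/scancentral

    ScanCentralVersionCheckExecution(StepContext context, String scanCentralPath) {
        super(context);
        this.scanCentralPath = scanCentralPath;
    }

    @Override
    protected Integer run() throws Exception {
        StepContext ctx = getContext();
        Run<?, ?> build = ctx.get(Run.class);
        TaskListener listener = ctx.get(TaskListener.class);
        Launcher launcher = ctx.get(Launcher.class);
        FilePath workspace = ctx.get(FilePath.class);

        // Pitfall: Run.getEnvironment() only yields the global and node environment.
        // It does not see values injected by enclosing withEnv { } / tools { } blocks,
        // which is how JAVA_HOME can be null here while a sibling sh step prints it.
        EnvVars buildEnv = build.getEnvironment(listener);

        // Fix: the StepContext's EnvVars carries the Pipeline overrides; layer them on top.
        EnvVars stepEnv = ctx.get(EnvVars.class);
        EnvVars effective = new EnvVars(buildEnv);
        if (stepEnv != null) {
            effective.putAll(stepEnv); // overrides win over the base environment
        }
        listener.getLogger().println("JAVA_HOME: " + effective.get("JAVA_HOME"));

        // Hand the effective environment to the child process; otherwise scancentral
        // inherits the agent's environment rather than the Pipeline's.
        return launcher.launch()
                .cmds(scanCentralPath, "--version") // "--version" is an assumed argument
                .envs(effective)
                .pwd(workspace)
                .stdout(listener)
                .join();
    }
}
```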