jenkinsci / fortify-plugin

Fortify Jenkins plugin
https://plugins.jenkins.io/fortify

Documentation for updating the SSL keystore #69

Closed ngkmh closed 10 months ago

ngkmh commented 10 months ago

Describe your use-case which is not covered by existing documentation.

We are encountering an SSL handshake error trying to upload an fpr file to an SSC instance:

12:03:45  Running FortifyUpload step
12:03:47  Fortify Jenkins plugin v 22.2.39
12:03:47  Performing Fortify upload process
12:03:47  Using analysis results file: file:xxxx.fpr
12:03:47  Uploading analysis results file to SSC at https://xxx:8443/ssc to application 'XXX' and application version '1.0'
12:03:52  Error uploading to SSC: https://xxx:8443/ssc
12:03:52  javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
12:03:52  com.fortify.ssc.restclient.ApiException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
12:03:52    at com.fortify.plugin.jenkins.FortifyPlugin.runWithFortifyClient(FortifyPlugin.java:894)
12:03:52    at com.fortify.plugin.jenkins.steps.FortifyUpload.createNewOrGetProject(FortifyUpload.java:744)
12:03:52    at com.fortify.plugin.jenkins.steps.FortifyUpload.uploadToSSC(FortifyUpload.java:297)
12:03:52    at com.fortify.plugin.jenkins.steps.FortifyUpload.performAndReturnIssueCount(FortifyUpload.java:225)
12:03:52    at com.fortify.plugin.jenkins.steps.FortifyUpload$Execution.run(FortifyUpload.java:854)
12:03:52    at com.fortify.plugin.jenkins.steps.FortifyUpload$Execution.run(FortifyUpload.java:841)
12:03:52    at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
12:03:52    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
12:03:52    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
12:03:52    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
12:03:52    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
12:03:52    at java.base/java.lang.Thread.run(Thread.java:834)
12:03:52  Caused by: com.fortify.ssc.restclient.ApiException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
12:03:52    at com.fortify.ssc.restclient.ApiClient.execute(ApiClient.java:930)
12:03:52    at com.fortify.ssc.restclient.api.ProjectControllerApi.listProjectWithHttpInfo(ProjectControllerApi.java:202)

Where do I need to update the cacerts for the Fortify plugin?

Reference any relevant documentation, other materials or issues/pull requests that can be used for inspiration.

The Fortify SCA user guide suggests replacing the cacerts in the JRE of the SCA install.

We tried that, but that didn't work.

We also tried updating the cacerts of the Java JDK that we are using on our agent, but that didn't work either.

akaryakina commented 10 months ago

@ngkmh You actually need to import into the cacerts of the JRE that runs the application server that runs the Jenkins master node. This error comes from the plugin itself, and the plugin runs the upload on the master using an fpr from an agent machine.
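
An added example, not part of the original thread or the plugin's code: a shell helper for the Jenkins master host that works out which truststore the Jenkins JVM reads, following the standard JSSE lookup order, and prints the matching `keytool` import command. The alias `ssc-ca` and the file `ssc-ca.pem` are placeholder names for the SSC server's CA certificate, and the `/proc` lookup assumes a Linux master.

```shell
#!/bin/sh
# Added example: find the truststore a given JVM reads by default.
# JSSE order: -Djavax.net.ssl.trustStore, then <java.home>/lib/security/jssecacerts,
# then <java.home>/lib/security/cacerts (Java 8 JDKs keep these under jre/lib/security).

# resolve_truststore <absolute path to java binary> [jvm args...] -> prints truststore path
resolve_truststore() {
  java_bin="$1"; shift
  ts=""
  # An explicit system property overrides the JRE defaults; the last one given wins.
  # Assumes every -D option precedes -jar (later ones are application arguments).
  for arg in "$@"; do
    case "$arg" in
      -Djavax.net.ssl.trustStore=*) ts="${arg#*=}" ;;
    esac
  done
  if [ -n "$ts" ]; then printf '%s\n' "$ts"; return 0; fi
  java_home="$(dirname "$(dirname "$java_bin")")"   # strip /bin/java
  for dir in "$java_home/lib/security" "$java_home/jre/lib/security"; do
    for name in jssecacerts cacerts; do
      if [ -f "$dir/$name" ]; then printf '%s\n' "$dir/$name"; return 0; fi
    done
  done
  return 1
}

# import_command <truststore> <alias> <pem file> -> prints the keytool call to review and run
import_command() {
  printf 'keytool -importcert -trustcacerts -alias %s -file %s -keystore %s\n' "$2" "$3" "$1"
}

# Usage on the Jenkins master host: sh this-script.sh <PID of the Jenkins JVM>
if [ "$#" -ge 1 ] && [ -r "/proc/$1/cmdline" ]; then
  pid="$1"
  # Word splitting below assumes no JVM argument contains whitespace.
  store="$(resolve_truststore "$(readlink -f "/proc/$pid/exe")" $(tr '\0' ' ' < "/proc/$pid/cmdline"))" \
    || { echo "no truststore found for PID $pid" >&2; exit 1; }
  # ssc-ca and ssc-ca.pem are placeholder names for the SSC server's CA certificate.
  import_command "$store" ssc-ca ssc-ca.pem
fi
```

`keytool` prompts for the keystore password when the printed command is run, and Jenkins has to be restarted afterwards because the JVM loads its default truststore once.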