Open AlexClineBB opened 7 years ago
I figured out what I think is going on.
I think Veracode tweaked their TLS ciphers in a bid to get an A+ at ssllabs.com and inadvertently broke this plugin because all but very recent versions of Jenkins still use Java 7. This is just a theory, but the simulated Java 7 connection at SSL labs fails to connect: https://www.ssllabs.com/ssltest/analyze.html?d=analysiscenter.veracode.com
Since Jenkins just started requiring Java 8 with 2.54 hopefully this problem disappears at that version? https://jenkins.io/blog/2017/04/10/jenkins-has-upgraded-to-java-8/
We are experiencing this as well. Our Veracode runs suddenly began failing with this error. Digging into the error revealed that there are no matching ciphers.
Hi folks: Veracode deprecated TLS 1.0 connections in June, which we had announced in advance that we would do for the past six months. From our release notes:
End of Support for TLS 1.0, and the TFS 2010 and VS 2010 Integrations

For security reasons, starting 23 May 2017, Veracode APIs will block connections that use TLS 1.0. Veracode will also discontinue support of Team Foundation Server 2010 and Visual Studio 2010 integrations, which do not support TLS 1.1 or 1.2. Veracode Static Analysis will, however, continue to support applications compiled with Visual Studio 2003 and later.
You must upgrade the following integrations to support .NET 4.5 and TLS 1.2:
- .NET wrapper/SDK
- TFS flaw synchronizer
- TFS XAML build integration
- Visual Studio extension
You must upgrade the following integrations if you are using Java 1.7:
- Java wrapper/SDK
- Eclipse plugin
- IntelliJ plugin
- Jenkins plugin
- JIRA plugin
To support TLS 1.1 and 1.2 with Java 1.7, you must apply the Java Cryptographic Extension (JCE) Unlimited Strength Jurisdiction Policy to the JREs. The JCE Unlimited Strength Jurisdiction Policy files can be downloaded from Oracle. As supporting TLS 1.1 and 1.2 with Java 1.7 requires both an upgrade of Veracode integrations and a patch of the Java 1.7 JRE, Veracode recommends upgrading to Java 1.8 instead.
I suspect that applying the JCE policy would address the issue with this plugin on Java 7. However, you may also want to consider trying the Veracode-supported Jenkins plugin, which is being maintained and updated by Veracode.
While trying to run previously working Veracode Scanner Plugin jobs, I get an SSLHandshakeException. I was able to test with the Veracode Java API jar (current version) and the request succeeded. Could it be that the current version of the plugin is using an old version of the Java API and needs to be updated?
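
The following diagnostic is an added example, not part of the thread and not code from the plugin or from Veracode. It reports what the JRE running Jenkins can offer as a TLS client: the protocols it supports, the protocols it enables by default, whether the JCE unlimited strength policy is active, and whether a handshake succeeds with the defaults versus with TLS 1.2 forced on. The class name `TlsClientCheck` and the host argument are assumptions for illustration.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import java.util.Arrays;

// Added diagnostic (hypothetical class name); compiles on Java 7 and later.
public class TlsClientCheck {

    // Attempt one handshake; protocols == null keeps the JRE's client defaults.
    static String handshake(SSLContext ctx, String host, String[] protocols) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            if (protocols != null) {
                s.setEnabledProtocols(protocols);
            }
            s.startHandshake();
            return "OK " + s.getSession().getProtocol() + " / " + s.getSession().getCipherSuite();
        } catch (SSLHandshakeException e) {
            return "FAILED " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version: " + System.getProperty("java.version"));

        // 128 = default limited policy; Integer.MAX_VALUE = unlimited strength policy active.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("JCE policy: " + (maxAes > 128 ? "unlimited" : "limited (AES-128 max)"));

        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Client defaults:     "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("Default cipher suites: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getCipherSuites()));

        if (args.length == 1) {
            // Compare the JRE's default client settings with TLS 1.2 forced on.
            System.out.println("Default handshake:  " + handshake(ctx, args[0], null));
            System.out.println("TLSv1.2 handshake:  "
                    + handshake(ctx, args[0], new String[] {"TLSv1.2"}));
        }
    }
}
```

Run it with the same JRE that launches Jenkins, passing the API host as the single argument, so the output reflects the environment the plugin actually uses.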