Getting 401 (Unauthorized) when running Microsoft.Security.Devops.Cli.linux-x64.0.188.2 on CentOS 7/Alma

[sarditi]

Hi, Very weird, it has been running for over a week and without any changes in OS or relevant pipelines the error 401 unauthorized appeared. It happens when running security dev ops extention in CentOS 7 / Alma 8. The error is mentioned below.

Thanks, Sagi

/home/devops-agent-1/agent/work/_msdo/versions/Microsoft.Security.Devops.Cli.linux-x64.0.188.2/tools/guardian init --force Init: Creating guardian repo at: /home/devops-agent-1/agent/work/6/s Added /home/devops-agent-1/agent/work/6/s/.gdn/.gitignore file to ignore internal files. Please commit this file. Guardian repository created at: /home/devops-agent-1/agent/work/6/s/.gdn Please commit everything in the .gdn folder to source control. You can now use "guardian run" to run tools. /home/devops-agent-1/agent/work/_msdo/versions/Microsoft.Security.Devops.Cli.linux-x64.0.188.2/tools/guardian run -p azuredevops --rich-exit-code --logger-pipeline --export-file /home/devops-agent-1/agent/work/6/a/.gdn/msdo.sarif --telemetry-environment azdevops Run: Installing Microsoft.Security.CodeAnalysis.Policy.Names

---

##[warning]Failed to install from source https://pkgs.dev.azure.com/secdevtools/SecDevTools/_packaging/MSCA.Policy/nuget/v3/index.json with exception NuGet.Protocol.Core.Types.FatalProtocolException: Unable to load the service index for source https://pkgs.dev.azure.com/secdevtools/SecDevTools/_packaging/MSCA.Policy/nuget/v3/index.json. ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).

[nickel-tyler]

getting this on 100% of runs as of 05/03/24. makes the task unusable. pls fix ms

[reynoldsa]

@nickel-tyler, have you used a custom config to pin a specific MSDO CLI version? If so, I suggest you remove that version pin to let the launcher take the latest version of the MSDO CLI; old versions will no longer work as their permissions have been revoked.

If not, can you give it another try now? Separately to the above issue, we also fixed something about the new package feeds, and I expect it would start working for you again.

[nickel-tyler]

@nickel-tyler, have you used a custom config to pin a specific MSDO CLI version? If so, I suggest you remove that version pin to let the launcher take the latest version of the MSDO CLI; old versions will no longer work as their permissions have been revoked.

If not, can you give it another try now? Separately to the above issue, we also fixed something about the new package feeds, and I expect it would start working for you again.

we are not using a custom config, just a basic invocation of the task template

• task: MicrosoftSecurityDevOps@1 displayName: MSDO scan inputs: command: run policy: azuredevops break: true publish: true

That said, it does seem like the issue is fixed for us now

[reynoldsa]

Sounds good, @nickel-tyler, thanks.

@sarditi at the end of this week, any versions of the MSDO tool earlier than v206 won't work any more due to a change in the authentication system. v188 is no longer supported.