microsoft / security-devops-azdevops

Microsoft Security DevOps extension for Azure DevOps.
MIT License

Error: Failed to install the MSDO CLI nuget package while running behind proxy #59

Open mnieto opened 1 year ago

mnieto commented 1 year ago

After the update to the 1.7.x version, the MicrosoftSecurityDevOps@1 task started to fail in Azure DevOps self-hosted agents configured behind a proxy. It's failing in both Windows and Linux agents. The logs below are from Windows2022 agents.

In previous versions (1.6.x), when it had a dependency on dotnet, execution was fine.

Example failing task

  - task: MicrosoftSecurityDevOps@1
    displayName: Secret scanner
    inputs:
      categories: 'secrets'
      break: true
      publish: true
      artifactName: CodeAnalysisLogs

Log:

##[debug]Evaluating condition for step: 'Secret scanner'
##[debug]Evaluating: SucceededNode()
##[debug]Evaluating SucceededNode:
##[debug]=> True
##[debug]Result: True
Starting: Secret scanner
==============================================================================
Task         : Microsoft Security DevOps
Description  : Run the Microsoft Security DevOps CLI for static analysis.
Version      : 1.7.2
Author       : Microsoft Corporation
Help         : Runs the [Microsoft Security DevOps CLI](https://aka.ms/msdo-nuget) for security analysis.
==============================================================================
##[debug]Using node path: C:\agent01-2\externals\node16\bin\node.exe
##[debug]agent.TempDirectory=C:\agent01-2\_work\_temp
##[debug]loading inputs and endpoints
##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
##[debug]loading INPUT_ARTIFACTNAME
##[debug]loading INPUT_BREAK
##[debug]loading INPUT_CATEGORIES
##[debug]loading INPUT_POLICY
##[debug]loading INPUT_PUBLISH
##[debug]loading SECRET_SYSTEM_ACCESSTOKEN
##[debug]loaded 9
##[debug]Agent.ProxyUrl=http://proxy:80
##[debug]Agent.ProxyUsername=undefined
##[debug]Agent.ProxyPassword=undefined
##[debug]Agent.ProxyBypassList=[".*\\.azurewebsites\\.net",".*\\.azure\\.net"]
##[debug]expose agent proxy configuration.
##[debug]expose agent certificate configuration.
##[debug]Agent.SkipCertValidation=undefined
##[debug]config=undefined
##[debug]policy=microsoft
##[debug]categories=secrets
##[debug]languages=undefined
##[debug]tools=undefined
##[debug]publish=true
##[debug]artifactName=CodeAnalysisLogs
##[debug]break=true
##[debug]sarifFile = C:\agent01-2\_work\69\a\.gdn\msdo.sarif
------------------------------------------------------------------------------
Installing Microsoft Security DevOps Cli version: Latest
##[debug]packageName = Microsoft.Security.Devops.Cli.win-x64
##[debug]agentDirectory = C:\agent01-2\_work\_msdo
##[debug]agentPackagesDirectory = C:\agent01-2\_work\_msdo\packages
##[debug]agentVersionsDirectory = C:\agent01-2\_work\_msdo\versions
##[debug]MSDO CLI version contains a latest quantifier: Latest. Continuing with install...
##[debug]MSDO_MICROSOFTSECURITYDEVOPSCLIWINX64_LATESTVERSION=undefined
##[debug]Fetching service index for: https://api.nuget.org/v3/index.json
##[debug]GET https://api.nuget.org/v3/index.json
(node:8784) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
(Use `node --trace-warnings ...` to show where the warning was created)
##[debug]Error: Error calling url: Error: connect ETIMEDOUT 152.199.23.209:443
##[debug]MSDO_MICROSOFTSECURITYDEVOPSCLIWINX64_LATESTVERSION=undefined
##[debug]Fetching service index for: https://api.nuget.org/v3/index.json
##[debug]GET https://api.nuget.org/v3/index.json
##[debug]Error: Error calling url: Error: connect ETIMEDOUT 152.199.23.209:443
##[debug]MSDO_MICROSOFTSECURITYDEVOPSCLIWINX64_LATESTVERSION=undefined
##[debug]Fetching service index for: https://api.nuget.org/v3/index.json
##[debug]GET https://api.nuget.org/v3/index.json
##[debug]Error: Error calling url: Error: connect ETIMEDOUT 152.199.23.209:443
Exception occurred while initializing MSDO:
##[debug]task result: Failed
##[error]Error: Failed to install the MSDO CLI nuget package.
##[debug]Processed: ##vso[task.issue type=error;]Error: Failed to install the MSDO CLI nuget package.
##[debug]Processed: ##vso[task.complete result=Failed;]Error: Failed to install the MSDO CLI nuget package.
Finishing: Secret scanner

Famble commented 1 year ago

I have the same problem with a self-hosted agent. After the update, the task is now failing because the MSDO CLI is not installing.

CapgG-sleeke commented 7 months ago

Did this problem ever progress to a workaround or even a solution? We upgraded just recently to v3.230.2 and now have issues with our self-hosted agents on premise. Our Azure-hosted agents are running a-ok.

As far as I can see, the node.exe that runs index.js ("C:\agent\externals\node16\bin\node.exe" "C:\agent_work_tasks\MicrosoftSecurityDevOps_XYZ\1.11.0\index.js") doesn't honor the proxy setup.

Testing with procmon64.exe shows that node.exe connects to the public IPs on 443 for the MicrosoftSecurityDevOps task.

Examples working with node.exe: AzureKeyVault 1.232.0 (run.js), UseDotNet 2.232.0 (usedotnet.js)

Not working with node.exe: MicrosoftSecurityDevOps 1.11.0 (index.js)

CapgG-sleeke commented 7 months ago

I found a resolution for this, and posted it on the GitHub repo issue about running MSDO behind the proxy.

This issue actually seems to be with a dependent msdo-nuget-client.js that doesn't handle any proxy connection.
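
What honoring the agent proxy settings looks like in a Node HTTPS client, as an added example that is not part of this thread and is not the extension's or msdo-nuget-client.js's own code. The function names are hypothetical; the proxy URL and the JSON bypass list are passed in as parameters in the form shown by the Agent.ProxyUrl and Agent.ProxyBypassList debug lines in the log above.

```javascript
const http = require('http');
const https = require('https');

// Decide whether a request has to go through the agent proxy.
// proxyUrl and bypassJson mirror Agent.ProxyUrl / Agent.ProxyBypassList.
function proxyFor(targetUrl, proxyUrl, bypassJson) {
  if (!proxyUrl) return null;
  const host = new URL(targetUrl).hostname;
  // The bypass list in the log is a JSON array of regular expressions.
  const patterns = bypassJson ? JSON.parse(bypassJson) : [];
  // Unanchored test: a pattern matches anywhere in the host name.
  const bypass = patterns.some((p) => new RegExp(p, 'i').test(host));
  return bypass ? null : new URL(proxyUrl);
}

// Build the CONNECT request that opens a tunnel to the HTTPS origin.
function connectOptions(targetUrl, proxy) {
  const t = new URL(targetUrl);
  const authority = `${t.hostname}:${t.port || 443}`;
  const headers = { Host: authority };
  if (proxy.username) {
    const cred = `${decodeURIComponent(proxy.username)}:${decodeURIComponent(proxy.password)}`;
    headers['Proxy-Authorization'] = 'Basic ' + Buffer.from(cred).toString('base64');
  }
  return { host: proxy.hostname, port: Number(proxy.port) || 80,
           method: 'CONNECT', path: authority, headers };
}

// GET an HTTPS URL, tunnelling through the proxy when one applies.
function get(targetUrl, proxyUrl, bypassJson) {
  return new Promise((resolve, reject) => {
    const onResponse = (res) => {
      let body = '';
      res.on('data', (chunk) => (body += chunk));
      res.on('end', () => resolve({ status: res.statusCode, body }));
    };
    const proxy = proxyFor(targetUrl, proxyUrl, bypassJson);
    if (!proxy) return https.get(targetUrl, onResponse).on('error', reject);
    http.request(connectOptions(targetUrl, proxy))
      .on('connect', (res, socket) => {
        if (res.statusCode !== 200) return reject(new Error(`proxy CONNECT failed: ${res.statusCode}`));
        // TLS runs inside the tunnel; certificate verification stays enabled.
        https.get(targetUrl, { socket, agent: false }, onResponse).on('error', reject);
      })
      .on('error', reject)
      .end();
  });
}
```

Because the TLS handshake happens end to end inside the CONNECT tunnel, this approach does not need NODE_TLS_REJECT_UNAUTHORIZED=0, the setting the Node warning in the log flags as disabling certificate verification.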