[JIRA] (JENKINS-61116) FOD-Octane Integration - no Vulnerabilities shown


klee@serena.com (JIRA)
Feb 17, 2020, 10:27:02 AM
to jenkinsc...@googlegroups.com
Kevin Lee created an issue

Jenkins / Bug JENKINS-61116
FOD-Octane Integration - no Vulnerabilities shown
Issue Type: Bug
Assignee: Maria Narcisa Galan
Components: hp-application-automation-tools-plugin
Created: 2020-02-17 15:26
Environment: ALM Octane On Premise - 15.0.20.60
Jenkins 2.204.2
Micro Focus Application Automation Tools Plugin 6.1
FOD
Labels: plugin
Priority: Minor
Reporter: Kevin Lee

Followed instructions from https://admhelp.microfocus.com/octane/en/15.0.20/Online/Content/AdminGuide/how-setup-FoD-integration.htm?Highlight=fortify

The Pipeline job successfully uploads to FOD and finds NEW vulnerabilities, but nothing is shown in Octane for the pipeline. Waited to see if polling of FOD would update them, but nothing appears.

Is there any way of debugging this to see if polling of FOD results is happening?


paul-adrian.tofan@microfocus.com (JIRA)
Feb 18, 2020, 2:24:05 AM
to jenkinsc...@googlegroups.com
Paul-Adrian Tofan assigned an issue to Radi Berkovich
Change By: Paul-Adrian Tofan
Assignee: Maria Narcisa Galan -> Radi Berkovich

nir.yom-tov@microfocus.com (JIRA)
Feb 19, 2020, 2:17:02 AM
to jenkinsc...@googlegroups.com
nir yom tov assigned an issue to nir yom tov
Change By: nir yom tov
Assignee: Radi Berkovich -> nir yom tov

nir.yom-tov@microfocus.com (JIRA)
Feb 19, 2020, 2:51:02 AM
to jenkinsc...@googlegroups.com
nir yom tov commented on Bug JENKINS-61116

Re: FOD-Octane Integration - no Vulnerabilities shown

Hi, some questions here:

  1. I see that the Octane plugin is 6.1 - what is the FOD plugin version?
  2. Is the pipeline set to be of type 'security'?
  3. Do the vulnerabilities that were found have a later date (introduce date) than the pipeline creation? (Vulnerabilities that existed before the pipeline creation won't be injected.)
  4. Is it possible to submit the Jenkins log? Found in: <Jenkins url>/userContent/nga/logs/nga.log

Thanx

Nir

nir.yom-tov@microfocus.com (JIRA)
Feb 19, 2020, 3:08:04 AM
to jenkinsc...@googlegroups.com
nir yom tov edited a comment on Bug JENKINS-61116

Hi, some questions here:

  1. I see that the Octane plugin is 6.1 - what is the FOD plugin version?
  2. Is the pipeline set to be of type 'security'?
  3. Do the vulnerabilities that were found have a later date (introduce date) than the pipeline creation? (Vulnerabilities that existed before the pipeline creation won't be injected.)
  4. Is it possible to submit the Jenkins log? Found in: <Jenkins url>/userContent/nga/logs/nga.log
  5. Also, please tell me whether your Jenkins job is a simple one or pipeline as code?

Thanx

Nir

klee@serena.com (JIRA)
Feb 19, 2020, 4:32:03 AM
to jenkinsc...@googlegroups.com
Kevin Lee updated an issue
Change By: Kevin Lee
Attachment: 51667_scandata.fpr

klee@serena.com (JIRA)
Feb 19, 2020, 4:32:03 AM
to jenkinsc...@googlegroups.com
Kevin Lee updated an issue
Change By: Kevin Lee
Attachment: scan-summary.PNG

klee@serena.com (JIRA)
Feb 19, 2020, 5:55:04 AM
to jenkinsc...@googlegroups.com
Kevin Lee commented on Bug JENKINS-61116

Re: FOD-Octane Integration - no Vulnerabilities shown

Thanks Nir,

  1. FOD Plugin version 5.0.1
  2. Pipeline is "End to End" and "Security" - can it be more than one tag?
  3. Yes, vulnerabilities were found in a commit to the repository (see attached) after the pipeline was created.
  4. Attached
  5. It is a Jenkinsfile Pipeline in GitHub - a commit to the repository starts the Jenkins/Octane Pipeline and FOD upload!

It is for customer demo. I can leave VM up for a while if you want to look (pm for login details: kevi...@microfocus.com)

Kevin

klee@serena.com (JIRA)
Feb 19, 2020, 5:59:02 AM
to jenkinsc...@googlegroups.com

Tried running the same build in a Freestyle Jenkins job (set Octane Pipeline to Security only) - now there is an Authentication error in the log (see nga2.log). Don't know why this is the case, as the Pipeline uploads and runs the scan in FOD successfully?

I have tried both API Key and Personal Access Token authentication with the same result.


Kevin

nir.yom-tov@microfocus.com (JIRA)
Feb 24, 2020, 2:11:02 AM
to jenkinsc...@googlegroups.com
nir yom tov commented on Bug JENKINS-61116

Re: FOD-Octane Integration - no Vulnerabilities shown

Hi Kevin,

It seems, according to the error, that the Octane plugin is having a hard time connecting to FOD.

In the Jenkins configuration - did you correctly fill in the Fortify on Demand section? (URL, API URL, API key and secret) - is the Test Connection button working for you? (See example below.)

klee@serena.com (JIRA)
Feb 24, 2020, 4:02:07 AM
to jenkinsc...@googlegroups.com
Kevin Lee updated an issue
Change By: Kevin Lee
Attachment: FOD-Config.PNG

klee@serena.com (JIRA)
Feb 24, 2020, 4:02:10 AM
to jenkinsc...@googlegroups.com
Kevin Lee updated an issue
Change By: Kevin Lee
Attachment: image-2020-02-24-09-01-01-035.png

klee@serena.com (JIRA)
Feb 24, 2020, 4:04:02 AM
to jenkinsc...@googlegroups.com
Kevin Lee commented on Bug JENKINS-61116

Re: FOD-Octane Integration - no Vulnerabilities shown

Yes, I have tried both API Key and PAT - clicking on "Test Connection" works. I notice your screenshot is slightly different, as "Secret" does not use Jenkins Credentials - does this make any difference?


klee@serena.com (JIRA)
Feb 25, 2020, 7:04:03 AM
to jenkinsc...@googlegroups.com
Kevin Lee updated an issue
Change By: Kevin Lee
Priority: Minor -> Blocker

klee@serena.com (JIRA)
Feb 25, 2020, 7:10:02 AM
to jenkinsc...@googlegroups.com
Kevin Lee updated an issue
Change By: Kevin Lee
Environment:
ALM Octane On Premise - 15.0.20.60
Jenkins 2.204.2
Micro Focus Application Automation Tools Plugin 6.1
FOD Plugin 5.0.1

klee@serena.com (JIRA)
Feb 25, 2020, 7:10:02 AM
to jenkinsc...@googlegroups.com

Re: FOD-Octane Integration - no Vulnerabilities shown

It looks like this does not work with the latest version of the FOD Uploader plugin (5.0.1), where they switched to using the Jenkins Credentials plugin for secrets rather than a plain text field. I added a bit of debugging to FODConnector.java:

INFO [VulnerabilitiesPushWorker-58 ] FODConnector : grant_type=client_credentials&scope=api-tenant&client_id=852dae7d-2280-4d76-8e2e-9f8fc0bee63c&client_secret=fod-api-key

For the client_secret it is using the Credentials id "fod-api-key" rather than resolving its actual value.
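As an added illustration of the defect described above (this is example code, not the plugin's FODConnector), the following resolves a Jenkins credentials ID to its stored secret before composing the client_credentials body shown in the log line, fails closed if the value could not be resolved, and keeps the secret out of anything written to nga.log. It assumes the Jenkins Credentials plugin API and the plain-credentials StringCredentials type; the class and method names (FodTokenRequest, resolveClientSecret, buildTokenBody, describeForLog) are hypothetical.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.security.ACL;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Collections;

public final class FodTokenRequest { // hypothetical class, not the plugin's own

    /** Resolve the secret text stored under a Jenkins credentials ID; null if not found. */
    static String resolveClientSecret(String credentialsId) {
        StringCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StringCredentials.class,
                        Jenkins.get(),
                        ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
        return c == null ? null : c.getSecret().getPlainText();
    }

    /** Build the client_credentials form body in the shape seen in the report's log line. */
    static String buildTokenBody(String clientId, String credentialsId) {
        String secret = resolveClientSecret(credentialsId);
        // The reported defect sent the credentials ID itself as client_secret; fail closed instead.
        if (secret == null || secret.equals(credentialsId)) {
            throw new IllegalStateException(
                    "could not resolve FOD client secret from credentials id " + credentialsId);
        }
        return "grant_type=client_credentials&scope=api-tenant"
                + "&client_id=" + enc(clientId)
                + "&client_secret=" + enc(secret);
    }

    /** Log-safe description of the request: the secret value is never written to the log. */
    static String describeForLog(String clientId, String credentialsId) {
        return "grant_type=client_credentials&scope=api-tenant&client_id=" + clientId
                + "&client_secret=<redacted; credentials id " + credentialsId + ">";
    }

    private static String enc(String s) {
        try { return URLEncoder.encode(s, "UTF-8"); }
        catch (UnsupportedEncodingException e) { throw new IllegalStateException(e); }
    }
}
```

Note that the debug line quoted above also wrote the resolved-or-not client_secret parameter into nga.log; logging only describeForLog output avoids leaking the real secret once resolution works.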
