fortify/gha-setup-scancentral-client

Problem with client.properties file - Authorization token is not configured


We can use our Fortify ScanCentral server infrastructure from other Internet-connected Ubuntu environments and it works well.
We tested with the ScanCentral upload token and client_auth_token from that environment and they have the correct permissions.

When we try to use this GitHub Action, it fails with this error message:

2020-08-07T22:32:18.9065701Z Initializing client authorization token...
2020-08-07T22:32:18.9120702Z Shutting down with errors. Please see log for details.
2020-08-07T22:32:18.9124057Z Problem with client.properties file - either not found or its properties not set correctly: Authorization token is not configured

When I install the 20.1.0 ScanCentral client software on an Ubuntu server by unzipping the archive from Fortify, the Core/config/client.properties file is not created. I need to create it by hand and put in the 'client_auth_token=' before the ScanCentral client will operate successfully.

I see in the GitHub Action log that the ScanCentral Client is installed by unzipping it:

2020-08-07T22:32:13.5206462Z ##[group]Setup Fortify ScanCentral Client
2020-08-07T22:32:14.9085695Z [command]/usr/bin/unzip -q /home/runner/work/_temp/85c1bd1e-f6f6-4ec9-a4e7-5a36012364dc
2020-08-07T22:32:17.0304937Z Successfully installed Fortify ScanCentral version 20.1.0

Is it possible that the current configuration is having the same issue that I experience with the 20.1.0 media?

If not, I do not see an explanation of how to get that 'client_auth_token' configured anywhere in the documentation.

I cannot tell from the log messages if this is a bug or if I am missing something in the setup. I have attached the complete log.
Fortify-ScanCentral-GitHub-Action-log-2020-08-07.txt

Update on 2020-08-10:
Is this the correct channel for interaction about this GitHub-Action?

Hi Matt,

Sorry for the late reply. This is the correct channel for interaction about this GitHub Action, however I have been very busy with other work.

Until now I have only tested this GitHub Action in combination with Fortify on Demand; in that scenario no client.properties is required. I will need to discuss with the ScanCentral product manager and will update this issue and the documentation accordingly if necessary.

Thank you for your patience.

Hi Matt,

I added some functionality to generate client.properties, optionally containing the client authentication token as specified as an action input parameter. Please see the updated README.md for details.

I don't have a ScanCentral Controller available right now, so I haven't been able to actually test this functionality. Can you please test and let me know whether everything works as expected?

Thanks!

Thank you for the enhanced action. If I use a double-quoted string, it works perfectly (e.g., "THESECRETSTRING!").

  ### Set up Fortify ScanCentral Client ###
  - uses: fortify/gha-setup-scancentral-client@v1   
    with:
      version: 20.1.0                                                     # '20.1.0' is the default (and currently only version available)
      client-auth-token: "THESECRETSTRING!"            # Required by our ScanCentral Controllers

I work in financial services where this type of secrets-handling will not pass our audits.

I am able to use secrets & variables with the URL & TOKEN, but I was unable to find the right way to use a secret & variable with the client-auth-token. Here are some ways that I tried, along with the whole ScanCentral log from each try.

  ### Set up Fortify ScanCentral Client ###
  - uses: fortify/gha-setup-scancentral-client@v1
    with:
      version: 20.1.0                            # '20.1.0' is the default (and currently only version available)
      client-auth-token: "$Env:CATOKEN"          # Required by our ScanCentral Controllers
    env:
      CATOKEN: ${{ secrets.CLIENT_AUTH_TOKEN }}
      URL: ${{ secrets.SSC_URL }}
      TOKEN: ${{ secrets.SSC_UPLOAD_TOKEN }}

2020-08-18 02:00:01,484 [INFO] com.fortify.cloud.cli.Main - Initializing: ScanCentral version: 20.1.0.0153
2020-08-18 02:00:01,497 [WARN] com.fortify.cloud.cli.util.ArgHelper - /opt/hostedtoolcache/Fortify ScanCentral/20.1.0/x64/Core/config/scancentral.properties (No such file or directory)
2020-08-18 02:00:01,498 [INFO] com.fortify.cloud.cli.command.UnrecognizedArgumentCommand - Executing
2020-08-18 02:00:01,503 [INFO] com.fortify.cloud.cli.command.FindUrlCommand - Executing
2020-08-18 02:00:01,504 [INFO] com.fortify.cloud.cli.command.PingCommand - Executing
2020-08-18 02:00:01,966 [FATAL] com.fortify.cloud.cli.Main - An exception occurred.
2020-08-18 02:00:01,966 [INFO] com.fortify.cloud.cli.Main - Shutting down with errors.

  ### Set up Fortify ScanCentral Client ###
  - uses: fortify/gha-setup-scancentral-client@v1
    with:
      version: 20.1.0                            # '20.1.0' is the default (and currently only version available)
      client-auth-token: ${CATOKEN}              # Required by our ScanCentral Controllers
    env:
      CATOKEN: ${{ secrets.CLIENT_AUTH_TOKEN }}

2020-08-18 00:01:41,842 [INFO] com.fortify.cloud.cli.Main - Initializing: ScanCentral version: 20.1.0.0153
2020-08-18 00:01:41,854 [WARN] com.fortify.cloud.cli.util.ArgHelper - /opt/hostedtoolcache/Fortify ScanCentral/20.1.0/x64/Core/config/scancentral.properties (No such file or directory)
2020-08-18 00:01:41,855 [INFO] com.fortify.cloud.cli.command.UnrecognizedArgumentCommand - Executing
2020-08-18 00:01:41,857 [INFO] com.fortify.cloud.cli.command.FindUrlCommand - Executing
2020-08-18 00:01:41,857 [INFO] com.fortify.cloud.cli.command.PingCommand - Executing
2020-08-18 00:01:42,236 [FATAL] com.fortify.cloud.cli.Main - An exception occurred.
2020-08-18 00:01:42,236 [INFO] com.fortify.cloud.cli.Main - Shutting down with errors.

  ### Set up Fortify ScanCentral Client ###
  - uses: fortify/gha-setup-scancentral-client@v1
    with:
      version: 20.1.0                            # '20.1.0' is the default (and currently only version available)
      client-auth-token: $CATOKEN                # Required by our ScanCentral Controllers
    env:
      CATOKEN: ${{ secrets.CLIENT_AUTH_TOKEN }}

2020-08-18 00:07:57,431 [INFO] com.fortify.cloud.cli.Main - Initializing: ScanCentral version: 20.1.0.0153
2020-08-18 00:07:57,442 [WARN] com.fortify.cloud.cli.util.ArgHelper - /opt/hostedtoolcache/Fortify ScanCentral/20.1.0/x64/Core/config/scancentral.properties (No such file or directory)
2020-08-18 00:07:57,442 [INFO] com.fortify.cloud.cli.command.UnrecognizedArgumentCommand - Executing
2020-08-18 00:07:57,447 [INFO] com.fortify.cloud.cli.command.FindUrlCommand - Executing
2020-08-18 00:07:57,448 [INFO] com.fortify.cloud.cli.command.PingCommand - Executing
2020-08-18 00:07:57,854 [FATAL] com.fortify.cloud.cli.Main - An exception occurred.
2020-08-18 00:07:57,854 [INFO] com.fortify.cloud.cli.Main - Shutting down with errors.

Can you offer any guidance on the way I should handle the secret & variable so that it feeds your code what it needs?

I entered the client-auth-token into the GitHub secret store 3 different times to ensure that this was not a typing error.

Hi Matt,

According to the GitHub documentation you should not use an intermediate environment variable, but rather pass the secret directly to the action:

  ### Set up Fortify ScanCentral Client ###
  - uses: fortify/gha-setup-scancentral-client@v1
    with:
      version: 20.1.0                                          # '20.1.0' is the default (and currently only version available)
      client-auth-token: ${{ secrets.CLIENT_AUTH_TOKEN }}      # Required by our ScanCentral Controllers

Please let me know whether this works, then I'll add this information to the action documentation.
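The three failing attempts above all hand the action a literal string, because a `with:` input is never run through a shell: only `${{ ... }}` expressions are resolved by the runner. The following is an added illustration (not code from the action or from either participant) that models that resolution rule and flags the unexpanded shell-style values before they would be written into client.properties; the secret value and the `resolve_and_check` helper are constructed for the example.

```python
import re

# Only GitHub expression syntax is resolved in a `with:` input; everything else is literal.
# Assumption for this example: we model just the `secrets.NAME` form of an expression.
EXPR = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# A bare shell or PowerShell variable reference that nobody expanded, e.g. $CATOKEN,
# ${CATOKEN} or $Env:CATOKEN (the quotes of "$Env:CATOKEN" are already removed by YAML).
SHELL_REF = re.compile(r"^\$(Env:)?\{?[A-Za-z_][A-Za-z0-9_]*\}?$")

# Constructed sample secret store standing in for the repository's GitHub secrets.
CONSTRUCTED_SECRETS = {"CLIENT_AUTH_TOKEN": "THESECRETSTRING!"}


def resolve_input(raw: str, secrets: dict) -> str:
    """Resolve `${{ secrets.X }}` occurrences; an unknown secret becomes the empty string."""
    return EXPR.sub(lambda m: secrets.get(m.group(1), ""), raw)


def looks_unexpanded(value: str) -> bool:
    """True when the value is a shell-style variable reference rather than a real token."""
    return bool(SHELL_REF.match(value))


def resolve_and_check(raw: str, secrets: dict) -> tuple:
    """Return (resolved value, status) so a workflow can fail early on a bad token input."""
    value = resolve_input(raw, secrets)
    if value == "":
        return value, "missing"          # the client's 'Authorization token is not configured' case
    if looks_unexpanded(value):
        return value, "unexpanded-reference"
    return value, "ok"


def render_client_properties(token: str) -> str:
    """Produce the client.properties line the action generates (key name as in the issue)."""
    value, status = resolve_and_check(token, CONSTRUCTED_SECRETS)
    if status != "ok":
        raise ValueError(f"client_auth_token input rejected: {status}")
    return f"client_auth_token={value}\n"


if __name__ == "__main__":
    for raw in ["$Env:CATOKEN", "${CATOKEN}", "$CATOKEN", "${{ secrets.CLIENT_AUTH_TOKEN }}"]:
        print(raw, "->", resolve_and_check(raw, CONSTRUCTED_SECRETS)[1])
```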

Thank you very much for the help. Using your recommendation it works exactly as it should.
As you evolve this GH Action, do not hesitate to nudge me for testing in an environment that has a private controller.
The code below is what I used for a Mavenized Java application.
I added the 'FranzDiebold/github-env-vars-action@v1.2.0' so that we can use the repo owner and repo names in our SSC and avoid having to hard-code anything in the GH Action.

Start GH Action

name: Fortify ScanCentral SAST Scan v2 # Name of this workflow
on:
  push: # Perform Fortify SAST on push and/or pull requests
    branches:
      - master
  pull_request:
    branches:
      - master
jobs:
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest # Use the appropriate runner for building your source code
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v2 # Check out source code
      - uses: actions/setup-java@v1 # Set up Java (required by ScanCentral Client and for actual build)
        with:
          java-version: '11.0.3'
      - uses: FranzDiebold/github-env-vars-action@v1.2.0 # Expose environment variables
      - name: Build with Maven
        run: mvn -B package -DskipTests=true -Denforcer.skip=true -Dmaven.javadoc.skip=true -Dmaven.test.skip=true --file 'pom.xml'

      ### Set up Fortify ScanCentral Client ###
      - uses: fortify/gha-setup-scancentral-client@v1
        with:
          version: 20.1.0                                        # '20.1.0' is the default (and currently only version available)
          client-auth-token: ${{ secrets.CLIENT_AUTH_TOKEN }}    # Required by some ScanCentral Controllers

      ### Run Fortify ScanCentral Client ###
      # (Update based on your build tool, technology and Fortify ScanCentral details) this is a Maven app.
      - run: scancentral -url ${URL} start -bt mvn -upload -application "$GITHUB_REPOSITORY_OWNER_SLUG" -version "$GITHUB_REPOSITORY_NAME_SLUG" -uptoken $TOKEN
        env:
          URL: ${{ secrets.SSC_URL }}
          TOKEN: ${{ secrets.SSC_UPLOAD_TOKEN }}

      ### Archive ScanCentral Client logs on failure ###
      - uses: actions/upload-artifact@v2
        if: failure()
        with:
          name: scancentral-logs
          path: ~/.fortify/scancentral/log

Good to hear that everything is working as expected now, thanks for your feedback!