jenkinsci/fortify-on-demand-uploader-plugin

FoD plugin does not honor environment variables


Jenkins and plugins versions report

Environment
Jenkins: 2.378
OS: Linux - 5.4.0-1090-azure
---
ace-editor:1.1
ant:481.v7b_09e538fcca
antisamy-markup-formatter:155.v795fb_8702324
apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61
authentication-tokens:1.4
bootstrap4-api:4.6.0-5
bootstrap5-api:5.2.1-3
bouncycastle-api:2.26
branch-api:2.1051.v9985666b_f6cc
build-timeout:1.24
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.8.0
cloudbees-folder:6.795.v3e23d3c6f194
command-launcher:90.v669d7ccb_7c31
commons-lang3-api:3.12.0-36.vd97de6465d5b_
commons-text-api:1.10.0-27.vb_fa_3896786a_7
configuration-as-code:1569.vb_72405b_80249
contrast-continuous-application-security:3.10
credentials:1214.v1de940103927
credentials-binding:523.vd859a_4b_122e6
cvs:2.19.1
dark-theme:262.v0202a_4c8fb_6a
display-url-api:2.3.6
docker-commons:1.21
docker-workflow:528.v7c193a_0b_e67c
durable-task:501.ve5d4fc08b0be
echarts-api:5.4.0-1
email-ext:2.92
external-monitor-job:203.v683c09d993b_9
font-awesome-api:6.2.0-3
fortify:22.1.38
fortify-on-demand-uploader:7.1.1
git:4.13.0
git-client:3.13.0
git-server:99.va_0826a_b_cdfa_d
github:1.36.0
github-api:1.303-400.v35c2d8258028
github-branch-source:1696.v3a_7603564d04
gradle:2.1.1
handlebars:3.0.8
http_request:1.16
instance-identity:116.vf8f487400980
ionicons-api:31.v4757b_6987003
jackson2-api:2.13.4.20221013-295.v8e29ea_354141
jakarta-activation-api:2.0.1-2
jakarta-mail-api:2.0.1-2
javadoc:226.v71211feb_e7e9
javax-activation-api:1.2.0-5
javax-mail-api:1.6.2-8
jaxb:2.3.7-1
jdk-tool:63.v62d2fd4b_4793
jjwt-api:0.11.5-77.v646c772fddb_0
jnr-posix-api:3.1.15-2
jquery-detached:1.2.1
jquery3-api:3.6.1-2
jsch:0.1.55.61.va_e9ee26616e7
junit:1160.vf1f01a_a_ea_b_7f
ldap:2.12
lockable-resources:2.18
mailer:438.v02c7f0a_12fa_4
mapdb-api:1.0.9-28.vf251ce40855d
matrix-auth:3.1.5
matrix-project:785.v06b_7f47b_c631
maven-invoker-plugin:2.4
mina-sshd-api-common:2.9.1-44.v476733c11f82
mina-sshd-api-core:2.9.1-44.v476733c11f82
momentjs:1.1.1
okhttp-api:4.9.3-108.v0feda04578cf
pam-auth:1.10
pipeline-build-step:2.18
pipeline-github-lib:38.v445716ea_edda_
pipeline-graph-analysis:195.v5812d95a_a_2f9
pipeline-groovy-lib:613.v9c41a_160233f
pipeline-input-step:456.vd8a_957db_5b_e9
pipeline-milestone-step:101.vd572fef9d926
pipeline-model-api:2.2118.v31fd5b_9944b_5
pipeline-model-definition:2.2118.v31fd5b_9944b_5
pipeline-model-extensions:2.2118.v31fd5b_9944b_5
pipeline-rest-api:2.27
pipeline-stage-step:296.v5f6908f017a_5
pipeline-stage-tags-metadata:2.2118.v31fd5b_9944b_5
pipeline-stage-view:2.27
plain-credentials:139.ved2b_9cf7587b
plugin-util-api:2.18.0
popper-api:1.16.1-3
popper2-api:2.11.6-2
resource-disposer:0.20
scm-api:621.vda_a_b_055e58f7
script-security:1190.v65867a_a_47126
snakeyaml-api:1.33-90.v80dcb_3814d35
ssh-credentials:305.v8f4381501156
ssh-slaves:2.854.v7fd446b_337c9
sshd:3.249.v2dc2ea_416e33
structs:324.va_f5d6774f3a_d
subversion:2.16.0
theme-manager:1.5
timestamper:1.21
token-macro:308.v4f2b_ed62b_b_16
trilead-api:2.72.v2a_3236754f73
variant:59.vf075fe829ccb
windows-slaves:1.8.1
workflow-aggregator:590.v6a_d052e5a_a_b_5
workflow-api:1200.v8005c684b_a_c6
workflow-basic-steps:994.vd57e3ca_46d24
workflow-cps:3536.vb_8a_6628079d5
workflow-durable-task-step:1210.va_1e5d77e122b
workflow-job:1254.v3f64639b_11dd
workflow-multibranch:716.vc692a_e52371b_
workflow-scm-step:400.v6b_89a_1317c9a_
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:839.v35e2736cfd5c
ws-cleanup:0.43

What Operating System are you using (both controller, and any agents involved in the problem)?

  • Ubuntu 18.04
  • Tomcat 9
  • Java 17.0.5
  • Jenkins 2.378

Reproduction steps

It seems the fodStaticAssessment step does not honor the JAVA_HOME environment variable, even though it's defined in Jenkins and on the machine for all users.

This issue occurs with both a freestyle project and a pipeline project. In the case of a pipeline project, here is my pipeline script:

Pipeline Script
pipeline {
    agent any

    tools {
        maven "Maven (Latest)"
        jdk "JDK 17"
    }

    stages {
        stage('Get code') {
            steps {
                // Get code from GitHub repo
                git branch: 'v8.2.2',
                changelog: false,
                poll: false,
                url: 'https://github.com/micro-focus/FoD-WebGoat.git'

                // Test Java version
                sh "echo Testing java"
                sh "java -version"

            }
        }
        
        stage('Run Static Assessment') {
            tools {
                jdk "JDK 17"
            }
            steps {
                sh "echo JAVA_HOME=$JAVA_HOME"
                sh "echo PATH=$PATH"
                fodStaticAssessment applicationName: '',
                applicationType: '',
                assessmentType: '',
                attributes: '',
                auditPreference: '',
                bsiToken: '',
                businessCriticality: '',
                entitlementId: '',
                entitlementPreference: '',
                frequencyId: '',
                inProgressBuildResultType: 'FailBuild',
                inProgressScanActionType: 'Queue',
                isMicroservice: false,
                languageLevel: '',
                microserviceName: '',
                openSourceScan: '',
                overrideGlobalConfig: false,
                personalAccessToken: '',
                releaseId: '<redacted>',
                releaseName: '',
                remediationScanPreferenceType: 'RemediationScanIfAvailable',
                scanCentral: 'Maven',
                scanCentralBuildCommand: '',
                scanCentralBuildFile: '',
                scanCentralBuildToolVersion: '',
                scanCentralIncludeTests: '',
                scanCentralRequirementFile: '',
                scanCentralSkipBuild: '',
                scanCentralVirtualEnv: '',
                sdlcStatus: '',
                srcLocation: '.',
                technologyStack: '',
                tenantId: '',
                username: ''
            }
        }
        
        stage('Poll Results') {
            tools {
                jdk "JDK 17"
            }
            steps {
                fodPollResults bsiToken: '',
                personalAccessToken: '<redacted>',
                pollingInterval: 1,
                releaseId: '<redacted>',
                tenantId: '<redacted>',
                username: ''
            }
        }

    }
}

Expected Results

JAVA_HOME would be resolvable by scancentral and the fodStaticAssessment step would succeed.

Actual Results

Here is a relevant snippet of the console output:

Console Output
[Pipeline] sh
+ echo Testing java
Testing java
[Pipeline] sh
+ java -version
NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
java version "17.0.5" 2022-10-18 LTS
Java(TM) SE Runtime Environment (build 17.0.5+9-LTS-191)
Java HotSpot(TM) 64-Bit Server VM (build 17.0.5+9-LTS-191, mixed mode, sharing)
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Run Static Assessment)
[Pipeline] tool
[Pipeline] envVarsForTool
[Pipeline] tool
[Pipeline] envVarsForTool
[Pipeline] withEnv
[Pipeline] {
[Pipeline] sh
+ echo JAVA_HOME=/usr/lib/jvm/jdk-17
JAVA_HOME=/usr/lib/jvm/jdk-17
[Pipeline] sh
+ echo PATH=/usr/lib/jvm/jdk-17/bin:/opt/apache/maven/latest/bin:/usr/lib/jvm/jdk-17/bin:/opt/apache/maven/latest/bin:/opt/fortify/sca/latest/bin:/opt/apache/maven/latest/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
PATH=/usr/lib/jvm/jdk-17/bin:/opt/apache/maven/latest/bin:/usr/lib/jvm/jdk-17/bin:/opt/apache/maven/latest/bin:/opt/fortify/sca/latest/bin:/opt/apache/maven/latest/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
[Pipeline] fodStaticAssessment
Running fodStaticAssessment step
Fortify on Demand Upload Running...
Starting FoD Upload.
Correlation Id = f8f9628d-98a0-448a-84fb-cdb3e53ad13a
Scan Central Path : /opt/fortify/sca/latest/bin/scancentral
Checking ScanCentralVersion
JAVA_HOME: null
Failed executing scan central : 
Packaged File Output Path : null
Scan Central package output not found.

Notice that scancentral reports JAVA_HOME: null, even though right before the fodStaticAssessment step, the command echo JAVA_HOME=$JAVA_HOME printed the correct value:

[Pipeline] sh
+ echo JAVA_HOME=/usr/lib/jvm/jdk-17
JAVA_HOME=/usr/lib/jvm/jdk-17

Anything else?

A similar issue existed with the regular Fortify plugin, but the developer (Anna K) was able to figure out the solution. ("It turned out that we didn't take env overrides into account for our pipelines.")
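The "env overrides" remark points at the likely mechanism: a step that reads JAVA_HOME from the agent JVM's own System.getenv() never sees the values that tools { jdk ... } or withEnv inject into the build, while sh steps do. The following is an added illustration, not the plugin's code, of a hypothetical step execution that takes the build-scoped EnvVars from the StepContext and hands the same environment to the launched process; the class name, the scanCentralPath constructor argument and the --version flag are assumptions.

```java
// Hypothetical step execution (added illustration, not the plugin's code): resolve
// JAVA_HOME from the build-scoped EnvVars, which carry tools/withEnv overrides.
import hudson.AbortException;
import hudson.EnvVars;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.TaskListener;
import org.jenkinsci.plugins.workflow.steps.StepContext;
import org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution;

public class ScanCentralVersionExecution extends SynchronousNonBlockingStepExecution<Integer> {
    private static final long serialVersionUID = 1L;
    private final String scanCentralPath; // e.g. /opt/fortify/sca/latest/bin/scancentral

    protected ScanCentralVersionExecution(StepContext context, String scanCentralPath) {
        super(context);
        this.scanCentralPath = scanCentralPath;
    }

    /** JAVA_HOME as the build sees it, or null if nothing in the build set it. */
    static String resolveJavaHome(EnvVars buildEnv) {
        // System.getenv("JAVA_HOME") is the agent JVM's own environment and does not
        // see withEnv/tools overrides; reading it is what yields "JAVA_HOME: null".
        String javaHome = buildEnv.get("JAVA_HOME");
        return (javaHome == null || javaHome.isEmpty()) ? null : javaHome;
    }

    @Override
    protected Integer run() throws Exception {
        StepContext ctx = getContext();
        TaskListener listener = ctx.get(TaskListener.class);
        EnvVars buildEnv = ctx.get(EnvVars.class); // includes withEnv/tools overrides

        String javaHome = resolveJavaHome(buildEnv);
        if (javaHome == null) {
            throw new AbortException("JAVA_HOME is not set in the build environment; "
                    + "set it with tools { jdk ... } or withEnv");
        }
        listener.getLogger().println("JAVA_HOME: " + javaHome);

        // Pass the same build environment to the child process so scancentral's own
        // JAVA_HOME lookup matches what the preceding sh steps printed.
        return ctx.get(Launcher.class).launch()
                .cmds(scanCentralPath, "--version") // flag is an assumption
                .envs(buildEnv)
                .pwd(ctx.get(FilePath.class))
                .stdout(listener)
                .join();
    }
}
```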