tools - scancentral client, vulnerability exporter installation #345

Closed
xakrurychle opened this issue Jul 14, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@xakrurychle

For some reason I am not able to install sca client or vuln-exporter.

case1) without proxy - time out
This one I quite understand as I am behind our company's proxy.

fcli tool vuln-exporter install -d ./vulnExporter 2.0.2
kong.unirest.UnirestException: org.apache.http.conn.ConnectTimeoutException: Connect to github.com:443 [github.com/140.82.121.4] failed: Connect timed out
        at kong.unirest.DefaultInterceptor.onFail(DefaultInterceptor.java:43)
        at kong.unirest.CompoundInterceptor.lambda$onFail$2(CompoundInterceptor.java:54)
        at [email protected]/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at [email protected]/java.util.Collections$2.tryAdvance(Collections.java:4853)
        at [email protected]/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
        at [email protected]/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
        at [email protected]/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
        at [email protected]/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at [email protected]/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
        at [email protected]/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at [email protected]/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
        at kong.unirest.CompoundInterceptor.onFail(CompoundInterceptor.java:56)
        at kong.unirest.apache.ApacheClient.request(ApacheClient.java:138)
        at kong.unirest.Client.request(Client.java:57)
        at kong.unirest.BaseRequest.request(BaseRequest.java:359)
        at kong.unirest.BaseRequest.asFile(BaseRequest.java:326)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.download(AbstractToolInstallCommand.java:111)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.download(AbstractToolInstallCommand.java:104)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.downloadAndInstall(AbstractToolInstallCommand.java:91)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.getJsonNode(AbstractToolInstallCommand.java:72)
        at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.run(AbstractOutputCommand.java:33)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2104)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2539)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2531)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2493)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2351)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2495)
        at picocli.CommandLine.execute(CommandLine.java:2248)
        at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:74)
        at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:56)
Caused by: org.apache.http.conn.ConnectTimeoutException: Connect to github.com:443 [github.com/140.82.121.4] failed: Connect timed out
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:151)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
        at kong.unirest.apache.ApacheClient.request(ApacheClient.java:129)
        ... 17 more
Caused by: java.net.SocketTimeoutException: Connect timed out
        at [email protected]/sun.nio.ch.NioSocketImpl.timedFinishConnect(NioSocketImpl.java:546)
        at [email protected]/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:597)
        at [email protected]/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:327)
        at [email protected]/java.net.Socket.connect(Socket.java:633)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:368)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
        ... 27 more

case2) with proxy - PKI cert error
This case I don't understand. As for a final user there seems to be no need to provide any GitHub keys or anything. Wherever the download file comes from I assume is handled internally. Do I need to set something within FCLI that I missed?

./fcli tool sc-client install 23.1.0 -d ../fcli_scancentral/  -t "clientSCAPass"
kong.unirest.UnirestException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at kong.unirest.DefaultInterceptor.onFail(DefaultInterceptor.java:43)
        at kong.unirest.CompoundInterceptor.lambda$onFail$2(CompoundInterceptor.java:54)
        at [email protected]/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at [email protected]/java.util.Collections$2.tryAdvance(Collections.java:4853)
        at [email protected]/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
        at [email protected]/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
        at [email protected]/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
        at [email protected]/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at [email protected]/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
        at [email protected]/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at [email protected]/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
        at kong.unirest.CompoundInterceptor.onFail(CompoundInterceptor.java:56)
        at kong.unirest.apache.ApacheClient.request(ApacheClient.java:138)
        at kong.unirest.Client.request(Client.java:57)
        at kong.unirest.BaseRequest.request(BaseRequest.java:359)
        at kong.unirest.BaseRequest.asFile(BaseRequest.java:326)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.download(AbstractToolInstallCommand.java:111)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.download(AbstractToolInstallCommand.java:104)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.downloadAndInstall(AbstractToolInstallCommand.java:91)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.getJsonNode(AbstractToolInstallCommand.java:72)
        at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.run(AbstractOutputCommand.java:33)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2104)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2539)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2531)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2493)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2351)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2495)
        at picocli.CommandLine.execute(CommandLine.java:2248)
        at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:74)
        at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:56)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at [email protected]/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at [email protected]/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
        at [email protected]/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
        at [email protected]/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
        at [email protected]/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
        at [email protected]/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
        at [email protected]/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
        at [email protected]/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at [email protected]/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at [email protected]/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
        at [email protected]/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
        at [email protected]/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
        at [email protected]/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
        at [email protected]/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
        at [email protected]/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
        at [email protected]/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.upgrade(DefaultHttpClientConnectionOperator.java:191)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.upgrade(PoolingHttpClientConnectionManager.java:392)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:428)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
        at kong.unirest.apache.ApacheClient.request(ApacheClient.java:129)
        ... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at [email protected]/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at [email protected]/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at [email protected]/sun.security.validator.Validator.validate(Validator.java:264)
        at [email protected]/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at [email protected]/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at [email protected]/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
        ... 40 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at [email protected]/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
        at [email protected]/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127)
        at [email protected]/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at [email protected]/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 45 more
@rsenden
Contributor

rsenden commented Jul 14, 2023

@xakrurychle I guess the proxy server is using a certificate that is signed by an internal CA? In that case, you'd need to point fcli to a trust store containing the appropriate certificates, using the fcli config truststore set command. Can you please confirm?

@xakrurychle
Author

Hi @rsenden, so I've done the following:

  1. set cacerts as truststore. Previously I had set truststore for tomcat but that was probably wrong, so I used cacerts we use for client side
  2. set proxy
  3. ran command ./fcli tool sc-client install 23.1.0 -d ../fcli_scancentral/ -t <pass> --log-level TRACE

which returns with error

java.lang.RuntimeException: Entry with an illegal path: bin/
        at com.fortify.cli.tool.common.util.FileUtils.extractZip(FileUtils.java:77)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.install(AbstractToolInstallCommand.java:122)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.downloadAndInstall(AbstractToolInstallCommand.java:93)
        at com.fortify.cli.tool.common.cli.cmd.AbstractToolInstallCommand.getJsonNode(AbstractToolInstallCommand.java:72)
        at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.run(AbstractOutputCommand.java:33)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2104)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2539)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2531)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2493)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2351)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2495)
        at picocli.CommandLine.execute(CommandLine.java:2248)
        at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:74)
        at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:56)

@rsenden
Contributor

rsenden commented Jul 18, 2023

@xakrurychle Thanks for the feedback. Can you please try without the -d option, and/or pass an absolute path to the -d option? I think the relative path may be causing this issue.

@xakrurychle
Author

> @xakrurychle Thanks for the feedback. Can you please try without the -d option, and/or pass an absolute path to the -d option? I think the relative path may be causing this issue.

Hi, yes it turned out to be the relative path issue. With /home/destination/ the command finished successfully

./fcli tool sc-client install 23.1.0 -d /home/<destination>/  -t <pass> --log-level TRACE
 Name       Version  Default  Installed  Install dir                                Bin dir                                        Action
 sc-client  23.1.0   Yes      Yes        /home<destination>/  /home/<destination>/bin  INSTALLED

rsenden added the bug label and removed the pending-feedback label on Jul 19, 2023
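
An added illustration, not fcli's code (the thread does not show FileUtils.extractZip): one way an archive-entry path guard can reject a harmless entry such as bin/ when the destination directory is relative, next to a form that normalizes both sides and still rejects traversal. The class name, method names and sample paths are hypothetical, and Unix-style paths are assumed as in the thread.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public class ZipEntryGuard {

    // Constructed "before": the resolved entry is made absolute but the
    // destination is compared as typed, so with a relative destination
    // startsWith() compares an absolute path with a relative one and
    // every entry, including "bin/", is rejected.
    static boolean naiveAllows(Path destDir, String entryName) {
        Path resolved = destDir.resolve(entryName).toAbsolutePath().normalize();
        return resolved.startsWith(destDir);
    }

    // Corrected: make the destination absolute and normalized first, then
    // resolve and normalize the entry against it, so both sides of the
    // comparison are in the same form.
    static boolean safeAllows(Path destDir, String entryName) {
        Path base = destDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(entryName).normalize();
        return resolved.startsWith(base);
    }

    public static void main(String[] args) {
        // Constructed inputs: a relative destination as typed in the thread,
        // a hypothetical absolute one, and one hostile entry name.
        List<Path> dests = List.of(
                Paths.get("../fcli_scancentral/"),
                Paths.get("/home/user/fcli_scancentral/"));
        List<String> entries = List.of("bin/", "bin/scancentral", "../../etc/passwd");

        for (Path dest : dests) {
            for (String entry : entries) {
                System.out.printf("dest=%-30s entry=%-18s naive=%-5b safe=%b%n",
                        dest, entry,
                        naiveAllows(dest, entry),
                        safeAllows(dest, entry));
            }
        }
    }
}
```

The guard exists to stop archive entries from writing outside the install directory, so the fix is to canonicalize the destination, not to relax or remove the check.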