Fortify SSC export failed with "exit code 3221225781" #31
@kalyanreddy1992, thanks for reporting this. A quick Google search shows that this exit code may be caused by missing DLL files. Can you share what type of runner you're using (self-hosted or GitHub-hosted runner, what Windows version, ...)? We build the Windows executable from Java code using GraalVM, so I'd need to figure out what DLL files are required exactly by the executable; maybe some extra steps are required in the GitHub Action to install any necessary dependencies.
@kalyanreddy1992 I'm noticing in your error message that
The answers to my questions will help me to decide how to best address your issue.
@wtfacoconut @rsenden, thanks for your quick response. I am using a self-hosted runner, and below are my Windows VM specifications.
Edition: Windows Server 2022 Datacenter Azure Edition
Earlier I faced an issue with some limitation of PowerShell 5 w.r.t. handling zip files, so I have installed PowerShell 7 and also enabled Windows Subsystem for Linux.
@kalyanreddy1992, the screenshot below shows the direct dependencies for fcli.exe (generated using Dependency Walker). I guess this may not show dynamically loaded DLLs (if any). Looks like these are mostly standard Windows DLLs, apart from VCRUNTIME*.DLL. You may want to check that you have the Visual C++ redistributable installed on your runner: https://learn.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist. If that doesn't help, we'll need to dive deeper into this.
@rsenden, I have installed VC++ and gave it a try, but I am facing a different issue this time:
_C:\Users\sonatype\actions-runner_work_temp/fortify/tools/fcli/aHR0cHM6Ly9naXRodWIuY29tL2ZvcnRpZnkvZmNsaS9yZWxlYXNlcy9kb3dubG9hZC92Mi4zLjAvZmNsaS13aW5kb3dzLnppcA==/bin/fcli.exe tool vuln-exporter install -y -v 2.0.4 -b C:\Users\sonatype\actions-runner_work_temp/fortify/tools --no-global-bin --progress none -o expr={installDir}\n
C:\Users\sonatype\actions-runner_work_temp\fortify\tools\vuln-exporter\2.0.4_
Run case ${SSC_APPVERSION} in
Please do let me know if I am missing something here. I have the following installed on my agent machine:
PS C:\Users\sonatype> wsl --list
Not sure what that file is, but it looks like all the path characters are getting removed in
Using FortifyVulnerabilityExporter.jar, I was able to get the SARIF file generated and uploaded it using the same fortify/github-action/ssc-export@v1 task. Although it failed this time as well, it still uploaded the SARIF file to GHA security, as I made the manually generated file available in the repository directly. But I don't see the vulnerabilities reflected in the dashboard; did I miss something here?
@kalyanreddy1992, to start with the original issue, all of our actions were developed with the standard GitHub-hosted runners in mind, and assume standard bash shell features to be available, even on Windows runners. For Windows Server 2022, this list shows bash 5.2.26 to be available on GitHub-hosted runners. What I think is happening is that you don't have a Windows version of bash installed on your runner. As you do have WSL installed, any This would also explain the missing path separators, as workflows running on Windows would be using Looking at GitHub-hosted runners in more detail, it looks like they actually have 3 different
As for the second question about uploading manually generated SARIF file, I very much doubt that the So, for manually generated SARIF files, I'd suggest using the GitHub-provided action for uploading the SARIF file directly, example can be seen in the GitHub documentation or in our action: github-action/ssc-export/action.yml Line 24 in b802d70
If the SARIF file contains any vulnerabilities and the upload is successful, the vulnerabilities should show up under Security->Code Scanning in the GitHub web interface. Note however the following restriction as listed at https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning:
@rsenden, thanks for your inputs.
Since there is no other way, I have tried to make the SARIF file available in the repo/same folder for the task fortify/github-action/ssc-export@v1 to upload it to GHA security.
@kalyanreddy1992, not sure why you're referring to the The
The deprecated If you manually generated a SARIF file (for example using FortifyVulnerabilityExporter), you'll still need to do step 3, i.e., call the GitHub-provided Of course, although useful for testing, manually generating the SARIF file and putting it into your repository isn't a proper long-term solution. So, ideally you should try to get the Alternatively, you can manually perform the 3 steps above in your workflow, either using the
@kalyanreddy1992 Do you have any further questions/input on this topic? If not, we'll go ahead and close this issue.
Closing as there are no further questions or input.
I am trying to use the fortify/github-action/ssc-export@v1 task to download the latest Fortify scan results and publish them to the GitHub Advanced Security dashboard.
Error: Action failed with error: Error: The process 'C:\Users\sonatype\actions-runner_work_temp/fortify/tools/fcli/aHR0cHM6Ly9naXRodWIuY29tL2ZvcnRpZnkvZmNsaS9yZWxlYXNlcy9kb3dubG9hZC92Mi4yLjAvZmNsaS13aW5kb3dzLnppcA==/bin/fcli.exe' failed with exit code 3221225781
Kindly help me resolve this issue.