topic Re: Jenkins Plugin: Scanner failed to run properly. Cannot run --http-proxy in Prisma Cloud Discussions

Jenkins Plugin: Scanner failed to run properly. Cannot run --http-proxy

TommyHunt — Wed, 02 Sep 2020 17:46:22 GMT

Given Jenkins running in a container

And Prisma Cloud Jenkins Plugin

And Dashboard View Plugin

And Static Analysis Utilities

And Jenkins Pipeline project

And this Jenkinsfile

And a corporate http(s) proxy

When I choose to Build the project

Then the plugin fails to generate proper shell command

And Jenkins Console reports the following...

Console Output

Started by user tommy hunt
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] Start of Pipeline[Pipeline] nodeRunning on Jenkins in /var/jenkins_home/workspace/prismacloud-pipeline[Pipeline] {[Pipeline] stage[Pipeline] { (Build)[Pipeline] echoDO NOTHING[Pipeline] }[Pipeline] // stage[Pipeline] stage[Pipeline] { (Scan)[Pipeline] prismaCloudScanImage[PRISMACLOUD] Scanning images on master
[PRISMACLOUD] Waiting for scanner to complete
[PRISMACLOUD] --http-proxy 6af84ddd-3010-44b1-9f8b-a5a545337f2b:vbVqmkj9C3lX+asU7qEeIQnf5ws=@webcache.comp.pge.com:8080 /var/jenkins_home/workspace/prismacloud-pipeline/twistcli3673897521178042205 images scan nginx:latest --docker-address unix:///var/run/docker.sock --ci --publish --details --address https://us-east1.cloud.twistlock.com/us-1-111574323 --ci-results-file prisma-cloud-scan-results.json
[prismacloud-pipeline] $ --http-proxy 6af84ddd-3010-44b1-9f8b-a5a545337f2b:vbVqmkj9C3lX+asU7qEeIQnf5ws=@webcache.comp.pge.com:8080 /var/jenkins_home/workspace/prismacloud-pipeline/twistcli3673897521178042205 images scan nginx:latest --docker-address unix:///var/run/docker.sock --ci --publish --details --address https://us-east1.cloud.twistlock.com/us-1-111574323 --ci-results-file prisma-cloud-scan-results.json
[PRISMACLOUD] Scanner failed to run properly. Cannot run program "--http-proxy" (in directory "/var/jenkins_home/workspace/prismacloud-pipeline"): error=2, No such file or directory[Pipeline] }[Pipeline] // stage[Pipeline] stage[Pipeline] { (Declarative: Post Actions)[Pipeline] prismaCloudPublish[PRISMACLOUD] Publishing analysis results
[PRISMACLOUD] No matching scan result files were found[Pipeline] }[Pipeline] // stage[Pipeline] }[Pipeline] // node[Pipeline] End of PipelineERROR: Build failed
Finished: FAILURE

Notice this plugin attempted to execute "--http-proxy" as a shell command.

"--http-proxy" is a global option that should be included with the twistcli shell command.

How can I fix this?

What am I doing wrong?

Re: Jenkins Plugin: Scanner failed to run properly. Cannot run --http-proxy

XHarris — Thu, 28 May 2020 17:02:26 GMT

I am seeing the same issue in almost identical circumstances. Are there any workarounds for this?

Is it possible to use the twistlock Jenkins plugin with the newer version of the Prisma Cloud Console?

Re: Jenkins Plugin: Scanner failed to run properly. Cannot run --http-proxy

PBowden — Mon, 01 Jun 2020 12:36:13 GMT

Hi,

Thanks for reaching out. What version of Compute/TL are you running? Have you recently upgraded? For Compute 20.04.x you will require the Jenkins v2 plugin. Additionally, ensure your proxy configuration is set properly, both, in the console and in Jenkins under Manage > Advanced Settings. There are a few things to consider here, but that is a pretty good start.

Re: Jenkins Plugin: Scanner failed to run properly. Cannot run --http-proxy

JVelloen — Wed, 12 Aug 2020 22:22:38 GMT

I can confirm that on the latest version of the 20.04.177 version of the prisma-cloud-jenkins-plugin.hpi the http_proxy support is still broken, and doesn't support no_proxy or disabling the proxy:

[PRISMACLOUD] --http-proxy http://squid.com:3128 /var/lib/jenkins/workspace/kubernetes-builders/ubi8-dotnet-core-aspnet31/twistcli1882254558927248949 images scan docker.registry.local:5000/ubi8-dotnet-core-aspnet31:snapshot-d9a8f5d1ca8d6500d6e8cf5ad7fe637f52eefe07 --docker-address unix:///var/run/docker.sock --min-scan-time 1597113628542 --ci --publish --details --address https://asia-northeast1.cloud.twistlock.com/anz-XXXXXX --ci-results-file prisma-cloud-scan-results.json

[ubi8-dotnet-core-aspnet31] $ --http-proxy http://squid.com:3128 /var/lib/jenkins/workspace/kubernetes-builders/ubi8-dotnet-core-aspnet31/twistcli1882254558927248949 images scan docker.registry.local:5000/ubi8-dotnet-core-aspnet31:snapshot-d9a8f5d1ca8d6500d6e8cf5ad7fe637f52eefe07 --docker-address unix:///var/run/docker.sock --min-scan-time 1597113628542 --ci --publish --details --address https://asia-northeast1.cloud.twistlock.com/anz-XXXXXX --ci-results-file prisma-cloud-scan-results.json

The plugin invokes the twistcli inside a shell session and interrogating the twistcli highlights that it doesn't actually support the handling of http_proxy, proxy or no_proxy values:

./twistcli images scan --help
NAME:
twistcli images scan - Scan a set of images
USAGE:
twistcli images scan [command options] The ID or name of the image to scan
OPTIONS:
--address value Prisma Cloud Console's address (required) (default: "https://127.0.0.1:8083")
--containerized Run the scan from within a container
--custom-labels Include the image custom labels in the results
--details Show all vulnerability details
--docker-address value Docker daemon listening address (default: "unix:///var/run/docker.sock") [$DOCKER_CLIENT_ADDRESS]
--docker-tlscacert value Docker client CA certificate path
--docker-tlscert value Docker client Client certificate path
--docker-tlskey value Docker client Client private key path
--include-js-dependencies Include javascript package dependencies
--output-file value A path to output file containing the scan result
--password value, -p value User password for authenticating with Prisma Cloud Console [$TWISTLOCK_PASSWORD]
--podman-path value Forces using Podman. Set as "podman" for default installation path or otherwise provide the appropriate path
--project value When Projects are enabled, determines which Project to target with the command
--publish Publish the scan result to the console (unless the output-file flag is specified). Publish flag is true by default
--tlscacert value Path to Twistlock CA certificate file
--token value Token to use for authenticating with Prisma Cloud Console
--user value, -u value User for authenticating with Prisma Cloud Console (default: "admin") [$TWISTLOCK_USER]

The solution would be to source the system proxy settings and pass these into the script block as environment variables:

script {

def squid = jenkins.model.Jenkins.getInstance().proxy

env['http_proxy'] = "http://${squid.name}:${squid.port}"

env['https_proxy'] = env['http_proxy']

env['no_proxy'] = squid.noProxyHost

}

This behaviour has been confirmed by wrapping the twictcli binary invocation with the proxy environment variables ourselves in the following excerpt from one of our pipelines:

stage('Scan Container') {
  steps {
    script {
      def squid = jenkins.model.Jenkins.getInstance().proxy
      env['http_proxy'] = "http://${squid.name}:${squid.port}"
      env['no_proxy'] = "${squid.noProxyHost}"
      sh """
        /usr/local/bin/twistcli images scan --ci \
        --user=$TW_CREDS_USR \
        --password=$TW_CREDS_PSW \
        --address=$TW_CONSOLE \
        ${DOCKER_REGISTRY}/${IMAGE}:${COMMIT_SHA_TAG}
      """
    }
  }
}

Please could this be looked into, as disabling the proxy is not an option as it breaks the ability to update plugins on the jenkins instance, and without the support of http_proxy & no_proxy or being able to ignore proxy settings the use of an on-prem integration won't be possible either (which means that the plugin is actually broken for all companies that make use of corporate proxies).