05-19-2020 12:07 PM - last edited on 09-02-2020 10:46 AM by CHopson
Given Jenkins running in a container
And Prisma Cloud Jenkins Plugin
And Dashboard View Plugin
And Static Analysis Utilities
And this Jenkinsfile
And a corporate http(s) proxy
When I choose to Build the project
Then the plugin fails to generate proper shell command
And Jenkins Console reports the following...
Console Output
Started by user tommy hunt Running in Durability level: MAX_SURVIVABILITY [Pipeline] Start of Pipeline[Pipeline] nodeRunning on Jenkins in /var/jenkins_home/workspace/prismacloud-pipeline[Pipeline] {[Pipeline] stage[Pipeline] { (Build)[Pipeline] echoDO NOTHING[Pipeline] }[Pipeline] // stage[Pipeline] stage[Pipeline] { (Scan)[Pipeline] prismaCloudScanImage[PRISMACLOUD] Scanning images on master [PRISMACLOUD] Waiting for scanner to complete [PRISMACLOUD] --http-proxy 6af84ddd-3010-44b1-9f8b-a5a545337f2b:vbVqmkj9C3lX+asU7qEeIQnf5ws=@webcache.comp.pge.com:8080 /var/jenkins_home/workspace/prismacloud-pipeline/twistcli3673897521178042205 images scan nginx:latest --docker-address unix:///var/run/docker.sock --ci --publish --details --address https://us-east1.cloud.twistlock.com/us-1-111574323 --ci-results-file prisma-cloud-scan-results.json [prismacloud-pipeline] $ --http-proxy 6af84ddd-3010-44b1-9f8b-a5a545337f2b:vbVqmkj9C3lX+asU7qEeIQnf5ws=@webcache.comp.pge.com:8080 /var/jenkins_home/workspace/prismacloud-pipeline/twistcli3673897521178042205 images scan nginx:latest --docker-address unix:///var/run/docker.sock --ci --publish --details --address https://us-east1.cloud.twistlock.com/us-1-111574323 --ci-results-file prisma-cloud-scan-results.json [PRISMACLOUD] Scanner failed to run properly. Cannot run program "--http-proxy" (in directory "/var/jenkins_home/workspace/prismacloud-pipeline"): error=2, No such file or directory[Pipeline] }[Pipeline] // stage[Pipeline] stage[Pipeline] { (Declarative: Post Actions)[Pipeline] prismaCloudPublish[PRISMACLOUD] Publishing analysis results [PRISMACLOUD] No matching scan result files were found[Pipeline] }[Pipeline] // stage[Pipeline] }[Pipeline] // node[Pipeline] End of PipelineERROR: Build failed Finished: FAILURE
Notice this plugin attempted to execute "--http-proxy" as a shell command.
"--http-proxy" is a global option that should be included with the twistcli shell command.
How can I fix this?
What am I doing wrong?
06-01-2020 05:30 AM - edited 06-01-2020 05:36 AM
Hi,
Thanks for reaching out. What version of Compute/TL are you running? Have you recently upgraded? For Compute 20.04.x you will require the Jenkins v2 plugin. Additionally, ensure your proxy configuration is set properly, both, in the console and in Jenkins under Manage > Advanced Settings. There are a few things to consider here, but that is a pretty good start.
08-12-2020 03:22 PM
I can confirm that on the latest version of the 20.04.177 version of the prisma-cloud-jenkins-plugin.hpi the http_proxy support is still broken, and doesn't support no_proxy or disabling the proxy:
[PRISMACLOUD] --http-proxy http://squid.com:3128 /var/lib/jenkins/workspace/kubernetes-builders/ubi8-dotnet-core-aspnet31/twistcli1882254558927248949 images scan docker.registry.local:5000/ubi8-dotnet-core-aspnet31:snapshot-d9a8f5d1ca8d6500d6e8cf5ad7fe637f52eefe07 --docker-address unix:///var/run/docker.sock --min-scan-time 1597113628542 --ci --publish --details --address https://asia-northeast1.cloud.twistlock.com/anz-XXXXXX --ci-results-file prisma-cloud-scan-results.json
[ubi8-dotnet-core-aspnet31] $ --http-proxy http://squid.com:3128 /var/lib/jenkins/workspace/kubernetes-builders/ubi8-dotnet-core-aspnet31/twistcli1882254558927248949 images scan docker.registry.local:5000/ubi8-dotnet-core-aspnet31:snapshot-d9a8f5d1ca8d6500d6e8cf5ad7fe637f52eefe07 --docker-address unix:///var/run/docker.sock --min-scan-time 1597113628542 --ci --publish --details --address https://asia-northeast1.cloud.twistlock.com/anz-XXXXXX --ci-results-file prisma-cloud-scan-results.json
The plugin invokes the twistcli inside a shell session and interrogating the twistcli highlights that it doesn't actually support the handling of http_proxy, proxy or no_proxy values:
./twistcli images scan --help
NAME:
twistcli images scan - Scan a set of images
USAGE:
twistcli images scan [command options] The ID or name of the image to scan
OPTIONS:
--address value Prisma Cloud Console's address (required) (default: "https://127.0.0.1:8083")
--containerized Run the scan from within a container
--custom-labels Include the image custom labels in the results
--details Show all vulnerability details
--docker-address value Docker daemon listening address (default: "unix:///var/run/docker.sock") [$DOCKER_CLIENT_ADDRESS]
--docker-tlscacert value Docker client CA certificate path
--docker-tlscert value Docker client Client certificate path
--docker-tlskey value Docker client Client private key path
--include-js-dependencies Include javascript package dependencies
--output-file value A path to output file containing the scan result
--password value, -p value User password for authenticating with Prisma Cloud Console [$TWISTLOCK_PASSWORD]
--podman-path value Forces using Podman. Set as "podman" for default installation path or otherwise provide the appropriate path
--project value When Projects are enabled, determines which Project to target with the command
--publish Publish the scan result to the console (unless the output-file flag is specified). Publish flag is true by default
--tlscacert value Path to Twistlock CA certificate file
--token value Token to use for authenticating with Prisma Cloud Console
--user value, -u value User for authenticating with Prisma Cloud Console (default: "admin") [$TWISTLOCK_USER]
The solution would be to source the system proxy settings and pass these into the script block as environment variables:
script {
def squid = jenkins.model.Jenkins.getInstance().proxy
env['http_proxy'] = "http://${squid.name}:${squid.port}"
env['https_proxy'] = env['http_proxy']
env['no_proxy'] = squid.noProxyHost
}
This behaviour has been confirmed by wrapping the twictcli binary invocation with the proxy environment variables ourselves in the following excerpt from one of our pipelines:
stage('Scan Container') {
steps {
script {
def squid = jenkins.model.Jenkins.getInstance().proxy
env['http_proxy'] = "http://${squid.name}:${squid.port}"
env['no_proxy'] = "${squid.noProxyHost}"
sh """
/usr/local/bin/twistcli images scan --ci \
--user=$TW_CREDS_USR \
--password=$TW_CREDS_PSW \
--address=$TW_CONSOLE \
${DOCKER_REGISTRY}/${IMAGE}:${COMMIT_SHA_TAG}
"""
}
}
}Please could this be looked into, as disabling the proxy is not an option as it breaks the ability to update plugins on the jenkins instance, and without the support of http_proxy & no_proxy or being able to ignore proxy settings the use of an on-prem integration won't be possible either (which means that the plugin is actually broken for all companies that make use of corporate proxies).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
