Jenkins Plugin: Scanner failed to run properly. Cannot run --http-proxy

L1 Bithead

Given Jenkins running in a container

And Prisma Cloud Jenkins Plugin

And Dashboard View Plugin

And Static Analysis Utilities

And Jenkins Pipeline project

And this Jenkinsfile

And a corporate http(s) proxy

When I choose to Build the project

Then the plugin fails to generate proper shell command

And Jenkins Console reports the following...

Console Output

Started by user tommy hunt
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] Start of Pipeline
[Pipeline] node
Running on Jenkins in /var/jenkins_home/workspace/prismacloud-pipeline
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Build)
[Pipeline] echo
DO NOTHING
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Scan)
[Pipeline] prismaCloudScanImage
[PRISMACLOUD] Scanning images on master
[PRISMACLOUD] Waiting for scanner to complete
[PRISMACLOUD] --http-proxy 6af84ddd-3010-44b1-9f8b-a5a545337f2b:vbVqmkj9C3lX+asU7qEeIQnf5ws=@webcache.comp.pge.com:8080 /var/jenkins_home/workspace/prismacloud-pipeline/twistcli3673897521178042205 images scan nginx:latest --docker-address unix:///var/run/docker.sock --ci --publish --details --address https://us-east1.cloud.twistlock.com/us-1-111574323 --ci-results-file prisma-cloud-scan-results.json
[prismacloud-pipeline] $ --http-proxy 6af84ddd-3010-44b1-9f8b-a5a545337f2b:vbVqmkj9C3lX+asU7qEeIQnf5ws=@webcache.comp.pge.com:8080 /var/jenkins_home/workspace/prismacloud-pipeline/twistcli3673897521178042205 images scan nginx:latest --docker-address unix:///var/run/docker.sock --ci --publish --details --address https://us-east1.cloud.twistlock.com/us-1-111574323 --ci-results-file prisma-cloud-scan-results.json
[PRISMACLOUD] Scanner failed to run properly. Cannot run program "--http-proxy" (in directory "/var/jenkins_home/workspace/prismacloud-pipeline"): error=2, No such file or directory
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Declarative: Post Actions)
[Pipeline] prismaCloudPublish
[PRISMACLOUD] Publishing analysis results
[PRISMACLOUD] No matching scan result files were found
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
ERROR: Build failed
Finished: FAILURE

 

Notice this plugin attempted to execute "--http-proxy" as a shell command.

"--http-proxy" is a global option that should be included with the twistcli shell command.

How can I fix this?

What am I doing wrong?

L0 Member

I am seeing the same issue in almost identical circumstances. Are there any workarounds for this? 

 

Is it possible to use the twistlock Jenkins plugin with the newer version of the Prisma Cloud Console?

 

 

L2 Linker

Hi,

Thanks for reaching out. What version of Compute/TL are you running? Have you recently upgraded? For Compute 20.04.x you will require the Jenkins v2 plugin. Additionally, ensure your proxy configuration is set properly, both in the console and in Jenkins under Manage > Advanced Settings. There are a few things to consider here, but that is a pretty good start.

Respectfully,
Patrick
L0 Member

I can confirm that on the latest version of the 20.04.177 version of the prisma-cloud-jenkins-plugin.hpi the http_proxy support is still broken, and doesn't support no_proxy or disabling the proxy:

 

[PRISMACLOUD] --http-proxy http://squid.com:3128 /var/lib/jenkins/workspace/kubernetes-builders/ubi8-dotnet-core-aspnet31/twistcli1882254558927248949 images scan docker.registry.local:5000/ubi8-dotnet-core-aspnet31:snapshot-d9a8f5d1ca8d6500d6e8cf5ad7fe637f52eefe07 --docker-address unix:///var/run/docker.sock --min-scan-time 1597113628542 --ci --publish --details --address https://asia-northeast1.cloud.twistlock.com/anz-XXXXXX --ci-results-file prisma-cloud-scan-results.json

 

[ubi8-dotnet-core-aspnet31] $ --http-proxy http://squid.com:3128 /var/lib/jenkins/workspace/kubernetes-builders/ubi8-dotnet-core-aspnet31/twistcli1882254558927248949 images scan docker.registry.local:5000/ubi8-dotnet-core-aspnet31:snapshot-d9a8f5d1ca8d6500d6e8cf5ad7fe637f52eefe07 --docker-address unix:///var/run/docker.sock --min-scan-time 1597113628542 --ci --publish --details --address https://asia-northeast1.cloud.twistlock.com/anz-XXXXXX --ci-results-file prisma-cloud-scan-results.json

 

The plugin invokes the twistcli inside a shell session and interrogating the twistcli highlights that it doesn't actually support the handling of http_proxy, proxy or no_proxy values:

 

./twistcli images scan --help
NAME:
  twistcli images scan - Scan a set of images
USAGE:
  twistcli images scan [command options] The ID or name of the image to scan
OPTIONS:
  --address value  Prisma Cloud Console's address (required) (default: "https://127.0.0.1:8083")
  --containerized  Run the scan from within a container
  --custom-labels  Include the image custom labels in the results
  --details  Show all vulnerability details
  --docker-address value  Docker daemon listening address (default: "unix:///var/run/docker.sock") [$DOCKER_CLIENT_ADDRESS]
  --docker-tlscacert value  Docker client CA certificate path
  --docker-tlscert value  Docker client Client certificate path
  --docker-tlskey value  Docker client Client private key path
  --include-js-dependencies  Include javascript package dependencies
  --output-file value  A path to output file containing the scan result
  --password value, -p value  User password for authenticating with Prisma Cloud Console [$TWISTLOCK_PASSWORD]
  --podman-path value  Forces using Podman. Set as "podman" for default installation path or otherwise provide the appropriate path
  --project value  When Projects are enabled, determines which Project to target with the command
  --publish  Publish the scan result to the console (unless the output-file flag is specified). Publish flag is true by default
  --tlscacert value  Path to Twistlock CA certificate file
  --token value  Token to use for authenticating with Prisma Cloud Console
  --user value, -u value  User for authenticating with Prisma Cloud Console (default: "admin") [$TWISTLOCK_USER]

 

The solution would be to source the system proxy settings and pass these into the script block as environment variables:

 

script {
  def squid = jenkins.model.Jenkins.getInstance().proxy
  env['http_proxy'] = "http://${squid.name}:${squid.port}"
  env['https_proxy'] = env['http_proxy']
  env['no_proxy'] = squid.noProxyHost
}

 

This behaviour has been confirmed by wrapping the twistcli binary invocation with the proxy environment variables ourselves in the following excerpt from one of our pipelines:

stage('Scan Container') {
  steps {
    script {
      def squid = jenkins.model.Jenkins.getInstance().proxy
      env['http_proxy'] = "http://${squid.name}:${squid.port}"
      env['no_proxy'] = "${squid.noProxyHost}"
      sh """
        /usr/local/bin/twistcli images scan --ci \
        --user=$TW_CREDS_USR \
        --password=$TW_CREDS_PSW \
        --address=$TW_CONSOLE \
        ${DOCKER_REGISTRY}/${IMAGE}:${COMMIT_SHA_TAG}
      """
    }
  }
}

 Please could this be looked into, as disabling the proxy is not an option as it breaks the ability to update plugins on the jenkins instance, and without the support of http_proxy & no_proxy or being able to ignore proxy settings the use of an on-prem integration won't be possible either (which means that the plugin is actually broken for all companies that make use of corporate proxies).
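A hardened variant of the workaround in the post above, as an added example that is not part of the thread and is not the plugin's or the poster's own code. It scopes the proxy variables with withEnv, tolerates a missing proxy configuration, and passes the credentials through the TWISTLOCK_USER / TWISTLOCK_PASSWORD variables listed in the twistcli help instead of interpolating them into the command line. Assumptions: the credentials ID 'prisma-cloud-creds' is hypothetical, and TW_CONSOLE, DOCKER_REGISTRY, IMAGE and COMMIT_SHA_TAG are environment variables set elsewhere in the job.

```groovy
// Added example; names marked "hypothetical" are not from the thread.
pipeline {
    agent any
    environment {
        // Hypothetical credentials ID. Binding a username/password credential
        // yields TW_CREDS_USR and TW_CREDS_PSW, the names used in the post.
        TW_CREDS = credentials('prisma-cloud-creds')
    }
    stages {
        stage('Scan Container') {
            steps {
                script {
                    // Reading the controller's proxy settings needs script
                    // approval when the pipeline runs in the Groovy sandbox.
                    def squid = jenkins.model.Jenkins.getInstance().proxy
                    def proxyEnv = []
                    if (squid != null) {   // null when no proxy is configured
                        def url = "http://${squid.name}:${squid.port}"
                        // Jenkins stores no-proxy patterns one per line;
                        // no_proxy consumers expect a comma-separated list.
                        def noProxy = (squid.noProxyHost ?: '')
                            .split(/[\s,|]+/).findAll { it }.join(',')
                        proxyEnv = ["http_proxy=${url}", "https_proxy=${url}",
                                    "no_proxy=${noProxy}"]
                    }
                    // withEnv limits the proxy variables to this step.
                    withEnv(proxyEnv) {
                        // Single quotes: the shell, not Groovy, expands the
                        // secrets, so they never enter the script text or
                        // the twistcli argument list.
                        sh '''
                            TWISTLOCK_USER="$TW_CREDS_USR" \
                            TWISTLOCK_PASSWORD="$TW_CREDS_PSW" \
                            /usr/local/bin/twistcli images scan --ci \
                                --address="$TW_CONSOLE" \
                                "${DOCKER_REGISTRY}/${IMAGE}:${COMMIT_SHA_TAG}"
                        '''
                    }
                }
            }
        }
    }
}
```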
