Hi all,
we installed ScanDAST 24.2 and performed a scan successfully using the SSC Web GUI.
We then tried to make some calls to the DAST API, but we get the following errors:
• From swagger UI (X.X.X.X:8081/.../index.html) :
Error: response status is 401
Response headers
content-length: 0
date: Wed, 26 Jun 2024 07:22:08 GMT
server: Kestrel
• From fcli (fcli ssc app list):
com.fortify.cli.common.rest.unirest.UnexpectedHttpResponseException:
Request: GET X.X.X.X/.../projects:
Response: 401
Response Body:
{"message":"Authentication failed.","responseCode":401,"errorCode":-10301}
at com.fortify.cli.common.rest.unirest.config.UnirestUnexpectedHttpResponseConfigurer$UnexpectedHttpResponseInterceptor.onResponse(UnirestUnexpectedHttpResponseConfigurer.java:36)
at kong.unirest.CompoundInterceptor.lambda$onResponse$1(CompoundInterceptor.java:48)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
at kong.unirest.CompoundInterceptor.onResponse(CompoundInterceptor.java:48)
at kong.unirest.apache.ApacheClient.request(ApacheClient.java:134)
at kong.unirest.Client.request(Client.java:57)
at kong.unirest.BaseRequest.request(BaseRequest.java:365)
at kong.unirest.BaseRequest.asObject(BaseRequest.java:266)
at com.fortify.cli.common.output.writer.output.standard.StandardOutputWriter.writeRecords(StandardOutputWriter.java:174)
at com.fortify.cli.common.output.writer.output.standard.StandardOutputWriter.write(StandardOutputWriter.java:122)
at com.fortify.cli.common.output.cli.mixin.AbstractOutputHelperMixin.write(AbstractOutputHelperMixin.java:73)
at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.run(AbstractOutputCommand.java:31)
at picocli.CommandLine.executeUserObject(CommandLine.java:2103)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2538)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2530)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2492)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2350)
at picocli.CommandLine$RunLast.execute(CommandLine.java:2494)
at picocli.CommandLine.execute(CommandLine.java:2247)
at com.fortify.cli.app.runner.DefaultFortifyCLIRunner.run(DefaultFortifyCLIRunner.java:49)
at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:38)
at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:32)
• Containers logs don't show any errors.
• curl call taken from swagger UI
curl -X 'GET' \
'X.X.X.X:8081/.../applications' \
-H 'accept: text/plain' \
-H 'Authorization: TOKEN-VALUE'
gives the following
* Trying X.X.X.X:8081...
* Connected to X.X.X.X (X.X.X.X) port 8081
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / secp384r1 / rsaEncryption
* ALPN: server accepted h2
* Server certificate:
* subject: REDACTED
* start date: Jun 14 10:12:28 2024 GMT
* expire date: Jun 14 10:12:28 2026 GMT
* issuer: REDACTED
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for X.X.X.X:8081/.../applications
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: X.X.X.X:8081]
* [HTTP/2] [1] [:path: /api/v2/applications]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: text/plain]
* [HTTP/2] [1] [authorization: TOKEN-VALUE]
> GET /api/v2/applications HTTP/2
> Host: X.X.X.X:8081
> User-Agent: curl/8.7.1
> accept: text/plain
> Authorization: TOKEN-VALUE
>
* Request completely sent off
< HTTP/2 401
< date: Wed, 26 Jun 2024 08:25:44 GMT
< server: Kestrel
< content-length: 0
<
* Connection #0 to host X.X.X.X left intact
• SSC logs show that URLs called are
- /ssc/api/v1/projects?fields=id,name,-_href&limit=-1
- /ssc/api/v1/projectVersions?fields=id,name,active,project&limit=1000&includeInactive=true
If we log in to the SSC Web GUI and paste the above URLs into the browser's address bar, we get the following successful outcome:
- /ssc/api/v1/projects?fields=id,name,-_href&limit=-1 ==>> works fine and returns the expected data:
{"data":[{"id":1,"name":"Expected Application Name"}],"count":1,"responseCode":200,"links":{"last":{"href":"X.X.X.X/.../projects"},"first":{"href":"https://X.X.X.X/ssc/api/v1/projects?fields=id,name,-_href&limit=-1&start=0"}}}
- /ssc/api/v1/projectVersions?fields=id,name,active,project&limit=1000&includeInactive=true ==>> gives the following:
{"data":[{"id":10000,"project":{"id":1,"name":"Expected Application Name","description":null,"creationDate":"2024-06-24T13:47:27.134+00:00","createdBy":"sicappadmin","issueTemplateId":"Prioritized-HighRisk-Project-Template"},"name":"1.0","active":true,"_href":"https://X.X.X.X/ssc/api/v1/projectVersions/10000"}],"count":1,"responseCode":200,"links":{"last":{"href":"X.X.X.X/.../projectVersions"},"first":{"href":"https://X.X.X.X/ssc/api/v1/projectVersions?fields=id,name,active,project&limit=1000&includeInactive=true&start=0"}}}
So I guess that when the DAST API calls the SSC API there's some problem I can't spot.
We're using a CIToken-type token of a user with Administrator role.
Any thoughts on this, or on how to debug it in a better way?
Thank you very much for your time.
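One thing worth checking against the curl trace above: the Swagger-generated command sends the token with no scheme at all ("Authorization: TOKEN-VALUE"), while SSC's REST API documents the form "Authorization: FortifyToken <token>". The script below is an added diagnostic, not part of the original post and not Fortify's own tooling: it sends the same GET with several Authorization header forms and reports which one, if any, the endpoint accepts. Whether the ScanCentral DAST API accepts the same FortifyToken form as SSC is an assumption here; check the documentation for your version. The URL and token are supplied on the command line; nothing about the poster's environment is hard-coded.

```python
"""Probe which Authorization header form an SSC / ScanCentral DAST endpoint accepts.

Added example, not from the original post or from Fortify. Assumption: SSC's
REST API expects "Authorization: FortifyToken <token>"; whether ScanCentral
DAST's API accepts the same form must be verified against the product docs.
"""
import ssl
import sys
import urllib.error
import urllib.request

# Scheme prefixes to try. "" reproduces the Swagger-generated curl above,
# which sent the raw token with no scheme; the other two are for comparison.
SCHEMES = ("", "FortifyToken", "Bearer")


def candidate_headers(token):
    """Map a label to the Authorization header value for each scheme."""
    return {
        (scheme or "bare"): (f"{scheme} {token}" if scheme else token)
        for scheme in SCHEMES
    }


def http_get(url, headers, insecure=False, timeout=10):
    """GET url; return (status, body). HTTP error responses are returned, not raised."""
    # Only disable verification on a lab box whose CA is not yet in the trust
    # store (the curl trace shows "unable to get local issuer certificate").
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(url, token, transport=http_get, insecure=False):
    """Try every header form; return {label: (status, body_snippet)}.

    `transport` is injectable so the logic can be exercised without a network.
    """
    results = {}
    for label, value in candidate_headers(token).items():
        headers = {"Accept": "application/json", "Authorization": value}
        status, body = transport(url, headers, insecure)
        results[label] = (status, body[:200])
    return results


def diagnose(results):
    """Turn probe results into a one-line conclusion."""
    accepted = [k for k, (s, _) in results.items() if 200 <= s < 300]
    if accepted:
        return "accepted with scheme(s): " + ", ".join(accepted)
    statuses = {s for s, _ in results.values()}
    if statuses == {401}:
        return ("401 for every header form: the token is rejected regardless of "
                "scheme; check token type, validity and which service issued it")
    if 403 in statuses:
        return "403: authenticated but not authorized; check the user's roles"
    return "no form accepted; statuses: " + ", ".join(
        f"{k}={s}" for k, (s, _) in results.items())


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: probe.py <url> <token> [--insecure]")
    res = probe(sys.argv[1], sys.argv[2], insecure="--insecure" in sys.argv)
    for label, (status, _) in res.items():
        print(f"{label:>12}: HTTP {status}")
    print(diagnose(res))
```

Run it once against the DAST endpoint from the Swagger UI (e.g. the /api/v2/applications path above) and once against the SSC endpoint that fcli hit (/ssc/api/v1/projects). If SSC accepts the FortifyToken form but DAST returns 401 for every form, the token reaches DAST but is not one it will honour; if both reject every form, the token itself is the problem. The --insecure switch exists only to reproduce curl's "continuing anyway" behaviour while the CA is not yet trusted; fix the trust store rather than leaving it on.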