sourceanalyzer isnan not found

I am building a Fortify scan image to be used in our CI setup for Jenkins; as we don't use a standalone node, we're doing Docker-based build steps.

I first started installing fcli and the sub-tools I need to be able to communicate with the Fortify Software Security Center. This works great with the GitHub binary.

We also want to be able to source scan; as far as I can see, for that I need the CLI tools (fortifyupdate, sourceanalyzer and scancentral, the latter being part of the fcli tool set already).

These are bundled in the Fortify Apps & Tools bundle; I got the latest 24.2.0 for Linux x64.

However, there seems to be a snag: when I try to run it I get the error "bash: ./Fortify_Apps_and_Tools_24.2.0_linux_x64.run: cannot execute: required file not found". This seems to be because all my images are based on Alpine most of the time.

If I do the following command:
ldd Fortify_Apps_and_Tools_24.2.0_linux_x64.run

Then I get the following:

/lib64/ld-linux-x86-64.so.2 (0x7f7595602000)
libm.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f7595602000)
libdl.so.2 => /lib64/ld-linux-x86-64.so.2 (0x7f7595602000)
libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f7595602000)
libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f7595602000)
Error relocating Fortify_Apps_and_Tools_24.2.0_linux_x64.run: isnan: symbol not found
Error relocating Fortify_Apps_and_Tools_24.2.0_linux_x64.run: __register_atfork: symbol not found

It seems that the .run does not support Alpine. Has anyone run into this problem? Or have a way to install fortifyupdate, sourceanalyzer so I can use these tools? Or a way to make the installer work quickly?

  • 0  

    I have not personally tried installing Fortify SCA on Alpine Linux, but my colleagues recommend against it. The big problem is that Alpine uses musl libc as the core C/C++ library which is incompatible with Fortify SCA. There might be some workarounds, but it is a pain.
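
The musl/glibc mismatch described in this reply can be checked before running an installer by reading the binary's ELF PT_INTERP entry, which names the loader the kernel must find at exec time. This Python sketch is an added example, not part of the original thread or of any Fortify tooling; the function names and the constructed sample ELF are assumptions for illustration, and the loader-name check is a heuristic.

```python
import os
import struct

PT_INTERP = 3  # program-header type whose payload is the loader path

def elf_interpreter(data: bytes):
    """Return the loader path of an ELF64 little-endian image, else None."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return None  # not ELF, e.g. a shell-script self-extractor
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this sketch only handles ELF64 little-endian")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            raw = data[p_offset:p_offset + p_filesz]
            return raw.rstrip(b"\0").decode()
    return None  # statically linked: no loader needed

def libc_family(interp):
    """Heuristic: guess the libc from the loader's file name."""
    name = os.path.basename(interp or "")
    if name.startswith("ld-musl-"):
        return "musl"
    if name.startswith("ld-linux"):
        return "glibc"
    return "none" if interp is None else "unknown"

def preflight(data: bytes, exists=os.path.exists):
    """Summarise whether the image's loader is present on this system."""
    interp = elf_interpreter(data)
    return {"interp": interp, "libc": libc_family(interp),
            "loader_present": interp is None or exists(interp)}

def constructed_elf(interp: bytes) -> bytes:
    """Constructed sample: ELF64 header plus one PT_INTERP entry only."""
    path = interp + b"\0"
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0,
                       len(path), len(path), 1)
    return ehdr + phdr + path

if __name__ == "__main__":
    sample = constructed_elf(b"/lib64/ld-linux-x86-64.so.2")
    print(preflight(sample))
```

A present loader is necessary but not sufficient: the `isnan: symbol not found` lines in the question show that symbol resolution can still fail after the loader path resolves.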

  • Suggested Answer

    In the end I ended up adding glibc, and it's only for the installer, which I think is a thing. But for now this is my workaround:

    # hadolint ignore=DL3007
    FROM mycompanyinternal.nexus.url/SDLC/jre-17:4.0.6
    
    ENV LANG=C.UTF-8
    
    USER root
    # Install GLIBC so we can use the fortify tools installer.
    # NOTE: Glibc 2.35 package is broken: https://github.com/sgerrand/alpine-pkg-glibc/issues/176, so we stick to 2.34 for now
    RUN ALPINE_GLIBC_BASE_URL="https://github.com/sgerrand/alpine-pkg-glibc/releases/download" && \
        ALPINE_GLIBC_PACKAGE_VERSION="2.34-r0" && \
        ALPINE_GLIBC_BASE_PACKAGE_FILENAME="glibc-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && \
        ALPINE_GLIBC_BIN_PACKAGE_FILENAME="glibc-bin-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && \
        ALPINE_GLIBC_I18N_PACKAGE_FILENAME="glibc-i18n-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && \
        apk add --no-cache --virtual=.build-dependencies wget ca-certificates && \
        echo \
            "-----BEGIN PUBLIC KEY-----\
            MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApZ2u1KJKUu/fW4A25y9m\
            y70AGEa/J3Wi5ibNVGNn1gT1r0VfgeWd0pUybS4UmcHdiNzxJPgoWQhV2SSW1JYu\
            tOqKZF5QSN6X937PTUpNBjUvLtTQ1ve1fp39uf/lEXPpFpOPL88LKnDBgbh7wkCp\
            m2KzLVGChf83MS0ShL6G9EQIAUxLm99VpgRjwqTQ/KfzGtpke1wqws4au0Ab4qPY\
            KXvMLSPLUp7cfulWvhmZSegr5AdhNw5KNizPqCJT8ZrGvgHypXyiFvvAH5YRtSsc\
            Zvo9GI2e2MaZyo9/lvb+LbLEJZKEQckqRj4P26gmASrZEPStwc+yqy1ShHLA0j6m\
            1QIDAQAB\
            -----END PUBLIC KEY-----" | sed 's/   */\n/g' > "/etc/apk/keys/sgerrand.rsa.pub" && \
        wget \
            "$ALPINE_GLIBC_BASE_URL/$ALPINE_GLIBC_PACKAGE_VERSION/$ALPINE_GLIBC_BASE_PACKAGE_FILENAME" \
            "$ALPINE_GLIBC_BASE_URL/$ALPINE_GLIBC_PACKAGE_VERSION/$ALPINE_GLIBC_BIN_PACKAGE_FILENAME" \
            "$ALPINE_GLIBC_BASE_URL/$ALPINE_GLIBC_PACKAGE_VERSION/$ALPINE_GLIBC_I18N_PACKAGE_FILENAME" && \
        mv /etc/nsswitch.conf /etc/nsswitch.conf.bak && \
        apk add --no-cache --force-overwrite \
            "$ALPINE_GLIBC_BASE_PACKAGE_FILENAME" \
            "$ALPINE_GLIBC_BIN_PACKAGE_FILENAME" \
            "$ALPINE_GLIBC_I18N_PACKAGE_FILENAME" && \
        \
        mv /etc/nsswitch.conf.bak /etc/nsswitch.conf && \
        rm "/etc/apk/keys/sgerrand.rsa.pub" && \
        (/usr/glibc-compat/bin/localedef --force --inputfile POSIX --charmap UTF-8 "$LANG" || true) && \
        echo "export LANG=$LANG" > /etc/profile.d/locale.sh && \
        \
        apk del glibc-i18n && \
        \
        rm -f "/root/.wget-hsts" && \
        apk del .build-dependencies && \
        rm \
            "$ALPINE_GLIBC_BASE_PACKAGE_FILENAME" \
            "$ALPINE_GLIBC_BIN_PACKAGE_FILENAME" \
            "$ALPINE_GLIBC_I18N_PACKAGE_FILENAME"
    
    ARG F_HOME=/opt/Fortify
    ARG FCLI_HOME="$F_HOME"/fcli
    
    ENV PATH="${PATH}:$FCLI_HOME/bin"
    
    # hadolint ignore=DL3010
    COPY fcli-linux.tgz  /tmp/fcli-linux.tgz
    ADD Fortify_Tools_24.2.0_Linux.tar.gz  /tmp/Fortify_Apps_and_Tools_24.2.0_linux_x64.run
    
    RUN mkdir -p "$FCLI_HOME"/bin \
     && tar -zxvf /tmp/fcli-linux.tgz -C "$FCLI_HOME"/bin \
     && rm /tmp/fcli-linux.tgz \
     && chmod +x /tmp/Fortify_Apps_and_Tools_24.2.0_linux_x64.run/Fortify_Apps_and_Tools_24.2.0_linux_x64.run
    COPY tools/license/fortify.license  "$F_HOME"/fortify.license
    #USER java-app
    
    # Load our own trust store that we make in every base image that we trust.
    RUN fcli config truststore set -f="$JAVA_HOME"/lib/security/cacerts -p=changeit \
     && fcli tool sc-client install
    
    CMD ["bash"]