• State Not Answered
  • Replies replies
    2
  • Subscribers subscribers
    18
  • Views views
    187
  • Users 0 members are here
Related
Options

SourceAndLibScanner error with Fortify version 22.2.1

Lasse Boelius
 

We are seeing an issue with Fortify SourceAndLibScanner addon after updating Fortify SCA from version 22.1.1 to version 22.2.1. The Sonatype scan throws this error and fails to upload the scan results to SSC:
"Can not convert Sonatype result to proper SSC report"

The log has this error:
javax.ws.rs.ProcessingException: javax.net.ssl.SSLException: class org.bouncycastle.jcajce.provider.asymmetric.edec.BCXDHPublicKey cannot be cast to class java.security.interfaces.XECPublicKey (org.bouncycastle.jcajce.provider.asymmetric.edec.BCXDHPublicKey is in unnamed module of loader 'app'; java.security.interfaces.XECPublicKey is in module java.base of loader 'bootstrap')

The problem seems to be caused by JRE version 11.0.16.1 that ships with Fortify version 22.2.1. SourceAndLibScanner works fine with JRE 11.0.14.1

Does anyone know if SourceAndLibScanner is still being maintained/updated? Looks like it was last updated a year ago.

  • 0  

    Please verify and confirm the Bouncy Castle Crypto provider (bcprov-jdkXXon) version and ensure it's compatible with the JDK/JRE in use.

  • 0   in reply to Hersh Tahir

    Fortify SCA version 22.2.2 includes bcprov-jdk15on-1.70.jar in [install_dir]\Core\lib

    Installing SourceAndLibScanner version 21.1.2 adds an older version of this file (bcprov-jdk15on-1.64.jar) to the same directory.

    SourceAndLibScanner 21.1.2 will fail after this installation.

    After some experimentation I discoverd that deleting the older version of bcprov library (bcprov-jdk15on-1.64.jar) will make SourceAndLibScanner run normally again. I assume it uses the newer version.

    Our installation uses the jre that comes with Fortify SCA:
    openjdk 11.0.16.1 2022-07-19 LTS
    OpenJDK Runtime Environment Zulu11.58+23-CA (build 11.0.16.1+1-LTS)
    OpenJDK 64-Bit Server VM Zulu11.58+23-CA (build 11.0.16.1+1-LTS, mixed mode)

    This workaround solved the issue for this Fortify SCA update but I'd still like to know if SourceAndLibScanner is still being maintained and updated to work with future versions of Fortify?

Resources

Support
Documentation
Training
CyberRes Academy
Partner Portal
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
How To Buy
Careers
Investor Relations
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.