nareshe2011 Contributor.

Automate Web Inspect Scan through Jenkins?

Can anyone help me automate Web Inspect workflow scans or Web Inspect scans using Jenkins?

I tried to automate using a Windows batch command like the one below:

 wi.exe -u "http://zero.webappsecurity.com/bank/account-summary.html" -ps 1 -s "C:\ProgramData\HP\HP WebInspect\Settings\Default.xml" -macro "C:\Program Files\Samples\WebMacros\ZeroAppworkflow.webmacro" -am "C:\Program Files\Samples\WebMacros\zero_login.webmacro" -ep "C:\Users\user1\AppData\Local\HP\HP WebInspect\Exports\ZeroAppCMdScan1.fpr" -r "Vulnerability" -y "Standard" -f "C:\Users\user1\AppData\Local\HP\HP WebInspect\Exports\ZeroAppVuln.pdf" -gp

But when I run the job it throws an error:

This tool is not licensed for use by WebInspect.

How can I solve this issue? It would be much appreciated if anyone could help me solve it.

Micro Focus Expert

Re: Automate Web Inspect Scan through Jenkins?

I believe your issue comes down to the licensing.  For the user specified, "user1", are they able to open and use the WebInspect GUI?  If not, then they are not activated by the Activation Token.  Assuming you have the Named User model of the WebInspect license, that license is only activated for the Current Windows User (someone other than user1?), plus some combination of the MAC IDs and DiskIDs of the machine.  Other Windows users on the same machine are not automatically licensed/activated.  A remote call by Jenkins must authenticate to that Windows system as that activated user in order to effectively use WebInspect in this way, as a remote CLI.

My current user account is activated on WebInspect and I was able to run the following command locally from the CLI.  I removed the Workflow Macro call as I did not have one ready for this test.  To avoid typos and other small errors, you may want to replace portions of this CLI with variables (FilePath, Host, URI, OutPutFileName, etc.) and use a small, re-usable script to operate your scans from Jenkins.

-----------------------------------------------------------------

c:\Program Files\HP\HP WebInspect>wi.exe -u "http://zero.webappsecurity.com/bank/account-summary.html" -ps 1 -s "C:\ProgramData\HP\HP WebInspect\Settings\Default.xml" -am "C:\Program Files\HP\HP WebInspect\Samples\WebMacros\zero_login.webmacro" -ep "C:\Users\enders\AppData\Local\HP\HP WebInspect\Exports\ZeroAppCMdScan1.fpr" -r "Vulnerability" -y "Standard" -f "C:\Users\enders\AppData\Local\HP\HP WebInspect\Exports\ZeroAppVuln.pdf" -gp
9/19/2018 10:05:01 AM
Scan started
-----------------------------------------------------------------
Name: New Web Site Scan
Scan Type: crawl/audit - concurrent
URL: http://zero.webappsecurity.com:80/bank/account-summary.html
Policy: Standard
Scan ID: 026c13da-6511-4374-8545-294bfce6765d
-----------------------------------------------------------------
The following settings from 'Default' were overridden
Policy ID - Value: 1 - Reason: Command line option -p
-----------------------------------------------------------------
Allowed Hosts
The Following host is allowed
zero.webappsecurity.com:80
-----------------------------------------------------------------

 

 

Since it is likely that your Jenkins server is not co-installed on the WebInspect machine, then you are probably making these CLI calls directly across the network, which is a form of Remote Code Execution (RCE), and that is likely to give your network admins the heebie-jeebies.   ;-)   For the scenario of remote automation, you may be better off utilizing the WebInspect API.  Once you start that Windows Service, and assuming you used the default configurations, then any network user (or Jenkins) would be able to run scans via the Swagger-based API at http://webinspect_machine_name:8083/webinspect/api.  That interface also lets you try out individual commands in the browser interface and provides samples showing how to use the various endpoints with cURL.

The only permissions issue to be concerned with when using the WebInspect API would occur if you are using SQL Express to store the scans.  If that is your situation, then the WebInspect API Windows Service needs permissions to access the SQL Express scan files.  One fix for that is to reconfigure the WebInspect API Service to be Run By the same account that has activated WebInspect.  In my case, that is the user, "enders".  This is based on how and where SQL Express stores the MDF files that constitute each scan stored by SQL Express.

Another workaround could be done by leaving the WebInspect API service as it is, and changing the location and file permissions where the ScanData is stored.  The default for ScanData is %LocalAppData%\HP\HP WebInspect\ScanData\.  See the WebInspect Edit menu > Application Settings > Directories panel if you wish to change that.  Whatever account is running the WebInspect API Service would need to be able to access the ScanData folder and files.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
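The reusable, parameterized wrapper suggested in the reply above, written as an added PowerShell example (not code from the thread or from Micro Focus). Parameter names, default paths and the check that the .fpr export exists are assumptions; the wi.exe switches are only those shown in the commands above. It prints the Windows account the job runs under, since the reply ties the license to the activated user, and fails the Jenkins step on the licensing message quoted in the question.

```powershell
# Added example, not from the thread. Parameter names and defaults are assumptions.
param(
    [Parameter(Mandatory)] [string] $ScanUrl,
    [Parameter(Mandatory)] [string] $LoginMacro,
    [Parameter(Mandatory)] [string] $OutputDir,
    [string] $ScanName      = 'ZeroAppCMdScan1',
    [string] $WiExe         = 'C:\Program Files\HP\HP WebInspect\wi.exe',
    [string] $SettingsFile  = 'C:\ProgramData\HP\HP WebInspect\Settings\Default.xml',
    [string] $WorkflowMacro = ''   # optional workflow macro (-macro)
)

# Record which Windows account the job really runs as: a Named User license
# is activated per Windows user, so this line belongs in every build log.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running WebInspect CLI as: $identity"

# Fail early on path typos instead of letting the scan start and fail later.
foreach ($p in @($WiExe, $SettingsFile, $LoginMacro, $WorkflowMacro, $OutputDir)) {
    if ($p -and -not (Test-Path -LiteralPath $p)) { throw "Path not found: $p" }
}

# Derive output names from one variable and clear stale results from earlier builds.
$fpr = Join-Path $OutputDir "$ScanName.fpr"
$pdf = Join-Path $OutputDir "$ScanName.pdf"
Remove-Item -LiteralPath $fpr, $pdf -ErrorAction SilentlyContinue

# Build the argument list as an array so PowerShell quotes paths with spaces.
$wiArgs = @('-u', $ScanUrl, '-ps', '1', '-s', $SettingsFile, '-am', $LoginMacro)
if ($WorkflowMacro) { $wiArgs += @('-macro', $WorkflowMacro) }
$wiArgs += @('-ep', $fpr, '-r', 'Vulnerability', '-y', 'Standard', '-f', $pdf, '-gp')

# Stream wi.exe output to the Jenkins console and keep a copy for inspection.
& $WiExe @wiArgs 2>&1 | ForEach-Object { "$_" } | Tee-Object -Variable output

# Turn the licensing message from the question into a clear build failure.
if ($output -match 'not licensed for use') {
    throw "WebInspect reported a licensing error for account $identity"
}
# Assumption: a completed scan leaves the .fpr export requested with -ep.
if (-not (Test-Path -LiteralPath $fpr)) {
    throw "Scan ended without producing $fpr"
}
Write-Host "Scan export: $fpr"
Write-Host "Report:      $pdf"
```

Saved under a hypothetical name such as `Run-WebInspectScan.ps1` and called from a Jenkins Windows step with `powershell -File`, an uncaught `throw` ends the step with a non-zero exit code.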
nareshe2011 Contributor.

Re: Automate Web Inspect Scan through Jenkins?

Thanks for providing me a lot of information that I was really unaware of.

I forgot to mention that we are using a concurrent license through the LIM service to run the WebInspect tool.

I think this might be the cause of the Jenkins job failure, because I can start the scan in the CLI with the provided code, but when I tried through Jenkins it is not detecting the license to start the scan.

FYI, Jenkins and WebInspect are both installed and running on the same machine, and we are also running the Jenkins jobs using the same user account that activated the license for WI.

Sorry for not mentioning this earlier. Can anyone look at this and help me solve this issue?
