daysToLive limit for upload authentication token for Fortify - fortify

I have several projects that need to be scanned and have their fpr files uploaded to a 360 server. The pom files for the projects include the Fortify SCA plugin for maven and use the same authToken. The fpr files were being uploaded successfully for a while, but have failed recently. I receive an 'Access Denied' when I run the following command from the command line trying to list the projects the authtoken has access to:
fortifyclient listprojects -url <360_SERVER_URL> -authtoken <AUTH_TOKEN>
I know there is a daysToLive option that can be used during token generation in order to specify the number of days the token is valid for. I think I read that the default is 30 days. I would like (and have tried) to make the daysToLive large as to avoid the need to continuously generate a new token and update all of the project pom files. So my question is:
Is there a maximum limit on the daysToLive option when generating a new authentication token?
Thanks

Each auth token is defined in WEB-INF/internal/serviceContext.xml.
Look for each <bean id="uploadToken" class="com.fortify.manager.security.ws.AuthenticationTokenSpec"> section for the specification of the token. You can even define your own token if you want, but you will have to re-create it every time you upgrade the Fortify SSC/360 software.
The property that you want to change for a long time to live is: <property name="maxDaysToLive" value="90"/>

Related

Azure DevOps secure file guids

In my ADO build pipeline, I have a secure file download step. When we branch versions, we use powershell to do the heavy lifting with cloning build definitions and updating settings/info in the cloned pipeline.
One issue I've run into is that the Secure File Download step doesn't accept variables, and in the UI you can only select names of files that already exist, so we've had to manually update it after every new branch we create.
I've grabbed the definition task step in powershell (as $step) and was hoping I could set the $step.inputs.fileInputs to a variable I assign to something like cert-$newVersion, however it currently is set to a guid.
Does anyone know if it is possible to get the guid of secure files in ADO via the API, or have a solution?
Does anyone know if it is possible to get the guid of secure files in ADO via the API, or have a solution?
Yes. This API exists.
You could try to use the following Rest API:
Get https://dev.azure.com/{OrganizationName}/{ProjectName}/_apis/distributedtask/securefiles?api-version=6.1-preview.1
Result:
You could get the secure file GUID based on the file name.
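As an added example (not code from the question or the answer above), the lookup the answer describes in Python: build the securefiles URL quoted above, send the PAT as basic auth, and resolve the GUID that the Secure File Download step's fileInputs needs from the file name. The response shape ("value" list with "id" and "name") and the cert-<version>.pfx naming are assumptions; the sample response and its GUIDs are constructed placeholders so the lookup runs offline.

```python
"""Resolve an Azure DevOps secure file's GUID from its name.

Added example, not code from the question or answer above. Assumes the
securefiles endpoint answers with a JSON object whose "value" list holds
items carrying "id" (the GUID) and "name".
"""
import base64
import json
import urllib.request
from typing import Optional

API_VERSION = "6.1-preview.1"


def secure_files_url(org: str, project: str) -> str:
    """Build the list endpoint quoted in the answer above."""
    return (f"https://dev.azure.com/{org}/{project}"
            f"/_apis/distributedtask/securefiles?api-version={API_VERSION}")


def pat_auth_header(pat: str) -> str:
    """Azure DevOps accepts a PAT as HTTP basic auth with an empty user name."""
    encoded = base64.b64encode(f":{pat}".encode("ascii")).decode("ascii")
    return f"Basic {encoded}"


def find_secure_file_id(response: dict, name: str) -> Optional[str]:
    """Return the GUID of the secure file called `name`, or None if absent."""
    for item in response.get("value", []):
        if item.get("name") == name:
            return item["id"]
    return None


def fetch_secure_files(org: str, project: str, pat: str) -> dict:
    """GET the secure file list (network call; the PAT needs a scope that can read them)."""
    req = urllib.request.Request(
        secure_files_url(org, project),
        headers={"Authorization": pat_auth_header(pat), "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response with placeholder GUIDs, so the lookup runs offline.
SAMPLE_RESPONSE = {
    "count": 2,
    "value": [
        {"id": "00000000-0000-0000-0000-000000000001", "name": "cert-1.0.pfx"},
        {"id": "00000000-0000-0000-0000-000000000002", "name": "cert-2.0.pfx"},
    ],
}


def resolve_for_branch(new_version: str, response: dict = SAMPLE_RESPONSE) -> str:
    """Value for the cloned step's fileInputs: GUID of cert-<version>.pfx (naming is assumed)."""
    name = f"cert-{new_version}.pfx"
    guid = find_secure_file_id(response, name)
    if guid is None:
        # Fail loudly: a missing secure file should stop the clone, not silently keep the old GUID.
        raise LookupError(f"no secure file named {name!r}; upload it first")
    return guid


if __name__ == "__main__":
    print(resolve_for_branch("2.0"))
```

In the real clone script you would call fetch_secure_files(...) instead of SAMPLE_RESPONSE and write the returned GUID into $step.inputs.fileInputs; failing when the file does not exist yet is deliberate, since a stale GUID would download the previous version's certificate.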

Retrieving Azure artifacts recent version from the azure feed

I am looking for an option, how to identify the version of artifact which is being stored in azure devops artifactory. Can someone please throw light on this.
Also I need to push artifact from 1 subscription (example ASubscrip) to another subscription (BSubscrip).
BSubscrip is obviously more strict in terms of security as PROD is being configured there, however our builds are done only on ASubScrip.
Hence I need to come up with a logic that if version available in BSubscrip is lower than version of ASubScrip, then only trigger the copy pipeline from ASubScrip to BSubScrip.
Please advise how it can be done via pipeline.
I was able to perform the operation with the help of the below set of commands.
$response = invoke-RestMethod -Uri https://feeds.dev.azure.com/{Org}/{Project name}/_apis/packaging/Feeds//
The response would be a JSON object and the required property can be referred to as $response.versions.version
Please note that while reviewing the output of the response object, my focus was only to retrieve the version parameter and the above approach helped me to get it.
Also note that here TOKEN is the PAT, and we need to perform some transformation on it as well.
$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($pat)"))
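As an added example (not the answerer's code), the decision logic the question asks for in Python: the same PAT transformation as the PowerShell line above, a version comparison that is numeric rather than string-based (so 1.10.0 is not sorted below 1.9.0), and a copy_needed check that is true only when the production feed is behind the build feed. It assumes each feed query returns a JSON object whose "versions" list holds objects with a "version" string (the $response.versions.version property above) and that versions are dotted numerics with an optional "-prerelease" suffix; the two sample responses are constructed.

```python
"""Decide whether a package copy from the build subscription's feed to the
production subscription's feed is needed.

Added example, not the answerer's code. Assumes the feed response carries a
"versions" list of objects with a "version" string, and that versions look
like 1.2.3 or 1.2.3-beta.
"""
import base64
import json
import urllib.request
from typing import Optional, Tuple

VersionKey = Tuple[Tuple[int, ...], int, str]


def pat_auth_header(pat: str) -> str:
    """Python equivalent of the PowerShell transformation above: base64(":" + PAT)."""
    return "Basic " + base64.b64encode(f":{pat}".encode("ascii")).decode("ascii")


def parse_version(text: str) -> VersionKey:
    """Sort key: numeric core, then release (1) above prerelease (0), then the tag."""
    core, _, tag = text.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    # Treat 1.2 and 1.2.0 as the same version.
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers = numbers[:-1]
    return (numbers, 0 if tag else 1, tag)


def highest_version(response: dict) -> Optional[str]:
    """Highest version string in the feed response, or None for an empty feed."""
    versions = [item["version"] for item in response.get("versions", [])]
    return max(versions, key=parse_version) if versions else None


def copy_needed(build_feed: dict, prod_feed: dict) -> bool:
    """True only when prod is behind the build feed, as the question requires."""
    build_top = highest_version(build_feed)
    prod_top = highest_version(prod_feed)
    if build_top is None:
        return False  # nothing built yet, nothing to copy
    if prod_top is None:
        return True   # prod feed empty: first copy
    return parse_version(prod_top) < parse_version(build_top)


def query_feed(url: str, pat: str) -> dict:
    """GET a feed/package endpoint with the PAT (network call)."""
    req = urllib.request.Request(url, headers={"Authorization": pat_auth_header(pat)})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses standing in for the two subscriptions' feeds.
A_SUBSCRIP = {"versions": [{"version": "1.4.0"}, {"version": "1.10.2"},
                           {"version": "1.10.3-beta"}, {"version": "1.10.3"}]}
B_SUBSCRIP = {"versions": [{"version": "1.4.0"}, {"version": "1.9.0"}]}


if __name__ == "__main__":
    print("copy needed:", copy_needed(A_SUBSCRIP, B_SUBSCRIP))
```

In a pipeline this would run as a script step whose exit code (or an output variable) gates the copy job; keep the PAT in a secret variable rather than in the script.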

How to find out who changed the permission settings in Jenkins?

I am using Folder plugin and AD groups to control access to folder. This morning a team can't access their project anymore and later I found the AD group assignment in Assign Roles has been changed to wrong groups. Is there a way to find out which id did it? We only have a few admin ids.
Jenkins does not appear to keep an audit trail by default, as stated in this post on cloudbees.com, the folks that develop Jenkins.
The relevant lines:
Many Jenkins users look for a recommended strategy for keeping an audit trail. This article is supposed to be a gap filler until more comprehensive compliance capabilities in JE/JOC are developed.
There are two open source plugins that enable you to track “WHO did WHAT?” in Jenkins:
...
The first plugin listed is Audit Trail Plugin which looks to provide exactly what you are seeking.
The description from the plugins page:
Keep a log of who performed particular Jenkins operations, such as configuring jobs.
This plugin adds an Audit Trail section in the main Jenkins configuration page. Here you can configure log location and settings (file size and number of rotating log files), and a URI pattern for requests to be logged. The default options select most actions with significant effect such as creating/configuring/deleting jobs and views or delete/save-forever/start a build. The log is written to disk as configured and recent entries can also be viewed in the Manage / System Log section.
I spent a few minutes looking through Jenkins' various XML and log files, but could not find a log that contained something useful (username and/or timestamp). In this case it seems user auditing isn't built into Jenkins as of yet. Unfortunately it appears that you might not be able to determine who made those changes after the fact.

How to use Jenkins credential store when accessing CVS?

Is there a way to use the credential store with the CVS plugin to access a CVS repository? Looking for a way to store credential once and have one place to change it, despite many jobs making use of it.
The CVS plugin doesn't use the credentials store directly (although there are potential plans to move to this in a future overhaul of the plugin), but it does have a concept of global credentials which should provide what you need. The reason for having something separate from global credentials was that CVS introduced this prior to the credentials plugin being available and the steps have never been taken to try and perform a migration.
To use this credential feature, ensure you have version 2.4 or above of the CVS plugin, go to your 'Manage Configuration' screen, scroll down to the CVS section and click the 'Add' button next to the 'Authentication' option. Once you've added any credentials in here, go back to the jobs you're wanting to use the global credentials on, check the CVS root matches what you put in the authentication section and that it doesn't contain a username, and then run your job. When running, the console should then show 'Using globally configured credentials for...' when trying to connect to CVS.

How can I set the jenkins authentication token?

On my Jenkins build server, I want to set an Authentication Token so that only users that know the token can fire off builds. (As described here.)
This doc page says that it should be configurable under my job's "Build Triggers" configuration.
However, my server has no such fields, and I'm running the latest version (1.546). Mine looks like this:
As you can see, this doesn't really look like the docs say it should.
How can I set this token?
You're missing the Trigger builds remotely (e.g., from scripts) Build Trigger:
This is only visible with Security enabled. To get this option from a freshly downloaded 1.546 WAR, I changed Configure Global Security from Anyone can do anything to at least Logged-in users can do anything. For ease/speed of testing, under Security Realm I selected Jenkins’ own user database and Allow users to sign up:
You can go to http://Jenkins-IP/jobs/me/configure to check and change your API access token. Also check whether the user you intend to use has the necessary permissions to execute the builds in Manage Jenkins > Configure Global Security.
Each Jenkins user gets an authentication token - applicable since version 1.426 (more).
You can see yours, provided you are logged in to your Jenkins server, at http://your.jenkins.server/me/configure
(press 'show API token' button)
Then you can copy and paste it in your scripts (e.g. see here for an example usage).
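As an added example (not code from any of the answers above), a Python script that does what the answers describe: it addresses the job by path (including jobs inside folders), appends the job's Authentication Token as the token query parameter, switches to buildWithParameters when build parameters are given, and authenticates the request with the user's API token from /me/configure via HTTP basic auth. The Jenkins URL, job name, tokens and user name are assumptions; the POST itself is a network call and is kept separate from the URL and header builders.

```python
"""Trigger a Jenkins job remotely with the job's Authentication Token.

Added example, not code from the answers above. Assumes the job has
"Trigger builds remotely (e.g., from scripts)" enabled with the token and
that the caller has a user API token (shown under /me/configure).
"""
import base64
import urllib.parse
import urllib.request
from typing import Dict, Optional


def job_path(job: str) -> str:
    """Jobs inside folders are addressed as /job/<folder>/job/<name>."""
    return "".join("/job/" + urllib.parse.quote(part, safe="")
                   for part in job.split("/") if part)


def build_trigger_url(jenkins_url: str, job: str, auth_token: str,
                      params: Optional[Dict[str, str]] = None,
                      cause: Optional[str] = None) -> str:
    """URL for /build (no parameters) or /buildWithParameters (with parameters)."""
    query: Dict[str, str] = {"token": auth_token}
    if cause:
        query["cause"] = cause  # shows up in the build's "Started by" line
    endpoint = "/build"
    if params:
        query.update(params)
        endpoint = "/buildWithParameters"
    return (jenkins_url.rstrip("/") + job_path(job) + endpoint
            + "?" + urllib.parse.urlencode(query))


def user_auth_header(user: str, api_token: str) -> str:
    """Basic auth with the user's API token rather than the login password."""
    raw = f"{user}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def trigger_build(jenkins_url: str, job: str, auth_token: str,
                  user: str, api_token: str,
                  params: Optional[Dict[str, str]] = None) -> str:
    """POST the trigger; Jenkins answers 201 with a Location header naming the queue item."""
    url = build_trigger_url(jenkins_url, job, auth_token, params)
    req = urllib.request.Request(
        url, data=b"", method="POST",
        headers={"Authorization": user_auth_header(user, api_token)},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        if resp.status != 201:
            raise RuntimeError(f"unexpected status {resp.status}")
        return resp.headers.get("Location", "")


if __name__ == "__main__":
    # Assumed values; replace with your server, job, job token and user API token.
    print(trigger_build("https://jenkins.example", "team/app", "JOB_TOKEN_PLACEHOLDER",
                        "alice", "USER_API_TOKEN_PLACEHOLDER", {"BRANCH": "main"}))
```

Note that the job token alone only gates the trigger endpoint; the request still runs as the authenticated user, which is why the answers point you at both the job's token and the user's API token and the user's Build permission.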