Issue with Checkmarx scan

Hi Folks,

We recently updated JNLP image from 4.13.3-1-jdk17 to 3283.v92c105e0f819-1-jdk17 to address frequent connection issues.

Post upgrade to 3283.v92c105e0f819-1-jdk17, connection issues are addressed and builds are stable now; however, we are facing issues with the Checkmarx scan.

15:31:24 [Cx-Debug]: Checking that next file has -rwxrwxrwx permissions ls /home/jenkins/agent/workspace/ScaResolver/ScaResolver -ltr
15:31:24 [Cx-Debug]: -rwxr-xr-x 1 jenkins jenkins 77721150 Jan 2 10:01 /home/jenkins/agent/workspace/ScaResolver/ScaResolver
15:31:24 [Cx-Debug]: Executing ScaResolver command.
15:31:26 [Cx-Error]: Error occurred while initiating scan.
15:31:26 com.cx.restclient.exception.CxClientException: Error while running sca resolver executable. Exit code: 134
15:31:26 at PluginClassLoader for checkmarx//com.cx.restclient.ast.AstScaClient.submitScaResolverEvidenceFile(AstScaClient.java:374)
15:31:26 at PluginClassLoader for checkmarx//com.cx.restclient.ast.AstScaClient.initiateScan(AstScaClient.java:311)

With inbound image 4.13.3-1-jdk17, this works fine. No other changes have been made in the environment. Please advise.

Environment details -
Jenkins version - 2.462.2
Checkmarx Plugin Version - 2022.4.3
Jnlp Image - jenkins/inbound-agent:3283.v92c105e0f819-1-jdk17

Full Error Msg:
15:12:17 [Cx-Debug]: Checking that next file has -rwxrwxrwx permissions ls /home/jenkins/agent/workspace/ScaResolver/ScaResolver -ltr
15:12:17 [Cx-Debug]: -rwxr-xr-x 1 jenkins jenkins 77721150 Jan 2 09:42 /home/jenkins/agent/workspace/ScaResolver/ScaResolver
15:12:17 [Cx-Debug]: Executing ScaResolver command.
15:12:19 [Cx-Error]: Error occurred while initiating scan.
15:12:19 com.cx.restclient.exception.CxClientException: Error while running sca resolver executable. Exit code: 134
15:12:19 at PluginClassLoader for checkmarx//com.cx.restclient.ast.AstScaClient.submitScaResolverEvidenceFile(AstScaClient.java:374)
15:12:19 at PluginClassLoader for checkmarx//com.cx.restclient.ast.AstScaClient.initiateScan(AstScaClient.java:311)
15:12:19 at PluginClassLoader for checkmarx//com.cx.restclient.CxClientDelegator.lambda$initiateScan$1(CxClientDelegator.java:87)
15:12:19 at java.base/java.util.Map.forEach(Unknown Source)
15:12:19 at PluginClassLoader for checkmarx//com.cx.restclient.CxClientDelegator.initiateScan(CxClientDelegator.java:85)
15:12:19 at PluginClassLoader for checkmarx//com.checkmarx.jenkins.CxScanCallable.invoke(CxScanCallable.java:141)
15:12:19 at PluginClassLoader for checkmarx//com.checkmarx.jenkins.CxScanCallable.invoke(CxScanCallable.java:28)
15:12:19 at Jenkins v2.462.2//hudson.FilePath$FileCallableWrapper.call(FilePath.java:3615)
15:12:19 at hudson.remoting.UserRequest.perform(UserRequest.java:225)
15:12:19 at hudson.remoting.UserRequest.perform(UserRequest.java:50)
15:12:19 at hudson.remoting.Request$2.run(Request.java:391)
15:12:19 at hudson.remoting.InterceptingExecutorService.lambda$wrap$0(InterceptingExecutorService.java:81)
15:12:19 at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
15:12:19 at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
15:12:19 at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
15:12:19 at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:140)
15:12:19 at java.base/java.lang.Thread.run(Unknown Source)
15:12:19 [Cx-Error]: ********************************************
15:12:19 [Cx-Error]: The Build Failed for the Following Reasons:
15:12:19 [Cx-Error]: ********************************************
15:12:19 [Cx-Error]: Error creating scan.
15:12:19 [Cx-Error]:
15:12:19 [Cx-Error]: -----------------------------------------------------------------------------------------
15:12:19
15:12:19 [Cx-Error]:
15:12:20 [Cx-Error]: Failed to generate HTML report. SCA results are empty.

It would be great if you could help us to understand/fix this issue.

Thanks in advance

Hi @snehalhingane, :wave:

The error message indicates that the ScaResolver command is failing with an exit code of 134, which typically indicates a fatal error, such as a segmentation fault or an abort signal. :cry:

Since the issue started after updating the JNLP image, it is likely related to changes in the environment provided by the new image. :person_shrugging:
Here are a few steps that may help diagnose and potentially fix the issue:

  • Make sure that the Checkmarx plugin and the ScaResolver command are compatible with the new JNLP image. There might be dependencies or environment variables that need to be set.
  • Although the permissions seem correct (-rwxr-xr-x), ensure that the ScaResolver file and its dependencies have the necessary permissions and are executable.
  • The new JNLP image might be missing some libraries or tools that the ScaResolver command depends on. :thinking: You can compare the installed packages between the old and new images.
  • Try running the ScaResolver command manually inside a container using the new JNLP image to see if it provides more detailed error messages.
  • Enable more detailed logging for the Checkmarx plugin to get more insights into what might be going wrong.
  • If the issue persists, and you cannot find a solution, consider reverting to the previous JNLP image (4.13.3-1-jdk17) as a temporary workaround, or just bump one version, and see how things go.

To compare the old and new Docker images, you could use the following steps:

  1. Pull the Docker images: Ensure you have both the old and new Docker images pulled locally.
  2. Run containers from both images: Start containers from both images.
  3. Inspect the images: Use docker inspect to get detailed information about the images.
  4. Compare the installed packages: Use docker exec to run commands inside the containers and compare the installed packages.

```bash
# Pull the old and new Docker images
docker pull jenkins/inbound-agent:4.13.3-1-jdk17
docker pull jenkins/inbound-agent:3283.v92c105e0f819-1-jdk17

# Run containers from both images.
# Override the image's agent entrypoint so the containers simply idle
# and stay up for the docker exec calls below.
docker run -d --name old_image --entrypoint tail jenkins/inbound-agent:4.13.3-1-jdk17 -f /dev/null
docker run -d --name new_image --entrypoint tail jenkins/inbound-agent:3283.v92c105e0f819-1-jdk17 -f /dev/null

# Inspect the images
docker inspect jenkins/inbound-agent:4.13.3-1-jdk17 > old_image_inspect.json
docker inspect jenkins/inbound-agent:3283.v92c105e0f819-1-jdk17 > new_image_inspect.json

# Compare the installed packages
docker exec old_image dpkg -l > old_image_packages.txt
docker exec new_image dpkg -l > new_image_packages.txt

# Use diff to compare the package lists
diff old_image_packages.txt new_image_packages.txt

# Clean up
docker stop old_image new_image
docker rm old_image new_image
```
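An added example, not part of either post: on Linux an exit status above 128 encodes 128 plus the number of the signal that ended the process, so 134 is signal 6 (SIGABRT). The helpers below decode such a status and list unresolved shared libraries from `ldd` output, which supports the "run it manually" and "missing libraries" steps; the function names and the sample `ldd` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for a native tool that dies in CI with an
# exit status above 128, as ScaResolver does in the log above (134).

# decode_exit STATUS -> "SIG<NAME>" when the status encodes a fatal signal
# (128 + signal number), otherwise "exit <STATUS>".
decode_exit() {
    status=$1
    if [ "$status" -gt 128 ] && [ "$status" -le 192 ]; then
        echo "SIG$(kill -l $((status - 128)))"
    else
        echo "exit $status"
    fi
}

# missing_libs: reads `ldd <binary>` output on stdin and prints each shared
# library the dynamic loader could not resolve.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# run_and_decode CMD [ARGS...]: runs the command with its output sent to
# stderr, then prints how it ended on stdout.
run_and_decode() {
    rc=0
    "$@" >&2 || rc=$?
    decode_exit "$rc"
}

# Constructed sample of ldd output (library names are placeholders, not
# the real dependencies of ScaResolver).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd5a1f2000)
	libexample.so.1 => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c1a200000)
	libother.so.2 => not found'

echo "status 134 means: $(decode_exit 134)"
echo "unresolved libraries in the constructed sample:"
printf '%s\n' "$SAMPLE_LDD" | missing_libs

# Inside a container started from the new image, the same helpers apply to
# the binary path shown in the log:
#   ldd /home/jenkins/agent/workspace/ScaResolver/ScaResolver | missing_libs
#   run_and_decode /home/jenkins/agent/workspace/ScaResolver/ScaResolver
```

An abort usually comes with a message on stderr from the runtime that raised it, so the stderr output of the manual run is the part worth capturing alongside the decoded status.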