Debugging and Troubleshooting

You may face the following errors:

Where are the logs?

Windows:

Jenkins logs are located on Windows at JENKINS_HOME path.

For example,

Controller logs - C:\Program Files (x86)\Jenkins\jenkins.err

Agent logs - C:\Program Files (x86)\Jenkins\logs\agent\<agent_name>\agent_log_file

Linux:

Controller logs - /var/log/jenkins/jenkins.log

Agent logs - /var/jenkins/remoting/logs/remoting.log.0

HTTP Codes in API Response

All API calls and their responses are logged by the plugin and are visible in the Console Output. Here are the HTTP response codes you may see during plugin execution.

Code

Error

Description

204

No content

Qualys sensor is processing data. You can see 200 OK when complete.

200

OK

You would see this code in two situations:

  1. You might have received partial data from Qualys where image details are available but vulnerability data is unavailable.
  2. Vulnerability data is also available. This is usually the last call, after which the thread for that image ID stops.

500

Internal server error

Qualys service is down or there was an issue processing data.

400

Bad request

   Qualys API server is unable to understand the request.

401

Unauthorized

The credentials used for Qualys API server are incorrect or the user does not have access to the APIs.

If you do not see any API calls being made.

Make sure you are correctly passing image Ids to the plugin. When the plugin starts the execution, it prints the image Ids provided and you can see this in the Console Output. Check that the container image Ids you provided are printed.

Plugin times out, no report seen

The plugin is designed to keep polling the Qualys API until the configured timeout period is reached. If it does not get vulnerability data from Qualys within this period, it stops. In this case, the plugin fails the build only if you have set any fail-on conditions. Otherwise, it does not fail the build. You cannot see any report links since the plugin could not get vulnerability data and could not prepare a report.

How to fix this?

On the Qualys Cloud Platform, go to Container Security > Assets > Images and verify if the image for which you check the vulnerabilities is in the Images list.

If the image is not present console logs have the following entry:

Get scan result API for image e0111ddfea06 returned code : 404;

HTTP Code: 404. Image: Not known to Qualys. Vulnerabilities: To be processed.. API Response : {"errorCode":"CMS-2002","message":"Data not available for given Image Id.","timestamp":1554568122039}

Ensure that the Qualys Container Sensor is installed on the host where image is being built.

If the image is present console logs have the following entry:

Get scan result API for image cef4ca723229 returned code : 200;

Waiting for vulnerabilities data from Qualys for image id cef4ca723229

HTTP Code: 200. Image: known to Qualys. Vulnerabilities: To be processed.

Wait for the vulnerabilities data to be uploaded to the Qualys Cloud Platform.

No space left on device

Console logs have the following entry:

Apr 04, 2019 11:20:47 AM hudson.remoting.JarCacheSupport$DownloadRunnable run

WARNING: Failed to resolve a jar 7cab007bbd804ea3a998084524ce236e

java.io.IOException: Failed to write to /home/dockerAdmin/.jenkins/cache/jars/7C/AB007BBD804EA3A998084524CE236E.jar

at hudson.remoting.FileSystemJarCache.retrieve(FileSystemJarCache.java:150)

at hudson.remoting.JarCacheSupport$DownloadRunnable.run(JarCacheSupport.java:110)

at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)

at java.util.concurrent.FutureTask.run(FutureTask.java:266)

at hudson.remoting.AtmostOneThreadExecutor$Worker.run(AtmostOneThreadExecutor.java:112)

at java.lang.Thread.run(Thread.java:748)

Caused by: java.nio.file.FileSystemException: /home/dockerAdmin/.jenkins/cache/jars/7C: No space left on device

Possible reasons could be:

  1.  Agent machine is running out of disk space.

    Use the command df -h to check the disk space. Observe ‘Use%’ and ‘Available’ space in the output of the command.

    Ensure that you have provisioned enough disk space on the host. You may remove unnecessary files to increase free disk space.

  2. iNodes are exhausted during the Jenkins plugin job.

Use the command df -i to check the iNodes. Observe ‘IFree’count and ‘IUse%’ in the output of the command.

If IUse% is at 100 or near, then large number of small (cached) files are present on the host.

To delete the cached files from the host:

  • Run the following command to list all the directories and files:
    for i in /*; do echo $i; find $i | wc -l; done
  • Locate the directory with unusually large number of small files, and the run the following command to see where exactly the files are:
    For example, if the directory is /home:
    for i in /home/*; do echo $i; find $i |wc -l; done
  •  Run the following command to remove those files:
    sudo rm -rf <path of the directory with small files>

Incorrect checksum of retrieved jar

Console logs have the following entry:

WARNING: Failed to resolve a jar 4fd2a7e0ee23f360d678b2af7903dab0

java.io.IOException: Failed to write to /home/dockerAdmin/.jenkins/cache/jars/4F/D2A7E0EE23F360D678B2AF7903DAB0.jar

at hudson.remoting.FileSystemJarCache.retrieve(FileSystemJarCache.java:150)

at hudson.remoting.JarCacheSupport$DownloadRunnable.run(JarCacheSupport.java:110)

at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)

at java.util.concurrent.FutureTask.run(FutureTask.java:266)

at hudson.remoting.AtmostOneThreadExecutor$Worker.run(AtmostOneThreadExecutor.java:112)

at java.lang.Thread.run(Thread.java:748)

Caused by: java.io.IOException: Incorrect checksum of retrieved jar:

Jenkins writes the jar required for job execution in its cache on the agent host. This error comes in case the already existing jar in cache is corrupted.

To fix this, clear the cache. The logs show the location of the cache.

For example, in the above logs the cache is located at:

/home/dockerAdmin/.jenkins/cache/jars/4F/D2A7E0EE23F360D678B2AF7903DAB0.jar

Execute the command -ll to verify that Jenkins has permission to write to the folder:

/home/dockerAdmin/.jenkins/

Ensure that the cache directory /home/dockerAdmin/.jenkins/cache/ is writable to the user with which the agent is added to the Jenkins Server. To give permissions, add the respective user owner group OR change the owner to the user with which the Jenkins agent is configured.

Upgrade Issues

If the Qualys Container Scanning Connector is upgraded to version 1.6.2.5 or higher, it is recommended that you reconfigure your existing Qualys Container Scanning operations with Freestyle and/or Pipeline Jobs. Starting with version 1.6.2.5, we are providing a drop-down that contains a list of Qualys platforms to avoid manually entering the input of Qualys API URL. Prior to version 1.6.2.5, the Qualys API URL field was provided in the text box, so this change is not compatible with the previous version.

Contact Support

Access online support information at www.qualys.com/support/

You may need to provide the following information for Qualys Jenkins plugin issues:

  • Jenkins version
  • Java version on which Jenkins is running
  • Version of the Qualys Container Scanning Connector.
  • Jenkins controller-agent topology
  • Whether the Docker daemon is on the Jenkins controller or Jenkins agent or remote host

Related Topic

View Your Qualys Report