Debugging and Troubleshooting
Following are the solutions to troubleshoot issues and errors:
Error: The trustAnchors parameter must be non-empty
The following error is seen in console logs when the trustStore used by Java for SSL connection between Bamboo Server/Agent and Qualys, is not found, couldn’t be opened (permission issue), or is empty:
java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
You can fix this issue by reconfiguring/updating the certificates (ca-certs) present on the host where the Bamboo Server or Agent is installed. We have provided sample commands for CentOS and Ubuntu. Use the commands specific to the host OS running your Bamboo Server/Agent.
CentOS:
yum install -y ca-certificates
update-ca-trust force-enable
sudo ln -s /etc/ssl/your-cert.pem /etc/pki/ca-trust/source/anchors/your-cert.pem
update-ca-trust
Alternative commands for CentOS:
yum reinstall ca-certificates
update-ca-trust
Ubuntu:
sudo update-ca-certificates -f
sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure
HTTP Codes in API Response
All API calls and their responses are logged by the plugin and are visible in the Console Output. Here are the HTTP response codes you may see during plugin execution.
|
Code |
Error |
Description |
|---|---|---|
|
204 |
No content |
Qualys sensor is processing data. You’ll see 200 OK when complete. |
|
200 |
OK |
You would see this code in two situations:
|
|
500 |
Internal server error |
Qualys service is down or there was an issue in processing data. |
|
400 |
Bad request |
Qualys API server is unable to understand the request. |
|
401 |
Unauthorized |
The credentials used for the Qualys API server are incorrect, or the user does not have access to the APIs. |
If you do not see any API Calls being Executed
Make sure you are correctly passing image IDs to the plugin. When the plugin starts the execution, it prints the image IDs provided and you can see this in the Console Output. Check that the container image IDs you provided are printed.
Plugin times out; no report seen
The plugin is designed to keep polling the Qualys API until the configured timeout period is reached. It stops if it does not get vulnerability data from Qualys within this period. In this case, the plugin fails the build only if you have set any fail-on conditions. Otherwise, it does not fail the build. You will not see any report links since the plugin could not get vulnerability data or prepare a report.
How to fix this?
On the Qualys Cloud Platform, go to Container Security > Assets > Images and verify if the image for which you checked the vulnerabilities is in the Images list.
If the image is not present, console logs have the following entry:
Get scan result API for image e0111ddfea06 returned code : 404;
HTTP Code: 404. Image: Not known to Qualys. Vulnerabilities: To be processed.. API Response: {"errorCode":"CMS-2002","message":"Data not available for given Image Id.","timestamp":1554568122039}
Ensure that the Qualys Container Sensor is installed on the host where the image is being built.
If the image is present, console logs have the following entry:
Get scan result API for image cef4ca723229 returned code : 200;
Waiting for vulnerabilities data from Qualys for image id cef4ca723229
HTTP Code: 200. Image: known to Qualys. Vulnerabilities: To be processed.
Wait for the vulnerability data to be uploaded to the Qualys Cloud Platform.
Where are the logs?
Bamboo logs are located in the following places on Linux:
- Server logs - <bamboo_server_home>/logs/atlassian-bamboo.log
- Agent logs - <bamboo_agent_home>/logs/atlassian-bamboo.log
Contact Support
Access online support information at www.qualys.com/support/
You typically need to provide the following information for Qualys Bamboo plugin issues:
- Bamboo version
- Java version on which Bamboo is running
- Version of the Qualys Container Scanning Connector
- Bamboo server-agent topology
- Whether the Docker daemon is on a Bamboo server, Bamboo agent, or remote host